Judith Proctor ([personal profile] watervole) wrote 2013-09-17 01:49 pm

passwords

My business bank have asked me to set up a new password. It must be all numbers and ten digits long and, I quote, "it must be memorable".

Right...

Apart from pi, and your mobile number, both of which are bloody obvious to any hacker, how many 'memorable' ten digit numbers do you know?

I can do memorable letter sequences, but my brain isn't oriented to remember numbers.
[personal profile] lexin 2013-09-17 12:55 pm (UTC)
I suppose the numbers in your National Insurance number would be too easy to find out? There are 6 of them, but you could use all six then repeat four.
[personal profile] kalypso 2013-09-17 01:33 pm (UTC)
Could you edit down your parents' birthdates and run one after the other? Of course this depends on having two double-digits and two single-digits among the dates and months, but it would work with my parents!
Edited 2013-09-17 13:37 (UTC)
[personal profile] damerell 2013-09-17 04:04 pm (UTC)
Two BR locomotive numbers back to back. :-)
[personal profile] kerravonsen 2013-09-17 09:53 pm (UTC)
It must be all numbers and ten digits long and I quote "it must be memorable"

Oh good heavens, how ridiculous and stupid!

I can do memorable letter sequences, but my brain isn't oriented to remember numbers.

Me, I would fall back on l33tsp33k, and substitute numbers for the letters that they look the most similar to.

1 = i or l
2 = R or "to"
3 = E
4 = A or "for"
5 = S
6 = b
7 - I can't remember what this stands for, maybe Z
8 = "ate"
9 = g
0 = o

How many words can you make with that combination of letters?
Edited (a few more bits) 2013-09-17 21:58 (UTC)
[personal profile] feng_shui_house 2013-09-19 04:10 pm (UTC)
I'd do as kerravonsen says, use numbers to make words. In addition to her suggestions, you could use 7 as an L and 8 as a capital B.

I'm sure you can come up with a ten letter phrase out of the available letters.

[identity profile] altariel.livejournal.com 2013-09-17 01:10 pm (UTC)
My childhood home phone number would work. But that's really tricky.
[identity profile] watervole.livejournal.com 2013-09-18 08:16 am (UTC)
But a risk in that there are some people who would know the number (though not random hackers).

[identity profile] altariel.livejournal.com 2013-09-18 08:26 am (UTC)
That's going to be a risk with any series of numbers that you choose for having some significance, so I guess you have to decide what you want to trade off. Putting the STD to the end might help. Other options include a series of random numbers that you either write down (obviously risky) or attempt to memorize (beyond my humble capabilities). Or else make use of the "forgot your password?" function each time you log in, and get them to send you something new each time.

[identity profile] artw.livejournal.com 2013-09-17 01:14 pm (UTC)
Your mother's date of birth, followed by the number of aunts and uncles you have.
Or a memorable word coded A=1, B=2 etc.

[identity profile] sam-t.livejournal.com 2013-09-17 02:03 pm (UTC)
Preferably not a dictionary word, but that would work.

Baffles me why they'd ask for a number. Why would you choose a 10-choices-per-character unmemorable password over a 36-or-more-choices-per-character memorable one?

[identity profile] izhilzha.livejournal.com 2013-09-17 05:19 pm (UTC)
Or a memorable word with numbers substituted for letters in your own cipher (offset or backwards or whatever you can remember). Less easy to discover, but easy to recall.
[identity profile] watervole.livejournal.com 2013-09-18 08:20 am (UTC)
The problem with that one is that you need to write the mnemonic down somewhere (in order to remember which bank account you've used it for out of all the 20-odd passwords you have memorised already). If anyone finds the mnemonic, then they could work out the password. (Though I have to say that the mnemonic for the password I ended up with is no better - I regard it as one of my least secure passwords.)

[identity profile] sam-t.livejournal.com 2013-09-18 08:45 am (UTC)
Maybe consider a password safe?

[identity profile] luckykaa.livejournal.com 2013-09-17 02:38 pm (UTC)
10 digits isn't hugely secure. 6 randomly chosen digits and mixed case letters would be more secure.
[identity profile] watervole.livejournal.com 2013-09-18 08:15 am (UTC)
But that also hits the 'write it down' problem. Though it is a bit better as long as I can have mostly letters.

When allowed a mixture of my own choosing, I can do better. I can find mnemonics - did that recently for funding circle - I have a password that is a mixture, but I think would be very difficult for anyone else to guess, but is still memorable for me.

[identity profile] luckykaa.livejournal.com 2013-09-18 09:05 am (UTC)
Sorry. I need to explain my meaning a bit more clearly. It was a comment on password strength.

6 characters will be rejected by most password systems as insecure. This will take 6 times as many guesses for a computer as a 10 digit number. At 1000 guesses a second, this will be guessed in a few months. Of course the banks systems will detect this sort of attack, and block it, but they shouldn't really rely on this.

This xkcd strip illustrates the problem: http://xkcd.com/936/

[identity profile] inamac.livejournal.com 2013-09-17 05:00 pm (UTC)
There is nothing secure about a ten digit number - because everyone is going to write it down somewhere, or it'll be a birthdate + something obvious. Both basic tests for hackers.

This is especially true about older customers, who would be particularly vulnerable to fraudsters getting access to their bank details (and we all know how sympathetic banks are to victims of those crimes).

Have you pointed this out to the bank?

(And I can't remember most of my four-digit PIN numbers, let alone my mobile number. One of the many reasons I don't do online banking.)

[identity profile] makyo.livejournal.com 2013-09-17 08:59 pm (UTC)
One approach is to choose a memorable ten-word phrase (or the first ten words of a longer passage) and turn it into a ten-digit number by counting the letters in each word. So, for example, "the first thing we do, let's kill all the lawyers" (from Henry VI part II) becomes 3552244337. I think this should be reasonably secure (certainly more so than using a phone number or pi) unless I've missed something obvious.
[identity profile] watervole.livejournal.com 2013-09-18 08:11 am (UTC)
I've actually adopted this trick for the 5 numeral password they want in addition to the 10 digit one, but the problem with doing this for a long number is the risk of a counting error while doing the conversion. Especially for 2 digit letters.

[identity profile] murphys-lawyer.livejournal.com 2013-09-17 11:35 pm (UTC)
All numbers?

ALL NUMBERS?!!1 ELEVENTY!1!

I wouldn't waste a bullet on the moron who thought in this day and age that a ten digit number was an acceptable password for a financial system. I have a five-foot stick I keep next to my desk with "Mr. Clue" written on it, and it's long overdue for an outing.

At the very least, I would drop heavy hints that they set the system up to fail and blame the customers when their accounts were emptied, on the grounds that "you obviously shared your PIN" or "you chose something too obvious".

In all seriousness, look at other business banks, and hope to Great Turing's Ghost their security is put together by someone with half a clue.

[identity profile] rockwell-666.livejournal.com 2013-09-17 11:59 pm (UTC)
What pillock came up with *that* brilliant idea?!

Making it all numbers reduces the complexity massively, requiring it to be exactly ten digits is even more stupid because it lets hackers know precisely how many characters are in it so they don't even have to try 8, 9 or 11 digit versions!

You should send the bank a copy of this XKCD strip: http://xkcd.com/936/

[identity profile] dumain.com (from livejournal.com) 2013-09-18 08:19 am (UTC)
Memorise a trivial hashing algorithm and apply it to the bank account number plus a memorable secret to derive the PIN. That's what I do with my bank/credit card PINs. The hashing algorithm is obviously not strong, but by the time anyone has enough samples to figure out what it is they will already have all my PINs. Might seem a little over the top, but I find memorising an algorithm easier than an arbitrary digit string.

[identity profile] inamac.livejournal.com 2013-09-18 07:02 pm (UTC)
Memorable 10 digit number:

0123456789

(I'd be willing to bet a lot of people use that.)

[identity profile] espresso-addict.livejournal.com 2013-09-19 12:51 am (UTC)
I can't remember numbers at all. Suggest writing it down and putting the note into something locked at home. We also store passwords in a spreadsheet protected with a decent encryption program on a hard-drive that's also encrypted, but that's harder to organise.

[identity profile] eledonecirrhosa.livejournal.com 2013-09-19 12:43 pm (UTC)
Could you have a string of shorter memorable numbers, and leave yourself a clue in words somewhere?

Like this: year we bought the cat - my height in cm - favourite BBC channel - number of cherry trees in garden.
[identity profile] watervole.livejournal.com 2013-09-19 01:26 pm (UTC)
I quite like that suggestion.

[identity profile] linda-joyce.livejournal.com 2013-09-22 08:59 am (UTC)
Do you know your grandparents' birthdays? A combination of these numbers might work, e.g. month and day from one set, year in full from the other: e.g. year from granny A, month and day from grandpa X. Though even that only gives you 8 digits; add the day from grandpa A. It could be done with parents' birthdays, but that would be a bit obvious too.