Topic Title: Log in
Topic Summary: Still not working despite fiddling with passwords!
Created On: 05 October 2017 07:40 AM
Status: Read Only
 05 October 2017 07:40 AM
davezawadi

Posts: 3956
Joined: 26 June 2002

I tried to log in this morning and was told my password was not complex enough, with the usual string of rules to ensure I would not remember it! Having changed it to something more suitable (which I need to write down, thus making it available to others) I still needed to log in twice to access the forum. The original problem has still not been fixed!

I will now turn to my other job. Those who think that transmitting passwords across the net is a good idea need to think again. It is not necessary to send them at all, just to use easily available encryption techniques to send a different long string each time which bears no relation to either the key string or the password. It appears that those who look at passwords understand nothing about security, be it the allegedly secure banks or the IET. All passwords would then be transmitted as an essentially random string of some length deemed to provide adequate protection against decoding (say 1024 bits) only once, so any kind of attack has essentially zero chance of breaking in. Simple enough to implement, and it no longer matters what the real password is because it will always provide the same length random string.

All of this was invented at GCHQ many years ago, and kept secret for a long time. It is pretty trivial for a modern computer to manage, but we still have this idiotic password business where the actual string is sent in plain language, and rules which make keeping them secret impossible.

You will find another method with my name on it in the Patent database, but the above is entirely adequate for passwords.

-------------------------
David
BSc CEng MIET
david@ZawadiSoundAndLighting.co.uk
 05 October 2017 09:47 AM
AJJewsbury

Posts: 16113
Joined: 13 August 2003

Those who think that transmitting passwords across the net is a good idea need to think again. It is not necessary to send them at all, just to use easily available encryption techniques to send a different long string each time which bears no relation to either the key string or the password.

Isn't that pretty much what happens when the login process is over https? (passwords, like almost everything else, are encrypted in the browser before transmission, using random keys that are re-generated for every session).

- Andy.
 05 October 2017 10:20 AM
AJJewsbury

Posts: 16113
Joined: 13 August 2003

with the usual string of rules to ensure I would not remember it

I do have some sympathy with that - and anything which reduces the set of all possible passwords isn't good cryptographically either - no matter how trivial the difference might seem initially - the classic example was the German Enigma which couldn't ever encrypt a letter as itself - which gave the allies one lever into identifying messages.

The human side technique is perhaps to think in terms of 'pass phrases' rather than 'pass words' though - say "I got up at 6 a.m." or "Babbage - 50 eggs for breakfast!" probably satisfies all their rules but should be reasonably memorable. (Obviously, please, no-one copy those examples for a real password!)

- Andy.
 05 October 2017 01:49 PM
potential

Posts: 1642
Joined: 01 February 2007

Yes, the need to log in twice has been a regular occurrence for years and years.
Fortunately my browser remembers my password so I just have to do a double set of clicking to log on...................................

.................that was until the other day.

Now I cannot log on in the normal way because my password stored on my browser is deemed to be incorrect by the IET website.

I'm typing this because I have access to this forum via a remind-me-of-my-password link which allows me entry to my account.

However when I try to change my password in the "My IET" link I get the message that my current password is incorrect.

Truly a no-win situation.
 05 October 2017 03:26 PM
GeoffBlackwell

Posts: 3798
Joined: 18 January 2003

What a load of messing about!

Because this account is not registered as an IET member I have always had a second one that is - I usually only use it for purchases. It shares the same email address as this account and it seems that is now being detected and rejected.

I would link the accounts but it appears that this is currently not possible.

Regards

Geoff Blackwell
 05 October 2017 04:48 PM
kellyselectric

Posts: 191
Joined: 22 July 2016

Well I have to confess I didn't understand much of the second post. I admit I know absolutely nothing about computers, but I have also noticed I have to log in twice. I thought it was just me. I never said anything, partly through fear I'd be told I was doing it wrong. Is it anything to do with preventing the tinned meat brigade getting in?
 05 October 2017 06:35 PM
davidwalker2

Posts: 306
Joined: 29 April 2009

I also found I could not log in yesterday. But when I tried to change my password, the system didn't recognise me as a member, not my name or membership number. After several attempts I gave up. However, when I tried again later that evening I was able to change my password. But when I tried to change it to a password in use by the IET in another part of the organisation it was judged to be insecure!!

Once more I can log in - but yes it takes two attempts.

David
 05 October 2017 06:45 PM
geoffsd

Posts: 1786
Joined: 15 June 2010

I was this afternoon using my tablet and got the "password policy has been updated etc." which resulted in, and still does, my username and password not being recognised.

However, my PC has not been affected and is still logged in using the bookmark I always use. I also always use the bookmark to return to the home page after reading a thread.
 05 October 2017 09:08 PM
davezawadi

Posts: 3956
Joined: 26 June 2002

HTTPS is only somewhat secure. If one can monitor the whole transaction to set a key, it is easy to break. Fortunately not too many people can manage to do this as it means either a direct connection to one end of the link, or a massive monitoring operation of the entire internet. Using a whole phrase rather than a word is considerably better as it prevents dictionary attacks (at least of a fairly simple kind). However you would be surprised how many sites limit the password length to perhaps 12 characters, which is crazy and extremely ignorant of the site concerned. A hash of the password to 1k or more bits is an excellent idea, and easily implemented on your device, meaning that you can then use any simple password which can be remembered, assuming that this 128 character string is acceptable to the site. I must test the IET!

-------------------------
David
BSc CEng MIET
david@ZawadiSoundAndLighting.co.uk
 05 October 2017 10:30 PM
mapj1

Posts: 9704
Joined: 22 July 2004

I must say I agree, this is an exercise in wasting our time. There is no merit in a complexity that makes the word un-memorable. Personally, as I now cannot remember the new password, and have to have it saved instead, it is a lot less secure here, and I will no longer be so readily logging in from a machine of opportunity. Given I have all my savings quite successfully protected by a 4 digit PIN, I'm not sure what the benefit is of using such a complex system to prevent people to login and pretend to be me... good luck to them.
The downside of a system such as that proposed by DZ, the special scrambling would need to be handled at browser level, or you are locked to a machine with the special scrambling code on it, and if that was done then the browser may be capable of being subverted.

-------------------------
regards Mike
 06 October 2017 09:14 AM
davezawadi

Posts: 3956
Joined: 26 June 2002

Well the best way is to keep the hashing code on your USB key, perhaps with a pin access! Then you can use any computer.

-------------------------
David
BSc CEng MIET
david@ZawadiSoundAndLighting.co.uk
 06 October 2017 10:19 AM
AJJewsbury

Posts: 16113
Joined: 13 August 2003

Well the best way is to keep the hashing code on your USB key, perhaps with a pin access! Then you can use any computer.

Oh no you can't - lots of organisations while happy to let you use their PCs absolutely prohibit removable media - not to mention tablets and phones that don't have a full size USB port. Or the challenge of hashing software that'll work on any OS/processor/architecture. That's the big advantage of a memorable password (or passphrase) - it's just as transportable and compatible as you are.

I have all my savings quite successfully protected by a 4 digit PIN

But only if you have your card at the same time - the PIN is just half of a two-token system - something you have and something you know.

- Andy.
 06 October 2017 11:09 AM
davezawadi

Posts: 3956
Joined: 26 June 2002

Clearly Andy you have missed out on the technology. You don't run the code on the PC you want to use (or Linux or Apple for that matter). Your USB key has its own processor in it, like those used in the Civil Service etc. A PIN in your card takes a second to crack once I have your card, the system is pretty insecure really. All the information you have from M or A etc on their security is a front to stop you asking questions. Why do you think that internet fraud is at an all time high?

-------------------------
David
BSc CEng MIET
david@ZawadiSoundAndLighting.co.uk
 06 October 2017 12:26 PM
AJJewsbury

Posts: 16113
Joined: 13 August 2003

Clearly Andy you have missed out on the technology. You don't run the code on the PC you want to use (or Linux or Apple for that matter). Your USB key has its own processor in it

Interesting - but how do you enter the PIN? Unless the USB stick has its own keypad won't it have to interface with the host machine/OS etc to access the keyboard?

- Andy.
 06 October 2017 12:35 PM
AJJewsbury

Posts: 16113
Joined: 13 August 2003

Ah, I see some of them do indeed have their own little keypad built in! (That just leaves the problem of half my devices that don't have a full sized USB port....)
- Andy.
 06 October 2017 12:41 PM
potential

Posts: 1642
Joined: 01 February 2007

Originally posted by: davezawadi

Clearly Andy you have missed out on the technology. You don't run the code on the PC you want to use (or Linux or Apple for that matter). Your USB key has its own processor in it, like those used in the Civil Service etc. A PIN in your card takes a second to crack once I have your card, the system is pretty insecure really. All the information you have from M or A etc on their security is a front to stop you asking questions. Why do you think that internet fraud is at an all time high?

I'm not criticising the thrust of your argument regarding fraud but the reality regarding "other organisations" is that most are happy to continue using software long past its sell-by date.
For instance Tesco's Scan and Shop software is run on XP systems and AFAIA the software platform of all ATMs is still Windows 2000.

The reason most organisations don't allow the use of portable storage media via USB ports (and others) is 2 fold.
They wish to prevent an intrusion of malware into their software, systems and networks and they want to prevent theft of sensitive and/or valuable information.

The problem I have is I have too many passwords to remember.
I certainly wouldn't want to keep them in one place nor rely on personal encryption. Apart from the storage media getting lost or stolen, I've had too many encryptions go awry to start with!
I have dozens and dozens of different passwords for various purposes and many of them require renewing on a regular basis to maintain my security.

I write my passwords down on paper using codes that only I know the answer to.
(an advantage of being old, most of my friends in the know are dead and my young ones or loved ones have no idea of what I'm talking about.)
 08 October 2017 09:51 PM
kellyselectric

Posts: 191
Joined: 22 July 2016

I just had to change my password following the complexity rules. I had to write it down as I know I've not got a cat in bells chance of actually remembering it. I know it's probably necessary to keep out the tinned meat brigade but it's just another complication. I hope the spammers are happy now they've made another thing more complex, thanks for that! I'm not bitter!!