Wachovia to Wells Fargo Conversion Adventure

Marc Auslander wrote in news: snipped-for-privacy@aptiva.optonline.net:

I've run into this exact problem 3 or 4 tmes when one bank or brokerage merged with another. You'd think someone would verify such things as part of the merge process.

Of course 'You'd think', and "I'd think" and most logical thinking humans would, but something about the transition of customer accounts resulting from bank mergers are never applied by logical thinking humans.

Good news on the reconnection of accounts and credit cards for d/l.

I always like it when you have to setup a new password, on a bank, brokerage, company access, website forum, etc and they NEVER tell you the reqs for the password, but you always get the error messages...

You'll usually have a couple of attempts: length too short not mixed alpha + numeric caps + lower special chars

"ps56k" wrote in news:ilu9bt$7l4$1 @news.eternal-september.org:

The sad thing is that the more restrictive the rules are, the easier it is to crack via a brute force attack.

Not sure I understand this comment. If the rules are to make the password more restrictive, thus adding to the possible combinations, why does that make it EASIER to crack? For example, if passwords were allowed only use characters, but then they add a restriction to forcing you to use at least a single digit somewhere in the string, doesn't that increase the number of allowable passwords by a huge factor?

Am I missing something?

"Andrew" wrote in news:4d834aad$0$6168$ snipped-for-privacy@cv.net:

A brute force attack simply tries all possible passwords. Adding restrictions reduces the nubmr of possible combinations.

If I know that the password must contain a number, then I wouldn't bother trying those that are all letters.

Allowing numbers, letters and mixed case in a password is good. Requiring them is not.

The only advantage to the "must contain a number" rule is that it makes dictionary attacks (try all words from the dictionary) harder. But some people get around that but putting a number in front of or at the end of a word. So the next logical rule is that there must be a number, but it has to be somewhere in the middle.

There are better ways to foil a brute force attack. Many systems disable the userid after 3 or 5 successive invalid passwords. Another technique one adds an ever increasing delay after each invalid attempt. So the first try is almost instantaneous, the second one takes a second, the third 10 seconds etc. By the 10th try the system takes mre than a hour to reply, and hopefully by then some human has been notified.

Yes, It decrease the number of passwords.

For a given length string of characters, there are more possible strings if you can use any characters than if you have restrictions. For example, in a 2 character (for simplicity) string, if I am forced to include both letters and numbers, I can create fewer strings than I can if I can use ANY chracters. The strings AB and 12 are not allowed. A person trying to crack this would need only try strings of the form letter-number or number-letter. There are 520 strings of this form (26*10*2) and if any characters are allowed, there are 1296 (36*36) combinations using letters and numbers. Throwing in case and other characters and making longer passwords increases the number of strings but does not change the fact that restrictions on the form reduce the number of possible passwords by a significant amount, by over half in our example.

My (least) favorite was a bank I used to use that let me have a mix of letters and numbers but it *had* to be *exactly* 8 characters long. Talk about easy to crack...

The other, so far unmentioned, problem with *requiring* complex passwords is that it encourages folks to write them down. That doesn't make them easier to guess unless someone finds that slip of paper...

Bruce

OK - I think I misunderstood the definition of a 'restriction'. In my example, having a 'restriction' that one or more of the characters had to be a number INCREASES the number of passwords allowed. I was thinking the word 'restriction' meant enforcing a greater rules definition, NOT reducing the number of characters or types or lengths or whatever.

Got it.

See my reply to Porter. In my example, adding the 'restriction' that you HAD to have a number in the password DOES increase the number of PWs. My confusion was what the term 'restriction' meant. I took it to mean that you were given RULES that had to be followed, such as FORCING at least one digit in the string. In other words, we were RESTRICTING the rule it could NOT be all letters.

Thanks for the post.

Yes, the number of passwords of a given size is smaller if you restrict it just to letters instead of a larger character set. But if you change from allowing just letters to requiring even one number, then for the same lenght passwords, you have reduced the number of passwords by over 60% (because there are 26 letters but only 10 numbers).

But the smartest thing to do is allow any characters of any kind (in the standard computer character set).