PIN Numbers
-
I find it amazing that signing onto some websites you have to use X amount of digits, X amount of upper and lower case letters, and X amount of characters. Now I have those same accounts telling me I have to use 4-digit PINs. Yet some demanded up to 12 digits etc to sign up. But it's OK because they have 'secure' websites.
-
12 Replies
-
It seems to be since around the time of those programs coming out that store all your passwords for you.
I don't know if that would be relevant, because if you have the phone with all their passwords in, you likely have access to their email and phone, which the PIN gets sent to -
A bit of maths.
A four-digit PIN has 10 possible numbers for each of the four digits = 10^4 combinations, or 10,000.
If we decide to have 6 numbers in our PIN the combinations would be = 10^6, or 1,000,000.
Passwords follow the same maths, so 8 characters long and if we have all the printable ASCII characters = 94, the possible combinations = 94^8.
From this we can see increasing the number of characters in a password is very powerful.
I generally avoid the obvious because people wanting to be in will try those first: 0000, 1111, 1234, 4321, birthdates, "password", names, patterns on the keyboard, etc. -
Ultimate stupidity.
Yesterday I had cause to phone my broadband supplier. I always use my mobile for these calls as my mobile number allows them to find my account details immediately. So I tell them what I want, and they advise they need to ask a few security questions.
Question 1, "What is your mobile number?"
Question 2. "I have sent a 4-digit number to your mobile, can you read it back to me?"
I despair. -
@Rolebama I logged on to my account with my cellphone provider because I got a new phone and wanted to activate it and keep my existing number. For the life of me I could not remember the password so I did the "Click here to reset your password" thing. I did and the next message was "We have sent a 6 digit number to your e-mail address on record". Well that's great except that e-mail address was no longer valid.
No matter what I did they insisted on sending a security code to my now defunct e-mail address.
I went through the automated "Press this number" etc and went round in circles but could never actually talk to a live person, just the bloody machine.
Funny that when I pressed the number to have my phone service terminated I had a customer service rep on the phone instantly asking why I no longer wanted their wonderful service. Five minutes later it was all sorted. 😏 -
@olduser
I think your maths is spot on, but my understanding was the issue is the other way round, i.e. the 4-digit PIN is introduced at a later date. If you already have a password with 94^8 combinations, adding in a second requirement of a 4-digit PIN only increases the security by a minuscule amount.
On a slightly different note, I'd be interested to know the logic behind how password requirements are decided, as there must be a lot of juggling between usability and security, with diminishing returns thrown in too!
Editing to add: I'm guessing there comes a point where there are so many combinations you effectively have zero chance of guessing it with brute force (i.e. statistically it might take longer than a lifetime), and more characters becomes a burden that doesn't offer any extra tangible security.
Last edited by Drivingforfun; 23-03-26 at 11:15.
-
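Added example, not part of the thread: a short Python script that puts numbers on olduser's 10^4 / 94^8 arithmetic above and on Drivingforfun's point that stacking a 4-digit PIN on an existing password adds very little. The guess rates, the 94-character alphabet and the "5 wrong attempts, 15-minute lockout" policy are assumed values chosen for illustration, not figures from the thread, and the bit counts assume the secret is chosen uniformly, which human-picked PINs are not.

```python
import math

# Constructed parameters for illustration (assumptions, not figures from the
# thread): a 4- or 6-digit PIN, a password over the 94 printable ASCII
# characters, and two hypothetical attacker guess rates.
PRINTABLE_ASCII = 94
ONLINE_GUESSES_PER_SEC = 10          # hammering a login form with no lockout
OFFLINE_GUESSES_PER_SEC = 10 ** 10   # cracking a leaked fast hash on GPUs


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets of `length` symbols over the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the keyspace; only valid if the secret is chosen uniformly.
    Human-chosen PINs (0000, 1234, birth years) are far from uniform, so the
    real figure for a typical user is lower than this."""
    return length * math.log2(alphabet_size)


def combined_bits(*factors):
    """Independent secrets multiply keyspaces, so their bits simply add.
    Each factor is an (alphabet_size, length) pair."""
    return sum(entropy_bits(a, n) for a, n in factors)


def expected_seconds(space: int, guesses_per_sec: float) -> float:
    """Expected time to hit a uniformly random secret: half the keyspace."""
    return space / 2 / guesses_per_sec


def max_online_attempts_per_day(lockout_after: int, window_minutes: int) -> int:
    """Guesses per account per day if the service locks the account for
    `window_minutes` after `lockout_after` wrong attempts (assumed policy)."""
    return lockout_after * (24 * 60 // window_minutes)


def guess_probability(space: int, attempts: int) -> float:
    """Chance that `attempts` distinct guesses include the secret."""
    return min(1.0, attempts / space)


if __name__ == "__main__":
    rows = [
        ("4-digit PIN", (10, 4)),
        ("6-digit PIN", (10, 6)),
        ("8-char password", (PRINTABLE_ASCII, 8)),
        ("12-char password", (PRINTABLE_ASCII, 12)),
    ]
    for name, (a, n) in rows:
        space = keyspace(a, n)
        print(f"{name:18s} {space:>25,d} {entropy_bits(a, n):6.1f} bits  "
              f"online {expected_seconds(space, ONLINE_GUESSES_PER_SEC):.3g} s  "
              f"offline {expected_seconds(space, OFFLINE_GUESSES_PER_SEC):.3g} s")

    # Stacking a 4-digit PIN on an 8-char password adds only about 13.3 bits.
    print("8-char password + 4-digit PIN: %.1f bits"
          % combined_bits((PRINTABLE_ASCII, 8), (10, 4)))

    # A 4-digit PIN only survives online guessing if attempts are capped.
    per_day = max_online_attempts_per_day(5, 15)
    print("lockout 5 tries / 15 min -> %d guesses per day, p(success per day) = %.3f"
          % (per_day, guess_probability(keyspace(10, 4), per_day)))
```

The last two lines are the practitioner's takeaway: a 4-digit PIN is not a replacement for a 12-character password in keyspace terms (about 13 bits against about 79), and it is only tolerable as a second step if the server strictly limits online attempts, because even a modest lockout policy still allows hundreds of guesses per account per day.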
@Drivingforfun Not sure I got my point across, but the 4-digit number is used as a replacement for my 12-character password.
On a similar note, I love it when someone phones me and wants to ask security questions, but the call cuts when I point out they called me, and I will not talk to them unless they answer my security questions. Mind, it helps Royal Mail profits when they write to me. -
Q1 Test to see if the caller is the owner of the mobile the call is on.
Q2 Is this your phone, and not subject to a replacement card scam?
Yes, if you have not turned it off, your mobile will give them your number, which is risky (giving the world your mobile number willy-nilly is not good), but I would want them to use other questions to confirm it was me making the call.
Account password, email address, address, or answer to one of the security questions.
I know it's a bind, when we are asked what appear to be questions that they already know the answers to, but I would rather they did that than make it easy for scammers.
Sending a code to your phone number: unless the scammers are very sophisticated, only your phone can receive that code.
NB there is software that will allow a third party to see what is on your phone screen but they have to get that onto your phone, you have to authorise it loading, and then you have to turn it on. -
@Rolebama oh, I see now
On sending letters, when my granny was still alive and getting her state pension, sometime in the 70s they introduced a £10 Christmas bonus which was a nice amount back then - it did quite a bit of her Christmas shopping. They always sent a letter to inform the £10 had been paid in.
They still do it today but the £10 hasn't been increased with inflation. It seems odd to spend the money sending out a letter to everyone, especially now with online banking. I don't know how many letters that is, but I get it with my PIP, on top of state pensioners, and I think unemployed people get it too; it must be several million letters -
The trend has been to move toward two factor security, or bio security.
They feel two factor is so good they can reduce the password down to a pin number.
Yet the original idea was to increase the security?
As you quite rightly point out, there has to be a compromise between length of passwords and memorability, or there is the risk that, if it is too long, the user is tempted to write it down. -
I get a letter once per year telling what the state pension will be next year.
Thinking about it, I think they take the cost of living in September as the guide to pension increases so that's why they write around Sept for the following year.
I assume the government negotiate special rates for post? -
Any large user can negotiate discounts from the Post Office/Royal Mail.
When I was a manager in Birmingham, we used to frank all our outgoing mail, including parcels. Letters went through a machine that printed 1st or 2nd class on them as appropriate. I was more concerned with parcels and we posted them all over the world.
The operator would weigh the parcel and then look up the rate in a book provided by the PO. This not only gave the postal charge but also listed all the rules relating to each country. They would enter the correct postage and print a sticky label to attach.
The PO routed foreign parcels through a sorting office in London, where they checked the postage. On one occasion I got a refund when one of my guys looked up the rate for Guyana instead of Ghana.