• Quango (cs)

    Sorry just had to do this..

    Sadly this over-compensating-defeats-the-object isn't uncommon in corporate and even small businesses.

  • dpm (cs)

    . . . because everyone knows that passwords longer than 12 characters are easier to guess.

  • CaptainSmartass (cs)

    So the password has to be at least 8 characters, and must be over 6 characters long. Got it.

  • andres (unregistered)

    The can still do better:

    http://www.dilbert.com/strips/comic/2005-09-10/

  • dogbrags (cs)

    Adding exclamation marks to the end of each requirement makes them much more exciting than normal requirements. [Must not contain your username!]

  • Mcoder (cs)

    Yeah, between 8 and 12 chars, at no more than 8 letters, no more than 8 digits, no scpecial character, no repeating character.

    That makes for an EASY AS HELL password to crack.

  • James Q. Smithers (unregistered)

    "be at least 6 characters long, contain 3/4 of uppercase, lowercase, digits and punctuation marks"

    Does this mean a password must be 75% upper case, 75% lowercase, 75% digits, and 75% punctuation?

    Or does it mean that the 75% of the password must be one of [uppercase, lowercase, digit, or punctuation]?

  • jim (unregistered) in reply to dogbrags
    dogbrags:
    Adding exclamation marks to the end of each requirement makes them much more exciting than normal requirements. [Must not contain your username!]

    These rules should be in Comic Sans.

  • James Q. Smithers (unregistered)

    (continued ... see next post)

    "and may not contain your user name or any part of your full name."

    Oh. So if my name is James Q. Smithers, the letters [list of letters deleted] are disallowed? That's good, I like that. My buddy Charles "Zippy" Quanstrom-Peebles likes it a lot, too.

  • Bill (unregistered)

    When I was working on a project for a major government agency we were in a meeting with the client when she needed her latest password (they had very stringent password rules), she pulled up her calendar, navigated to a certain date and pulled out her password.

    I was floored. She has this password stored in a public calendar (at least within her organization) and in plain text.

    This is the problem with creating really strigent password rules, people can't remember them and write them down in tremendously insecure ways.

    Rule of security vs. usability

    secure <------------------------------------------> usable

    You can't have both, you get more secure it gets less usable, you get more usable (think Microsoft adding scripting to email) you get less secure.

  • DCRoss (cs) in reply to andres
    andres:
    The can still do better:

    http://www.dilbert.com/strips/comic/2005-09-10/

    Or even http://www.dilbert.com/fast/2011-04-28/.

    But that would be spamming, so I'm going to complain a bit here.

  • James Q. Smithers (unregistered)

    Notes to self while trying to post a simple comment:

    ***I don't know why this post might be considered spam. Any guesses? Is "Quanstrom-Peebles" some sort of slang I don't know about? Will this note fix it?

    ***No, that didn't do it. Maybe I should put in a link to some dodgy erection-peddler, just to see if that helps?

    *** Okay, copy the comment text into a new comment, let's see if that does it.

    *** No. What if I take out the quote markup?

    *** different name?

    *** Maybe akismet is just on the rag today.

    *** AH! It's the list of the letters in "James Q. Smithers" that it doesn't like!

  • Alargule (unregistered) in reply to Mcoder
    Mcoder:
    Yeah, between 8 and 12 chars, at no more than 8 letters, no more than 8 digits, no scpecial character, no repeating character.

    That makes for an EASY AS HELL password to crack.

    You did check the other requirements, or didn't you?

    I'd like to see this captured in a regex...

  • Rob (unregistered)

    I think I figured it out. If no password is valid, then nobody can hack into the system. They get 100% system security, at the low cost of 0% system usage. A security analyst's dream come true.

    CAPTCHA: facilisi (not a valid password)

  • Anon (unregistered)
    • be at least 6 characters long, contain 3/4 of uppercase, lowercase, digits and punctuation marks, and may not contain your user name or any part of your full name.

    First I read this as my password must be three quarters uppercase, three quarters lowercase, three quarters digits and three quarters punctuation (that's 12 quarters for those keeping count)

    Then I realized it must mean contains 3 or 4 uppercase, 3 or 4 lowercase, 3 or 4 digits and 3 or 4 punctuation. Of course to follow that rule, your password must be at least 12 characters, so the "must be at least 6 characters" is redundant. Also the punctuation part is difficult when they've already explicitly forbidden several marks.

  • Rob (unregistered) in reply to Quango
    Quango:
    Sorry just had to do this..

    I'm sorry, that is not a valid FRIST, as it doesn't contain lower-case letters or digits!

    Please change your FRIST as soon as possible, or your FRIST privileges will be locked out!

    Thank you!

  • Anon (unregistered) in reply to Bill

    Also, more rules restricting stating what your password can't be = less entropy = less secure.

  • Mark (unregistered)

    OK, seriously, where is the WTF? Other than the restrictions on symbols and max. length, I've had numerous (memorized) passwords over the years that would satisfy these requirements.

  • My Name (unregistered)

    abcdEFGH

    maybe?

  • Steve The Cynic (cs) in reply to James Q. Smithers
    James Q. Smithers:
    "be at least 6 characters long, contain 3/4 of uppercase, lowercase, digits and punctuation marks"

    Does this mean a password must be 75% upper case, 75% lowercase, 75% digits, and 75% punctuation?

    Or does it mean that the 75% of the password must be one of [uppercase, lowercase, digit, or punctuation]?

    No, it means you must use characters from at least three of the four categories, aside from the forbidden punctuation marks, obviously. I had a similar situation once, except the rules were: "must be at least 7 but not more than 8 characters, and if 7 then all four categories must feature, else only three", with the categories being uppercase, lowercase, digits, and symbols, and the added proviso that uppercase in the first position did not count as using uppercase, and digits in the last position did not count as using digits. So I kept the same last 5 characters the same in all passwords and invented various three character combinations involving letters and digits to lead them, generally expressing my dissatisfaction with the rules (1ck for ick, u6h for ugh, etc.). Overall, a security disaster.

  • Staffan (unregistered)

    With all those rules an attacker would have an easy task at hand.

    Everything is so restricted so the password space should probably be reduced to something responding to 6 characters or so.

  • Mark (unregistered) in reply to Anon
    Anon:
    • be at least 6 characters long, contain 3/4 of uppercase, lowercase, digits and punctuation marks, and may not contain your user name or any part of your full name.

    First I read this as my password must be three quarters uppercase, three quarters lowercase, three quarters digits and three quarters punctuation (that's 12 quarters for those keeping count)

    Then I realized it must mean contains 3 or 4 uppercase, 3 or 4 lowercase, 3 or 4 digits and 3 or 4 punctuation. Of course to follow that rule, your password must be at least 12 characters, so the "must be at least 6 characters" is redundant. Also the punctuation part is difficult when they've already explicitly forbidden several marks.

    Or, more likely, they mean you must use at least 3 of the 4 character classes (uppercase, lowercase, digits, punctuation)

  • frits (cs)

    We had a similar policy that was implemented at a former employer of mine. Actually, it was more asinine. The original policy madated passwords be 7 characters long, but changed every 3 months. The CFO didn't like changing his password so often. A compromise was struck and users only had to change passwords every 3 months. However, all passwords must be at least 14 characters long. It all made sense, since 6/3 = 14/7...

    The result, of course was most users had their passwords written somewhere within 2 feet (61 cm.) of their computers. Our director of IT decided to have a crackdown and started threatening to make examples of people who wrote down their passwords. The IT director wasn't a total ogre, however, and actually had a pragmatic workaround: anyone who had trouble remembering the long passwords should just use their old 7 character password typed twice.

  • Lockwood (cs)

    One of the hospitals around here had a complex password rule, with a "do not reuse passwords that were used before, for the last X amount of time" rule added in.

    This caused a lot of post-it notes on monitors.

  • pdpi (unregistered) in reply to Anon

    Upper, lower, digits, punctuation are 4 different classes of characters. your password must contain characters from 3 out of 4 classes.

  • Dazed (unregistered)

    I don't think the problem is so much being able to remember your password as trying to find a valid one in the first place. I can see it now:

    • (shout) "WTF can I use for a password?"
    • (shout from another cubicle) "QWErty123$%^ seems to work*"
    • everyone in the office now uses the same password.
    • This is a hypothesis on my part, not a promise.
  • Jon H. (unregistered)
    Article:
    • have no more than 1 pair(s) of repeating characters!

    We don't even have that luxury at work. you can't imagine how many passwords end up having a pair of repeating characters.

    Plus, TRWTF is having a cap on password length. Is there a reason to that? Do longer password hashes take more space than normal ones?

  • boog (cs)

    I think this might have been a former client of mine. I remember having to change my password and have some full-page list of crazy-ass requirements, some of which were redundant ("must be at least 8 characters" then further down the page "must be at least 6 characters").

    I'm guessing the way they come up with this list is every time they hear of a potential risk or breach (such as passwords written on post-its) they get IT managers in a room to review the list to figure out what they're doing wrong, and what rule they can add to the list to quick-fix it.

  • pippin (unregistered)
    have at least 8 character(s)
    or
    be at least 6 characters long
    Not only is it absurd, but it's contradictory! (exclamation included to give my comment added umpfh ;)
  • boog (cs) in reply to Anon
    Anon:
    • be at least 6 characters long, contain 3/4 of uppercase, lowercase, digits and punctuation marks, and may not contain your user name or any part of your full name.
    First I read this as my password must be three quarters uppercase, three quarters lowercase, three quarters digits and three quarters punctuation (that's 12 quarters for those keeping count)
    12 quarters = 3 passwords.

    That is a bit excessive.

  • trtrwtf (unregistered)

    Speaking of such things, is there any real reason to suppose that changing passwords every N days increases security? Wouldn't it make more sense to just require a sufficiently complex and long password and leave it at that? I think just about anyone could memorize a truly random 14-character password if they had to type it every day, but if you have to change it once a month then you have to come up with algorithms for generating "unguessable" passwords. These include things like regular substitutions, which become well known (ie, @ for a, 1 for i or l, and so forth), and the purpose is successfully defeated.

  • Pat (unregistered)

    The real WTF is the validation code they'll use to enforce that policy...

  • boog (cs) in reply to Jon H.
    Jon H.:
    ...TRWTF is having a cap on password length. Is there a reason to that? Do longer password hashes take more space than normal ones?
    To answer your first question: longer passwords result in more calls to the helpdesk to reset passwords that users forgot or mistyped more than 3 times.

    In other words, the excuse for a cap on password length could just be outright laziness.

  • Spivonious (unregistered)

    My company doesn't let you use any of the last five passwords. So I have a post-it in my drawer that has the last five passwords on it. I figure if the hacker has access to my desk, he deserves access to my PC.

  • da Doctah (cs)

    Still searching for that elusive tipping point where the rules become so stringent that the typical user will only be able to think of one or two passwords that the system will accept.

    At which point you find that three quarters of your user population are using the same password.

  • trtrwtf (unregistered) in reply to Spivonious
    Spivonious:
    My company doesn't let you use any of the last five passwords. So I have a post-it in my drawer that has the last five passwords on it. I figure if the janitor has access to my desk, he deserves access to my PC.

    FTFY

  • Kempeth (unregistered)

    Hmm. Aside from that last requirement my password would work if I trimmed some characters off the end...

    Is that good or bad?

  • Marvin the Martian (unregistered)

    With this many restrictions, wouldn't it be easier to just circulate a whitelist of passwords that will pass the rules?

  • Justin (unregistered) in reply to trtrwtf
    trtrwtf:
    Spivonious:
    My company doesn't let you use any of the last five passwords. So I have a post-it in my drawer that has the last five passwords on it. I figure if the janitor has access to my desk, he deserves access to my PC.

    FTFY

    HA!

  • Dazed (unregistered) in reply to boog
    boog:
    To answer your first question: longer passwords result in more calls to the helpdesk to reset passwords that users forgot or mistyped more than 3 times.
    The limit of 3 attempts is a WTF itself. It was probably reasonable in the days when people had to remember one password of five or six characters. If you are going to enforce long passwords and make people change them as well, then you should allow 6 attempts at least.
  • Justin Thought (unregistered) in reply to Jon H.
    Jon H.:
    Article:
    • have no more than 1 pair(s) of repeating characters!

    We don't even have that luxury at work. you can't imagine how many passwords end up having a pair of repeating characters.

    Plus, TRWTF is having a cap on password length. Is there a reason to that? Do longer password hashes take more space than normal ones?

    This whole article smells of a method of password verification by trial and error. In other words, you monitor passwords and determine which ones are not-secure and then add a new rule to make that one illegal. This means that the IT department was monitoring people's passwords in plain-text.

    My second conjecture is that a regular expression was being used. The length between 8-12 characters was so that the regular expression would not get too big (the writer was not good at regular expressions, which is indicated by not allowing characters that are regex-special characters).

  • boog (cs) in reply to Anon
    Anon:
    Also, more rules restricting stating what your password can't be = less entropy = less secure.
    I keep wondering when "security experts" (or whatever managers like to call themselves) will create that one password rule that really limits the password space.
    • your password may not contain adjacent letters or adjacent numbers (they must alternate: S2t3u8p1d)
    • your password may not contain letters/numbers from your username (I can't use b, o, g, B, O, or G)
    • your password may not contain any consecutive letters/numbers (if you use C, you can't use B or D anywhere)
    • your password must be selected from the list of security-expert-approved passwords, which you can find on the company website

    Oh yeah, I do see that last one happening somewhere in the next 10 years.

  • Anne (unregistered)

    Worse than that, all these rules actually make the passwords less secure.

    One of the rules I don't ever get is why you would restrict a password in length. A minimum number of characters I understand, but a maximum? Where's the reasoning behind that?

    The same goes for "leading character must be a letter"? Why can't it be a number? Why are characters forbidden? You're actually reducing the number of possible passwords here.

  • The Corrector (unregistered) in reply to boog
    boog:
    Anon:
    • be at least 6 characters long, contain 3/4 of uppercase, lowercase, digits and punctuation marks, and may not contain your user name or any part of your full name.
    First I read this as my password must be three quarters uppercase, three quarters lowercase, three quarters digits and three quarters punctuation (that's 12 quarters for those keeping count)
    12 quarters = 3 <span style="color:black;text-decoration:line-through;">passwords</span> dollars.

    That is a bit excessive.

  • The Corrector (unregistered) in reply to The Corrector
    The Corrector:
    boog:
    Anon:
    • be at least 6 characters long, contain 3/4 of uppercase, lowercase, digits and punctuation marks, and may not contain your user name or any part of your full name.
    First I read this as my password must be three quarters uppercase, three quarters lowercase, three quarters digits and three quarters punctuation (that's 12 quarters for those keeping count)
    12 quarters = 3 <span style="color:black;text-decoration:line-through;">passwords</span> dollars.

    That is a bit excessive.

    FTFY

    FTFMS
  • trtrwtf (unregistered) in reply to boog
    boog:
    Anon:
    Also, more rules restricting stating what your password can't be = less entropy = less secure.
    I keep wondering when "security experts" (or whatever managers like to call themselves) will create that one password rule that really limits the password space.
    • your password may not contain adjacent letters or adjacent numbers (they must alternate: S2t3u8p1d)
    • your password may not contain letters/numbers from your username (I can't use b, o, g, B, O, or G)
    • your password may not contain any consecutive letters/numbers (if you use C, you can't use B or D anywhere)
    • your password must be selected from the list of security-expert-approved passwords, which you can find on the company website

    Oh yeah, I do see that last one happening somewhere in the next 10 years.

    Don't forget this one: your password can't contain any sequence of 3 adjacent letters on a qwerty keyboard. No asdf, no zxc.

  • Larry (unregistered)

    TRWTF is the guy in charge of the CAPTCHAs making fun of other people's security methods.

  • TheCPUWizard (cs)

    Ironic... I just compared passwords I use (from memory) for a number of secure systems, and over 90% of them met the requirements [1 out of 17 failed].

    This is on various systems that do not have overly compex rules...guess is speaks volumes about my state of mind <eek!>

  • boog (cs) in reply to Dazed
    Dazed:
    boog:
    To answer your first question: longer passwords result in more calls to the helpdesk to reset passwords that users forgot or mistyped more than 3 times.
    The limit of 3 attempts is a WTF itself. It was probably reasonable in the days when people had to remember one password of five or six characters. If you are going to enforce long passwords and make people change them as well, then you should allow 6 attempts at least.
    Can't agree more that locking accounts after 3 failed attempts is a WTF. I've been saying it for years, but my bank still won't listen to me.

    I've heard a great alternative to locking passwords after the "maximum attempts" is to put delays on that account. After n failed attempts, the next n tries each take 10 seconds to submit, then the next n tries each take 30 seconds to submit, after that it takes 1 minute to submit every time.

    Brute force attacks take a lot longer to search the password space, making them virtually useless.

  • William (unregistered) in reply to Bill
    Bill:
    This is the problem with creating really strigent password rules, people can't remember them and write them down in tremendously insecure ways.

    Rule of security vs. usability

    secure <------------------------------------------> usable

    You can't have both, you get more secure it gets less usable, you get more usable (think Microsoft adding scripting to email) you get less secure.

    You're contradicting yourself here. Think about it. If you increase the security requirements in such a way as to reduce the usability of the system, you're actually decreasing the actual security of the system, because users respond to the lack of usability with tremendously insecure work-arounds to the dysfunctional system.

    The best security is also very usable. Two factor authentication is quite easy to use when done well. Swipe your smart card, run the fingerprint scanner, etc. and also type in your passphrase with no limits other than a minimum 10 characters, full sentences encouraged.

Leave a comment on “Security by Post-It”

Log In or post as a guest

Replying to comment #:

« Return to Article