Security by Post-It

  • Quango 2011-04-28 04:22
    Sorry just had to do this..


    Sadly this over-compensating-defeats-the-object isn't uncommon in corporate and even small businesses.
  • dpm 2011-04-28 10:04
    . . . because everyone knows that passwords longer than 12 characters are *easier* to guess.
  • CaptainSmartass 2011-04-28 10:06
    So the password has to be at least 8 characters, and must be over 6 characters long. Got it.
  • andres 2011-04-28 10:07
    They can still do better:

    http://www.dilbert.com/strips/comic/2005-09-10/
  • dogbrags 2011-04-28 10:07
    Adding exclamation marks to the end of each requirement makes them much more exciting than normal requirements. [Must not contain your username!]
  • Mcoder 2011-04-28 10:16
    Yeah, between 8 and 12 chars, at no more than 8 letters, no more than 8 digits, no special character, no repeating character.

    That makes for an EASY AS HELL password to crack.
  • James Q. Smithers 2011-04-28 10:21
    "be at least 6 characters long, contain 3/4 of uppercase, lowercase, digits and punctuation marks"

    Does this mean a password must be 75% upper case, 75% lowercase, 75% digits, and 75% punctuation?

    Or does it mean that the 75% of the password must be one of [uppercase, lowercase, digit, or punctuation]?
  • jim 2011-04-28 10:21
    dogbrags:
    Adding exclamation marks to the end of each requirement makes them much more exciting than normal requirements. [Must not contain your username!]


    These rules should be in Comic Sans.
  • James Q. Smithers 2011-04-28 10:22
    (continued ... see next post)

    "and may not contain your user name or any part of your full name."

    Oh. So if my name is James Q. Smithers, the letters [list of letters deleted] are disallowed? That's good, I like that. My buddy Charles "Zippy" Quanstrom-Peebles likes it a lot, too.
  • Bill 2011-04-28 10:23
    When I was working on a project for a major government agency we were in a meeting with the client when she needed her latest password (they had very stringent password rules), she pulled up her calendar, navigated to a certain date and pulled out her password.

    I was floored. She has this password stored in a public calendar (at least within her organization) and in plain text.

    This is the problem with creating really stringent password rules: people can't remember them and write them down in tremendously insecure ways.

    Rule of security vs. usability

    secure <------------------------------------------> usable

    You can't have both, you get more secure it gets less usable, you get more usable (think Microsoft adding scripting to email) you get less secure.
  • DCRoss 2011-04-28 10:23
    andres:
    They can still do better:

    http://www.dilbert.com/strips/comic/2005-09-10/


    Or even http://www.dilbert.com/fast/2011-04-28/.

    But that would be spamming, so I'm going to complain a bit here.
  • James Q. Smithers 2011-04-28 10:23
    Notes to self while trying to post a simple comment:

    ***I don't know why this post might be considered spam. Any guesses? Is "Quanstrom-Peebles" some sort of slang I don't know about? Will this note fix it?

    ***No, that didn't do it. Maybe I should put in a link to some dodgy erection-peddler, just to see if that helps?

    *** Okay, copy the comment text into a new comment, let's see if that does it.

    *** No. What if I take out the quote markup?

    *** different name?

    *** Maybe akismet is just on the rag today.

    *** AH! It's the list of the letters in "James Q. Smithers" that it doesn't like!
  • Alargule 2011-04-28 10:26
    Mcoder:
    Yeah, between 8 and 12 chars, at no more than 8 letters, no more than 8 digits, no special character, no repeating character.

    That makes for an EASY AS HELL password to crack.


    You did check the other requirements, or didn't you?

    I'd like to see this captured in a regex...
  • Rob 2011-04-28 10:26
    I think I figured it out. If no password is valid, then nobody can hack into the system. They get 100% system security, at the low cost of 0% system usage. A security analyst's dream come true.

    CAPTCHA: facilisi (not a valid password)
  • Anon 2011-04-28 10:27
    • be at least 6 characters long, contain 3/4 of uppercase,
    lowercase, digits and punctuation marks, and may not
    contain your user name or any part of your full name.


    First I read this as my password must be three quarters uppercase, three quarters lowercase, three quarters digits and three quarters punctuation (that's 12 quarters for those keeping count)

    Then I realized it must mean contains 3 or 4 uppercase, 3 or 4 lowercase, 3 or 4 digits and 3 or 4 punctuation. Of course to follow that rule, your password must be at least 12 characters, so the "must be at least 6 characters" is redundant. Also the punctuation part is difficult when they've already explicitly forbidden several marks.

  • Rob 2011-04-28 10:29
    Quango:
    Sorry just had to do this..



    I'm sorry, that is not a valid FRIST, as it doesn't contain lower-case letters or digits!

    Please change your FRIST as soon as possible, or your FRIST privileges will be locked out!

    Thank you!
  • Anon 2011-04-28 10:31
    Also, more rules stating what your password can't be = less entropy = less secure.
  • Mark 2011-04-28 10:33
    OK, seriously, where is the WTF? Other than the restrictions on symbols and max. length, I've had numerous (memorized) passwords over the years that would satisfy these requirements.
  • My Name 2011-04-28 10:35
    abcdEFGH

    maybe?
  • Steve The Cynic 2011-04-28 10:36
    James Q. Smithers:
    "be at least 6 characters long, contain 3/4 of uppercase, lowercase, digits and punctuation marks"

    Does this mean a password must be 75% upper case, 75% lowercase, 75% digits, and 75% punctuation?

    Or does it mean that the 75% of the password must be one of [uppercase, lowercase, digit, or punctuation]?

    No, it means you must use characters from at least three of the four categories, aside from the forbidden punctuation marks, obviously. I had a similar situation once, except the rules were: "must be at least 7 but not more than 8 characters, and if 7 then all four categories must feature, else only three", with the categories being uppercase, lowercase, digits, and symbols, and the added proviso that uppercase in the first position did not count as using uppercase, and digits in the last position did not count as using digits. So I kept the same last 5 characters the same in all passwords and invented various three character combinations involving letters and digits to lead them, generally expressing my dissatisfaction with the rules (1ck for ick, u6h for ugh, etc.). Overall, a security disaster.
  • Staffan 2011-04-28 10:39
    With all those rules an attacker would have an easy task at hand.

    Everything is so restricted so the password space should probably be reduced to something responding to 6 characters or so.
  • Mark 2011-04-28 10:39
    Anon:
    • be at least 6 characters long, contain 3/4 of uppercase,
    lowercase, digits and punctuation marks, and may not
    contain your user name or any part of your full name.


    First I read this as my password must be three quarters uppercase, three quarters lowercase, three quarters digits and three quarters punctuation (that's 12 quarters for those keeping count)

    Then I realized it must mean contains 3 or 4 uppercase, 3 or 4 lowercase, 3 or 4 digits and 3 or 4 punctuation. Of course to follow that rule, your password must be at least 12 characters, so the "must be at least 6 characters" is redundant. Also the punctuation part is difficult when they've already explicitly forbidden several marks.



    Or, more likely, they mean you must use at least 3 of the 4 character classes (uppercase, lowercase, digits, punctuation)
  • frits 2011-04-28 10:44
    We had a similar policy that was implemented at a former employer of mine. Actually, it was more asinine. The original policy mandated passwords be 7 characters long, but changed every 3 months. The CFO didn't like changing his password so often. A compromise was struck and users only had to change passwords every 3 months. However, all passwords must be at least 14 characters long. It all made sense, since 6/3 = 14/7...

    The result, of course, was most users had their passwords written somewhere within 2 feet (61 cm.) of their computers. Our director of IT decided to have a crackdown and started threatening to make examples of people who wrote down their passwords. The IT director wasn't a total ogre, however, and actually had a pragmatic workaround: anyone who had trouble remembering the long passwords should just use their old 7 character password typed twice.
  • Lockwood 2011-04-28 10:46
    One of the hospitals around here had a complex password rule, with a "do not reuse passwords that were used before, for the last X amount of time" rule added in.

    This caused a lot of post-it notes on monitors.
  • pdpi 2011-04-28 10:48
    Upper, lower, digits, punctuation are 4 different classes of characters. your password must contain characters from 3 out of 4 classes.
  • Dazed 2011-04-28 10:49
    I don't think the problem is so much being able to remember your password as trying to find a valid one in the first place. I can see it now:

    - (shout) "WTF can I use for a password?"
    - (shout from another cubicle) "QWErty123$%^ seems to work*"
    - everyone in the office now uses the same password.

    * This is a hypothesis on my part, not a promise.
  • Jon H. 2011-04-28 10:52
    Article:
    • have no more than 1 pair(s) of repeating characters!


    We don't even have that luxury at work. You can't imagine how many passwords end up having a pair of repeating characters.

    Plus, TRWTF is having a cap on password length. Is there a reason to that? Do longer password hashes take more space than normal ones?
  • boog 2011-04-28 10:53
    I think this might have been a former client of mine. I remember having to change my password and have some full-page list of crazy-ass requirements, some of which were redundant ("must be at least 8 characters" then further down the page "must be at least 6 characters").

    I'm guessing the way they come up with this list is every time they hear of a potential risk or breach (such as passwords written on post-its) they get IT managers in a room to review the list to figure out what they're doing wrong, and what rule they can add to the list to quick-fix it.
  • pippin 2011-04-28 10:55
    have at least 8 character(s)

    or
    be at least 6 characters long

    Not only is it absurd, but it's contradictory! (exclamation included to give my comment added umpfh ;)
  • boog 2011-04-28 10:56
    Anon:
    • be at least 6 characters long, contain 3/4 of uppercase,
    lowercase, digits and punctuation marks, and may not
    contain your user name or any part of your full name.

    First I read this as my password must be three quarters uppercase, three quarters lowercase, three quarters digits and three quarters punctuation (that's 12 quarters for those keeping count)
    12 quarters = 3 passwords.

    That is a bit excessive.
  • trtrwtf 2011-04-28 10:58
    Speaking of such things, is there any real reason to suppose that changing passwords every N days increases security? Wouldn't it make more sense to just require a sufficiently complex and long password and leave it at that? I think just about anyone could memorize a truly random 14-character password if they had to type it every day, but if you have to change it once a month then you have to come up with algorithms for generating "unguessable" passwords. These include things like regular substitutions, which become well known (ie, @ for a, 1 for i or l, and so forth), and the purpose is successfully defeated.
  • Pat 2011-04-28 11:04
    The real WTF is the validation code they'll use to enforce that policy...
  • boog 2011-04-28 11:04
    Jon H.:
    ...TRWTF is having a cap on password length. Is there a reason to that? Do longer password hashes take more space than normal ones?
    To answer your first question: longer passwords result in more calls to the helpdesk to reset passwords that users forgot or mistyped more than 3 times.

    In other words, the excuse for a cap on password length could just be outright laziness.
  • Spivonious 2011-04-28 11:07
    My company doesn't let you use any of the last five passwords. So I have a post-it in my drawer that has the last five passwords on it. I figure if the hacker has access to my desk, he deserves access to my PC.
  • da Doctah 2011-04-28 11:07
    Still searching for that elusive tipping point where the rules become so stringent that the typical user will only be able to think of one or two passwords that the system will accept.

    At which point you find that three quarters of your user population are using the same password.
  • trtrwtf 2011-04-28 11:08
    Spivonious:
    My company doesn't let you use any of the last five passwords. So I have a post-it in my drawer that has the last five passwords on it. I figure if the janitor has access to my desk, he deserves access to my PC.


    FTFY
  • Kempeth 2011-04-28 11:13
    Hmm. Aside from that last requirement my password would work if I trimmed some characters off the end...

    Is that good or bad?
  • Marvin the Martian 2011-04-28 11:15
    With this many restrictions, wouldn't it be easier to just circulate a whitelist of passwords that will pass the rules?
  • Justin 2011-04-28 11:16
    trtrwtf:
    Spivonious:
    My company doesn't let you use any of the last five passwords. So I have a post-it in my drawer that has the last five passwords on it. I figure if the janitor has access to my desk, he deserves access to my PC.


    FTFY


    HA!
  • Dazed 2011-04-28 11:16
    boog:
    To answer your first question: longer passwords result in more calls to the helpdesk to reset passwords that users forgot or mistyped more than 3 times.

    The limit of 3 attempts is a WTF itself. It was probably reasonable in the days when people had to remember one password of five or six characters. If you are going to enforce long passwords and make people change them as well, then you should allow 6 attempts at least.
  • Justin Thought 2011-04-28 11:17
    Jon H.:
    Article:
    • have no more than 1 pair(s) of repeating characters!


    We don't even have that luxury at work. You can't imagine how many passwords end up having a pair of repeating characters.

    Plus, TRWTF is having a cap on password length. Is there a reason to that? Do longer password hashes take more space than normal ones?

    This whole article smells of a method of password verification by trial and error. In other words, you monitor passwords and determine which ones are not-secure and then add a new rule to make that one illegal. This means that the IT department was monitoring people's passwords in plain-text.

    My second conjecture is that a regular expression was being used. The length between 8-12 characters was so that the regular expression would not get too big (the writer was not good at regular expressions, which is indicated by not allowing characters that are regex-special characters).
  • boog 2011-04-28 11:17
    Anon:
    Also, more rules stating what your password can't be = less entropy = less secure.
    I keep wondering when "security experts" (or whatever managers like to call themselves) will create that one password rule that really limits the password space.

    - your password may not contain adjacent letters or adjacent numbers (they must alternate: S2t3u8p1d)
    - your password may not contain letters/numbers from your username (I can't use b, o, g, B, O, or G)
    - your password may not contain any consecutive letters/numbers (if you use C, you can't use B or D anywhere)
    - your password must be selected from the list of security-expert-approved passwords, which you can find on the company website

    Oh yeah, I do see that last one happening somewhere in the next 10 years.
  • Anne 2011-04-28 11:19
    Worse than that, all these rules actually make the passwords less secure.

    One of the rules I don't ever get is why you would restrict a password in length. A minimum number of characters I understand, but a maximum? Where's the reasoning behind that?

    The same goes for "leading character must be a letter"? Why can't it be a number? Why are characters forbidden? You're actually reducing the number of possible passwords here.
  • The Corrector 2011-04-28 11:20
    boog:
    Anon:
    • be at least 6 characters long, contain 3/4 of uppercase,
    lowercase, digits and punctuation marks, and may not
    contain your user name or any part of your full name.

    First I read this as my password must be three quarters uppercase, three quarters lowercase, three quarters digits and three quarters punctuation (that's 12 quarters for those keeping count)
    12 quarters = 3 passwords dollars.

    That is a bit excessive.
  • The Corrector 2011-04-28 11:22
    The Corrector:
    boog:
    Anon:
    • be at least 6 characters long, contain 3/4 of uppercase,
    lowercase, digits and punctuation marks, and may not
    contain your user name or any part of your full name.

    First I read this as my password must be three quarters uppercase, three quarters lowercase, three quarters digits and three quarters punctuation (that's 12 quarters for those keeping count)
    12 quarters = 3 passwords dollars.

    That is a bit excessive.

    FTFY

    FTFMS
  • trtrwtf 2011-04-28 11:22
    boog:
    Anon:
    Also, more rules stating what your password can't be = less entropy = less secure.
    I keep wondering when "security experts" (or whatever managers like to call themselves) will create that one password rule that really limits the password space.

    - your password may not contain adjacent letters or adjacent numbers (they must alternate: S2t3u8p1d)
    - your password may not contain letters/numbers from your username (I can't use b, o, g, B, O, or G)
    - your password may not contain any consecutive letters/numbers (if you use C, you can't use B or D anywhere)
    - your password must be selected from the list of security-expert-approved passwords, which you can find on the company website

    Oh yeah, I do see that last one happening somewhere in the next 10 years.


    Don't forget this one: your password can't contain any sequence of 3 adjacent letters on a qwerty keyboard. No asdf, no zxc.
  • Larry 2011-04-28 11:23
    TRWTF is the guy in charge of the CAPTCHAs making fun of other people's security methods.
  • TheCPUWizard 2011-04-28 11:24
    Ironic... I just compared passwords I use (from memory) for a number of secure systems, and over 90% of them met the requirements [1 out of 17 failed].

    This is on various systems that do not have overly complex rules... guess it speaks volumes about my state of mind <eek!>
  • boog 2011-04-28 11:24
    Dazed:
    boog:
    To answer your first question: longer passwords result in more calls to the helpdesk to reset passwords that users forgot or mistyped more than 3 times.

    The limit of 3 attempts is a WTF itself. It was probably reasonable in the days when people had to remember one password of five or six characters. If you are going to enforce long passwords and make people change them as well, then you should allow 6 attempts at least.
    Can't agree more that locking accounts after 3 failed attempts is a WTF. I've been saying it for years, but my bank still won't listen to me.

    I've heard a great alternative to locking passwords after the "maximum attempts" is to put delays on that account. After n failed attempts, the next n tries each take 10 seconds to submit, then the next n tries each take 30 seconds to submit, after that it takes 1 minute to submit every time.

    Brute force attacks take a lot longer to search the password space, making them virtually useless.
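The escalating-delay scheme boog describes, written out as an added example (not code from the thread or from any product mentioned in it). The numbers, n = 3 and the 10 s / 30 s / 60 s tiers, are taken from the comment and are assumptions; the account table is an in-memory dict constructed here, and the delay is enforced as a "not before" timestamp rather than by sleeping inside the request handler, which would tie up a worker per attempt.

```python
"""Escalating per-account delays instead of a hard lockout.

Added example, not code from the thread. After n failures the next n
attempts are delayed 10 s each, the n after that 30 s each, and every
attempt beyond that 60 s. n and the tier delays are assumptions taken
from the comment; the account store is a constructed in-memory dict.
"""
from dataclasses import dataclass
import time


@dataclass
class AccountState:
    failures: int = 0         # consecutive failed attempts
    not_before: float = 0.0   # earliest clock time at which the next attempt is accepted


class EscalatingDelay:
    def __init__(self, n=3, delays=(10.0, 30.0, 60.0)):
        self.n = n
        self.delays = delays
        self.accounts = {}    # user -> AccountState (constructed, not a real backing store)

    def delay_after(self, failures):
        """Seconds the account must wait after `failures` consecutive failures."""
        if failures < self.n:
            return 0.0
        tier = (failures - self.n) // self.n   # 0 for n..2n-1, 1 for 2n..3n-1, ...
        return self.delays[min(tier, len(self.delays) - 1)]

    def attempt(self, user, password_ok, now=None):
        """Record one login attempt and return (status, seconds).

        status is "too_early" (attempt ignored, seconds left to wait),
        "ok" (success, counter reset) or "fail" (delay now imposed).
        `password_ok` stands in for the result of the real credential check.
        """
        if now is None:
            now = time.monotonic()
        state = self.accounts.setdefault(user, AccountState())
        if now < state.not_before:
            # Refused without evaluating the password, and without extending the delay.
            return ("too_early", state.not_before - now)
        if password_ok:
            state.failures = 0
            state.not_before = 0.0
            return ("ok", 0.0)
        state.failures += 1
        delay = self.delay_after(state.failures)
        state.not_before = now + delay
        return ("fail", delay)


if __name__ == "__main__":
    # Simulated clock: advance by the imposed delay (or 1 s when there is none).
    limiter = EscalatingDelay()
    clock = 0.0
    for i in range(8):
        status, secs = limiter.attempt("alice", False, now=clock)
        print(f"attempt {i + 1} at t={clock:5.1f}s: {status}, next delay {secs:.0f}s")
        clock += secs or 1.0
```

Two caveats worth keeping in mind: a per-account delay slows guessing against one account but does nothing against an attacker who spreads guesses over many accounts, so it belongs next to per-source limits and alerting on failed-login volume; and someone who fails on purpose can still impose a one-minute wait on the legitimate user, which is milder than a lockout but not nothing.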
  • William 2011-04-28 11:28
    Bill:
    This is the problem with creating really stringent password rules: people can't remember them and write them down in tremendously insecure ways.

    Rule of security vs. usability

    secure <------------------------------------------> usable

    You can't have both, you get more secure it gets less usable, you get more usable (think Microsoft adding scripting to email) you get less secure.


    You're contradicting yourself here. Think about it. If you increase the security requirements in such a way as to reduce the usability of the system, you're actually *decreasing* the *actual security* of the system, because users respond to the lack of usability with tremendously insecure work-arounds to the dysfunctional system.

    The best security is also very usable. Two factor authentication is quite easy to use when done well. Swipe your smart card, run the fingerprint scanner, etc. and also type in your passphrase with no limits other than a minimum 10 characters, full sentences encouraged.
  • The Penguin 2011-04-28 11:28
    boog:
    Dazed:
    boog:
    To answer your first question: longer passwords result in more calls to the helpdesk to reset passwords that users forgot or mistyped more than 3 times.

    The limit of 3 attempts is a WTF itself. It was probably reasonable in the days when people had to remember one password of five or six characters. If you are going to enforce long passwords and make people change them as well, then you should allow 6 attempts at least.
    Can't agree more that locking accounts after 3 failed attempts is a WTF. I've been saying it for years, but my bank still won't listen to me.

    I've heard a great alternative to locking passwords after the "maximum attempts" is to put delays on that account. After n failed attempts, the next n tries each take 10 seconds to submit, then the next n tries each take 30 seconds to submit, after that it takes 1 minute to submit every time.

    Brute force attacks take a lot longer to search the password space, making them virtually useless.

    I've heard that you're a lazy-ass IT manager that gets tired of resetting passwords forgotten due to your insanely retarded password requirements.
  • boog 2011-04-28 11:30
    Anne:
    One of the rules I don't ever get is why you would restrict a password in length. A minimum number of characters I understand, but a maximum? Where's the reasoning behind that?
    It's because of people like me who prefer to have a 2GB password (just to be extra secure) which brings the server to its knees.
  • David Martensson 2011-04-28 11:31
    Well, if the office space is secure in itself and the place to log in to is a publicly reachable site, a complex password on a post-it can be better than an easily remembered and possibly easily guessed or brute-forced one.

    At least as long as you do not protect your self against co-workers.
  • Serpentes 2011-04-28 11:34
    I once worked at a company whose password policy, as best I remember it, was:

    * Minimum 10 characters, maximum 24.
    * Must contain at least one each of capital letters, lowercase letters, numbers, punctuation marks.
    * Passwords expire every 45 calendar days.
    * No password may contain a substring that is a valid entry in the system's English lookup dictionary.
    * No password may contain any of an enumerated (but not publicly announced) list of prohibited substrings.
    * No password may repeat any character-position pair that was used in any of your 16 previous passwords.

    The dictionary lookup was very thorough. Too thorough. As a result, no password could contain (in either case) the letters A or I, since those were, of course, in the lookup dictionary. I rapidly concluded that vowels simply weren't worth my time. Although passwords were case sensitive (and had required mixed-case), the dictionary check was NOT -- so no thinking that "dUmB" was a valid substring.

    The secret substring blacklist wasn't any better. As far as I could ever determine, it included every alphabetically ordered three letter series, regardless of case (so no "FGH" or "PQR") and every three letter numerical series (no "123" or "789"). Also, sometimes, passwords would fail even if they should have been valid, so the blacklist clearly had some other nonsense on it.

    Probably already at Security by Post-It levels, the character-position non-reuse rule is what made it a likely violation of the Geneva Convention (with the 45 day expiration timer not helping at all). The story was that originally there was a standard "cannot repeat previous passwords" rule, but the security psychos realized people were just iterating a number at the end of their password. They concluded that was a security risk, because ninja death hackers would be smart enough to conclude that any compromised password was part of a sequence and thus obtain the current password, wreaking havoc and ending civilization. Their solution is just as horrid as it sounds. If you had a password with R as the second character, then for the next 16 passwords, the second character couldn't be R. Every character had to be novel, every time.

    The character-position system was also buggy. It was fine with passwords that were less than the maximum length ... sort of. If you always used a constant password length, you never saw the bug. But if you ever once created a password longer than your longest previous password, that became your new minimum length, because the matching code was clearly a WTF all by itself.

    And finally, note that the system wouldn't tell you why a password request failed (after the 5-10 minute "testing password" phase), just that it was invalid due to a "Rules Exception". Had you stumbled on some secret blacklisted character sequence? Had you accidentally repeated the 14th character of the password you used 9 months ago? Did you discover some Welsh-originated horror lurking in the lookup dictionary ("cwm", for example; it was a pretty good dictionary)? No way to know! Just pound on the keyboard like a monkey and try again!
  • BentFranklin 2011-04-28 11:37
    I hate it when I see password rules say no words in the dictionary, but they don't rule out the common leet substitutions. I assume a dictionary attacker would have all those in their attack, eg, "d[i1]c[t7][i1][o0]n[a@]ry". Why don't any of those spiffy password creations guidelines ever mention that?
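A dictionary check of the kind BentFranklin asks for, added here as an example (not code from the thread): a letter in a dictionary word matches either itself or one of its common leet forms, so "d1ct10n@ry" is caught as "dictionary". It also addresses Serpentes' complaint above by only treating words of at least four letters as substrings, so "a" and "i" never cause a rejection. The word list and the substitution table are constructed for the example; a deployment would load a real dictionary.

```python
"""Dictionary check that also catches common leet substitutions.

Added example, not code from the thread. The word list and substitution
table are constructed here. Words shorter than MIN_WORD are never used
as substrings, so single letters such as "a" or "i" cannot reject a
password on their own.
"""

MIN_WORD = 4

# Constructed mini-dictionary standing in for a full word list ("a" and "i"
# are included deliberately to show that MIN_WORD ignores them).
DICTIONARY = {"dictionary", "password", "secret", "summer", "welcome", "dumb", "a", "i"}

# Leet characters and the letters they commonly replace (assumed table).
LEET = {
    "0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i", "|": "l", "+": "t",
}

# letter -> every character that may stand for it (the letter plus its leet forms)
STANDS_FOR = {}
for leet_char, letters in LEET.items():
    for letter in letters:
        STANDS_FOR.setdefault(letter, {letter}).add(leet_char)


def matches_at(text, word, start):
    """True if `word` occurs at `start` in `text`, each letter matching itself or a leet form."""
    if start + len(word) > len(text):
        return False
    return all(text[start + j] in STANDS_FOR.get(c, {c}) for j, c in enumerate(word))


def dictionary_hits(password):
    """Return the dictionary words (length >= MIN_WORD) embedded in `password`, leet-aware."""
    text = password.lower()   # case-insensitive, like the check described in the thread
    hits = set()
    for word in DICTIONARY:
        if len(word) < MIN_WORD:
            continue
        if any(matches_at(text, word, i) for i in range(len(text) - len(word) + 1)):
            hits.add(word)
    return hits


def acceptable(password):
    """Policy decision: reject only when a real word, possibly leet-spelled, is embedded."""
    return not dictionary_hits(password)


if __name__ == "__main__":
    for candidate in ["d1ct10n@ry", "P@$$w0rd2011", "dUmBr4in", "aq9!zk2x", "xq9vk2mz"]:
        print(f"{candidate:14s} hits={sorted(dictionary_hits(candidate))} ok={acceptable(candidate)}")
```

Because matching is done position by position against the word, the check costs about len(password) x len(word) per dictionary entry and never has to enumerate the de-leeted variants of the password, which would otherwise multiply with every substitutable character.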

  • jimicus 2011-04-28 11:37
    Believe it or not, there are reasons to enforce a particular password length. Or, more accurately, there have been in the past.

    Earlier versions of Windows (particularly in the days before NTLM) split the password into two hashes each containing 7 characters - meaning you couldn't have a password with more than 14 characters. (You were also ill-advised to have too few characters in either half - so the optimum password would be either 7 or 14 characters long).

    I wouldn't be too surprised if similar eccentricities have existed in all sorts of password hashing algorithms in popular use over the years - I'd guess that some manager in the dim and distant past invented this rule because it seemed to make sense at the time, and it's never been reviewed since.

    The rest of those rules are just absurd. If anyone is in a position to try out a dictionary attack (and if your systems are susceptible to such an attack, you have far bigger issues than password regulation), you're essentially saying to them "Okay, that dictionary you're going to use for your attack? You can rule out many of the possible passwords because they don't meet the rules."
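How much of the password space a set of rules actually leaves, as an added example (not code from the thread) that puts numbers on the point Staffan, Anne and jimicus make above. It counts, exactly and by inclusion-exclusion, the strings of each allowed length that use at least a given number of character classes, and compares several policies in bits (log2 of the count). The policies are assumptions, since the thread quotes the rules only in part: "no special characters" is modelled as a punctuation class of 4 allowed marks, and the baseline as 8 to 64 printable ASCII characters.

```python
"""How much of the password space a policy leaves, counted exactly.

Added example, not code from the thread. Strings of a given length that
use at least `min_classes` character classes are counted by
inclusion-exclusion; policies are then compared in bits. Class sizes
and the policy table are assumptions.
"""
from itertools import combinations
from math import log2

UPPER, LOWER, DIGIT = 26, 26, 10
FULL_PUNCT = 33   # printable ASCII that is neither letter nor digit (95 - 62)
FEW_PUNCT = 4     # assumption: only four punctuation marks allowed


def strings_using_all(sizes, length):
    """Count strings of `length` over the union of `sizes` that use every class.

    Inclusion-exclusion over the set T of classes left out:
    sum over T of (-1)^|T| * (alphabet without T)^length.
    """
    total = 0
    for mask in range(1 << len(sizes)):
        excluded = bin(mask).count("1")
        alphabet = sum(s for i, s in enumerate(sizes) if not mask >> i & 1)
        total += (-1) ** excluded * alphabet ** length
    return total


def strings_with_min_classes(sizes, length, min_classes):
    """Count strings of `length` whose set of used classes has at least `min_classes` members."""
    total = 0
    for k in range(min_classes, len(sizes) + 1):
        for subset in combinations(sizes, k):   # by position, so equal sizes stay distinct
            total += strings_using_all(subset, length)
    return total


def policy_space(sizes, min_len, max_len, min_classes=0):
    """Number of passwords a policy admits, summed over the allowed lengths."""
    return sum(strings_with_min_classes(sizes, n, min_classes)
               for n in range(min_len, max_len + 1))


def bits(sizes, min_len, max_len, min_classes=0):
    """Size of the policy's space in bits, i.e. the uniform-random upper bound."""
    return log2(policy_space(sizes, min_len, max_len, min_classes))


# name -> (class sizes, min length, max length, classes required); all assumptions
POLICIES = {
    "8-64 chars, any classes":             ([UPPER, LOWER, DIGIT, FULL_PUNCT], 8, 64, 0),
    "8-12 chars, any classes":             ([UPPER, LOWER, DIGIT, FULL_PUNCT], 8, 12, 0),
    "8-12 chars, 3 of 4 classes":          ([UPPER, LOWER, DIGIT, FULL_PUNCT], 8, 12, 3),
    "8-12 chars, 3 of 4, 4 marks allowed": ([UPPER, LOWER, DIGIT, FEW_PUNCT], 8, 12, 3),
}


def compare_policies():
    """Return {policy name: bits} for the table above."""
    return {name: bits(*spec) for name, spec in POLICIES.items()}


if __name__ == "__main__":
    for name, b in compare_policies().items():
        print(f"{name:40s} {b:7.1f} bits")
```

Running it shows where the loss actually comes from: the "3 of 4 classes" rule removes well under one bit, while the 12-character cap throws away hundreds of bits relative to allowing long passphrases, and shrinking the punctuation class costs several more. These are uniform-random upper bounds; real users do not choose uniformly, so the practical effect of a length cap is mainly to forbid the one thing that would have been both memorable and strong.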
  • socknet 2011-04-28 11:37
    trtrwtf:
    Speaking of such things, is there any real reason to suppose that changing passwords every N days increases security? Wouldn't it make more sense to just require a sufficiently complex and long password and leave it at that? I think just about anyone could memorize a truly random 14-character password if they had to type it every day, but if you have to change it once a month then you have to come up with algorithms for generating "unguessable" passwords. These include things like regular substitutions, which become well known (ie, @ for a, 1 for i or l, and so forth), and the purpose is successfully defeated.


    The primary reason for changing passwords regularly isn't to try and make it more difficult to crack (i.e. to change it halfway through someone's brute force), it is so that if the password is cracked, the problem will only exist until the next reset.

    Resetting a password regularly without sufficient complexity is of limited use, as is having a complex password with no resets
  • James Q. Muphry 2011-04-28 11:41
    boog:
    Anne:
    One of the rules I don't ever get is why you would restrict a password in length. A minimum number of characters I understand, but a maximum? Where's the reasoning behind that?
    It's because of people like me who prefer to have a 2GB password (just to be extra secure) which brings the server to its knees.

    You really are a moron, aren't you? Any length password will be stored in a hash which will ALWAYS BE THE SAME.

    Plus, you'll just want to store your password in plain-text on the hard-drive, and HTH are you going to access it?
  • Anon 2011-04-28 11:43
    Mark:
    Anon:
    • be at least 6 characters long, contain 3/4 of uppercase,
    lowercase, digits and punctuation marks, and may not
    contain your user name or any part of your full name.


    First I read this as my password must be three quarters uppercase, three quarters lowercase, three quarters digits and three quarters punctuation (that's 12 quarters for those keeping count)

    Then I realized it must mean contains 3 or 4 uppercase, 3 or 4 lowercase, 3 or 4 digits and 3 or 4 punctuation. Of course to follow that rule, your password must be at least 12 characters, so the "must be at least 6 characters" is redundant. Also the punctuation part is difficult when they've already explicitly forbidden several marks.



    Or, more likely, they mean you must use at least 3 of the 4 character classes (uppercase, lowercase, digits, punctuation)


    I have no idea what kind of warped mind comes to that conclusion from that rule as written.
  • trtrwtf 2011-04-28 11:49
    socknet:

    The primary reason for passwords regularly isn't to try and make it more difficult to crack (i.e. to change it halfway through someone's brute force), it is so that if the password is cracked, the problem will only exist until the next reset.


    That's my question - does a cracker return to a cracked password? Or do they just do their thing and go?

    Serious question, I really don't know much about typical cracker behavior (insert white people joke here). My naive supposition would be that you would assume a cracked password would be detected, and to return to it would be setting yourself up, but maybe that's not the case.

    Any leet warez verdorz here want to clue me in?
  • JoC 2011-04-28 11:50
    Gee, the valid solution set might be smaller than the invalid.
  • Anon 2011-04-28 11:52
    Ah, I see TRWTF, they should have also asked users the security question of "what's your favorite book". That way users could automatically reset their passwords if they forget them.

    Fixed!
  • boog 2011-04-28 11:54
    James Q. Muphry:
    boog:
    Anne:
    One of the rules I don't ever get is why you would restrict a password in length. A minimum number of characters I understand, but a maximum? Where's the reasoning behind that?
    It's because of people like me who prefer to have a 2GB password (just to be extra secure) which brings the server to its knees.

    You really are a moron, aren't you? Any length password will be stored in a hash which will ALWAYS BE THE SAME.

    Bullshit; hashed passwords always vary in length. It's the amount of upload time, memory usage, and hash computations that stay consistent regardless of input size.

    Or in other words, Muphry right back at ya buddy.
  • Tony 2011-04-28 11:55
    Ok, the set of rules suggests that the password is stored in clear/plain text and/or the SQL is not guarded against sql injections.

    captcha: decet. How nice. :)
  • dpm 2011-04-28 11:58
    boog:

    - your password must be selected from the list of security-expert-approved passwords, which you can find on the company website

    Oh yeah, I do see that last one happening somewhere in the next 10 years.
    Clearly you are unfamiliar with the following option which has been available to OpenVMS system managers for the last 15 or 20 years:
        MCR AUTHORIZE MODIFY /FLAGS=GENPWD /PWDLIFETIME="30-" JSMITH
    From that instant on, John Smith is required to change his password every thirty days, and each time he is presented with a list of five choices from which he *must* choose. An actual example of a list he would see is
        cehokbej
        eajhaumda
        vufholid
        elfnawwra
        nacseavwoa
  • James Q. Muphry 2011-04-28 12:00
    boog:
    James Q. Muphry:
    boog:
    Anne:
    One of the rules I don't ever get is why you would restrict a password in length. A minimum number of characters I understand, but a maximum? Where's the reasoning behind that?
    It's because of people like me who prefer to have a 2GB password (just to be extra secure) which brings the server to its knees.

    You really are a moron, aren't you? Any length password will be stored in a hash which will ALWAYS BE THE SAME.

    Bullshit; hashed passwords always vary in length. It's the amount of upload time, memory usage, and hash computations that stay consistent regardless of input size.

    Or in other words, Muphry right back at ya buddy.

    Good god, I didn't even consider the fact you were trolling.
  • abcdefg? 2011-04-28 12:02
    trtrwtf:
    I think just about anyone could memorize a truly random 14-character password if they had to type it every day

    Exactly this.
    When I came up with my original password I just bashed on the keyboard until like 12 chars appeared, replaced a few characters. Sure, it took me a month or two to memorize, but once I did, I always remembered it, and was secure because it truly was a random password and didn't mean anything. But if I was changing it every 2 months I would never remember it.
  • Naresh Kookaburra 2011-04-28 12:04
    boog:
    James Q. Muphry:
    boog:
    Anne:
    One of the rules I don't ever get is why you would restrict a password in length. A minimum number of characters I understand, but a maximum? Where's the reasoning behind that?
    It's because of people like me who prefer to have a 2GB password (just to be extra secure) which brings the server to its knees.

    You really are a moron, aren't you? Any length password will be stored in a hash which will ALWAYS BE THE SAME.

    Bullshit; hashed passwords always vary in length. It's the amount of upload time, memory usage, and hash computations that stay consistent regardless of input size.

    Or in other words, Muphry right back at ya buddy.

    Really boog, you could at least make it challenging.
  • Rob 2011-04-28 12:05
    Eh...

    I'd take a sheet of paper over Lastpass or PasswordSafe any day
  • boog 2011-04-28 12:07
    dpm:
    boog:

    - your password must be selected from the list of security-expert-approved passwords, which you can find on the company website

    Oh yeah, I do see that last one happening somewhere in the next 10 years.
    Clearly you are unfamiliar with the following option which has been available to OpenVMS system managers for the last 15 or 20 years:
        MCR AUTHORIZE MODIFY /FLAGS=GENPWD /PWDLIFETIME="30-" JSMITH
    From that instant on, John Smith is required to change his password every thirty days, and each time he is presented with a list of five choices from which he *must* choose. An actual example of a list he would see is
        cehokbej
        eajhaumda
        vufholid
        elfnawwra
        nacseavwoa

    I was unfamiliar, but I'm not convinced it was so clearly. The only thing in common between your example and my above suggestion was "choosing a password from a list", which was arguably the least-WTFy aspect of my above suggestion.
  • boog 2011-04-28 12:08
    James Q. Muphry:
    Good god, I didn't even consider the fact you were trolling.
    On this site? TRWTF is not assuming the person you're talking to is a troll.
  • hoodaticus 2011-04-28 12:11
    frits:
    We had a similar policy that was implemented at a former employer of mine. Actually, it was more asinine. The original policy mandated passwords be 7 characters long, but changed every 3 months. The CFO didn't like changing his password so often. A compromise was struck and users only had to change passwords every 3 months. However, all passwords must be at least 14 characters long. It all made sense, since 6/3 = 14/7...

    The result, of course was most users had their passwords written somewhere within 2 feet (61 cm.) of their computers. Our director of IT decided to have a crackdown and started threatening to make examples of people who wrote down their passwords. The IT director wasn't a total ogre, however, and actually had a pragmatic workaround: anyone who had trouble remembering the long passwords should just use their old 7 character password typed twice.
    I've long promoted the notion that the secret to securing any system is to eliminate its users.
  • dpm 2011-04-28 12:12
    boog:
    dpm:
    boog:

    - your password must be selected from the list of security-expert-approved passwords, which you can find on the company website

    Oh yeah, I do see that last one happening somewhere in the next 10 years.
    (example of being forced to choose from a list)
    I was unfamiliar, but I'm not convinced it was so clearly. The only thing in common between your example and my above suggestion was "choosing a password from a list", which was arguably the least-WTFy aspect of my above suggestion.
    You predicted it would happen within ten years, but it already happened twice that far back in the past.
  • WthyrBendragon 2011-04-28 12:13
    dogbrags:
    Adding exclamation marks to the end of each requirement makes them much more exciting than normal requirements. [Must not contain your username!]


    That isn't exclamation. That's logical NOT! It's like a 12 yr old telling you something as if it's gospel then immediately saying "PSYCH"

    So... [Must not contain your username... psyche(exclamation)]
  • boog 2011-04-28 12:14
    Naresh Kookaburra:
    Really boog, you could at least make it challenging.
    Why would I do that? As easy as I'm making it for you, you're still failing miserably.
  • boog 2011-04-28 12:15
    dpm:
    boog:
    dpm:
    boog:

    - your password must be selected from the list of security-expert-approved passwords, which you can find on the company website

    Oh yeah, I do see that last one happening somewhere in the next 10 years.
    (example of being forced to choose from a list)
    I was unfamiliar, but I'm not convinced it was so clearly. The only thing in common between your example and my above suggestion was "choosing a password from a list", which was arguably the least-WTFy aspect of my above suggestion.
    You predicted it would happen within ten years, but it already happened twice that far back in the past.
    What did I predict exactly?
  • frits 2011-04-28 12:16
    WthyrBendragon:
    dogbrags:
    Adding exclamation marks to the end of each requirement makes them much more exciting than normal requirements. [Must not contain your username!]


    That isn't exclamation. That's comedic NOT! It's like a 12 yr old telling you something as if it's gospel then immediately saying "NOT"

    So... [Must not contain your username... NOT(exclamation)]

    FTFY
  • Zaratustra 2011-04-28 12:16
    ABCabc123. Are we secure yet?
  • Mike 2011-04-28 12:18
    Jam of the day - code to generate a password per the rules.
  • trtrwtf 2011-04-28 12:19
    dpm:
    An actual example of a list he would see is
        cehokbej
        eajhaumda
        vufholid
        elfnawwra
        nacseavwoa


    Make those a little more random (ie, include some digits, capitals, and punctuation) and you'd actually have something reasonable.

    TRWTF is expecting users to come up with something that meets security requirements and also seems memorable to them. Just give them a few options that meet security requirements, and let them regenerate the list until they see something they can work with. Humans are pretty good at recognizing "patterns" in random input, and computers are pretty good at giving humans random input to recognize patterns in. Why not play to the strengths of both?
  • Ken B. 2011-04-28 12:21
    Anne:
    A minimum number of characters I understand, but a maximum? Where's the reasoning behind that?
    UserPasswordPlaintext as varchar(12);

    Duh!
  • frits 2011-04-28 12:23
    ABC, easy as 123, It's like counting up to 3, Or simple as !@#
  • Ken B. 2011-04-28 12:25
    boog:
    - your password must be selected from the list of security-expert-approved passwords, which you can find on the company website

    Oh yeah, I do see that last one happening somewhere in the next 10 years.
    I was going to suggest "goodpasswords dot com", which SamSpade shows as a blank webpage. Unfortunately, IE shows it as an advertising page.

    trtrwtf:
    Don't forget this one: your password can't contain any sequence of 3 adjacent letters on a qwerty keyboard. No asdf, no zxc.
    And "adjacent" includes the rows above and below, and order doesn't matter. (No "oki", "xfd", "tvf", etc.)
  • boog 2011-04-28 12:29
    Ken B.:
    boog:
    - your password must be selected from the list of security-expert-approved passwords, which you can find on the company website

    Oh yeah, I do see that last one happening somewhere in the next 10 years.
    I was going to suggest "goodpasswords dot com"...
    Would that be a website listing "good passwords", or a form where users can submit their passwords and it will tell them how "good" the passwords are?

    Either way, sounds like a great idea.
  • C-Octothorpe 2011-04-28 12:31
    hoodaticus:
    frits:
    We had a similar policy that was implemented at a former employer of mine. Actually, it was more asinine. The original policy mandated passwords be 7 characters long, but changed every 3 months. The CFO didn't like changing his password so often. A compromise was struck and users only had to change passwords every 3 months. However, all passwords must be at least 14 characters long. It all made sense, since 6/3 = 14/7...

    The result, of course was most users had their passwords written somewhere within 2 feet (61 cm.) of their computers. Our director of IT decided to have a crackdown and started threatening to make examples of people who wrote down their passwords. The IT director wasn't a total ogre, however, and actually had a pragmatic workaround: anyone who had trouble remembering the long passwords should just use their old 7 character password typed twice.
    I've long promoted the notion that the secret to securing any system is to eliminate its users.


    BOFH?

    Do you have a lot of elevator and electrical "accidents" at your workplace?
  • boog 2011-04-28 12:34
    C-Octothorpe:
    hoodaticus:
    I've long promoted the notion that the secret to securing any system is to eliminate its users.

    BOFH?

    Do you have a lot of elevator and electrical "accidents" at your workplace?
    Safety incidents going through the roof would be a huge red flag. Better to just hire a really creepy guy that scares everyone into finding work elsewhere or early retirement.
  • socknet 2011-04-28 12:35
    trtrwtf:
    socknet:

    The primary reason for changing passwords regularly isn't to try and make it more difficult to crack (i.e. to change it halfway through someone's brute force), it is so that if the password is cracked, the problem will only exist until the next reset.


    That's my question - does a cracker return to a cracked password? Or do they just do their thing and go?

    Serious question, I really don't know much about typical cracker behavior (insert white people joke here). My naive supposition would be that you would assume a cracked password would be detected, and to return to it would be setting yourself up, but maybe that's not the case.

    Any leet warez verdorz here want to clue me in?


    That would depend entirely on the system which the password applies for.

    If it was a bank account, then perhaps the hacker would drain the account and not come back.

    If it was for membership to an adult website, maybe they would go back frequently.

    etc
  • C-Octothorpe 2011-04-28 12:37
    boog:
    C-Octothorpe:
    hoodaticus:
    I've long promoted the notion that the secret to securing any system is to eliminate its users.

    BOFH?

    Do you have a lot of elevator and electrical "accidents" at your workplace?
    Safety incidents going through the roof would be a huge red flag. Better to just hire a really creepy guy that scares everyone into finding work elsewhere or early retirement.


    You work with hoodaticus too?!
  • C-Octothorpe 2011-04-28 12:37
    C-Octothorpe:
    boog:
    C-Octothorpe:
    hoodaticus:
    I've long promoted the notion that the secret to securing any system is to eliminate its users.

    BOFH?

    Do you have a lot of elevator and electrical "accidents" at your workplace?
    Safety incidents going through the roof would be a huge red flag. Better to just hire a really creepy guy that scares everyone into finding work elsewhere or early retirement.


    You work with hoodaticus too?!


    Around here, we just call him the "chair sniffer"...
  • E 2011-04-28 12:43
    Actually I think this scheme would accept most of my passwords.

    Unless their dictionary has incredibly obscure words I don't know of in it.
  • Anachronda 2011-04-28 12:45
    Dazed:
    boog:
    To answer your first question: longer passwords result in more calls to the helpdesk to reset passwords that users forgot or mistyped more than 3 times.

    The limit of 3 attempts is a WTF itself. It was probably reasonable in the days when people had to remember one password of five or six characters. If you are going to enforce long passwords and make people change them as well, then you should allow 6 attempts at least.

    I keep waiting for someone to decide that not having occasional missed attempts implies that your password is insufficiently complex and needs to be changed.
  • ih8u 2011-04-28 12:45
    Mike:
    Jam of the day - code to generate a password per the rules.


    That's really a great idea. In fact, I'd like to see the code they actually used to verify the correctness of candidate passwords.

    Not that I'd bet there are loads of bugs that allow all sorts of "insecure" passwords. I'm sure they implemented teh codez with l33t accuracy.
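    Picking up Mike's "jam of the day", trtrwtf's suggestion of handing users a list of compliant candidates, and ih8u's wish to see the validator: the following is an added example written for this page, not code from the site in the article or from any commenter. The rule set it enforces is assembled from the rules quoted in this thread (8 to 12 characters, leading character a letter, no repeated character, at least 3 of the 4 character classes, no part of the username, no dictionary word); the contradictory rules are left out, the allowed punctuation set and the tiny word list are assumptions, and the Monte Carlo figure at the end shows how much of the raw key space the rules discard, which is JoC's and Josiah's point.

```python
"""Password-policy checker, a GENPWD-style suggester that only offers candidates
the policy accepts (rejection sampling), and a Monte Carlo estimate of how much
of the raw 8-12 character key space the rules throw away."""
import random
import string

# Assumed allowed punctuation; the page does not say which marks survive the ban list.
PUNCT = "!@#$%^&*"
ALPHABET = string.ascii_letters + string.digits + PUNCT

# Constructed toy dictionary; the real word list behind the rule is unknown.
DICTIONARY = frozenset({"pass", "word", "admin", "hello", "world", "love", "cat", "dog", "the"})

# Rule set assembled from the rules quoted in the thread (contradictory ones omitted).
MIN_LEN, MAX_LEN, MIN_CLASSES = 8, 12, 3


def violations(candidate: str, username: str) -> list:
    """Return the rules the candidate breaks; an empty list means it is accepted."""
    problems = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append("length must be 8-12")
    if not candidate[:1].isalpha():
        problems.append("leading character must be a letter")
    if len(set(candidate)) != len(candidate):
        problems.append("repeated character")
    present = sum(
        any(test(c) for c in candidate)
        for test in (str.isupper, str.islower, str.isdigit, PUNCT.__contains__)
    )
    if present < MIN_CLASSES:
        problems.append("needs 3 of 4 character classes")
    low, uname = candidate.lower(), username.lower()
    # "any part of your name" is read here as any 3-character run of the username
    if any(uname[i:i + 3] in low for i in range(len(uname) - 2)):
        problems.append("contains part of username")
    if any(word in low for word in DICTIONARY):
        problems.append("contains dictionary word")
    return problems


def random_candidate(rng) -> str:
    """Uniformly random string over ALPHABET with a length uniform in 8..12."""
    n = rng.randint(MIN_LEN, MAX_LEN)
    return "".join(rng.choice(ALPHABET) for _ in range(n))


def suggest(username: str, count: int = 5, tries: int = 100_000) -> list:
    """Offer `count` compliant passwords, OpenVMS GENPWD style: sample from the OS
    CSPRNG until the policy passes instead of asking the user to invent one."""
    rng = random.SystemRandom()
    out = []
    for _ in range(tries):
        cand = random_candidate(rng)
        if not violations(cand, username):
            out.append(cand)
            if len(out) == count:
                return out
    raise RuntimeError("policy rejected every candidate")


def acceptance_rate(username: str, samples: int = 20_000, seed: int = 1) -> float:
    """Monte Carlo estimate of the fraction of random 8-12 character strings the
    rules keep. A seeded PRNG is fine here: this is a measurement, not a password source."""
    rng = random.Random(seed)
    kept = sum(not violations(random_candidate(rng), username) for _ in range(samples))
    return kept / samples


if __name__ == "__main__":
    for pw in suggest("jsmith"):
        print(pw)
    print(f"fraction of random strings the policy accepts: {acceptance_rate('jsmith'):.1%}")
```

    Running it prints five candidates for jsmith and an acceptance fraction; every rule you add pushes that fraction down, which is exactly the search-space shrinkage an attacker gets for free.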
  • C-Octothorpe 2011-04-28 12:47
    ih8u:
    Mike:
    Jam of the day - code to generate a password per the rules.


    That's really a great idea. In fact, I'd like to see the code they actually used to verify the correctness of candidate passwords.

    Not that I'd bet there are loads of bugs that allow all sorts of "insecure" passwords. I'm sure they implemented teh codez with l33t accuracy.


    Probably copy-pasted from the shit-pile called Akismet...
  • forgottenlord 2011-04-28 12:47
    Huh, if it weren't for that 12 character limit, one of my main passwords would work perfectly for this.
  • snover 2011-04-28 12:49
    Anne:
    One of the rules I don't ever get is why you would restrict a password in length. A minimum number of characters I understand, but a maximum? Where's the reasoning behind that?

    Depending upon the way the password is stored, there is a maximum length beyond which any more data input is superfluous, and allowing it can give a false sense of security. For instance, using the original Unix crypt function, the password "HELLOWORLD" would work the same as "HELLOWOR", because it only supports passwords up to 8 characters. LM hash only supported up to 14 characters, and bcrypt only supports up to 55 characters (though if you have a password longer than 55 characters, you might be overdoing it a little).

    Of course, the biggest reason of all is probably because software uses no hashing method at all and simply stores the password in plaintext in a fixed-length column in their database.
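    To make snover's point concrete, here is an added example (mine, not snover's, and not the real crypt(3) or bcrypt code): a model of a scheme that only looks at the first 8 characters next to a standard-library KDF. The truncating function is a stand-in built on SHA-256 to model the behaviour, not the DES-based crypt itself; the 1024-byte cap is an assumed value for bounding KDF work per attempt.

```python
"""Why the storage scheme, not the policy, sets the real maximum length: a
legacy truncating scheme silently equates passwords past its limit, while a
proper KDF gives a fixed-size digest for any length and should reject, not
truncate, absurd inputs."""
import hashlib
import hmac
import os

TRUNCATE_AT = 8          # model of the 8-character limit of classic crypt(3)
MAX_BYTES = 1024         # assumed sane cap to bound KDF work per login attempt
ITERATIONS = 100_000


def legacy_hash(password: str, salt: bytes) -> bytes:
    """Model (not real crypt) of a scheme that only hashes the first 8 characters."""
    return hashlib.sha256(salt + password[:TRUNCATE_AT].encode()).digest()


def legacy_verify(password: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(legacy_hash(password, salt), stored)


def modern_hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256: 32-byte output whatever the input length."""
    pw = password.encode()
    if len(pw) > MAX_BYTES:
        raise ValueError("password too long")   # refuse rather than silently truncate
    return hashlib.pbkdf2_hmac("sha256", pw, salt, ITERATIONS)


def modern_verify(password: str, salt: bytes, stored: bytes) -> bool:
    try:
        return hmac.compare_digest(modern_hash(password, salt), stored)
    except ValueError:
        return False


def demo() -> dict:
    """Store HELLOWORLD under both schemes and probe them with HELLOWOR."""
    salt = os.urandom(16)
    legacy = legacy_hash("HELLOWORLD", salt)
    modern = modern_hash("HELLOWORLD", salt)
    return {
        "legacy_accepts_truncated": legacy_verify("HELLOWOR", salt, legacy),
        "modern_accepts_truncated": modern_verify("HELLOWOR", salt, modern),
        "digest_len_short": len(modern_hash("short1!A", salt)),
        "digest_len_long": len(modern_hash("x" * 500, salt)),
        "modern_rejects_2kb": modern_verify("x" * 2048, salt, modern),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

    The legacy model accepts the 8-character prefix as the password; the KDF does not, its digest length is the same for an 8-character and a 500-character input, and a 2 KB input is refused outright instead of being quietly cut down.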
  • Ol' Bob 2011-04-28 12:49
    DCRoss:
    andres:
    The can still do better:

    http://www.dilbert.com/strips/comic/2005-09-10/


    Or even http://www.dilbert.com/fast/2011-04-28/.

    But that would be spamming, so I'm going to complain a bit here.


    But even better there's

    http://dilbert.com/strips/comic/1998-04-06/

    Squeal like a pig... :-)
  • Kuba 2011-04-28 12:55
    Anon:
    • be at least 6 characters long, contain 3/4 of uppercase,
    lowercase, digits and punctuation marks, and may not
    contain your user name or any part of your full name.
    First I read this as my password must be three quarters uppercase, three quarters lowercase, three quarters digits and three quarters punctuation (that's 12 quarters for those keeping count)

    Then I realized it must mean contains 3 or 4 uppercase, 3 or 4 lowercase, 3 or 4 digits and 3 or 4 punctuation. Of course to follow that rule, your password must be at least 12 characters, so the "must be at least 6 characters" is redundant. Also the punctuation part is difficult when they've already explicitly forbidden several marks.
    It looks like something taken from the GRE's defunct analytical section ;)
  • boog 2011-04-28 12:55
    C-Octothorpe:
    boog:
    Safety incidents going through the roof would be a huge red flag. Better to just hire a really creepy guy that scares everyone into finding work elsewhere or early retirement.

    You work with hoodaticus too?!
    Not for much longer. That guy gives me the heebie-jeebies.
  • Gary 2011-04-28 12:57
    These intrigue me


    • not contain a dictionary word!
    • not contain an exact dictionary word match!


    That rules out at minimum any of the vowels A, I and O. If you can't include two-letter combinations either am, do, em, en, go, he, etc., then we are going to have a really small set of possible pwds.
  • operagost 2011-04-28 13:00
    dpm:
    boog:

    - your password must be selected from the list of security-expert-approved passwords, which you can find on the company website

    Oh yeah, I do see that last one happening somewhere in the next 10 years.
    Clearly you are unfamiliar with the following option which has been available to OpenVMS system managers for the last 15 or 20 years:
        MCR AUTHORIZE MODIFY /FLAGS=GENPWD /PWDLIFETIME="30-" JSMITH
    From that instant on, John Smith is required to change his password every thirty days, and each time he is presented with a list of five choices from which he *must* choose. An actual example of a list he would see is
        cehokbej
        eajhaumda
        vufholid
        elfnawwra
        nacseavwoa

    To compensate for BOFH-ish features like that (fortunately, options), at least VMS has a non-stupid intrusion system. A counter keeps track of failed logons, based on a configurable interval, so that three failed logons today and three tomorrow aren't treated the same as six within a minute. Even better, instead of locking out accounts like Windows (although that is still an option), the remote host is blocked. This prevents most DOS situations.
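    The interval-based counter operagost describes, as an added example written for this page (not the VMS implementation, and not operagost's code): failures are counted per source host inside a sliding window, and when the threshold is crossed the host is blocked while the account stays usable from elsewhere. The log format, window, threshold and block duration are all constructed assumptions.

```python
"""Sliding-window failed-logon counter that blocks the *source host*, not the
account, once it crosses a threshold inside a configurable interval."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format for the constructed sample below.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


class IntrusionTracker:
    def __init__(self, window=timedelta(minutes=5), threshold=3, block_for=timedelta(hours=1)):
        self.window, self.threshold, self.block_for = window, threshold, block_for
        self.failures = defaultdict(deque)   # src -> timestamps of recent failures
        self.blocked_until = {}              # src -> datetime the block expires

    def is_blocked(self, src: str, now: datetime) -> bool:
        until = self.blocked_until.get(src)
        return until is not None and now < until

    def record(self, line: str) -> str:
        """Feed one log line and return the decision taken for it."""
        m = LOG_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        now = datetime.fromisoformat(m["ts"])
        src, ok = m["src"], m["result"] == "OK"
        if self.is_blocked(src, now):
            return "rejected: source blocked"      # even correct credentials fail from here
        if ok:
            self.failures[src].clear()             # design choice: success clears the source
            return "allowed"
        q = self.failures[src]
        q.append(now)
        while q and now - q[0] > self.window:      # drop failures outside the interval
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked_until[src] = now + self.block_for
            q.clear()
            return "blocked source"                # the account itself is never locked
        return "failure counted"


def replay(log_text: str, tracker=None) -> list:
    tracker = tracker or IntrusionTracker()
    return [tracker.record(line) for line in log_text.splitlines() if line.strip()]


# Constructed sample: three slow failures from 10.9.9.9, a burst from 10.1.2.3,
# then jsmith logging in from a different host.
SAMPLE_LOG = """\
2011-04-28T08:00:00 LOGIN FAIL user=jsmith src=10.9.9.9
2011-04-28T08:10:00 LOGIN FAIL user=jsmith src=10.9.9.9
2011-04-28T08:20:00 LOGIN FAIL user=jsmith src=10.9.9.9
2011-04-28T12:00:01 LOGIN FAIL user=jsmith src=10.1.2.3
2011-04-28T12:00:02 LOGIN FAIL user=jsmith src=10.1.2.3
2011-04-28T12:00:03 LOGIN FAIL user=jsmith src=10.1.2.3
2011-04-28T12:00:04 LOGIN OK user=jsmith src=10.1.2.3
2011-04-28T12:00:10 LOGIN OK user=jsmith src=10.1.2.50
"""

if __name__ == "__main__":
    for line, decision in zip(SAMPLE_LOG.splitlines(), replay(SAMPLE_LOG)):
        print(f"{decision:26} <- {line}")
```

    The three failures ten minutes apart never add up, the three within a few seconds block 10.1.2.3 (so its later correct login is refused), and jsmith still gets in from 10.1.2.50, which is the difference between blocking the offender and handing anyone a one-line account lockout.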
  • Anon 2011-04-28 13:00
    boog:
    Ken B.:
    boog:
    - your password must be selected from the list of security-expert-approved passwords, which you can find on the company website

    Oh yeah, I do see that last one happening somewhere in the next 10 years.
    I was going to suggest "goodpasswords dot com"...
    Would that be a website listing "good passwords", or a form where users can submit their passwords and it will tell them how "good" the passwords are?

    Either way, sounds like a great idea.


    Indeed:

    1) Create a website where people enter their passwords to see how "good" they are. Insist they tell you their username and what website it is for so you can check for their username and the name of the website in the password (because that would clearly be insecure)
    2) ??????
    3) Profit!
  • vic 2011-04-28 13:04
    My former employer had a set of rules for all passwords which included things like having to change the password every 3 months and not reusing the last n (I think it started at 3, eventually 5) passwords. This included not just the enterprise servers, but simple systems like the document store where the employee handbook and cafeteria menu were posted.

    Fortunately, there was no minimum time between when you changed the password, so a quick run through my set of five passwords for trivial sites let me know what lunch would be.
  • PG4 2011-04-28 13:04
    jimicus:

    Earlier versions of Windows (particularly in the days before NTLM) split the password into two hashes each containing 7 characters


    Well this stupid idea in Windows has caused the current mess I have to deal with in UNIX.

    Used to be 8 characters was fine, then some idiot higher up found out about that problem in windows and sent out a directive to change X in windows, change Y in windows, Change Z in windows, Don't use the hash before NTLM, etc. And one of the list of 15 or so taskings in the directive was to force all passwords to be a min of 14 characters, at least 2 upper, 2 lower, 2 digits, 2 special and change passwords every 30 days. Now since this last part didn't say for windows only, it had to be applied to everything that took a password. Oh yea, can use one you have used in the past year, and a bunch of other things. This policy is still in force today, all because of an old way that windows hashed passwords.
  • informatimago 2011-04-28 13:05
    With so many rules, some users may not have any valid password!
  • neminem 2011-04-28 13:06
    Yeah, one of my main passwords would also still fulfill these requirements, as long as you were willing to accept vowels other than 'e' and 'u'. Well, and only until they made me change it, of course. I'm happy that here, they may force you to change your work login password every so often, but don't force you to change it to something other than what it already just was.

    Also, what exactly is the difference between requiring that a password not contain a dictionary word, and that it not contain an "exact dictionary word match"? They seem fairly equivalent.
  • Jouva 2011-04-28 13:06
    Why should there be such a short MAXIMUM if there's such a MINIMUM? And why say "not THIS character"? Really.
  • Poptart 2011-04-28 13:11
    A better requirement would use the word "shall" instead of "must". But the exclamation points are fine as-is.
  • a flaming pineapple 2011-04-28 13:14
    pippin:
    have at least 8 character(s)

    or
    be at least 6 characters long

    Not only is it absurd, but it's contradictory! (exclamation included to give my comment added umpfh ;)


    Just as an FYI, >=6 characters and >=8 characters are not mutually exclusive.

    captcha: tristique - we went to this place on main street that only sells triscuit crackers.
  • PendaticCurmudgeon 2011-04-28 13:20
    trtrwtf:
    Speaking of such things, is there any real reason to suppose that changing passwords every N days increases security? Wouldn't it make more sense to just require a sufficiently complex and long password and leave it at that? I think just about anyone could memorize a truly random 14-character password if they had to type it every day, but if you have to change it once a month then you have to come up with algorithms for generating "unguessable" passwords. These include things like regular substitutions, which become well known (ie, @ for a, 1 for i or l, and so forth), and the purpose is successfully defeated.
    Please feature this comment.
  • boog 2011-04-28 13:24
    The Corrector:
    boog:
    Anon:
    • be at least 6 characters long, contain 3/4 of uppercase,
    lowercase, digits and punctuation marks, and may not
    contain your user name or any part of your full name.

    First I read this as my password must be three quarters uppercase, three quarters lowercase, three quarters digits and three quarters punctuation (that's 12 quarters for those keeping count)
    12 quarters = 3 passwords dollars.

    So in other words, your password must be worth at least three dollars? I'm guessing most users' passwords probably aren't valid then.
  • Mcoder 2011-04-28 13:28
    boog:
    Anon:
    Also, more rules restricting stating what your password can't be = less entropy = less secure.
    I keep wondering when "security experts" (or whatever managers like to call themselves) will create that one password rule that really limits the password space.

    - your password may not contain adjacent letters or adjacent numbers (they must alternate: S2t3u8p1d)
    - your password may not contain letters/numbers from your username (I can't use b, o, g, B, O, or G)
    - your password may not contain any consecutive letters/numbers (if you use C, you can't use B or D anywhere)
    - your password must be selected from the list of security-expert-approved passwords, which you can find on the company website

    Oh yeah, I do see that last one happening somewhere in the next 10 years.


    No need for that last line. "Your password must not have repeated characters" is nearly as useful. (very very nearly...)
  • Yuval 2011-04-28 13:29
    (comment thread tl;dr)
    Almost all my current passwords satisfy all these requirements, and I remember them perfectly.
    Well, except those with the letter 'a', which is a dictionary word and thus may not be part of any password?
  • . 2011-04-28 13:32
    boog:
    The Corrector:
    boog:
    Anon:
    • be at least 6 characters long, contain 3/4 of uppercase,
    lowercase, digits and punctuation marks, and may not
    contain your user name or any part of your full name.

    First I read this as my password must be three quarters uppercase, three quarters lowercase, three quarters digits and three quarters punctuation (that's 12 quarters for those keeping count)
    12 quarters = 3 passwords dollars.

    So in other words, your mom must be worth at least three dollars? I'm guessing most users' moms probably aren't valid then.

    FTFY
  • Josiah 2011-04-28 13:36
    LOL! Adding all those extra constraints probably actually makes these passwords easier to crack by limiting the dictionary an attacker needs to traverse.
  • kastein 2011-04-28 13:39
    my favorite is the companies that refuse to let me use a secure password:
    * one of my financial accounts insists that I use NO symbols, and that my password be no more than 6 characters long. Thanks guys, glad no one can get into my stock account now!
    * another requires that my password be ridiculously long and complex, be different from my last ten passwords, and get changed every 60 days. I finally ran out of good passwords I could remember and started just changing one digit when asked for a new password. You win guys, too secure for me...

    The sad thing is that I usually come up with ridiculously hard to guess passwords when not forced to follow some goofy set of rules.

    When given the chance I do stupid crap like using altcodes in my password... I want to see someone try and hack that! Bet your rainbow tables don't cover 25 character passwords with upper/lowercase, numbers, symbols, and upper code page characters, script kiddie!
  • Buzer 2011-04-28 13:44
    Qwerty00
    Qwerty01
    ...
  • Ken B. 2011-04-28 13:49
    TheCPUWizard:
    Ironic... I just compared passwords I use (from memory) for a number of secure systems, and over 90% of them met the requirements [1 out of 17 failed].

    This is on various systems that do not have overly complex rules...guess it speaks volumes about my state of mind <eek!>
    I still use the 6-letter passwords from back in high school (1970's) as the root of many of my online passwords today. (By "root", I mean using them as the first 6 characters, and follow them by a new suffix.)
  • Lorne Kates 2011-04-28 13:54
    trtrwtf:

    Don't forget this one: your password can't contain any sequence of 3 adjacent letters on a qwerty keyboard. No asdf, no zxc.


    You forgot the diagonals. No zse, cft, etc.

    (Also, you cannot use etc)
  • frits 2011-04-28 13:54
    Ken B.:
    TheCPUWizard:
    Ironic... I just compared passwords I use (from memory) for a number of secure systems, and over 90% of them met the requirements [1 out of 17 failed].

    This is on various systems that do not have overly complex rules...guess it speaks volumes about my state of mind <eek!>
    I still use the 6-letter passwords from back in high school (1970's) as the root of many of my online passwords today. (By "root", I mean using them as the first 6 characters, and follow them by a new suffix.)

    hunter20110401 ?
  • gizmore 2011-04-28 13:58
    Must not contain a dictionary word!

    I hope "a", and "the" are not dictionary words!
  • mackenziema 2011-04-28 14:06
    This and some of the other requirements are likely there not to increase security, but because the system (or some subsystem) can't handle that.
  • PRMan 2011-04-28 14:06
    Changing passwords every "n" days increases security by eliminating servers that somebody forgot to remove access from when someone left. A person has 6 weeks on average to hack. After that, all their passwords will be gone no matter what.
  • Harrow 2011-04-28 14:14
    This list almost certainly was constructed by at least three different people.

    The first 18 rules (the ones with exclamation points) were written by some low ranking weenie who thinks he is God's gift to cryptography, and therefore can easily think of all the things that make passwords insecure without consulting any references, which he probably doesn't know where to find anyway.

    The next 13 rules were written by the poor shlub who was handed the first 18 and assigned the problem of implementing a filter. Unfamiliar with the writings of J. Zawinski, he decided to use a regular expression. Now he had two problems. So he wrote a second filter, to restrict the password candidates to only those that can be parsed by his first filter.

    The last rule was added by the first weenie's PHB because he could not understand the existing list of rules and decided to encode his ignorance into a summary. He probably goes around telling everyone that his weenie always overcomplicates everything, and the last rule is the only one you really need because it includes all the others.

    -Harrow.
  • frits 2011-04-28 14:18
    Harrow:
    This list almost certainly was constructed by at least three different people.

    The first 18 rules (the ones with exclamation points) were written by some low ranking weenie who thinks he is God's gift to cryptography, and therefore can easily think of all the things that make passwords insecure without consulting any references, which he probably doesn't know where to find anyway.

    The next 13 rules were written by the poor shlub who was handed the first 18 and assigned the problem of implementing a filter. Unfamiliar with the writings of J. Zawinski, he decided to use a regular expression. Now he had two problems. So he wrote a second filter, to restrict the password candidates to only those that can be parsed by his first filter.

    The last rule was added by the first weenie's PHB because he could not understand the existing list of rules and decided to encode his ignorance into a summary. He probably goes around telling everyone that his weenie always overcomplicates everything, and the last rule is the only one you really need because it includes all the others.

    -Harrow.

    Your analysis is more entertaining than the article itself.
  • Meep 2011-04-28 14:21
    Anne:
    Worse than that, all these rules actually make the passwords less secure.


    They make the strongest passwords less secure, but only a fraction of people are using a completely random password. If you consider the system to be cracked when a few accounts are compromised, it's worthwhile to strengthen the weaker passwords at the expense of the stronger passwords.

    The same goes for "leading character must be a letter"? Why can't it be a number? Why are characters forbidden? You're actually reducing the number of possible passwords here.


    If they require the leading character to be a letter, that suggests they're using some horrible, horrible way of storing the passwords.

    I often use a password manager, and it generated one that had a space at the end. Since it had worked fine when I copied and pasted, I was going nuts trying to figure out why I couldn't type it in. (Probably ought to have filed a bug report...)
  • Spivonious 2011-04-28 14:22
    trtrwtf:
    Spivonious:
    My company doesn't let you use any of the last five passwords. So I have a post-it in my drawer that has the last five passwords on it. I figure if the janitor has access to my desk, he deserves access to my PC.


    FTFY


    Our room is locked-down so the janitor doesn't steal computers. The only people allowed in are in my department.
  • Meep 2011-04-28 14:24
    PRMan:
    Changing passwords every "n" days increases security by eliminating servers that somebody forgot to remove access from when someone left. A person has 6 weeks on average to hack. After that, all their passwords will be gone no matter what.


    Assuming they lock the accounts as well.

    It also allows you to upgrade password storage, since you need a fresh password to calculate a new hash.
  • Meep 2011-04-28 14:34
    James Q. Muphry:
    boog:
    Anne:
    One of the rules I don't ever get is why you would restrict a password in length. A minimum number of characters I understand, but a maximum? Where's the reasoning behind that?
    It's because of people like me who prefer to have a 2GB password (just to be extra secure) which brings the server to its knees.

    You really are a moron, aren't you? Any length password will be stored in a hash which will ALWAYS BE THE SAME.


    Since JavaScript doesn't have a built-in digest algorithm, most web apps do the hashing on the server side. Transmitting 2GB over TLS and then hashing it would be pretty intensive.

    Plus, you'll just want to store your password in plain-text on the hard-drive, and HTH are you going to access it?


    I don't know about Winders, but OS X has a simple command line pasteboard utility:

    cat mypassword | pbcopy


    Or, for ultimate security...

    openssl enc -aes256 -d -in mypassword -kfile /secretplace/passwordkey | pbcopy
  • Meep 2011-04-28 14:36
    Spivonious:
    My company doesn't let you use any of the last five passwords. So I have a post-it in my drawer that has the last five passwords on it. I figure if the hacker has access to my desk, he deserves access to my PC.


    You must be the only person who hasn't realized you can just change your password to something bogus five times and then reuse the last one.
  • Design Pattern 2011-04-28 14:41
    Deh Rules:

    • not contain &
    • not contain #
    • not contain ,
    • not contain ;
    • not contain "
    • not contain >
    • not contain <

    Looks like they're storing the password in cleartext in an XML file and those rules avoid issues with the encoding!
  • Ã 2011-04-28 14:47
    After yesterday's email validation WTF, I'd love to see how these idiots validate passwords.
  • drusi 2011-04-28 14:48
    Serpentes:
    Probably already at Security by Post-It levels, the character-position non-reuse rule is what made it a likely violation of the Geneva Convention (with the 45 day expiration timer not helping at all). The story was that originally there was a standard "cannot repeat previous passwords" rule, but the security psychos realized people were just iterating a number at the end of their password. They concluded that was a security risk, because ninja death hackers would be smart enough to conclude that any compromised password was part of a sequence and thus obtain the current password, wreaking havoc and ending civilization. Their solution is just as horrid as it sounds. If you had a password with R as the second character, then for the next 16 passwords, the second character couldn't be R. Every character had to be novel, every time.

    Both stupid and easily defeated:

    qnDrfsgvbm19-!._
    nDrfsgvbm19-!._q
    Drfsgvbm19-!._qn
    rfsgvbm19-!._qnD
    ...
    _qnDrfsgvbm19-!.
  • Ken B. 2011-04-28 14:49
    boog:
    C-Octothorpe:
    hoodaticus:
    I've long promoted the notion that the secret to securing any system is to eliminate its users.

    BOFH?

    Do you have a lot of elevator and electrical "accidents" at your workplace?
    Safety incidents going through the roof would be a huge red flag. Better to just hire a really creepy guy that scares everyone into finding work elsewhere or early retirement.
    Same thing with getting rid of an apartment building full of bad tenants. (Which you just bought at a bargain price, due to said tenants.)

    Tenant "protection" laws make it very difficult / costly / time-consuming to evict them. So...

    Pay "creepy guy" to move into a vacant apartment. Let CG indulge his "hobbies", such as running up and down the hallway in the middle of the night wearing his ski boots, playing his "Hooked on Polka" CDs all day long, cooking with Nam Pla / Padaek, and so on. Tenants spontaneously decide to move elsewhere.

    Easy / inexpensive / efficient.
  • ÃƆ2011-04-28 14:50
    Meep:


    I don't know about Winders, but OS X smug hipstersheep.


    FTFY
  • Ken B. 2011-04-28 14:52
    Anachronda:
    I keep waiting for someone to decide that not having occasional missed attempts implies that your password is insufficiently complex and needs to be changed.
  • BLs 2011-04-28 15:00
    Imagine... a couple years down the road when hackers get even more sophisticated and security managers get even more insane...

    Attention All:
    Due to recent security breaches, all employees will be required to log in using a sample of their DNA. To ensure this cannot be cloned in any way and therefore compromise our security some restrictions will be placed on the DNA that can be used for system access. Specifically, every DNA sample must contain at least 5 each of capital, lowercase, and numeric chromosomes. In addition, your chromosomes cannot contain repeating values, your name, or two X chromosomes.

    Thank you for your compliance.
  • ÃÆâ€℠2011-04-28 15:06
    BLs:
    two X chromosomes

    As if Klinefelter's sufferers didn't have enough to worry about
  • frits 2011-04-28 15:12
    ÃÆâ€â„Â:
    BLs:
    two X chromosomes

    As if women didn't have enough to worry about

    FTFY
  • HappyEngineer 2011-04-28 15:16
    Buzer:
    Qwerty00
    Qwerty01
    ...


    Sorry, that doesn't work. Your name contains "er", so you can't have "er" in your password. Of course, if your real name doesn't include those letters then that may be ok.

    Here is the smallest set of condensed rules I could come up with by eliminating redundant rules:

    Your password:
    • must have between 8 and 12 characters.
    • must have between 1 and 8 uppercase letter(s)
    • must have between 1 and 8 lowercase letter(s)
    • must have at least 1 digit
    • may also contain any of the following:
    !@$%*(-_+\':`~./?]{}
    • must have a leading letter
    • must have at least 2 letter(s)
    • must not CONTAIN more than 1 pair of repeating characters
    • must not CONTAIN 3 occurrences of the same character
    • must not CONTAIN an exact dictionary word match
    (does this include all the 2 letter scrabble words?)
    • must not CONTAIN your username or your username backwards
    • must not BE your username with the letters rearranged
    • must not BE an old password
    • must not CONTAIN any part of your full name.
    (does this include individual letters from your name?)
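
    The condensed list above turned into a checker, as an added example (not HappyEngineer's code and not the article's system): it pins each ambiguous rule to one explicit reading, which is exactly the work such a list leaves to whoever implements it. The tiny dictionary, the three-letter minimum for what counts as a dictionary word, and the reading of "any part of your full name" as whole name components are assumptions, marked in the comments.

```python
from collections import Counter
import string

# Characters the condensed list says "may also" appear.
ALLOWED_PUNCT = set("!@$%*(-_+\\':`~./?]{}")
ASCII_ALNUM = set(string.ascii_letters + string.digits)
# ASSUMPTION: a constructed stand-in for the real dictionary, and "dictionary
# word" taken to mean any listed word of three or more letters found anywhere
# in the password, case-insensitively.
DICTIONARY = {"pass", "word", "password", "secret", "welcome", "summer", "hello"}
MIN_WORD_LEN = 3


def check_password(pw, username, full_name, old_passwords=(), dictionary=DICTIONARY):
    """Return the list of violated rules; an empty list means the password passes.
    Each check is one of the condensed rules, with the ambiguous ones pinned to
    a single interpretation (see the comments)."""
    errors = []
    low = pw.lower()

    if not 8 <= len(pw) <= 12:
        errors.append("length must be between 8 and 12")
    upper = sum(c in string.ascii_uppercase for c in pw)
    lower = sum(c in string.ascii_lowercase for c in pw)
    digits = sum(c in string.digits for c in pw)
    if not 1 <= upper <= 8:
        errors.append("need 1-8 uppercase letters")
    if not 1 <= lower <= 8:
        errors.append("need 1-8 lowercase letters")
    if digits < 1:
        errors.append("need at least one digit")
    bad = sorted({c for c in pw if c not in ASCII_ALNUM and c not in ALLOWED_PUNCT})
    if bad:
        errors.append("forbidden characters: " + "".join(bad))
    if not (pw and pw[0] in string.ascii_letters):
        errors.append("must start with a letter")
    if upper + lower < 2:
        errors.append("need at least two letters")
    # "pair of repeating characters" read as two equal adjacent characters
    pairs = sum(1 for a, b in zip(pw, pw[1:]) if a == b)
    if pairs > 1:
        errors.append("more than one pair of repeated characters")
    if any(n >= 3 for n in Counter(pw).values()):
        errors.append("some character occurs three or more times")
    if any(w in low for w in dictionary if len(w) >= MIN_WORD_LEN):
        errors.append("contains a dictionary word")
    u = username.lower()
    if u and (u in low or u[::-1] in low):
        errors.append("contains the username forwards or backwards")
    if u and sorted(low) == sorted(u):
        errors.append("is the username with its characters rearranged")
    if pw in old_passwords:
        errors.append("reuses an old password")
    # ASSUMPTION: "any part of your full name" read as any whitespace-separated
    # component of the name (so "Q." is a component, single letters are not).
    for part in full_name.lower().split():
        if part in low:
            errors.append("contains part of the full name: " + part)
    return errors


if __name__ == "__main__":
    # Constructed inputs: one password that passes, two that do not.
    for candidate in ("Xk7r!Qm2pz", "password1", "Jsmith99!A"):
        print(candidate, check_password(candidate, "jsmith", "James Q. Smithers") or "OK")
```

Returning the whole list of violations rather than the first one is deliberate: a user who is told only "must contain a digit" and then "must not contain a dictionary word" on the next attempt is the user who ends up with a post-it.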
  • Ken B. 2011-04-28 15:18
    Gary:
    These intrigue me


    • not contain a dictionary word!
    • not contain an exact dictionary word match!


    That rules out at minimum any of the vowels A, I and O. If you can't include two-letter combinations either (am, do, em, en, go, he, etc.), then we are going to have a really small set of possible pwds.
    Sorry, "wds" is a sequence of three neighboring keys on the keyboard.
  • Kiss me I'm Polish 2011-04-28 15:23
    Oh, that's nothing. Somebody here decided that we needed a different password for every domain or standalone server we log into. All these servers have somewhat random rules regarding password expiration, length, history, character set, etc. There are a few hundred servers here.
    Don't make me laugh with your post-it notes. They're good for one, maximum 4 passwords. We have an Excel template file that every new coworker just gets unofficially from us with all the servers listed, along with a "keep it password-protected" notice and a how-to. The system hasn't failed us yet.
  • smxlong 2011-04-28 15:24
    If you exclude the rules involving username, this password ruleset reduces the keyspace by 92%, compared to a baseline of any combination of printable ASCII characters, 8 to 12 characters in length.

    I calculated it statistically with the following program:


    #include <stdio.h>
    #include <stdlib.h>
    #include <ctype.h>
    #include <string.h>

    int CheckValidPassword(const char *pw)
    {
        int nUpper = 0;
        int nLower = 0;
        int nDigit = 0;
        int nRepeat = 0;

        int charCount[95];   /* one slot per printable ASCII character, 32..126 */

        memset(charCount, 0, sizeof(charCount));

        const char *pwe = pw;

        // First character must be a letter
        if (!isalpha((unsigned char)*pwe)) return 0;
        if (isupper((unsigned char)*pwe)) ++nUpper; else ++nLower;

        // Overall count of characters
        ++charCount[*pwe - 32];

        for (++pwe; *pwe; ++pwe)
        {
            // Only printable ASCII is generated; anything else would index
            // outside charCount, so reject it outright
            if (*pwe < 32 || *pwe > 126) return 0;

            // Overall count of characters
            ++charCount[*pwe - 32];

            // No more than 1 pair of repeating characters
            if (*pwe == pwe[-1])
            {
                ++nRepeat;
                if (nRepeat > 1)
                    return 0;
            }

            if (isupper((unsigned char)*pwe)) ++nUpper;
            else if (islower((unsigned char)*pwe)) ++nLower;
            else if (isdigit((unsigned char)*pwe)) ++nDigit;

            // Forbidden chars
            else if (strchr("^ =&#,;\"<>[|)", *pwe)) return 0;
        }

        // Must have at least two letters
        if (nUpper + nLower < 2) return 0;

        // Must have a mixture of cases
        if (nUpper == 0 || nLower == 0) return 0;

        // Must have no more than 8 uppercase or 8 lowercase letters, and at least 1 digit
        if (nUpper > 8 || nLower > 8 || nDigit < 1) return 0;

        // No triples or more of any character
        for (int n = 0; n < 95; ++n)
            if (charCount[n] > 2) return 0;

        return 1;
    }

    int Chance(void)
    {
        // There are 95 times as many strings of length n as of length n-1, so
        // each shorter length must be 1/95th as likely as the next longer one.
        // Continuing with probability 94/95 gives exactly that ratio.
        return (rand() % 95) != 0;
    }

    void GenPasswordN(char *buffer, int n)
    {
        // Uniform over the 95 printable ASCII characters (32..126)
        for (int i = 0; i < n; ++i)
            buffer[i] = rand() % 95 + 32;
        buffer[n] = 0;
    }

    void GenPassword(char *buffer)
    {
        // 8, 9, 10, 11, or 12 characters? Weight it properly.
        if (Chance())
            GenPasswordN(buffer, 12);
        else if (Chance())
            GenPasswordN(buffer, 11);
        else if (Chance())
            GenPasswordN(buffer, 10);
        else if (Chance())
            GenPasswordN(buffer, 9);
        else
            GenPasswordN(buffer, 8);
    }

    int main(void)
    {
        unsigned long long int valid = 0;
        unsigned long long int total = 0;

        char buffer[13];
        // Sample a fixed number of candidates and report the running
        // fraction that survives the rules every million draws
        while (total < 20000000ULL)
        {
            GenPassword(buffer);
            if (CheckValidPassword(buffer))
                ++valid;
            ++total;
            if (total % 1000000ULL == 0)
                printf("%llu samples: %f\n", total, (double)valid / (double)total);
        }
        return 0;
    }
  • boog 2011-04-28 15:24
    Meep:
    Since JavaScript doesn't have a built-in digest algorithm, most web apps do the hashing on the server side.
    Also, doesn't submitting the hashed password defeat the purpose of hashing? Since you no longer need to know the user's password in order to break in, just what it hashes to.
  • danielpauldavis 2011-04-28 15:24
    No problem! My method of using Old Testament names fits that criteria (all of it) nicely. It has the added benefit of my being one of the few who actually know how to spell the names.
  • socknet 2011-04-28 15:38
    Spivonious:
    trtrwtf:
    Spivonious:
    My company doesn't let you use any of the last five passwords. So I have a post-it in my drawer that has the last five passwords on it. I figure if the janitor has access to my desk, he deserves access to my PC.


    FTFY


    Our room is locked-down so the janitor doesn't steal computers. The only people allowed in are in my department.


    Who vacuums?
  • socknet 2011-04-28 15:39
    Not if the server is doing the hashing, since you need to know what value to submit to get the same hash - i.e. what the password is.

    Anyone who hashed the password client side is committing a rather large wtf - I'd agree.
  • Nagesh 2011-04-28 15:39
    Simple function to check for valid passwords!

    import java.util.Scanner;

    public class PasswordCheck {
        public static void main(String[] args) {
            // Reads candidates from standard input until one passes
            Scanner in = new Scanner(System.in);
            while (true) {
                System.out.print("password: ");
                String pass = in.nextLine();
                if (pass.length() < 7) {
                    System.out.println("must be at least 7 characters long");
                } else {
                    boolean upper = false;
                    boolean lower = false;
                    boolean number = false;
                    for (char c : pass.toCharArray()) {
                        if (Character.isUpperCase(c)) {
                            upper = true;
                        } else if (Character.isLowerCase(c)) {
                            lower = true;
                        } else if (Character.isDigit(c)) {
                            number = true;
                        }
                    }
                    if (!upper) {
                        System.out.println("must contain at least one uppercase character");
                    } else if (!lower) {
                        System.out.println("must contain at least one lowercase character");
                    } else if (!number) {
                        System.out.println("must contain at least one number");
                    } else {
                        break;
                    }
                }
            }
        }
    }


  • chron3 2011-04-28 15:53
    Halfway through that list, did anyone else have images of Eric Idle and Michael Palin in medieval gear running through their heads...
  • Anon 2011-04-28 15:53
    PSN Admin:
    Oh, that's nothing. Somebody here decided that we needed a different password for every domain or standalone server we log into. All these servers have somewhat random rules regarding password expiration, length, history, character set, etc. There are a few hundred servers here.
    Don't make me laugh with your post-it notes. They're good for one, maximum 4 passwords. We have an Excel template file that every new coworker just gets unofficially from us with all the servers listed, along with a "keep it password-protected" notice and a how-to. The system has just failed spectacularly.


    FTFY
  • Anon 2011-04-28 15:54
    chron3:
    Halfway through that list, did anyone else have images of Eric Idle and Michael Palin in medieval gear running through their heads...


    When don't I?
  • Nagesh 2011-04-28 15:54
    How entire industry came to built with concept of security is beyond my understanding nature.

    There are companies that require you to download several softwares to make your pc running well. My thought process tell me that this should be the OS maker's job.

    Point of favor to Apple who does this right. You don't need anti-virus tool for Apple Macintosh
  • Zapp Brannigan 2011-04-28 15:57
    Meep:
    Spivonious:
    My company doesn't let you use any of the last five passwords. So I have a post-it in my drawer that has the last five passwords on it. I figure if the hacker has access to my desk, he deserves access to my PC.


    You must be the only person who hasn't realized you can just change your password to something bogus five times and then reuse the last one.
    Shhh, or they say we can't use any of the last 10 passwords.
  • Seth 2011-04-28 15:59
    I'd love to see the code that validates these rules.
  • Machtyn 2011-04-28 16:02
    I know it has been mentioned before, but with that many restrictions it appears like the password is between 8-12 characters, characters can only be alphanumeric, and the use of certain characters relating to the user are excluded... this makes for a rather narrow "dictionary" of characters to test on. (Yikes! I'm getting flashbacks from my Automata class.)
  • Brian White 2011-04-28 16:06
    That rule isn't hard at all. Just replace some of the letters in your username with corresponding digits. And tack on digits to the end, so you can just cycle the last 2 of the password.
  • Brian White 2011-04-28 16:09
    Zapp Brannigan:
    Meep:
    Spivonious:
    My company doesn't let you use any of the last five passwords. So I have a post-it in my drawer that has the last five passwords on it. I figure if the hacker has access to my desk, he deserves access to my PC.


    You must be the only person who hasn't realized you can just change your password to something bogus five times and then reuse the last one.
    Shhh, or they say we can't use any of the last 10 passwords.


    Um, that's why sane organizations only let you change your password once a day.

    Annoyingly our company had a "you can't re-use any of your last 12 passwords" rule. It was just about to roll around to where I would be able to reuse the first one after 11 months, and then they doubled it to last 24 passwords.
  • Brian White 2011-04-28 16:13
    kastein:
    my favorite is the companies that refuse to let me use a secure password:
    * one of my financial accounts insists that I use NO symbols, and that my password be no more than 6 characters long. Thanks guys, glad no one can get into my stock account now!
    * another requires that my password be ridiculously long and complex, be different from my last ten passwords, and get changed every 60 days. I finally ran out of good passwords I could remember and started just changing one digit when asked for a new password. You win guys, too secure for me...

    The sad thing is that I usually come up with ridiculously hard to guess passwords when not forced to follow some goofy set of rules.

    When given the chance I do stupid crap like using altcodes in my password... I want to see someone try and hack that! Bet your rainbow tables don't cover 25 character passwords with upper/lowercase, numbers, symbols, and upper code page characters, script kiddie!


    Hi kastein, purely out of curiosity, what stock site is that?
  • boog 2011-04-28 16:15
    Ken B.:
    boog:
    Better to just hire a really creepy guy that scares everyone into finding work elsewhere or early retirement.
    Same thing with getting rid of an apartment building full of bad tenants... Pay "creepy guy" to move into a vacant apartment. Let CG indulge his "hobbies", such as running up and down the hallway in the middle of the night wearing his ski boots, playing his "Hooked on Polka" CDs all day long, cooking with Nam Pla / Padaek, and so on.
    Science help you if your building is already full of tenants that fit such a description.
  • Alex 2011-04-28 16:17
    How else are they supposed to recover the password if a user forgets it?
  • boog 2011-04-28 16:21
    Brian White:
    Zapp Brannigan:
    Meep:
    Spivonious:
    My company doesn't let you use any of the last five passwords.

    ...just change your password to something bogus five times and then reuse the last one.
    Shhh, or they say we can't use any of the last 10 passwords.

    Annoyingly our company had a "you can't re-use any of your last 12 passwords" rule... then they doubled it to last 24 passwords.
    I do scoff at the arbitrary doubling method of increasing security. It's a pretty sure sign that the guys in charge of security have no idea how to improve it.

    Go ahead, double your weak security. It only means you'll have twice as much weak security.
  • Philip Newton 2011-04-28 16:24
    I'm surprised that \ and ' were allowed - the former is a popular metacharacter not only in regular expressions, and the second one can get you into problems with SQL.

    CAPTCHA: suscipit - reminds me of the _Magnificat_ which I sang in choir once.
  • profke 2011-04-28 16:26
    policy where i work:

    * 3 out of 4 categories required: capitals, lowercase, numbers, digits

    * Lockup after 3 consecutive failures

    * must change after 30 days

    * CANNOT CHANGE VOLUNTARILY within 6 days from a previous password change

    * Previous 13 Passwords cannot be re-used.

    * Minimum 8 characters


    current password used at my work (a lot)


    "default password on account creation": Welcome01

    A lot of users use
    January2011
    February2011 (in feb)
    At this moment they are at March2011 or April2011, depending on which date they have to change their pw.

    No doubt I will receive within a few days some calls about their "new" password not being accepted. (May2011 is shorter than 8 chars. Somehow they find it something IT must fix.)

    Last year I received similar calls from about 25 different users... in a company with 600 users.

    P.S: the "cannot change within 6 days" was to prevent some idiot who always used the same password and, when it was time to change it, immediately changed it 14 times... (ending up with the same one he started with).

    On my question of what I had to do when I noticed that someone saw me typing my password, they still have to give me an answer.

  • Herby 2011-04-28 16:37
    The problem is that some people just want to annoy you (BOFH types). They are the ones who insist on super complex passwords for such things as tomorrow's lunch menu (as if it were an atomic secret!). The rules continue to confound me, as the need for security is NEVER the same as ACTUAL security implemented. Cue up Dilbert cartoon here!
  • Todd Lewis 2011-04-28 16:39
    No joke: below is the text from our password management page, which I readily admit that I maintain.

    Thinking up a new password can be hard. May we suggest one of the following:
    HAstjog<7 drY<4muCh sepgroW4} raP&9fEnD
    'TWitkIn6 $Moo3wrap 2#fociSEP

    * It can't be a password you've used in the last year.
    * It must be at least 8 characters long.
    * It must contain at least one letter and at least one digit.
    * It must contain at least one of these characters: !@#$%&*+={}?<>"'
    * It and your userid must share fewer than six (or length of your userid) consecutive common characters.
    * It must not:
    start with a hyphen,
    end with a backslash (\), or
    start or end with a space, or
    contain a double-quote (") anywhere except as the last character.

    Needless to say, I'm not always popular around work.
  • Gunslinger 2011-04-28 16:58
    trtrwtf:
    Spivonious:
    My company doesn't let you use any of the last five passwords. So I have a post-it in my drawer that has the last five passwords on it. I figure if the janitor has access to my desk, he deserves access to my PC.


    FTFY


    Desk has a key lock. Janitor doesn't have key. Also, hacker is more inclusive, as the hacker can be a janitor but the janitor doesn't need to be a hacker.
  • gratuitous_arp 2011-04-28 17:14
    * The exclamation marks made the first half of that reminder exciting!
    * But I started glossing them over when they stopped the punctuation
    * and the period ending the last sentence made me feel a bit dismal.
  • Gunslinger 2011-04-28 17:18
    socknet:
    Spivonious:
    trtrwtf:
    Spivonious:
    My company doesn't let you use any of the last five passwords. So I have a post-it in my drawer that has the last five passwords on it. I figure if the janitor has access to my desk, he deserves access to my PC.


    FTFY


    Our room is locked-down so the janitor doesn't steal computers. The only people allowed in are in my department.


    Who vacuums?


    The robot, of course. Your office doesn't have one?
  • Gunslinger 2011-04-28 17:20
    Nagesh:
    How entire industry came to built with concept of security is beyond my understanding nature.

    There are companies that require you to download several softwares to make your pc running well. My thought process tell me that this should be the OS maker's job.

    Point of favor to Apple who does this right. You don't need anti-virus tool for Apple Macintosh


    When you graduate from junior high, then you'll learn the truth young grasshopper.
  • JW 2011-04-28 17:33
    This makes my job much easier. There are only a handful of passwords that match all of those criteria. Now I just need to figure them out.
  • Fred 2011-04-28 17:37
    Surely you mean 12 character(s)!
  • Niten 2011-04-28 17:38
    I once used a password safe and made all my passwords randomly generated guids. I figured the sun would consume the earth in a raging inferno before a brute force attack could crack my password. That lasted all of until the first time I tried to sign into something on my phone. Security is nice, but I prefer a little bit of usability over an obscene amount of security.
  • foo 2011-04-28 17:38
    Mike:
    Jam of the day - code to generate a password per the rules.

    return "Frist123";  // chosen by fair draw etc.
  • OMG 2011-04-28 17:54
    Dazed:
    I don't think the problem is so much being able to remember your password as trying to find a valid one in the first place. I can see it now:

    - (shout) "WTF can I use for a password?"
    - (shout from another cubicle) "QWErty123$%^ seems to work*"
    - everyone in the office now uses the same password.

    * This is a hypothesis on my part, not a promise.


    I just realised that's why we all use summer99
  • e john 2011-04-28 17:57
    You are right! I'm going to try that on my memoranda!
  • Jimmy 2011-04-28 18:05
    article:
    • not contain a dictionary word!
    • not contain an exact dictionary word match!

    Uh oh, 'a', 'A', 'I' and 'O' can't be used in a password. Assuming they do their dictionary check case-insensitively (that is, that something like caPSiCum would still match as a dictionary word), this excludes 'i' and 'o' as well...

    I could see the potential password space being quite small here...
  • Mr Big 2011-04-28 18:14
    abcdefg?:
    trtrwtf:
    I think just about anyone could memorize a truly random 14-character password if they had to type it every day

    Exactly this.
    When I came up with my original password I just bashed on the keyboard until like 12 chars appeared, replaced a few characters. Sure took me a month or two to memorize, but once I did, I always remembered it, and was secure because it truly was a random password and didn't mean anything. But if I was changing it every 2 months I would never remember it.


    When it comes to passwords nothing is totally secure.
    Randomness does not necessarily make a password any more or less secure. (and a pedant will probably tell you that mashing the keyboard does not produce a random series of characters)
  • Ape D. Ant 2011-04-28 18:25
    abcdefg?:
    When I came up with my original password I just bashed on the keyboard until like 12 chars appeared, replaced a few characters. Sure took me a month or two to memorize, but once I did, I always remembered it, and was secure because it truly was a random password and didn't mean anything. But if I was changing it every 2 months I would never remember it.

    Just bashing on the keyboard doesn't make for a random password.
  • June 2011-04-28 18:31
    Ken B.:
    boog:
    C-Octothorpe:
    hoodaticus:
    I've long promoted the notion that the secret to securing any system is to eliminate its users.

    BOFH?

    Do you have a lot of elevator and electrical "accidents" at your workplace?
    Safety incidents going through the roof would be a huge red flag. Better to just hire a really creepy guy that scares everyone into finding work elsewhere or early retirement.
    Same thing with getting rid of an apartment building full of bad tenants. (Which you just bought at a bargain price, due to said tenants.)

    Tenant "protection" laws make it very difficult / costly / time-consuming to evict them. So...

    Pay "creepy guy" to move into a vacant apartment. Let CG indulge his "hobbies", such as running up and down the hallway in the middle of the night wearing his ski boots, playing his "Hooked on Polka" CDs all day long, cooking with Nam Pla / Padaek, and so on. Tenants spontaneously decide to move elsewhere.

    Easy / inexpensive / efficient.


    How do you get 'creepy guy' to move out? Find someone more sinister, perhaps?
  • C.K. 2011-04-28 18:37
    Pat:
    The real WTF is the validation code they'll use to enforce that policy...


    TRWTF is that they'll probably store the passwords in clear text and have somebody audit them.


    Captcha: eros; Why do I always get this captcha? Is the site commenting on my sex life?
  • June 2011-04-28 18:41
    Brian White:
    Zapp Brannigan:
    Meep:
    Spivonious:
    My company doesn't let you use any of the last five passwords. So I have a post-it in my drawer that has the last five passwords on it. I figure if the hacker has access to my desk, he deserves access to my PC.


    You must be the only person who hasn't realized you can just change your password to something bogus five times and then reuse the last one.
    Shhh, or they say we can't use any of the last 10 passwords.


    Um, that's why sane organizations only let you change your password once a day.

    Annoyingly our company had a "you can't re-use any of your last 12 passwords" rule. It was just about to roll around to where I would be able to reuse the first one after 11 months, and then they doubled it to last 24 passwords.


    I can see a pattern here.
    Perhaps people used:
    Jan
    Feb
    Mar
    ....

    It was doubled to force them to include the year too...
    Jan11
    Feb11
    Mar11
    ....

    This must be more secure, right?

    On a more serious note, I've never understood why people want to reuse passwords (and I thought the reason they stop you reusing the last X is because they've worked out that you won't remember any before that).

    The whole idea of changing passwords is to minimise unknown security breaches (that is, someone has been using your account but you never noticed). Changing it back to something it was in the past kind of defeats the purpose (especially given that the hacker presumably has been on the system, and most likely has access to at least the rules.... "Hmm... this password doesn't work anymore, let me see, 6 rotations at somewhere between 25-30 days.... I'll try again in 6 months").
  • Yummy yummy, salted hashes 2011-04-28 19:20
    kastein:
    my favorite is the companies that refuse to let me use a secure password:
    * one of my financial accounts insists that I use NO symbols, and that my password be no more than 6 characters long. Thanks guys, glad no one can get into my stock account now!
    * another requires that my password be ridiculously long and complex, be different from my last ten passwords, and get changed every 60 days. I finally ran out of good passwords I could remember and started just changing one digit when asked for a new password. You win guys, too secure for me...

    The sad thing is that I usually come up with ridiculously hard to guess passwords when not forced to follow some goofy set of rules.

    When given the chance I do stupid crap like using altcodes in my password... I want to see someone try and hack that! Bet your rainbow tables don't cover 25 character passwords with upper/lowercase, numbers, symbols, and upper code page characters, script kiddie!


    (I couldn't decide whether you were trolling or not. After writing my essay, I decided you were, but I didn't want a good lecture to go to waste)

    You know what rainbow tables are, right? They require hackers to have access to the hash of passwords, and they then look for a string that creates a particular hash.
    Now, password->hash is a many-to-1 relationship, so the strength of your password is irrelevant in a rainbow lookup (you might be unfortunate enough to have the same hash as "abc123").

    Password complexity combats brute force attacks, not rainbow tables.

    [boring detail - not about food]
    Of course, we oversimplified
    In an attempt to combat rainbow tables, people started to salt their hashes. What this meant was that they would add something else to the hash as well (I think they often used the website name, for instance).
    Obviously, this now meant that 1 rainbow table did not fit all, but the hackers soon realised that it simply meant that (provided they knew the salt) they needed one (actually two - the salt could be placed before or after the password, although if a hacker knew the salt, they would probably know the order) rainbow table for each website. Something more was needed.
    Somebody (citation needed) decided that adding more salt using a more dynamic string might be the solution. Thus, in some cases the hash is actually made of [dynamic salt][password][static salt]. I think the username is (or was) commonly used. Suddenly, the hackers needed a rainbow table for each username on each website (and if they didn't know the order of the salts, 6 each). To further complicate matters, I believe people started to use data that was more dynamic than the username (eg password changed date).

    Basically (AFAIK, happy to be corrected) well salted hashes are not only good to eat, but render Rainbow Tables virtually useless.
    [/boring detail]
  • Stiggy 2011-04-28 19:37
    boog:
    Meep:
    Since JavaScript doesn't have a built-in digest algorithm, most web apps do the hashing on the server side.
    Also, doesn't submitting the hashed password defeat the purpose of hashing? Since you no longer need to know the user's password in order to break in, just what it hashes to.


    For better security, you should also ensure that the hashed value is subject to complexity requirements.
  • Herby 2011-04-28 19:44
    Why did I suddenly realize that given these password rules, it is quite easy for the TV characters to hack at various accounts. It must be the reason that they have the rules, to make TV scripts believable!

    Yeah, that's the ticket!
  • Smiddy 2011-04-28 19:47
    Point 1 says at least 8 character(s)
    And then the last point is at least 6 characters long... WTF..
  • smxlong 2011-04-28 20:27
    Smiddy:
    Point 1 says at least 8 character(s)
    And then the last point is at least 6 characters long... WTF..


    I think the last point used to be the entire policy, then all of the preceding points got tacked on -- the last point should have been deleted but was kept. Because somebody's stupid.
  • Jex 2011-04-28 20:31
    Smiddy:
    Point 1 says at least 8 character(s)
    And then the last point is at least 6 characters long... WTF..


    Oh wow!! You're the first to notice that!
  • foo 2011-04-28 20:59
    smxlong:
    Smiddy:
    Point 1 says at least 8 character(s)
    And then the last point is at least 6 characters long... WTF..


    I think the last point used to be the entire policy, then all of the preceding points got tacked on -- the last point should have been deleted but was kept. Because somebody's stupid.

    Rather because somebody didn't dare delete one rule. A manager might think they made the policy less secure and fire them. CYA design at work.
  • foo 2011-04-28 21:03
    Yummy yummy, salted hashes:

    In an attempt to combat rainbow tables, people started to salt their hashes. What this meant was that they would add something else to the hash as well (I think they often used the website name, for instance).
    Obviously, this now meant that 1 rainbow table did not fit all, but the hackers soon realised that it simply meant that (provided they knew the salt) they needed one (actually two - the salt could be placed before or after the password, although if a hacker knew the salt, they would probably know the order) rainbow table for each website. Something more was needed.
    Somebody (citation needed) decided that adding more salt using a more dynamic string might be the solution. Thus, in some cases the hash is actually made of [dynamic salt][password][static salt]. I think the username is (or was) commonly used. Suddenly, the hackers needed a rainbow table for each username on each website (and if they didn't know the order of the salts, 6 each). To further complicate matters, I believe people started to use data that was more dynamic than the username (eg password changed date).

    Unix password hashes were dynamically salted long before web sites even existed. The salt was random and stored with the hash, but still an attacker would need separate tables for each account.

    Why didn't some (citation needed) web site authors do the same from the start? I know I did.
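    Added worked example (editor's code, not from any poster in this thread) for the two comments above: an attacker's precomputed hash-to-plaintext table finds every user whose unsalted hash it already contains, while the same table finds nothing once each record carries its own random salt stored beside the hash, as foo describes for Unix. The candidate list and user records are constructed for the demo. `store_kdf` goes one step beyond the thread and shows the slow key derivation (PBKDF2 here) that makes even per-user re-hashing expensive.

```python
import hashlib
import hmac
import os

# Constructed data for the demo, not taken from any real breach: the
# candidate list an attacker precomputes once, and a few user records.
CANDIDATES = ["abc123", "password", "Jan11", "Feb11", "letmein"]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_table(candidates):
    """Attacker side: hash -> plaintext, computed once and reused forever
    (a rainbow table stores this more compactly; the lookup is the same)."""
    return {sha256_hex(p.encode()): p for p in candidates}


def store_unsalted(password):
    """Unsalted storage: equal passwords give equal hashes, and one
    precomputed table serves every user on every site."""
    return {"hash": sha256_hex(password.encode())}


def store_salted(password, salt=None):
    """Random per-user salt stored in the clear beside the hash, the way
    Unix crypt() has done it; the salt is not a secret."""
    salt = os.urandom(16) if salt is None else salt
    return {"salt": salt.hex(), "hash": sha256_hex(salt + password.encode())}


def verify_salted(record, password):
    salt = bytes.fromhex(record["salt"])
    return hmac.compare_digest(sha256_hex(salt + password.encode()), record["hash"])


def lookup(table, records):
    """One table probe per stored hash: hits when unsalted, misses when salted."""
    return {user: table.get(rec["hash"]) for user, rec in records.items()}


def crack_salted(candidates, records):
    """With salts the table is useless; every candidate must be re-hashed
    for every user, so the attacker's cost scales with users x candidates."""
    found = {}
    for user, rec in records.items():
        for p in candidates:
            if verify_salted(rec, p):
                found[user] = p
                break
    return found


def store_kdf(password, salt=None, iterations=600_000):
    """What the salted scheme still lacks: a deliberately slow KDF, so the
    per-user re-hashing in crack_salted() becomes expensive as well."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_kdf(record, password):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    table = build_table(CANDIDATES)
    unsalted = {"alice": store_unsalted("abc123"), "bob": store_unsalted("abc123")}
    salted = {"alice": store_salted("abc123"), "bob": store_salted("abc123")}
    print("unsalted, table lookup:", lookup(table, unsalted))
    print("salted,   table lookup:", lookup(table, salted))
    print("salted,   per-user guessing:", crack_salted(CANDIDATES, salted))
```

    Note that `crack_salted` still succeeds against a fast hash: salting only stops the precomputation, which is why the iteration count in `store_kdf` (or scrypt/bcrypt/Argon2) matters just as much.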
  • JustAskin 2011-04-28 21:13
    Todd Lewis:
    No joke: below is the text from our password management page, which I readily admit that I maintain.

    Thinking up a new password can be hard. May we suggest one of the following:
    HAstjog<7 drY<4muCh sepgroW4} raP&9fEnD
    'TWitkIn6 $Moo3wrap 2#fociSEP

    * It can't be a password you've used in the last year.
    * It must be at least 8 characters long.
    * It must contain at least one letter and at least one digit.
    * It must contain at least one of these characters: !@#$%&*+={}?<>"'
    * It and your userid must share fewer than six (or length of your userid) consecutive common characters.
    * It must not:
    start with a hyphen,
    end with a backslash (\), or
    start or end with a space, or
    contain a double-quote (") anywhere except as the last character.

    Needless to say, I'm not always popular around work.


    It may make you unpopular, but *most* of those rules aren't all that unreasonable.

    Except the ones in bold. Why on earth are they in there? Would allowing those somehow break the code? That sounds like a WTF if true. Or do they just somehow cause a lot of support calls? (I can see where \ might, maybe do that, being so close to the enter key, but even that is a stretch.)
  • trtwtf 2011-04-28 21:49
    Mr Big:

    When it comes to passwords nothing is totally secure.
    Randomness does not necessarily make a password any more or less secure. (and a pedant will probably tell you that mashing the keyboard does not produce a random series of characters)


    A password randomly selected from a sufficiently large space offers fewer clues than one predictably selected from the same space, and therefore fewer ways to make their brute force attack more efficient. For example, it is considered worth reducing the total search space by eliminating some combinations in order to prevent certain too-predictable combinations.

    This seems useful.

  • Shit Stirrer Supreme 2011-04-28 21:57
    trtwtf:
    Mr Big:

    When it comes to passwords nothing is totally secure.
    Randomness does not necessarily make a password any more or less secure. (and a pedant will probably tell you that mashing the keyboard does not produce a random series of characters)


    A password randomly selected from a sufficiently large space offers fewer clues than one predictably selected from the same space, and therefore fewer ways to make their brute force attack more efficient. For example, it is considered worth reducing the total search space by eliminating some combinations in order to prevent certain too-predictable combinations.

    This seems useful.



    Yes, a password generated randomly might be more secure, however a password generated randomly could result in a weak password (such as qwert123).
    Mashing keys would make such a combination more likely...

    A sensible person generating a genuinely random password would probably regenerate if something shyte did get generated, however this sort of selectiveness actually makes the result less random...
  • trtwtf 2011-04-28 22:06
    Shit Stirrer Supreme:
    trtwtf:
    Mr Big:

    When it comes to passwords nothing is totally secure.
    Randomness does not necessarily make a password any more or less secure. (and a pedant will probably tell you that mashing the keyboard does not produce a random series of characters)


    A password randomly selected from a sufficiently large space offers fewer clues than one predictably selected from the same space, and therefore fewer ways to make their brute force attack more efficient. For example, it is considered worth reducing the total search space by eliminating some combinations in order to prevent certain too-predictable combinations.

    This seems useful.



    Yes, a password generated randomly might be more secure, however a password generated randomly could result in a weak password (such as qwert123).
    Mashing keys would make such a combination more likely...

    A sensible person generating a genuinely random password would probably regenerate if something shyte did get generated, however this sort of selectiveness actually makes the result less random...


    I agree that people don't generate random passwords - whether it's by mashing the keys or thinking about randomness or whatever it is. I'm talking about the user being presented with a finite set of well-generated random passwords, say 5, and required to pick one. That takes a bit of the randomness out of it, but still that password is likely to be much stronger against a brute force attack than anything the user is likely to generate - even if they're clever enough to think of using alt codes or something.

    Oddly enough, qwerty123 was exactly my example of a non-random password generated by a user, but I deleted that part of the post. So we can certainly agree that it's the most random of random passwords - it's so random, it's obviously the one to pick.
  • Naresh Kookaburra 2011-04-28 22:53
    Wow. I can see we have a lot of experts on here today. Let me get this straight: The hive mind concurs that requiring special characters and numbers reduces the search space for passwords? Also, why don't we stop beating around the bush and just agree that a randomly generated UUID would be the ideal password.
    KTHXBAI
  • trtwtf 2011-04-28 23:17
    Naresh Kookaburra:
    Wow. I can see we have a lot of experts on here today. Let me get this straight: The hive mind concurs that requiring special characters and numbers reduces the search space for passwords?


    No, the hive mind does not agree. The hive mind agrees that restraints on the placement of certain classes of characters reduces the search space for passwords, but that this is sometimes a good tradeoff if it prohibits easily-guessed passwords. For example, prohibiting "qwerty123" would reduce the search space by 1, but eliminating it might force more complexity into the overall set of passwords, and therefore increase the effective search space.

    Also, why don't we stop beating around the bush and just agree that a randomly generated UUID would be the ideal password.


    If it's short enough to be remembered and not subject to frequent required changes, yes it probably would be much more secure than a user-generated password and still memorable without the clever use of post-it notes under the desk.
  • kktkkr 2011-04-28 23:44
    Without further ado, the code:


    bool isValidPwd(Pwdstring stringToTest){
    return Math.floor(0.08/Math.random());
    }
  • Matt 2011-04-29 00:21
    So it has to have 8 characters minimum, and at least 6 characters?

    Technically correct, but surely there's a better way of phrasing it.
  • Bradley 2011-04-29 00:26
    The best thing is that the ! itself is actually allowed in the password. Clearly they didn't have a problem with it! (pun intended)
  • Master Yoda 2011-04-29 01:37
    Your username contain must not, young padawan!
  • subanark 2011-04-29 01:51
    When I worked at a place that cared about security, they let us pick any password we wanted... from a list of 10 randomly generated ones (this was to make it harder for someone to record the password if they were looking over our shoulder). We only needed to change it every month.
  • Dahpluth 2011-04-29 02:21
    not be longer than 12 characters!

    So basically any password I've made up in the last 10 years is too long... That's also a weird constraint for password security.
  • Matt Westwood 2011-04-29 03:38
    Serpentes:
    I once worked at a company whose password policy, as best I remember it, was:

    * Minimum 10 characters, maximum 24.
    * Must contain at least one each of capital letters, lowercase letters, numbers, punctuation marks.
    * Passwords expire every 45 calendar days.
    * No password may contain a substring that is a valid entry in the system's English lookup dictionary.
    * No password may contain any of an enumerated (but not publicly announced) list of prohibited substrings.
    * No password may repeat any character-position pair that was used in any of your 16 previous passwords.

    The dictionary lookup was very thorough. Too thorough. As a result, no password could contain (in either case) the letters A or I, since those were, of course, in the lookup dictionary. I rapidly concluded that vowels simply weren't worth my time. Although passwords were case sensitive (and had required mixed-case), the dictionary check was NOT -- so no thinking that "dUmB" was a valid substring.

    The secret substring blacklist wasn't any better. As far as I could ever determine, it included every alphabetically ordered three letter series, regardless of case (so no "FGH" or "PQR") and every three letter numerical series (no "123" or "789"). Also, sometimes, passwords would fail even if they should have been valid, so the blacklist clearly had some other nonsense on it.

    Probably already at Security by Post-It levels, the character-position non-reuse rule is what made it a likely violation of the Geneva Convention (with the 45 day expiration timer not helping at all). The story was that originally there was a standard "cannot repeat previous passwords" rule, but the security psychos realized people were just iterating a number at the end of their password. They concluded that was a security risk, because ninja death hackers would be smart enough to conclude that any compromised password was part of a sequence and thus obtain the current password, wreaking havoc and ending civilization. Their solution is just as horrid as it sounds. If you had a password with R as the second character, then for the next 16 passwords, the second character couldn't be R. Every character had to be novel, every time.

    The character-position system was also buggy. It was fine with passwords that were less than the maximum length ... sort of. If you always used a constant password length, you never saw the bug. But if you ever once created a password longer than your longest previous password, that became your new minimum length, because the matching code was clearly a WTF all by itself.

    And finally, note that the system wouldn't tell you why a password request failed (after the 5-10 minute "testing password" phase), just that it was invalid due to a "Rules Exception". Had you stumbled on some secret blacklisted character sequence? Had you accidentally repeated the 14th character of the password you used 9 months ago? Did you discover some Welsh-originated horror lurking in the lookup dictionary ("cwm", for example; it was a pretty good dictionary)? No way to know! Just pound on the keyboard like a monkey and try again!


    Sounds like a job for ... Superprogram!

    "Just" write a program which automatically generates a random string which adheres to the rules above. (Except that it doesn't know what the "prohibited substrings" are.) Then you need to carry a little (black) book with your passwords in. (Don't carry the account for which the password accesses in case you're mugged on the way to the station and it gets stolen by manic hackers.)

    Actually, those password rules miss a trick: they should also disallow passwords whose letters are on alternate sides of the keyboard to disallow those flights of frustrated randomness like Kz03ksupdywn (oops that won't work it has "up" and "dywn" in it) generated by frantic bashing of keyboard by index fingers in turn. After all, that's how the Enigma code was broken.
  • Matt Westwood 2011-04-29 04:05
    trtrwtf:
    socknet:

    The primary reason for passwords regularly isn't to try and make it more difficult to crack (i.e. to change it halfway through someone's brute force), it is so that if the password is cracked, the problem will only exist until the next reset.


    That's my question - does a cracker return to a cracked password? Or do they just do their thing and go?

    Serious question, I really don't know much about typical cracker behavior (insert white people joke here). My naive supposition would be that you would assume a cracked password would be detected, and to return to it would be setting yourself up, but maybe that's not the case.

    Any leet warez verdorz here want to clue me in?


    If a cracker cracks a pwd then I would have thought an entertaining thing to do would be to change it. By the time the original user has managed to persuade the company "hey this really is me, some blighter has impersonated me" you can off and run with significant quantities of assets.

    Making the pwd rules difficult to intuit would limit the cracker's ability to change that pwd.
  • Simon 2011-04-29 04:32
    What's with those "not more than 12 characters and must not contain any special characters" requirements anyway?
  • Piotr Tramosky 2011-04-29 05:07
    I loled at many of the comments...

    I notice that
    have at least 2 letter(s)!

    is redundant with
    have upper and lower case characters!

    not to talk about the "must not contain" + "must not be" nonsense, + the last one which is probably the old rules, left here for history...

    TRWTF here is with all the "special characters" madness. It screams something like "I inject passwords in regexes in a horrible way and can't be bothered with escaping them before".
    Would be fun if their system used regexes on login too.
    login : admin
    
    password : .*
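    Added worked example (editor's code; the regex login is Piotr's hypothetical above, not a system the page shows) of what happens when a supplied password is handed to a regex engine as a pattern: `.*` matches any stored value, a legitimate password that contains metacharacters fails to match itself, and a malformed pattern throws, beside the escaped form and the plain constant-time comparison a login check should do instead. The user records are constructed and kept as plaintext only to keep the demo short.

```python
import hmac
import re

# Constructed records for the demo. Plaintext only to keep the example
# short; a real store holds salted, slow-hashed verifiers.
USERS = {"admin": "Tr0ub4dor&3", "alice": "Ab+12.x?"}


def login_regex(userid, supplied):
    """Hypothetical vulnerable check: the supplied password is used as a
    regular expression against the stored one. Metacharacters change the
    comparison, and a malformed pattern raises re.error."""
    stored = USERS.get(userid)
    if stored is None:
        return False
    try:
        return re.fullmatch(supplied, stored) is not None
    except re.error:
        return False


def login_escaped(userid, supplied):
    """If a regex engine must be involved, escape the user's input so the
    pattern can only ever match its own literal text."""
    stored = USERS.get(userid)
    if stored is None:
        return False
    return re.fullmatch(re.escape(supplied), stored) is not None


def login_fixed(userid, supplied):
    """What the check should be: no parsing of user input at all, and a
    constant-time comparison so timing does not leak the stored value."""
    stored = USERS.get(userid)
    if stored is None:
        return False
    return hmac.compare_digest(stored.encode(), supplied.encode())


if __name__ == "__main__":
    for fn in (login_regex, login_escaped, login_fixed):
        print(f"{fn.__name__:14} admin/.* -> {fn('admin', '.*')!s:5} "
              f"alice/own password -> {fn('alice', 'Ab+12.x?')}")
```

    The second user shows the flip side of the bug: with the regex check, alice cannot log in with her own password because `+`, `.` and `?` are interpreted rather than compared, which is exactly the kind of "fix" that ends up as a ban on special characters.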
  • attroneys 2011-04-29 05:39
    Well, it's a great post
  • Grey 2011-04-29 05:46
    So TRWTF is my gmail password conforms to all of these requirements. I feel shame, huh...
  • Sten 2011-04-29 06:49
    My user name is “abcdefghijklmnopqrstuvwxyz”. I’m so screwed!
  • Harrow 2011-04-29 06:56
    Gunslinger:
    socknet:
    Spivonious:
    trtrwtf:
    Spivonious:
    My company doesn't let you use any of the last five passwords. So I have a post-it in my drawer that has the last five passwords on it. I figure if the janitor has access to my desk, he deserves access to my PC.


    FTFY


    Our room is locked-down so the janitor doesn't steal computers. The only people allowed in are in my department.


    Who vacuums?


    The robot, of course. Your office doesn't have one?

    We never use ours any more. It did a great job cleaning, but we could never stop it going through the cabinets and drawers looking for passwords.

    -Harrow.
  • derp 2011-04-29 07:12
    By knowing what to put or not put inside it is way easier to bruteforce. If I know the password should be 8 characters long and have at least 2 upper case letters it reduces the possibilities.

    This is how it should be:
    Digits, upper and lower case characters and special characters, not your username, not your username backwards, not your or any other birthdate, at least 20 characters long
  • nobulate 2011-04-29 07:19
    Forgot:

    • not contain )
  • ziemas 2011-04-29 07:45
    trtrwtf:
    Speaking of such things, is there any real reason to suppose that changing passwords every N days increases security? Wouldn't it make more sense to just require a sufficiently complex and long password and leave it at that? I think just about anyone could memorize a truly random 14-character password if they had to type it every day, but if you have to change it once a month then you have to come up with algorithms for generating "unguessable" passwords. These include things like regular substitutions, which become well known (ie, @ for a, 1 for i or l, and so forth), and the purpose is successfully defeated.


    Good point! I can think of no reason.
  • ziemas 2011-04-29 07:54
    socknet:
    trtrwtf:
    Speaking of such things, is there any real reason to suppose that changing passwords every N days increases security? Wouldn't it make more sense to just require a sufficiently complex and long password and leave it at that? I think just about anyone could memorize a truly random 14-character password if they had to type it every day, but if you have to change it once a month then you have to come up with algorithms for generating "unguessable" passwords. These include things like regular substitutions, which become well known (ie, @ for a, 1 for i or l, and so forth), and the purpose is successfully defeated.


    The primary reason for passwords regularly isn't to try and make it more difficult to crack (i.e. to change it halfway through someone's brute force), it is so that if the password is cracked, the problem will only exist until the next reset.

    Resetting a password regularly without sufficient complexity is of limited use, as is having a complex password with no resets

    BS! On any proper system trying to guess a password is prevented by only allowing 3 entries.

    So there's no reason to prevent brute force attacks with a password changing policy.

    Furthermore, with a 12 char password containing upper and lowercase letters, digits and other characters, the average time with a billion guesses a second is about 90000 years.
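    Added worked example (editor's code, not any poster's) for the search-space argument running through derp's, trtwtf's and ziemas's comments above: it counts, by inclusion-exclusion, how many strings of a given length satisfy an "at least one from each required class" or an "at least m of the n classes" rule over the 95 printable ASCII characters, and converts a count into years at a billion guesses per second. The class sizes 26/26/10/33 and the guess rate are the example's only assumptions; the page gives no other figures, so check any claim in the thread against it yourself.

```python
from itertools import combinations

# The four character classes password rules talk about, sized over the
# 95 printable ASCII characters (26 + 26 + 10 + 33). These sizes and the
# 1e9 guesses/second rate below are the example's only assumptions.
CLASSES = {"upper": 26, "lower": 26, "digit": 10, "symbol": 33}
ALPHABET = sum(CLASSES.values())  # 95


def count_exactly(classes, length):
    """Strings of `length` that use every class in `classes` and nothing
    outside them, by inclusion-exclusion over the subsets of `classes`."""
    classes = tuple(classes)
    total = 0
    for k in range(len(classes) + 1):
        for sub in combinations(classes, k):
            sign = (-1) ** (len(classes) - k)
            total += sign * sum(CLASSES[c] for c in sub) ** length
    return total


def count_with_min_classes(min_classes, length, allowed=None):
    """Strings of `length` over the `allowed` classes that contain at
    least `min_classes` distinct classes ('3 of 4' style rules)."""
    allowed = tuple(CLASSES if allowed is None else allowed)
    return sum(count_exactly(p, length)
               for k in range(min_classes, len(allowed) + 1)
               for p in combinations(allowed, k))


def count_length_range(min_len, max_len, min_classes=1, allowed=None):
    """Total space for a policy with a length window, e.g. 8 to 12 chars."""
    return sum(count_with_min_classes(min_classes, n, allowed)
               for n in range(min_len, max_len + 1))


def years_to_exhaust(space, guesses_per_second=1e9):
    """Worst-case time to try every string; the average is half of it."""
    return space / guesses_per_second / (365.25 * 24 * 3600)


def policy_report(length, min_classes):
    everything = ALPHABET ** length
    allowed = count_with_min_classes(min_classes, length)
    return {"length": length, "min_classes": min_classes,
            "all": everything, "allowed": allowed,
            "fraction": allowed / everything,
            "years": years_to_exhaust(allowed)}


if __name__ == "__main__":
    for n, k in ((8, 1), (8, 3), (8, 4), (12, 1), (12, 4)):
        r = policy_report(n, k)
        print(f"len {n:2d}, >= {k} classes: {r['allowed']:.3e} strings "
              f"({r['fraction']:.1%} of all), {r['years']:.3g} years")
    capped = count_length_range(8, 12)
    print(f"8-12 chars, any mix: {capped:.3e} strings, "
          f"{years_to_exhaust(capped):.3g} years")
```

    Two things the output makes concrete: class requirements remove a measurable but modest fraction of the space at a fixed length, while a maximum length (12 here) caps the total regardless of what the other rules demand, so the length cap is the rule that costs the most.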
  • Sock Puppets R Us 2011-04-29 08:05
    frits:
    ÃÆâ€â„Â:
    BLs:
    two X chromosomes

    As if women didn't have enough to worry about

    FTFY

    For anyone who didn't know, we're having a 3-for-1 sale down here.
  • Anne McGee 2011-04-29 08:14
    Serpentes:
    I once worked at a company whose ******** policy, as best I remember it, was:

    * Minimum 10 characters, maximum 24.
    * Must contain at least one each of capital letters, lowercase letters, numbers, punctuation marks.
    * ********s expire every 45 calendar days.
    * No ******** may contain a substring that is a valid entry in the system's English lookup dictionary.
    * No ******** may contain any of an enumerated (but not publicly announced) list of prohibited substrings.
    * No ******** may repeat any character-position pair that was used in any of your 16 previous ********s.

    The dictionary lookup was very thorough. Too thorough. As a result, no ******** could contain (in either case) the letters A or I, since those were, of course, in the lookup dictionary. I rapidly concluded that vowels simply weren't worth my time. Although ********s were case sensitive (and had required mixed-case), the dictionary check was NOT -- so no thinking that "dUmB" was a valid substring.

    The secret substring blacklist wasn't any better. As far as I could ever determine, it included every alphabetically ordered three letter series, regardless of case (so no "FGH" or "PQR") and every three letter numerical series (no "123" or "789"). Also, sometimes, ********s would fail even if they should have been valid, so the blacklist clearly had some other nonsense on it.

    Probably already at Security by Post-It levels, the character-position non-reuse rule is what made it a likely violation of the Geneva Convention (with the 45 day expiration timer not helping at all). The story was that originally there was a standard "cannot repeat previous ********s" rule, but the security psychos realized people were just iterating a number at the end of their ********. They concluded that was a security risk, because ninja death hackers would be smart enough to conclude that any compromised ******** was part of a sequence and thus obtain the current ********, wreaking havoc and ending civilization. Their solution is just as horrid as it sounds. If you had a ******** with R as the second character, then for the next 16 ********s, the second character couldn't be R. Every character had to be novel, every time.

    The character-position system was also buggy. It was fine with ********s that were less than the maximum length ... sort of. If you always used a constant ******** length, you never saw the bug. But if you ever once created a ******** longer than your longest previous ********, that became your new minimum length, because the matching code was clearly a WTF all by itself.

    And finally, note that the system wouldn't tell you why a ******** request failed (after the 5-10 minute "testing ********" phase), just that it was invalid due to a "Rules Exception". Had you stumbled on some secret blacklisted character sequence? Had you accidentally repeated the 14th character of the ******** you used 9 months ago? Did you discover some Welsh-originated horror lurking in the lookup dictionary ("cwm", for example; it was a pretty good dictionary)? No way to know! Just pound on the keyboard like a monkey and try again!

    I'm having trouble understanding this. Why is everyone typing stars everywhere?
  • Resu 2011-04-29 08:14
    Your password must:
    • have at least 8 character(s)!
    <snip>
    • be at least 6 characters long,


    Lol, which is it? :)
  • Not of this Earth 2011-04-29 08:28
    derp:
    By knowing what to put or not put inside it is way easier to bruteforce. If i know the password should be 8 characters long and have at least 2 upper case letters it reduces the possibilities.

    This is how it should be:
    Digits, upper and lower case characters and special characters, not your username, not yout username backwards, not your or any other birthdate, at least 20 characters long


    Freedom to passwords! All are equal before the God, even 1-letter passwords!
  • hoodaticus 2011-04-29 08:32
    Resu:
    Your password must:
    • have at least 8 character(s)!
    <snip>
    • be at least 6 characters long,


    Lol, which is it? :)
    Maybe it's a typo, and your password has to be at least 8 bytes and no fewer than 6 UTF-8 characters.
  • frits 2011-04-29 08:45
    Sock Puppets R Us:
    frits:
    ÃÆâ€â„Â:
    BLs:
    two X chromosomes

    As if women didn't have enough to worry about

    FTFY

    For anyone who didn't know, we're having a 3-for-1 sale down here.


    Nice try, but neither of those are my sockpuppets. I usually don't use sockpuppets to talk to meself, just to make lame(r) jokes.

    It's actually flattering because those two guys were actually being funny and not stupid. Now if you accused me of being Nagesh...
  • drusi 2011-04-29 09:14
    June:
    Ken B.:
    boog:
    C-Octothorpe:
    hoodaticus:
    I've long promoted the notion that the secret to securing any system is to eliminate its users.

    BOFH?

    Do you have a lot of elevator and electrical "accidents" at your workplace?
    Safety incidents going through the roof would be a huge red flag. Better to just hire a really creepy guy that scares everyone into finding work elsewhere or early retirement.
    Same thing with getting rid of an apartment building full of bad tenants. (Which you just bought at a bargain price, due to said tenants.)

    Tenant "protection" laws make it very difficult / costly / time-consuming to evict them. So...

    Pay "creepy guy" to move into a vacant apartment. Let CG indulge his "hobbies", such as running up and down the hallway in the middle of the night wearing his ski boots, playing his "Hooked on Polka" CDs all day long, cooking with Nam Pla / Padaek, and so on. Tenants spontaneously decide to move elsewhere.

    Easy / inexpensive / efficient.


    How do you get 'creepy guy' to move out? Find someone more sinister, perhaps?

    You stop paying him.
  • Todd Lewis 2011-04-29 09:48
    JustAskin:
    Todd Lewis:
    No joke: below is the text from our password management page, which I readily admit that I maintain.

    Thinking up a new password can be hard. May we suggest one of the following:
    HAstjog<7 drY<4muCh sepgroW4} raP&9fEnD
    'TWitkIn6 $Moo3wrap 2#fociSEP

    * It can't be a password you've used in the last year.
    * It must be at least 8 characters long.
    * It must contain at least one letter and at least one digit.
    * It must contain at least one of these characters: !@#$%&*+={}?<>"'
    * It and your userid must share fewer than six (or length of your userid) consecutive common characters.
    * It must not:
    start with a hyphen,
    end with a backslash (\), or
    start or end with a space, or
    contain a double-quote (") anywhere except as the last character.

    Needless to say, I'm not always popular around work.


    It may make you unpopular, but *most* of those rules aren't all that unreasonable.

    Except the ones in bold. Why on earth are they in there? Would allowing those somehow break the code? That sounds like a WTF if true. Or do they just somehow cause a lot of support calls? (I can see where \ might, maybe do that, being so close to the enter key, but even that is a stretch.)


    When the policy was crafted, we wanted to come up with passwords that would work on various UNIX systems, Windows (of the time), Novell Netware, RACF, and a couple of others I can't think of at the moment. The weird ones ('"' at the end, '\' and '-'; your bold didn't come through, but I'm guessing these are the ones you meant) were problems with old Windows systems.

    We also expire them every 90 days.
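    Added worked example (editor's code, not Todd Lewis's or his organisation's) implementing the rule list quoted above as a validator that reports every rule a candidate breaks instead of a bare rejection. Assumptions: the userid comparison is case-insensitive, the "fewer than six (or length of your userid) consecutive common characters" rule is read as the longest common substring having to be shorter than min(6, len(userid)), and the one-year history rule is left out because it needs the stored password history. The userids and failing passwords in the `__main__` block are constructed; the passing ones are the page's own suggestions.

```python
# The special characters the quoted policy accepts, exactly as listed.
SPECIALS = '!@#$%&*+={}?<>"\''


def longest_common_substring(a, b):
    """Length of the longest run of characters present in both strings,
    by the usual dynamic-programming table kept one row at a time."""
    best = 0
    prev = [0] * (len(b) + 1)
    for ca in a:
        cur = [0] * (len(b) + 1)
        for j, cb in enumerate(b, 1):
            if ca == cb:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def check_password(password, userid):
    """Return the list of rules the password breaks (empty means OK)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("needs at least one letter and one digit")
    if not any(c in SPECIALS for c in password):
        problems.append("needs at least one of " + SPECIALS)
    # Assumption: the userid comparison is case-insensitive, and the shared
    # run must be shorter than six characters or than the userid itself.
    limit = min(6, len(userid))
    if userid and longest_common_substring(password.lower(), userid.lower()) >= limit:
        problems.append(f"shares {limit} or more consecutive characters with the userid")
    # The portability rules (old Windows command lines, per the reply above).
    if password.startswith("-"):
        problems.append("starts with a hyphen")
    if password.endswith("\\"):
        problems.append("ends with a backslash")
    if password[:1] == " " or password[-1:] == " ":
        problems.append("starts or ends with a space")
    if '"' in password[:-1]:
        problems.append('contains " before the last character')
    return problems


# The suggestions from the quoted page; all of them should pass.
SUGGESTED = ["HAstjog<7", "drY<4muCh", "sepgroW4}", "raP&9fEnD",
             "'TWitkIn6", "$Moo3wrap", "2#fociSEP"]

if __name__ == "__main__":
    cases = [(pw, "tlewis") for pw in SUGGESTED]
    cases += [("-Abc1234!", "tlewis"), ("password1!", "passwordman"),
              ('Ab"c1234!', "tlewis"), ("Abc1234!\\", "tlewis"), ("short1!", "tlewis")]
    for pw, uid in cases:
        print(f"{pw!r:14} ({uid}) -> {check_password(pw, uid) or 'OK'}")
```

    Returning the whole list of broken rules is the practical difference from the systems mocked elsewhere in the thread: the user learns which rule bit them, and a support desk can see whether it was the length, the userid overlap or one of the portability rules.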
  • NoAstronomer 2011-04-29 09:52
    Seth:
    I'd love to see the code that validates these rules.


    public boolean IsPasswordValid(String password)
    {
    return false;
    }

    How's that?



  • Matt 2011-04-29 09:52
    Old job changed the password requirement for SAP.

    Password had to have two lower case characters, two upper case characters, two special characters and two numbers.

    It's not a mistake that I've left "at least" out of there. Password had to be EXACTLY eight characters long, with that make up. Everyone's passwords became something like 33££EEee.
  • hoodaticus 2011-04-29 09:53
    boog:
    C-Octothorpe:
    hoodaticus:
    I've long promoted the notion that the secret to securing any system is to eliminate its users.

    BOFH?

    Do you have a lot of elevator and electrical "accidents" at your workplace?
    Safety incidents going through the roof would be a huge red flag. Better to just hire a really creepy guy that scares everyone into finding work elsewhere or early retirement.
    We already have Raunchy Fart Guy who drinks waaaaay too much protein shake, yet people continue working here. Maybe we should stop giving out free alcohol?
  • Jochem 2011-04-29 10:01
    Actually, that's the default Windows 2003/2008 password policy, pretty much. It means that your password must include exactly three out of the four types of characters mentioned.

    So it has to have (for example) upper- and lower case letters, and a number, but not also a punctuation mark.

    so abDE12,. doesn't qualify, but abcDE1 does... silly microsoft...
  • PedanticCurmudgeon 2011-04-29 10:02
    Mr Big:
    When it comes to passwords nothing is totally secure.
    Randomness does not necessarily make a password any more or less secure. (and a pedant will probably tell you that mashing the keyboard does not produce a random series of characters)
    Actually, a pedant will tell you that mashing the keyboard does not even produce a pseudo-random series of characters.
  • Duh 2011-04-29 10:30
    Gunslinger:
    Nagesh:
    My thought process tell me that this should be the OS maker's job.


    When you graduate from junior high, then you'll learn the truth young grasshopper.

    It's okay. He thinks that the contractors that built his home should take care of keeping the alarm and theft insurance up to date and that the car company that made his car should provide him with free Lo-Jack for life. Oh, wait, he lives in a shitty basement apartment with nothing worth stealing and rides a stolen bicycle.
  • Nagesh 2011-04-29 11:07
    Duh:
    Gunslinger:
    Nagesh:
    My thought process tell me that this should be the OS maker's job.


    When you graduate from junior high, then you'll learn the truth young grasshopper.

    It's okay. He thinks that the contractors that built his home should take care of keeping the alarm and theft insurance up to date and that the car company that made his car should provide him with free Lo-Jack for life. Oh, wait, he lives in a shitty basement apartment with nothing worth stealing and rides a stolen bicycle.


    madarchod,
    I have been driving a top motorcycle for the past two years. Take a look at the motorcycles made in India on Hero Honda's website.

    *akismet, moronic buffoon, this is not spam...
  • hoodaticus 2011-04-29 11:11
    I did a stint once as an AS/400 admin at a bank. I also did the offsite backups (big reels of tape. I'm 30 years old, so it's the bank that was antiquated, not me).

    I stored the offsite backups in a random bank vault at a random branch. Invariably, the combinations to the vault were always written on a post-it note or business card in the top desk drawer closest to the vault.

    And lest I forget, some of the branches' alarm systems were never completed by the security contractors, meaning they were never armed.
  • C-Octothorpe 2011-04-29 11:17
    hoodaticus:
    boog:
    C-Octothorpe:
    hoodaticus:
    I've long promoted the notion that the secret to securing any system is to eliminate its users.

    BOFH?

    Do you have a lot of elevator and electrical "accidents" at your workplace?
    Safety incidents going through the roof would be a huge red flag. Better to just hire a really creepy guy that scares everyone into finding work elsewhere or early retirement.
    We already have Raunchy Fart Guy who drinks waaaaay too much protein shake, yet people continue working here. Maybe we should stop giving out free alcohol?


    So boog does work with you!

    Yeah, I think at that point the only thing that'll get rid of Creepy Guy (TM) is to cut off any reason for him to stay there, and from the sound of it, it's the wobbly-pops.

    Or another thought I had is this: if you don't know who the real creepy guy at work is, it's you. But don't worry, there are a lot of perks to the role such as surfing porn (business as usual for a creepy office guy), you can FINALLY stop hiding the hand lotion in your desk, you never have to hold it in when you need to pass gas (you already covered that one), and you can tell people all about your interest in model train sets.
  • hoodaticus 2011-04-29 11:20
    C-Octothorpe:
    hoodaticus:
    boog:
    C-Octothorpe:
    hoodaticus:
    I've long promoted the notion that the secret to securing any system is to eliminate its users.

    BOFH?

    Do you have a lot of elevator and electrical "accidents" at your workplace?
    Safety incidents going through the roof would be a huge red flag. Better to just hire a really creepy guy that scares everyone into finding work elsewhere or early retirement.
    We already have Raunchy Fart Guy who drinks waaaaay too much protein shake, yet people continue working here. Maybe we should stop giving out free alcohol?


    So boog does work with you!

    Yeah, I think at that point the only thing that'll get rid of Creepy Guy (TM) is to cut off any reason for him to stay there, and from the sound of it, it's the wobbly-pops.

    Or another thought I had is this: if you don't know who the real creepy guy at work is, it's you. But don't worry, there are a lot of perks to the role such as surfing porn (business as usual for a creepy office guy), you can FINALLY stop hiding the hand lotion in your desk, you never have to hold it in when you need to pass gas (you already covered that one), and you can tell people all about your interest in model train sets.
    Everyone surfs porn here. I freely tell the owners of the company that surfing porn is required under IT department policy.
  • frits 2011-04-29 11:21
    C-Octothorpe:
    hoodaticus:
    boog:
    C-Octothorpe:
    hoodaticus:
    I've long promoted the notion that the secret to securing any system is to eliminate its users.

    BOFH?

    Do you have a lot of elevator and electrical "accidents" at your workplace?
    Safety incidents going through the roof would be a huge red flag. Better to just hire a really creepy guy that scares everyone into finding work elsewhere or early retirement.
    We already have Raunchy Fart Guy who drinks waaaaay too much protein shake, yet people continue working here. Maybe we should stop giving out free alcohol?


    So boog does work with you!

    Yeah, I think at that point the only thing that'll get rid of Creepy Guy (TM) is to cut off any reason for him to stay there, and from the sound of it, it's the wobbly-pops.

    Or another thought I had is this: if you don't know who the real creepy guy at work is, it's you. But don't worry, there are a lot of perks to the role such as surfing porn (business as usual for a creepy office guy), you can FINALLY stop hiding the hand lotion in your desk, you never have to hold it in when you need to pass gas (you already covered that one), and you can tell people all about your interest in model train sets.


    Does it hurt or help to do an hour of Muay Thai training on the heavy bag a couple days a week at the company gym?
  • frits 2011-04-29 11:22
    hoodaticus:
    C-Octothorpe:
    hoodaticus:
    boog:
    C-Octothorpe:
    hoodaticus:
    I've long promoted the notion that the secret to securing any system is to eliminate its users.

    BOFH?

    Do you have a lot of elevator and electrical "accidents" at your workplace?
    Safety incidents going through the roof would be a huge red flag. Better to just hire a really creepy guy that scares everyone into finding work elsewhere or early retirement.
    We already have Raunchy Fart Guy who drinks waaaaay too much protein shake, yet people continue working here. Maybe we should stop giving out free alcohol?


    So boog does work with you!

    Yeah, I think at that point the only thing that'll get rid of Creepy Guy (TM) is to cut off any reason for him to stay there, and from the sound of it, it's the wobbly-pops.

    Or another thought I had is this: if you don't know who the real creepy guy at work is, it's you. But don't worry, there are a lot of perks to the role such as surfing porn (business as usual for a creepy office guy), you can FINALLY stop hiding the hand lotion in your desk, you never have to hold it in when you need to pass gas (you already covered that one), and you can tell people all about your interest in model train sets.
    Everyone surfs porn here. I freely tell the owners of the company that surfing porn is required under IT department policy.

    How else would you verify that the site-blocker is effective?
  • C-Octothorpe 2011-04-29 11:29
    frits:
    C-Octothorpe:
    hoodaticus:
    boog:
    C-Octothorpe:
    hoodaticus:
    I've long promoted the notion that the secret to securing any system is to eliminate its users.

    BOFH?

    Do you have a lot of elevator and electrical "accidents" at your workplace?
    Safety incidents going through the roof would be a huge red flag. Better to just hire a really creepy guy that scares everyone into finding work elsewhere or early retirement.
    We already have Raunchy Fart Guy who drinks waaaaay too much protein shake, yet people continue working here. Maybe we should stop giving out free alcohol?


    So boog does work with you!

    Yeah, I think at that point the only thing that'll get rid of Creepy Guy (TM) is to cut off any reason for him to stay there, and from the sound of it, it's the wobbly-pops.

    Or another thought I had is this: if you don't know who the real creepy guy at work is, it's you. But don't worry, there are a lot of perks to the role such as surfing porn (business as usual for a creepy office guy), you can FINALLY stop hiding the hand lotion in your desk, you never have to hold it in when you need to pass gas (you already covered that one), and you can tell people all about your interest in model train sets.


    Does it hurt or help to do an hour of Muay Thai training on the heavy bag a couple days a week at the company gym?


    Are you asking or bragging?

    I would say it's fine, unless you have a "special" outfit you wear that, when seen from behind, makes you look like someone hog-tied a goat. And as long as you don't make fight sounds like "thwack", "bam", "zwap", etc, you're alright...
  • Satanicpuppy 2011-04-29 11:41
    I was at a place like this once, and we ran a collision test against the hashed password file on the plaintext password: ABCabc,123 and got nearly 4000 hits on a system with only 80,000 registered accounts. Ooops.

    Putting aside the whole "ZOMG how complicated!" what they don't understand is how constrained they've made the possible passwords. We know it must be between 8 and 12 characters long, for example, so the entire domain of 1-7, and 13-> character passwords is gone. Don't even need to check them. No dictionary words, so we can skip anything that contains a stupid string like "is", for example. Can't have three occurrences of the same character!!!! HAHAHA! That strips out an ungodly HUGE number of combinations. A secure password like "Ar9Bv4A.frA" would be rejected because it's "too easy" because it has 3 A's. Hah.

    So stupid.
  • frits 2011-04-29 11:43
    C-Octothorpe:
    frits:
    C-Octothorpe:
    hoodaticus:
    boog:
    C-Octothorpe:
    hoodaticus:
    I've long promoted the notion that the secret to securing any system is to eliminate its users.

    BOFH?

    Do you have a lot of elevator and electrical "accidents" at your workplace?
    Safety incidents going through the roof would be a huge red flag. Better to just hire a really creepy guy that scares everyone into finding work elsewhere or early retirement.
    We already have Raunchy Fart Guy who drinks waaaaay too much protein shake, yet people continue working here. Maybe we should stop giving out free alcohol?


    So boog does work with you!

    Yeah, I think at that point the only thing that'll get rid of Creepy Guy (TM) is to cut off any reason for him to stay there, and from the sound of it, it's the wobbly-pops.

    Or another thought I had is this: if you don't know who the real creepy guy at work is, it's you. But don't worry, there are a lot of perks to the role such as surfing porn (business as usual for a creepy office guy), you can FINALLY stop hiding the hand lotion in your desk, you never have to hold it in when you need to pass gas (you already covered that one), and you can tell people all about your interest in model train sets.


    Does it hurt or help to do an hour of Muay Thai training on the heavy bag a couple days a week at the company gym?


    Are you asking or bragging?

    I would say it's fine, unless you have a "special" outfit you wear that, when seen from behind, makes you look like someone hog-tied a goat. And as long as you don't make fight sounds like "thwack", "bam", "zwap", etc, you're alright...


    I guess I was bragging a little. BTW- As engineers and/or IT folks, aren't we all "the creepy guy"?
  • Mr. Keith 2011-04-29 12:01
    Sten:
    My user name is “abcdefghijklmnopqrstuvwxyz”. I’m so screwed!


    It appears your username is "Sten", so you're OK.
  • C-Octothorpe 2011-04-29 12:16
    frits:
    I guess I was bragging a little. BTW- As engineers and/or IT folks, aren't we all "the creepy guy"?


    I think this is a chicken/egg question...

    Does the IT industry create creepy guys (long hours, death march projects, radiation from monitors slowly cooking our brains, etc.) or are there a lot of creepy guys attracted to IT related roles?

    I'd say the latter because anybody "normal" that I met in the IT industry usually gives it up and goes into marketing/sales/management after failing horribly.
  • boog 2011-04-29 12:25
    C-Octothorpe:
    hoodaticus:
    We already have Raunchy Fart Guy who drinks waaaaay too much protein shake, yet people continue working here. Maybe we should stop giving out free alcohol?

    So boog does work with you!

    If I get free alcohol? Sure, I can be Raunchy Fart Guy.
  • boog 2011-04-29 12:34
    frits:
    C-Octothorpe:
    ...if you don't know who the real creepy guy at work is, it's you. But don't worry, there are a lot of perks to the role such as surfing porn (business as usual for a creepy office guy), you can FINALLY stop hiding the hand lotion in your desk, you never have to hold it in when you need to pass gas (you already covered that one), and you can tell people all about your interest in model train sets.


    Does it hurt or help to do an hour of Muay Thai training on the heavy bag a couple days a week at the company gym?
    It depends on how frequently and how intensely you tell your co-workers about it. Then again, that's probably true for just about any activity.
  • boog 2011-04-29 12:45
    frits:
    As engineers and/or IT folks, aren't we all "the creepy guy"?
    Absolutely. See my previous comment explaining why.
  • Alex268 2011-04-29 13:22
    I wouldn't have to write it down on a post-it as
    Qwerty123
    works just fine.

  • socknet 2011-04-29 13:34
    Jimmy:

    Uh oh, 'a', 'A', 'I' and 'O' can't be used in a password. Assuming they do their dictionary check case-insensitive (that is, that something like caPSiCum would still match as a dictionary word), this excludes 'i' and 'o' as well...


    Thanks for teaching us what case insensitive means. We will all be better programmers for it.

    Could you do a course on Hungarian notation next?
  • trtrwtf 2011-04-29 14:10
    frits:
    How else would you verify that the site-blocker is effective?


    And someone's got to go out and find the sites that need to be blocked. That's research, buddy.
  • Chad 2011-04-29 15:13
    Even better, looking at the restricted characters makes me think that SQL injection shall grant me access... at least until I replace all of their content with pictures of puppies.
  • Frank Wales 2011-04-29 16:21
    They forgot:

    * must have a prime MD5 hash !
  • carrot ? 2011-04-29 16:41
    Can it contain carat(^), carrot(^), or caret(^) or neither of? And what if I give you one (captcha:) dolor ?
  • jbrains 2011-04-29 18:15
    It'll just be a lookup table, so no big deal.
  • some dude 2011-04-29 18:18
    Bill:
    When I was working on a project for a major government agency we were in a meeting with the client when she needed her latest password (they had very stringent password rules), she pulled up her calendar, navigated to a certain date and pulled out her password.

    I was floored. She has this password stored in a public calendar (at least within her organization) and in plain text.

    This is the problem with creating really stringent password rules: people can't remember them and write them down in tremendously insecure ways.

    Rule of security vs. usability

    secure <------------------------------------------> usable

    You can't have both: the more secure you get, the less usable it gets, and the more usable you get (think Microsoft adding scripting to email), the less secure it gets.

    My password is "IthinKthatbilLsmellSlikEguacamolEanD2sweatYgorillAscroteS"

    It's quite easy to remember. How long would that take to crack?

    And Facebook's "who is this person?" authentication is pretty tight and doesn't match your rule either. Nor do "draw your login photo here" schemes. Etc.

    That rule only works when you limit yourself to outdated username/password schemes.
  • some dude 2011-04-29 18:22
    trtrwtf:
    Speaking of such things, is there any real reason to suppose that changing passwords every N days increases security?

    The original idea was that if it takes three months to crack a password, then if you change your password every three months then the cracker will never have a valid login. I'm surprised at how many people don't know this.
  • Andrew 2011-04-30 00:47
    Excellent!

    Now if I need to brute force the login screen, I have a list of criteria I can follow to reduce the amount of passwords I need to try.
  • dfcowell 2011-04-30 05:53
    On the plus side, I can have a password ending in "!" for extra excitement!
  • lawyer 2011-04-30 06:46
    Well its great post...


    http://lawyer.laws.com/
  • Torre Lasley 2011-04-30 16:03
    It's mandatory to change your password every month, so this exercise is a frequent event :-(
  • Gibbon1 2011-04-30 19:13
    Anne:
    Worse than that, all these rules actually make the passwords less secure.

    One of the rules I don't ever get is why you would restrict a password in length. A minimum number of characters I understand, but a maximum? Where's the reasoning behind that?

    The same goes for "leading character must be a letter"? Why can't it be a number? Why are characters forbidden? You're actually reducing the number of possible passwords here.


    Can't be more than 12 characters because they are using a fixed length field in the password database to store them.

    If the password has a leading digit then the perl script used to validate passwords treats it as a number.

    My take on writing passwords on post-it notes is that there is nothing wrong with it as long as you don't write down the whole password. So if your password is H6eczlom;fr_doobiE, then writing down rf;H6eczlom on a post-it note isn't likely to be helpful to someone who is casually snooping.
  • allo 2011-05-01 15:40
    Once you've created it, it's not that complicated, because it is between 8 and 12 chars. Only creating one is hard.
  • derp 2011-05-02 04:47
    Well if god is ok with it, then I am too ... I guess
  • M 2011-05-02 05:38
    socknet:
    Spivonious:
    trtrwtf:
    Spivonious:
    My company doesn't let you use any of the last five passwords. So I have a post-it in my drawer that has the last five passwords on it. I figure if the janitor has access to my desk, he deserves access to my PC.


    FTFY


    Our room is locked-down so the janitor doesn't steal computers. The only people allowed in are in my department.


    Who vacuums?


    Their system sucks :)
  • Maurizio 2011-05-02 09:05
    For encouraging migration to a fully post-it based solution, add also the mandatory change of the password every three months.

    A useful piece of information: if you know more than one (human) language,
    try dictionary words from your secondary language; it may work (it does here :).

    Maurizio
  • DWalker59 2011-05-02 14:21
    some dude:
    trtrwtf:
    Speaking of such things, is there any real reason to suppose that changing passwords every N days increases security?

    The original idea was that if it takes three months to crack a password, then if you change your password every three months then the cracker will never have a valid login. I'm surprised at how many people don't know this.


    Are you kidding? Your chosen password AND a test password chosen in the cracker's next thousand attempts (or the next attempt) can be the same.

    Taking "three months to crack a password" means ON AVERAGE, not all of the time. A cracker could (with a small probability) guess your password on the first try, no matter how complex your password is.

    Think about moving your passwords around in password-space while a cracker is also moving his attempts around in the same password-space: You could happen to move your password to the same place that the cracker is about to try.

    That is not really more secure than leaving your password in the same place while the cracker is moving his attempts around in the same space.

    IF the space is large enough, that is.
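DWalker59's argument above can be written down as two small probability models. The block below is an added example, not code from the page or from any commenter. It assumes (as a modelling choice) that the password is drawn uniformly from a space of S equally likely values and that each rotation draws a fresh uniform value independent of whatever the attacker has already tried; `N` is the number of online guesses the attacker gets and `R` the rotation period measured in guesses.

```python
"""Does changing a password every R guesses lower the chance that an online
guesser succeeds within N guesses?  Added example for DWalker59's argument
above; it is not code from the page.  Model (an assumption): the password is
drawn uniformly from a space of S equally likely values, and every rotation
draws a fresh uniform value independent of what the attacker has already tried.
"""


def p_random_guesser(n_guesses: int, space: int) -> float:
    """Attacker draws each guess uniformly with replacement.  Every guess hits
    the *current* password with probability 1/S whether or not it has rotated
    since the last guess, so rotation changes nothing in this model."""
    return 1 - (1 - 1 / space) ** n_guesses


def p_sequential_fixed(n_guesses: int, space: int) -> float:
    """Exhaustive sweep against a password that never changes: N distinct
    guesses cover N/S of the space (capped at 1)."""
    return min(n_guesses / space, 1.0)


def p_sequential_rotated(n_guesses: int, space: int, period: int) -> float:
    """Exhaustive sweep against a password re-drawn every `period` guesses.
    Within one period the distinct guesses cover period/S of the space; the
    periods are independent, so the miss probabilities multiply."""
    full_periods, remainder = divmod(n_guesses, period)
    p_miss = (1 - period / space) ** full_periods * (1 - remainder / space)
    return 1 - p_miss


def rotation_benefit(n_guesses: int, space: int, period: int) -> float:
    """How much rotation lowers the attacker's success probability against a
    sequential sweep.  By Bernoulli's inequality this is never negative, and
    it is of order (N/S)**2, i.e. negligible whenever N/S is small: that is
    the 'IF the space is large enough' condition in the comment."""
    return p_sequential_fixed(n_guesses, space) - p_sequential_rotated(
        n_guesses, space, period
    )


if __name__ == "__main__":
    S = 62 ** 8          # 8 alphanumeric characters drawn uniformly
    N = 1_000_000        # online guesses the attacker gets in total
    R = 10_000           # rotate after every 10,000 guesses
    print(f"random guesser:     {p_random_guesser(N, S):.3e}")
    print(f"sweep, fixed pw:    {p_sequential_fixed(N, S):.3e}")
    print(f"sweep, rotated pw:  {p_sequential_rotated(N, S, R):.3e}")
    print(f"benefit of rotation {rotation_benefit(N, S, R):.3e}")
```

Against a random guesser rotation buys nothing at all; against a sequential sweep it buys a second-order term, which is DWalker59's point. The model says nothing about the case the comment does not cover either: a password that was already compromised, where rotation ends the attacker's access regardless of the space size.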
  • -doug 2011-05-02 14:34
    Does anybody know what "conatain" means? Normally, I would assume it was a typo, but in a list like this...
  • Pecos Bill 2011-05-02 20:26
    Serpentes:
    I once worked at a company whose password policy, as best I remember it, was:

    * Minimum 10 characters, maximum 24.
    * Must contain at least one each of capital letters, lowercase letters, numbers, punctuation marks.
    * Passwords expire every 45 calendar days.
    * No password may contain a substring that is a valid entry in the system's English lookup dictionary.
    * No password may contain any of an enumerated (but not publicly announced) list of prohibited substrings.
    * No password may repeat any character-position pair that was used in any of your 16 previous passwords
    ....
    And finally, note that the system wouldn't tell you why a password request failed (after the 5-10 minute "testing password" phase), just that it was invalid due to a "Rules Exception". Had you stumbled on some secret blacklisted character sequence? Had you accidentally repeated the 14th character of the password you used 9 months ago? Did you discover some Welsh-originated horror lurking in the lookup dictionary ("cwm", for example; it was a pretty good dictionary)? No way to know! Just pound on the keyboard like a monkey and try again!


    Oh the horror! The agony. Did they have a special accounting "center" to track all the time spent guessing what password would work? How utterly vile.
  • Ditto 2011-05-03 10:01
    Please, please please .. post the code that enforces this ... I want to see it!! :o
    I think that would be worth the laugh ...
  • Pecos Bill 2011-05-03 16:33
    -doug:
    Does anybody know what "conatain" means? Normally, I would assume it was a typo, but in a list like this...


    This ought to define it plainly: It's here (then click the link to fix the autocorrect).

    HTH
  • frits 2011-05-03 16:49
    Pecos Bill:
    -doug:
    Does anybody know what "conatain" means? Normally, I would assume it was a typo, but in a list like this...


    This ought to define it plainly: It's here (then click the link to fix the autocorrect).

    HTH


    It doesn't.
  • anonanon 2011-05-04 11:17
    This reminds me of one I ran into the other day. I forget what the site was...but they wanted me to generate a 4-digit "PIN" for security. So I picked a number and entered it. Rejected. Picked another. Reject. Huh? It's a 4 digit number between 0000 and 9999, how many rules could there be?

    Then I found the "rules"...no consecutive digits, no duplicate digits, can't start with 0, can't use the same digit more than once, blaa blaa blaa... So I sat down and did the math...from 10,000 possible combinations (not terribly secure to begin with), their rules took the possible valid choices down to something like 3000. Not to mention the amount of time you had to spend just trying to think of a number that met all the rules...

    I guess they were afraid a hacker might tie up the system too long trying to crack your pin, so they improved efficiency by cutting the possibilities down by about 2/3.
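Satanicpuppy's point further up (every added rule shrinks the space a guesser has to cover) and anonanon's PIN arithmetic can both be checked directly. The block below is an added example, not code from the page or from either site being discussed. The rule wording it encodes is a literal reading of the comments and therefore an assumption: for the PIN, no leading zero, no digit used twice and no adjacent pair of consecutive digits; for the password, no character occurring more than twice. The 62-symbol alphabet (letters and digits) used for the 8-12 character band is likewise an assumption, and the other rules in the policy (no dictionary words, no special characters) are not modelled.

```python
"""Measure how much of a credential keyspace a 'complexity' policy throws away.

Added example for the thread above; not code from the page.  Two policies:
  * the 4-digit PIN rules (small enough to enumerate exhaustively);
  * the 'no character may appear three times' rule from the original policy,
    counted with a closed formula so 8-12 character passwords stay tractable.
The exact wording of both rule sets is our own constructed reading.
"""
from collections import Counter
from itertools import product
from math import comb, factorial, log2

DIGITS = "0123456789"


def pin_allowed(pin: str) -> bool:
    """Literal reading (an assumption) of the PIN rules in the comment: no
    leading 0, no digit used twice, and no adjacent digits that are
    consecutive in either direction ('34' and '43' are both rejected)."""
    if pin[0] == "0":
        return False
    if len(set(pin)) != len(pin):
        return False
    return all(abs(int(a) - int(b)) != 1 for a, b in zip(pin, pin[1:]))


def count_pins(rule=pin_allowed, length: int = 4) -> int:
    """Number of PINs of the given length that `rule` accepts (exhaustive)."""
    return sum(1 for t in product(DIGITS, repeat=length) if rule("".join(t)))


def max_char_count(password: str) -> int:
    """Highest number of times any single character occurs in the password."""
    return max(Counter(password).values())


def count_at_most_two(length: int, alphabet_size: int) -> int:
    """Exact number of strings of `length` over `alphabet_size` symbols in
    which no symbol appears more than twice.  Sum over a = symbols used twice
    and b = symbols used once (2a + b = length):
        C(k, a) * C(k - a, b) * length! / 2**a
    Choose the doubled symbols, then the single ones, then arrange all the
    positions; 2**a removes the indistinguishable swaps inside each pair."""
    k, n = alphabet_size, length
    total = 0
    for a in range(0, n // 2 + 1):
        b = n - 2 * a
        if a + b > k:
            continue
        total += comb(k, a) * comb(k - a, b) * factorial(n) // (2 ** a)
    return total


def repeat_rule_cost(min_len: int, max_len: int, alphabet_size: int) -> dict:
    """Compare the full keyspace of the length band with what survives the
    'no character three times' rule, as counts, bits, and fraction removed."""
    lengths = range(min_len, max_len + 1)
    full = sum(alphabet_size ** n for n in lengths)
    kept = sum(count_at_most_two(n, alphabet_size) for n in lengths)
    return {
        "full": full,
        "kept": kept,
        "bits_full": log2(full),
        "bits_kept": log2(kept),
        "fraction_removed": 1 - kept / full,
    }


if __name__ == "__main__":
    print("4-digit PINs surviving all rules:", count_pins(), "of", count_pins(lambda p: True))
    print("Ar9Bv4A.frA: most frequent character occurs", max_char_count("Ar9Bv4A.frA"), "times")
    cost = repeat_rule_cost(8, 12, 62)
    print(f"8-12 chars over 62 symbols: {cost['bits_full']:.2f} bits -> "
          f"{cost['bits_kept']:.2f} bits, {cost['fraction_removed']:.1%} removed")
```

Under this reading the PIN rules leave 2192 of the 10000 four-digit values, so a guesser who knows the rules has under a quarter of the space to cover. The repeat rule alone costs far less in bits for long passwords over a large alphabet than the PIN rules do for a 4-digit space, which is the general lesson: a rule that forbids a pattern buys nothing against an attacker who also knows the rule, and costs most where the space was small to begin with.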
  • xyourfacekillerx 2011-05-04 13:18
    Mark:
    Anon:
    • be at least 6 characters long, contain 3/4 of uppercase,
    lowercase, digits and punctuation marks, and may not
    contain your user name or any part of your full name.


    First I read this as my password must be three quarters uppercase, three quarters lowercase, three quarters digits and three quarters punctuation (that's 12 quarters for those keeping count)

    Then I realized it must mean contains 3 or 4 uppercase, 3 or 4 lowercase, 3 or 4 digits and 3 or 4 punctuation. Of course to follow that rule, your password must be at least 12 characters, so the "must be at least 6 characters" is redundant. Also the punctuation part is difficult when they've already explicitly forbidden several marks.



    Or, more likely, they mean you must use at least 3 of the 4 character classes (uppercase, lowercase, digits, punctuation)


    It's amusing watching that ambiguous specification being clarified over and over here in different ways. My take was that, since the spec described first the length and then the kind of characters, the 3/4 quantified the number of characters (six characters OF WHICH 3/4 must be characters OF THIS KIND).

    But, yea, the spec is ambiguous, so its meaning can't be known for certain, without either knowing the implementation of the password validation, or without throwing test cases consistent with each interpretation of the spec. The latter won't be too much help, though, because I can already see our respective interpretations aren't necessarily mutually exclusive: meaning it could be my rule AND your rule AND the other rules... what a nightmare that would be!
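The readings of the "3/4" rule proposed in this thread can be written down as separate predicates and run over the strings Jochem used as examples. The block below is an added example; it is not the original site's validator and not code from any commenter, and it assumes ASCII character classes (letters, digits and `string.punctuation`) plus the six-character minimum from the rule text.

```python
"""The 'contain 3/4 of uppercase, lowercase, digits and punctuation marks'
rule under each reading proposed in this thread, run over the example
passwords quoted above.  Added example; it is not the original site's
validator and not code from any commenter.  Character classes are assumed
to be ASCII letters, digits and string.punctuation.
"""
import string

CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "punct": set(string.punctuation),
}
MIN_LEN = 6


def class_counts(pw: str) -> dict:
    """How many characters of pw fall into each of the four classes."""
    return {name: sum(ch in chars for ch in pw) for name, chars in CLASSES.items()}


def classes_present(pw: str) -> int:
    return sum(1 for n in class_counts(pw).values() if n > 0)


# Reading 1 (Jochem): exactly three of the four classes must appear.
def exactly_three_classes(pw: str) -> bool:
    return classes_present(pw) == 3


# Reading 2 (Mark): at least three of the four classes must appear.
def at_least_three_classes(pw: str) -> bool:
    return classes_present(pw) >= 3


# Reading 3 (Anon's second guess): 3 or 4 characters from *each* class.
def three_or_four_of_each(pw: str) -> bool:
    return all(3 <= n <= 4 for n in class_counts(pw).values())


# Reading 4 (Anon's first guess): three quarters of the characters in each
# class.  The classes are disjoint, so no non-empty password can satisfy it.
def three_quarters_of_each(pw: str) -> bool:
    return len(pw) > 0 and all(n >= 0.75 * len(pw) for n in class_counts(pw).values())


READINGS = {
    "exactly 3 of 4 classes": exactly_three_classes,
    "at least 3 of 4 classes": at_least_three_classes,
    "3-4 chars of each class": three_or_four_of_each,
    "3/4 of chars in each class": three_quarters_of_each,
}


def evaluate(pw: str) -> dict:
    """Verdict under every reading, with the minimum-length rule applied too."""
    long_enough = len(pw) >= MIN_LEN
    return {name: long_enough and rule(pw) for name, rule in READINGS.items()}


if __name__ == "__main__":
    # Both strings are the ones Jochem used above.
    for candidate in ("abDE12,.", "abcDE1"):
        print(candidate, evaluate(candidate))
```

Run on the two strings from Jochem's post, "abDE12,." passes only the "at least three" reading and "abcDE1" passes both class-count readings, while reading 4 rejects everything. That is the practical consequence of xyourfacekillerx's point: a user cannot tell from a rejection which predicate the server actually implements.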
  • GsT 2011-05-04 19:09
    When password requirements are this stringent, brute-force attacks can be highly successful just by trying keyboard patterns, which is what people end up resorting to. (e.g. all 8-character strings of horizontally adjacent keys, etc.)
  • Uplink 2011-05-05 11:03
    Steps to generate password:

    1. Pick a dictionary
    2. Pick a word from the dictionary. The word must be at least 6 letters long.
    3. Think of your two- or three-digit lucky number.
    4. Split dictionary word in the middle.
    5. Put lucky number in the middle of word.
    6. Capitalize the first letter of the word.
    7. Congratulations, you now have a compliant password.

    Actually, you may only have an easy-to-remember but hard-to-guess-and-attack password, but you'll fail the "not have 3 occurrences of the same character" because of how frequent the letter "e" is in English. Add an extra e at the end if you have three "e"-s in the word, to make it 4, which is compliant.

    Use this: http://watchout4snakes.com/CreativityTools/RandomWord/RandomWordPlus.aspx

    Example:
    Word = Clergy
    Lucky number = 42
    New password: Cler42gy

    If this is your password, you may want to change it now :P
  • Dal90 2011-05-07 21:39
    Obsolete rules, mostly.

    First you had folks who don't / didn't hash passwords...so they had field length limitations where to store them.

    Second you had poorly designed hashes. Old Windows NT LAN MAN (w00t! NetBEUI everywhere!) had a weakness in that it used 14-character passwords -- if you typed more than 14, it was simply ignored. Moreover, it divided the 14 into two sets of 7 characters.

    If you had a 7 character password, it just added a pad of 7 more to make 14.

    The key weakness being this: if you had a 10-character password, it was like having 7 + 3 character passwords. Hackers would attack the second 3-character part first, and once they decoded characters in that, those same ones would be decoded in the first part. So in a simple example ABCABCABCA, if you decoded the last three "BCA" portion, you had all you needed to know the first part was ABCABCA.

    So an 8-character password was theoretically more vulnerable to hacking than 7; and indeed anything between 8 and 13 characters was considered weaker than 7 or 14.
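The independent-halves structure Dal90 describes is what makes a 14-character cap an obsolete rule rather than a harmless one, and it can be shown without any DES code. The block below is an added example, not code from the page. Real LM DES-encrypts a fixed constant under each 7-byte half; here SHA-256 of the half stands in for that step (an assumption made so the example runs on the standard library alone), because the weakness lies in the split and the padding, not in the primitive. The uppercasing and the silent truncation at 14 characters are real LM behaviour.

```python
"""Why a 14-character cap with two independently hashed 7-character halves
makes 8-13 character passwords weaker than a 7-character one.  Added example
for Dal90's comment above; it is not code from the page.  Real LM DES-encrypts
a fixed constant under each 7-byte half; SHA-256 of the half stands in here
(an assumption so the example runs on the standard library alone), because
the weakness lies in the split, not in the primitive.
"""
import hashlib

HALF = 7
MAX_LEN = 2 * HALF


def lm_style_halves(password: str):
    """Uppercase, keep at most 14 bytes, NUL-pad to 14, split into two 7-byte
    halves.  Uppercasing and silent truncation at 14 are real LM behaviour."""
    raw = password.upper().encode("ascii", "replace")[:MAX_LEN]
    raw = raw.ljust(MAX_LEN, b"\0")
    return raw[:HALF], raw[HALF:]


def lm_style_hash(password: str):
    """Two digests computed independently, one per half: nothing ties them
    together, so each half can be searched and confirmed on its own."""
    return tuple(hashlib.sha256(half).hexdigest() for half in lm_style_halves(password))


# A password of 7 characters or fewer leaves the second half as pure padding,
# which hashes to this constant and so announces the short length outright.
PAD_HALF_DIGEST = hashlib.sha256(b"\0" * HALF).hexdigest()


def unknown_chars_per_half(password_len: int):
    """How many genuinely unknown characters each half holds."""
    n = min(password_len, MAX_LEN)
    return min(n, HALF), max(0, n - HALF)


def guesses_to_exhaust(password_len: int, alphabet_size: int) -> dict:
    """Worst-case guess counts: one search over the whole string versus two
    independent searches that each stop when their own half is recovered.
    A second half that is all padding costs one comparison against
    PAD_HALF_DIGEST, i.e. effectively nothing."""
    n = min(password_len, MAX_LEN)
    first, second = unknown_chars_per_half(n)
    split = alphabet_size ** first + (alphabet_size ** second if second else 0)
    return {"whole": alphabet_size ** n, "split": split}


if __name__ == "__main__":
    # Dal90's 10-character example: the second half is 3 characters plus padding.
    print("halves of ABCABCABCA:", lm_style_halves("ABCABCABCA"))
    for n in (7, 8, 10, 14):
        print(f"{n:2d} chars:", guesses_to_exhaust(n, 36))
```

The `split` figure is what the independent halves reduce the work to: for a 10-character password over 36 symbols it is 36^7 + 36^3 rather than 36^10, and an 8-character password adds only 36 guesses over a 7-character one. The defensive reading of Dal90's comment follows directly: a length cap inherited from a split-half hash, or from a fixed-width unhashed column, should be removed together with the storage scheme that required it.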
  • Dok Jones 2011-06-07 21:20
    I'm also not sure how to tell whether my password "conatains" the specified characters. "Contains", I understand -- those characters shouldn't be in my password... but how do those "conatained" characters pertain to my password?
  • Todd Eddy 2011-07-07 16:38
    So if I understand that right (the last one confuses me a bit) the password "Abcdefg1" (that's a one at the end) would be perfectly valid
  • nodog 2011-09-17 11:20
    provided that the screen is completely covered with (unremovable) post-its security may be acceptable...