- Feature Articles
- CodeSOD
- Error'd
-
Forums
-
Other Articles
- Random Article
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
whew just in time too. This post makes me want to watch Futurama.
Admin
I wish my passwords didn't expire for 50 billion eons...
Admin
How can I go about getting password at work that don't expire for that long? Ya know its a hassle to have to change them every 90 days, at least there you change them once every couple centuries or so.
Admin
Use the Calc contest winner, to work out the answer!!
Admin
Is my math completely WTF'd, or is that a few thousand eons over 50.5 quadrillion years?
Admin
For the record, that's about 5.05 E+16 years. For reference purposes, the current age of the universe is estimated at roughly 2.0 E+10 years.
Admin
Twofer Thursday? That's a WTF.
/ Firefox's spell checker actually recognizes "twofer" as a real word.
Admin
Wow ... so much time !!! the user must be godlike at least ..
Admin
Not according the Kansas Board of Education; they say its only around 10,000 years old.
Admin
For anyone who can't be bothered to check, 18446744073709551541 works out as -75 signed.
Admin
Either eons in the future, or -181 days ...
Admin
Ta.
Admin
90 days???? you should be thankful, we must change our passwords every month. and we can't use any of the last 24 passwords typed before.
Admin
The real WTF is that this discount application is probably not 'Year 3000 safe"... ;-)
Admin
Admin
Admin
It only says it will expire within B days. If it expired tomorrow, that would be within B days. So they should change the error to "the password will expire in the future".
Admin
Admin
W.t.f. is "New Every Two Pricing"?
Admin
I like how it's "Copyright (C) 1982, 2005, Oracle." as opposed to "Copyright (C) 1982 - 2005, Oracle." As if they coded it in 82 and decided to dust it off in 05 for kicks.
Admin
It's a Verizon policy. Every 2 years (when you're contract is up) they graciously offer a discount on a new phone (which happens to come with a new 2 year contract!). Isn't that nice of them?
Admin
Admin
Maybe the word "Copyright" is copyrighted...?
Mark B! Don't post your passwords on the net! =P
Admin
Oh YEAH? When I was a kid, our passwords expired on the first use, and our password requirements were a 64-bit non-ASCII string!
Admin
Yeah well when I was a kid we not only had that, but we also had to type them in reverse, while blindfolded!
You young guys have it easy.
Admin
You had passwords? We had to hire a guard with a handgun to stand by the terminal.
-Harrow.
Admin
A handgun?! All we had was harsh language!
Admin
Grog have stick. Grog bash head.
Admin
Yeah, I wonder if the guy behind the "must change password every XXX days" policy every thought about unintended consequences... like the policy resulting in less security due to everyone not being able to actually remember their damn password!
I've had secure passwords, but when forced to change them, even after 90 days, I use less secure ones but at least I can remember them.
(I believe studies have shown the average person can remember a password within a couple of weeks, no matter the complexity if they're forced to enter it several times a day. So why not give them some long secure password, have them write it down for a couple of weeks, then let them be?)
Admin
Well, (C) is not a copyright symbol. The sequence '(', 'C', ')' does not really mean anything but capital c in parens. Of course, by international copyright law which is signed by most countries everything people make is implicitly copyrighted. The older version of the law that was signed by a good number of other countries too required either the word 'Copyright' or the copyright symbol. Which is not (C) but that little c-in-a-ring.
At least so I've been told. Who knows, perhaps they lied.
Admin
Sadly, the password-overwatcher thingla where I work is too smart for that. Every 90 days it requires a new password with:
* ...8 or more characters
* ...at least one non-alphanumeric symbol
* ...no strings of identical characters 3 or more characters long (banshee!, but not bansheee!)
* ... no 4 or more character correspondence with any prior 100 passwords (no p@largh!, o#largh@)
* ...no exact match or 4 or more character correspondence to the user name or description or full name (so, Jon Smith can't use !@#$jon23 and Marcus Welby can't use d4xr!Marc)
So, you just have to be a little more creative. I am also lazy, and hate having to think about typing my password, and want to be able to type it very quickly.
So, I use a pattern that generates unique-enough 9-character passwords requiring no tricky shift-work that can be entered in about 1 second, with no errors.
Even tougher passwords can be generated and still entered quickly and accurately, e.g. 24 character password entered in no more than 4 seconds. The bonus? I only need to remember the first character--the rest flows readily from it.
So, I choose a shift mode, start key, roll-direction, and row-direction. By roll-direction, I mean, rolling my index-middle-ring fingers across the keys, either left to right, or right-to-left. By "row-direction," I mean either up or down. For example: "shifted, ;, right-to-left, up" produces:
Want tougher passwords? Add more rows, and/or a second pattern (such as, same pattern, shifted one to the left).
So: no-shift, 8, L-R, down, then to the left and reverse, shifted, you get:
Again, all I need to remember is the starting key, the rest flows from that.
Now, I expect that the result-space of this pattern is probably small enough that a system that knows about this specific kind of pattern could crack it pretty quickly, given unlimited retries. But this is a Windows domain password, where 3 bad attempts locks out the account for an hour. So, not a huge worry, I hope.
Admin
Yes, please see The Berne Convention.
"(C)" was/is used as a perfectly adequate substitute for the circled-c: © on systems that did not have the circle-c in their character set.
I believe the "hey, that's not a 'circled-c,' only 'C-in-parens,' so the work isn't copyrighted!" defense was tried and failed in a copyright infringement suit, but that may be a coder's urban legend.
To get circle-c: in html:
in Windows:in osX/Linux/etc:Admin
Admin
Yeah, I tend to make secure passwords. Then one system forced me to change every few weeks. As it doesn't have a way to check my past used passwords, I flip back and forth between two: Word1TwoChars and TwoCharsWord1
Is it secure? In a sense... it follows the guidelines of secure passwords. Does it fit in with what they were expecting? Highly doubt it. But I couldn't be arsed to remember multiple confusing passwords that change every X number of days.
-- Seejay
Admin
O_O This is genius! I love the idea. And I think I'm deifnitely going to keep it in mind if my work passwords start to get more anal retentive to the point that I can't put band names into leet speak without busting a blood vessel trying to get it to correspond with a bunch of mucked up rules!
-- Seejay
Admin
Admin
No matter the complexity, eh? Excellent. Forget backups - each of my employees will get a password every two weeks which is equivalent to a UUEncoded tarball of our data. Two birds with one stone!
Admin
The longest word in the English language with no repeating characters is: UNCOPYRIGHTABLE !!
Admin
A requirement of "no 4 character correspondence with any previous 100 passwords" is a real WTF, because it means that the passwords must be stored in PLAINTEXT somewhere on the server.
Many systems outlaw direct matches with previous passwords, but this can be accomplished by keeping the hash value of the password, not the plaintext, and checking the hash of the new password against the hash of the old one. This only works if you check for exact identicalness, since even one different char between old and new passwords would produce a completely different hash.
Admin
Hint for all you clueless people about (C) vs c-in-a-cirlce debate.
The presence, or lack thereof, of any particular symbol before a piece of text has NO LEGAL MEANING WHATSOEVER on whether the text is copyrighted.
If I write something, the copyright belongs to me, period. I can put (C), c-in-a-circle, or nothing at all in front of it, and that does not change the copyright status of the text in question, nor what you are allowed or not allowed to do with that text.
The symbol is purely informative, design to warn or scare off people, or accent the fact the text is copyrighted if the user otherwise might not have known that. But again, it does not have legal meaning. Ignorance is no defence in court, so someone can't say "well this text had no (C) symbol so I yanked it".
In other words, the (C) symbol is like a sign saying "PRIVATE PROPERTY: NO TRESPASSING". It is only there to warn you. Even if the sign wasn't there, you'd still break the law by entering my property.
Admin
Admin
(opt-c is taken: lowercase c-cedilla)
Admin
Admin
Admin
All computer security is managed by people who are too stupid to get a real job. One security professional somewhere, sometime thought it would be a good idea to require passwords to be periodically changed, hopefully more often than the time it would take to brute-force guess it. Since then, about 50 better ways to deal with brute-force attacks have been invented, yet everyone in the world is still forced to change their password at ridiculously small intervals. Why? See first sentence.
Admin
You had the Aussie Navy guarding your terminals from Iranians? Cool!
Admin
18446744073709551541 is 0xFFFFFFFFFFFFFFB5
Which is (2^64)-75. Which someone already stated, but I thought I'd show how easy it is to use the nonWTF Windows Calculator to work this out. Similar tricks with (2^32)-1 4294967295 (FFFFFFFF), or the more ubiquitous (2^31)-1, 2147483647.
But I really wanted to comment on the futility of stupid password policies. Our stupid organisation went for super-harsh passwords -- three of the four groups, lower case, upper case, numeric, special, 8 character minimum, none of previous 13 passwords, password cannot be changed until it is 24 hours old (to stop people 'cycling' through a list of passwords), max password age is 30 days NO EXCEPTIONS, and a lockout policy of 3 bad attempts (which is only 1.5 bad attempts if you try your password between Windows domains, and Kerberos gets upset), with a 0 minute lockout (Admin only unlock). The '3 of 4' groups and 8 char minimum was 'too hard' so now it's 6 characters minimum with no strict enforcement of groups, but still with the 3 retries before permanent lockout. STUPIDITY.
Ex
Admin
permanent lockout is actualy a good idea. i used to work IT helpdesk and with a 1hr lock period you'd be amazed at the amount of people that would just blow off the hour doing jack shit instead of calling the help desk to get it fixed.
stupid american workers with no sense of ethics!
Admin
Admin