• (cs)

    Frist! Eight characters should be enough for everybody!

  • frist (unregistered)

    Thi$P4ssw0rdh4st00much3ntr0py

  • RFoxmich (unregistered)

    Nothing new here...move along

  • (cs)

    i had a similar problem way back when i was a lad and you could get a ".tk" domain for free without adverts.

    they truncated my password to 5 characters.

    this was before security was even remotely a thing.

    apparently this comment was spam, i thought it added a meaningful "me too" anecdote to the discussion, what with it being about a security system in place about 10 years ago on a tiny backwater domain registrar that probably no one else has heard of.

    Akismet clearly knows that I am TRWTF

  • Sam (unregistered)

    Was about to say SBC but the last time I dealt with it, the two passwords were decoupled. You had to choose an 8 character no special symbol password for your PPPoE but could choose a separate one for the Yahoo.

    The Europeans really screwed us over on DSL. ATM, PPPoE, and slow service for the loop lengths you encounter in the US.

  • X (unregistered)

    What the F is this WTFery? Tech support shall NEVER ask specific questions about passwords and you shall NEVER answer to any such questions!

    SUPPORT: How long is your password?
    LUSER: I will not comment such questions. Why do you ask?
    SUPPORT: Passwords longer than 8 characters are known to cause problems.
    LUSER: Ok. Bye.

  • Kool Aided (unregistered)

    TRWTF is the link about Kool Aid giving a 404

  • faoileag (unregistered)

    Mandatory link: Rules for the Selection of Passwords

    No, Akismet, this is not Spam.

  • (cs)

    You really would expect people in charge of such systems, dealing with lots of details on lots of people, to have stumbled across the notion of a salted hash at some point in their careers.

    Personally, I always view policies concerning the number of characters in a password, or permissible characters, as a first rate demonstration that the organisation doesn't know what it's doing - and then take my business elsewhere...

  • (cs)

    Right or wrong, protecting access to your account, and potentially your data, was important back then.

  • faoileag (unregistered) in reply to DumbByAssociation
    DumbByAssociation:
    Personally, I always view policies concerning the number of characters in a password, or permissible characters, as a first rate demonstration that the organisation doesn't know what it's doing - and then take my business elsewhere...
    It seems to be a common misapprehension that taking possibilities that look "obvious" to a human away from a given set of data enhances security.

    As far as I know the Germans started it in WWII - certain wheel settings were not allowed for their Enigma machines, because they were considered too obvious. British military intelligence on the other hand knew about those restrictions, thus enabling Turing to crack the communication faster since he could skip combinations he knew not to be allowed.

    And I think I have read somewhere that the same is practiced on ATM PINs - you will not get a generated PIN like "0000" or "1234".

    So, yeah, let them declare "passwords must at least be 8 characters long". Then any interested hacker can save the cycles to create hashes for character combinations with a length of less than 8 characters.

  • (cs) in reply to faoileag
    faoileag:
    DumbByAssociation:
    Personally, I always view policies concerning the number of characters in a password, or permissible characters, as a first rate demonstration that the organisation doesn't know what it's doing - and then take my business elsewhere...
    It seems to be a common misapprehension that taking possibilities that look "obvious" to a human away from a given set of data enhances security.

    As far as I know the Germans started it in WWII - certain wheel settings were not allowed for their Enigma machines, because they were considered too obvious. British military intelligence on the other hand knew about those restrictions, thus enabling Turing to crack the communication faster since he could skip combinations he knew not to be allowed.

    And I think I have read somewhere that the same is practiced on ATM PINs - you will not get a generated PIN like "0000" or "1234".

    So, yeah, let them declare "passwords must at least be 8 characters long". Then any interested hacker can save the cycles to create hashes for character combinations with a length of less than 8 characters.

    the data set for 8 characters is large enough that those who used 8 character passwords already are not massively (although it's true they are slightly) less safe, while those who would use fewer characters are significantly safer as a result.

    the average security of your users is higher as a result of the restrictions, and as a company, the average is all you probably care about

  • Snowman25 (unregistered) in reply to martijntje

    8 charac

  • Dee (unregistered) in reply to X

    Some support agents are just the same.

    SUPPORT: How long is your password?
    LUSER: I will not comment such questions. Why do you ask?
    SUPPORT: The computer asks for it.
    LUSER: I'm not telling you.
    SUPPORT: I can not proceed with it.
    LUSER: Fine, it's 14 characters.
    SUPPORT: That's too long.
    LUSER: How long can it be?
    SUPPORT: I can not disclose that information.
    LUSER: How about 13 characters?
    SUPPORT: Still too long.
    LUSER: How about 12 characters?
    SUPPORT: Still too long.
    LUSER: How about 11 characters?
    SUPPORT: Still too long.
    LUSER: How about 10 characters?
    SUPPORT: Still too long.
    LUSER: How about 9 characters?
    SUPPORT: Still too long.
    LUSER: How about 8 characters?
    SUPPORT: That'll work fine.

  • foo AKA fooo (unregistered) in reply to faoileag
    faoileag:
    It seems to be a common misapprehension that taking possibilities that look "obvious" to a human away from a given set of data enhances security.

    As far as I know the Germans started it in WWII - certain wheel settings were not allowed for their Enigma machines, because they were considered too obvious. British military intelligence on the other hand knew about those restrictions, thus enabling Turing to crack the communication faster since he could skip combinations he knew not to be allowed.

    More precisely, the Enigma would never encrypt a character to itself, thereby reducing the number of possible results from 26 to 25 and allowing them to exclude words, e.g. EET could not be encrypted from DER, EIN or MIT (3 common German words).

  • (cs)

    TRWTF is storing a password in PLAIN FUCKING TEXT instead of a hashed value like SHA1(salt(password))

  • (cs) in reply to rootkit
    rootkit:
    TRWTF is storing a password in PLAIN FUCKING TEXT instead of a hashed value like SHA1(salt(password))

    This, this, a thousand times this. It should not matter if your password is 14 characters or 400, because they should all hash to a uniform-length string.

  • Not Jim Jones (unregistered) in reply to Kool Aided
    Kool Aided:
    TRWTF is the link about Kool Aid giving a 404
    It drank the Kool-Aid like an obedient cultist.
  • Vindictive (unregistered) in reply to rootkit
    rootkit:
    TRWTF is storing a password in PLAIN FUCKING TEXT instead of a hashed value like SHA1(salt(password))

    Anyone who doesn't do this should be shot (somewhere painful, like the stomach), and then banned from being a programmer for the rest of their lives (about the 30 minutes it will take until they bleed out whilst in constant pain).

    Too much?

  • Zapp Brannigan (unregistered)

    AT&T. I hate them with a fire that burns with the heat of 10,000 suns.

  • Valued Service (unregistered) in reply to Algorythmics
    Algorythmics:
    faoileag:
    DumbByAssociation:
    Personally, I always view policies concerning the number of characters in a password, or permissible characters, as a first rate demonstration that the organisation doesn't know what it's doing - and then take my business elsewhere...
    It seems to be a common misapprehension that taking possibilities that look "obvious" to a human away from a given set of data enhances security.

    As far as I know the Germans started it in WWII - certain wheel settings were not allowed for their Enigma machines, because they were considered too obvious. British military intelligence on the other hand knew about those restrictions, thus enabling Turing to crack the communication faster since he could skip combinations he knew not to be allowed.

    And I think I have read somewhere that the same is practiced on ATM PINs - you will not get a generated PIN like "0000" or "1234".

    So, yeah, let them declare "passwords must at least be 8 characters long". Then any interested hacker can save the cycles to create hashes for character combinations with a length of less than 8 characters.

    the data set for 8 characters is large enough that those who used 8 character passwords already are not massively (although it's true they are slightly) less safe, while those who would use fewer characters are significantly safer as a result.

    the average security of your users is higher as a result of the restrictions, and as a company, the average is all you probably care about

    Except if it isn't salted. All that goes out the window.

  • verto (unregistered)

    TRWTF is that we still can't use pass phrases rather than passwords on most services.

  • (cs) in reply to Mason Wheeler
    Mason Wheeler:
    rootkit:
    TRWTF is storing a password in PLAIN FUCKING TEXT instead of a hashed value like SHA1(salt(password))

    This, this, a thousand times this. It should not matter if your password is 14 characters or 400, because they should all hash to a uniform-length string.

    Some password hashing algorithms truncate passwords before calculating their hash. The old "crypt" algorithm used on Unix truncates passwords to... 8 characters.

    So a password truncation does not necessarily mean that no password hashing is used. It may mean that bad password hashing is used.

  • faoileag (unregistered) in reply to verto
    verto:
    TRWTF is that we still can't use pass phrases rather than passwords on most services.
    "Long live sesquipedalianism!" "What do you mean, my onomatopoeia password is too short???" "Um diddle diddle diddle um diddle ay Supercalifragilisticexpialidocious!"

    I think I can see what you mean.

    Captcha: nibh. Bah. Too short.

  • Anon (unregistered) in reply to faoileag
    faoileag:
    DumbByAssociation:
    Personally, I always view policies concerning the number of characters in a password, or permissible characters, as a first rate demonstration that the organisation doesn't know what it's doing - and then take my business elsewhere...
    It seems to be a common misapprehension that taking possibilities that look "obvious" to a human away from a given set of data enhances security.

    As far as I know the Germans started it in WWII - certain wheel settings were not allowed for their Enigma machines, because they were considered too obvious. British military intelligence on the other hand knew about those restrictions, thus enabling Turing to crack the communication faster since he could skip combinations he knew not to be allowed.

    And I think I have read somewhere that the same is practiced on ATM PINs - you will not get a generated PIN like "0000" or "1234".

    So, yeah, let them declare "passwords must at least be 8 characters long". Then any interested hacker can save the cycles to create hashes for character combinations with a length of less than 8 characters.

    I'll do you one further on PINs:

    The obvious, 0000/1111/2222/etc. and 1234, aren't allowed.

    At many banks, there are additional restrictions:

    a) No sequential digits (1238 is right out, as are 7589, 0235)
    b) No REVERSE-sequential digits (2138, 0325)
    c) No repeating digits (0225, 1883)

    At some banks, ALL of these restrictions are in place, which means cracking a PIN can become trivial (as though the space wasn't small enough by itself!).

  • Anon (unregistered) in reply to Algorythmics
    Algorythmics:
    faoileag:
    DumbByAssociation:
    Personally, I always view policies concerning the number of characters in a password, or permissible characters, as a first rate demonstration that the organisation doesn't know what it's doing - and then take my business elsewhere...
    It seems to be a common misapprehension that taking possibilities that look "obvious" to a human away from a given set of data enhances security.

    As far as I know the Germans started it in WWII - certain wheel settings were not allowed for their Enigma machines, because they were considered too obvious. British military intelligence on the other hand knew about those restrictions, thus enabling Turing to crack the communication faster since he could skip combinations he knew not to be allowed.

    And I think I have read somewhere that the same is practiced on ATM PINs - you will not get a generated PIN like "0000" or "1234".

    So, yeah, let them declare "passwords must at least be 8 characters long". Then any interested hacker can save the cycles to create hashes for character combinations with a length of less than 8 characters.

    the data set for 8 characters is large enough that those who used 8 character passwords already are not massively (although it's true they are slightly) less safe, while those who would use fewer characters are significantly safer as a result.

    the average security of your users is higher as a result of the restrictions, and as a company, the average is all you probably care about

    Except those restrictions actually reduce security -- each additional restriction results in a less-computationally-complex password than the user would likely have chosen by themselves.

    Beyond a certain point, password restrictions and expirations just cause users to start writing down passwords on post-it notes at their desks.

  • JAPH (unregistered) in reply to Mason Wheeler
    Mason Wheeler:
    rootkit:
    TRWTF is storing a password in PLAIN FUCKING TEXT instead of a hashed value like SHA1(salt(password))

    This, this, a thousand times this. It should not matter if your password is 14 characters or 400, because they should all hash to a uniform-length string.

    The modem has to be able to provide the password to the ISP, so it can't be hashed, but it should be stored ENCRYPTED. If you pass a hashed password in order to create a connection, the hashed value becomes the password.

  • (cs) in reply to Anon
    Anon:
    I'll do you one further on PINs:

    The obvious, 0000/1111/2222/etc. and 1234, aren't allowed.

    At many banks, there are additional restrictions:

    a) No sequential digits (1238 is right out, as are 7589, 0235)
    b) No REVERSE-sequential digits (2138, 0325)
    c) No repeating digits (0225, 1883)

    At some banks, ALL of these restrictions are in place, which means cracking a PIN can become trivial (as though the space wasn't small enough by itself!).

    You can trivially show that this reduces the number space by a factor (crudely) of (7.0/10)**3 == 0.343, thus eliminating two-thirds of the number space...

    (The combinatorics are more complex than that, of course, unless they feel like eliminating 90 as being consecutive digits. Note that the all-same combinations are barred by case (c), while combinations like 1234 or 4321 are eliminated respectively by (a) and (b). The abc rules don't block 2468, 3141 and other patterny combinations.)
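
    The exact count behind the (7.0/10)**3 figure, as an added Python example that is not from the thread: it applies Anon's rules (a), (b) and (c) to every 4-digit PIN and counts the survivors, with the "is 9-0 consecutive" wrap-around question from the reply above as a parameter. The reading of the rules as "adjacent digits may not differ by -1, 0 or +1" is an assumption taken from the examples given in the post.

```python
"""PIN-policy shrinkage, as an added example (not code from the thread).

Rules as read from Anon's post: (a) no ascending adjacent pair (1238),
(b) no descending adjacent pair (2138), (c) no repeated adjacent digit
(0225). Whether 9 -> 0 counts as ascending is the wrap-around question
the combinatorics reply raises, so it is a parameter here.
"""
from itertools import product

PIN_LENGTH = 4
DIGITS = "0123456789"


def forbidden_step(prev: int, cur: int, wraparound: bool) -> bool:
    """True if the adjacent pair (prev, cur) breaks rule (a), (b) or (c)."""
    if wraparound:
        # In this reading 9 -> 0 is ascending and 0 -> 9 is descending.
        return (cur - prev) % 10 in (0, 1, 9)
    return cur - prev in (-1, 0, 1)


def is_allowed(pin: str, wraparound: bool = False) -> bool:
    """Apply rules (a), (b) and (c) to a PIN given as a digit string."""
    if len(pin) != PIN_LENGTH or any(c not in DIGITS for c in pin):
        return False
    digits = [int(c) for c in pin]
    return not any(forbidden_step(p, c, wraparound)
                   for p, c in zip(digits, digits[1:]))


def count_allowed(wraparound: bool = False) -> int:
    """Brute-force the whole 10**PIN_LENGTH space and count survivors."""
    return sum(1 for combo in product(DIGITS, repeat=PIN_LENGTH)
               if is_allowed("".join(combo), wraparound))


def crude_estimate() -> int:
    """The (7/10)**3 approximation from the thread, scaled to the space."""
    return round(10 ** PIN_LENGTH * (7 / 10) ** (PIN_LENGTH - 1))


if __name__ == "__main__":
    total = 10 ** PIN_LENGTH
    for wrap in (False, True):
        n = count_allowed(wrap)
        print(f"wraparound={wrap}: {n} of {total} PINs allowed ({n / total:.1%})")
    print(f"crude (7/10)**3 estimate: {crude_estimate()}")
    for sample in ("1238", "2138", "0225", "2468", "3141", "9075"):
        print(sample, "allowed" if is_allowed(sample) else "blocked")
```

    Without wrap-around 3754 PINs survive (37.5%); with wrap-around exactly 3430 do, which is the 0.343 figure, so the crude estimate is exact precisely when 9-0 is treated as consecutive.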

  • (cs) in reply to JAPH
    JAPH:
    Mason Wheeler:
    rootkit:
    TRWTF is storing a password in PLAIN FUCKING TEXT instead of a hashed value like SHA1(salt(password))

    This, this, a thousand times this. It should not matter if your password is 14 characters or 400, because they should all hash to a uniform-length string.

    The modem has to be able to provide the password to the ISP, so it can't be hashed, but it should be stored ENCRYPTED. If you pass a hashed password in order to create a connection, the hashed value becomes the password.

    Go forth and sin no more. The modem has to be able to answer a challenge from the ISP, usually by using the password and the challenge to calculate an answer. Sending the password anywhere is a big no-no, even if it is just the hash.

  • MrBig (unregistered) in reply to Kool Aided
    Kool Aided:
    TRWTF is the link about Kool Aid giving a 404

    Oh Yeah!

  • MrBig (unregistered)

    My password is much bigger than yours!

  • Sir Robin-The-Not-So-Brave (unregistered)

    This story is about the Belgian ISP Telenet.

    Evidence:
    http://klantenservice.telenet.be/content/hoe-kan-ik-het-wachtwoord-van-mijn-mailbox-website-mijn-telenet-aanpassen
    http://klantenservice.telenet.be/content/ik-ben-mijn-wachtwoord-van-mijn-telenet-login-of-gebruikersnaam-e-mailadres-vergeten-wat-nu

    It's in Dutch so you may need to run it through Google Translate.

  • (cs)

    Tried to log in to an ancient Yahoo Mail account the other day to clear it out and make it auto-file all new mail into Trash. Password didn't work. So I went through the password reset process, got to the Enter New Password screen, got KeePass to make me a nice new 20 character random password, and drag-dropped it into place.

    Drag and drop doesn't work in the Yahoo password reset window. As soon as you bring it to the front, whatever you've dragged and dropped gets cleared. Fuck.

    OK, so I'll copy and paste it. That works - but trying to submit it makes Yahoo tell me that my password is not strong enough. WTF? It's randomly generated and has 120 bits of entropy. It's greening all the checklist items (length >= 8, contains lowercase, contains uppercase, contains digits). No clue what Yahoo thinks is wrong with it.

    Try another new password; maybe this one has too many occurrences of uppercase Q or some shit. Copy, paste, same deal: not strong enough.

    Try copy, paste, click in text box, left arrow, right arrow (having seen text boxes that don't recognize password lengths properly immediately after pasting; thanks Apple). Nope.

    Turns out Yahoo's password reset box fails if you have Adblock Plus turned on. WTF?

  • Calli Arcale (unregistered)

    Impressive. That might be the stupidest use of a single password scheme I've ever seen.

  • SI (unregistered)

    My cellphone provider (vodafone) sets up a password to contact phone tech support that you then must provide to access account settings. They silently truncate this during web login and password changes, but if you call support they then refuse to help if you tell them the full password.

  • (cs) in reply to foo AKA fooo
    foo AKA fooo:
    faoileag:
    It seems to be a common misapprehension that taking possibilities that look "obvious" to a human away from a given set of data enhances security.

    As far as I know the Germans started it in WWII - certain wheel settings were not allowed for their Enigma machines, because they were considered too obvious. British military intelligence on the other hand knew about those restrictions, thus enabling Turing to crack the communication faster since he could skip combinations he knew not to be allowed.

    More precisely, the Enigma would never encrypt a character to itself, thereby reducing the number of possible results from 26 to 25 and allowing them to exclude words, e.g. EET could not be encrypted from DER, EIN or MIT (3 common German words).

    One of the rules was that no wheel could be in the same place it had been before, and for a while a letter not only couldn't map to itself, but also to the letter before or after it.

    It didn't hurt that almost every message began with a common header followed by a weather report in exactly the same format every time. Standing orders to spell out every number meant that "Eins" (one) appeared in almost every message, and every now and then an Enigma operator would decide to do Bletchley Park a big favour by sending "LLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL" as a test, creating a long ciphertext containing every letter in the alphabet except for 'L'.

    No matter how complicated you make the encryption scheme, there's always somebody who is going to go out of their way to use it wrong and mess it up for you.

  • Geraden (unregistered) in reply to JAPH

    No, passwords should not be encrypted. They should be hashed.

    Encryption is when you take some input, and a key, and you create a new output that is related to the input by that key.

    If hackers break into your system and can see your software, they can see the key you are using, since you must keep that key on hand for whenever you want to decrypt the password to do a check.

    Hashing is an algorithm that takes an input and generates an output. Hashing algorithms are designed with advanced mathematics to be extraordinarily hard to go in reverse. So HASHING a password is easy, but DEHASHING is assumed to be impossible.

    A modern challenge-response password check scheme would use hashing. Assuming the user has already created an account and wants to log in, he visits the log in page. When he visits the page, he types in his password. His password never leaves his computer.

    Instead, his client (usually a browser in the case of websites) takes his password, hashes it, then uses it as a key to encrypt a randomly generated challenge string from the server. His client sends that encrypted string, and NOT his password, to the server. Since the challenge string is random each time, the response should be different each time too. And your password is never transmitted. The server will compare your response to what it thinks the right answer is (it will encrypt the challenge string with your password hash to know what to expect) and provide authentication or access denied behaviour.

    Basically, encryption is to protect data by using a password. Hashes are to protect passwords themselves. But both are generally used together in certain challenge-response models.
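
    The exchange Geraden describes, and the modem-answers-the-ISP's-challenge point made in the reply to JAPH, as an added Python sketch that is not code from the thread. It swaps HMAC-SHA256 in for "encrypt the challenge with the hash", uses PBKDF2 with a constructed salt as the client-side derivation, and also checks JAPH's caveat: whatever the server stores to verify the response is itself enough to produce one, so it is password-equivalent and must be protected like one.

```python
"""Challenge-response login sketch with both sides' messages.

Added example, not code from the thread. Follows the scheme Geraden
describes (client derives a key from the password and proves it over a
fresh random server challenge; the password never leaves the client) and
the modem/ISP exchange in the reply to JAPH. Assumptions: HMAC-SHA256
stands in for "encrypt the challenge with the hash"; PBKDF2 with a
constructed salt is the client-side derivation; the verifier the server
stores is that derived key.
"""
import hashlib
import hmac
import secrets

# Constructed for reproducibility; a real deployment uses a random salt per user.
SALT = b"constructed-demo-salt"


def derive_key(password: str, salt: bytes = SALT) -> bytes:
    """Client side: turn the typed password into the key that answers challenges."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def respond(key: bytes, challenge: bytes) -> bytes:
    """Keyed function over the challenge; a fresh challenge gives a fresh response."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Server:
    def __init__(self) -> None:
        self.verifiers: dict[str, bytes] = {}   # user -> stored verifier (the derived key)
        self.pending: dict[str, bytes] = {}     # user -> outstanding challenge

    def enroll(self, user: str, password: str) -> None:
        # Enrolment is the only time the server ever handles the password.
        self.verifiers[user] = derive_key(password)

    def challenge(self, user: str) -> bytes:
        # Server -> client: 32 fresh random bytes per login attempt.
        c = secrets.token_bytes(32)
        self.pending[user] = c
        return c

    def verify(self, user: str, response: bytes) -> bool:
        # Client -> server: the response. The challenge is consumed whether or
        # not the check passes, so a recorded response cannot be presented twice.
        c = self.pending.pop(user, None)
        if c is None or user not in self.verifiers:
            return False
        expected = respond(self.verifiers[user], c)
        return hmac.compare_digest(expected, response)


def login(server: Server, user: str, password: str) -> bool:
    """The full exchange from the client's side; the password stays local."""
    c = server.challenge(user)
    return server.verify(user, respond(derive_key(password), c))


def replayed_response_accepted(server: Server, user: str, password: str) -> bool:
    """Does a response recorded in one session pass in a later one? Should be False."""
    c = server.challenge(user)
    recorded = respond(derive_key(password), c)
    if not server.verify(user, recorded):
        raise RuntimeError("genuine response was rejected")
    server.challenge(user)            # later session, new challenge
    return server.verify(user, recorded)


def verifier_alone_logs_in(server: Server, user: str) -> bool:
    """JAPH's caveat: the stored verifier answers the challenge without the
    password, so a leaked verifier is as good as the password itself."""
    c = server.challenge(user)
    return server.verify(user, respond(server.verifiers[user], c))


if __name__ == "__main__":
    s = Server()
    s.enroll("alice", "correct horse battery")
    print("right password:", login(s, "alice", "correct horse battery"))
    print("wrong password:", login(s, "alice", "wrong"))
    print("replay accepted:", replayed_response_accepted(s, "alice", "correct horse battery"))
    print("verifier alone logs in:", verifier_alone_logs_in(s, "alice"))
```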

  • Wayne (unregistered)

    I fired a bank over this. They put in a new online banking system, I set my new password using my standard scheme which gave me a 12 character or so password. I did what I needed to do online, signed out, couldn't get back in. Called their techs, they reset me, signed in again, set the same password, same thing happened: once I signed out, couldn't get back in.

    Turned out that they truncated the password to eight characters. Fired them immediately and went to a much better bank.

    It also turned out that their online system ran on Borland's Paradox database, I pray the rest of their bank ran on something more reasonable, like an iSeries or something.

  • John (unregistered)

    ISP support line once told me I couldn't connect because my password was too old.

    Not that their old authentication system was being upgraded or anything like that, just "too old".

  • (cs) in reply to flabdablet
    flabdablet:
    Tried to log in to an ancient Yahoo Mail account the other day to clear it out and make it auto-file all new mail into Trash. Password didn't work. So I went through the password reset process, got to the Enter New Password screen, got KeePass to make me a nice new 20 character random password, and drag-dropped it into place.

    Drag and drop doesn't work in the Yahoo password reset window. As soon as you bring it to the front, whatever you've dragged and dropped gets cleared. Fuck.

    OK, so I'll copy and paste it. That works - but trying to submit it makes Yahoo tell me that my password is not strong enough. WTF? It's randomly generated and has 120 bits of entropy. It's greening all the checklist items (length >= 8, contains lowercase, contains uppercase, contains digits). No clue what Yahoo thinks is wrong with it.

    Try another new password; maybe this one has too many occurrences of uppercase Q or some shit. Copy, paste, same deal: not strong enough.

    Try copy, paste, click in text box, left arrow, right arrow (having seen text boxes that don't recognize password lengths properly immediately after pasting; thanks Apple). Nope.

    Turns out Yahoo's password reset box fails if you have Adblock Plus turned on. WTF?

    are you really complaining that a free service won't let you use it if you block their ads?

  • (cs) in reply to John
    John:
    ISP support line once told me I couldn't connect because my password was too old.

    Not that their old authentication system was being upgraded or anything like that, just "too old".

    expired password? that's normal. how can you have an issue with that?

  • (cs)

    Hooo HP-UX DES-encoded password, how many times did I curse your 8-character truncations? I can't remember.

  • gnasher729 (unregistered) in reply to X
    X:
    What the F is this WTFery? Tech support shall NEVER ask specific questions about passwords and you shall NEVER answer to any such questions!

    SUPPORT: How long is your password?
    LUSER: I will not comment such questions. Why do you ask?
    SUPPORT: Passwords longer than 8 characters are known to cause problems.
    LUSER: Ok. Bye.

    Let me fix that for you:

    LOSER: How long is your password?
    CUSTOMER: I will not comment such questions. Why do you ask?
    LOSER: Passwords longer than 8 characters are known to cause problems.
    CUSTOMER: Ok. Bye.

  • Lucent (unregistered)

    What else could "same" mean?

  • Evan (unregistered) in reply to Anon
    Anon:
    Except those restrictions actually reduce security -- each additional restriction results in a less-computationally-complex password than the user would likely have chosen by themselves.
    Those restrictions reduce security assuming that your users chose passwords uniformly randomly from the keyspace of strings up to some fixed number of characters, which is a brain-dead assumption.
  • (cs) in reply to Evan
    Evan:
    Anon:
    Except those restrictions actually reduce security -- each additional restriction results in a less-computationally-complex password than the user would likely have chosen by themselves.
    Those restrictions reduce security assuming that your users chose passwords uniformly randomly from the keyspace of strings up to some fixed number of characters, which is a brain-dead assumption.
    In the case of ATM PIN codes - which are usually exactly 4 characters and these characters are digits only - it is a reasonable assumption.
  • Stuart (unregistered) in reply to Sir Robin-The-Not-So-Brave
    Sir Robin-The-Not-So-Brave:
    This story is about the Belgian ISP Telenet.
    Like I was saying, sucks to be Belgian.
    no laughing matter:
    In the case of ATM machine PIN numbers - which are usually exactly 4 characters and these characters are digits only - it is a reasonable assumption.
    FTFY
  • (cs) in reply to Stuart
    Stuart:
    no laughing matter:
    In the case of ATM machine PIN numbers - which are usually exactly 4 characters and these characters are digits only - it is a reasonable assumption.
    FTFY
    You're aware that the M in ATM stands for "machine", right? However prevalent a colloquialism, redundancy is still redundant.
  • (cs) in reply to Loose Bree
    Loose Bree:
    Stuart:
    no laughing matter:
    In the case of ATM machine PIN numbers - which are usually exactly 4 characters and these characters are digits only - it is a reasonable assumption.
    FTFY
    You're aware that the M in ATM stands for "machine", right? However prevalent a colloquialism, redundancy is still redundant.

    It's almost like he was being sarcastic!
