Admin
Frist! Eight characters should be enough for everybody!
Admin
Thi$P4ssw0rdh4st00much3ntr0py
Admin
Nothing new here...move along
Admin
I had a similar problem way back when I was a lad and you could get a ".tk" domain for free without adverts.
They truncated my password to 5 characters.
This was before security was even remotely a thing.
Apparently this comment was spam; I thought it added a meaningful "me too" anecdote to the discussion, what with it being about a security system in place about 10 years ago on a tiny backwater domain registrar that probably no one else has heard of.
Akismet clearly knows that I am TRWTF.
Admin
Was about to say SBC, but the last time I dealt with it, the two passwords were decoupled. You had to choose an 8-character, no-special-symbol password for your PPPoE but could choose a separate one for the Yahoo.
The Europeans really screwed us over on DSL. ATM, PPPoE, and slow service for the loop lengths you encounter in the US.
Admin
What the F is this WTFery? Tech support shall NEVER ask specific questions about passwords and you shall NEVER answer to any such questions!
SUPPORT: How long is your password?
LUSER: I will not comment on such questions. Why do you ask?
SUPPORT: Passwords longer than 8 characters are known to cause problems.
LUSER: Ok. Bye.
Admin
TRWTF is the link about Kool Aid giving a 404
Admin
Mandatory link: Rules for the Selection of Passwords
No, Akismet, this is not Spam.
Admin
You really would expect people in charge of such systems, dealing with lots of details on lots of people, to have stumbled across the notion of a salted hash at some point in their careers.
Personally, I always view policies concerning the number of characters in a password, or permissible characters, as a first rate demonstration that the organisation doesn't know what its doing - and then take my business elsewhere...
Admin
Right or wrong, protecting access to your account, and potentially your data, was important back then.
Admin
As far as I know, the Germans started it in WWII: certain wheel settings were not allowed for their Enigma machines, because they were considered too obvious. British military intelligence, on the other hand, knew about those restrictions, thus enabling Turing to crack the communication faster, since he could skip combinations he knew not to be allowed.
And I think I have read somewhere that the same is practiced on ATM pins - you will not get a generated pin like "0000" or "1234".
So, yeah, let them declare "passwords must at least be 8 characters long". Then any interested hacker can save the cycles to create hashes for character combinations with a length of less than 8 characters.
Admin
the data set for 8 characters is large enough that those who used 8 character passwords already are not massively (although it's true they are slightly) less safe, while those who would use fewer characters are significantly safer as a result.
the average security of your users is higher as a result of the restrictions, and as a company, the average is all you probably care about
Admin
8 charac
Admin
Some support agents are just the same.
SUPPORT: How long is your password?
LUSER: I will not comment on such questions. Why do you ask?
SUPPORT: The computer asks for it.
LUSER: I'm not telling you.
SUPPORT: I can not proceed with it.
LUSER: Fine, it's 14 characters.
SUPPORT: That's too long.
LUSER: How long can it be?
SUPPORT: I can not disclose that information.
LUSER: How about 13 characters?
SUPPORT: Still too long.
LUSER: How about 12 characters?
SUPPORT: Still too long.
LUSER: How about 11 characters?
SUPPORT: Still too long.
LUSER: How about 10 characters?
SUPPORT: Still too long.
LUSER: How about 9 characters?
SUPPORT: Still too long.
LUSER: How about 8 characters?
SUPPORT: That'll work fine.
Admin
TRWTF is storing a password in PLAIN FUCKING TEXT instead of a hashed value like SHA1(salt(password))
Admin
This, this, a thousand times this. It should not matter if your password is 14 characters or 400, because they should all hash to a uniform-length string.
Admin
Anyone who doesn't do this should be shot (somewhere painful, like the stomach), and then banned from being a programmer for the rest of their lives (about the 30 minutes it will take until they bleed out whilst in constant pain).
Too much?
Admin
AT&T. I hate them with a fire that burns with the heat of 10,000 suns.
Admin
Except if it isn't salted. All that goes out the window.
Admin
TRWTF is that we still can't use pass phrases rather than passwords on most services.
Admin
Some password hashing algorithms truncate passwords before calculating their hash. The old "crypt" algorithm used on Unix truncates passwords to... 8 characters.
So a password truncation does not necessarily mean that no password hashing is used. It may mean that bad password hashing is used.
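The point above, that a service can hash passwords and still throw most of them away, is testable from the outside without knowing what the backend does. The following is an added example written for this page (it is not code from the thread or from any ISP); it builds two in-memory password stores that both salt and hash, one of which cuts the password to 8 bytes first as a simulation of the traditional DES-crypt behaviour (it is not crypt(3) itself, and the cut-off length, PBKDF2 as the hash and the iteration count are assumptions for the demo), then probes each store as a black box to find the cut-off. The probe relies on the fact that, once a long password is set, a prefix verifies if and only if it is at least as long as the truncation point, so a binary search over prefix lengths needs only a handful of login attempts.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Low for the demo; a real deployment uses far more iterations or a memory-hard KDF.
PBKDF2_ITERATIONS = 20_000


class PasswordStore:
    """Salted-and-hashed password store. If truncate_at is set, the password is
    cut to that many bytes before hashing (simulated legacy behaviour, assumed)."""

    def __init__(self, truncate_at: Optional[int] = None) -> None:
        self.truncate_at = truncate_at
        self.records: Dict[str, Tuple[bytes, bytes]] = {}  # user -> (salt, digest)

    def _digest(self, password: str, salt: bytes) -> bytes:
        pw = password.encode("utf-8")
        if self.truncate_at is not None:
            pw = pw[: self.truncate_at]  # everything past the cut-off is ignored
        return hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ITERATIONS)

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.records[user] = (salt, self._digest(password, salt))

    def verify(self, user: str, password: str) -> bool:
        salt, stored = self.records[user]
        return hmac.compare_digest(stored, self._digest(password, salt))


def probe_truncation(store: PasswordStore, user: str, max_len: int = 64) -> Optional[int]:
    """Black-box truncation probe.

    Sets a max_len-character password with no repeated prefix structure, then
    binary-searches for the shortest prefix that still verifies. Returns that
    length (the truncation point) or None if only the full password works."""
    full = "".join(chr(ord("a") + i % 26) for i in range(max_len))  # "abc...xyzabc..."
    store.set_password(user, full)
    lo, hi = 1, max_len  # full[:max_len] always verifies, so hi is a safe upper bound
    while lo < hi:
        mid = (lo + hi) // 2
        if store.verify(user, full[:mid]):
            hi = mid  # prefix accepted: cut-off is at or below mid
        else:
            lo = mid + 1  # prefix rejected: cut-off is above mid
    return lo if lo < max_len else None


def demo() -> Tuple[Optional[int], Optional[int], bool]:
    legacy = PasswordStore(truncate_at=8)
    modern = PasswordStore()
    legacy_cut = probe_truncation(legacy, "alice")
    modern_cut = probe_truncation(modern, "bob")
    # After the probe, alice's password is the 64-character string; on the
    # truncating store, any string sharing its first 8 bytes also logs in.
    tail_ignored = legacy.verify("alice", "abcdefgh" + "WRONG-TAIL")
    return legacy_cut, modern_cut, tail_ignored


if __name__ == "__main__":
    print(demo())  # expected: (8, None, True)
```

The same probe works against a live account (set a long password, try prefixes), which is how the bank story further down this thread would have been diagnosed in two or three attempts rather than by calling support.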
Admin
I think I can see what you mean.
Captcha: nibh. Bah. Too short.
Admin
I'll do you one further on PINs:
The obvious, 0000/1111/2222/etc. and 1234, aren't allowed.
At many banks, there are additional restrictions:
a) No sequential digits (1238 is right out, as are 7589, 0235)
b) No REVERSE-sequential digits (2138, 0325)
c) No repeating digits (0225, 1883)
At some banks, ALL of these restrictions are in place, which means cracking a PIN can become trivial (as though the space wasn't small enough by itself!).
Admin
Except those restrictions actually reduce security -- each additional restriction results in a less-computationally-complex password than the user would likely have chosen by themselves.
Beyond a certain point, password restrictions and expirations just cause users to start writing down passwords on post-it notes at their desks.
Admin
The modem has to be able to provide the password to the ISP, so it can't be hashed, but it should be stored ENCRYPTED. If you pass a hashed password in order to create a connection, the hashed value becomes the password.
Admin
(The combinatorics are more complex than that, of course, unless they feel like eliminating 90 as being consecutive digits. Note that the all-same combinations are barred by case (c), while combinations like 1234 or 4321 are eliminated respectively by (a) and (b). The abc rules don't block 2468, 3141 and other patterny combinations.)
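The two comments above (the bank's rules a/b/c, and the follow-up on their combinatorics) can be settled by enumeration. This is an added example for this page, not code from either commenter or from any bank; it reads the rules as applying to each adjacent digit pair, which matches every example given in the thread (1238, 7589, 0235, 2138, 0325, 0225, 1883 rejected; 2468 and 3141 allowed), and exposes the 9-to-0 wraparound the second comment mentions as a switch, since the thread does not say which way the bank treats it.

```python
from itertools import product
from math import log2
from typing import List

DIGITS = "0123456789"


def pair_banned(a: int, b: int, wrap: bool = False) -> bool:
    """Apply rules (a)-(c) from the thread to one adjacent digit pair (a, b)."""
    if a == b:          # (c) repeating digit
        return True
    if b == a + 1:      # (a) ascending run
        return True
    if b == a - 1:      # (b) descending run
        return True
    # Treat 9->0 and 0->9 as consecutive only if the bank counts them so (assumption, off by default).
    if wrap and {a, b} == {0, 9}:
        return True
    return False


def pin_allowed(pin: str, wrap: bool = False) -> bool:
    digits = [int(c) for c in pin]
    return not any(pair_banned(x, y, wrap) for x, y in zip(digits, digits[1:]))


def surviving_pins(length: int = 4, wrap: bool = False) -> List[str]:
    """Every PIN of the given length that passes all three rules."""
    return ["".join(p) for p in product(DIGITS, repeat=length) if pin_allowed("".join(p), wrap)]


def keyspace_report(length: int = 4, wrap: bool = False) -> dict:
    """How much of the PIN space the rules leave, and the entropy lost."""
    total = 10 ** length
    left = len(surviving_pins(length, wrap))
    return {
        "total": total,
        "allowed": left,
        "fraction_allowed": left / total,
        "bits_before": log2(total),
        "bits_after": log2(left),
    }


if __name__ == "__main__":
    print(keyspace_report())            # 3754 of 10000 PINs survive without wraparound
    print(keyspace_report(wrap=True))   # 3430 of 10000 with 9<->0 counted as consecutive
```

With the rules applied this way, an attacker who knows the policy skips more than 60% of the 4-digit space before the first guess; the first digit is free, and each following digit has only 7 or 8 legal successors. Note that "0000" and "1234" need no special-case rule: (c) and (a) already remove them, as the combinatorics comment says.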
Admin
Oh Yeah!
Admin
My password is much bigger than yours!
Admin
Obligatory xkcd!
Admin
This story is about the Belgian ISP Telenet.
Evidence: http://klantenservice.telenet.be/content/hoe-kan-ik-het-wachtwoord-van-mijn-mailbox-website-mijn-telenet-aanpassen http://klantenservice.telenet.be/content/ik-ben-mijn-wachtwoord-van-mijn-telenet-login-of-gebruikersnaam-e-mailadres-vergeten-wat-nu
It's in Dutch so you may need to run it through Google Translate.
Admin
Tried to log in to an ancient Yahoo Mail account the other day to clear it out and make it auto-file all new mail into Trash. Password didn't work. So I went through the password reset process, got to the Enter New Password screen, got KeePass to make me a nice new 20 character random password, and drag-dropped it into place.
Drag and drop doesn't work in the Yahoo password reset window. As soon as you bring it to the front, whatever you've dragged and dropped gets cleared. Fuck.
OK, so I'll copy and paste it. That works - but trying to submit it makes Yahoo tell me that my password is not strong enough. WTF? It's randomly generated and has 120 bits of entropy. It's greening all the checklist items (length >= 8, contains lowercase, contains uppercase, contains digits). No clue what Yahoo thinks is wrong with it.
Try another new password; maybe this one has too many occurrences of uppercase Q or some shit. Copy, paste, same deal: not strong enough.
Try copy, paste, click in text box, left arrow, right arrow (having seen text boxes that don't recognize password lengths properly immediately after pasting; thanks Apple). Nope.
Turns out Yahoo's password reset box fails if you have Adblock Plus turned on. WTF?
Admin
Impressive. That might be the stupidest use of a single password scheme I've ever seen.
Admin
My cellphone provider (vodafone) sets up a password to contact phone tech support that you then must provide to access account settings. They silently truncate this during web login and password changes, but if you call support they then refuse to help if you tell them the full password.
Admin
One of the rules was that no wheel could be in the same place it had been before, and for a while a letter not only couldn't map to itself, but also to the letter before or after it.
It didn't hurt that almost every message began with a common header followed by a weather report in exactly the same format every time. Standing orders to spell out every number meant that "Eins" (one) appeared in almost every message, and every now and then an Enigma operator would decide to do Bletchley Park a big favour by sending "LLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL" as a test, creating a long ciphertext containing every letter in the alphabet except for 'L'.
No matter how complicated you make the encryption scheme, there's always somebody who is going to go out of their way to use it wrong and mess it up for you.
Admin
No, passwords should not be encrypted. They should be hashed.
Encryption is when you take some input, and a key, and you create a new output that is related to the input by that key.
If hackers break in to your system and can see your software, they can see the key you are using, since you must keep that key on hand for whenever you want to decrypt the password to do a check.
Hashing is an algorithm that takes an input and generates an output. Hashing algorithms are designed with advanced mathematics to be extraordinarily hard to go in reverse. So HASHING a password is easy, but DEHASHING is assumed to be impossible.
A modern challenge-response password check scheme would use hashing. Assuming the user has already created an account and wants to log in, he visits the log in page. When he visits the page, he types in his password. His password never leaves his computer.
Instead, his client (usually a browser in the case of websites) takes his password, hashes it, then uses it as a key to encrypt a randomly generated challenge string from the server. His client sends that encrypted string, and NOT his password, to the server. Since the challenge string is random each time, the response should be different each time too. And your password is never transmitted. The server will compare your response to what it thinks the right answer is (it will encrypt the challenge string with your password hash to know what to expect) and provide authentication or access-denied behaviour.
Basically, encryption is to protect data by using a password. Hashes are to protect passwords themselves. But both are generally used together in certain challenge-response models.
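The exchange the comment above describes, with both sides' messages, as an added example for this page (not code from the commenter or from any real protocol implementation). One substitution: where the comment says "encrypt the challenge with the password hash as key", this example uses a keyed MAC (HMAC-SHA256) for the same purpose, which is the standard way to prove possession of a key over a fresh nonce. The SHA-256 of the password as the stored key, the 16-byte challenge and the user names are assumptions for the demo. It also shows the two properties a reviewer would check: a captured response cannot be replayed, and, because the stored hash is the key, a leaked server database lets an attacker answer challenges without ever learning the password.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional


def password_key(password: str) -> bytes:
    """What both client and server derive from the password. In this scheme it IS
    the key, so whoever holds it can authenticate (hence the leak demo below)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


class Server:
    def __init__(self) -> None:
        self.users: Dict[str, bytes] = {}      # user -> password_key (what is stored)
        self.pending: Dict[str, bytes] = {}    # user -> outstanding challenge

    def register(self, user: str, password: str) -> None:
        self.users[user] = password_key(password)

    def challenge(self, user: str) -> bytes:
        c = os.urandom(16)                    # fresh per login; must never repeat
        self.pending[user] = c
        return c

    def check(self, user: str, response: bytes) -> bool:
        c = self.pending.pop(user, None)      # single use: a replay meets no challenge
        key = self.users.get(user)
        if c is None or key is None:
            return False
        expected = hmac.new(key, c, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Client:
    def __init__(self, user: str, password: Optional[str] = None, key: Optional[bytes] = None) -> None:
        self.user = user
        # Normal client derives the key from the password it was typed;
        # an attacker holding a stolen server record can supply the key directly.
        self.key = key if key is not None else password_key(password or "")

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


def login(server: Server, client: Client) -> bool:
    """Full round trip: server -> challenge -> client -> response -> server verdict."""
    c = server.challenge(client.user)
    return server.check(client.user, client.respond(c))


def replay_is_rejected(server: Server, client: Client) -> bool:
    """An eavesdropper captures one response and submits it again."""
    c = server.challenge(client.user)
    captured = client.respond(c)
    assert server.check(client.user, captured)   # legitimate login consumes the challenge
    return not server.check(client.user, captured)  # replay must fail


def stolen_hash_logs_in(server: Server, user: str) -> bool:
    """Attacker read the server's user table; no password needed."""
    attacker = Client(user, key=server.users[user])
    return login(server, attacker)


if __name__ == "__main__":
    srv = Server()
    srv.register("alice", "correct horse battery staple")
    print(login(srv, Client("alice", "correct horse battery staple")))  # True
    print(login(srv, Client("alice", "wrong password")))                 # False
    print(replay_is_rejected(srv, Client("alice", "correct horse battery staple")))  # True
    print(stolen_hash_logs_in(srv, "alice"))                             # True: the weak spot
```

The last line is why the "hash on the client, store the hash" model the comment sketches is weaker than it looks: the server's table is password-equivalent, so a dump of it gives pass-the-hash against every account. Schemes deployed today send the password over TLS and store a salted, slow hash the client never sees, or use a PAKE, precisely so that a database leak does not double as a credential leak.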
Admin
I fired a bank over this. They put in a new online banking system, I set my new password using my standard scheme which gave me a 12 character or so password. I did what I needed to do online, signed out, couldn't get back in. Called their techs, they reset me, signed in again, set the same password, same thing happened: once I signed out, couldn't get back in.
Turned out that they truncated the password to eight characters. Fired them immediately and went to a much better bank.
It also turned out that their online system ran on Borland's Paradox database, I pray the rest of their bank ran on something more reasonable, like an iSeries or something.
Admin
ISP support line once told me I couldn't connect because my password was too old.
Not that their old authentication system was being upgraded or anything like that, just "too old".
Admin
are you really complaining that a free service won't let you use it if you block their ads?
Admin
expired password? that's normal. how can you have an issue with that?
Admin
Hooo, HP-UX DES-encoded password, how many times did I curse your 8-character truncation? I can't remember.
Admin
Let me fix that for you:
LOSER: How long is your password?
CUSTOMER: I will not comment on such questions. Why do you ask?
LOSER: Passwords longer than 8 characters are known to cause problems.
CUSTOMER: Ok. Bye.
Admin
What else could "same" mean?
Admin
It's almost like he was being sarcastic!