Admin
For example if users with read-write access to the most sensitive data in your system would choose a password with only four characters (if you would let them), then enforcing a minimum length cannot reduce security. That does not mean it is guaranteed to help, but it does not hurt.
I propose that moving forward any password policy satisfying the following criteria be officially known as lame.
Let m be the maximum length of passwords. Let r be the total number of alphanumeric strings of length m or less, which are rejected by the policy.
Then if r > 3^m, the password policy is lame.
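Applying the "r > 3^m" test from the post above to a few common rules, as an added example that is not part of the original post. It counts rejected strings over the 62-symbol alphanumeric alphabet, as the post's definition of r requires; the "most common passwords" list is a constructed stand-in, not a real dataset, and the policy names are hypothetical.

```python
# Added example, not from the original post: the "r > 3^m" lameness test
# applied to typical password rules. Counts are over the 62-symbol
# alphanumeric alphabet used in the post's definition of r.
import itertools
import string

ALPHANUM = string.ascii_letters + string.digits  # 62 symbols
K = len(ALPHANUM)

# Constructed stand-in for a "most common passwords" list (not a real dataset).
COMMON = ["password", "123456", "qwerty", "letmein",
          "abc123", "iloveyou", "admin", "welcome1"]


def threshold(m):
    """The post's cut-off: a policy is lame if it rejects more than 3^m strings."""
    return 3 ** m


def rejected_by_min_length(min_len, k=K):
    """'At least min_len characters': every string of length 1..min_len-1 is rejected."""
    return sum(k ** n for n in range(1, min_len))


def rejected_by_required_class(m, class_size, k=K):
    """'Must contain at least one symbol from a class of class_size symbols':
    every string of length 1..m drawn only from the other k - class_size
    symbols is rejected."""
    return sum((k - class_size) ** n for n in range(1, m + 1))


def rejected_by_blocklist(m, blocklist):
    """'Not on this list': only listed strings that are alphanumeric and
    no longer than m count towards r."""
    return sum(1 for p in blocklist if p.isalnum() and 0 < len(p) <= m)


def rejected_brute_force(m, accepts):
    """Ground truth by enumeration: strings of length 1..m the policy rejects.
    Only feasible for tiny m (m=3 is about 240k strings)."""
    return sum(
        1
        for n in range(1, m + 1)
        for t in itertools.product(ALPHANUM, repeat=n)
        if not accepts("".join(t))
    )


def is_lame(m, r):
    return r > threshold(m)


def classify_policies(m=8):
    """Apply the test at maximum length m to three rules; returns {name: (r, lame?)}."""
    r_len = rejected_by_min_length(m)            # "m characters minimum" (so exactly m)
    r_digit = rejected_by_required_class(m, 10)  # "at least one digit"
    r_block = rejected_by_blocklist(m, COMMON)   # "not one of these common passwords"
    return {
        "min_length": (r_len, is_lame(m, r_len)),
        "needs_digit": (r_digit, is_lame(m, r_digit)),
        "blocklist": (r_block, is_lame(m, r_block)),
    }


if __name__ == "__main__":
    for name, (r, lame) in classify_policies(8).items():
        print(f"{name:12s} r={r:>20,d}  lame={lame}")
```

With m=8 the threshold is 3^8 = 6561. Any minimum-length or required-character-class rule rejects trillions of strings, so by the post's definition every such policy is lame; a blocklist of a few hundred common passwords is the only kind of rule in this set that passes.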
Admin
In 1998, a friend of mine had a laptop at high-school. Knowing his friends like to play pranks, he used the BIOS settings to require a password on boot. He typed in his 9-character password and saved it to the BIOS.
The computer restarted and asked for his password. He typed the same 9-character password. Rejected. Okay, was there a capital letter? Rejected. Did I make a typo? Rejected. Rejected. Rejected.
Finally he caved, realising he must have made a completely random error in his password that would be near impossible to find. He called up tech support expecting to have to send his laptop in to have the BIOS reflashed. When he explained the situation, they immediately fixed the problem for him, over the phone.
"The password can only be 7 characters long."
Admin
My mother worked at a bank in the late 80s when banks still had monochrome green terminals.
She set up her password for her login. She quickly typed 6 characters and hit ENTER. Nothing happened, so she hit ENTER again and the password was accepted. And every time she entered her password she would have to hit ENTER twice for the password to be accepted.
It turned out that passwords were 7 characters fixed length. Her password included a CR as the last character.
Admin
Unfortunately EA's Origin is pretty much the same, except 16 characters. Makes me scared to use the service...
Admin
http://www.passwordmeter.com/
although seriously, the password you use depends on the application.... Let's keep in mind that lockout after X attempts makes brute force very difficult (if you're absolutely certain that someone logs on in a certain interval successfully, you could try X-1 combinations in that interval, but it's slow and likely to cause them to lock themselves out which might have them reset their password). If you're worried about people using rainbow tables and the like, they'd have to have had access to them in the first place - which would mean a breach somewhere - which is not always likely - and the likelihood of this happening depends on the use (and you'd hope the most critical places where you use a password it would be well salted and hashed).
For example, I tend to use a more obscure password for my bank (which has extra factors of identification anyway) than for my email account. My work passwords tend to be less obscure again, because our systems aren't available to the outside world - so I simply have to deter my colleagues....etc.....
That said, I would probably avoid anything appearing in a list of "10 most common passwords" (and probably even 100)....
Admin
Ok, so you do know the N in "PIN" means "number", right?
Admin
I honestly expected to hear a "WHOOSH" when reading that comment.
Admin
The reality is, though, that minimum password lengths, and hell, even divulging the length of your password, do not materially weaken the security. If I tell you my password is 14 characters long, yes, you save some time not having to compute hashes for lengths 1-13, but the number of hashes you will need to brute the entire 14 char keyspace is bigger than 1-13 combined anyway.
Admin
As usual, TRWTF is the commentators, especially ones who think that hashing a password with any form of SHA is a Good Idea™.
Go learn you some education: http://codahale.com/how-to-safely-store-a-password/
(I had this with nice URL linking and everything, but Akismet in its great wisdom decided it didn't like it)
Admin
Never trust someone to properly block 11 and -also- properly block 111*, *111, and 1111.
Admin
If they haven't blocked 111*, *111, or 1111, how can they have properly blocked 11?
Admin
No, you have to binary search it; 12 6 9 8
Admin
Remembering all of them is a PITA arse.
Admin
That's one of those weird situations they've done studies on, and have proven that the only users that will take any steps to make sure the written passwords are protected to a sane degree are the ones who would already be secure with their password to begin with.
Admin
Foo O. Fooo, CEO Officer, Department of Redundancy Department
Admin
They only result in a weaker password than a random password generator would have chosen.
People pick memorable passwords, and the set of memorable symbols is small. By forcing people to add additional sets of symbols, you increase the overall complexity of the password.
Why not write them down? If someone can break into your office, they can install a keylogger on the system anyway.
Admin
All that fancy secret stuff you remember? That is just something you give to your browser to allow it to calculate your "real" password.
An attacker doesn't need to know the fancy secret stuff to log in as you. They only need the hash. Sure, they can't use the hash to figure out the fancy secret stuff, but they don't need that. When the server sends them the challenge, they use the hash to calculate the response, and send that back. So the hash is your real password, and your fancy secret stuff is just the easy password you give your computer to have it figure out your real password.
Oh, and it gets worse, now: your real password (the hash of the fancy stuff you're remembering) is stored in the clear on the server. No salting, no hashing, nothing. If I can see the stored hash, I can log in as you.
Congratulations, you've just learned the first rule of crypto: don't roll your own crypto. Even if you think you know what you're doing, you're probably wrong.
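The two designs argued over in the thread, side by side, as an added example that is not code from the original post or from any commenter. Scheme A is the client-side-hash challenge/response described above: the server stores H(password) unsalted and unhashed, so anyone holding a copy of the database can answer the challenge without ever knowing the password. Scheme B is the alternative raised later in the thread: the password itself travels over TLS (simulated here by a direct call) and the server stores only a salt plus a slow hash. The PBKDF2 iteration count and the use of HMAC-SHA256 as the response function are assumptions chosen for this demo.

```python
# Added example, not from the original post. Scheme A: client-hash
# challenge/response where the stored hash IS the credential (pass-the-hash).
# Scheme B: password over TLS, server keeps salt + slow hash.
import hashlib
import hmac
import os

# ---------- Scheme A: the flawed challenge/response from the thread ----------

def a_client_secret(password: str) -> bytes:
    """What the browser derives from the 'fancy secret stuff' you remember."""
    return hashlib.sha256(password.encode()).digest()


def a_register(db: dict, user: str, password: str) -> None:
    # Stored in the clear: no salt, no further hashing.
    db[user] = a_client_secret(password)


def a_challenge() -> bytes:
    return os.urandom(16)


def a_response(client_secret: bytes, challenge: bytes) -> bytes:
    # Assumption: HMAC-SHA256 is the response function in this demo.
    return hmac.new(client_secret, challenge, hashlib.sha256).digest()


def a_verify(db: dict, user: str, challenge: bytes, response: bytes) -> bool:
    expected = hmac.new(db[user], challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def a_attacker_logs_in(stolen_db: dict, user: str) -> bool:
    """Attacker holding a dump of the table: the stored value is the
    client secret, so the challenge is answered without the password."""
    challenge = a_challenge()
    forged = a_response(stolen_db[user], challenge)
    return a_verify(stolen_db, user, challenge, forged)


# ---------- Scheme B: password over TLS, salted slow hash server-side ----------

ITERATIONS = 50_000  # assumption: kept modest so the demo runs quickly


def b_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def b_register(db: dict, user: str, password: str) -> None:
    salt = os.urandom(16)
    db[user] = (salt, b_hash(password, salt))


def b_verify(db: dict, user: str, password: str) -> bool:
    """Server side of a login: receives the password (over TLS) and
    recomputes the salted hash."""
    salt, stored = db[user]
    return hmac.compare_digest(stored, b_hash(password, salt))


def b_attacker_logs_in(stolen_db: dict, user: str) -> bool:
    """Attacker with the dump has salt + hash, but the verifier wants the
    password. Replaying the hash as the 'password' does not match."""
    salt, stored = stolen_db[user]
    return b_verify(stolen_db, user, stored.hex())


if __name__ == "__main__":
    db_a, db_b = {}, {}
    a_register(db_a, "alice", "correct horse")
    b_register(db_b, "alice", "correct horse")
    print("A: attacker with DB dump logs in:", a_attacker_logs_in(dict(db_a), "alice"))
    print("B: attacker with DB dump logs in:", b_attacker_logs_in(dict(db_b), "alice"))
```

In Scheme B the attacker's only remaining option is to crack the slow hash offline, which is exactly what the salt and the iteration count are there to make expensive; in Scheme A no cracking is needed at all.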
Admin
and I've locked up the T-bones so the meatspace burglar can't get them.
Admin
Many, many websites and services truncate passwords when you set them but do not truncate them when you try to use them. On the same system. Made by the same people. It's gotten to the point where I've encountered this often enough that if my password fails after two attempts I just start clipping characters off the end until it works.
Admin
I'm starting to think a lot of people are going around with boogie board bags full of hash......
Admin
One more, just for fun:
https://www.grc.com/haystack.htm
Admin
So, with DES?
Admin
Excellent point sir. But then, how should it be done?
If the database stores the salt and hashed salted password, and the connection is over HTTPS, the client would need to send the password without any hashing and have the server validate using the salt and hashed salted password.
Or was that the whole point, that the outlined Challenge system is fundamentally flawed against database breaches in terms of preventing masquerading?
I'm looking at it from the point of defense in depth. If HTTPS is somehow broken or bypassed, the challenge system ensures that the password is still not in the clear, at the cost of the weakness you noted?
Admin
(Sorry for the double post... it didn't get quoted in the first one)
Admin
I have my salt wife, thank you very much.
Admin
Another useful link http://nakedsecurity.sophos.com/2013/11/20/serious-security-how-to-store-your-users-passwords-safely/
Admin
Don't forget that you have only THREE tries to crack that pin before the pin card is locked.
Not so "trivial" anymore, huh?
Admin
Joke's on you, I have a CRT tube.
CAPTCHA: odio. CRTs certainly are odious.
Admin
chubertdev, quoting flabdablet: "are you really complaining that a free service won't let you use it if you block their ads?"
No, but maybe they could just tell you that instead of making you sit there for an hour trying to figure out why you can't reset your own password.
Admin
I assume you don't use any of Microsoft's services then? Your MSN/Live/etc account passwords are truncated to 16 (or 12?) characters. That was a fun one to debug when I used to have a long password and all official logins, such as via MSN Messenger, worked fine (they truncate before sending) but all third-party apps, such as Pidgin, were complaining about my password being wrong. These days the Live website at least warns you about it if you try to sign in with a long password (it still lets you sign up with one though).
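The bug described in the two comments above (truncate on set, not on check) reproduced and then fixed, as an added example that is not code from the original post or from any of the services mentioned. The 16-character limit, the PBKDF2 parameters and the helper names are assumptions for this demo.

```python
# Added example, not from the original post: a password store that silently
# truncates at enrollment but compares the full string at login, next to a
# version that applies one rule at both ends and refuses oversize input.
import hashlib
import hmac
import os

MAX_LEN = 16          # assumption: the silent limit, as in the Origin/Live stories
ITERATIONS = 10_000   # assumption: kept low so the demo runs quickly


def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)


# ---- Buggy pair: the setter truncates, the checker does not ----

def buggy_set(db: dict, user: str, pw: str) -> None:
    salt = os.urandom(16)
    db[user] = (salt, _hash(pw[:MAX_LEN], salt))   # silently cut to 16


def buggy_check(db: dict, user: str, pw: str) -> bool:
    salt, stored = db[user]
    return hmac.compare_digest(stored, _hash(pw, salt))  # full string compared


def clip_until_it_works(db: dict, user: str, pw: str):
    """The diagnostic from the comment: drop characters off the end until
    login succeeds. Returns the length that worked, or None."""
    for n in range(len(pw), 0, -1):
        if buggy_check(db, user, pw[:n]):
            return n
    return None


# ---- Fixed pair: one shared rule, and an explicit rejection instead of a cut ----

class PasswordTooLong(ValueError):
    pass


def normalise(pw: str) -> str:
    """Single place that enforces the limit; both set and check go through it."""
    if len(pw) > MAX_LEN:
        raise PasswordTooLong(f"passwords are limited to {MAX_LEN} characters")
    return pw


def fixed_set(db: dict, user: str, pw: str) -> None:
    pw = normalise(pw)            # tell the user at enrollment, do not truncate
    salt = os.urandom(16)
    db[user] = (salt, _hash(pw, salt))


def fixed_check(db: dict, user: str, pw: str) -> bool:
    try:
        pw = normalise(pw)        # same rule: nothing longer could have been stored
    except PasswordTooLong:
        return False
    salt, stored = db[user]
    return hmac.compare_digest(stored, _hash(pw, salt))


if __name__ == "__main__":
    db = {}
    long_pw = "correct-horse-battery-staple"   # 28 characters
    buggy_set(db, "u", long_pw)
    print("full password accepted:", buggy_check(db, "u", long_pw))
    print("works after clipping to:", clip_until_it_works(db, "u", long_pw))
```

The real fix is to drop the limit entirely where the hash function allows it; where it does not (bcrypt, for instance, only uses the first 72 bytes of its input), the limit must be enforced identically on both paths and surfaced to the user rather than applied silently.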
Admin
Only for online ATMs. Offline ones (e.g. those in foreign banks/countries, only transmitting once per day or every few hours what you did) just store the number of tries on the card. Older ones only on the magnetic stripe. Which can easily be reset...
Admin
Here? No chance.
Admin
Chance would be a fine thing. My university has the following requirements for passwords:
- Exactly 8 characters long.
- At least three types of characters (uppercase, lowercase, numbers, symbols) but NOT the following symbols £ : | \ ~ @
- Passwords cannot start with whitespace or "
And no, I'm not changing university no matter how stupid the password requirements.
Admin
It's not a proof, but here are the numbers of 14-character passwords as well as 1-13 character passwords for both a 62-character alphabet (alphanum) and an 85-character alphabet:
For both, the number of 14 character passwords is two orders of magnitude higher than the number of 1-through-13 character passwords.
Yep, like that.
Admin
Theoretically you could have the client hash the password and the server salt&hash that hash, but that doesn't buy much.