Admin
Sorry, just had to do this... [image]
Sadly, this over-compensating-defeats-the-object isn't uncommon in corporate and even small businesses.
Admin
. . . because everyone knows that passwords longer than 12 characters are easier to guess.
Admin
So the password has to be at least 8 characters, and must be over 6 characters long. Got it.
Admin
They can still do better:
http://www.dilbert.com/strips/comic/2005-09-10/
Admin
Adding exclamation marks to the end of each requirement makes them much more exciting than normal requirements. [Must not contain your username!]
Admin
Yeah, between 8 and 12 chars, with no more than 8 letters, no more than 8 digits, no special character, no repeating character.
That makes for an EASY AS HELL password to crack.
Admin
"be at least 6 characters long, contain 3/4 of uppercase, lowercase, digits and punctuation marks"
Does this mean a password must be 75% upper case, 75% lowercase, 75% digits, and 75% punctuation?
Or does it mean that the 75% of the password must be one of [uppercase, lowercase, digit, or punctuation]?
Admin
These rules should be in Comic Sans.
Admin
(continued ... see next post)
"and may not contain your user name or any part of your full name."
Oh. So if my name is James Q. Smithers, the letters [list of letters deleted] are disallowed? That's good, I like that. My buddy Charles "Zippy" Quanstrom-Peebles likes it a lot, too.
Admin
When I was working on a project for a major government agency, we were in a meeting with the client when she needed her latest password (they had very stringent password rules); she pulled up her calendar, navigated to a certain date and pulled out her password.
I was floored. She had this password stored in a public calendar (at least within her organization) and in plain text.
This is the problem with creating really stringent password rules: people can't remember them and write them down in tremendously insecure ways.
Rule of security vs. usability
secure <------------------------------------------> usable
You can't have both; the more secure it gets, the less usable it gets, and the more usable you make it (think Microsoft adding scripting to email), the less secure it gets.
Admin
Or even http://www.dilbert.com/fast/2011-04-28/.
But that would be spamming, so I'm going to complain a bit here.
Admin
Notes to self while trying to post a simple comment:
*** I don't know why this post might be considered spam. Any guesses? Is "Quanstrom-Peebles" some sort of slang I don't know about? Will this note fix it?
*** No, that didn't do it. Maybe I should put in a link to some dodgy erection-peddler, just to see if that helps?
*** Okay, copy the comment text into a new comment, let's see if that does it.
*** No. What if I take out the quote markup?
*** different name?
*** Maybe akismet is just on the rag today.
*** AH! It's the list of the letters in "James Q. Smithers" that it doesn't like!
Admin
You did check the other requirements, didn't you?
I'd like to see this captured in a regex...
Admin
I think I figured it out. If no password is valid, then nobody can hack into the system. They get 100% system security, at the low cost of 0% system usage. A security analyst's dream come true.
CAPTCHA: facilisi (not a valid password)
Admin
First I read this as my password must be three quarters uppercase, three quarters lowercase, three quarters digits and three quarters punctuation (that's 12 quarters for those keeping count).
Then I realized it must mean contains 3 or 4 uppercase, 3 or 4 lowercase, 3 or 4 digits and 3 or 4 punctuation. Of course to follow that rule, your password must be at least 12 characters, so the "must be at least 6 characters" is redundant. Also the punctuation part is difficult when they've already explicitly forbidden several marks.
Admin
I'm sorry, that is not a valid FRIST, as it doesn't contain lower-case letters or digits!
Please change your FRIST as soon as possible, or your FRIST privileges will be locked out!
Thank you!
Admin
Also, more rules stating what your password can't be = less entropy = less secure.
Admin
OK, seriously, where is the WTF? Other than the restrictions on symbols and max. length, I've had numerous (memorized) passwords over the years that would satisfy these requirements.
Admin
abcdEFGH
maybe?
Admin
With all those rules an attacker would have an easy task at hand.
Everything is so restricted that the password space should probably be reduced to something corresponding to 6 characters or so.
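To put a number on how much the rule set quoted earlier in the thread (8 to 12 characters, at most 8 letters, at most 8 digits, no special characters, no repeating character) shrinks the search space, here is an added example that is not part of the original thread; it assumes "no repeating character" means no character may appear twice anywhere in the password, treats letters as case-sensitive, and does not model the 3-of-4 character-class rule.

```python
import math
from math import comb, perm


# Rule set quoted in the thread, as read here (assumption: "no repeating
# character" means no character appears twice anywhere in the password).
# Letters are case-sensitive, so 52 distinct letters plus 10 digits.
def count_restricted(min_len=8, max_len=12, letters=52, digits=10,
                     max_letters=8, max_digits=8):
    """Passwords with length in [min_len, max_len], letters and digits only,
    at most max_letters letters, at most max_digits digits, no character reused."""
    total = 0
    for n in range(min_len, max_len + 1):
        for k in range(n + 1):          # k letters, n - k digits
            d = n - k
            if k > max_letters or d > max_digits:
                continue
            # choose the letter positions, then fill them and the digit slots
            # without reusing any character (perm() is 0 when k > letters)
            total += comb(n, k) * perm(letters, k) * perm(digits, d)
    return total


def count_unrestricted(min_len=8, max_len=12, alphabet=95):
    """Same length band over the 95 printable ASCII characters, no other rules."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def bits(count):
    """Search-space size expressed as bits of entropy (log2)."""
    return math.log2(count) if count > 0 else 0.0


def compare():
    """Return (restricted bits, unrestricted bits, bits lost to the rules)."""
    r, u = bits(count_restricted()), bits(count_unrestricted())
    return r, u, u - r


if __name__ == "__main__":
    r, u, lost = compare()
    print(f"rules as quoted: {r:.1f} bits; unrestricted 8-12 chars: {u:.1f} bits; "
          f"lost: {lost:.1f} bits (~{lost / math.log2(95):.1f} printable characters)")
```

The small-alphabet parameters exist so the counting can be checked by hand; the defaults reproduce the thread's rule set.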
Admin
Or, more likely, they mean you must use at least 3 of the 4 character classes (uppercase, lowercase, digits, punctuation)
Admin
We had a similar policy that was implemented at a former employer of mine. Actually, it was more asinine. The original policy mandated passwords be 7 characters long, but changed every 3 months. The CFO didn't like changing his password so often. A compromise was struck and users only had to change passwords every 3 months. However, all passwords must be at least 14 characters long. It all made sense, since 6/3 = 14/7...
The result, of course, was most users had their passwords written somewhere within 2 feet (61 cm) of their computers. Our director of IT decided to have a crackdown and started threatening to make examples of people who wrote down their passwords. The IT director wasn't a total ogre, however, and actually had a pragmatic workaround: anyone who had trouble remembering the long passwords should just use their old 7 character password typed twice.
Admin
One of the hospitals around here had a complex password rule, with a "do not reuse passwords that were used before, for the last X amount of time" rule added in.
This caused a lot of post-it notes on monitors.
Admin
Upper, lower, digits, punctuation are 4 different classes of characters. Your password must contain characters from 3 out of 4 classes.
Admin
I don't think the problem is so much being able to remember your password as trying to find a valid one in the first place. I can see it now:
Admin
We don't even have that luxury at work. You can't imagine how many passwords end up having a pair of repeating characters.
Plus, TRWTF is having a cap on password length. Is there a reason for that? Do longer password hashes take more space than normal ones?
Admin
I think this might have been a former client of mine. I remember having to change my password and having some full-page list of crazy-ass requirements, some of which were redundant ("must be at least 8 characters" then further down the page "must be at least 6 characters").
I'm guessing the way they come up with this list is every time they hear of a potential risk or breach (such as passwords written on post-its) they get IT managers in a room to review the list to figure out what they're doing wrong, and what rule they can add to the list to quick-fix it.
Admin
That is a bit excessive.
Admin
Speaking of such things, is there any real reason to suppose that changing passwords every N days increases security? Wouldn't it make more sense to just require a sufficiently complex and long password and leave it at that? I think just about anyone could memorize a truly random 14-character password if they had to type it every day, but if you have to change it once a month then you have to come up with algorithms for generating "unguessable" passwords. These include things like regular substitutions, which become well known (i.e., @ for a, 1 for i or l, and so forth), and the purpose is successfully defeated.
Admin
The real WTF is the validation code they'll use to enforce that policy...
Admin
In other words, the excuse for a cap on password length could just be outright laziness.
Admin
My company doesn't let you use any of the last five passwords. So I have a post-it in my drawer that has the last five passwords on it. I figure if the hacker has access to my desk, he deserves access to my PC.
Admin
Still searching for that elusive tipping point where the rules become so stringent that the typical user will only be able to think of one or two passwords that the system will accept.
At which point you find that three quarters of your user population are using the same password.
Admin
FTFY
Admin
Hmm. Aside from that last requirement my password would work if I trimmed some characters off the end...
Is that good or bad?
Admin
With this many restrictions, wouldn't it be easier to just circulate a whitelist of passwords that will pass the rules?
Admin
HA!
Admin
My second conjecture is that a regular expression was being used. The length between 8-12 characters was so that the regular expression would not get too big (the writer was not good at regular expressions, which is indicated by not allowing characters that are regex-special characters).
Admin
Oh yeah, I do see that last one happening somewhere in the next 10 years.
Admin
Worse than that, all these rules actually make the passwords less secure.
One of the rules I don't ever get is why you would restrict a password in length. A minimum number of characters I understand, but a maximum? Where's the reasoning behind that?
The same goes for "leading character must be a letter"? Why can't it be a number? Why are characters forbidden? You're actually reducing the number of possible passwords here.
Admin
Don't forget this one: your password can't contain any sequence of 3 adjacent letters on a qwerty keyboard. No asdf, no zxc.
Admin
TRWTF is the guy in charge of the CAPTCHAs making fun of other people's security methods.
Admin
Ironic... I just compared passwords I use (from memory) for a number of secure systems, and over 90% of them met the requirements [1 out of 17 failed].
This is on various systems that do not have overly complex rules... guess it speaks volumes about my state of mind <eek!>
Admin
I've heard a great alternative to locking passwords after the "maximum attempts" is to put delays on that account. After n failed attempts, the next n tries each take 10 seconds to submit, then the next n tries each take 30 seconds to submit, after that it takes 1 minute to submit every time.
Brute force attacks take a lot longer to search the password space, making them virtually useless.
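The escalating-delay scheme described in the comment above, as an added example that is not part of the original thread: the class name, the tier sizes and the injectable sleeper are assumptions, and the real credential check is assumed to happen elsewhere and be passed in as a boolean.

```python
import time
from collections import defaultdict


class LoginThrottle:
    """Escalating per-account delay instead of a hard lockout: the first n
    failures cost nothing, the next n cost 10 s each, the next n 30 s each,
    and every attempt after that 60 s. Names and defaults are assumptions."""

    def __init__(self, n=3, tier_delays=(0, 10, 30), final_delay=60,
                 sleeper=time.sleep):
        self.n = n
        self.tier_delays = tier_delays
        self.final_delay = final_delay
        self.sleeper = sleeper            # injectable so tests need not sleep
        self.failures = defaultdict(int)  # consecutive failures per account

    def delay_for(self, account):
        """Seconds the next attempt on this account will be held."""
        tier = self.failures[account] // self.n
        if tier < len(self.tier_delays):
            return self.tier_delays[tier]
        return self.final_delay

    def attempt(self, account, credential_ok):
        """Hold the attempt for the current delay, then record its outcome.
        credential_ok is the result of the real verifier (checked elsewhere).
        Returns (delay applied, credential_ok)."""
        delay = self.delay_for(account)
        if delay:
            self.sleeper(delay)
        if credential_ok:
            self.failures.pop(account, None)  # success resets the counter
        else:
            self.failures[account] += 1
        return delay, credential_ok


if __name__ == "__main__":
    # constructed demo: print the delay instead of actually sleeping
    throttle = LoginThrottle(n=3, sleeper=lambda s: print(f"  held {s}s"))
    for i in range(11):
        delay, _ = throttle.attempt("alice", credential_ok=(i == 10))
        print(f"attempt {i + 1}: delay {delay}s")
```

Because the counter is keyed by account, anyone who knows a username can slow that user's logins, so in practice this is paired with per-source limits and the counter is reset on success as shown.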
Admin
You're contradicting yourself here. Think about it. If you increase the security requirements in such a way as to reduce the usability of the system, you're actually decreasing the actual security of the system, because users respond to the lack of usability with tremendously insecure work-arounds to the dysfunctional system.
The best security is also very usable. Two factor authentication is quite easy to use when done well. Swipe your smart card, run the fingerprint scanner, etc. and also type in your passphrase with no limits other than a minimum 10 characters, full sentences encouraged.