Admin
Well, if the office space is secure in itself and the place to log in to is a publicly reachable site, a complex password on a post-it can be better than an easily remembered and possibly easily guessed or brute-forced one.
At least as long as you do not protect yourself against co-workers.
Admin
I once worked at a company whose password policy, as best I remember it, was:
The dictionary lookup was very thorough. Too thorough. As a result, no password could contain (in either case) the letters A or I, since those were, of course, in the lookup dictionary. I rapidly concluded that vowels simply weren't worth my time. Although passwords were case sensitive (and had required mixed-case), the dictionary check was NOT -- so no thinking that "dUmB" was a valid substring.
The secret substring blacklist wasn't any better. As far as I could ever determine, it included every alphabetically ordered three letter series, regardless of case (so no "FGH" or "PQR") and every three letter numerical series (no "123" or "789"). Also, sometimes, passwords would fail even if they should have been valid, so the blacklist clearly had some other nonsense on it.
Probably already at Security by Post-It levels, the character-position non-reuse rule is what made it a likely violation of the Geneva Convention (with the 45 day expiration timer not helping at all). The story was that originally there was a standard "cannot repeat previous passwords" rule, but the security psychos realized people were just iterating a number at the end of their password. They concluded that was a security risk, because ninja death hackers would be smart enough to conclude that any compromised password was part of a sequence and thus obtain the current password, wreaking havoc and ending civilization. Their solution is just as horrid as it sounds. If you had a password with R as the second character, then for the next 16 passwords, the second character couldn't be R. Every character had to be novel, every time.
The character-position system was also buggy. It was fine with passwords that were less than the maximum length ... sort of. If you always used a constant password length, you never saw the bug. But if you ever once created a password longer than your longest previous password, that became your new minimum length, because the matching code was clearly a WTF all by itself.
And finally, note that the system wouldn't tell you why a password request failed (after the 5-10 minute "testing password" phase), just that it was invalid due to a "Rules Exception". Had you stumbled on some secret blacklisted character sequence? Had you accidentally repeated the 14th character of the password you used 9 months ago? Did you discover some Welsh-originated horror lurking in the lookup dictionary ("cwm", for example; it was a pretty good dictionary)? No way to know! Just pound on the keyboard like a monkey and try again!
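The rules the post above describes (case-insensitive dictionary substrings, ascending three-character runs, and character-position non-reuse against the last 16 passwords) are concrete enough to implement. The validator below is an added example, not the company's code; its toy dictionary, the history depth and every candidate and history entry are constructed for illustration. It also does the one thing the post's system refused to do: it reports which rule was violated.

```python
"""Validator for the policy described in the post above.  This is an added
example, not the company's code: the dictionary, the history depth and every
input below are constructed for illustration."""
import string
from typing import List, Optional, Tuple

HISTORY_DEPTH = 16                     # the post: the previous 16 passwords

# Constructed toy dictionary; the post's real one was large enough to contain
# single letters ("a", "i") and Welsh words ("cwm").
DICTIONARY = {"a", "i", "cwm", "dumb", "password", "the"}


def has_dictionary_substring(pw: str, dictionary=DICTIONARY) -> Optional[str]:
    """Case-insensitive substring check, as in the post (so 'dUmB' still fails).
    Shortest word first so the report is deterministic."""
    low = pw.lower()
    for word in sorted(dictionary, key=lambda w: (len(w), w)):
        if word in low:
            return word
    return None


def has_sequence_triple(pw: str) -> Optional[str]:
    """Any three consecutive characters forming an ascending run of letters
    (case ignored) or of digits: 'fgh', 'PQR', '123', '789'."""
    low = pw.lower()
    for i in range(len(low) - 2):
        a, b, c = low[i], low[i + 1], low[i + 2]
        same_class = (a.isalpha() and b.isalpha() and c.isalpha()) or \
                     (a.isdigit() and b.isdigit() and c.isdigit())
        if same_class and ord(b) == ord(a) + 1 and ord(c) == ord(b) + 1:
            return pw[i:i + 3]
    return None


def position_reuse(pw: str, history: List[str]) -> Optional[Tuple[int, str]]:
    """Character-position non-reuse: each character must differ from the one
    in the same position of every password in the recent history.  Only
    positions both strings have are compared; the post's system got this
    wrong and turned the longest old password into a minimum length."""
    for old in history[-HISTORY_DEPTH:]:
        for i, (new_ch, old_ch) in enumerate(zip(pw, old)):
            if new_ch == old_ch:
                return i, old
    return None


def validate(pw: str, history: List[str]) -> List[str]:
    """Return every violated rule (empty list means accepted).  Unlike the
    post's 'Rules Exception', the caller learns *why* a candidate failed."""
    problems = []
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("mixed case required")
    word = has_dictionary_substring(pw)
    if word:
        problems.append(f"contains dictionary word {word!r}")
    seq = has_sequence_triple(pw)
    if seq:
        problems.append(f"contains sequence {seq!r}")
    hit = position_reuse(pw, history)
    if hit:
        problems.append(f"position {hit[0]} reuses a character of {hit[1]!r}")
    return problems


if __name__ == "__main__":
    previous = ["Xq9!Rv2#", "Mk7@Tz4$"]            # constructed history
    for candidate in ["dUmB!x9Q", "Kw3#FGH9", "Xz8%Yt5&", "Qw3#Yt5&"]:
        print(candidate, validate(candidate, previous) or "accepted")
```

Of the four constructed candidates only the last survives: the first contains "dumb" despite its mixed case, the second contains "FGH", and the third reuses "X" in position 0 from a password in the history.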
Admin
I hate it when I see password rules say no words in the dictionary, but they don't rule out the common leet substitutions. I assume a dictionary attacker would have all those in their attack, eg, "d[i1]c[t7][i1][o0]n[a@]ry". Why don't any of those spiffy password creations guidelines ever mention that?
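The pattern in the comment above, "d[i1]c[t7][i1][o0]n[a@]ry", is exactly what a rule-based cracker generates from a wordlist. The defender-side counterpart is to try every plain-letter reading of a candidate before looking it up. The code below is an added example, not code from the page: the substitution table beyond the comment's own four substitutions and the wordlist are assumptions, and it shows a naive lowercase check beside the leet-aware one.

```python
"""Added example (not code from the page): a dictionary check that sees through
common 'leet' substitutions, the gap the comment above points out.  The
substitution table beyond the comment's own "d[i1]c[t7][i1][o0]n[a@]ry" and the
wordlist are assumptions."""
import itertools
from typing import Iterable, Iterator, Optional

# Each leet character may stand for any of the listed letters; '1' is
# ambiguous between i and l, so both readings are tried.
LEET = {"1": "il", "!": "i", "7": "t", "0": "o", "@": "a", "4": "a",
        "3": "e", "$": "s", "5": "s", "|": "l"}


def normalizations(pw: str, max_variants: int = 4096) -> Iterator[str]:
    """Yield every plain-letter reading of pw: 'd1ct10n@ry' expands to 36
    strings, one of which is 'dictionary'.  The original character is always
    kept as one option so ordinary digits stay digits."""
    choices = []
    for ch in pw.lower():
        opts = {ch}
        opts.update(LEET.get(ch, ""))
        choices.append(sorted(opts))
    total = 1
    for opts in choices:
        total *= len(opts)
    if total > max_variants:              # bound the expansion for long inputs
        raise ValueError(f"{total} readings exceeds max_variants")
    for combo in itertools.product(*choices):
        yield "".join(combo)


def naive_hit(pw: str, dictionary: Iterable[str]) -> Optional[str]:
    """What the comment's policy does: lowercase substring match only."""
    low = pw.lower()
    return next((w for w in sorted(dictionary) if w in low), None)


def leet_aware_hit(pw: str, dictionary: Iterable[str],
                   min_len: int = 4) -> Optional[str]:
    """Return the first dictionary word (length >= min_len) that appears as a
    substring of any reading of pw, or None."""
    words = sorted(w for w in dictionary if len(w) >= min_len)
    for variant in normalizations(pw):
        for w in words:
            if w in variant:
                return w
    return None


if __name__ == "__main__":
    WORDS = {"dictionary", "password", "secret"}        # constructed wordlist
    for pw in ["d1ct10n@ry", "P@$$w0rd!", "Xq9!Rv2#"]:
        print(pw, "naive:", naive_hit(pw, WORDS),
              "leet-aware:", leet_aware_hit(pw, WORDS))
```

Expanding the candidate rather than the wordlist keeps the cost on the defender proportional to the number of leet characters in one password (36 readings for "d1ct10n@ry"), instead of multiplying the whole dictionary.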
Admin
Believe it or not, there are reasons to enforce a particular password length. Or, more accurately, there have been in the past.
Earlier versions of Windows (particularly in the days before NTLM) split the password into two hashes each containing 7 characters - meaning you couldn't have a password with more than 14 characters. (You were also ill-advised to have too few characters in either half - so the optimum password would be either 7 or 14 characters long).
I wouldn't be too surprised if similar eccentricities have existed in all sorts of password hashing algorithms in popular use over the years - I'd guess that some manager in the dim and distant past invented this rule because it seemed to make sense at the time, and it's never been reviewed since.
The rest of those rules are just absurd. If anyone is in a position to try out a dictionary attack (and if your systems are susceptible to such an attack, you have far bigger issues than password regulation), you're essentially saying to them "Okay, that dictionary you're going to use for your attack? You can rule out many of the possible passwords because they don't meet the rules."
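The 7/14 split the comment above refers to is the LAN Manager (LM) hash: the password is upper-cased, padded or truncated to 14 bytes, cut into two 7-byte halves, and each half is used as a DES key. The code below is an added example written from the publicly documented scheme, not from the page; it performs only the key preparation (the DES encryption of the constant block is omitted because it needs a DES implementation), and the 69-character charset in the keyspace comparison is an assumed count.

```python
"""Added example of why a 7/14-character limit existed: the pre-processing of
the LAN Manager (LM) hash, written here from the publicly documented scheme,
not taken from the page.  The final step, DES-encrypting a constant block with
each half as the key, is left out because it needs a DES implementation; the
key preparation alone shows the weakness.  Character-set sizes are assumptions."""
from typing import Tuple


def lm_halves(password: str) -> Tuple[bytes, bytes]:
    """Upper-case, encode (ASCII assumed), truncate to 14 bytes, pad with NULs,
    and split into two 7-byte halves that are hashed independently."""
    raw = password.upper().encode("ascii", "replace")[:14].ljust(14, b"\x00")
    return raw[:7], raw[7:]


def des_key_from_7_bytes(key7: bytes) -> bytes:
    """Expand 56 key bits into an 8-byte DES key: 7 bits per byte, low bit odd parity."""
    if len(key7) != 7:
        raise ValueError("need exactly 7 bytes")
    bits = int.from_bytes(key7, "big")
    out = bytearray()
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F
        parity = (bin(seven).count("1") + 1) % 2     # make total bit count odd
        out.append((seven << 1) | parity)
    return bytes(out)


def second_half_is_constant(password: str) -> bool:
    """With 7 or fewer characters the second half is all NULs, so its hash is
    a fixed, well-known value: the hash alone reveals that the password is short."""
    return lm_halves(password)[1] == b"\x00" * 7


def worst_case_guesses(charset: int = 69) -> Tuple[int, int]:
    """Guesses for a full 14-character search versus the two independent 7-char
    halves an LM attacker actually runs (69 = upper-case letters, digits and
    punctuation, an assumed count)."""
    return charset ** 14, 2 * charset ** 7


if __name__ == "__main__":
    for pw in ["secret", "Password1", "CorrectHorseBatteryStaple"]:
        a, b = lm_halves(pw)
        print(f"{pw!r}: {a!r} | {b!r}  short={second_half_is_constant(pw)}")
    print(des_key_from_7_bytes(b"PASSWOR").hex())
    print("14-char vs 2x7:", worst_case_guesses())
```

Three properties fall out directly: "password" and "PASSWORD" produce identical input, a 25-character password is silently cut to 14, and the two halves can be attacked separately, so the effective work is twice a 7-character search rather than one 14-character search.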
Admin
The primary reason for resetting passwords regularly isn't to try and make it more difficult to crack (i.e. to change it halfway through someone's brute force), it is so that if the password is cracked, the problem will only exist until the next reset.
Resetting a password regularly without sufficient complexity is of limited use, as is having a complex password with no resets.
Admin
Plus, you'll just want to store your password in plain-text on the hard-drive, and HTH are you going to access it?
Admin
I have no idea what kind of warped mind comes to that conclusion from that rule as written.
Admin
That's my question - does a cracker return to a cracked password? Or do they just do their thing and go?
Serious question, I really don't know much about typical cracker behavior (insert white people joke here). My naive supposition would be that you would assume a cracked password would be detected, and to return to it would be setting yourself up, but maybe that's not the case.
Any leet warez verdorz here want to clue me in?
Admin
Gee, the valid solution set might be smaller than the invalid.
Admin
Ah, I see TRWTF, they should have also asked users the security question of "what's your favorite book". That way users could automatically reset their passwords if they forget them.
Fixed!
Admin
Or in other words, Muphry right back at ya buddy.
Admin
Ok, the set of rules suggests that the password is stored in clear/plain text and/or the SQL is not guarded against SQL injection.
captcha: decet. How nice. :)
Admin
Eh...
I'd take a sheet of paper over Lastpass or PasswordSafe any day
Admin
I was unfamiliar, but I'm not convinced it was so clearly. The only thing in common between your example and my above suggestion was "choosing a password from a list", which was arguably the least-WTFy aspect of my above suggestion.
Admin
That isn't exclamation. That's logical NOT! It's like a 12 yr old telling you something as if it's gospel then immediately saying "PSYCH"
So... [Must not contain your username... psyche(exclamation)]
Admin
ABCabc123. Are we secure yet?
Admin
Jam of the day - code to generate a password per the rules.
Admin
Make those a little more random (i.e., include some digits, capitals, and punctuation) and you'd actually have something reasonable.
TRWTF is expecting users to come up with something that meets security requirements and also seems memorable to them. Just give them a few options that meet security requirements, and let them regenerate the list until they see something they can work with. Humans are pretty good at recognizing "patterns" in random input, and computers are pretty good at giving humans random input to recognize patterns in. Why not play to the strengths of both?
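The "jam of the day" a few comments up and the suggestion above (offer the user a short list of compliant candidates and let them regenerate it) are a small generator. The code below is an added example, not from the page or any commenter: the rule set is an assumption (12 characters; at least one upper-case letter, lower-case letter, digit and punctuation mark; no ascending three-character run such as "ABC" or "123"), and candidates are drawn from the `secrets` module rather than `random`.

```python
"""Added example (not from the page) of the approach suggested above: generate
several candidates that already meet the requirements and let the user pick
one.  The rule set is an assumption: 12 characters with at least one upper-case
letter, lower-case letter, digit and punctuation mark, and no ascending
three-character run of letters or digits ('ABC', '123')."""
import secrets
import string
from typing import List

LENGTH = 12
PUNCT = "!@#$%^&*-_+=?"
ALPHABET = string.ascii_letters + string.digits + PUNCT
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, PUNCT)


def meets_rules(pw: str) -> bool:
    """True when pw satisfies the assumed policy above."""
    if len(pw) != LENGTH:
        return False
    if not all(any(c in cls for c in pw) for cls in CLASSES):
        return False
    low = pw.lower()
    for i in range(len(low) - 2):
        run = low[i:i + 3]
        if (run.isalpha() or run.isdigit()) and \
                ord(run[1]) == ord(run[0]) + 1 and ord(run[2]) == ord(run[1]) + 1:
            return False
    return True


def generate_candidates(n: int = 5, rng=secrets) -> List[str]:
    """Rejection-sample uniformly from ALPHABET until n candidates pass.
    rng needs a .choice(seq); secrets is the right source for real use,
    anything else is for testing only."""
    out: List[str] = []
    while len(out) < n:
        pw = "".join(rng.choice(ALPHABET) for _ in range(LENGTH))
        if meets_rules(pw):
            out.append(pw)
    return out


if __name__ == "__main__":
    print("Pick one, or run again for a fresh list:")
    for cand in generate_candidates():
        print(" ", cand)
```

Rejection sampling keeps the distribution uniform over the compliant set; building a password by forcing one character per class into fixed positions would not. With this alphabet roughly seven in ten draws pass, so the loop terminates quickly.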
Admin
ABC, easy as 123, It's like counting up to 3, Or simple as !@#
Admin
Either way, sounds like a great idea.
Admin
BOFH?
Do you have a lot of elevator and electrical "accidents" at your workplace?
Admin
That would depend entirely on the system which the password applies for.
If it was a bank account, then perhaps the hacker would drain the account and not come back.
If it was for membership to an adult website, maybe they would go back frequently.
etc
Admin
You work with hoodaticus too?!
Admin
Around here, we just call him the "chair sniffer"...
Admin
Actually I think this scheme would accept most of my passwords.
Unless their dictionary has incredibly obscure words I don't know of in it.
Admin
That's really a great idea. In fact, I'd like to see the code they actually used to verify the correctness of candidate passwords.
Not that I'd bet there are loads of bugs that allow all sorts of "insecure" passwords. I'm sure they implemented teh codez with l33t accuracy.
Admin
Probably copy-pasted from the shit-pile called Akismet...
Admin
Huh, if it weren't for that 12 character limit, one of my main passwords would work perfectly for this.
Admin
Of course, the biggest reason of all is probably because software uses no hashing method at all and simply stores the password in plaintext in a fixed-length column in their database.
Admin
But even better there's
http://dilbert.com/strips/comic/1998-04-06/
Squeal like a pig... :-)
Admin
These intrigue me
That rules out at minimum any of the vowels A, I and O. If you can't include two-letter combinations either am, do, em, en, go, he, etc., then we are going to have a really small set of possible pwds.
Admin
To compensate for BOFH-ish features like that (fortunately, options), at least VMS has a non-stupid intrusion system. A counter keeps track of failed logons, based on a configurable interval, so that three failed logons today and three tomorrow aren't treated the same as six within a minute. Even better, instead of locking out accounts like Windows (although that is still an option), the remote host is blocked. This prevents most DoS situations.
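The two properties the comment above credits to VMS, a failure counter that only counts attempts inside a configurable interval and a block on the remote host rather than the account, are easy to state as code. The tracker below is an added example, not VMS code: the threshold, interval, block duration, host addresses and timestamps are all constructed, and time is passed in explicitly so the behaviour can be checked without waiting.

```python
"""Added example (not VMS code) of the two properties the comment describes: a
failed-logon counter that only counts attempts inside a configurable interval,
and blocking the remote host rather than the target account.  Parameters and
sample events are constructed."""
from collections import defaultdict, deque
from typing import Deque, Dict


class IntrusionTracker:
    def __init__(self, threshold: int = 3, interval: float = 60.0,
                 block_for: float = 600.0):
        self.threshold = threshold          # failures inside the window
        self.interval = interval            # window length in seconds
        self.block_for = block_for          # how long a host stays blocked
        self.failures: Dict[str, Deque[float]] = defaultdict(deque)
        self.blocked_until: Dict[str, float] = {}

    def is_blocked(self, host: str, now: float) -> bool:
        until = self.blocked_until.get(host)
        if until is None:
            return False
        if now >= until:                    # block has expired
            del self.blocked_until[host]
            return False
        return True

    def record_failure(self, host: str, now: float) -> bool:
        """Add a failure, drop those older than the interval, and block the
        host if the threshold is reached.  Returns True on a new block."""
        window = self.failures[host]
        window.append(now)
        while window and now - window[0] > self.interval:
            window.popleft()                # three today and three tomorrow never add up
        if len(window) >= self.threshold:
            self.blocked_until[host] = now + self.block_for
            window.clear()
            return True
        return False

    def attempt(self, host: str, user: str, password_ok: bool, now: float) -> str:
        """Outcome of one logon attempt: 'blocked', 'ok' or 'failed'.
        The account itself is never locked, so the same user can still log in
        from a host that is not blocked."""
        if self.is_blocked(host, now):
            return "blocked"
        if password_ok:
            return "ok"
        self.record_failure(host, now)
        return "blocked" if self.is_blocked(host, now) else "failed"


if __name__ == "__main__":
    tr = IntrusionTracker(threshold=3, interval=60.0, block_for=600.0)
    # Constructed events: a burst from one host, a slow trickle from another,
    # and the legitimate user arriving from a third.
    for t in (0.0, 10.0, 20.0):
        print("10.0.0.5", tr.attempt("10.0.0.5", "alice", False, t))
    print("10.0.0.5 correct password:", tr.attempt("10.0.0.5", "alice", True, 30.0))
    print("192.0.2.7 correct password:", tr.attempt("192.0.2.7", "alice", True, 30.0))
    for t in (0.0, 86400.0, 172800.0):
        print("198.51.100.9", tr.attempt("198.51.100.9", "bob", False, t))
```

Keying the counter by source host is what defeats the account-lockout denial of service: an attacker hammering "alice" gets their own address blocked while alice logs in normally from elsewhere.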