Admin
Indeed:
Admin
My former employer had a set of rules for all passwords which included things like having to change the password every 3 months and not reusing the last n (I think it started at 3, eventually 5) passwords. This included not just the enterprise servers, but simple systems like the document store where the employee handbook and cafeteria menu were posted.
Fortunately, there was no minimum time between when you changed the password, so a quick run through my set of five passwords for trivial sites let me know what lunch would be.
Admin
Well this stupid idea in Windows has caused the current mess I have to deal with in UNIX.
It used to be that 8 characters was fine, then some idiot higher up found out about that problem in Windows and sent out a directive to change X in Windows, change Y in Windows, change Z in Windows, don't use the hash before NTLM, etc. And one of the list of 15 or so taskings in the directive was to force all passwords to be a minimum of 14 characters, at least 2 upper, 2 lower, 2 digits, 2 special, and change passwords every 30 days. Now since this last part didn't say for Windows only, it had to be applied to everything that took a password. Oh yeah, you can't use one you have used in the past year, and a bunch of other things. This policy is still in force today, all because of an old way that Windows hashed passwords.
Admin
With so many rules, some users may not have any valid password!
Admin
Yeah, one of my main passwords would also still fulfill these requirements, as long as you were willing to accept vowels other than 'e' and 'u'. Well, and only until they made me change it, of course. I'm happy that here, they may force you to change your work login password every so often, but don't force you to change it to something other than what it already just was.
Also, what exactly is the difference between requiring that a password not contain a dictionary word, and that it not contain an "exact dictionary word match"? They seem fairly equivalent.
Admin
Why should there be such a short MAXIMUM if there's such a MINIMUM? And why say "not THIS character"? Really.
Admin
A better requirement would use the word "shall" instead of "must". But the exclamation points are fine as-is.
Admin
Just as an FYI, >=6 characters and >=8 characters are not mutually exclusive.
captcha: tristique - we went to this place on main street that only sells triscuit crackers.
Admin
No need for that last line. "Your password must not have repeated characters" is nearly as useful. (very very nearly...)
Admin
(comment thread tl;dr) Almost all my current passwords satisfy all these requirements, and I remember them perfectly. Well, except those with the letter 'a', which is a dictionary word and thus may not be part of any password?
Admin
LOL! Adding all those extra constraints probably actually makes these passwords easier to crack by limiting the dictionary an attacker needs to traverse.
Admin
My favorite is the companies that refuse to let me use a secure password:
The sad thing is that I usually come up with ridiculously hard-to-guess passwords when not forced to follow some goofy set of rules.
When given the chance I do stupid crap like using alt codes in my password... I want to see someone try and hack that! Bet your rainbow tables don't cover 25-character passwords with upper/lowercase, numbers, symbols, and upper code page characters, script kiddie!
Admin
Qwerty00 Qwerty01 ...
Admin
You forgot the diagonals. No zse, cft, etc.
(Also, you cannot use etc)
Admin
Must not contain a dictionary word!
I hope "a", and "the" are not dictionary words!
Admin
This and some of the other requirements are likely there not to increase security, but because the system (or some subsystem) can't handle that.
Admin
Changing passwords every "n" days increases security by eliminating servers that somebody forgot to remove access from when someone left. A person has 6 weeks on average to hack. After that, all their passwords will be gone no matter what.
Admin
This list almost certainly was constructed by at least three different people.
The first 18 rules (the ones with exclamation points) were written by some low ranking weenie who thinks he is God's gift to cryptography, and therefore can easily think of all the things that make passwords insecure without consulting any references, which he probably doesn't know where to find anyway.
The next 13 rules were written by the poor schlub who was handed the first 18 and assigned the problem of implementing a filter. Unfamiliar with the writings of J. Zawinski, he decided to use a regular expression. Now he had two problems. So he wrote a second filter, to restrict the password candidates to only those that can be parsed by his first filter.
The last rule was added by the first weenie's PHB because he could not understand the existing list of rules and decided to encode his ignorance into a summary. He probably goes around telling everyone that his weenie always overcomplicates everything, and the last rule is the only one you really need because it includes all the others.
-Harrow.
Admin
They make the strongest passwords less secure, but only a fraction of people are using a completely random password. If you consider the system to be cracked when a few accounts are compromised, it's worthwhile to strengthen the weaker passwords at the expense of the stronger passwords.
If they require the leading character to be a letter, that suggests they're using some horrible, horrible way of storing the passwords.
I often use a password manager, and it generated one that had a space at the end. Since it had worked fine when I copied and pasted, I was going nuts trying to figure out why I couldn't type it in. (Probably ought to have filed a bug report...)
Admin
Our room is locked-down so the janitor doesn't steal computers. The only people allowed in are in my department.
Admin
Assuming they lock the accounts as well.
It also allows you to upgrade password storage, since you need a fresh password to calculate a new hash.
Admin
Since JavaScript doesn't have a built-in digest algorithm, most web apps do the hashing on the server side. Transmitting 2GB over TLS and then hashing it would be pretty intensive.
I don't know about Winders, but OS X has a simple command line pasteboard utility:
Or, for ultimate security...
Admin
You must be the only person who hasn't realized you can just change your password to something bogus five times and then reuse the last one.
Admin
After yesterday's email validation WTF, I'd love to see how these idiots validate passwords.
Admin
qnDrfsgvbm19-!._ nDrfsgvbm19-!._q Drfsgvbm19-!._qn rfsgvbm19-!._qnD ... _qnDrfsgvbm19-!.
Admin
Tenant "protection" laws make it very difficult / costly / time-consuming to evict them. So...
Pay "creepy guy" to move into a vacant apartment. Let CG indulge his "hobbies", such as running up and down the hallway in the middle of the night wearing his ski boots, playing his "Hooked on Polka" CDs all day long, cooking with Nam Pla / Padaek, and so on. Tenants spontaneously decide to move elsewhere.
Easy / inexpensive / efficient.
Admin
FTFY
Admin
Imagine... a couple years down the road when hackers get even more sophisticated and security managers get even more insane...
Attention All: Due to recent security breaches, all employees will be required to log in using a sample of their DNA. To ensure this cannot be cloned in any way and therefore compromise our security some restrictions will be placed on the DNA that can be used for system access. Specifically, every DNA sample must contain at least 5 each of capital, lowercase, and numeric chromosomes. In addition, your chromosomes cannot contain repeating values, your name, or two X chromosomes.
Thank you for your compliance.
Admin
Sorry, that doesn't work. Your name contains "er", so you can't have "er" in your password. Of course, if your real name doesn't include those letters then that may be ok.
Here is the smallest set of condensed rules I could come up with by eliminating redundant rules:
Your password:
Admin
Oh, that's nothing. Somebody here decided that we needed a different password for every domain or standalone server we log into. All these servers have somewhat random rules regarding password expiration, length, history, character set, etc. There are a few hundred servers here. Don't make me laugh with your post-it notes. They're good for one, maximum 4 passwords. We have an Excel template file that every new coworker just gets unofficially from us with all the servers listed, along with a "keep it password-protected" notice and a how-to. The system hasn't failed us yet.
Admin
If you exclude the rules involving username, this password ruleset reduces the keyspace by 92%, compared to a baseline of any combination of printable ASCII characters, 8 to 12 characters in length.
I calculated it statistically with the following program:
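The commenter's program is not on the page; as an added example (not the commenter's code), here is an exact count, rather than a statistical estimate, of how much of a printable-ASCII keyspace a composition policy throws away. It serves both this comment and the earlier point that extra constraints shrink what an attacker has to search. Assumptions: printable ASCII is split 26 upper / 26 lower / 10 digit / 33 special (space counted as special); the 14-character, two-of-each-class policy is the one from the earlier comment, the 8-to-12 baseline the one from this comment.

```python
from itertools import product
from math import factorial

# Assumed split of the 95 printable ASCII characters into the four classes
# that composition rules usually name (space is counted as "special").
CLASSES = {"upper": 26, "lower": 26, "digit": 10, "special": 33}
ALPHABET = sum(CLASSES.values())  # 95


def accepted_count(length, minimums):
    """Exact number of strings of `length` printable-ASCII characters that
    contain at least minimums[c] characters of each class c."""
    names = list(CLASSES)
    total = 0
    # Every way to split `length` positions across the classes; the last
    # class gets whatever is left over.
    for head in product(range(length + 1), repeat=len(names) - 1):
        tail = length - sum(head)
        if tail < 0:
            continue
        split = dict(zip(names, (*head, tail)))
        if any(split[c] < minimums.get(c, 0) for c in names):
            continue  # this split violates the policy
        ways = factorial(length)
        for n in split.values():
            ways //= factorial(n)  # multinomial: which positions hold which class
        for c, n in split.items():
            ways *= CLASSES[c] ** n  # which character fills each position
        total += ways
    return total


def keyspace_reduction(min_len, max_len, minimums):
    """Fraction of the baseline keyspace (all printable-ASCII strings of
    min_len..max_len characters) that the composition policy rejects."""
    lengths = range(min_len, max_len + 1)
    baseline = sum(ALPHABET ** n for n in lengths)
    allowed = sum(accepted_count(n, minimums) for n in lengths)
    return 1 - allowed / baseline


if __name__ == "__main__":
    two_each = {c: 2 for c in CLASSES}
    # The 14-char, two-of-each-class policy quoted earlier in the thread.
    print(f"14 chars, 2 of each class: {keyspace_reduction(14, 14, two_each):.1%} rejected")
    # The same policy applied to this comment's 8-to-12-character baseline
    # (8- and 9-character strings are squeezed hardest).
    print(f"8-12 chars, 2 of each class: {keyspace_reduction(8, 12, two_each):.1%} rejected")
```

Whatever the policy rejects is also what a guessing tool can skip, which is the cost the thread is pointing at.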
Admin
No problem! My method of using Old Testament names fits those criteria (all of them) nicely. It has the added benefit of my being one of the few who actually know how to spell the names.
Admin
Who vacuums?
Admin
Not if the server is doing the hashing, since you need to know what value to submit to get the same hash - i.e. what the password is.
Anyone who hashed the password client side is committing a rather large WTF - I'd agree.
Admin
Simple function to check for valid passwords!
Admin
Halfway through that list, did anyone else have images of Eric Idle and Michael Palin in medieval gear running through their heads...
Admin
FTFY
Admin
When don't I?