• Anon (unregistered) in reply to boog
    boog:
    Ken B.:
    boog:
    - your password must be selected from the list of security-expert-approved passwords, which you can find on the company website

    Oh yeah, I do see that last one happening somewhere in the next 10 years.

    I was going to suggest "goodpasswords dot com"...

    Would that be a website listing "good passwords", or a form where users can submit their passwords and it will tell them how "good" the passwords are?

    Either way, sounds like a great idea.

    Indeed:

    1. Create a website where people enter their passwords to see how "good" they are. Insist they tell you their username and what website it is for so you can check for their username and the name of the website in the password (because that would clearly be insecure)
    2. ??????
    3. Profit!
  • vic (unregistered)

    My former employer had a set of rules for all passwords which included things like having to change the password every 3 months and not reusing the last n (I think it started at 3, eventually 5) passwords. This included not just the enterprise servers, but simple systems like the document store where the employee handbook and cafeteria menu were posted.

    Fortunately, there was no minimum time between when you changed the password, so a quick run through my set of five passwords for trivial sites let me know what lunch would be.

  • PG4 (unregistered) in reply to jimicus
    jimicus:
    Earlier versions of Windows (particularly in the days before NTLM) split the password into two hashes each containing 7 characters

    Well this stupid idea in Windows has caused the current mess I have to deal with in UNIX.

    Used to be 8 characters was fine, then some idiot higher up found out about that problem in windows and sent out a directive to change X in windows, change Y in windows, change Z in windows, don't use the hash before NTLM, etc. And one of the list of 15 or so taskings in the directive was to force all passwords to be a min of 14 characters, at least 2 upper, 2 lower, 2 digits, 2 special and change passwords every 30 days. Now since this last part didn't say for windows only, it had to be applied to everything that took a password. Oh yea, can't use one you have used in the past year, and a bunch of other things. This policy is still in force today, all because of an old way that windows hashed passwords.

  • informatimago (unregistered)

    With so many rules, some users may not have any valid password!

  • (cs)

    Yeah, one of my main passwords would also still fulfill these requirements, as long as you were willing to accept vowels other than 'e' and 'u'. Well, and only until they made me change it, of course. I'm happy that here, they may force you to change your work login password every so often, but don't force you to change it to something other than what it already just was.

    Also, what exactly is the difference between requiring that a password not contain a dictionary word, and that it not contain an "exact dictionary word match"? They seem fairly equivalent.

  • Jouva (unregistered)

    Why should there be such a short MAXIMUM if there's such a MINIMUM? And why say "not THIS character"? Really.

  • Poptart (unregistered) in reply to dogbrags

    A better requirement would use the word "shall" instead of "must". But the exclamation points are fine as-is.

  • a flaming pineapple (unregistered) in reply to pippin
    pippin:
    have at least 8 character(s)
    or
    be at least 6 characters long
    Not only is it absurd, but it's contradictory! (exclamation included to give my comment added umpfh ;)

    Just as an FYI, >=6 characters and >=8 characters are not mutually exclusive.

    captcha: tristique - we went to this place on main street that only sells triscuit crackers.

  • PendaticCurmudgeon (unregistered) in reply to trtrwtf
    trtrwtf:
    Speaking of such things, is there any real reason to suppose that changing passwords every N days increases security? Wouldn't it make more sense to just require a sufficiently complex and long password and leave it at that? I think just about anyone could memorize a truly random 14-character password if they had to type it every day, but if you have to change it once a month then you have to come up with algorithms for generating "unguessable" passwords. These include things like regular substitutions, which become well known (i.e., @ for a, 1 for i or l, and so forth), and the purpose is successfully defeated.
    Please feature this comment.
  • (cs) in reply to The Corrector
    The Corrector:
    boog:
    Anon:
    • be at least 6 characters long, contain 3/4 of uppercase, lowercase, digits and punctuation marks, and may not contain your user name or any part of your full name.
    First I read this as my password must be three quarters uppercase, three quarters lowercase, three quarters digits and three quarters punctuation (that's 12 quarters for those keeping count)
    12 quarters = 3 passwords dollars.
    So in other words, your password must be worth at least three dollars? I'm guessing most users' passwords probably aren't valid then.
  • (cs) in reply to boog
    boog:
    Anon:
    Also, more rules stating what your password can't be = less entropy = less secure.
    I keep wondering when "security experts" (or whatever managers like to call themselves) will create that one password rule that really limits the password space.
    • your password may not contain adjacent letters or adjacent numbers (they must alternate: S2t3u8p1d)
    • your password may not contain letters/numbers from your username (I can't use b, o, g, B, O, or G)
    • your password may not contain any consecutive letters/numbers (if you use C, you can't use B or D anywhere)
    • your password must be selected from the list of security-expert-approved passwords, which you can find on the company website

    Oh yeah, I do see that last one happening somewhere in the next 10 years.

    No need for that last line. "Your password must not have repeated characters" is nearly as useful. (very very nearly...)

  • Yuval (unregistered)

    (comment thread tl;dr) Almost all my current passwords satisfy all these requirements, and I remember them perfectly. Well, except those with the letter 'a', which is a dictionary word and thus may not be part of any password?

  • . (unregistered) in reply to boog
    boog:
    The Corrector:
    boog:
    Anon:
    • be at least 6 characters long, contain 3/4 of uppercase, lowercase, digits and punctuation marks, and may not contain your user name or any part of your full name.
    First I read this as my password must be three quarters uppercase, three quarters lowercase, three quarters digits and three quarters punctuation (that's 12 quarters for those keeping count)
    12 quarters = 3 passwords dollars.
    So in other words, your mom must be worth at least three dollars? I'm guessing most users' moms probably aren't valid then.
    FTFY
  • Josiah (unregistered)

    LOL! Adding all those extra constraints probably actually makes these passwords easier to crack by limiting the dictionary an attacker needs to traverse.

  • kastein (unregistered)

    my favorite is the companies that refuse to let me use a secure password:

    • one of my financial accounts insists that I use NO symbols, and that my password be no more than 6 characters long. Thanks guys, glad no one can get into my stock account now!
    • another requires that my password be ridiculously long and complex, be different from my last ten passwords, and get changed every 60 days. I finally ran out of good passwords I could remember and started just changing one digit when asked for a new password. You win guys, too secure for me...

    The sad thing is that I usually come up with ridiculously hard to guess passwords when not forced to follow some goofy set of rules.

    When given the chance I do stupid crap like using altcodes in my password... I want to see someone try and hack that! Bet your rainbow tables don't cover 25 character passwords with upper/lowercase, numbers, symbols, and upper code page characters, script kiddie!

  • (cs)

    Qwerty00 Qwerty01 ...

  • Ken B. (unregistered) in reply to TheCPUWizard
    TheCPUWizard:
    Ironic... I just compared passwords I use (from memory) for a number of secure systems, and over 90% of them met the requirements [1 out of 17 failed].

    This is on various systems that do not have overly complex rules...guess it speaks volumes about my state of mind <eek!>

    I still use the 6-letter passwords from back in high school (1970's) as the root of many of my online passwords today. (By "root", I mean using them as the first 6 characters, and follow them by a new suffix.)

  • (cs) in reply to trtrwtf
    trtrwtf:
    Don't forget this one: your password can't contain any sequence of 3 adjacent letters on a qwerty keyboard. No asdf, no zxc.

    You forgot the diagonals. No zse, cft, etc.

    (Also, you cannot use etc)

  • (cs) in reply to Ken B.
    Ken B.:
    TheCPUWizard:
    Ironic... I just compared passwords I use (from memory) for a number of secure systems, and over 90% of them met the requirements [1 out of 17 failed].

    This is on various systems that do not have overly complex rules...guess it speaks volumes about my state of mind <eek!>

    I still use the 6-letter passwords from back in high school (1970's) as the root of many of my online passwords today. (By "root", I mean using them as the first 6 characters, and follow them by a new suffix.)
    hunter20110401 ?

  • gizmore (unregistered)

    Must not contain a dictionary word!

    I hope "a", and "the" are not dictionary words!

  • mackenziema (unregistered) in reply to dpm

    This and some of the other requirements are there not to increase security, but because the system (or some subsystem) can't handle that.

  • PRMan (unregistered) in reply to trtrwtf

    Changing passwords every "n" days increases security by eliminating servers that somebody forgot to remove access from when someone left. A person has 6 weeks on average to hack. After that, all their passwords will be gone no matter what.

  • Harrow (unregistered)

    This list almost certainly was constructed by at least three different people.

    The first 18 rules (the ones with exclamation points) were written by some low ranking weenie who thinks he is God's gift to cryptography, and therefore can easily think of all the things that make passwords insecure without consulting any references, which he probably doesn't know where to find anyway.

    The next 13 rules were written by the poor shlub who was handed the first 18 and assigned the problem of implementing a filter. Unfamiliar with the writings of J. Zawinski, he decided to use a regular expression. Now he had two problems. So he wrote a second filter, to restrict the password candidates to only those that can be parsed by his first filter.

    The last rule was added by the first weenie's PHB because he could not understand the existing list of rules and decided to encode his ignorance into a summary. He probably goes around telling everyone that his weenie always overcomplicates everything, and the last rule is the only one you really need because it includes all the others.

    -Harrow.

  • (cs) in reply to Harrow
    Harrow:
    This list almost certainly was constructed by at least three different people.

    The first 18 rules (the ones with exclamation points) were written by some low ranking weenie who thinks he is God's gift to cryptography, and therefore can easily think of all the things that make passwords insecure without consulting any references, which he probably doesn't know where to find anyway.

    The next 13 rules were written by the poor shlub who was handed the first 18 and assigned the problem of implementing a filter. Unfamiliar with the writings of J. Zawinski, he decided to use a regular expression. Now he had two problems. So he wrote a second filter, to restrict the password candidates to only those that can be parsed by his first filter.

    The last rule was added by the first weenie's PHB because he could not understand the existing list of rules and decided to encode his ignorance into a summary. He probably goes around telling everyone that his weenie always overcomplicates everything, and the last rule is the only one you really need because it includes all the others.

    -Harrow.

    Your analysis is more entertaining than the article itself.
  • Meep (unregistered) in reply to Anne
    Anne:
    Worse than that, all these rules actually make the passwords less secure.

    They make the strongest passwords less secure, but only a fraction of people are using a completely random password. If you consider the system to be cracked when a few accounts are compromised, it's worthwhile to strengthen the weaker passwords at the expense of the stronger passwords.

    The same goes for "leading character must be a letter"? Why can't it be a number? Why are characters forbidden? You're actually reducing the number of possible passwords here.

    If they require the leading character to be a letter, that suggests they're using some horrible, horrible way of storing the passwords.

    I often use a password manager, and it generated one that had a space at the end. Since it had worked fine when I copied and pasted, I was going nuts trying to figure out why I couldn't type it in. (Probably ought to have filed a bug report...)

  • Spivonious (unregistered) in reply to trtrwtf
    trtrwtf:
    Spivonious:
    My company doesn't let you use any of the last five passwords. So I have a post-it in my drawer that has the last five passwords on it. I figure if the janitor has access to my desk, he deserves access to my PC.

    FTFY

    Our room is locked-down so the janitor doesn't steal computers. The only people allowed in are in my department.

  • Meep (unregistered) in reply to PRMan
    PRMan:
    Changing passwords every "n" days increases security by eliminating servers that somebody forgot to remove access from when someone left. A person has 6 weeks on average to hack. After that, all their passwords will be gone no matter what.

    Assuming they lock the accounts as well.

    It also allows you to upgrade password storage, since you need a fresh password to calculate a new hash.

  • Meep (unregistered) in reply to James Q. Muphry
    James Q. Muphry:
    boog:
    Anne:
    One of the rules I don't ever get is why you would restrict a password in length. A minimum number of characters I understand, but a maximum? Where's the reasoning behind that?
    It's because of people like me who prefer to have a 2GB password (just to be extra secure) which brings the server to its knees.
    You really are a moron, aren't you? Any length password will be stored in a hash which will ALWAYS BE THE SAME.

    Since JavaScript doesn't have a built-in digest algorithm, most web apps do the hashing on the server side. Transmitting 2GB over TLS and then hashing it would be pretty intensive.

    Plus, you'll just want to store your password in plain-text on the hard-drive, and HTH are you going to access it?

    I don't know about Winders, but OS X has a simple command line pasteboard utility:

    cat mypassword | pbcopy

    Or, for ultimate security...

    openssl enc -aes256 -d -in mypassword -kfile /secretplace/passwordkey | pbcopy
  • Meep (unregistered) in reply to Spivonious
    Spivonious:
    My company doesn't let you use any of the last five passwords. So I have a post-it in my drawer that has the last five passwords on it. I figure if the hacker has access to my desk, he deserves access to my PC.

    You must be the only person who hasn't realized you can just change your password to something bogus five times and then reuse the last one.

  • Design Pattern (unregistered) in reply to Meep
    Deh Rules:
    not conatain & • not contain # • not contain , • not conatain ; • not contain " • not contain > • not contain <
    Looks like they're storing the password in cleartext in a XML-file and those rules avoid issues with the encoding!
  • Ã (unregistered)

    After yesterday's email validation WTF, I'd love to see how these idiots validate passwords.

  • drusi (unregistered) in reply to Serpentes
    Serpentes:
    Probably already at Security by Post-It levels, the character-position non-reuse rule is what made it a likely violation of the Geneva Convention (with the 45 day expiration timer not helping at all). The story was that originally there was a standard "cannot repeat previous passwords" rule, but the security psychos realized people were just iterating a number at the end of their password. They concluded that was a security risk, because ninja death hackers would be smart enough to conclude that any compromised password was part of a sequence and thus obtain the current password, wreaking havoc and ending civilization. Their solution is just as horrid as it sounds. If you had a password with R as the second character, then for the next 16 passwords, the second character couldn't be R. Every character had to be novel, every time.
    Both stupid and easily defeated:

    qnDrfsgvbm19-!._ nDrfsgvbm19-!._q Drfsgvbm19-!._qn rfsgvbm19-!._qnD ... _qnDrfsgvbm19-!.

  • Ken B. (unregistered) in reply to boog
    boog:
    C-Octothorpe:
    hoodaticus:
    I've long promoted the notion that the secret to securing any system is to eliminate its users.
    BOFH?

    Do you have a lot of elevator and electrical "accidents" at your workplace?

    Safety incidents going through the roof would be a huge red flag. Better to just hire a really creepy guy that scares everyone into finding work elsewhere or early retirement.
    Same thing with getting rid of an apartment building full of bad tenants. (Which you just bought at a bargain price, due to said tenants.)

    Tenant "protection" laws make it very difficult / costly / time-consuming to evict them. So...

    Pay "creepy guy" to move into a vacant apartment. Let CG indulge his "hobbies", such as running up and down the hallway in the middle of the night wearing his ski boots, playing his "Hooked on Polka" CDs all day long, cooking with Nam Pla / Padaek, and so on. Tenants spontaneously decide to move elsewhere.

    Easy / inexpensive / efficient.

  • ÃƆ(unregistered) in reply to Meep
    Meep:

    I don't know about Winders, but OS X smug hipstersheep.

    FTFY

  • Ken B. (unregistered) in reply to Anachronda
    Anachronda:
    I keep waiting for someone to decide that not having occasional missed attempts implies that your password is insufficiently complex and needs to be changed.
    [image]
  • BLs (unregistered)

    Imagine... a couple years down the road when hackers get even more sophisticated and security managers get even more insane...

    Attention All: Due to recent security breaches, all employees will be required to log in using a sample of their DNA. To ensure this cannot be cloned in any way and therefore compromise our security some restrictions will be placed on the DNA that can be used for system access. Specifically, every DNA sample must contain at least 5 each of capital, lowercase, and numeric chromosomes. In addition, your chromosomes cannot contain repeating values, your name, or two X chromosomes.

    Thank you for your compliance.

  • ÃÆâ€℠(unregistered) in reply to BLs
    BLs:
    two X chromosomes
    As if Klinefelter's sufferers didn't have enough to worry about
  • (cs) in reply to ÃÆâ€â„Â
    ÃÆâ€â„Â:
    BLs:
    two X chromosomes
    As if women didn't have enough to worry about
    FTFY
  • HappyEngineer (unregistered) in reply to Buzer
    Buzer:
    Qwerty00 Qwerty01 ...

    Sorry, that doesn't work. Your name contains "er", so you can't have "er" in your password. Of course, if your real name doesn't include those letters then that may be ok.

    Here is the smallest set of condensed rules I could come up with by eliminating redundant rules:

    Your password:

    • must have between 8 and 12 characters.
    • must have between 1 and 8 uppercase letter(s)
    • must have between 1 and 8 lowercase letter(s)
    • must have at least 1 digit
    • may also contain any of the following: !@$%*(-_+':`~./?]{}
    • must have a leading letter
    • must have at least 2 letter(s)
    • must not CONTAIN more than 1 pair of repeating characters
    • must not CONTAIN 3 occurrences of the same character
    • must not CONTAIN an exact dictionary word match (does this include all the 2 letter scrabble words?)
    • must not CONTAIN your username or your username backwards
    • must not BE your username with the letters rearranged
    • must not BE an old password
    • must not CONTAIN any part of your full name. (does this include individual letters from your name?)
  • Ken B. (unregistered) in reply to Gary
    Gary:
    These intrigue me
    • not contain a dictionary word!
    • not contain an exact dictionary word match!
    

    That rules out at minimum any of the vowels A, I and O. If you can't include two-letter combinations either am, do, em, en, go, he, etc., then we are going to have a really small set of possible pwds.

    Sorry, "wds" is a sequence of three neighboring keys on the keyboard.

  • (cs)

    Oh, that's nothing. Somebody here decided that we needed a different password for every domain or standalone server we log into. All these servers have somewhat random rules regarding password expiration, length, past, character set, etc. There are a few hundred servers here. Don't make me laugh with your post-it notes. They're good for one, maximum 4 passwords. We have an Excel template file that every new coworker just gets unofficially from us with all the servers listed, along with a "keep it password-protected" notice and a how-to. The system hasn't failed us yet.

  • (cs)

    If you exclude the rules involving username, this password ruleset reduces the keyspace by 92%, compared to a baseline of any combination of printable ASCII characters, 8 to 12 characters in length.

    I calculated it statistically with the following program:

    #include <stdio.h>
    #include <stdlib.h>
    #include <ctype.h>
    #include <string.h>
    
    int CheckValidPassword(const char *pw)
    {
    	int nUpper = 0;
    	int nLower = 0;
    	int nDigit = 0;
    	int nRepeat = 0;
    	
    	int charCount[95];
    	
    	memset(charCount, 0, sizeof(charCount));
    
    	const char *pwe = pw;
    	
    	// First character must be a letter
    	if (!isalpha(*pwe)) return 0;
    	if (isupper(*pwe)) ++nUpper; else ++nLower;
    	
    	// Overall count of characters
    	++charCount[*pwe-32];
    	
    	for (++pwe; *pwe; ++pwe)
    	{
    		// Overall count of characters
    		++charCount[*pwe-32];
    		
    		// No more than 1 pair of repeating characters
    		if (*pwe == pwe[-1])
    		{
    			++nRepeat;
    			if (nRepeat > 1)
    				return 0;
    		}
    	
    		if (isupper(*pwe)) ++nUpper;
    		else if (islower(*pwe)) ++nLower;
    		else if (isdigit(*pwe)) ++nDigit;
    		
    		// Forbidden chars
    		else if (strchr("^ =&#,;\"<>[|)", *pwe)) return 0;
    	}
    	
    	// Must have at least two letters
    	if (nUpper + nLower < 2) return 0;
    	
    	// Must have a mixture of cases
    	if (nUpper == 0 || nLower == 0) return 0;
    	
    	// Must have no more than 8 uppercase or 8 lowercase letters, and at least 1 digit
    	if (nUpper > 8 || nLower > 8 || nDigit < 1) return 0;
    	
    	// No triples or more of any character
    	for (int n = 0; n < 95; ++n)
    		if (charCount[n] > 2) return 0;
    	
    	return 1;
    }
    
    int Chance()
    {
    	// Each length class is 95 times larger than the next shorter one,
    	// so stop at the current length with probability 1/95
    	return (rand() % 95) != 0;
    }
    
    void GenPasswordN(char *buffer, int n)
    {
    	for (int i = 0; i < n; ++i)
    		buffer[i] = rand() % 95 + 32;
    	buffer[n] = 0;
    }
    
    void GenPassword(char *buffer)
    {
    	// 8, 9, 10, 11, or 12 characters? Weight it properly.
    	if (Chance())
    		GenPasswordN(buffer, 12);
    	else if (Chance())
    		GenPasswordN(buffer, 11);
    	else if (Chance())
    		GenPasswordN(buffer, 10);
    	else if (Chance())
    		GenPasswordN(buffer, 9);
    	else
    		GenPasswordN(buffer, 8);
    }
    
    int main()
    {
    	unsigned long long int valid = 0;
    	unsigned long long int total = 0;
    
    	char buffer[13];
    	for( ;; )
    	{
    		GenPassword(buffer);
    		if (CheckValidPassword(buffer))
    			++valid;
    		++total;
    		printf("%f\n", (double)valid / (double)total);
    	}
    }
    
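The same estimate in Python, as an added example that is not the commenter's program above. It implements the composition rules condensed earlier in the thread (leading letter, 1 to 8 uppercase, 1 to 8 lowercase, at least one digit, only the listed punctuation, at most one adjacent repeated pair, no character three times) and skips the dictionary, username and history rules, as the C version does. It goes one step further than the C program in two ways: sample lengths are drawn in proportion to the exact size of each length class (95**n strings of length n), rather than a geometric approximation, and the surviving fraction is also reported as bits of entropy removed. The allowed-punctuation set is taken from the "may also contain" list in the thread; everything else is constructed for the demo.

```python
"""Estimate how much of the 8-to-12-character printable-ASCII keyspace
survives a composition ruleset, and express the loss in bits.

Rules are the ones condensed in the comment thread; the punctuation list is
the thread's "may also contain" list.  Dictionary, username and history rules
are not modelled (same simplification as the C program in the thread).
"""
import math
import random

PRINTABLE = [chr(c) for c in range(32, 127)]   # the 95 printable ASCII characters
ALLOWED_PUNCT = set("!@$%*(-_+':`~./?]{}")      # "may also contain" list from the thread
MIN_LEN, MAX_LEN = 8, 12


def check_valid_password(pw: str) -> bool:
    """True if pw satisfies the condensed composition rules."""
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        return False
    if not pw[0].isalpha():                       # leading character must be a letter
        return False
    for ch in pw:                                 # letters, digits and listed punctuation only
        if not (ch.isalnum() or ch in ALLOWED_PUNCT):
            return False
    upper = sum(ch.isupper() for ch in pw)
    lower = sum(ch.islower() for ch in pw)
    digits = sum(ch.isdigit() for ch in pw)
    if not (1 <= upper <= 8 and 1 <= lower <= 8 and digits >= 1):
        return False
    pairs = sum(1 for a, b in zip(pw, pw[1:]) if a == b)
    if pairs > 1:                                 # at most one pair of repeating characters
        return False
    if any(pw.count(ch) > 2 for ch in set(pw)):   # no character three or more times
        return False
    return True


def length_distribution():
    """Exact share of each length class within the 8..12 printable-ASCII keyspace."""
    sizes = {n: len(PRINTABLE) ** n for n in range(MIN_LEN, MAX_LEN + 1)}
    total = sum(sizes.values())
    return list(sizes), [sizes[n] / total for n in sizes]


def estimate_surviving_fraction(samples: int = 50_000, seed: int = 1) -> float:
    """Monte Carlo estimate of P(a uniformly random keyspace element passes the rules).

    The seed is fixed so the estimate is reproducible; it is constructed for the demo.
    """
    rng = random.Random(seed)
    lengths, weights = length_distribution()
    valid = 0
    for _ in range(samples):
        n = rng.choices(lengths, weights)[0]       # weight lengths by class size
        pw = "".join(rng.choices(PRINTABLE, k=n))  # uniform over printable ASCII
        valid += check_valid_password(pw)
    return valid / samples


def bits_lost(fraction: float) -> float:
    """Entropy removed by the rules relative to the unconstrained keyspace."""
    return math.inf if fraction == 0 else -math.log2(fraction)


if __name__ == "__main__":
    f = estimate_surviving_fraction()
    print(f"surviving fraction ~ {f:.3f}: keyspace reduced by {100 * (1 - f):.1f}%"
          f" ({bits_lost(f):.2f} bits)")
```

Because 95**12 dwarfs the shorter classes, the estimate is dominated by 12-character strings, which is why the first-letter rule (52 of 95 characters) and the 14 excluded punctuation characters account for most of the loss; the repeat and case-count rules remove comparatively little.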
  • (cs) in reply to Meep
    Meep:
    Since JavaScript doesn't have a built-in digest algorithm, most web apps do the hashing on the server side.
    Also, doesn't submitting the hashed password defeat the purpose of hashing? Since you no longer need to know the user's password in order to break in, just what it hashes to.
  • danielpauldavis (unregistered)

    No problem! My method of using Old Testament names fits those criteria (all of them) nicely. It has the added benefit of my being one of the few who actually know how to spell the names.

  • socknet (unregistered) in reply to Spivonious
    Spivonious:
    trtrwtf:
    Spivonious:
    My company doesn't let you use any of the last five passwords. So I have a post-it in my drawer that has the last five passwords on it. I figure if the janitor has access to my desk, he deserves access to my PC.

    FTFY

    Our room is locked-down so the janitor doesn't steal computers. The only people allowed in are in my department.

    Who vacuums?

  • socknet (unregistered) in reply to boog

    Not if the server is doing the hashing, since you need to know what value to submit to get the same hash - i.e. what the password is.

    Anyone who hashed the password client side is committing a rather large wtf - I'd agree.
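The point made in this exchange, as an added example that is not code from any of the commenters: where the hashing step lives decides what a leaked record is worth. Two toy designs are shown over the same account. In the server-side design the server salts and stretches the submitted password, so the stored record is not itself a usable credential. In the client-side-only design the client sends H(password) and the server compares it with the stored H(password), so the stored value is the credential. The password, account and work factor are constructed for the demo.

```python
"""Server-side versus client-side-only password hashing, compared on what a
leaked stored record lets a verifier accept.  All values are constructed.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor, chosen for the demo


def server_side_enroll(password: str) -> dict:
    """Store a per-user random salt and PBKDF2-HMAC-SHA256 of the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


def server_side_verify(record: dict, submitted: str) -> bool:
    """The server re-derives the digest from what the client sent (the password itself)."""
    digest = hashlib.pbkdf2_hmac("sha256", submitted.encode("utf-8"), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])


def client_side_enroll(password: str) -> dict:
    """Client-side-only design: the server stores the unsalted digest the client computed."""
    return {"digest": hashlib.sha256(password.encode("utf-8")).digest()}


def client_side_verify(record: dict, submitted_digest: bytes) -> bool:
    """The server never sees the password; it can only compare two digests."""
    return hmac.compare_digest(submitted_digest, record["digest"])


def compare_designs(password: str = "correct horse battery") -> dict:
    """Which inputs each design accepts, assuming the stored record has leaked."""
    srv = server_side_enroll(password)
    cli = client_side_enroll(password)
    real_client_digest = hashlib.sha256(password.encode("utf-8")).digest()
    return {
        # The genuine user logs in: both designs accept.
        "server_accepts_real_password": server_side_verify(srv, password),
        "client_accepts_real_digest": client_side_verify(cli, real_client_digest),
        # Only the leaked record is available.  The server-side design rejects
        # its own stored digest (it is not a password); the client-side-only
        # design accepts it unchanged, so the record is equivalent to the password.
        "server_accepts_leaked_record": server_side_verify(srv, srv["digest"].hex()),
        "client_accepts_leaked_record": client_side_verify(cli, cli["digest"]),
    }


if __name__ == "__main__":
    for name, accepted in compare_designs().items():
        print(f"{name}: {accepted}")
```

The defensive takeaway matches the thread: hash on the server, with a per-user salt and a slow KDF, and treat any design in which the client submits a digest as storing password-equivalents in the database.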

  • (cs)

    Simple function to check for valid passwords!

    import java.util.Scanner;

    public class PasswordPrompt {
      public static void main(String[] args) {
        // Reads candidate passwords from stdin until one passes
        // (stands in for the undefined getStrSys() in the original).
        Scanner in = new Scanner(System.in);
        while (true) {
          if (!in.hasNextLine()) {
            return;
          }
          String pass = in.nextLine();
          if (pass.length() < 7) {
            System.out.println("must be at least 7 characters long");
          } else {
            boolean upper = false;
            boolean lower = false;
            boolean number = false;
            for (char c : pass.toCharArray()) {
              if (Character.isUpperCase(c)) {
                upper = true;
              } else if (Character.isLowerCase(c)) {
                lower = true;
              } else if (Character.isDigit(c)) {
                number = true;
              }
            }
            if (!upper) {
              System.out.println("must contain at least one uppercase character");
            } else if (!lower) {
              System.out.println("must contain at least one lowercase character");
            } else if (!number) {
              System.out.println("must contain at least one number");
            } else {
              break;
            }
          }
        }
      }
    }
    
  • (cs)

    Halfway through that list, did anyone else have images of Eric Idle and Michael Palin in medieval gear running through their heads...

  • Anon (unregistered) in reply to Kiss me I'm Polish
    PSN Admin:
    Oh, that's nothing. Somebody here decided that we needed a different password for every domain or standalone server we log into. All these servers have somewhat random rules regarding password expiration, length, past, character set, etc. There are a few hundred servers here. Don't make me laugh with your post-it notes. They're good for one, maximum 4 passwords. We have an Excel template file that every new coworker just gets unofficially from us with all the servers listed, along with a "keep it password-protected" notice and a how-to. The system has just failed spectacularly.

    FTFY

  • Anon (unregistered) in reply to chron3
    chron3:
    Halfway through that list, did anyone else have images of Eric Idle and Michael Palin in medieval gear running through their heads...

    When don't I?
