• (cs)

    How an entire industry came to be built on this concept of security is beyond my understanding.

    There are companies that require you to download several pieces of software to make your PC run well. My thought process tells me that this should be the OS maker's job.

    Point in favor of Apple, who does this right. You don't need an anti-virus tool for an Apple Macintosh.

  • Zapp Brannigan (unregistered) in reply to Meep
    Meep:
    Spivonious:
    My company doesn't let you use any of the last five passwords. So I have a post-it in my drawer that has the last five passwords on it. I figure if the hacker has access to my desk, he deserves access to my PC.

    You must be the only person who hasn't realized you can just change your password to something bogus five times and then reuse the last one.

    Shhh, or they say we can't use any of the last 10 passwords.

  • Seth (unregistered)

    I'd love to see the code that validates these rules.

  • Machtyn (unregistered)

    I know it has been mentioned before, but with that many restrictions it appears like the password is between 8-12 characters, characters can only be alphanumeric, and the use of certain characters relating to the user are excluded... this makes for a rather narrow "dictionary" of characters to test on. (Yikes! I'm getting flashbacks from my Automata class.)

  • Brian White (unregistered)

    That rule isn't hard at all. Just replace some of the letters in your username with corresponding digits. And tack on digits to the end, so you can just cycle the last 2 of the password.

  • Brian White (unregistered) in reply to Zapp Brannigan
    Zapp Brannigan:
    Meep:
    Spivonious:
    My company doesn't let you use any of the last five passwords. So I have a post-it in my drawer that has the last five passwords on it. I figure if the hacker has access to my desk, he deserves access to my PC.

    You must be the only person who hasn't realized you can just change your password to something bogus five times and then reuse the last one.

    Shhh, or they say we can't use any of the last 10 passwords.

    Um, that's why sane organizations only let you change your password once a day.

    Annoyingly our company had a "you can't re-use any of your last 12 passwords" rule. It was just about to roll around to where I would be able to reuse the first one after 11 months, and then they doubled it to last 24 passwords.

  • Brian White (unregistered) in reply to kastein
    kastein:
    my favorite is the companies that refuse to let me use a secure password:
    • one of my financial accounts insists that I use NO symbols, and that my password be no more than 6 characters long. Thanks guys, glad no one can get into my stock account now!
    • another requires that my password be ridiculously long and complex, be different from my last ten passwords, and get changed every 60 days. I finally ran out of good passwords I could remember and started just changing one digit when asked for a new password. You win guys, too secure for me...

    The sad thing is that I usually come up with ridiculously hard to guess passwords when not forced to follow some goofy set of rules.

    When given the chance I do stupid crap like using altcodes in my password... I want to see someone try and hack that! Bet your rainbow tables don't cover 25 character passwords with upper/lowercase, numbers, symbols, and upper code page characters, script kiddie!

    Hi kastein, purely out of curiosity, what stock site is that?

  • (cs) in reply to Ken B.
    Ken B.:
    boog:
    Better to just hire a really creepy guy that scares everyone into finding work elsewhere or early retirement.
    Same thing with getting rid of an apartment building full of bad tenants... Pay "creepy guy" to move into a vacant apartment. Let CG indulge his "hobbies", such as running up and down the hallway in the middle of the night wearing his ski boots, playing his "Hooked on Polka" CDs all day long, cooking with Nam Pla / Padaek, and so on.
    Science help you if your building is already full of tenants that fit such a description.
  • Alex (unregistered) in reply to Mcoder

    How else are they supposed to recover the password if a user forgets it?

  • (cs) in reply to Brian White
    Brian White:
    Zapp Brannigan:
    Meep:
    Spivonious:
    My company doesn't let you use any of the last five passwords.
    ...just change your password to something bogus five times and then reuse the last one.
    Shhh, or they say we can't use any of the last 10 passwords.
    Annoyingly our company had a "you can't re-use any of your last 12 passwords" rule... then they doubled it to last 24 passwords.
    I do scoff at the arbitrary doubling method of increasing security. It's a pretty sure sign that the guys in charge of security have no idea how to improve it.

    Go ahead, double your weak security. It only means you'll have twice as much weak security.

  • Philip Newton (unregistered)

    I'm surprised that \ and ' were allowed - the former is a popular metacharacter not only in regular expressions, and the second one can get you into problems with SQL.

    CAPTCHA: suscipit - reminds me of the Magnificat which I sang in choir once.

  • profke (unregistered)

    policy where i work:

    • 3 out of 4 categories required: capitals, lowercase, numbers, digits

    • Lockout after 3 consecutive failures

    • must change after 30 days

    • CANNOT CHANGE VOLUNTARILY within 6 days from a previous password change

    • Previous 13 passwords cannot be re-used.

    • Minimum 8 characters

    Current passwords used at my work (a lot):

    "default password on account creation": Welcome01

    A lot of users use January2011, February2011 (in Feb); at this moment they are at, depending on which date they have to change their password, March2011 or April2011.

    No doubt that I will receive within a few days some calls about their "new" password not being accepted. (May2011 is shorter than 8 chars. Somehow they find it something IT must fix.)

    Last year I received similar calls from about 25 different users... in a company with 600 users.

    P.S.: the "cannot change within 6 days" was to prevent some idiot who always used the same password and, when it was time to change it, immediately changed it 14 times... (ending up with the same one he started with).

    To my question of what I had to do when I noticed that someone saw me typing my password, they still have to give me an answer.
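    An added example (the editor's, not code from this thread or any commenter) showing why a minimum-age rule like profke's "cannot change within 6 days" gets bolted onto a password-history rule: a history check alone is defeated by changing the password history+1 times in a row, while the minimum age stops the first change in that sequence. The class names, the stored record layout, the reference date and the sample passwords are assumptions made for the example; each stored entry keeps its own random salt, so a candidate has to be hashed once per history entry when checking for reuse.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# Low iteration count only so the demo runs quickly; a real system uses a
# far higher count or a memory-hard KDF.
ITERATIONS = 10_000
T0 = datetime(2011, 3, 1)  # constructed reference date for the demo


class PolicyError(Exception):
    pass


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def days_after(n: int) -> datetime:
    return T0 + timedelta(days=n)


class Account:
    """Per-user state: salted digests of the most recent passwords (newest last,
    so history[-1] is the current one) plus the time of the last change."""

    def __init__(self, password: str, now: datetime):
        self.history: list = []
        self.last_change = now
        self._store(password)

    def _store(self, password: str) -> None:
        salt = os.urandom(16)  # fresh random salt per stored password
        self.history.append((salt, _hash(password, salt)))

    def check(self, password: str) -> bool:
        salt, digest = self.history[-1]
        return hmac.compare_digest(_hash(password, salt), digest)

    def matches_recent(self, password: str, depth: int) -> bool:
        # Every entry has its own salt, so the candidate is re-hashed per entry.
        return any(hmac.compare_digest(_hash(password, s), d)
                   for s, d in self.history[-depth:])


class Policy:
    def __init__(self, history: int = 13, min_age_days: int = 6, max_age_days: int = 30):
        self.history = history
        self.min_age = timedelta(days=min_age_days)
        self.max_age = timedelta(days=max_age_days)

    def change(self, account: Account, new_password: str, now: datetime) -> None:
        if now - account.last_change < self.min_age:
            raise PolicyError("minimum password age not reached")
        if account.matches_recent(new_password, self.history):
            raise PolicyError(f"matches one of the last {self.history} passwords")
        account._store(new_password)
        account.history = account.history[-self.history:]  # keep only what the rule needs
        account.last_change = now

    def expired(self, account: Account, now: datetime) -> bool:
        return now - account.last_change >= self.max_age


def cycle_back(policy: Policy, account: Account, original: str, now: datetime) -> bool:
    """The trick from the thread: burn through the history with throwaway
    passwords, then set the original again. True if the account ends up back
    on `original`, False if the policy stopped the sequence."""
    try:
        for i in range(policy.history):
            policy.change(account, f"Throwaway{i}!{original}", now)
        policy.change(account, original, now)
    except PolicyError:
        return False
    return account.check(original)


def demo() -> dict:
    lax = Policy(history=13, min_age_days=0)     # history rule only
    strict = Policy(history=13, min_age_days=6)  # history plus minimum age
    return {
        "history_only": cycle_back(lax, Account("March2011", T0), "March2011", T0),
        "history_plus_min_age": cycle_back(strict, Account("March2011", T0), "March2011", T0),
    }


if __name__ == "__main__":
    print(demo())
```

    With the history rule alone the fourteenth change lands back on the starting password; with the six-day minimum age the very first throwaway change is refused, so the whole sequence fails.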

  • Herby (unregistered)

    The problem is that some people just want to annoy you (BOFH types). They are the ones who insist on super complex passwords for such things as tomorrow's lunch menu (as if it were an atomic secret!). The rules continue to confound me, as the need for security is NEVER the same as ACTUAL security implemented. Cue up Dilbert cartoon here!

  • Todd Lewis (unregistered)

    No joke: below is the text from our password management page, which I readily admit that I maintain.

    Thinking up a new password can be hard. May we suggest one of the following: HAstjog<7 drY<4muCh sepgroW4} raP&9fEnD 'TWitkIn6 $Moo3wrap 2#fociSEP
    * It can't be a password you've used in the last year.
    * It must be at least 8 characters long.
    * It must contain at least one letter and at least one digit.
    * It must contain at least one of these characters: !@#$%&*+={}?<>"'
    * It and your userid must share fewer than six (or length of your userid) consecutive common characters.
    * It must not:
       start with a hyphen,
       end with a backslash (\), or
       start or end with a space, or
       contain a double-quote (") anywhere except as the last character.

    Needless to say, I'm not always popular around work.

  • Gunslinger (unregistered) in reply to trtrwtf
    trtrwtf:
    Spivonious:
    My company doesn't let you use any of the last five passwords. So I have a post-it in my drawer that has the last five passwords on it. I figure if the janitor has access to my desk, he deserves access to my PC.

    FTFY

    Desk has a key lock. Janitor doesn't have key. Also, hacker is more inclusive, as the hacker can be a janitor but the janitor doesn't need to be a hacker.

  • gratuitous_arp (unregistered)
    • The exclamation marks made the first half of that reminder exciting!
    • But I started glossing them over when they stopped the punctuation
    • and the period ending the last sentence made me feel a bit dismal.
  • Gunslinger (unregistered) in reply to socknet
    socknet:
    Spivonious:
    trtrwtf:
    Spivonious:
    My company doesn't let you use any of the last five passwords. So I have a post-it in my drawer that has the last five passwords on it. I figure if the janitor has access to my desk, he deserves access to my PC.

    FTFY

    Our room is locked-down so the janitor doesn't steal computers. The only people allowed in are in my department.

    Who vacuums?

    The robot, of course. Your office doesn't have one?

  • Gunslinger (unregistered) in reply to Nagesh
    Nagesh:
    How an entire industry came to be built on this concept of security is beyond my understanding.

    There are companies that require you to download several pieces of software to make your PC run well. My thought process tells me that this should be the OS maker's job.

    Point in favor of Apple, who does this right. You don't need an anti-virus tool for an Apple Macintosh.

    When you graduate from junior high, then you'll learn the truth young grasshopper.

  • JW (unregistered)

    This makes my job much easier. There are only a handful of passwords that match all of those criteria. Now I just need to figure them out.

  • Fred (unregistered) in reply to dpm

    Surely you mean 12 character(s)!

  • Niten (unregistered)

    I once used a password safe and made all my passwords randomly generated guids. I figured the sun would consume the earth in a raging inferno before a brute force attack could crack my password. That lasted all of until the first time I tried to sign into something on my phone. Security is nice, but I prefer a little bit of usability over an obscene amount of security.

  • foo (unregistered) in reply to Mike
    Mike:
    Jam of the day - code to generate a password per the rules.
    return "Frist123";  // chosen by fair draw etc.
  • OMG (unregistered) in reply to Dazed
    Dazed:
    I don't think the problem is so much being able to remember your password as trying to find a valid one in the first place. I can see it now:
    • (shout) "WTF can I use for a password?"
    • (shout from another cubicle) "QWErty123$%^ seems to work*"
    • everyone in the office now uses the same password.
    • This is a hypothesis on my part, not a promise.

    I just realised that's why we all use summer99

  • e john (unregistered) in reply to dogbrags

    you are right ! i'm going to try that on my memoranda !

  • Jimmy (unregistered)

    article:

    • not contain a dictionary word!
    • not contain an exact dictionary word match!

    Uh oh, 'a', 'A', 'I' and 'O' can't be used in a password. Assuming they do their dictionary check case-insensitively (that is, that something like caPSiCum would still match as a dictionary word), this excludes 'i' and 'o' as well...

    I could see the potential password space being quite small here...

  • Mr Big (unregistered) in reply to abcdefg?
    abcdefg?:
    trtrwtf:
    I think just about anyone could memorize a truly random 14-character password if they had to type it every day
    Exactly this. When I came up with my original password I just bashed on the keyboard until like 12 chars appeared, replaced a few characters. Sure, it took me a month or two to memorize, but once I did, I always remembered it, and it was secure because it truly was a random password and didn't mean anything. But if I was changing it every 2 months I would never remember it.

    When it comes to passwords nothing is totally secure.
    Randomness does not necessarily make a password any more or less secure. (and a pedant will probably tell you that mashing the keyboard does not produce a random series of characters)

  • Ape D. Ant (unregistered) in reply to abcdefg?
    abcdefg?:
    When I came up with my original password I just bashed on the keyboard until like 12 chars appeared, replaced a few characters. Sure, it took me a month or two to memorize, but once I did, I always remembered it, and it was secure because it truly was a random password and didn't mean anything. But if I was changing it every 2 months I would never remember it.
    Just bashing on the keyboard doesn't make for a random password.
  • June (unregistered) in reply to Ken B.
    Ken B.:
    boog:
    C-Octothorpe:
    hoodaticus:
    I've long promoted the notion that the secret to securing any system is to eliminate its users.
    BOFH?

    Do you have a lot of elevator and electrical "accidents" at your workplace?

    Safety incidents going through the roof would be a huge red flag. Better to just hire a really creepy guy that scares everyone into finding work elsewhere or early retirement.
    Same thing with getting rid of an apartment building full of bad tenants. (Which you just bought at a bargain price, due to said tenants.)

    Tenant "protection" laws make it very difficult / costly / time-consuming to evict them. So...

    Pay "creepy guy" to move into a vacant apartment. Let CG indulge his "hobbies", such as running up and down the hallway in the middle of the night wearing his ski boots, playing his "Hooked on Polka" CDs all day long, cooking with Nam Pla / Padaek, and so on. Tenants spontaneously decide to move elsewhere.

    Easy / inexpensive / efficient.

    How do you get 'creepy guy' to move out? Find someone more sinister, perhaps?

  • C.K. (unregistered) in reply to Pat
    Pat:
    The real WTF is the validation code they'll use to enforce that policy...

    TRWTF is that they'll probably store the passwords in clear text and have somebody audit them.

    Captcha: eros; Why do I always get this captcha? Is the site commenting on my sex life?

  • June (unregistered) in reply to Brian White
    Brian White:
    Zapp Brannigan:
    Meep:
    Spivonious:
    My company doesn't let you use any of the last five passwords. So I have a post-it in my drawer that has the last five passwords on it. I figure if the hacker has access to my desk, he deserves access to my PC.

    You must be the only person who hasn't realized you can just change your password to something bogus five times and then reuse the last one.

    Shhh, or they say we can't use any of the last 10 passwords.

    Um, that's why sane organizations only let your change your password once a day.

    Annoyingly our company had a "you can't re-use any of your last 12 passwords" rule. It was just about to roll around to where I would be able to reuse the first one after 11 months, and then they doubled it to last 24 passwords.

    I can see a pattern here. Perhaps people used: Jan Feb Mar ....

    It was doubled to force them to include the year too... Jan11 Feb11 Mar11 ....

    This must be more secure, right?

    On a more serious note, I've never understood why people want to reuse passwords (and I thought the reason they stop you reusing the last X because they've worked out that you won't remember any before that).

    The whole idea of changing passwords is to minimise unknown security breaches (that is, someone has been using your account but you never noticed). Changing it back to something it was in the past kind of defeats the purpose (especially given that the hacker presumably has been on the system, and most likely has access to at least the rules.... "Hmm... this password doesn't work anymore, let me see, 6 rotations at somewhere between 25-30 days.... I'll try again in 6 months".)

  • Yummy yummy, salted hashes (unregistered) in reply to kastein
    kastein:
    my favorite is the companies that refuse to let me use a secure password:
    • one of my financial accounts insists that I use NO symbols, and that my password be no more than 6 characters long. Thanks guys, glad no one can get into my stock account now!
    • another requires that my password be ridiculously long and complex, be different from my last ten passwords, and get changed every 60 days. I finally ran out of good passwords I could remember and started just changing one digit when asked for a new password. You win guys, too secure for me...

    The sad thing is that I usually come up with ridiculously hard to guess passwords when not forced to follow some goofy set of rules.

    When given the chance I do stupid crap like using altcodes in my password... I want to see someone try and hack that! Bet your rainbow tables don't cover 25 character passwords with upper/lowercase, numbers, symbols, and upper code page characters, script kiddie!

    (I couldn't decide whether you were trolling or not. After writing my essay, I decided you were, but I didn't want a good lecture to go to waste)

    You know what rainbow tables are, right? They require hackers to have access to the hash of passwords, and they then look for a string that creates a particular hash.
    Now, password->Hash is a many to 1 relationship, so the strength of your password is irrelevant in a rainbow lookup (you might be unfortunate enough to have the same hash as "abc123").

    Password complexity combats brute force attacks, not rainbow tables.

    [boring detail - not about food] Of course, we oversimplified. In an attempt to combat rainbow tables, people started to salt their hashes. What this meant was that they would add something else to the hash as well (I think they often used the website name, for instance).
    Obviously, this now meant that 1 rainbow table did not fit all, but the hackers soon realised that it simply meant that (provided they knew the salt) they needed one (actually two - the salt could be placed before or after the password, although if a hacker knew the salt, they would probably know the order) rainbow table for each website. Something more was needed. Somebody (citation needed) decided that adding more salt using a more dynamic string might be the solution. Thus, in some cases the hash is actually made of [dynamic salt][password][static salt]. I think the username is (or was) commonly used. Suddenly, the hackers needed a rainbow table for each username on each website (and if they didn't know the order of the salts, 6 each). To further complicate matters, I believe people started to use data that was more dynamic than the username (eg password changed date).

    Basically (AFAIK, happy to be corrected) well salted hashes are not only good to eat, but render Rainbow Tables virtually useless. [/boring detail]

  • Stiggy (unregistered) in reply to boog
    boog:
    Meep:
    Since JavaScript doesn't have a built-in digest algorithm, most web apps do the hashing on the server side.
    Also, doesn't submitting the hashed password defeat the purpose of hashing? Since you no longer need to know the user's password in order to break in, just what it hashes to.

    For better security, you should also ensure that the hashed value is also subject to complexity requirements.

  • Herby (unregistered)

    Why did I suddenly realize that given these password rules, it is quite easy for the TV characters to hack at various accounts. It must be the reason that they have the rules, to make TV scripts believable!

    Yeah, that's the ticket!

  • Smiddy (unregistered)

    Point 1 says at least 8 character(s) And then the last point is at least 6 characters long... WTF..

  • (cs) in reply to Smiddy
    Smiddy:
    Point 1 says at least 8 character(s) And then the last point is at least 6 characters long... WTF..

    I think the last point used to be the entire policy, then all of the preceding points got tacked on -- the last point should have been deleted but was kept. Because somebody's stupid.

  • Jex (unregistered) in reply to Smiddy
    Smiddy:
    Point 1 says at least 8 character(s) And then the last point is at least 6 characters long... WTF..

    Oh wow!! You're the first to notice that!

  • foo (unregistered) in reply to smxlong
    smxlong:
    Smiddy:
    Point 1 says at least 8 character(s) And then the last point is at least 6 characters long... WTF..

    I think the last point used to be the entire policy, then all of the preceding points got tacked on -- the last point should have been deleted but was kept. Because somebody's stupid.

    Rather because somebody didn't dare delete one rule. A manager might think they made the policy less secure and fire them. CYA design at work.

  • foo (unregistered) in reply to Yummy yummy, salted hashes
    Yummy yummy:
    In an attempt to combat rainbow tables, people started to salt their hashes. What this meant was that they would add something else to the hash as well (I think they often used the website name, for instance). Obviously, this now meant that 1 rainbow table did not fit all, but the hackers soon realised that it simply meant that (provided they knew the salt) they needed one (actually two - the salt could be placed before or after the password, although if a hacker knew the salt, they would probably know the order) rainbow table for each website. Something more was needed. Somebody (citation needed) decided that adding more salt using a more dynamic string might be the solution. Thus, in some cases the hash is actually made of [dynamic salt][password][static salt]. I think the username is (or was) commonly used. Suddenly, the hackers needed a rainbow table for each username on each website (and if they didn't know the order of the salts, 6 each). To further complicate matters, I believe people started to use data that was more dynamic than the username (eg password changed date).
    Unix password hashes were dynamically salted long before web sites even existed. The salt was random and stored with the hash, but still an attacker would need separate tables for each account.

    Why didn't some (citation needed) web site authors do the same from the start? I know I did.
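    An added example (the editor's, not code from the thread or from any commenter) illustrating the point made by "Yummy yummy, salted hashes" and foo above: with a bare digest, one precomputed table serves every account on every site, whereas a random per-account salt stored beside the digest, crypt(3) style, forces the attacker to hash every candidate separately for every account. The user names, passwords and attacker wordlist are constructed for the demo, and the `pbkdf2_sha256$iterations$salt$digest` record layout is an assumption of this example, not any particular system's format.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 20_000  # kept low for the demo; production uses far more

# Constructed sample: two accounts that happen to share a password, and a
# tiny attacker wordlist standing in for a precomputed (rainbow) table.
USERS = {"alice": "Welcome01", "bob": "Welcome01", "carol": "sepgroW4}"}
WORDLIST = ["password", "Welcome01", "summer99", "qwerty123"]


def unsalted(password: str) -> str:
    """Bare digest: same password, same digest, for every account on every site."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_record(password: str, salt: Optional[bytes] = None) -> str:
    """Random per-account salt stored next to the digest so that verification
    can recompute it. Record layout is an assumption of this example."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown record format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def crack_unsalted(stored: dict, wordlist: list) -> tuple:
    """One table, built once, then a dictionary lookup per account: the hashing
    cost is len(wordlist) no matter how many accounts are attacked."""
    table = {unsalted(w): w for w in wordlist}  # the precomputed table
    hashes_computed = len(wordlist)
    found = {user: table[h] for user, h in stored.items() if h in table}
    return found, hashes_computed


def crack_salted(stored: dict, wordlist: list) -> tuple:
    """No shared table is possible: every (account, word) pair needs its own hash."""
    found, hashes_computed = {}, 0
    for user, record in stored.items():
        for w in wordlist:
            hashes_computed += 1
            if verify(w, record):
                found[user] = w
                break
    return found, hashes_computed


def demo() -> dict:
    plain = {u: unsalted(p) for u, p in USERS.items()}
    salted = {u: salted_record(p) for u, p in USERS.items()}
    found_plain, cost_plain = crack_unsalted(plain, WORDLIST)
    found_salted, cost_salted = crack_salted(salted, WORDLIST)
    return {
        "same_digest_for_shared_password": plain["alice"] == plain["bob"],
        "same_record_for_shared_password": salted["alice"] == salted["bob"],
        "unsalted_found": found_plain, "unsalted_cost": cost_plain,
        "salted_found": found_salted, "salted_cost": cost_salted,
    }


if __name__ == "__main__":
    print(demo())
```

    Salting does not rescue a weak password: "Welcome01" falls to the wordlist either way. What changes is that the unsalted table is built once and reused, while the salted attack costs one key derivation per account per guess, and the attacker also learns nothing from two accounts sharing a password, since their records differ.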

  • JustAskin (unregistered) in reply to Todd Lewis
    Todd Lewis:
    No joke: below is the text from our password management page, which I readily admit that I maintain.
    Thinking up a new password can be hard. May we suggest one of the following: HAstjog<7 drY<4muCh sepgroW4} raP&9fEnD 'TWitkIn6 $Moo3wrap 2#fociSEP
    * It can't be a password you've used in the last year.
    * It must be at least 8 characters long.
    * It must contain at least one letter and at least one digit.
    * It must contain at least one of these characters: !@#$%&*+={}?<>"'
    * It and your userid must share fewer than six (or length of your userid) consecutive common characters.
    * It must not:
       <b>start with a hyphen,</b>
       <b>end with a backslash (\),</b> or
       start or end with a space, or
       <b>contain a double-quote (") anywhere except as the last character.</b>

    Needless to say, I'm not always popular around work.

    It may make you unpopular, but most of those rules aren't all that unreasonable.

    Except the ones in bold. Why on earth are they in there? Would allowing those somehow break the code? That sounds like a WTF if true. Or do they just somehow cause a lot of support calls? (I can see where \ might, maybe do that, being so close to the enter key, but even that is a stretch.)
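    An added example (the editor's, not Todd Lewis's actual validation code or anything else from this thread) that implements the rule list Todd Lewis posted and JustAskin quotes above, and generates candidate passwords that satisfy it the way the "may we suggest" line does. The userid `tlewis`, the "used in the last year" list passed in as plain strings, and the case-insensitive comparison against the userid are assumptions made for the example; a real deployment would compare the history against stored hashes, not plaintext. The checks on the leading hyphen, trailing backslash, surrounding spaces and double-quote position are implemented exactly as the list states, without any claim about why the rules exist.

```python
import secrets
import string

SPECIALS = '!@#$%&*+={}?<>"\''  # the set named in the rule list
SUGGESTED = ["HAstjog<7", "drY<4muCh", "sepgroW4}", "raP&9fEnD",
             "'TWitkIn6", "$Moo3wrap", "2#fociSEP"]  # the page's own suggestions


def longest_common_substring(a: str, b: str) -> int:
    """Length of the longest run of consecutive characters shared by a and b."""
    best = 0
    prev = [0] * (len(b) + 1)
    for ca in a:
        cur = [0] * (len(b) + 1)
        for j, cb in enumerate(b, 1):
            if ca == cb:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def validate(password: str, userid: str, recent: tuple = ()) -> list:
    """Return the rules the candidate violates; an empty list means it passes."""
    problems = []
    if password in recent:  # assumption: history supplied as plaintext for the demo
        problems.append("used within the last year")
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("needs at least one letter and one digit")
    if not any(c in SPECIALS for c in password):
        problems.append("needs one of " + SPECIALS)
    limit = min(6, len(userid))  # "fewer than six (or length of your userid)"
    if longest_common_substring(password.lower(), userid.lower()) >= limit:
        problems.append(f"shares {limit}+ consecutive characters with userid")
    if password.startswith("-"):
        problems.append("starts with a hyphen")
    if password.endswith("\\"):
        problems.append("ends with a backslash")
    if password != password.strip(" "):
        problems.append("starts or ends with a space")
    if '"' in password[:-1]:
        problems.append("double-quote not in last position")
    return problems


def suggest(userid: str, length: int = 9, recent: tuple = ()) -> str:
    """Draw uniformly from the allowed alphabet with a CSPRNG and keep only
    candidates that pass every rule (rejection sampling)."""
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not validate(candidate, userid, recent):
            return candidate


if __name__ == "__main__":
    for p in SUGGESTED:
        print(p, validate(p, "tlewis") or "ok")
    print("fresh suggestion:", suggest("tlewis"))
```

    Rejection sampling keeps the generator honest: it never steers a candidate toward the rules, it just discards the few uniformly drawn strings that happen to miss a required class, so the survivors are still uniform over the set of valid passwords.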

  • trtwtf (unregistered) in reply to Mr Big
    Mr Big:
    When it comes to passwords nothing is totally secure. Randomness does not necessarily make a password any more or less secure. (and a pedant will probably tell you that mashing the keyboard does not produce a random series of characters)

    A password randomly selected from a sufficiently large space offers fewer clues than one predictably selected from the same space, and therefore fewer ways to make their brute force attack more efficient. For example, it is considered worth reducing the total search space by eliminating some combinations in order to prevent certain too-predictable combinations.

    This seems useful.

  • Shit Stirrer Supreme (unregistered) in reply to trtwtf
    trtwtf:
    Mr Big:
    When it comes to passwords nothing is totally secure. Randomness does not necessarily make a password any more or less secure. (and a pedant will probably tell you that mashing the keyboard does not produce a random series of characters)

    A password randomly selected from a sufficiently large space offers fewer clues than one predictably selected from the same space, and therefore fewer ways to make their brute force attack more efficient. For example, it is considered worth reducing the total search space by eliminating some combinations in order to prevent certain too-predictable combinations.

    This seems useful.

    Yes, a password generated randomly might be more secure, however a password generated randomly could result in a weak password (such as qwert123).
    Mashing keys would make such a combination more likely...

    A sensible person generating a genuinely random password would probably regenerate if something shyte did get generated, however this sort of selectiveness actually makes the result less random...

  • trtwtf (unregistered) in reply to Shit Stirrer Supreme
    Shit Stirrer Supreme:
    trtwtf:
    Mr Big:
    When it comes to passwords nothing is totally secure. Randomness does not necessarily make a password any more or less secure. (and a pedant will probably tell you that mashing the keyboard does not produce a random series of characters)

    A password randomly selected from a sufficiently large space offers fewer clues than one predictably selected from the same space, and therefore fewer ways to make their brute force attack more efficient. For example, it is considered worth reducing the total search space by eliminating some combinations in order to prevent certain too-predictable combinations.

    This seems useful.

    Yes, a password generated randomly might be more secure, however a password generated randomly could result in a weak password (such as qwert123).
    Mashing keys would make such a combination more likely...

    A sensible person generating a genuinely random password would probably regenerate if something shyte did get generated, however this sort of selectiveness actually makes the result less random...

    I agree that people don't generate random passwords - whether it's by mashing the keys or thinking about randomness or whatever it is. I'm talking about the user being presented with a finite set of well-generated random passwords, say 5, and required to pick one. That takes a bit of the randomness out of it, but still that password is likely to be much stronger against a brute force attack than anything the user is likely to generate - even if they're clever enough to think of using alt codes or something.

    Oddly enough, qwerty123 was exactly my example of a non-random password generated by a user, but I deleted that part of the post. So we can certainly agree that it's the most random of random passwords - it's so random, it's obviously the one to pick.

  • Naresh Kookaburra (unregistered)

    Wow. I can see we have a lot of experts on here today. Let me get this straight: The hive mind concurs that requiring special characters and numbers reduces the search space for passwords? Also, why don't we stop beating around the bush and just agree that a randomly generated UUID would be the ideal password. KTHXBAI

  • trtwtf (unregistered) in reply to Naresh Kookaburra
    Naresh Kookaburra:
    Wow. I can see we have a lot of experts on here today. Let me get this straight: The hive mind concurs that requiring special characters and numbers reduces the search space for passwords?

    No, the hive mind does not agree. The hive mind agrees that restraints on the placement of certain classes of characters reduces the search space for passwords, but that this is sometimes a good tradeoff if it prohibits easily-guessed passwords. For example, prohibiting "qwerty123" would reduce the search space by 1, but eliminating it might force more complexity into the overall set of passwords, and therefore increase the effective search space.

    Also, why don't we stop beating around the bush and just agree that a randomly generated UUID would be the ideal password.

    If it's short enough to be remembered and not subject to frequent required changes, yes it probably would be much more secure than a user-generated password and still memorable without the clever use of post-it notes under the desk.

  • kktkkr (unregistered)

    Without further ado, the code:

    bool isValidPwd(Pwdstring stringToTest){
    return Math.floor(0.08/Math.random());
    }
    
  • Matt (unregistered)

    So it has to have 8 characters minimum, and at least 6 characters?

    Technically correct, but surely there's a better way of phrasing it.

  • Bradley (unregistered) in reply to dogbrags

    The best thing is that the ! itself is actually allowed in the password. Clearly they didn't have a problem with it! (pun intended)

  • Master Yoda (unregistered)

    Your username contain must not, young padawan!

  • (cs)

    When I worked at a place that cared about security, they let us pick any password we wanted... from a list of 10 randomly generated ones (this was to make it harder for someone to record the password if they were looking over our shoulder). We only needed to change it every month.

  • Dahpluth (unregistered)

    not be longer than 12 characters!

    So basically any password I've made up in the last 10 years is too long... That's also a weird constraint for password security.
