How an entire industry came to be built around the concept of security is beyond my understanding.
There are companies that require you to download several pieces of software to keep your PC running well. My thought process tells me that this should be the OS maker's job.
Point in favor of Apple, who does this right. You don't need an anti-virus tool for the Apple Macintosh.
Admin
I'd love to see the code that validates these rules.
Admin
I know it has been mentioned before, but with that many restrictions it appears like the password is between 8-12 characters, characters can only be alphanumeric, and the use of certain characters relating to the user are excluded... this makes for a rather narrow "dictionary" of characters to test on. (Yikes! I'm getting flashbacks from my Automata class.)
Admin
That rule isn't hard at all. Just replace some of the letters in your username with corresponding digits. And tack on digits to the end, so you can just cycle the last 2 of the password.
Admin
Um, that's why sane organizations only let you change your password once a day.
Annoyingly our company had a "you can't re-use any of your last 12 passwords" rule. It was just about to roll around to where I would be able to reuse the first one after 11 months, and then they doubled it to last 24 passwords.
Admin
Hi kastein, purely out of curiosity, what stock site is that?
Admin
How else are they supposed to recover the password if a user forgets it?
Admin
Go ahead, double your weak security. It only means you'll have twice as much weak security.
Admin
I'm surprised that \ and ' were allowed - the former is a popular metacharacter not only in regular expressions, and the second one can get you into problems with SQL.
CAPTCHA: suscipit - reminds me of the Magnificat which I sang in choir once.
Admin
Policy where I work:
* 3 out of 4 categories required: capitals, lowercase, numbers, digits
* Lockup after 3 consecutive failures
* Must change after 30 days
* CANNOT CHANGE VOLUNTARILY within 6 days of a previous password change
* Previous 13 passwords cannot be re-used
* Minimum 8 characters
Current password used at my work (a lot):
"Default password on account creation": Welcome01
A lot of users use January2011, February2011 (in Feb); at this moment they are at, depending on which date they have to change their password, March2011 or April2011.
No doubt that I will receive within a few days some calls about their "new" password not being accepted. (May2011 is shorter than 8 chars. Somehow they find it something IT must fix.)
Last year I received similar calls from about 25 different users... at a company with 600 users.
P.S.: the "cannot change within 6 days" was to prevent some idiot who always used the same password and, at the time to change it, immediately changed it 14 times... (ending up with the same one he started with).
To my question of what I had to do when I noticed that someone saw me typing my password, they still have to give me an answer.
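As an added example (my code, not the poster's and not the article's), here is what a validator for the policy listed in the post above looks like in Python, with the poster's observations re-enacted: "January2011" and "Welcome01" satisfy every rule, "May2011" fails only on length, and the fourteen-changes-in-a-day trick is stopped by the six-day minimum age. The fourth character class is assumed to be symbols, since the post lists numbers and digits as two classes; the dates and passwords are constructed for the demonstration.

```python
from datetime import date, timedelta
from typing import List
import hashlib
import re

# Policy figures from the post above.
MIN_LENGTH = 8
MAX_AGE_DAYS = 30      # must change after 30 days
MIN_AGE_DAYS = 6       # no voluntary change within 6 days of the last one
HISTORY_DEPTH = 13     # previous 13 passwords cannot be reused
CLASSES_REQUIRED = 3

# The post lists "capitals, lowercase, numbers, digits"; the fourth class is
# assumed here to be symbols (anything that is not a letter or digit).
CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def day(iso: str) -> date:
    """Convenience: '2011-05-01' -> date."""
    return date.fromisoformat(iso)


def fingerprint(password: str) -> str:
    """Toy history entry. A real directory stores salted, slow hashes, not bare SHA-256."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def must_change(last_change: date, today: date) -> bool:
    """Expiry rule: the current password is at least MAX_AGE_DAYS old."""
    return (today - last_change).days >= MAX_AGE_DAYS


def check_password(new: str, history: List[str], last_change: date,
                   today: date, forced: bool = False) -> List[str]:
    """Return the rules the proposed change violates (empty list = accepted).

    'history' holds fingerprints, oldest first. 'forced' marks an expiry-driven
    change, which the post says is exempt from the six-day minimum age.
    """
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    hit = sum(1 for rx in CLASSES.values() if rx.search(new))
    if hit < CLASSES_REQUIRED:
        problems.append(f"only {hit} of 4 character classes")
    if fingerprint(new) in history[-HISTORY_DEPTH:]:
        problems.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
    age = (today - last_change).days
    if not forced and age < MIN_AGE_DAYS:
        problems.append(f"changed {age} day(s) ago; wait {MIN_AGE_DAYS}")
    return problems


def cycle_back(original: str, fillers: List[str], last_change: date, today: date):
    """Re-enact the anecdote: on the day the old password expires, rotate
    through 'fillers' in one sitting and try to land back on 'original'.
    Returns (number of rejected changes, whether the original was accepted)."""
    history = [fingerprint(original)]
    changed_on = last_change
    rejected = 0
    for pw in fillers:
        if check_password(pw, history, changed_on, today,
                          forced=must_change(changed_on, today)):
            rejected += 1
            continue
        history.append(fingerprint(pw))
        changed_on = today
    back = check_password(original, history, changed_on, today,
                          forced=must_change(changed_on, today))
    return rejected, not back


if __name__ == "__main__":
    today = day("2011-05-01")                       # constructed date
    expired = today - timedelta(days=31)
    for pw in ("January2011", "Welcome01", "May2011"):
        print(pw, check_password(pw, [], expired, today, forced=True) or "accepted")
    fillers = [f"Filler{n:02d}x" for n in range(13)]   # constructed throwaway passwords
    print(cycle_back("Welcome01", fillers, expired, today))
```

Only the first filler gets through (it is the forced expiry change); the remaining twelve and the attempt to return to the original are all rejected by the six-day rule, which is exactly what the post says the rule was added for. Note that the policy happily accepts the "Month + year" pattern the poster's users have converged on.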
Admin
The problem is that some people just want to annoy you (BOFH types). They are the ones who insist on super complex passwords for such things as tomorrow's lunch menu (as if it were an atomic secret!). The rules continue to confound me, as the need for security is NEVER the same as ACTUAL security implemented. Cue up Dilbert cartoon here!
Admin
No joke: below is the text from our password management page, which I readily admit that I maintain.
Admin
Desk has a key lock. Janitor doesn't have key. Also, hacker is more inclusive, as the hacker can be a janitor but the janitor doesn't need to be a hacker.
Admin
The robot, of course. Your office doesn't have one?
Admin
When you graduate from junior high, then you'll learn the truth young grasshopper.
Admin
This makes my job much easier. There are only a handful of passwords that match all of those criteria. Now I just need to figure them out.
Admin
Surely you mean 12 character(s)!
Admin
I once used a password safe and made all my passwords randomly generated guids. I figured the sun would consume the earth in a raging inferno before a brute force attack could crack my password. That lasted all of until the first time I tried to sign into something on my phone. Security is nice, but I prefer a little bit of usability over an obscene amount of security.
Admin
I just realised that's why we all use summer99
Admin
you are right ! i'm going to try that on my memoranda !
Admin
[quote user="article"]
Uh oh, 'a', 'A', 'I' and 'O' can't be used in a password. Assuming they do their dictionary check case-insensitively (that is, that something like caPSiCum would still match as a dictionary word), this excludes 'i' and 'o' as well...
I could see the potential password space being quite small here...
Admin
When it comes to passwords nothing is totally secure.
Randomness does not necessarily make a password any more or less secure. (and a pedant will probably tell you that mashing the keyboard does not produce a random series of characters)
Admin
How do you get 'creepy guy' to move out? Find someone more sinister, perhaps?
Admin
TRRWTF is that they'll probably store the passwords in clear text and have somebody audit them.
Captcha: eros; Why do I always get this captcha? Is the site commenting on my sex life?
Admin
I can see a pattern here. Perhaps people used: Jan Feb Mar ....
It was doubled to force them to include the year too... Jan11 Feb11 Mar11 ....
This must be more secure, right?
On a more serious note, I've never understood why people want to reuse passwords (and I thought the reason they stop you reusing the last X is because they've worked out that you won't remember any before that).
The whole idea of changing passwords is to minimise unknown security breaches (that is, someone has been using your account but you never noticed). Changing it back to something it was in the past kind of defeats the purpose (especially given that the hacker presumably has been on the system, and most likely has access to at least the rules...."Hmm...this password doesn't work anymore, let me see, 6 rotations at somewhere between 25-30 days....I'll try again in 6 months").
Admin
(I couldn't decide whether you were trolling or not. After writing my essay, I decided you were, but I didn't want a good lecture to go to waste)
You know what rainbow tables are, right? they require hackers to have access to the hash of passwords, and they then look for a string that creates a particular hash.
Now, password->Hash is a many to 1 relationship, so the strength of your password is irrelevant in a rainbow lookup (you might be unfortunate enough to have the same hash as "abc123").
Password complexity combats brute force attacks, not rainbow tables.
[boring detail - not about food] Of course, we oversimplified. In an attempt to combat rainbow tables, people started to salt their hashes. What this meant was that they would add something else to the hash as well (I think they often used the website name, for instance).
Obviously, this now meant that 1 rainbow table did not fit all, but the hackers soon realised that it simply meant that (provided they knew the salt) they needed one (actually two - the salt could be placed before or after the password, although if a hacker knew the salt, they would probably know the order) rainbow table for each website. Something more was needed. Somebody (citation needed) decided that adding more salt using a more dynamic string might be the solution. Thus, in some cases the hash is actually made of [dynamic salt][password][static salt]. I think the username is (or was) commonly used. Suddenly, the hackers needed a rainbow table for each username on each website (and if they didn't know the order of the salts, 6 each). To further complicate matters, I believe people started to use data that was more dynamic than the username (eg password changed date).
Basically (AFAIK, happy to be corrected) well salted hashes are not only good to eat, but render Rainbow Tables virtually useless. [/boring detail]
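An added example (mine, not the commenter's) of the salting the comment above describes, using only Python's standard library. It precomputes a lookup table over a constructed wordlist for one fixed, site-wide salt, which still recovers every account that chose a listed password, and then shows the same table finding nothing once each record carries its own random 16-byte salt. The user names, passwords, the salt value and the PBKDF2 iteration count are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional, Tuple

ITERATIONS = 100_000          # PBKDF2-HMAC-SHA256 work factor; assumed, tune for production
SITE_SALT = b"example.com"    # the "static salt" from the comment above (assumed value)

# Constructed wordlist and victims for the demonstration.
WORDLIST = ["Welcome01", "January2011", "summer99", "qwerty123"]
USERS = {"alice": "Welcome01", "bob": "January2011", "carol": "Tr0ub4dor&3"}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). With no salt given, draws a fresh random one per call."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    return hmac.compare_digest(hash_password(password, salt)[1], stored)


def store_users(users: Dict[str, str],
                static_salt: Optional[bytes]) -> Dict[str, Tuple[bytes, bytes]]:
    """Simulate the user table: one fixed salt for everyone, or a random salt per user."""
    return {name: hash_password(pw, static_salt) for name, pw in users.items()}


def build_table(wordlist: Iterable[str], salt: bytes) -> Dict[bytes, str]:
    """The attacker's precomputation: digest -> password, valid only for this salt."""
    return {hash_password(w, salt)[1]: w for w in wordlist}


def crack(records: Dict[str, Tuple[bytes, bytes]],
          table: Dict[bytes, str]) -> Dict[str, Optional[str]]:
    """Look every stored digest up in the precomputed table; None means no hit."""
    return {name: table.get(digest) for name, (_, digest) in records.items()}


def demo() -> Tuple[Dict[str, Optional[str]], Dict[str, Optional[str]]]:
    """Same wordlist, same table, two storage schemes."""
    table = build_table(WORDLIST, SITE_SALT)
    hits_static = crack(store_users(USERS, SITE_SALT), table)
    hits_random = crack(store_users(USERS, None), table)
    return hits_static, hits_random


if __name__ == "__main__":
    static_hits, random_hits = demo()
    print("site-wide salt:", static_hits)
    print("per-user salt: ", random_hits)
```

With the site-wide salt the attacker pays for the table once and reads off alice and bob; carol is missed only because her password is not on the list. With a per-user salt the table is useless and the attacker is back to guessing each account separately, at ITERATIONS hashes per guess, which is why the slow KDF and the random salt belong together.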
Admin
For better security, you should also ensure that the hashed value is also subject to complexity requirements.
Admin
Why did I suddenly realize that given these password rules, it is quite easy for the TV characters to hack at various accounts. It must be the reason that they have the rules, to make TV scripts believable!
Yeah, that's the ticket!
Admin
Point 1 says at least 8 character(s) And then the last point is at least 6 characters long... WTF..
Admin
I think the last point used to be the entire policy, then all of the preceding points got tacked on -- the last point should have been deleted but was kept. Because somebody's stupid.
Admin
Oh wow!! You're the first to notice that!
Admin
Why didn't some (citation needed) web site authors do the same from the start? I know I did.
Admin
A password randomly selected from a sufficiently large space offers fewer clues than one predictably selected from the same space, and therefore fewer ways to make their brute force attack more efficient. For example, it is considered worth reducing the total search space by eliminating some combinations in order to prevent certain too-predictable combinations.
This seems useful.
Admin
Yes, a password generated randomly might be more secure, however a password generated randomly could result in a weak password (such as qwert123).
Mashing keys would make such a combination more likely...
A sensible person generating a genuinely random password would probably regenerate if something shyte did get generated, however this sort of selectiveness actually makes the result less random...
Admin
I agree that people don't generate random passwords - whether it's by mashing the keys or thinking about randomness or whatever it is. I'm talking about the user being presented with a finite set of well-generated random passwords, say 5, and required to pick one. That takes a bit of the randomness out of it, but still that password is likely to be much stronger against a brute force attack than anything the user is likely to generate - even if they're clever enough to think of using alt codes or something.
Oddly enough, qwerty123 was exactly my example of a non-random password generated by a user, but I deleted that part of the post. So we can certainly agree that it's the most random of random passwords - it's so random, it's obviously the one to pick.
Admin
Wow. I can see we have a lot of experts on here today. Let me get this straight: The hive mind concurs that requiring special characters and numbers reduces the search space for passwords? Also, why don't we stop beating around the bush and just agree that a randomly generated UUID would be the ideal password. KTHXBAI
Admin
No, the hive mind does not agree. The hive mind agrees that restraints on the placement of certain classes of characters reduces the search space for passwords, but that this is sometimes a good tradeoff if it prohibits easily-guessed passwords. For example, prohibiting "qwerty123" would reduce the search space by 1, but eliminating it might force more complexity into the overall set of passwords, and therefore increase the effective search space.
If it's short enough to be remembered and not subject to frequent required changes, yes it probably would be much more secure than a user-generated password and still memorable without the clever use of post-it notes under the desk.
Admin
Without further ado, the code:
Admin
So it has to have 8 characters minimum, and at least 6 characters?
Technically correct, but surely there's a better way of phrasing it.
Admin
The best thing is that the ! itself is actually allowed in the password. Clearly they didn't have a problem with it! (pun intended)
Admin
Your username contain must not, young padawan!
Admin
When I worked at a place that cared about security, they let us pick any password we wanted... from a list of 10 randomly generated ones (this was to make it harder for someone to record the password if they were looking over our shoulder). We only needed to change it every month.
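Added example (mine, not the poster's or their employer's) of generating the kind of menu described in the post above with Python's secrets module, rejecting candidates that show fewer than three character classes, plus an exact inclusion-exclusion count of how many strings survive that filter, so the entropy left after rejection can be stated rather than guessed. The 12-character length, the menu size of 10 and the 94-character alphabet are assumptions.

```python
import itertools
import math
import secrets
import string
from typing import List

ALPHABET = string.ascii_letters + string.digits + string.punctuation   # 94 symbols
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "symbol": len(string.punctuation)}


def char_classes(pw: str) -> int:
    """How many of upper / lower / digit / symbol the string contains."""
    return sum([any(c.isupper() for c in pw), any(c.islower() for c in pw),
                any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)])


def random_password(length: int = 12, min_classes: int = 3) -> str:
    """Uniform draw from ALPHABET**length, rejecting strings below min_classes.
    secrets, not random: the latter is a PRNG with a recoverable state."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if char_classes(pw) >= min_classes:
            return pw


def password_menu(n: int = 10, length: int = 12) -> List[str]:
    """The 'pick one of these' list from the post above."""
    return [random_password(length) for _ in range(n)]


def count_with_at_least(length: int, min_classes: int) -> int:
    """Exact number of strings over ALPHABET of this length containing at
    least min_classes character classes (inclusion-exclusion over subsets)."""
    names = list(CLASS_SIZES)
    total = 0
    for k in range(min_classes, len(names) + 1):
        for present in itertools.combinations(names, k):
            # strings whose class set is exactly 'present'
            for j in range(len(present) + 1):
                for sub in itertools.combinations(present, j):
                    size = sum(CLASS_SIZES[c] for c in sub)
                    total += (-1) ** (len(present) - j) * size ** length
    return total


def entropy_bits(length: int = 12, min_classes: int = 3) -> float:
    """Entropy of one generated password: log2 of the accepted strings."""
    return math.log2(count_with_at_least(length, min_classes))


if __name__ == "__main__":
    for pw in password_menu():
        print(pw)
    print(f"{entropy_bits():.2f} bits per password vs "
          f"{12 * math.log2(len(ALPHABET)):.2f} without the class filter")
```

The class filter throws away well under one percent of 12-character candidates, so it costs about a hundredth of a bit; the generator's strength comes from the uniform draw, not from the rule. Handing the user a menu of ten does not hand the attacker anything unless the attacker also saw the menu.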
Admin
not be longer than 12 characters!
So basically any password I've made up in the last 10 years is too long... That's also a weird constraint for password security.