• (cs) in reply to Serpentes
    Serpentes:
    I once worked at a company whose password policy, as best I remember it, was:
    • Minimum 10 characters, maximum 24.
    • Must contain at least one each of capital letters, lowercase letters, numbers, punctuation marks.
    • Passwords expire every 45 calendar days.
    • No password may contain a substring that is a valid entry in the system's English lookup dictionary.
    • No password may contain any of an enumerated (but not publicly announced) list of prohibited substrings.
    • No password may repeat any character-position pair that was used in any of your 16 previous passwords.

    The dictionary lookup was very thorough. Too thorough. As a result, no password could contain (in either case) the letters A or I, since those were, of course, in the lookup dictionary. I rapidly concluded that vowels simply weren't worth my time. Although passwords were case sensitive (and had required mixed-case), the dictionary check was NOT -- so no thinking that "dUmB" was a valid substring.

    The secret substring blacklist wasn't any better. As far as I could ever determine, it included every alphabetically ordered three letter series, regardless of case (so no "FGH" or "PQR") and every three letter numerical series (no "123" or "789"). Also, sometimes, passwords would fail even if they should have been valid, so the blacklist clearly had some other nonsense on it.

    Probably already at Security by Post-It levels, the character-position non-reuse rule is what made it a likely violation of the Geneva Convention (with the 45 day expiration timer not helping at all). The story was that originally there was a standard "cannot repeat previous passwords" rule, but the security psychos realized people were just iterating a number at the end of their password. They concluded that was a security risk, because ninja death hackers would be smart enough to conclude that any compromised password was part of a sequence and thus obtain the current password, wreaking havoc and ending civilization. Their solution is just as horrid as it sounds. If you had a password with R as the second character, then for the next 16 passwords, the second character couldn't be R. Every character had to be novel, every time.

    The character-position system was also buggy. It was fine with passwords that were less than the maximum length ... sort of. If you always used a constant password length, you never saw the bug. But if you ever once created a password longer than your longest previous password, that became your new minimum length, because the matching code was clearly a WTF all by itself.

    And finally, note that the system wouldn't tell you why a password request failed (after the 5-10 minute "testing password" phase), just that it was invalid due to a "Rules Exception". Had you stumbled on some secret blacklisted character sequence? Had you accidentally repeated the 14th character of the password you used 9 months ago? Did you discover some Welsh-originated horror lurking in the lookup dictionary ("cwm", for example; it was a pretty good dictionary)? No way to know! Just pound on the keyboard like a monkey and try again!

    Sounds like a job for ... Superprogram!

    "Just" write a program which automatically generates a random string which adheres to the rules above. (Except that it doesn't know what the "prohibited substrings" are.) Then you need to carry a little (black) book with your passwords in. (Don't carry the account for which the password accesses in case you're mugged on the way to the station and it gets stolen by manic hackers.)

    Actually, those password rules miss a trick: they should also disallow passwords whose letters are on alternate sides of the keyboard to disallow those flights of frustrated randomness like Kz03ksupdywn (oops that won't work it has "up" and "dywn" in it) generated by frantic bashing of keyboard by index fingers in turn. After all, that's how the Enigma code was broken.

  • (cs) in reply to trtrwtf
    trtrwtf:
    socknet:
    The primary reason for changing passwords regularly isn't to try and make it more difficult to crack (i.e. to change it halfway through someone's brute force), it is so that if the password is cracked, the problem will only exist until the next reset.

    That's my question - does a cracker return to a cracked password? Or do they just do their thing and go?

    Serious question, I really don't know much about typical cracker behavior (insert white people joke here). My naive supposition would be that you would assume a cracked password would be detected, and to return to it would be setting yourself up, but maybe that's not the case.

    Any leet warez verdorz here want to clue me in?

    If a cracker cracks a pwd then I would have thought an entertaining thing to do would be to change it. By the time the original user has managed to persuade the company "hey this really is me, some blighter has impersonated me" you can off and run with significant quantities of assets.

    Making the pwd rules difficult to intuit would limit the cracker's ability to change that pwd.

  • Simon (unregistered)

    What's with those "not more than 12 characters and must not contain any special characters" requirements anyway?

  • Piotr Tramosky (unregistered)

    I loled at many of the comments...

    I notice that

    have at least 2 letter(s)!
    is redundant with
    have upper and lower case characters!
    not to talk about the "must not contain" + "must not be" nonsense, + the last one which is probably the old rules, left here for history...

    TRWTF here is with all the "special characters" madness. It screams something like "I inject passwords in regexes in a horrible way and can't be bothered with escaping them before". Would be fun if their system used regexes on login too.

    login : admin
    password : .*
  • attroneys (unregistered)

    Well, it's a great post

  • Grey (unregistered) in reply to dpm

    So TRWTF is my gmail password conforms to all of these requirements. I feel shame, huh...

  • Sten (unregistered)

    My user name is “abcdefghijklmnopqrstuvwxyz”. I’m so screwed!

  • Harrow (unregistered) in reply to Gunslinger
    Gunslinger:
    socknet:
    Spivonious:
    trtrwtf:
    Spivonious:
    My company doesn't let you use any of the last five passwords. So I have a post-it in my drawer that has the last five passwords on it. I figure if the janitor has access to my desk, he deserves access to my PC.

    FTFY

    Our room is locked-down so the janitor doesn't steal computers. The only people allowed in are in my department.

    Who vacuums?

    The robot, of course. Your office doesn't have one?

    We never use ours any more. It did a great job cleaning, but we could never stop it going through the cabinets and drawers looking for passwords.

    -Harrow.

  • derp (unregistered)

    By knowing what to put or not put inside it is way easier to brute-force. If I know the password should be 8 characters long and have at least 2 upper case letters it reduces the possibilities.

    This is how it should be: Digits, upper and lower case characters and special characters, not your username, not your username backwards, not your or any other birthdate, at least 20 characters long

  • (cs)

    Forgot:

    • not contain )
  • ziemas (unregistered) in reply to trtrwtf
    trtrwtf:
    Speaking of such things, is there any real reason to suppose that changing passwords every N days increases security? Wouldn't it make more sense to just require a sufficiently complex and long password and leave it at that? I think just about anyone could memorize a truly random 14-character password if they had to type it every day, but if you have to change it once a month then you have to come up with algorithms for generating "unguessable" passwords. These include things like regular substitutions, which become well known (ie, @ for a, 1 for i or l, and so forth), and the purpose is successfully defeated.

    Good point! I can think of no reason.

  • ziemas (unregistered) in reply to socknet
    socknet:
    trtrwtf:
    Speaking of such things, is there any real reason to suppose that changing passwords every N days increases security? Wouldn't it make more sense to just require a sufficiently complex and long password and leave it at that? I think just about anyone could memorize a truly random 14-character password if they had to type it every day, but if you have to change it once a month then you have to come up with algorithms for generating "unguessable" passwords. These include things like regular substitutions, which become well known (ie, @ for a, 1 for i or l, and so forth), and the purpose is successfully defeated.

    The primary reason for changing passwords regularly isn't to try and make it more difficult to crack (i.e. to change it halfway through someone's brute force), it is so that if the password is cracked, the problem will only exist until the next reset.

    Resetting a password regularly without sufficient complexity is of limited use, as is having a complex password with no resets

    BS! On any proper system trying to guess a password is prevented by only allowing 3 entries.

    So there's no reason to prevent brute force attacks with a password changing policy.

    Furthermore, with a 12-character password containing upper and lowercase letters, digits and other characters, the average time with a billion guesses a second is about 90000 years.

  • Sock Puppets R Us (unregistered) in reply to frits
    frits:
    ÃÆâ€â„Â:
    BLs:
    two X chromosomes
    As if women didn't have enough to worry about
    FTFY
    For anyone who didn't know, we're having a 3-for-1 sale down here.
  • Anne McGee (unregistered) in reply to Serpentes
    Serpentes:
    I once worked at a company whose ******** policy, as best I remember it, was:
    • Minimum 10 characters, maximum 24.
    • Must contain at least one each of capital letters, lowercase letters, numbers, punctuation marks.
    • ********s expire every 45 calendar days.
    • No ******** may contain a substring that is a valid entry in the system's English lookup dictionary.
    • No ******** may contain any of an enumerated (but not publicly announced) list of prohibited substrings.
    • No ******** may repeat any character-position pair that was used in any of your 16 previous ********s.

    The dictionary lookup was very thorough. Too thorough. As a result, no ******** could contain (in either case) the letters A or I, since those were, of course, in the lookup dictionary. I rapidly concluded that vowels simply weren't worth my time. Although ********s were case sensitive (and had required mixed-case), the dictionary check was NOT -- so no thinking that "dUmB" was a valid substring.

    The secret substring blacklist wasn't any better. As far as I could ever determine, it included every alphabetically ordered three letter series, regardless of case (so no "FGH" or "PQR") and every three letter numerical series (no "123" or "789"). Also, sometimes, ********s would fail even if they should have been valid, so the blacklist clearly had some other nonsense on it.

    Probably already at Security by Post-It levels, the character-position non-reuse rule is what made it a likely violation of the Geneva Convention (with the 45 day expiration timer not helping at all). The story was that originally there was a standard "cannot repeat previous ********s" rule, but the security psychos realized people were just iterating a number at the end of their ********. They concluded that was a security risk, because ninja death hackers would be smart enough to conclude that any compromised ******** was part of a sequence and thus obtain the current ********, wreaking havoc and ending civilization. Their solution is just as horrid as it sounds. If you had a ******** with R as the second character, then for the next 16 ********s, the second character couldn't be R. Every character had to be novel, every time.

    The character-position system was also buggy. It was fine with ********s that were less than the maximum length ... sort of. If you always used a constant ******** length, you never saw the bug. But if you ever once created a ******** longer than your longest previous ********, that became your new minimum length, because the matching code was clearly a WTF all by itself.

    And finally, note that the system wouldn't tell you why a ******** request failed (after the 5-10 minute "testing ********" phase), just that it was invalid due to a "Rules Exception". Had you stumbled on some secret blacklisted character sequence? Had you accidentally repeated the 14th character of the ******** you used 9 months ago? Did you discover some Welsh-originated horror lurking in the lookup dictionary ("cwm", for example; it was a pretty good dictionary)? No way to know! Just pound on the keyboard like a monkey and try again!

    I'm having trouble understanding this. Why is everyone typing stars everywhere?

  • Resu (unregistered) in reply to dogbrags

    Your password must:

    • have at least 8 character(s)!
    <snip> • be at least 6 characters long,

    Lol, which is it? :)

  • Not of this Earth (unregistered) in reply to derp
    derp:
    By knowing what to put or not put inside it is way easier to brute-force. If I know the password should be 8 characters long and have at least 2 upper case letters it reduces the possibilities.

    This is how it should be: Digits, upper and lower case characters and special characters, not your username, not your username backwards, not your or any other birthdate, at least 20 characters long

    Freedom to passwords! All are equal before the God, even 1-letter passwords!

  • (cs) in reply to Resu
    Resu:
    Your password must: • have at least 8 character(s)! <snip> • be at least 6 characters long,

    Lol, which is it? :)

    Maybe it's a typo, and your password has to be at least 8 bytes and no fewer than 6 UTF-8 characters.

  • (cs) in reply to Sock Puppets R Us
    Sock Puppets R Us:
    frits:
    ÃÆâ€â„Â:
    BLs:
    two X chromosomes
    As if women didn't have enough to worry about
    FTFY
    For anyone who didn't know, we're having a 3-for-1 sale down here.

    Nice try, but neither of those are my sockpuppets. I usually don't use sockpuppets to talk to meself, just to make lame(r) jokes.

    It's actually flattering because those two guys were actually being funny and not stupid. Now if you accused me of being Nagesh...

  • drusi (unregistered) in reply to June
    June:
    Ken B.:
    boog:
    C-Octothorpe:
    hoodaticus:
    I've long promoted the notion that the secret to securing any system is to eliminate its users.
    BOFH?

    Do you have a lot of elevator and electrical "accidents" at your workplace?

    Safety incidents going through the roof would be a huge red flag. Better to just hire a really creepy guy that scares everyone into finding work elsewhere or early retirement.
    Same thing with getting rid of an apartment building full of bad tenants. (Which you just bought at a bargain price, due to said tenants.)

    Tenant "protection" laws make it very difficult / costly / time-consuming to evict them. So...

    Pay "creepy guy" to move into a vacant apartment. Let CG indulge his "hobbies", such as running up and down the hallway in the middle of the night wearing his ski boots, playing his "Hooked on Polka" CDs all day long, cooking with Nam Pla / Padaek, and so on. Tenants spontaneously decide to move elsewhere.

    Easy / inexpensive / efficient.

    How do you get 'creepy guy' to move out? Find someone more sinister, perhaps?

    You stop paying him.

  • Todd Lewis (unregistered) in reply to JustAskin
    JustAskin:
    Todd Lewis:
    No joke: below is the text from our password management page, which I readily admit that I maintain.
    Thinking up a new password can be hard. May we suggest one of the following: HAstjog<7 drY<4muCh sepgroW4} raP&9fEnD 'TWitkIn6 $Moo3wrap 2#fociSEP
    * It can't be a password you've used in the last year.
    * It must be at least 8 characters long.
    * It must contain at least one letter and at least one digit.
    * It must contain at least one of these characters: !@#$%&*+={}?<>"'
    * It and your userid must share fewer than six (or length of your userid) consecutive common characters.
    * It must not:
       <b>start with a hyphen,</b>
       <b>end with a backslash (\),</b> or
       start or end with a space, or
       <b>contain a double-quote (") anywhere except as the last character.</b>

    Needless to say, I'm not always popular around work.

    It may make you unpopular, but most of those rules aren't all that unreasonable.

    Except the ones in bold. Why on earth are they in there? Would allowing those somehow break the code? That sounds like a WTF if true. Or do they just somehow cause a lot of support calls? (I can see where \ might, maybe do that, being so close to the enter key, but even that is a stretch.)

    When the policy was crafted, we wanted to come up with passwords that would work on various UNIX systems, Windows (of the time), Novell Netware, RACF, and a couple of others I can't think of at the moment. The weird ones ('"' at the end, '' and '-'; your bold didn't come through, but I'm guessing these are the ones you meant) were problems with old Windows systems.

    We also expire them every 90 days.

  • NoAstronomer (unregistered) in reply to Seth
    Seth:
    I'd love to see the code that validates these rules.

    public boolean IsPasswordValid(String password) { return false; }

    How's that?

  • Matt (unregistered) in reply to dogbrags

    Old job changed the password requirement for SAP.

    Password had to have two lower case characters, two upper case characters, two special characters and two numbers.

    It's not a mistake that I've left "at least" out of there. Password had to be EXACTLY eight characters long, with that make up. Everyone's passwords became something like 33££EEee.

  • (cs) in reply to boog
    boog:
    C-Octothorpe:
    hoodaticus:
    I've long promoted the notion that the secret to securing any system is to eliminate its users.
    BOFH?

    Do you have a lot of elevator and electrical "accidents" at your workplace?

    Safety incidents going through the roof would be a huge red flag. Better to just hire a really creepy guy that scares everyone into finding work elsewhere or early retirement.
    We already have Raunchy Fart Guy who drinks waaaaay too much protein shake, yet people continue working here. Maybe we should stop giving out free alcohol?

  • Jochem (unregistered) in reply to Anon

    Actually, that's the default Windows 2003/2008 password policy, pretty much. It means that your password must include exactly three out of the four types of characters mentioned.

    So it has to have (for example) upper- and lower case letters, and a number, but not also a punctuation mark.

    so abDE12,. doesn't qualify, but abcDE1 does... silly microsoft...

  • (cs) in reply to Mr Big
    Mr Big:
    When it comes to passwords nothing is totally secure. Randomness does not necessarily make a password any more or less secure. (and a pedant will probably tell you that mashing the keyboard does not produce a random series of characters)
    Actually, a pedant will tell you that mashing the keyboard does not even produce a pseudo-random series of characters.
  • Duh (unregistered) in reply to Gunslinger
    Gunslinger:
    Nagesh:
    My thought process tells me that this should be the OS maker's job.

    When you graduate from junior high, then you'll learn the truth young grasshopper.

    It's okay. He thinks that the contractors that built his home should take care of keeping the alarm and theft insurance up to date and that the car company that made his car should provide him with free Lo-Jack for life. Oh, wait, he lives in a shitty basement apartment with nothing worth stealing and rides a stolen bicycle.
  • (cs) in reply to Duh
    Duh:
    Gunslinger:
    Nagesh:
    My thought process tells me that this should be the OS maker's job.

    When you graduate from junior high, then you'll learn the truth young grasshopper.

    It's okay. He thinks that the contractors that built his home should take care of keeping the alarm and theft insurance up to date and that the car company that made his car should provide him with free Lo-Jack for life. Oh, wait, he lives in a shitty basement apartment with nothing worth stealing and rides a stolen bicycle.

    madarchod, I am driving top motor-cycle for past two years. Take look at motor-cycles made in India on Hero Honda's website.

    *akismet, moronic buffoon, this is not spam...

  • (cs)

    I did a stint once as an AS/400 admin at a bank. I also did the offsite backups (big reels of tape. I'm 30 years old, so it's the bank that was antiquated, not me).

    I stored the offsite backups in a random bank vault at a random branch. Invariably, the combinations to the vault were always written on a post-it note or business card in the top desk drawer closest to the vault.

    And lest I forget, some of the branches' alarm systems were never completed by the security contractors, meaning they were never armed.

  • C-Octothorpe (unregistered) in reply to hoodaticus
    hoodaticus:
    boog:
    C-Octothorpe:
    hoodaticus:
    I've long promoted the notion that the secret to securing any system is to eliminate its users.
    BOFH?

    Do you have a lot of elevator and electrical "accidents" at your workplace?

    Safety incidents going through the roof would be a huge red flag. Better to just hire a really creepy guy that scares everyone into finding work elsewhere or early retirement.
    We already have Raunchy Fart Guy who drinks waaaaay too much protein shake, yet people continue working here. Maybe we should stop giving out free alcohol?

    So boog does work with you!

    Yeah, I think at that point the only thing that'll get rid of Creepy Guy (TM) is to cut off any reason for him to stay there, and from the sound of it, it's the wobbly-pops.

    Or another thought I had is this: if you don't know who the real creepy guy at work is, it's you. But don't worry, there are a lot of perks to the role such as surfing porn (business as usual for a creepy office guy), you can FINALLY stop hiding the hand lotion in your desk, you never have to hold it in when you need to pass gas (you already covered that one), and you can tell people all about your interest in model train sets.

  • (cs) in reply to C-Octothorpe
    C-Octothorpe:
    hoodaticus:
    boog:
    C-Octothorpe:
    hoodaticus:
    I've long promoted the notion that the secret to securing any system is to eliminate its users.
    BOFH?

    Do you have a lot of elevator and electrical "accidents" at your workplace?

    Safety incidents going through the roof would be a huge red flag. Better to just hire a really creepy guy that scares everyone into finding work elsewhere or early retirement.
    We already have Raunchy Fart Guy who drinks waaaaay too much protein shake, yet people continue working here. Maybe we should stop giving out free alcohol?

    So boog does work with you!

    Yeah, I think at that point the only thing that'll get rid of Creepy Guy (TM) is to cut off any reason for him to stay there, and from the sound of it, it's the wobbly-pops.

    Or another thought I had is this: if you don't know who the real creepy guy at work is, it's you. But don't worry, there are a lot of perks to the role such as surfing porn (business as usual for a creepy office guy), you can FINALLY stop hiding the hand lotion in your desk, you never have to hold it in when you need to pass gas (you already covered that one), and you can tell people all about your interest in model train sets.

    Everyone surfs porn here. I freely tell the owners of the company that surfing porn is required under IT department policy.

  • (cs) in reply to C-Octothorpe
    C-Octothorpe:
    hoodaticus:
    boog:
    C-Octothorpe:
    hoodaticus:
    I've long promoted the notion that the secret to securing any system is to eliminate its users.
    BOFH?

    Do you have a lot of elevator and electrical "accidents" at your workplace?

    Safety incidents going through the roof would be a huge red flag. Better to just hire a really creepy guy that scares everyone into finding work elsewhere or early retirement.
    We already have Raunchy Fart Guy who drinks waaaaay too much protein shake, yet people continue working here. Maybe we should stop giving out free alcohol?

    So boog does work with you!

    Yeah, I think at that point the only thing that'll get rid of Creepy Guy (TM) is to cut off any reason for him to stay there, and from the sound of it, it's the wobbly-pops.

    Or another thought I had is this: if you don't know who the real creepy guy at work is, it's you. But don't worry, there are a lot of perks to the role such as surfing porn (business as usual for a creepy office guy), you can FINALLY stop hiding the hand lotion in your desk, you never have to hold it in when you need to pass gas (you already covered that one), and you can tell people all about your interest in model train sets.

    Does it hurt or help to do an hour of Muay Thai training on the heavy bag a couple days a week at the company gym?

  • (cs) in reply to hoodaticus
    hoodaticus:
    C-Octothorpe:
    hoodaticus:
    boog:
    C-Octothorpe:
    hoodaticus:
    I've long promoted the notion that the secret to securing any system is to eliminate its users.
    BOFH?

    Do you have a lot of elevator and electrical "accidents" at your workplace?

    Safety incidents going through the roof would be a huge red flag. Better to just hire a really creepy guy that scares everyone into finding work elsewhere or early retirement.
    We already have Raunchy Fart Guy who drinks waaaaay too much protein shake, yet people continue working here. Maybe we should stop giving out free alcohol?

    So boog does work with you!

    Yeah, I think at that point the only thing that'll get rid of Creepy Guy (TM) is to cut off any reason for him to stay there, and from the sound of it, it's the wobbly-pops.

    Or another thought I had is this: if you don't know who the real creepy guy at work is, it's you. But don't worry, there are a lot of perks to the role such as surfing porn (business as usual for a creepy office guy), you can FINALLY stop hiding the hand lotion in your desk, you never have to hold it in when you need to pass gas (you already covered that one), and you can tell people all about your interest in model train sets.

    Everyone surfs porn here. I freely tell the owners of the company that surfing porn is required under IT department policy.
    How else would you verify that the site-blocker is effective?

  • C-Octothorpe (unregistered) in reply to frits
    frits:
    C-Octothorpe:
    hoodaticus:
    boog:
    C-Octothorpe:
    hoodaticus:
    I've long promoted the notion that the secret to securing any system is to eliminate its users.
    BOFH?

    Do you have a lot of elevator and electrical "accidents" at your workplace?

    Safety incidents going through the roof would be a huge red flag. Better to just hire a really creepy guy that scares everyone into finding work elsewhere or early retirement.
    We already have Raunchy Fart Guy who drinks waaaaay too much protein shake, yet people continue working here. Maybe we should stop giving out free alcohol?

    So boog does work with you!

    Yeah, I think at that point the only thing that'll get rid of Creepy Guy (TM) is to cut off any reason for him to stay there, and from the sound of it, it's the wobbly-pops.

    Or another thought I had is this: if you don't know who the real creepy guy at work is, it's you. But don't worry, there are a lot of perks to the role such as surfing porn (business as usual for a creepy office guy), you can FINALLY stop hiding the hand lotion in your desk, you never have to hold it in when you need to pass gas (you already covered that one), and you can tell people all about your interest in model train sets.

    Does it hurt or help to do an hour of Muay Thai training on the heavy bag a couple days a week at the company gym?

    Are you asking or bragging?

    I would say it's fine, unless you have a "special" outfit you wear that, when seen from behind, makes you look like someone hog-tied a goat. And as long as you don't make fight sounds like "thwack", "bam", "zwap", etc, you're alright...

  • (cs)

    I was at a place like this once, and we ran a collision test against the hashed password file on the plaintext password: ABCabc,123 and got nearly 4000 hits on a system with only 80,000 registered accounts. Ooops.

    Putting aside the whole "ZOMG how complicated!" what they don't understand is how constrained they've made the possible passwords. We know it must be between 8 and 12 characters long, for example, so the entire domain of 1-7, and 13-> character passwords is gone. Don't even need to check them. No dictionary words, so we can skip anything that contains a stupid string like "is", for example. Can't have three occurrences of the same character!!!! HAHAHA! That strips out an ungodly HUGE number of combinations. A secure password like "Ar9Bv4A.frA" would be rejected because it's "too easy" because it has 3 A's. Hah.

    So stupid.
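    The point made here, and earlier by derp and ziemas, is that published rules tell an attacker how small the space to search really is. As an added example (not from the page or any of the commenters), the code below counts the passwords each rule set allows by inclusion-exclusion and converts the count to bits and to worst-case exhaustive-search time; the 94-character printable ASCII alphabet, its split into four classes, and the one-billion-guesses-per-second rate are assumptions.

```python
from itertools import combinations
from math import log2

# Constructed assumption: the 94 printable ASCII characters split into four classes.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "special": 32}
ALPHABET = sum(CLASSES.values())


def strings_with_required(length, required=()):
    """Count strings of exactly `length` characters over the full alphabet that
    contain at least one character from every class named in `required`.

    Inclusion-exclusion: start with all strings, subtract the ones missing
    each required class, add back the ones missing each pair, and so on.
    """
    required = tuple(required)
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            reduced = ALPHABET - sum(CLASSES[c] for c in missing)
            total += (-1) ** k * reduced ** length
    return total


def keyspace(min_len, max_len, required=()):
    """Total number of passwords allowed by a length range plus class rules."""
    return sum(strings_with_required(n, required) for n in range(min_len, max_len + 1))


def entropy_bits(space):
    """Bits an attacker must search when every allowed password is equally likely."""
    return log2(space)


def years_to_exhaust(space, guesses_per_second=1e9):
    """Worst-case time to try every candidate at a fixed guess rate (assumed 1e9/s)."""
    return space / guesses_per_second / (365 * 24 * 3600)


def compare_policies():
    """Three policies from the thread, sized as the space an attacker knows to
    search once the rules are public. Returns {name: (count, bits, years)}."""
    policies = {
        # the thread's "complicated" policy: 8 to 12 chars, all four classes required
        "8-12 chars, all 4 classes": keyspace(8, 12, CLASSES),
        # the same length range with no class rule at all
        "8-12 chars, no class rule": keyspace(8, 12),
        # derp's counter-proposal: 20 chars with all four classes
        "20 chars, all 4 classes": keyspace(20, 20, CLASSES),
    }
    return {name: (n, entropy_bits(n), years_to_exhaust(n)) for name, n in policies.items()}


if __name__ == "__main__":
    for name, (count, bits, years) in compare_policies().items():
        print(f"{name:28s} {count:.3e} candidates  {bits:5.1f} bits  {years:.3e} years")
```

    The class rules cost well under a bit against the 8-12 character policy; the 12-character ceiling is what bounds the space. The dictionary and "no three of the same character" rules shrink it further but are not modelled here.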

  • (cs) in reply to C-Octothorpe
    C-Octothorpe:
    frits:
    C-Octothorpe:
    hoodaticus:
    boog:
    C-Octothorpe:
    hoodaticus:
    I've long promoted the notion that the secret to securing any system is to eliminate its users.
    BOFH?

    Do you have a lot of elevator and electrical "accidents" at your workplace?

    Safety incidents going through the roof would be a huge red flag. Better to just hire a really creepy guy that scares everyone into finding work elsewhere or early retirement.
    We already have Raunchy Fart Guy who drinks waaaaay too much protein shake, yet people continue working here. Maybe we should stop giving out free alcohol?

    So boog does work with you!

    Yeah, I think at that point the only thing that'll get rid of Creepy Guy (TM) is to cut off any reason for him to stay there, and from the sound of it, it's the wobbly-pops.

    Or another thought I had is this: if you don't know who the real creepy guy at work is, it's you. But don't worry, there are a lot of perks to the role such as surfing porn (business as usual for a creepy office guy), you can FINALLY stop hiding the hand lotion in your desk, you never have to hold it in when you need to pass gas (you already covered that one), and you can tell people all about your interest in model train sets.

    Does it hurt or help to do an hour of Muay Thai training on the heavy bag a couple days a week at the company gym?

    Are you asking or bragging?

    I would say it's fine, unless you have a "special" outfit you wear that, when seen from behind, makes you look like someone hog-tied a goat. And as long as you don't make fight sounds like "thwack", "bam", "zwap", etc, you're alright...

    I guess I was bragging a little. BTW- As engineers and/or IT folks, aren't we all "the creepy guy"?

  • Mr. Keith (unregistered) in reply to Sten
    Sten:
    My user name is “abcdefghijklmnopqrstuvwxyz”. I’m so screwed!

    It appears your username is "Sten", so you're OK.

  • C-Octothorpe (unregistered) in reply to frits
    frits:
    I guess I was bragging a little. BTW- As engineers and/or IT folks, aren't we all "the creepy guy"?

    I think this is a chicken/egg question...

    Does the IT industry create creepy guys (long hours, death march projects, radiation from monitors slowly cooking our brains, etc.) or are there a lot of creepy guys attracted to IT related roles?

    I'd say the latter because anybody "normal" that I met in the IT industry usually gives it up and goes into marketing/sales/management after failing horribly.

  • (cs) in reply to C-Octothorpe
    C-Octothorpe:
    hoodaticus:
    We already have Raunchy Fart Guy who drinks waaaaay too much protein shake, yet people continue working here. Maybe we should stop giving out free alcohol?
    So boog does work with you!
    If I get free alcohol? Sure, I can be Raunchy Fart Guy.
  • (cs) in reply to frits
    frits:
    C-Octothorpe:
    ...if you don't know who the real creepy guy at work is, it's you. But don't worry, there are a lot of perks to the role such as surfing porn (business as usual for a creepy office guy), you can FINALLY stop hiding the hand lotion in your desk, you never have to hold it in when you need to pass gas (you already covered that one), and you can tell people all about your interest in model train sets.

    Does it hurt or help to do an hour of Muay Thai training on the heavy bag a couple days a week at the company gym?

    It depends on how frequently and how intensely you tell your co-workers about it. Then again, that's probably true for just about any activity.
  • (cs) in reply to frits
    frits:
    As engineers and/or IT folks, aren't we all "the creepy guy"?
    Absolutely. See my previous comment explaining why.
  • Alex268 (unregistered)

    I wouldn't have to write it down on a post-it as Qwerty123 works just fine.

  • socknet (unregistered) in reply to Jimmy
    Jimmy:
    Uh oh, 'a', 'A', 'I' and 'O' can't be used in a password. Assuming they do their dictionary check case-insensitive (that is, that something like caPSiCum would still match as a dictionary word), this excludes 'i' and 'o' as well...

    Thanks for teaching us what case insensitive means. We will all be better programmers for it.

    Could you do a course on Hungarian notation next?

  • trtrwtf (unregistered) in reply to frits
    frits:
    How else would you verify that the site-blocker is effective?

    And someone's got to go out and find the sites that need to be blocked. That's research, buddy.

  • Chad (unregistered) in reply to Mcoder

    Even better, looking at the restricted characters makes me think that SQL injection shall grant me access... at least until I replace all of their content with pictures of puppies.

  • Frank Wales (unregistered)

    They forgot:

    • must have a prime MD5 hash !
  • carrot ? (unregistered)

    Can it contain carat(^), carrot(^), or caret(^) or neither of? And what if I give you one (captcha:) dolor ?

  • jbrains (unregistered) in reply to Pat

    It'll just be a lookup table, so no big deal.

  • some dude (unregistered) in reply to Bill
    Bill:
    When I was working on a project for a major government agency we were in a meeting with the client when she needed her latest password (they had very stringent password rules), she pulled up her calendar, navigated to a certain date and pulled out her password.

    I was floored. She has this password stored in a public calendar (at least within her organization) and in plain text.

    This is the problem with creating really stringent password rules: people can't remember them and write them down in tremendously insecure ways.

    Rule of security vs. usability

    secure <------------------------------------------> usable

    You can't have both: the more secure it gets, the less usable it is, and the more usable it gets (think Microsoft adding scripting to email), the less secure it is.

    My password is "IthinKthatbilLsmellSlikEguacamolEanD2sweatYgorillAscroteS"

    It's quite easy to remember. How long would that take to crack?

    And Facebook's "who is this person?" authentication is pretty tight and doesn't match your rule either. Nor do "draw your login photo here" schemes. Etc.

    That rule only works when you limit yourself to outdated username/password schemes.

  • some dude (unregistered) in reply to trtrwtf
    trtrwtf:
    Speaking of such things, is there any real reason to suppose that changing passwords every N days increases security?
    The original idea was that if it takes three months to crack a password, then if you change your password every three months then the cracker will never have a valid login. I'm surprised at how many people don't know this.
  • Andrew (unregistered) in reply to dogbrags

    Excellent!

    Now if I need to brute force the login screen, I have a list of criteria I can follow to reduce the amount of passwords I need to try.
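As an added example (not part of this thread or any commenter's post), here is a short Python estimate of the search spaces discussed in the "some dude" post above (the long passphrase versus a password that merely satisfies the head post's rules) and of the rotation reasoning in the reply to trtrwtf. The guess rate of 1e10 per second and the 20,000-word dictionary are constructed assumptions, not measurements; the 91-symbol alphabet is printable ASCII minus the four letters the head post says the dictionary check rejects outright.

```python
"""Added example: rough entropy and exhaustive-search time estimates for the
password styles discussed in the thread. Figures are assumptions for
illustration, not measurements."""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed offline guess rate against a fast unsalted hash (constructed figure).
ASSUMED_GUESSES_PER_SECOND = 1e10


def uniform_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a value chosen uniformly from alphabet_size**length."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float,
                     guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate in a 2**bits space at the given rate."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


def policy_alphabet_size() -> int:
    """Printable ASCII (95 symbols) minus A, a, I, i, which the dictionary
    check described in the head post rejects in any position."""
    return 95 - 4


def policy_password_bits(length: int = 10) -> float:
    """Upper bound for a password that satisfies the head post's rules at the
    10-character minimum. The true figure is lower: the substring rules remove
    further candidates and people pick far from uniformly."""
    return uniform_bits(policy_alphabet_size(), length)


def passphrase_word_bits(words: int, dictionary_size: int = 20000) -> float:
    """Pessimistic model of the long passphrase quoted above: a sequence of
    words drawn uniformly from an assumed dictionary_size-word list, ignoring
    the per-word capitalisation, which only adds entropy."""
    return uniform_bits(dictionary_size, words)


def search_completes_within(bits: float, days: int,
                            guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> bool:
    """True when an exhaustive search of the space finishes inside `days`.
    Rotation every N days can only invalidate a password before such a search
    finishes when the search takes longer than N days, yet not so long that
    rotation is pointless anyway."""
    return years_to_exhaust(bits, guesses_per_second) * 365.25 <= days


if __name__ == "__main__":
    cases = {
        "8 lowercase letters": uniform_bits(26, 8),
        "10-char policy-compliant password (upper bound)": policy_password_bits(),
        # The quoted passphrase tokenises into 12 words (11 words plus the digit 2).
        "12-word passphrase (word-level model)": passphrase_word_bits(12),
    }
    for label, bits in cases.items():
        print(f"{label}: ~{bits:.1f} bits, ~{years_to_exhaust(bits):.2e} years to exhaust;"
              f" 45-day rotation beats a full search: {not search_completes_within(bits, 45)}")
```

The design point is the contrast: an 8-letter lowercase password is exhausted in seconds, so a 45-day rotation does nothing for it, while the passphrase sits so far beyond any feasible search that rotation adds nothing there either. Rotation only changes the outcome in the narrow band where a search takes roughly as long as the rotation period.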

Leave a comment on “Security by Post-It”