Admin
Sounds like a job for ... Superprogram!
"Just" write a program which automatically generates a random string which adheres to the rules above. (Except that it doesn't know what the "prohibited substrings" are.) Then you need to carry a little (black) book with your passwords in. (Don't carry the account which the password accesses, in case you're mugged on the way to the station and it gets stolen by manic hackers.)
Actually, those password rules miss a trick: they should also disallow passwords whose letters are on alternate sides of the keyboard, to rule out those flights of frustrated randomness like Kz03ksupdywn (oops, that won't work, it has "up" and "dywn" in it) generated by frantic bashing of the keyboard by index fingers in turn. After all, that's how the Enigma code was broken.
Admin
If a cracker cracks a pwd then I would have thought an entertaining thing to do would be to change it. By the time the original user has managed to persuade the company "hey, this really is me, some blighter has impersonated me" you can be off and running with significant quantities of assets.
Making the pwd rules difficult to intuit would limit the cracker's ability to change that pwd.
Admin
What's with those "not more than 12 characters and must not contain any special characters" requirements anyway?
Admin
I loled at many of the comments...
I notice that
is redundant with, not to mention the "must not contain" + "must not be" nonsense, + the last one which is probably the old rules, left here for history... TRWTF here is all the "special characters" madness. It screams something like "I inject passwords into regexes in a horrible way and can't be bothered to escape them first". Would be fun if their system used regexes on login too.
Admin
Well, it's a great post.
Admin
So TRWTF is my gmail password conforms to all of these requirements. I feel shame, huh...
Admin
My user name is “abcdefghijklmnopqrstuvwxyz”. I’m so screwed!
Admin
-Harrow.
Admin
By knowing what to put or not put inside it is way easier to brute-force. If I know the password should be 8 characters long and have at least 2 upper case letters it reduces the possibilities.
This is how it should be: digits, upper and lower case characters and special characters, not your username, not your username backwards, not your or any other birthdate, at least 20 characters long.
Admin
Forgot:
Admin
Good point! I can think of no reason.
Admin
So there's no reason to prevent brute force attacks with a password changing policy.
Furthermore, with a 12-character password containing upper- and lowercase letters, digits and other characters, the average time with a billion guesses a second is about 90000 years.
Admin
Your password must:
Lol, which is it? :)
Admin
Freedom to passwords! All are equal before the God, even 1-letter passwords!
Admin
Admin
Nice try, but neither of those are my sockpuppets. I usually don't use sockpuppets to talk to meself, just to make lame(r) jokes.
It's actually flattering because those two guys were actually being funny and not stupid. Now if you accused me of being Nagesh...
Admin
public boolean IsPasswordValid(String password) { return false; }
How's that?
Admin
Old job changed the password requirement for SAP.
Password had to have two lower case characters, two upper case characters, two special characters and two numbers.
It's not a mistake that I've left "at least" out of there. Password had to be EXACTLY eight characters long, with that make up. Everyone's passwords became something like 33££EEee.
Admin
Actually, that's the default Windows 2003/2008 password policy, pretty much. It means that your password must include exactly three out of the four types of characters mentioned.
So it has to have (for example) upper- and lower-case letters, and a number, but not also a punctuation mark.
So abDE12,. doesn't qualify, but abcDE1 does... silly Microsoft...
Admin
madarchod, I am driving a top motor-cycle for the past two years. Take a look at the motor-cycles made in India on Hero Honda's website.
*akismet, moronic buffoon, this is not spam...
Admin
I did a stint once as an AS/400 admin at a bank. I also did the offsite backups (big reels of tape. I'm 30 years old, so it's the bank that was antiquated, not me).
I stored the offsite backups in a random bank vault at a random branch. Invariably, the combinations to the vault were always written on a post-it note or business card in the top desk drawer closest to the vault.
And lest I forget, some of the branches' alarm systems were never completed by the security contractors, meaning they were never armed.
Admin
So boog does work with you!
Yeah, I think at that point the only thing that'll get rid of Creepy Guy (TM) is to cut off any reason for him to stay there, and from the sound of it, it's the wobbly-pops.
Or another thought I had is this: if you don't know who the real creepy guy at work is, it's you. But don't worry, there are a lot of perks to the role such as surfing porn (business as usual for a creepy office guy), you can FINALLY stop hiding the hand lotion in your desk, you never have to hold it in when you need to pass gas (you already covered that one), and you can tell people all about your interest in model train sets.
Admin
Does it hurt or help to do an hour of Muay Thai training on the heavy bag a couple days a week at the company gym?
Admin
Are you asking or bragging?
I would say it's fine, unless you have a "special" outfit you wear that, when seen from behind, makes you look like someone hog-tied a goat. And as long as you don't make fight sounds like "thwack", "bam", "zwap", etc, you're alright...
Admin
I was at a place like this once, and we ran a collision test against the hashed password file on the plaintext password ABCabc,123 and got nearly 4000 hits on a system with only 80,000 registered accounts. Oops.
Putting aside the whole "ZOMG how complicated!", what they don't understand is how constrained they've made the possible passwords. We know it must be between 8 and 12 characters long, for example, so the entire domain of 1-7 and 13+ character passwords is gone. Don't even need to check them. No dictionary words, so we can skip anything that contains a stupid string like "is", for example. Can't have three occurrences of the same character!!!! HAHAHA! That strips out an ungodly HUGE number of combinations. A secure password like "Ar9Bv4A.frA" would be rejected because it's "too easy" because it has 3 A's. Hah.
So stupid.
Admin
I guess I was bragging a little. BTW- As engineers and/or IT folks, aren't we all "the creepy guy"?
Admin
It appears your username is "Sten", so you're OK.
Admin
I think this is a chicken/egg question...
Does the IT industry create creepy guys (long hours, death march projects, radiation from monitors slowly cooking our brains, etc.) or are there a lot of creepy guys attracted to IT related roles?
I'd say the latter because anybody "normal" that I met in the IT industry usually gives it up and goes into marketing/sales/management after failing horribly.
Admin
I wouldn't have to write it down on a post-it as Qwerty123 works just fine.
Admin
Thanks for teaching us what case insensitive means. We will all be better programmers for it.
Could you do a course on Hungarian notation next?
Admin
And someone's got to go out and find the sites that need to be blocked. That's research, buddy.
Admin
Even better, looking at the restricted characters makes me think that SQL injection shall grant me access... at least until I replace all of their content with pictures of puppies.
Admin
They forgot:
Admin
Can it contain carat(^), carrot(^), or caret(^) or neither of? And what if I give you one (captcha:) dolor ?
Admin
It'll just be a lookup table, so no big deal.
Admin
It's quite easy to remember. How long would that take to crack?
And Facebook's "who is this person?" authentication is pretty tight and doesn't match your rule either. Nor do "draw your login photo here" schemes. Etc.
That rule only works when you limit yourself to outdated username/password schemes.
Admin
Excellent!
Now if I need to brute force the login screen, I have a list of criteria I can follow to reduce the amount of passwords I need to try.
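The SAP policy described earlier in the thread (exactly eight characters, exactly two upper-case, two lower-case, two digits and two specials) shows what such a list of criteria is worth to an attacker. The following is an added example, not code from the original thread: it counts the exact size of that policy's keyspace against the unconstrained 8-character space, then counts and enumerates the far smaller shape people reportedly fell into (33££EEee, each class used once as a doubled pair) and hashes those candidates against a constructed target. The unsalted SHA-256 hash and the 32-character ASCII special set are assumptions, since the thread names neither.

```python
import hashlib
import itertools
import math
import string

# Assumption: ASCII punctuation (32 chars) is the "special character" set.
CLASSES = {
    "digit": string.digits,            # 10
    "special": string.punctuation,     # 32
    "upper": string.ascii_uppercase,   # 26
    "lower": string.ascii_lowercase,   # 26
}


def exact_policy_keyspace() -> int:
    """Passwords of exactly 8 chars with exactly 2 from each class, any order:
    multinomial(8; 2,2,2,2) position layouts times the per-class choices."""
    layouts = math.factorial(8) // (math.factorial(2) ** 4)  # 2520
    per_class = math.prod(len(chars) ** 2 for chars in CLASSES.values())
    return layouts * per_class


def unconstrained_8char_keyspace() -> int:
    """All 8-char strings over the 95 printable ASCII characters."""
    return 95 ** 8


def doubled_pair_keyspace() -> int:
    """The 33##EEee shape: an ordering of the four classes, one char each."""
    return math.factorial(4) * math.prod(len(c) for c in CLASSES.values())


def doubled_pair_candidates():
    """Enumerate only passwords of the 33##EEee shape, one class per pair."""
    for order in itertools.permutations(CLASSES):
        for picks in itertools.product(*(CLASSES[c] for c in order)):
            yield "".join(ch * 2 for ch in picks)


def crack(target_hashes: set, limit=None) -> dict:
    """Hash shape-conforming candidates and report any that match a target.
    Assumption: targets are unsalted hex SHA-256 digests."""
    found = {}
    for i, pw in enumerate(doubled_pair_candidates()):
        digest = hashlib.sha256(pw.encode()).hexdigest()
        if digest in target_hashes:
            found[digest] = pw
            if len(found) == len(target_hashes):
                break
        if limit is not None and i + 1 >= limit:
            break
    return found


# Constructed target: the hash of a password with the lazy doubled-pair shape.
TARGET = hashlib.sha256(b"33##EEee").hexdigest()


if __name__ == "__main__":
    full, policy, lazy = (unconstrained_8char_keyspace(),
                          exact_policy_keyspace(), doubled_pair_keyspace())
    print(f"all 8-char strings:         {full:.3e}")
    print(f"strings the policy allows:  {policy:.3e} ({policy / full:.2%})")
    print(f"doubled-pair shape only:    {lazy:,}")
    print("recovered:", crack({TARGET}))
```

The policy alone already throws away about 98% of the 8-character space, and the doubled-pair shape cuts the remainder to about five million candidates, a few seconds of hashing even in pure Python. That is the practical meaning of "a list of criteria I can follow": the rules do not need to leak anything secret, they only need to push users toward a shape the attacker can enumerate first.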