• dfcowell (unregistered) in reply to dogbrags

    On the plus side, I can have a password ending in "!" for extra excitement!

  • Torre Lasley (unregistered) in reply to dogbrags

    It's mandatory to change your password every month, so this exercise is a frequent event :-(

  • Gibbon1 (unregistered) in reply to Anne
    Anne:
    Worse than that, all these rules actually make the passwords less secure.

    One of the rules I don't ever get is why you would restrict a password in length. A minimum number of characters I understand, but a maximum? Where's the reasoning behind that?

    The same goes for "leading character must be a letter"? Why can't it be a number? Why are characters forbidden? You're actually reducing the number of possible passwords here.

    Can't be more than 12 characters because they are using a fixed-length field in the password database to store them.

    If the password has a leading digit then the Perl script used to validate passwords treats it as a number.

    My take on writing passwords on Post-it notes is that there is nothing wrong with it as long as you don't write down the whole password. So if your password is H6eczlom;fr_doobiE, then writing down rf;H6eczlom on a Post-it note isn't likely to be helpful to someone who is casually snooping.

  • allo (unregistered)

    Once you've created it, it's not that complicated, because it is between 8 and 12 chars. Only creating one is hard.

  • derp (unregistered) in reply to Not of this Earth

    Well if god is ok with it, then I am too ... I guess

  • M (unregistered) in reply to socknet
    socknet:
    Spivonious:
    trtrwtf:
    Spivonious:
    My company doesn't let you use any of the last five passwords. So I have a post-it in my drawer that has the last five passwords on it. I figure if the janitor has access to my desk, he deserves access to my PC.

    FTFY

    Our room is locked-down so the janitor doesn't steal computers. The only people allowed in are in my department.

    Who vacuums?

    Their system sucks :)

  • Maurizio (unregistered) in reply to dogbrags

    To encourage migration to a fully Post-it-based solution, also add a mandatory password change every three months.

    A useful tip: if you know more than one (human) language, try dictionary words from your secondary language; it may work (it does here :).

    Maurizio

  • (cs) in reply to some dude
    some dude:
    trtrwtf:
    Speaking of such things, is there any real reason to suppose that changing passwords every N days increases security?
    The original idea was that if it takes three months to crack a password, then if you change your password every three months then the cracker will never have a valid login. I'm surprised at how many people don't know this.

    Are you kidding? Your chosen password AND a test password chosen in the cracker's next thousand attempts (or the next attempt) can be the same.

    Taking "three months to crack a password" means ON AVERAGE, not all of the time. A cracker could (with a small probability) guess your password on the first try, no matter how complex your password is.

    Think about moving your passwords around in password-space while a cracker is also moving his attempts around in the same password-space: You could happen to move your password to the same place that the cracker is about to try.

    That is not really more secure than leaving your password in the same place while the cracker is moving his attempts around in the same space.

    IF the space is large enough, that is.
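Added example (the editor's, not any commenter's): the argument above in numbers. It assumes a constructed model with N equally likely passwords, an attacker who tries values in a random order without repeating one until the whole space is exhausted, and a defender who redraws a uniformly random password every `period` guesses. Per guess the attacker's hit probability is 1/N whether or not the password moves, so rotation changes the shape of the outcome (there is no longer a guaranteed hit by guess N) but not its order of magnitude. The function names are this example's own.

```python
import itertools
import random
from fractions import Fraction


def p_cracked_fixed(n, guesses):
    """Fixed password: k distinct guesses cover k/N of the space; certain at k = N."""
    return Fraction(min(guesses, n), n)


def p_cracked_rotating(n, guesses, period):
    """Password redrawn every `period` guesses (period <= n). Each full period is an
    independent trial that hits with probability period/N, so the misses multiply
    and success is never certain, only increasingly likely."""
    assert 1 <= period <= n
    full, rest = divmod(guesses, period)
    p_miss = (1 - Fraction(period, n)) ** full * (1 - Fraction(rest, n))
    return 1 - p_miss


def expected_guesses(n, period=None):
    """Expected guesses until the first hit. Fixed: uniform over 1..N, so (N+1)/2.
    Rotating: a geometric number of failed periods, then a uniform position
    inside the period that hits. period=1 gives N, period=N gives (N+1)/2."""
    if period is None:
        return Fraction(n + 1, 2)
    p = Fraction(period, n)
    return (1 - p) / p * period + Fraction(period + 1, 2)


def simulate_mean(n, period=None, trials=20000, seed=1):
    """Monte Carlo check of expected_guesses: the attacker cycles a random order,
    the defender redraws the secret every `period` guesses (None = never)."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        order = list(range(n))
        rng.shuffle(order)
        secret = rng.randrange(n)
        for k in itertools.count(1):
            if order[(k - 1) % n] == secret:
                total += k
                break
            if period is not None and k % period == 0:
                secret = rng.randrange(n)
    return total / trials


if __name__ == "__main__":
    n = 10 ** 6
    for guesses in (n // 4, n // 2, n):
        print(f"{guesses:>8} guesses: fixed {float(p_cracked_fixed(n, guesses)):.3f}, "
              f"rotated every 1000 guesses {float(p_cracked_rotating(n, guesses, 1000)):.3f}")
    print("expected guesses, N=50: fixed", float(expected_guesses(50)),
          "rotate each guess", float(expected_guesses(50, 1)),
          "| simulated:", simulate_mean(50), simulate_mean(50, 1))
```

Rotating on every single guess is the defender's best case in this model and still only doubles the expected work; a real rotation period of months covers an enormous number of offline guesses, which is why the per-guess view above is the one that matters.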

  • -doug (unregistered)

    Does anybody know what "conatain" means? Normally, I would assume it was a typo, but in a list like this...

  • (cs) in reply to Serpentes
    Serpentes:
    I once worked at a company whose password policy, as best I remember it, was:
    • Minimum 10 characters, maximum 24.
    • Must contain at least one each of capital letters, lowercase letters, numbers, punctuation marks.
    • Passwords expire every 45 calendar days.
    • No password may contain a substring that is a valid entry in the system's English lookup dictionary.
    • No password may contain any of an enumerated (but not publicly announced) list of prohibited substrings.
    • No password may repeat any character-position pair that was used in any of your 16 previous passwords .... And finally, note that the system wouldn't tell you why a password request failed (after the 5-10 minute "testing password" phase), just that it was invalid due to a "Rules Exception". Had you stumbled on some secret blacklisted character sequence? Had you accidentally repeated the 14th character of the password you used 9 months ago? Did you discover some Welsh-originated horror lurking in the lookup dictionary ("cwm", for example; it was a pretty good dictionary)? No way to know! Just pound on the keyboard like a monkey and try again!

    Oh the horror! The agony. Did they have a special accounting "center" to track all the time spent guessing what password would work? How utterly vile.

  • Ditto (unregistered)

    Please, please, please... post the code that enforces this... I want to see it!! :o I think that would be worth the laugh...

  • (cs) in reply to -doug
    -doug:
    Does anybody know what "conatain" means? Normally, I would assume it was a typo, but in a list like this...

    This ought to define it plainly: It's here (then click the link to fix the autocorrect).

    HTH

  • (cs) in reply to Pecos Bill
    Pecos Bill:
    -doug:
    Does anybody know what "conatain" means? Normally, I would assume it was a typo, but in a list like this...

    This ought to define it plainly: It's here (then click the link to fix the autocorrect).

    HTH

    It doesn't.

  • anonanon (unregistered)

    This reminds me of one I ran into the other day. I forget what the site was... but they wanted me to generate a 4-digit "PIN" for security. So I picked a number and entered it. Rejected. Picked another. Rejected. Huh? It's a 4-digit number between 0000 and 9999, how many rules could there be?

    Then I found the "rules"... no consecutive digits, no duplicate digits, can't start with 0, can't use the same digit more than once, blaa blaa blaa... So I sat down and did the math... from 10,000 possible combinations (not terribly secure to begin with), their rules took the possible valid choices down to something like 3000. Not to mention the amount of time you had to spend just trying to think of a number that met all the rules...

    I guess they were afraid a hacker might tie up the system too long trying to crack your pin, so they improved efficiency by cutting the possibilities down by about 2/3.
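Added example, not the site's code: counting what those PIN rules leave, rule by rule. "No consecutive digits" is taken to mean no two adjacent digits that differ by exactly 1 (12, 87, ...), and the doubled "no duplicate digits" / "can't use the same digit more than once" rule is counted once; both readings, the rule order and the function names are this example's assumptions.

```python
import itertools
import math

DIGITS = "0123456789"


def no_leading_zero(pin):
    return pin[0] != "0"


def no_repeated_digit(pin):
    return len(set(pin)) == len(pin)


def no_consecutive_digits(pin):
    # Assumption: "consecutive" = adjacent digits differing by exactly 1, in either direction.
    return all(abs(int(a) - int(b)) != 1 for a, b in zip(pin, pin[1:]))


RULES = [
    ("can't start with 0", no_leading_zero),
    ("no duplicate digits", no_repeated_digit),
    ("no consecutive digits", no_consecutive_digits),
]


def all_pins(length=4):
    return ("".join(t) for t in itertools.product(DIGITS, repeat=length))


def surviving(rules, length=4):
    """PINs that pass every rule in `rules`."""
    return [p for p in all_pins(length) if all(check(p) for _, check in rules)]


def first_failing_rule(pin, rules=RULES):
    """The reason the site would not give: which rule rejected the PIN (None = accepted)."""
    for name, check in rules:
        if not check(pin):
            return name
    return None


def keyspace_report(rules=RULES, length=4):
    """One row per rule added: (rule, PINs still allowed, bits of entropy,
    expected guesses against a uniformly chosen allowed PIN)."""
    rows = []
    for i in range(len(rules) + 1):
        n = len(surviving(rules[:i], length))
        label = rules[i - 1][0] if i else "no rules"
        rows.append((label, n, math.log2(n), (n + 1) / 2))
    return rows


if __name__ == "__main__":
    for label, n, entropy, expected in keyspace_report():
        print(f"{label:<24} {n:>6} PINs  {entropy:5.2f} bits  ~{expected:7.1f} guesses on average")
    for pin in ("0123", "1122", "2468", "1357", "9876"):
        print(pin, "->", first_failing_rule(pin) or "accepted")
```

The attacker never has to respect the rules; the defender does, so every rule moves a uniformly chosen PIN into a smaller space the attacker can enumerate first.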

  • (cs) in reply to Mark
    Mark:
    Anon:
    • be at least 6 characters long, contain 3/4 of uppercase, lowercase, digits and punctuation marks, and may not contain your user name or any part of your full name.

    First I read this as my password must be three quarters uppercase, three quarters lowercase, three quarters digits and three quarters punctuation (that's 12 quarters for those keeping count)

    Then I realized it must mean contains 3 or 4 uppercase, 3 or 4 lowercase, 3 or 4 digits and 3 or 4 punctuation. Of course to follow that rule, your password must be at least 12 characters, so the "must be at least 6 characters" is redundant. Also the punctuation part is difficult when they've already explicitly forbidden several marks.

    Or, more likely, they mean you must use at least 3 of the 4 character classes (uppercase, lowercase, digits, punctuation)

    It's amusing watching that ambiguous specification being clarified over and over here in different ways. My take was that, since spec described first the length then the kind of characters, that the 3/4 quantified the number of characters (six characters OF WHICH 3/4 must be characters OF THIS KIND).

    But, yeah, the spec is ambiguous, so its meaning can't be known for certain without either knowing the implementation of the password validation or throwing test cases consistent with each interpretation of the spec at it. The latter won't be too much help, though, because I can already see our respective interpretations aren't necessarily mutually exclusive: meaning it could be my rule AND your rule AND the other rules... what a nightmare that would be!

  • GsT (unregistered)

    When password requirements are this stringent, brute-force attacks can be highly successful just by trying keyboard patterns, which is what people end up resorting to. (e.g. all 8-character strings of horizontally adjacent keys, etc.)
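Added example (the editor's, not GsT's): enumerating the horizontal keyboard walks the comment describes on a US QWERTY layout, and the check a password policy could run to reject them. The layout strings, the treatment of the shift key, and the function names are assumptions of this example.

```python
import math

# US QWERTY rows, unshifted and shifted, in the same key order (assumption: US layout).
ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
SHIFTED = ["~!@#$%^&*()_+", "QWERTYUIOP{}|", 'ASDFGHJKL:"', "ZXCVBNM<>?"]

# (row, column) of every printable key, shifted or not.
KEY_POS = {}
for r, (row, shifted) in enumerate(zip(ROWS, SHIFTED)):
    for c, (key, skey) in enumerate(zip(row, shifted)):
        KEY_POS[key] = KEY_POS[skey] = (r, c)


def horizontal_walks(length=8):
    """Every string of `length` horizontally adjacent keys typed in one direction,
    with each row taken either all-unshifted or all-shifted."""
    walks = set()
    for row in ROWS + SHIFTED:
        for start in range(len(row) - length + 1):
            segment = row[start:start + length]
            walks.add(segment)
            walks.add(segment[::-1])
    return walks


def count_walks_with_shift(length=8):
    """Same walks, but each key independently shifted or not: 2**length variants
    per window, times two directions."""
    windows = sum(max(0, len(row) - length + 1) for row in ROWS)
    return windows * 2 * 2 ** length


def longest_walk_run(password):
    """Length of the longest substring whose keys sit side by side on one row,
    stepping consistently left or right. Shift state is ignored, so Qwerty1 counts."""
    if not password:
        return 0
    best = run = 1
    step = 0                       # +1 rightwards, -1 leftwards, 0 not yet fixed
    for a, b in zip(password, password[1:]):
        pa, pb = KEY_POS.get(a), KEY_POS.get(b)
        adjacent = (pa is not None and pb is not None
                    and pa[0] == pb[0] and abs(pb[1] - pa[1]) == 1)
        if adjacent and step in (0, pb[1] - pa[1]):
            run += 1
            step = pb[1] - pa[1]
        elif adjacent:             # direction reversed: this pair starts a new run
            run, step = 2, pb[1] - pa[1]
        else:
            run, step = 1, 0
        best = max(best, run)
    return best


def bits(count):
    return math.log2(count)


if __name__ == "__main__":
    walks = horizontal_walks(8)
    print(f"{len(walks)} pure 8-key horizontal walks ({bits(len(walks)):.1f} bits), "
          f"e.g. {sorted(walks)[:3]}")
    with_shift = count_walks_with_shift(8)
    print(f"{with_shift} with per-key shift ({bits(with_shift):.1f} bits)")
    print(f"versus 95**8 random printable characters ({bits(95 ** 8):.1f} bits)")
    for pw in ("qwerty123", "Tr0ub4dor&3", "asdfdsa"):
        print(f"{pw!r}: longest walk run {longest_walk_run(pw)}")
```

A policy that rejects any run of four or more adjacent keys (`longest_walk_run(pw) >= 4`) removes this whole family at once, which is cheaper and less annoying than the character-class rules the thread is complaining about.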

  • Uplink (unregistered)

    Steps to generate password:

    1. Pick a dictionary
    2. Pick a word from the dictionary. The word must be at least 6 letters long.
    3. Think of your two- or three-digit lucky number.
    4. Split dictionary word in the middle.
    5. Put lucky number in the middle of word.
    6. Capitalize the first letter of the word.
    7. Congratulations, you now have a compliant password.

    Actually, you may only have an easy-to-remember but hard-to-guess-and-attack password, but you'll fail the "not have 3 occurrences of the same character" rule because of how frequent the letter "e" is in English. Add an extra e at the end if you have three e's in the word, to make it 4, which is compliant.

    Use this: http://watchout4snakes.com/CreativityTools/RandomWord/RandomWordPlus.aspx

    Example: Word = Clergy Lucky number = 42 New password: Cler42gy

    If this is your password, you may want to change it now :P

  • Dal90 (unregistered) in reply to Anne

    Obsolete rules, mostly.

    First, you had folks who don't / didn't hash passwords... so they had field-length limitations on where to store them.

    Second, you had poorly designed hashes. Old Windows NT LAN MAN (w00t! NetBEUI everywhere!) had a weakness: it used 14-character passwords -- if you typed more than 14, the rest was simply ignored. Moreover, it divided the 14 into two sets of 7 characters.

    If you had a 7-character password, it just added a pad of 7 more to make 14.

    The key weakness being this: if you had a 10-character password, it was like having a 7-character and a 3-character password. Hackers would attack the second, 3-character part first, and once they decoded characters in that, those same ones would be decoded in the first part. So in a simple example, ABCABCABCA, if you decoded the last three, the "BCA" portion, you had all you needed to know the first part was ABCABCA.

    So an 8-character password was theoretically more vulnerable to hacking than a 7-character one; and indeed anything between 8 and 13 characters was considered weaker than 7 or 14.
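Added example, not Dal90's code: the split-and-pad structure described above, with the per-half DES encryption replaced by an HMAC-SHA256 stand-in because the Python standard library has no DES (so the digests are not real LM hashes; the structure is the point). It shows that a password of 7 or fewer characters leaves a recognisable constant second half, that the two halves are attacked independently, and that the second half of an 8- or 9-character password falls to a few hundred guesses. The character set (uppercase letters and digits), the sample password and the function names are assumptions.

```python
import hashlib
import hmac
import itertools
import string

MAGIC = b"KGS!@#$%"        # the constant plaintext real LM encrypts under each half


def lm_halves(password):
    """Upper-case, keep at most 14 characters, pad with NULs, split into two 7-byte halves."""
    raw = password.upper().encode("latin-1")[:14].ljust(14, b"\0")
    return raw[:7], raw[7:]


def half_hash(half):
    """Stand-in for DES-encrypting MAGIC under the 7-byte half as key. Assumption:
    HMAC-SHA256 truncated to 8 bytes, chosen only to keep the example stdlib-only."""
    return hmac.new(half, MAGIC, hashlib.sha256).digest()[:8]


def lm_like_hash(password):
    first, second = lm_halves(password)
    return half_hash(first) + half_hash(second)


EMPTY_HALF = half_hash(b"\0" * 7)   # what an all-padding half always hashes to


def password_is_at_most_7(h):
    """A password of 7 or fewer characters leaves the second half empty,
    which is visible from the hash alone."""
    return h[8:] == EMPTY_HALF


def crack_second_half(h, alphabet=string.ascii_uppercase + string.digits, max_len=3):
    """Recover the second half on its own, shortest candidates first.
    Returns (recovered text, number of candidates hashed); (None, n) if not found."""
    target = h[8:]
    guesses = 0
    for n in range(max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            guesses += 1
            candidate = "".join(combo).encode("latin-1").ljust(7, b"\0")
            if half_hash(candidate) == target:
                return "".join(combo), guesses
    return None, guesses


def work_factor(length, charset_size=36):
    """Candidates of exactly the right length for each half of a `length`-character
    password: lengths 8..13 give a full first half and a short, cheap second half."""
    length = min(length, 14)
    return charset_size ** min(length, 7), charset_size ** max(length - 7, 0)


if __name__ == "__main__":
    h = lm_like_hash("Password1")           # constructed sample password
    print("hash:", h.hex())
    print("second half empty (password <= 7 chars)?", password_is_at_most_7(h))
    print("second half recovered as", crack_second_half(h))
    for n in (7, 8, 10, 14):
        first, second = work_factor(n)
        print(f"{n:>2}-char password: first half {first:.1e} candidates, second half {second:.1e}")
```

The recovered tail ("D1" here) is the hint Dal90 refers to: it does not decrypt the first half, but a 7-character prefix that has to end in a word completed by "D1" is a far smaller dictionary problem than a blind search of the whole half.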

  • Dok Jones (unregistered)

    I'm also not sure how to tell whether my password "conatains" the specified characters. "Contains", I understand -- those characters shouldn't be in my password... but how do those "conatained" characters pertain to my password?

  • Todd Eddy (unregistered)

    So if I understand that right (the last one confuses me a bit) the password "Abcdefg1" (that's a one at the end) would be perfectly valid

  • nodog (unregistered) in reply to dogbrags

    provided that the screen is completely covered with (unremovable) Post-its, security may be acceptable...

  • Axel (unregistered)

    New secure-password rules!:

    1. Reduce the available codespace!
    2. Reduce the available codespace some more!
    3. Reduce it further still!
    4. ???!
    5. Profit!
