Admin
On the plus side, I can have a password ending in "!" for extra excitement!
Admin
It's mandatory to change your password every month, so this exercise is a frequent event :-(
Admin
Can't be more than 12 characters because they are using a fixed-length field in the password database to store them.
If the password has a leading digit then the Perl script used to validate passwords treats it as a number.
My take on writing passwords on Post-it notes is that there is nothing wrong with it as long as you don't write down the whole password. So if your password is H6eczlom;fr_doobiE, then writing down rf;H6eczlom on a Post-it note isn't likely to be helpful to someone who is casually snooping.
Admin
Once you've created it, it's not that complicated, because it is between 8 and 12 chars. Only creating one is hard.
Admin
Well if god is ok with it, then I am too ... I guess
Admin
Their system sucks :)
Admin
To encourage migration to a full Post-it based solution, also add the mandatory change of the password every three months.
A useful piece of information: if you know more than one (human) language, try dictionary words from your secondary language; it may work (it does here :).
Maurizio
Admin
Are you kidding? Your chosen password AND a test password chosen in the cracker's next thousand attempts (or the next attempt) can be the same.
Taking "three months to crack a password" means ON AVERAGE, not all of the time. A cracker could (with a small probability) guess your password on the first try, no matter how complex your password is.
Think about moving your passwords around in password-space while a cracker is also moving his attempts around in the same password-space: You could happen to move your password to the same place that the cracker is about to try.
That is not really more secure than leaving your password in the same place while the cracker is moving his attempts around in the same space.
IF the space is large enough, that is.
Admin
Does anybody know what "conatain" means? Normally, I would assume it was a typo, but in a list like this...
Admin
Oh the horror! The agony. Did they have a special accounting "center" to track all the time spent guessing what password would work? How utterly vile.
Admin
Please, please please .. post the code that enforces this ... I want to see it!! :o I think that would be worth the laugh ...
Admin
This ought to define it plainly: It's here (then click the link to fix the autocorrect).
HTH
Admin
It doesn't.
Admin
This reminds me of one I ran into the other day. I forget what the site was...but they wanted me to generate a 4-digit "PIN" for security. So I picked a number and entered it. Rejected. Picked another. Rejected. Huh? It's a 4-digit number between 0000 and 9999, how many rules could there be?
Then I found the "rules"...no consecutive digits, no duplicate digits, can't start with 0, can't use the same digit more than once, blaa blaa blaa... So I sat down and did the math...from 10,000 possible combinations (not terribly secure to begin with), their rules took the possible valid choices down to something like 3000. Not to mention the amount of time you had to spend just trying to think of a number that met all the rules...
I guess they were afraid a hacker might tie up the system too long trying to crack your pin, so they improved efficiency by cutting the possibilities down by about 2/3.
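An added example, not part of the comment above, that counts how much of the 4-digit PIN space survives the rules the commenter lists. The rule set (no repeated digit, no two adjacent digits that differ by exactly one, no leading zero) is my reading of the comment; the site's actual rules are not on the page.

```python
from math import log2

# Constructed rule set: no repeated digit, no adjacent digits that differ by
# exactly one (e.g. "12" or "87"), and no leading zero.
def pin_allowed(pin: str) -> bool:
    """Return True if a 4-digit PIN passes all three composition rules."""
    if len(pin) != 4 or not pin.isdigit():
        return False
    if pin[0] == "0":                           # no leading zero
        return False
    if len(set(pin)) != 4:                      # any repeated digit
        return False
    for a, b in zip(pin, pin[1:]):              # adjacent consecutive digits
        if abs(int(a) - int(b)) == 1:
            return False
    return True

def count_allowed() -> int:
    """Count the PINs an attacker still has to try after the rules apply."""
    return sum(1 for n in range(10000) if pin_allowed(f"{n:04d}"))

def bits_lost(allowed: int, total: int = 10000) -> float:
    """Entropy removed from the keyspace by the rules, in bits."""
    return log2(total) - log2(allowed)

if __name__ == "__main__":
    n = count_allowed()
    print(f"{n} of 10000 PINs survive the rules ({bits_lost(n):.2f} bits lost)")
```

Every rule that is public is a rule the guesser can apply too, so the rules only shrink the space the defender is relying on.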
Admin
It's amusing watching that ambiguous specification being clarified over and over here in different ways. My take was that, since the spec described first the length and then the kind of characters, the 3/4 quantified the number of characters (six characters OF WHICH 3/4 must be characters OF THIS KIND).
But, yeah, the spec is ambiguous, so its meaning can't be known for certain without either knowing the implementation of the password validation or throwing test cases consistent with each interpretation of the spec at it. The latter won't be too much help, though, because I can already see our respective interpretations aren't necessarily mutually exclusive: meaning it could be my rule AND your rule AND the other rules... what a nightmare that would be!
Admin
When password requirements are this stringent, brute-force attacks can be highly successful just by trying keyboard patterns, which is what people end up resorting to. (e.g. all 8-character strings of horizontally adjacent keys, etc.)
Admin
Steps to generate password:
Actually, you may only have an easy-to-remember but hard-to-guess-and-attack password, but you'll fail the "not have 3 occurrences of the same character" rule because of how frequent the letter "e" is in English. Add an extra e at the end if you have three "e"s in the word, to make it 4, which is compliant.
Use this: http://watchout4snakes.com/CreativityTools/RandomWord/RandomWordPlus.aspx
Example: Word = Clergy Lucky number = 42 New password: Cler42gy
If this is your password, you may want to change it now :P
Admin
Obsolete rules, mostly.
First you had folks who don't / didn't hash passwords...so they had field length limitations where to store them.
Second you had poorly designed hashes. Old Windows NT LAN MAN (w00t! NetBEUI everywhere!) had a weakness in that they used 14-character passwords -- if you typed more than 14, the rest was simply ignored. Moreover, it divided the 14 into two sets of 7 characters.
If you had a 7-character password, it just added a pad of 7 more to make 14.
The key weakness being this: If you had a 10-character password, it was like having 7 + 3 character passwords. Hackers would attack the 2nd 3-character part first, and once they decoded characters in that, those same ones would be decoded in the first part. So in a simple example ABCABCABCA, if you decoded the last three "BCA" portion, you had all you needed to know the first part was ABCABCA.
So an 8-character password was theoretically more vulnerable to hacking than 7; and indeed anything between 8 and 13 characters was considered weaker than 7 or 14.
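An added example, not the commenter's code, that reproduces only the well-known input handling of the LanMan scheme (uppercase, truncate to 14, NUL-pad, split into two 7-byte halves) to show why an 8-to-13-character password costs an attacker barely more than a 7-character one. The DES step is left out on purpose, and the 69-symbol alphabet is an assumed figure for uppercase letters, digits and punctuation; the comment gives no alphabet size.

```python
# Only the LM input preparation is modelled; the hash itself is omitted.
def lm_halves(password: str) -> tuple[bytes, bytes]:
    """Return the two 7-byte blocks LM would hash independently."""
    pw = password.upper().encode("ascii")[:14]   # characters past 14 are ignored
    pw = pw.ljust(14, b"\x00")                    # short passwords are NUL-padded
    return pw[:7], pw[7:]

def half_keyspace(half: bytes, alphabet_size: int = 69) -> int:
    """Candidates for one half given only its non-pad length.
    69 is an assumed alphabet size (A-Z, 0-9, punctuation)."""
    effective = len(half.rstrip(b"\x00"))
    return alphabet_size ** effective

def crack_effort(password: str, alphabet_size: int = 69) -> int:
    """Worst-case guesses when each half is attacked on its own.
    An all-NUL half is a known constant and costs nothing."""
    return sum(half_keyspace(h, alphabet_size)
               for h in lm_halves(password) if h.strip(b"\x00"))

def monolithic_effort(password: str, alphabet_size: int = 69) -> int:
    """What the same length would cost if the whole string were one block."""
    return alphabet_size ** min(len(password), 14)

if __name__ == "__main__":
    for pw in ("abcdefg", "abcdefgh", "abcdefghijklmn"):
        print(pw, crack_effort(pw), "vs monolithic", monolithic_effort(pw))
```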
Admin
I'm also not sure how to tell whether my password "conatains" the specified characters. "Contains", I understand -- those characters shouldn't be in my password... but how do those "conatained" characters pertain to my password?
Admin
So if I understand that right (the last one confuses me a bit) the password "Abcdefg1" (that's a one at the end) would be perfectly valid
Admin
Provided that the screen is completely covered with (unremovable) Post-its, security may be acceptable...
Admin
New secure-password rules!: