• (nodebb)

    I remember a long time ago, I couldn't change the password on a forum simply because the new rules applied to the old password as well (I think they added a non-letter-number symbol as a requirement). So basically I could no longer log on because I had to change the password to follow the new rules, but I couldn't change the password because the new rules when changing the password also applied to the old password.

    BTW for those that don't know how those old password rules came to be: basically a team of scientists were told to come up with something plausible in just two hours, and that stuff became basically a "best practice". A good example that stuff with the names of a bunch of experts underneath is not always up to the quality standards those people usually deliver.

  • Joe (unregistered)

    No repeated or sequential characters in a password? The best passwords are pass phrases, as they're longer and easier for humans to remember, but those 2 requirements, alone, get rid of an awful lot of words that could otherwise be used in a pass phrase. No special characters is kinda dumb, but whatever.

  • (nodebb)

    My least favorite recent password issue was a site which required a "special character" but only certain special characters were allowed. My password manager kept suggesting passwords with the wrong special characters.

    My least favorite historical password issue was a system back in the late 80s which accepted my favorite password (yes, I had only one password for everything back then) but quietly truncated it as I set it. Of course, it didn't truncate the password when I was trying to log in.

  • Ex-Java dev (unregistered)

    Dish Network. 8 characters max. Need I say more?

  • Darren (unregistered)

    There was an online banking website that was adamant that you had to use uppercase and lowercase letters in your password, and the front-end validated your input to check you had.

    However, behind the scenes it looked like they were doing a ToUpper() or ToLower() on the password as it didn't make a difference whether you used uppercase or lowercase letters when entering your password to login - so long as it was the right letter, its case didn't matter. I discovered this when I accidentally logged in with the Caps Lock key turned on - essentially I'd 'inverted' my password and it still worked.

    Thankfully, this was some years back and they've now fixed it so that case sensitivity is now a thing. They're doing 2FA too, so it seems like they've got someone a bit more competent than the CEO's nephew doing security.

  • Tim K. (unregistered) in reply to sibtrag

    I had a similar issue once with a security camera system. It turned out setting a password or logging in directly on the device would ignore any capital letter inputs, but attempting to connect via a Windows application over a network would not. Once I figured out it was expecting "ypass" rather than "Mypass", everything worked.

  • Argle (unregistered)

    Password rules: Because it's easier to write a regex than it is to write a robust retry limiter.
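    As an added illustration of the "robust retry limiter" the comment above contrasts with regex rules (example code written for this page, not from the original thread or any product), here is a per-account throttle with exponential lockout, consulted before the password is ever checked. The account name, the sample credential and the guess list are constructed; the `FakeClock` only exists so the lockout schedule can be shown without sleeping.

```python
import time
from typing import Callable, Dict, List


class LoginThrottle:
    """Per-account failure counter with exponential lockout (added example)."""

    def __init__(self, free_attempts: int = 3, base_delay: float = 1.0,
                 max_delay: float = 3600.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.free_attempts = free_attempts   # failures tolerated before any delay
        self.base_delay = base_delay         # first lockout, doubled on each further failure
        self.max_delay = max_delay           # cap so an account is never locked for days
        self.clock = clock                   # injectable for testing
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}

    def retry_after(self, account: str) -> float:
        """Seconds until another attempt is allowed for this account (0 = now)."""
        return max(0.0, self._locked_until.get(account, 0.0) - self.clock())

    def record_failure(self, account: str) -> float:
        """Count a failed attempt; return the lockout applied (0.0 if none yet)."""
        n = self._failures.get(account, 0) + 1
        self._failures[account] = n
        excess = n - self.free_attempts
        if excess <= 0:
            return 0.0
        delay = min(self.base_delay * (2 ** (excess - 1)), self.max_delay)
        self._locked_until[account] = self.clock() + delay
        return delay

    def record_success(self, account: str) -> None:
        """A correct password resets the counter and any lockout."""
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


def attempt_login(throttle: LoginThrottle, account: str, password: str,
                  verify: Callable[[str, str], bool]) -> str:
    """Return 'ok', 'bad-password' or 'locked:<seconds>'.

    The throttle is consulted *before* the password is verified, so a locked
    account never reaches verify() and costs the guesser nothing but time.
    """
    wait = throttle.retry_after(account)
    if wait > 0:
        return f"locked:{wait:g}"
    if verify(account, password):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "bad-password"


class FakeClock:
    """Manually advanced clock so the lockout schedule can be exercised offline."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> List[str]:
    """Drive a short guessing run against a constructed user; return the outcomes."""
    clock = FakeClock()
    throttle = LoginThrottle(free_attempts=3, base_delay=1.0, clock=clock)
    creds = {"alice": "correct horse battery staple"}   # constructed sample user
    verify = lambda user, pw: creds.get(user) == pw      # stand-in for a real hash check
    out = []
    for guess in ["Jan-4-2025", "Password1!", "hunter2", "letmein", "qwerty"]:
        out.append(attempt_login(throttle, "alice", guess, verify))
    clock.advance(1.5)   # wait out the 1-second lockout imposed by the 4th failure
    out.append(attempt_login(throttle, "alice", "correct horse battery staple", verify))
    return out


if __name__ == "__main__":
    print(demo())
```

Three free attempts absorb typos, the fourth failure starts a 1 s lockout that doubles on each further failure, and a successful login clears the state. A per-account lock alone lets an attacker lock other people out on purpose, so a production limiter also keys on source address and prefers growing delays to hard lockouts.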

  • Officer Johnny Holzkopf (unregistered) in reply to Ex-Java dev

    The password must not exceed 8 characters. Allowed are letters A - Z and numbers 0 - 9 as well as the national symbols @, #, and $. The first character must be a letter. There is no distinction between lower and upper case... do you remember? That was half a century ago.
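    The rule set above, the bank that case-folded passwords before comparing them, and the 80s system that truncated at set time but not at login all come down to a normalization step applied on one side of the comparison or both. The following is an added example (written for this page, not code from any of the systems described) that models those three policies side by side over the same PBKDF2 hash, so the collisions each one creates can be checked directly. The regex encoding the legacy syntax rules, the iteration count and the sample passwords are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import re
from typing import Callable, Dict, Tuple

# The legacy syntax rules as quoted: at most 8 characters, A-Z, 0-9 and @#$ only,
# first character a letter, no case distinction. Assumed encoding of those rules.
_LEGACY_ALLOWED = re.compile(r"^[A-Z][A-Z0-9@#$]{0,7}$")

Normalizer = Callable[[str], str]
identity: Normalizer = lambda p: p


def legacy_normalize(password: str) -> str:
    """What the legacy system actually compares: case-folded and cut at 8."""
    return password.upper()[:8]


def legacy_accepts(password: str) -> bool:
    """Does the password, after legacy normalization, satisfy the syntax rules?"""
    return _LEGACY_ALLOWED.fullmatch(legacy_normalize(password)) is not None


def hash_password(password: str, salt: bytes, normalize: Normalizer = identity) -> bytes:
    """PBKDF2-HMAC-SHA256 over the password after an optional normalization step.

    The only difference between the legacy and modern paths is that one call;
    it is what collapses the password space before hashing.
    """
    return hashlib.pbkdf2_hmac("sha256", normalize(password).encode("utf-8"), salt, 50_000)


def enroll(password: str, normalize: Normalizer = identity) -> Tuple[bytes, bytes]:
    """Store (salt, digest) for a new password under the given policy."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt, normalize)


def verify(stored: Tuple[bytes, bytes], attempt: str, normalize: Normalizer = identity) -> bool:
    """Constant-time comparison of the attempt against the stored digest."""
    salt, digest = stored
    return hmac.compare_digest(digest, hash_password(attempt, salt, normalize))


def collision_report(set_pw: str, attempt: str) -> Dict[str, bool]:
    """Does `attempt` unlock an account enrolled with `set_pw` under each policy?"""
    legacy = enroll(set_pw, legacy_normalize)     # mainframe / case-folding bank
    modern = enroll(set_pw)                       # password used exactly as typed
    trunc_on_set = enroll(set_pw[:8])             # late-80s variant: cut only when set
    return {
        "legacy": verify(legacy, attempt, legacy_normalize),
        "modern": verify(modern, attempt),
        "truncate_on_set_only": verify(trunc_on_set, attempt),
    }


if __name__ == "__main__":
    print(collision_report("Mypass", "mYPASS"))                     # Caps Lock inversion
    print(collision_report("SecretPassword2024", "SecretPa"))       # first 8 characters suffice
    print(collision_report("SecretPassword2024", "SecretPassword2024"))  # set-time truncation
```

Under the legacy policy an inverted-case attempt and an 8-character prefix both verify; under set-time-only truncation the password the user actually chose no longer works, which is exactly the login failure described in the thread. The syntax checker also shows why such systems cannot tell a 20-character password from its first 8.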

  • (nodebb)

    And all those exclamation marks, you notice? Three? A sure sign of someone who wears his underpants on his head.

  • Siddi (unregistered)

    I've worked several places with annoying password rules:

    Must have upper and lower letters with numbers and specials. Must change once a month and cannot repeat. At least eight long

    I guarantee half the office will have a simple variant on this as their password today:

    Jan-4-2025

  • markm (unregistered)

    One of the worst rules was "Must change once a month and cannot repeat." So first you had to pick a new password, but could not follow a pattern that you could remember but the password system would decide was repeating. You had to either write down your new password, or choose one simple enough to easily remember.

    But when someone either found the password you had written down or guessed it, they'd have up to 30 days to misuse it. That's 30 days too long. Changing passwords on a schedule is one of the stupidest things ever done to protect them. Pick a really difficult one to guess or brute force and DON'T give it away.

  • (nodebb)

    Password rules are such a problem. I've been looking after passwords in some fashion on and off for a long, long time, sometimes as security sometimes as a dev. Still endlessly frustrating when websites implement idiotic password rules. About half that I use don't believe spaces are valid password characters, for instance.
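    For contrast with the rules complained about throughout this thread (spaces refused, limited special characters, mandatory classes, monthly rotation, no repeated or sequential characters), here is an added example of a validator that follows the current NIST SP 800-63B approach: a length floor, a generous ceiling, Unicode NFKC normalization, any printable character including spaces, and a blocklist of known-bad and context-specific strings instead of composition rules. This is example code written for this page, not from any site or library; the short `BLOCKLIST`, the limits and the sample inputs are constructed for the illustration.

```python
import unicodedata
from typing import Iterable, List

MIN_LENGTH = 8     # NIST SP 800-63B floor for user-chosen passwords
MAX_LENGTH = 128   # upper bound well above the 64 the guidance says to allow

# Constructed stand-in for a breached/common-password list. A real deployment
# checks a large corpus (typically via a k-anonymity lookup), not a short set.
BLOCKLIST = {"password", "password1", "qwerty123", "letmein", "welcome1", "jan-4-2025"}


def normalize(password: str) -> str:
    """NFKC so visually identical inputs (composed vs decomposed accents,
    full-width digits) hash the same. Spaces are kept; they are valid characters."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, context_words: Iterable[str] = ()) -> List[str]:
    """Return the reasons a password is rejected; an empty list means accepted.

    Deliberately absent: character-class requirements, bans on repeated or
    sequential characters, restricted symbol sets, and expiry. Length plus a
    blocklist do the work, so passphrases like 'correct horse battery staple' pass.
    """
    pw = normalize(password)
    problems: List[str] = []
    n = len(pw)   # code points, not bytes, so accented passphrases are not penalised
    if n < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if n > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if any(unicodedata.category(c) == "Cc" for c in pw):
        problems.append("contains control characters")
    folded = pw.casefold()
    if folded in BLOCKLIST:
        problems.append("appears in the blocklist")
    for word in context_words:   # service name, username and similar
        if word.casefold() in folded:
            problems.append(f"contains context word {word!r}")
    return problems


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "Jan-4-2025", "hunter2",
                      "cafe\u0301 au lait", "AcmeCorp2025!"]:
        print(repr(candidate), check_password(candidate, context_words=("acme",)))
```

The date-style password from earlier in the thread is caught by the blocklist rather than by a character-class rule, and the decomposed-accent passphrase is accepted and normalized to the same form a composed-accent entry would hash to, so the user can log in from either keyboard layout.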

  • OldGrayBeard (unregistered) in reply to Officer Johnny Holzkopf

    Those are exactly the mainframe rules, and mainframes are still in use; we just got rid of ours last summer. Mix in domain<->mainframe password synchronization and you got several of the other complaints here, like allowing Windows to use a longer password and just truncating them on the mainframe. The client applications had to limit the user's password entry if they called the mainframe or we'd have to deal with too many calls about passwords not working. Now the mainframe is gone and all authorization is Windows Domain or OAuth2/OIDC; we can now fully-delegate password entry to another provider.

Leave a comment on “Monkeys”
