• Prime Mover (unregistered)

    TRWTF of course is 80 character long passwords.

  • Robert (unregistered)

    Where exactly is the failing condition (cnt >= (len/2)) to be found in the posted source code? Could it be that there's something missing in this ominously malformed for-else-block?

    for (var i=0; i= (len/2)))
        flag = 1;
    else if ((sum >= 18) && (sum <= 30))
        flag = 2;
    else if (sum > 30)
        flag = 3;

  • JiffyPop (unregistered)

    Any chance we could see the part of the code you are talking about? It looks like all those fancy leet-haxor characters in the submission messed up the code block. In particular I am seeing "for (var i=0; i= (len/2)))", but I am not seeing the referenced "(cnt >= (len/2))".

  • Darren (unregistered)

    If you view-source, then line 237 has all the missing bits. However, and I'm no JavaScript expert, it looks like the missing bit has itself got missing bits - which is what I suspect might have broken the formatter. If it doesn't have missing bits, then JS is a stranger language than I thought...

  • Andrew (unregistered)

    You need to use high ASCII characters!


    Put that into your validator and smoke it!

  • Pabz (unregistered)

    It might be different in other countries but certainly here in the UK users would expect to receive a free router from their ISP, pre-configured so that they can just plug it in and use it. A lot are blissfully unaware that their router even has an admin interface. Of course, these are the same people who say that their Wi-Fi is down when what they really mean is that their Internet connection is down. BT probably don't help by advertising "Unbreakable Wi-Fi" because it is backed up by a 4G connection - of course if the Wi-Fi really was down then the backup wouldn't work either.

  • Sole Purpose Of Visit (unregistered) in reply to Prime Mover

    Amongst all those other stupid requirements such as "must be between six and ten characters, including one numeric and one special and one in upper case." Sometimes that "one" is literally one, sometimes not.

    Apparently nobody in the wonderful world of passwords understands the only important things, which are length and "known" character set (aka entropy, in this case). Fer instance, I've just tested out Purple Monkey Dishwasher on a free "strength calculator," and it would apparently take 853 septillion years to crack. I can live with that. (Not that I will live that long.)

    The only real problem with this approach is that somebody can steal your password on one site and try it on others. This should be mitigated by salting, but I'm willing to bet that there are security gaps to that assumption.

    No problem! Purple Bank Of SPOV Dishwasher. Purple TikTok Account Of SPOV Dishwasher. And so on.

    Regrettably I cannot apply this in real life, because of stupid password limitations practically everywhere you look.

  • Sole Purpose Of Visit (unregistered) in reply to Sole Purpose Of Visit

    And my point here is that, if you just mandate a password of 30+ characters (and explain why and how), then you wouldn't need all the extra crap. Obviously a paranoid user (such as me) could [B]choose[/B] to use upper case, numerics, and special characters. (I do all three.) But it's a user choice, not a server choice.

  • Vincent Cunningham (github)

    No... No. Use a password manager. Use a secure passphrase or password for your master password, and then create unique passwords that follow whatever bespoke password rules the site has. Then you can just copy the password from the password manager (or use autofill with some sort of extension) instead of having to remember anything so none of these rules come back to bother you until they force you to change the password again. Just remember to rotate the ones with really poor requirements from time to time.

  • I dunno LOL ¯\(°_o)/¯ (unregistered)

    abcdefghijklmnopqrstuvwxyz? That's the password on my luggage!

  • (nodebb) in reply to Sole Purpose Of Visit

    Unless you are the manufacturer of Purple Monkey Dishes.... then the password might be cracked in seconds....

    Seriously, I wonder about that calculation. Straight dictionary attacks typically break "pure word sequences" quite quickly.... If you figure 10K words then 10^12 attempts worst case at... Even at a few hundred µs per attack, that is quite short.

  • Sauron (unregistered)

    @Jane Bailey

    Cybercrime gangs do tend to behave more and more like drug street gangs, though: https://krebsonsecurity.com/2022/09/sim-swapper-abducted-beaten-held-for-200k-ransom/

    We've been warned by cyberpunk authors for a while, now that part of sci-fi is becoming more and more real.

  • Sou Eu (unregistered)

    Pass phrases of (mostly) real words are easier to memorize than the ASCII vomit created by most password generators. Mix in a foreign language (if you know one), a numeral or 3, and some punctuation.

    "Oui, said the Frenchman at gate 5." ==> 34 characters. Includes uppercase letters, punctuation, and a numeral.

  • (nodebb) in reply to Sole Purpose Of Visit

    I find it hard to believe that I am the first one to post this link, https://xkcd.com/936/

  • Rod (unregistered) in reply to Pabz

    Here in the US, users would expect to pay a monthly fee for their "free" modem/router.

  • Hasseman (unregistered)

    Was it that kind of requirement that made Alan Turing solve the decoding of the Enigma? A character could not be mapped to itself.

  • TS (unregistered) in reply to Sou Eu

    Er, I think you are misunderstanding the point of a password manager. I only remember three passwords: two which I use daily, and the password manager password.

  • Pabz (unregistered) in reply to Rod

    Interesting, so you have to pay for both the router and the Internet service separately?

  • Vicki (unregistered) in reply to Pabz

    Well, "separately". They're on the same bill, but they're separate itemized charges. So your 50USD/month plan actually costs maybe 70USD if you have a 10USD "equipment rental fee" and another ten bucks or so in taxes. And you have to drive, or pay to ship, the equipment back to the company's receiving address when you cancel the service.

    Obviously it's a huge racket - they want to be able to quote price X to get you to sign up but actually make X+Y dollars off you each month. The public is generally not aware that it's possible to buy and use your own (20USD on Craigslist pays for itself really quickly) because the company will install it without being asked - and they may require their own equipment to be in place to activate the service. So people just assume that using the ISP's branded box is necessary to use the ISP's internet service.

  • (nodebb)

    Never try to defeat password strength logic.

    More than once I've hit websites that for some braindead reason put a strength check in the password entry screen. I caught on when I realized it was rejecting my password client-side. Yeah, my password failed the strength check--I typically use generated random alpha because it's much easier to type on a phone.

    (I suspect they reused code between password setting and password entry. However, I've been burned by this more than once.)

  • Barry Margolin (github) in reply to Pabz

    In the US most ISPs give you the choice of renting a modem/router from them (the monthly fee is around $10) or supplying your own.

  • Barry Margolin (github)

    How does this work?

    var passwordComplexity = $.validator.methods.passwordAtleast.call()

    It doesn't pass the password to the function. And why does it need to use .call()?
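Barry's question above is about the calling convention of jQuery Validation methods. The following is an added illustration, not code from the article or from the jQuery Validation plugin: a minimal stand-in that mirrors the plugin's convention, in which a method registered under `$.validator.methods` is invoked as `method.call(validator, value, element, param)`. The method name `passwordAtleast`, the minimum-length rule it enforces, and the sample fields are assumptions made for this demo.

```javascript
// Stand-in for the jQuery Validation plugin's method registry (assumption for
// this demo: methods take (value, element, param) with `this` bound to the
// validator, which is how the real plugin calls them; none of this is the
// plugin's own code).
const validator = { methods: {} };

function addMethod(name, fn) {
  validator.methods[name] = fn;
}

// Hypothetical rule: the password must be at least `param` characters long.
// Written to fail closed: a call that passes no value returns false rather
// than throwing or accidentally accepting.
addMethod('passwordAtleast', function (value, element, param) {
  if (typeof value !== 'string') return false;
  if (typeof param !== 'number') return false;
  return [...value].length >= param;   // count code points, not UTF-16 units
});

// How the plugin itself invokes a rule for a form field: it reads the field's
// value and passes value, element and the rule's parameter explicitly.
function runRule(name, element, param) {
  return validator.methods[name].call(validator, element.value, element, param);
}

// The form quoted in the thread: .call() with no receiver and no arguments.
// `value`, `element` and `param` are all undefined inside the method, so the
// result says nothing about the password the user typed.
function runRuleWithBareCall(name) {
  return validator.methods[name].call();
}

// Constructed sample fields (plain objects standing in for DOM inputs).
const shortField = { value: 'hunter2' };
const longField = { value: 'correct horse battery staple' };
```

Whatever the client-side result, the same rule has to run again on the server: anything evaluated in the browser can be skipped by sending the request directly, so the client check is a usability aid, not the control.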

  • Erwin (unregistered)

    Only Auhtorized passwords can be authorized!

  • Ann on a Mouse (unregistered)

    And this is why Apple’s Airport Base Stations were so much easier to set up than regular routers. Pity they stopped making them; they were a little pricey but since ALL of them automatically supported stuff you had to pay extra to get from other manufacturers (like NAS and USB printer sharing) it wasn’t a bad deal.

  • FTB (unregistered) in reply to LorenPechtel

    The biggest WTF in the history of passwords was when Windows required you to type in your WiFi password twice to connect to a network (to make sure you remembered it properly...?) without being able to see what you were typing. I used to type it into Notepad then copy/paste it twice.

  • Jan (unregistered) in reply to TheCPUWizard

    10^12 times 500 microseconds is almost 16 years. I wouldn't call it "quite short".
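The exchange above (three words from a 10K-word list, 10^12 worst-case guesses, a few hundred microseconds per guess) is easy to check, and the same arithmetic settles the length-versus-composition argument earlier in the thread. The calculator below is an added example, not code from the article or from any commenter; the 10^12 guess space and the 500 µs per guess come from the thread, while the three compared schemes (8 printable-ASCII characters, 30 lower-case letters, 3 words from a 10,000-word list) and the assumption of uniformly random choice are mine.

```javascript
// Guess-space size and worst-case exhaustion time for password schemes.
// Added example; the schemes below are constructed to match the thread's
// discussion, not taken from the article's validator.

// Entropy in bits of a password drawn uniformly at random: `length` symbols,
// each from an alphabet of `alphabet` possibilities.
function entropyBits(alphabet, length) {
  return length * Math.log2(alphabet);
}

// Number of candidates an exhaustive search has to try in the worst case.
function guessSpace(alphabet, length) {
  return Math.pow(alphabet, length);
}

const SECONDS_PER_YEAR = 365.25 * 24 * 3600;

// Years needed to try every candidate at a fixed guess rate.
function yearsToExhaust(space, guessesPerSecond) {
  return space / guessesPerSecond / SECONDS_PER_YEAR;
}

// Convert "N microseconds per guess" into a guess rate.
function rateFromMicrosecondsPerGuess(us) {
  return 1e6 / us;
}

// The schemes debated in the thread, as constructed policies:
//   ascii8       - composition-style rule, 8 chars from 95 printable ASCII
//   lower30      - length-only rule, 30 lower-case letters
//   threeWords10k - passphrase of 3 words from a 10,000-word list
function compareSchemes(guessesPerSecond) {
  const schemes = {
    ascii8: guessSpace(95, 8),
    lower30: guessSpace(26, 30),
    threeWords10k: guessSpace(10000, 3),
  };
  const report = {};
  for (const [name, space] of Object.entries(schemes)) {
    report[name] = {
      bits: Math.log2(space),
      years: yearsToExhaust(space, guessesPerSecond),
    };
  }
  return report;
}
```

The guess rate is the variable that matters: 500 µs per guess describes an online attempt against a server, while an offline attack on a leaked hash runs orders of magnitude faster, which is why the hash function's cost and the passphrase's length together decide the real margin, not the character classes used.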

  • CdrJameson (unregistered) in reply to LorenPechtel

    I've seen password setting silently truncate a password, but password entry doing no such thing. Only figured that out by repeatedly dropping the last character from the password until it worked.

  • Battery Horse Staple (unregistered) in reply to TS

    How do I get to my password manager when I'm using a work computer, a different work computer, a library computer, my Mum's computer, the community centre computer...?

  • (nodebb)

    Technically even the "most tech-illiterate" don't need to ever log into their router, at least, not here in Australia.

    If you get an ISP supplied modem/router, it will either be preconfigured, or thanks to our National Broadband Network and the use of 'tagging', the moment you connect it, your ISP will configure it.

    And quite often they'll come with a welcome card that provides all the passwords you need (Telstra ones certainly do).

    My aunty has never seen her modem/router's config screen, all she needed to know was that she just plugged it into the wall, powered it up, and within 2 mins she could connect her iPad to it and get internet.

  • (nodebb) in reply to Battery Horse Staple

    Depending on the password manager, log in to the online vault?

    When I was using LastPass, and now that I am using BitWarden, if I need a password and don't have the extension installed, I can either open the app on my phone, or log into the online vault website to get the password.

  • (nodebb) in reply to Battery Horse Staple

    As ray mentioned, there are options such as using a phone app or (where stored in the cloud) an online vault. Also, some password managers are able to run off a USB drive, possibly without requiring any elevated access. Opinions vary on whether a password manager with an online vault becomes an unacceptable security risk; I'd still contend it's more secure than any solution that depends on remembering passwords.

    Fortunately at least more organisations seem to have caught on to the latest NIST guidance that forced regular password changes reduce, rather than increase, security.

  • Officer Johnny Holzkopf (unregistered) in reply to TheCPUWizard

    In that case, invent your own words: Pakametriopleistogonikum or "Ad Buben um Lostophan-Seybments 2022!" - okay, not those exactly, because they'll probably show up in a dictionary once they are published online for a while...

  • Diane B (unregistered)

    BRB, adding 6Y9^}Ky.SK50ZR84.p,5u$380(G;m;bI%NZG%zHd?lOStqRzS}Z?t;8qSg;[gy@ to my rainbow tables, right after hunter2.

  • Matt (unregistered)

    So every time you need to reuse a character just find a similar looking unicode character to use instead.

    Not much between a U+0061 and а U+0430 anyway?
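Matt's trick works because a validator that counts repeated characters compares code points, and U+0061 and U+0430 are different code points that render identically. The block below is an added example, not the article's validator: it shows the naive code-point count that the trick defeats, and the check a defender would add in front of it, namely NFKC normalisation followed by mixed-script detection, using the regex engine's Unicode `Script` property. The sample strings are constructed, and the assumption that the original rule counts distinct code points is mine.

```javascript
// Distinct characters by code point: the naive "no repeats" view that treats
// Latin 'a' and Cyrillic 'а' as two different characters.
function distinctCodePoints(s) {
  return new Set([...s]).size;
}

// Unicode script of a single character, via the regex Script property.
// Digits, punctuation and spaces are script-neutral and return null.
function scriptOf(ch) {
  if (/\p{Script=Latin}/u.test(ch)) return 'Latin';
  if (/\p{Script=Cyrillic}/u.test(ch)) return 'Cyrillic';
  if (/\p{Script=Greek}/u.test(ch)) return 'Greek';
  if (/\p{L}/u.test(ch)) return 'Other';
  return null;
}

// Scripts present in a string, after NFKC normalisation so that compatibility
// forms (full-width letters, ligatures) are folded before classification.
function scriptsUsed(s) {
  const scripts = new Set();
  for (const ch of s.normalize('NFKC')) {
    const sc = scriptOf(ch);
    if (sc) scripts.add(sc);
  }
  return [...scripts].sort();
}

// Letters from more than one script in one string is the classic homoglyph
// pattern; a defender flags it rather than trying to enumerate look-alikes.
function isMixedScript(s) {
  return scriptsUsed(s).length > 1;
}

// NFKC does not unify these two: they stay distinct after normalisation,
// which is exactly why script detection is needed on top of normalisation.
function sameAfterNfkc(a, b) {
  return a.normalize('NFKC') === b.normalize('NFKC');
}

// Constructed samples.
const latinA = '\u0061';                       // a
const cyrillicA = '\u0430';                    // а
const lookalike = 'p' + cyrillicA + 'ssword';  // renders as "password"
```

Rejecting or flagging mixed-script input is the usual defensive choice for identifiers such as usernames and domain labels; for passwords, the better fix is to drop the repeated-character rule altogether rather than police the alphabet.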

Leave a comment on “Special Validation”
