Admin
TRWTF of course is 80 character long passwords.
Admin
Where exactly is the failing condition (cnt >= (len/2)) to be found in the posted source code? Could it be that there's something missing in this ominously malformed for-else-block?
Admin
Any chance we could see the part of the code you are talking about? It looks like all those fancy leet-haxor characters in the submission messed up the code block. In particular I am seeing "for (var i=0; i= (len/2)))", but I am not seeing the referenced "(cnt >= (len/2))".
Admin
If you view-source, then line 237 has all the missing bits. However, and I'm no JavaScript expert, it looks like the missing bit has itself got missing bits - which is what I suspect might have broken the formatter. If it doesn't have missing bits, then JS is a stranger language than I thought...
Admin
You need to use high ASCII characters!
0,]?iáÊѲXÀ×4AÇ`%¾Ò~F=[Þ³~Öæ#+™ÐÎêÜë§^-|
Put that into your validator and smoke it!
Admin
It might be different in other countries but certainly here in the UK users would expect to receive a free router from their ISP, pre-configured so that they can just plug it in and use it. A lot are blissfully unaware that their router even has an admin interface. Of course, these are the same people who say that their Wi-Fi is down when what they really mean is that their Internet connection is down. BT probably don't help by advertising "Unbreakable Wi-Fi" because it is backed up by a 4G connection - of course if the Wi-Fi really was down then the backup wouldn't work either.
Admin
Amongst all those other stupid requirements such as "must be between six and ten characters, including one numeric and one special and one in upper case." Sometimes that "one" is literally one, sometimes not.
Apparently nobody in the wonderful world of passwords understands the only important things, which are length and "known" character set (aka entropy, in this case). Fer instance, I've just tested out Purple Monkey Dishwasher on a free "strength calculator," and it would apparently take 853 septillion years to crack. I can live with that. (Not that I will live that long.)
The only real problem with this approach is that somebody can steal your password on one site and try it on others. This should be mitigated by salting, but I'm willing to bet that there are security gaps to that assumption.
No problem! Purple Bank Of SPOV Dishwasher. Purple TikTok Account Of SPOV Dishwasher. And so on.
Regrettably I cannot apply this in real life, because of stupid password limitations practically everywhere you look.
Admin
And my point here is that, if you just mandate a password of 30+ characters (and explain why and how), then you wouldn't need all the extra crap. Obviously a paranoid user (such as me) could [B]choose[/B] to use upper case, numerics, and special characters. (I do all three.) But it's a user choice, not a server choice.
Admin
No... No. Use a password manager. Use a secure passphrase or password for your master password, and then create unique passwords that follow whatever bespoke password rules the site has. Then you can just copy the password from the password manager (or use autofill with some sort of extension) instead of having to remember anything so none of these rules come back to bother you until they force you to change the password again. Just remember to rotate the ones with really poor requirements from time to time.
Admin
abcdefghijklmnopqrstuvwxyz? That's the password on my luggage!
Admin
Unless you are the manufacturer of Purple Monkey Dishes.... then the password might be cracked in seconds....
Seriously, I wonder about that calculation. Straight dictionary attacks typically break "pure word sequences" quite quickly.... If you figure 10K words then 10^12 attempts worst case at... Even at a few hundred µs per attack, that is quite short.
Admin
@Jane Bailey
Cybercrime gangs do tend to behave more and more like drug street gangs, though: https://krebsonsecurity.com/2022/09/sim-swapper-abducted-beaten-held-for-200k-ransom/
We've been warned by cyberpunk authors for a while, now that part of sci-fi is becoming more and more real.
Admin
Pass phrases of (mostly) real words are easier to memorize than the ASCII vomit created by most password generators. Mix in a foreign language (if you know one), a numeral or 3, and some punctuation.
"Oui, said the Frenchman at gate 5." ==> 34 characters. Includes uppercase letters, punctuation, and a numeral.
Admin
I find it hard to believe that I am the first one to post this link, https://xkcd.com/936/
Admin
Here in the US, users would expect to pay a monthly fee for their "free" modem/router.
Admin
Was it that kind of requirement that made Alan Turing solve the decoding of the Enigma? A character could not be mapped to itself.
Admin
Er, I think you are misunderstanding the point of a password manager. I only remember three passwords: two which I use daily, and the password manager password.
Admin
Interesting, so you have to pay for both the router and the Internet service separately?
Admin
Well, "separately". They're on the same bill, but they're separate itemized charges. So your 50USD/month plan actually costs maybe 70USD if you have a 10USD "equipment rental fee" and another ten bucks or so in taxes. And you have to drive, or pay to ship, the equipment back to the company's receiving address when you cancel the service.
Obviously it's a huge racket - they want to be able to quote price X to get you to sign up but actually make X+Y dollars off you each month. The public is generally not aware that it's possible to buy and use your own (20USD on Craigslist pays for itself really quickly) because the company will install it without being asked - and they may require their own equipment to be in place to activate the service. So people just assume that using the ISP's branded box is necessary to use the ISP's internet service.
Admin
Never try to defeat password strength logic.
More than once I've hit websites that for some braindead reason put a strength check in the password entry screen. I caught on when I realized it was rejecting my password client-side. Yeah, my password failed the strength check--I typically use generated random alpha because it's much easier to type on a phone.
(I suspect they reused code between password setting and password entry. However, I've been burned by this more than once.)
Admin
In the US most ISPs give you the choice of renting a modem/router from them (the monthly fee is around $10) or supplying your own.
Admin
How does this work? It doesn't pass the password to the function. And why does it need to use .call()?
Admin
Only Auhtorized passwords can be authorized!
Admin
And this is why Apple’s Airport Base Stations were so much easier to set up than regular routers. Pity they stopped making them; they were a little pricey but since ALL of them automatically supported stuff you had to pay extra to get from other manufacturers (like NAS and USB printer sharing) it wasn’t a bad deal.
Admin
The biggest WTF in the history of passwords was when Windows required you to type in your WiFi password twice to connect to a network (to make sure you remembered it properly...?) without being able to see what you were typing. I used to type it into Notepad then copy/paste it twice.
Admin
10^12 times 500 microseconds is almost 16 years. I wouldn't call it "quite short".
Admin
I've seen password setting silently truncate a password, but password entry doing no such thing. Only figured that out by repeatedly dropping the last character from the password until it worked.
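The failure mode in the comment above (setting a password truncates it silently, but login hashes the full string, so the user is locked out until they guess the cut-off point) is worth seeing side by side with the fix. This is an added example, not code from the page: a deliberately buggy store that truncates on set only, next to a store that enforces the same explicit length limit on both paths. The 16-byte limit, the PBKDF2 parameters and the sample passwords are constructed for illustration; real systems should use a purpose-built password hash with a documented input limit.

```python
import hashlib
import os
import secrets

# Constructed limit standing in for whatever the truncating system used.
# Limits are measured in bytes, because that is what hashing libraries count.
MAX_BYTES = 16


def derive(password: str, salt: bytes) -> bytes:
    """Salted password hash. PBKDF2-HMAC-SHA256 is used here only so the
    example stays in the standard library."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class TruncatingStore:
    """The bug: set_password silently drops everything past MAX_BYTES,
    verify does not, so any password longer than the limit can never log in."""

    def __init__(self) -> None:
        self.salt = os.urandom(16)
        self.digest = b""

    def set_password(self, password: str) -> None:
        truncated = password.encode("utf-8")[:MAX_BYTES].decode("utf-8", "ignore")
        self.digest = derive(truncated, self.salt)

    def verify(self, password: str) -> bool:
        return secrets.compare_digest(self.digest, derive(password, self.salt))


class ConsistentStore:
    """The fix: the limit is a stated rule, enforced identically on both paths.
    Over-long input is rejected at set time (so the user can pick something
    else) and simply fails verification at login."""

    def __init__(self) -> None:
        self.salt = os.urandom(16)
        self.digest = b""

    @staticmethod
    def _within_limit(password: str) -> bool:
        return len(password.encode("utf-8")) <= MAX_BYTES

    def set_password(self, password: str) -> None:
        if not self._within_limit(password):
            raise ValueError(f"password must be at most {MAX_BYTES} bytes")
        self.digest = derive(password, self.salt)

    def verify(self, password: str) -> bool:
        if not self._within_limit(password):
            return False  # cannot match anything that was ever stored
        return secrets.compare_digest(self.digest, derive(password, self.salt))


def demonstrate_lockout(password: str) -> dict:
    """Show the symptom from the comment: the full password fails, and only
    the user's password chopped to the hidden limit succeeds."""
    store = TruncatingStore()
    store.set_password(password)
    return {
        "full_password_works": store.verify(password),
        "truncated_password_works": store.verify(password[:MAX_BYTES]),
    }


if __name__ == "__main__":
    long_pw = "correct horse battery staple"  # constructed, 28 bytes
    print(demonstrate_lockout(long_pw))
    fixed = ConsistentStore()
    try:
        fixed.set_password(long_pw)
    except ValueError as err:
        print("rejected up front:", err)
```

The consistent store still has a length limit; the point is that the limit is visible at the moment the user chooses the password, rather than discovered later by deleting characters one at a time.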
Admin
How do I get to my password manager when I'm using a work computer, a different work computer, a library computer, my Mum's computer, the community centre computer...?
Admin
Technically even the "most tech-illiterate" don't need to ever log into their router, at least, not here in Australia.
If you get an ISP supplied modem/router, it will either be preconfigured, or thanks to our National Broadband Network and the use of 'tagging', the moment you connect it, your ISP will configure it.
And quite often they'll come with a welcome card that provides all the passwords you need (Telstra ones certainly do).
My aunty has never seen her modem/router's config screen; all she needed to know was that she just plugged it into the wall, powered it up, and within 2 mins she could connect her iPad to it and get internet.
Admin
Depending on the password manager, log in to the online vault?
When I was using LastPass, and now that I am using BitWarden, if I need a password and don't have the extension installed, I can either open the app on my phone, or log into the online vault website to get the password.
Admin
As ray mentioned, there are options such as using a phone app or (where stored in cloud) an online vault. Also, some password managers are able to run off a USB drive, possibly without requiring any elevated access. Opinions vary on whether a password manager with an online vault becomes an unacceptable security risk; I'd still contend it's more secure than any solution that depends on remembering passwords.
Fortunately at least more organisations seem to have caught on to the latest NIST guidance that forced regular password changes reduce, rather than increase, security.
Admin
In that case, invent your own words: Pakametriopleistogonikum or "Ad Buben um Lostophan-Seybments 2022!" - okay, not those exactly, because they'll probably show up in a dictionary once they are published online for a while...
Admin
BRB, adding 6Y9^}Ky.SK50ZR84.p,5u$380(G;m;bI%NZG%zHd?lOStqRzS}Z?t;8qSg;[gy@ to my rainbow tables, right after hunter2.
Admin
So every time you need to reuse a character just find a similar looking unicode character to use instead.
Not much between a U+0061 and а U+0430 anyway?