I'm happy to see the OPM has learned their lesson
-
About security.
Alternatively, time for @Lorne-Kates's favorite game - guess where in the framework they're mishandling passwords!
-
@sloosecannon said in I'm happy to see the OPM has learned their lesson:
Alternatively, time for @Lorne-Kates's favorite game - guess where in the framework they're mishandling passwords!
"Well, sometimes the admin has to log into your account to check things, and unfortunately his keyboard only has the number row left..."
-
@sloosecannon If the only allowed symbols are ! @ # $ % ^ & * ( ), then how are you supposed to have "at least one upper case letter"? :P
-
20 characters is a somewhat sensible upper limit, more than most other sites allow. The rules are a genuine though.
I'm still wondering what the most sensible password restrictions would be, though. The maximum length should obviously be the maximum length your hashing algorithm allows (~50 bytes for bcrypt). The character restrictions are less clear, though. What kind of printable characters should you allow? You obviously want to prevent the user from accidentally setting a password which contains characters they cannot input via their keyboard. But since there are plenty of keyboard layouts and other input methods and you cannot easily detect which ones the user might use, it's not clear what the validation rule should be.
-
@asdf also, what about emoji passwords?
-
@sloosecannon said in I'm happy to see the OPM has learned their lesson:
Alternatively, time for @Lorne-Kates's favorite game - guess where in the framework they're mishandling passwords!
They disallow < and > so I'm guessing when they send the password via xml to a "createUser" webservice. But they don't disallow &, which is making me second-guess myself. But then I remember that they're probably too stupid to realize that & isn't a valid XML character because of &encoding;, so my guess stands.
-
@Adynathos said in I'm happy to see the OPM has learned their lesson:
@sloosecannon If the only allowed symbols are ! @ # $ % ^ & * ( ), then how are you supposed to have "at least one upper case letter"? :P
Yeah, that's pretty stupid. I always use a lower case ! or $
-
@Lorne-Kates said in I'm happy to see the OPM has learned their lesson:
@sloosecannon said in I'm happy to see the OPM has learned their lesson:
Alternatively, time for @Lorne-Kates's favorite game - guess where in the framework they're mishandling passwords!
They disallow < and > so I'm guessing when they send the password via xml to a "createUser" webservice. But they don't disallow &, which is making me second-guess myself. But then I remember that they're probably too stupid to realize that & isn't a valid XML character because of &encoding;, so my guess stands.
Then you get the Microsoft ASP.Net WTF, where some characters aren't allowed at all, even &-encoded. We ran into that problem when we tried retrieving some of our legacy data via webservice, that happened to contain character #18 (0x12)...
-
@Medinoc said in I'm happy to see the OPM has learned their lesson:
that happened to contain character #18 (0x12)
I think we've found TR
-
@Medinoc said in I'm happy to see the OPM has learned their lesson:
Then you get the Microsoft ASP.Net WTF, where some characters aren't allowed at all, even &-encoded.
You can disable it with ValidateRequestMode if you know what you're doing and sanitize all the things in a non-automatic way.
-
@fbmac That's fine for WebForms, but for MVC, you need something different.
-
@El_Heffe said in I'm happy to see the OPM has learned their lesson:
@Adynathos said in I'm happy to see the OPM has learned their lesson:
@sloosecannon If the only allowed symbols are ! @ # $ % ^ & * ( ), then how are you supposed to have "at least one upper case letter"? :P
Yeah, that's pretty stupid. I always use a lower case ! or $
You mean 1 and 4?
-
@dangeRuss said in I'm happy to see the OPM has learned their lesson:
@El_Heffe said in I'm happy to see the OPM has learned their lesson:
@Adynathos said in I'm happy to see the OPM has learned their lesson:
@sloosecannon If the only allowed symbols are ! @ # $ % ^ & * ( ), then how are you supposed to have "at least one upper case letter"? :P
Yeah, that's pretty stupid. I always use a lower case ! or $
You mean 1 and 4?
No, . and ¢
-
@RaceProUK said in I'm happy to see the OPM has learned their lesson:
@fbmac That's fine for WebForms, but for MVC, you need something different.
It's neither WebForms nor MFC, it's a goddamn WebService. The thing that already auto-escapes anything according to XML standards, yet either the client WebReference or some server component goes "nope" and rejects the character anyway.
-
@dangeRuss said in I'm happy to see the OPM has learned their lesson:
@El_Heffe said in I'm happy to see the OPM has learned their lesson:
@Adynathos said in I'm happy to see the OPM has learned their lesson:
@sloosecannon If the only allowed symbols are ! @ # $ % ^ & * ( ), then how are you supposed to have "at least one upper case letter"? :P
Yeah, that's pretty stupid. I always use a lower case ! or $
You mean 1 and 4?
On my keyboard, 1 is upper case &, and 4 is upper case apostrophe, while $ is lower case £ and ! is lower case §... (But it also has a dedicated key for a letter that is used in only one word... ù, used only in où.)
-
@Steve_The_Cynic said in I'm happy to see the OPM has learned their lesson:
On my keyboard, 1 is upper case &, and 4 is upper case apostrophe, while $ is lower case £ and ! is lower case §... (But it also has a dedicated key for a letter that is used in only one word... ù, used only in où.)
And there's no dead-char for acute accent, caps-lock does a shift-lock on Windows (but an actual caps-lock on most Linux) (the combination of these two problems means you need alt-codes to type the letter É), and most unforgivable of all†, full-stop is shift-semicolon. Because people clearly use semicolons more often than they do sentences without one. Clearly.
† according to a friend who'll recognize himself, but I agree with him.
-
@Steve_The_Cynic said in I'm happy to see the OPM has learned their lesson:
@dangeRuss said in I'm happy to see the OPM has learned their lesson:
@El_Heffe said in I'm happy to see the OPM has learned their lesson:
@Adynathos said in I'm happy to see the OPM has learned their lesson:
@sloosecannon If the only allowed symbols are ! @ # $ % ^ & * ( ), then how are you supposed to have "at least one upper case letter"? :P
Yeah, that's pretty stupid. I always use a lower case ! or $
You mean 1 and 4?
On my keyboard, 1 is upper case &, and 4 is upper case apostrophe, while $ is lower case £ and ! is lower case §... (But it also has a dedicated key for a letter that is used in only one word... ù, used only in où.)
Oh yes, having to press Shift to enter numbers... Had to use a French colleague's laptop (so no numpad) once at work and every time I had to enter a number I first entered a few special characters -_-
-
@Medinoc said in I'm happy to see the OPM has learned their lesson:
@Steve_The_Cynic said in I'm happy to see the OPM has learned their lesson:
On my keyboard, 1 is upper case &, and 4 is upper case apostrophe, while $ is lower case £ and ! is lower case §... (But it also has a dedicated key for a letter that is used in only one word... ù, used only in où.)
And there's no dead-char for acute accent, caps-lock does a shift-lock on Windows (but an actual caps-lock on most Linux) (the combination of these two problems means you need alt-codes to type the letter É), and most unforgivable of all†, full-stop is shift-semicolon. Because people clearly use semicolons more often than they do sentences without one. Clearly.
† according to a friend who'll recognize himself, but I agree with him.
It's debatable. Both square bracket sides, both brace sides, the backslash, the pipe, and the # character require AltGr instead of being plain or shifted. When programming in C and C++ (and any other brace-block language), that's an annoyance.
And the shift-lock versus caps-lock thing is the same on FreeBSD/Xorg as it is on Linux/Xorg, and complicated by the fact that on keyboards that have words or word fragments on these keys, the key is, indeed, Caps Lock, "Verr Maj" ("Verr" from verrouiller, to lock, and "Maj" from majuscules, capital letters). But then again, the key marked "Shift" on QWERTY keyboards is marked "Maj" = Caps on AZERTY ones, so it's really Shift Lock.
Whoever was responsible for this needs to be ... chastised. I recommend strapping him to that rather battered wall over there, and I'll turn on this switch. Oh, that thing with the tubes? Don't worry, it won't hurt for very long...
-
@Steve_The_Cynic said in I'm happy to see the OPM has learned their lesson:
that rather battered wall over there, and I'll turn on this switch. Oh, that thing with the tubes?
...
???
-
@sloosecannon If only those symbols are allowed, how are you supposed to include letters and numbers?
-
@ben_lubar said in I'm happy to see the OPM has learned their lesson:
@sloosecannon If only those symbols are allowed, how are you supposed to include letters and numbers?
Unicode magic.
-
@Tsaukpaetra said in I'm happy to see the OPM has learned their lesson:
@Steve_The_Cynic said in I'm happy to see the OPM has learned their lesson:
that rather battered wall over there, and I'll turn on this switch. Oh, that thing with the tubes?
...
???
What am I most famous here for referencing? The tubes in question are around 20 feet long, straight, hollow, with an interior diameter of 35 mm. Seven of them in a cluster. Loud as fuck.
Sigh.
-
@Steve_The_Cynic said in I'm happy to see the OPM has learned their lesson:
What am I most famous here for referencing?
You're famous?
-
@Yamikuronue said in I'm happy to see the OPM has learned their lesson:
@Steve_The_Cynic said in I'm happy to see the OPM has learned their lesson:
What am I most famous here for referencing?
You're famous?
Not at all. Notorious, perhaps. Or well-known.
-
@asdf said in I'm happy to see the OPM has learned their lesson:
You obviously want to prevent the user from accidentally setting a password which contains characters they cannot input via their keyboard.
No you don't. If they can't enter their password because their password storage and handling mechanisms are unsound, they can just exercise your password reset mechanism. Restricting anything but the overall length, or restricting the overall length to anything under 50, is a .
-
@flabdablet said in I'm happy to see the OPM has learned their lesson:
or restricting the overall length to anything under 50
Remember: Bcrypt supports 50 bytes, not characters. And a maximum length that depends on the actual password chosen would be TR.
-
@asdf said in I'm happy to see the OPM has learned their lesson:
a maximum length that depends on the actual password chosen would be TR.
Provided initial password entry involved client-side validation that simply stopped accepting characters at the point where UTF-8 encoding the next one would make the password exceed 56 bytes, I can't see why.
Any password approaching that length is going to have enough entropy even if composed solely of ASCII digits that no practical strength reduction would result if an attacker was able to glean some information about the likely alphabet used from the number of characters accepted.
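The byte-count check the two posts above argue about, written out as an added example (not code from the thread or from any poster): the cap is applied to the password's UTF-8 encoding rather than its character count, and clipping happens on code-point boundaries so an emoji is kept or dropped whole. MAX_BYTES uses the 56-byte figure quoted in the thread and is an assumption; set it to whatever limit your hashing library actually documents.

```javascript
// Added example (not from the thread): client-side cap on a password's
// UTF-8 byte length, rather than its character count.
// MAX_BYTES follows the 56-byte figure quoted in the thread (assumption);
// set it to the limit your hashing library actually documents.
const MAX_BYTES = 56;
const encoder = new TextEncoder(); // TextEncoder always emits UTF-8

// Number of bytes the password occupies once UTF-8 encoded.
// "é" is 1 character but 2 bytes; an emoji is 1 code point but 4 bytes.
function utf8ByteLength(password) {
  return encoder.encode(password).length;
}

// Longest prefix of `password` whose UTF-8 encoding fits in maxBytes.
// Iterating with for...of walks code points, not UTF-16 code units, so a
// surrogate pair (emoji) is either kept whole or dropped whole and the
// result is never a broken half-character.
function truncateToUtf8Bytes(password, maxBytes = MAX_BYTES) {
  let kept = "";
  let used = 0;
  for (const ch of password) {
    const n = encoder.encode(ch).length; // 1..4 bytes per code point
    if (used + n > maxBytes) break;      // next char would overflow: stop
    kept += ch;
    used += n;
  }
  return kept;
}

// Result a password field would act on: whether the value fits as typed,
// how many bytes it uses, and what it would be clipped to otherwise.
function checkPassword(password, maxBytes = MAX_BYTES) {
  const bytes = utf8ByteLength(password);
  return {
    bytes,
    fits: bytes <= maxBytes,
    accepted: truncateToUtf8Bytes(password, maxBytes),
  };
}
```

The same check belongs on the server as well, since the client-side clip only exists to stop the user from typing a password the server would silently shorten.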
-
@Steve_The_Cynic said in I'm happy to see the OPM has learned their lesson:
The tubes in question are around 20 feet long, straight, hollow, with an interior diameter of 35 mm. Seven of them in a cluster. Loud as fuck.
A pipe organ that can only play one note?
-
@Steve_The_Cynic said in I'm happy to see the OPM has learned their lesson:
I recommend strapping him to that rather battered wall over there, and I'll turn on this switch. Oh, that thing with the tubes? Don't worry, it won't hurt for very long...
-
@Steve_The_Cynic said in I'm happy to see the OPM has learned their lesson:
What am I most famous here for referencing?
Pipe organs?
Edit: of course..