Let's create DUMB PASSWORD RULES
-
@Onyx said in Let's create DUMB PASSWORD RULES:
- Passwords may not contain lewd words. Parts of your password may be censored if you disregard this rule.
Filed under:
pa**word
Shirley it's
pbuttword.
-
@NedFodder said in Let's create DUMB PASSWORD RULES:
@Onyx said in Let's create DUMB PASSWORD RULES:
- Passwords may not contain lewd words. Parts of your password may be censored if you disregard this rule.
Filed under:
pa**word
Shirley it's
pbuttword.
Or pdickword ... because if there is a hole there is always a dick to fill it ...
-
All passwords must be written in Klingon
-
All passwords must be written in Klingoff
-
All passwords must be written in Klingfilm
-
@Luhmann said in Let's create DUMB PASSWORD RULES:
because if there is a hole there is always a dick to fill it ...
Ewwww!
Drinks later?
-
Password complexity is important. All passwords must be generated by a program with a cyclomatic complexity of at least 5000
-
Enter new password: [ ] Confirm password: [ ] Re-confirm password: [ ] Once more for posterity: [ ]
* copy/paste disabled
-
- password must be at least 8 characters long
- password must contain at least 1 symbol
- password must contain at least 1 number
- password must contain at least 1 capital letter
- password must contain at least 1 lower case letter
- password must contain at least 1 vowel
- password must contain at least 1 character composed with a fully enclosed area
- password may not contain anything that can be interpreted as a smiley or other facial expression
- password may not contain username
- password may not be contained in username
- password may not be Password12#
- password may not contain any word found in the Official Scrabble Dictionary 5th Edition
- password as a salted hash may not contain any repeating digits or characters; we will not try additional salts beyond the first random attempt to make it valid
- password characters' ASCII values in decimal must not sum to a prime number
- password must be H4n73r12!
-
@darkmatter holy hell, that's actually really hard to make work (obeying all the rules except the last one)
-
@RaceProUK If you have trouble entering your password, enter it in Klingoff then Klingon again.
-
- idiot dev searches "password rules" on google
- finds this thread
- skims a couple of the ones that start with semi-reasonable rules that you would find in lots of other places
- assumes the rest of the rules must be equally valid and, since they're all very confusing, clearly they are more secure!
-
@darkmatter I'm pretty sure this has already happened.
-
Accounts use three-factor authentication:
If you attempt to log in from an unrecognized IP address, you must first wait for a letter in the mail which contains 10 personal questions which we know the answers to via our data mining of your internet browsing habits collected via marketing channels. The answers must be printed using a blue ballpoint pen and returned in the enclosed envelope. The same questions are mailed to a friend or family member of your choice, who must answer the questions exactly the same. If either of you answers any question incorrectly, or uses black ink, red ink, or god forbid pencil, to answer your questions, your account will be irrevocably erased and you will have to start over. Please allow 4-6 weeks to receive your questions and another 4-6 weeks after sending to reactivate your account.
-
Oh, wait, we're talking about passwords. Nevermind...
-
@Tsaukpaetra said in Let's create DUMB PASSWORD RULES:
may not include underscores consecutively
*le sudden flashback
-
Passwords must not match any username on the system. To enforce this, usernames must not match any password either. If you try to create a username that matches an existing password you will be told which user has it so you can ask them to change their password.
-
Oh, and a real one from the system I'm trying to make vaguely sane
Passwords must not match this regular expression for a postcode, because if they do we'll assume next time you log in that your password is the default one of your postcode. If the password and postcode don't match you may never be able to log in again. If your postcode doesn't match the regex then you will never be able to set your password.
-
@Jaloopa said in Let's create DUMB PASSWORD RULES:
Oh, and a real one from the system I'm trying to make vaguely sane
Passwords must not match this regular expression for a postcode, because if they do we'll assume next time you log in that your password is the default one of your postcode. If the password and postcode don't match you may never be able to log in again. If your postcode doesn't match the regex then you will never be able to set your password.
WTF
-
@The_Quiet_One Looks like there's a perfectly reasonable explanation: someone assumed that people would never make something that looks like a postal code as a password, and took advantage of it by making the postal code a default one-time password on first login. The "is it first login" condition is checked by matching the current password against the postal code regex. But the check is duplicated somewhere between the login screen and the password change screen, and the second check tests the current password for equality with the user's current postal code, aborting the procedure if it doesn't match and leaving the user logged out.
-
@The_Quiet_One said in Let's create DUMB PASSWORD RULES:
Please allow 4-6 weeks to receive your questions and another 4-6 weeks after sending to reactivate your account.
Australia Post much?
-
@Gąska said in Let's create DUMB PASSWORD RULES:
@The_Quiet_One Looks like there's a perfectly reasonable explanation: someone assumed that people would never make something that looks like a postal code as a password, and took advantage of it by making the postal code a default one-time password on first login. The "is it first login" condition is checked by matching the current password against the postal code regex. But the check is duplicated somewhere between the login screen and the password change screen, and the second check tests the current password for equality with the user's current postal code, aborting the procedure if it doesn't match and leaving the user logged out.
Speaking of, this week we're inventing default password verification to allow pre-authenticated users to set their initial password.
The only requirement is that the password be at least six characters (you know, we want a modicum of security). So I feel confident in setting the salted password to
¿
Discuss !!!
-
@Tsaukpaetra said in Let's create DUMB PASSWORD RULES:
Discuss !!!
You missed the opportunity to use
🍆🍑😍
as the default.
-
@dkf said in Let's create DUMB PASSWORD RULES:
🍑
It may be different on other platforms, but on Windows 10, that's a very sharp peach
For those who aren't swimming in the 'glory' of Windows 10:
-
@RaceProUK Weird fonts…
-
@Gąska said in Let's create DUMB PASSWORD RULES:
@The_Quiet_One Looks like there's a perfectly reasonable explanation...
The word you are looking for is cromulent.
-
@The_Quiet_One said in Let's create DUMB PASSWORD RULES:
@Gąska said in Let's create DUMB PASSWORD RULES:
@The_Quiet_One Looks like there's a perfectly reasonable explanation...
The word you are looking for is cromulent.
The explanation is reasonable. The developer is not.
-
@Tsaukpaetra said in Let's create DUMB PASSWORD RULES:
@Gąska said in Let's create DUMB PASSWORD RULES:
@The_Quiet_One Looks like there's a perfectly reasonable explanation: someone assumed that people would never make something that looks like a postal code as a password, and took advantage of it by making the postal code a default one-time password on first login. The "is it first login" condition is checked by matching the current password against the postal code regex. But the check is duplicated somewhere between the login screen and the password change screen, and the second check tests the current password for equality with the user's current postal code, aborting the procedure if it doesn't match and leaving the user logged out.
Speaking of, this week we're inventing default password verification to allow pre-authenticated users to set their initial password.
The only requirement is that the password be at least six characters (you know, we want a modicum of security). So I feel confident in setting the salted password to
¿
Discuss !!!
Why not make a separate column in the database telling you whether the password is one-time or not?
-
- Password must contain enough entropy to cook a whole chicken
- Password must summon Cthulhu
-
@Gąska said in Let's create DUMB PASSWORD RULES:
@Tsaukpaetra said in Let's create DUMB PASSWORD RULES:
@Gąska said in Let's create DUMB PASSWORD RULES:
@The_Quiet_One Looks like there's a perfectly reasonable explanation: someone assumed that people would never make something that looks like a postal code as a password, and took advantage of it by making the postal code a default one-time password on first login. The "is it first login" condition is checked by matching the current password against the postal code regex. But the check is duplicated somewhere between the login screen and the password change screen, and the second check tests the current password for equality with the user's current postal code, aborting the procedure if it doesn't match and leaving the user logged out.
Speaking of, this week we're inventing default password verification to allow pre-authenticated users to set their initial password.
The only requirement is that the password be at least six characters (you know, we want a modicum of security). So I feel confident in setting the salted password to
¿
Discuss !!!
Why not make a separate column in the database telling you whether the password is one-time or not?
Because then they're going to want a column that says if their username is one-time, and their email is one-time, and their gender is one-time...
Actually, there's a field already for one-time codes, could abuse that...
-
@Tsaukpaetra is there a use case for a one-time username? One-time email? If not, no one will ask for it, and if they still ask for unused fields in the DB, you can just ignore them. And if there's a use case, you're going to implement it anyway.
Also, to avoid making a separate field to store the one-time flag, you're going to integrate this flag into an existing field, possibly creating a conflict with other data. And the business logic will stay the same no matter where the flag is. So why make terrible hacks instead of doing it the only sane way?
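The lockout Gąska reconstructs above (first-login detection by regex on the login screen, equality against the stored postcode on the change screen) and the separate-column fix argued for in the last two posts, side by side as an added example. This is not code from the thread or from Jaloopa's system; the postcode regex, the PBKDF2 parameters, the account data and the screen names are all assumptions made up for the illustration.

```python
"""Buggy vs. fixed first-login flow: state inferred from the password's shape
versus state kept in its own column."""
from __future__ import annotations

import hashlib
import os
import re
from dataclasses import dataclass

# Assumed UK-style postcode pattern; the thread never shows the real regex.
POSTCODE_RE = re.compile(r"[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}")
ITERATIONS = 50_000  # illustrative work factor, not a recommendation


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS) == digest


@dataclass
class User:
    name: str
    postcode: str
    salt: bytes
    digest: bytes
    must_change_password: bool  # the explicit flag; only the fixed flow reads it


def new_user(name: str, postcode: str, initial_password: str, must_change: bool) -> User:
    salt, digest = hash_password(initial_password)
    return User(name, postcode, salt, digest, must_change)


# --- Buggy flow: "is this the first login?" is guessed from the password --------

def buggy_login(user: User, password: str) -> str:
    if not verify(password, user.salt, user.digest):
        return "denied"
    # Heuristic from the thread: anything postcode-shaped must be the default.
    if POSTCODE_RE.fullmatch(password):
        return "change-password-screen"
    return "session"


def buggy_change_initial_password(user: User, current: str, new: str) -> str:
    # The duplicated check, but now equality against the stored postcode.
    if current != user.postcode:
        return "aborted"  # bounced back to login, which sends the user here again
    user.salt, user.digest = hash_password(new)
    return "changed"


# --- Fixed flow: the one-time state lives in its own column ---------------------

def fixed_login(user: User, password: str) -> str:
    if not verify(password, user.salt, user.digest):
        return "denied"
    return "change-password-screen" if user.must_change_password else "session"


def fixed_change_initial_password(user: User, current: str, new: str) -> str:
    if not user.must_change_password or not verify(current, user.salt, user.digest):
        return "aborted"
    user.salt, user.digest = hash_password(new)
    user.must_change_password = False
    return "changed"


def run_buggy(postcode: str, chosen: str) -> list[str]:
    """Constructed lifecycle: default password is the postcode, the user changes
    it to `chosen`, then logs in again. Returns the outcome of every step."""
    u = new_user("alice", postcode, postcode, must_change=True)
    out = [buggy_login(u, postcode)]
    if out[-1] == "change-password-screen":
        out.append(buggy_change_initial_password(u, postcode, chosen))
        out.append(buggy_login(u, chosen))
        if out[-1] == "change-password-screen":
            # Sent round again; the change screen compares against the postcode.
            out.append(buggy_change_initial_password(u, chosen, chosen + "x"))
    return out


def run_fixed(postcode: str, chosen: str) -> list[str]:
    u = new_user("alice", postcode, postcode, must_change=True)
    out = [fixed_login(u, postcode)]
    if out[-1] == "change-password-screen":
        out.append(fixed_change_initial_password(u, postcode, chosen))
        out.append(fixed_login(u, chosen))
    return out


if __name__ == "__main__":
    print("buggy, postcode-shaped password:", run_buggy("EC1A 1BB", "SW1A 1AA"))
    print("buggy, postcode outside regex:  ", run_buggy("90210", "anything"))
    print("fixed, postcode-shaped password:", run_fixed("EC1A 1BB", "SW1A 1AA"))
    print("fixed, postcode outside regex:  ", run_fixed("90210", "anything"))
```

In the buggy flow a user who picks a password that merely looks like a postcode is locked out on the next login (change screen reached, then "aborted" forever), and a user whose real postcode does not match the regex never sees the change screen at all; the fixed flow handles both because the flag, not the password, carries the state.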
-
@Gąska said in Let's create DUMB PASSWORD RULES:
@Tsaukpaetra is there a use case for a one-time username? One-time email? If not, no one will ask for it, and if they still ask for unused fields in the DB, you can just ignore them. And if there's a use case, you're going to implement it anyway.
Also, to avoid making a separate field to store the one-time flag, you're going to integrate this flag into an existing field, possibly creating a conflict with other data. And the business logic will stay the same no matter where the flag is. So why make terrible hacks instead of doing it the only sane way?
Well, essentially the use case is: we want to avoid people having to type in VR. Since we can infer enough information about them from the Store, we can auto-generate an account for them and avoid most of the hullabaloo involved in account setup.
However, it is feasible that they want to access the web-based account management portal (and we really would like to tie their email address into the account asap).
Essentially, the "flag" will be to indicate whether or not the account is auto-generated, and shove them into the "finish your account" flow (which would collect their intended username, password, etc).
Actually, come to think of it, I can add a "Auto-generated" claim to their account, which would suffice for this purpose....
-
@Tsaukpaetra make sure you create the new column as follows:
alter table Users add column autoGeneratedYesNo varchar(20);
to allow for such codes as Y, N, Yes, No, YES, NO, MAYBE, FILE_NOT_FOUND
-
@darkmatter said in Let's create DUMB PASSWORD RULES:
@Tsaukpaetra make sure you create the new column as follows:
alter table Users add column autoGeneratedYesNo varchar(20);
to allow for such codes as Y, N, Yes, No, YES, NO, MAYBE, FILE_NOT_FOUND
Well, the claims table can have a significant amount of data for the claim type/value.
So since it's a string: PreRequirements success!!
Using the claims table as an account flag system is probably , but it seems to work just as well as a new mostly-useless column, so
-
@Tsaukpaetra just stuff all your extra values in the same spot... with nvarchar(max) you could hold an almost unlimited amount of comma-delimited data!
-
@RaceProUK
The ASP.NET user authentication defaults are TR here. The related column in the main table is e-mail addresses as the UserId.
-
@RaceProUK clearly the UserId is also the Username as an intelligent key, as any sane database would do it. Makes it easier to check against the password to make sure no one uses the same password and username!
clearly not being sarcastic
-
@izzion said in Let's create DUMB PASSWORD RULES:
@RaceProUK
The ASP.NET user authentication defaults are TR here. The related column in the main table is e-mail addresses as the UserId.
Actually, that in particular was fixed in the project before I came in. No, the other WTF is that email and username were treated as the same (in a really hacky way) until I untangled that mess so we could properly handle oauth. Then I disabled the hacked-in Facebook oauth because it literally wiped all the claims for a user whenever they used that option.
-
Passwords must consist entirely of prime numbers when read as a sequence of 32-bit integers.
-
Passwords must be unique; i.e. you can't have the same password as anyone else.
-
Your password must not be used by any other person in our system.
-
@thecpuwizard
E_PASSWORD_RULE_NOT_UNIQUE
-
Password must cut down a tree with a herring before being accepted.
-
@thecpuwizard said in Let's create DUMB PASSWORD RULES:
Your password must not be used by any other person in our system.
… and if it is, we'll tell you who you have to make your password different from!
-
Password must contain between 2 and 6 unique characters.
Lowercase characters will be automatically* converted to uppercase.
Password must contain at least one letter and one number.
Password must not contain any character more than once.
Password may not contain a dictionary word in any documented language.
For clarity, the following characters are not allowed: 0, O, o, l, |, 1, I, t, +.
No characters outside the printable 7-bit ASCII range may be used.
Whitespace is not permitted and will be automatically* removed.
Password will be truncated if a null character is encountered.
Password may not contain your middle initial.
No symbols other than -, _, and " are permitted.
If the " character is used, it must be entered as \".
Password expires every 666 days.
Passwords may only be changed or reset by calling Customer Service.
When calling Customer Service to change or reset your password, a new Password Hint must also be created at that time.
Password Hint must be related in some way to the password you choose, or both Password and Password Hint will be rejected by Customer Service Agent.
*When setting a new password only. Nothing will mention this.
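The rule set just above is funny because it is tiny, and the thread never says how tiny. As an added example, not from the post or any real system, this counts the keyspace the mechanically checkable rules leave (lengths 2 to 6, no repeated character, at least one letter and one digit, the reduced alphabet) by inclusion-exclusion, cross-checks the formula by brute force for short lengths, and compares it with an unrestricted 6-character printable-ASCII password. The interpretation that lowercase is uppercased before the banned-character check (so L and T survive) is an assumption; the dictionary-word and middle-initial rules depend on data the post does not give and are not modelled, so the count is an upper bound.

```python
"""Count the keyspace a restrictive password policy leaves behind."""
import itertools
import math
import string

# Effective alphabet under the quoted rules (assumption: lowercase is uppercased
# before the banned-character check; banned after that step: O, I, 0, 1).
LETTERS = "".join(c for c in string.ascii_uppercase if c not in "OI")  # 24
DIGITS = "".join(c for c in string.digits if c not in "01")            # 8
SYMBOLS = '-_"'                                                        # 3
ALPHABET = LETTERS + DIGITS + SYMBOLS                                  # 35
MIN_LEN, MAX_LEN = 2, 6


def complies(pw: str) -> bool:
    """Mechanically checkable rules only: length, distinct characters, allowed
    alphabet, at least one letter and one digit. Dictionary-word and
    middle-initial rules are not modelled, so this accepts a superset."""
    return (
        MIN_LEN <= len(pw) <= MAX_LEN
        and len(set(pw)) == len(pw)
        and all(c in ALPHABET for c in pw)
        and any(c in LETTERS for c in pw)
        and any(c in DIGITS for c in pw)
    )


def analytic_count(n: int) -> int:
    """Distinct-character strings of length n with >= 1 letter and >= 1 digit:
    all k-permutations minus those with no letter, minus those with no digit,
    plus those with neither (math.perm returns 0 when n exceeds the pool)."""
    total = math.perm(len(ALPHABET), n)
    no_letter = math.perm(len(ALPHABET) - len(LETTERS), n)
    no_digit = math.perm(len(ALPHABET) - len(DIGITS), n)
    neither = math.perm(len(SYMBOLS), n)
    return total - no_letter - no_digit + neither


def brute_force_count(n: int) -> int:
    """Enumerate every length-n candidate and apply the predicate (small n only)."""
    return sum(1 for p in itertools.permutations(ALPHABET, n) if complies("".join(p)))


def policy_keyspace() -> int:
    return sum(analytic_count(n) for n in range(MIN_LEN, MAX_LEN + 1))


def bits(keyspace: int) -> float:
    return math.log2(keyspace)


if __name__ == "__main__":
    for n in range(MIN_LEN, 5):  # n = 2..4: cheap enough to enumerate
        assert analytic_count(n) == brute_force_count(n), n
    ks = policy_keyspace()
    print(f"policy keyspace: {ks:,} ({bits(ks):.1f} bits)")
    print(f"6 chars, 95 printable ASCII, repeats allowed: {bits(95 ** MAX_LEN):.1f} bits")
    print(f"seconds to exhaust the policy at 1e9 guesses/s: {ks / 1e9:.1f}")
```

With these assumptions the whole policy admits under a billion passwords, roughly 30 bits against about 39 bits for six unconstrained printable characters, and every further rule on the list (no dictionary words in any language, no middle initial) only shrinks it.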
-
@pjh said in Let's create DUMB PASSWORD RULES:
Enter new password: [ ] Confirm password: [ ] Re-confirm password: [ ] Once more for posterity: [ ]
* copy/paste disabled
Enter password backwards to re-confirm password: [ ]
-
@anotherusername said in Let's create DUMB PASSWORD RULES:
Enter password backwards to re-confirm password:
The Evil Ideas thread is .