Amex Passwords



  • So I go to update my Amex password and see that they no longer limit you to a maximum of 8 characters. Progress, right? Then I saw this:

    @Amex said:

    Your new password cannot have any spaces and will not be case sensitive.


    Sweet Jesus.



  • @morbiuswilters said:

    So I go to update my Amex password and see that they no longer limit you to a maximum of 8 characters. Progress, right? Then I saw this:

    @Amex said:
    Your new password cannot have any spaces and will not be case sensitive.


    Sweet Jesus.

    well either they are converting it to upper case before hashing it which is only half bad, or they are converting it to upper case and saving it straight which might explain the no spaces part which is so completely wrong, I don't know what to say except, glad I'm not an Amex user.



  • @morbiuswilters said:

    will not be case sensitive.
    Well, converting your stored password and the input string to all upper or lower case for case insensitive comparison can take quite a bit of processing power; maybe their servers just aren't up to the task of performing this analysis on longer passwords?

    As for spaces, well they're just being grammatically correct: if your password contains a space, then technically, it'd be two (or more) passwords, no? Be honest, what algorithm could they possibly use to implement that?



  • If it can't have spaces, I'd be interested in seeing what happens when you enter some of the more interesting Unicode characters.



  • @KattMan said:

    well either they are converting it to upper case before hashing it which is only half bad

    I'd say that's pretty bad. Reducing the keyspace for no good reason is just senseless.



  • When I called to activate my corporate Amex, the automated system insisted I should set a PIN. Sort of. What it actually tells you to do is "Enter a four digit memorable date, such as a birthday".

    This tells me more than I ever wanted to know about Amex security.



  • @snoofle said:

    Well, converting your stored password and the input string to all upper or lower case for case insensitive comparison can take quite a bit of processing power; maybe their servers just aren't up to the task of performing this analysis on longer passwords?

    No, they are doing case insensitive matching, which sucks.



  • @morbiuswilters said:

    @snoofle said:
    Well, converting your stored password and the input string to all upper or lower case for case insensitive comparison can take quite a bit of processing power; maybe their servers just aren't up to the task of performing this analysis on longer passwords?

    No, they are doing case insensitive matching, which sucks.

    Actually, making passwords case-insensitive isn't such a bad idea at all:

    • It avoids the (unfortunately) common "I can't log in because I accidentally pressed Caps Lock instead of Shift" error.
    • It does reduce the entropy of mixed-case passwords by a few bits.  But if you're using a relatively common capitalization pattern (like "BobbyTables"), it really is just a few bits.  (Password cracking programs know those patterns and will try them.)  The only way to pack a significant amount of entropy into capitalization is to make it completely random, and nobody (sane) does that because it's impossible to remember.
    • For the crazy people who use random caps anyway, it also avoids the "I can't log in because I can't remember which letters in my password are upper case" error.
    • Hopefully, it makes it harder for PHBs who've read a computer security book written in the 70s to enforce silly rules like "all passwords must contain at least two uppercase letters".  ("OK, I'll make mine 'LetMeIn', that has three.")

    Ps.: Obligatory xkcd reference.



  • @vyznev said:

    @morbiuswilters said:

    @snoofle said:
    Well, converting your stored password and the input string to all upper or lower case for case insensitive comparison can take quite a bit of processing power; maybe their servers just aren't up to the task of performing this analysis on longer passwords?

    No, they are doing case insensitive matching, which sucks.

    Actually, making passwords case-insensitive isn't such a bad idea at all:

    • It avoids the (unfortunately) common "I can't log in because I accidentally pressed Caps Lock instead of Shift" error.
    • It does reduce the entropy of mixed-case passwords by a few bits.  But if you're using a relatively common capitalization pattern (like "BobbyTables"), it really is just a few bits.  (Password cracking programs know those patterns and will try them.)  The only way to pack a significant amount of entropy into capitalization is to make it completely random, and nobody (sane) does that because it's impossible to remember.
    • For the crazy people who use random caps anyway, it also avoids the "I can't log in because I can't remember which letters in my password are upper case" error.
    • Hopefully, it makes it harder for PHBs who've read a computer security book written in the 70s to enforce silly rules like "all passwords must contain at least two uppercase letters".  ("OK, I'll make mine 'LetMeIn', that has three.")

    Ps.: Obligatory xkcd reference.

    That comic is retarded and incorrect. Additionally, I use randomly-generated passwords that differ for every site. Seriously, if you're using your memory for all of your passwords you are doing it wrong.



  • @morbiuswilters said:

    That comic is retarded and incorrect. Additionally, I use randomly-generated passwords that differ for every site. Seriously, if you're using your memory for all of your passwords you are doing it wrong.

    While I completely disagree that making passwords case-insensitive isn't a bad idea, can you elaborate on what is wrong with the comic?

  • ♿ (Parody)

    @Sutherlands said:

    While I completely disagree that making passwords case-insensitive isn't a bad idea, can you elaborate on what is wrong with the comic?

    I can't figure out if you think case insensitive passwords are a good idea or a bad idea.



  • @blakeyrat said:

    If it can't have spaces, I'd be interested in seeing what happens when you enter some of the more interesting Unicode characters.
     

    ☃



  • @Sutherlands said:

    While I completely disagree that making passwords case-insensitive isn't a bad idea, can you elaborate on what is wrong with the comic?

    His numbers aren't incorrect, assuming you actually use 4 randomly-selected words from a dictionary of 2048. However:

    • He seems to be under the impression that somebody thinks creating a password like that in panel 1 is a good idea. It's not. Who does that?
    • The comic makes a good point about usability being an important concern in security but then he shoots himself in the foot. Passphrases are long. People don't like typing long passwords. They're probably going to write it down in an unencrypted text file so they can copy and paste it. It's also a PITA to type on phones.
    • Since it seems to advocate memorizing all of your passwords, it's expecting people to keep hundreds of words in their heads. The fact is, you're going to forget things or get words out of order. Hell, his little picture doesn't even have you remembering the correct passphrase: it seems to imply "horse battery staple correct". Randomly-generated phrases are sometimes going to be difficult to remember; I don't even think "correct horse battery staple" is all that easy to remember and I've seen that comic like a dozen times.
    • The fact is, you should be using some kind of password generation utility which securely stores passwords in an encrypted form. Then you can use extremely secure randomly-generated passwords.
    • He says that compromise of a hash database isn't a concern for an end user when it absolutely should be. The sad truth is, a lot of people store passwords unhashed or hashed only with straight MD5 (which may as well be unhashed for all the good it does).
    • He seems to think the security industry isn't aware of passphrases and that it has spent decades teaching incorrect practices due to ignorance, which is bullshit.


    His entire premise is basically: "use this insecure method of password generation instead of this even-less-secure method". I have my suspicions that he just discovered passphrases and entropy the night before and decided to create a half-assed comic strip about it. Which is basically how every xkcd is made.



  • @bgodot said:

    @blakeyrat said:

    If it can't have spaces, I'd be interested in seeing what happens when you enter some of the more interesting Unicode characters.
     

    ☃

    I still wonder why that exists in Unicode..



  • @morbiuswilters said:

    ☃

     I still wonder why that exists in Unicode..

     

    For the benefit of weather reporters, duh.

     



  • Wow morbius, you manage to suck the life out of anything. Even simple tri-weekly 5 seconds of fun that is xkcd. I'd hate to be you. Or near you.



  • @morbiuswilters said:

    The comic makes a good point about usability being an important concern in security but then he shoots himself in the foot. Passphrases are long. People don't like typing long passwords. They're probably going to write it down in an unencrypted text file so they can copy and paste it. It's also a PITA to type on phones.

    Really? How exactly are you going to copy and paste that long phrase on a phone? On an Internet cafe machine?
    My experience is the consumers are happy typing "monkey tennis" over "password1" (especially compared to typing "aBf34%G").

    @morbiuswilters said:
    The fact is, you should be using some kind of password generation utility which securely stores passwords in an encrypted form. Then you can use extremely secure randomly-generated passwords.

    Again, how is this applicable to a phone or an Internet cafe machine?
    Your process for generating these is not applicable to consumers rather than IT engineers and is simply replacing lots of passwords with one. If you lose the password or seed file or whatever for the password generator then you are completely screwed, for all password protected things you use.
    If nothing else, what you have typed is not a fact, it is an opinion.

    @morbiuswilters said:
    He says that compromise of a hash database isn't a concern for an end user when it absolutely should be. The sad truth is, a lot of people store passwords unhashed or hashed only with straight MD5 (which may as well be unhashed for all the good it does).

    It is not a concern for the end user who has no knowledge and (more importantly) no control over what happens on the target computer system. I have no idea how Fishpond.co.nz or Bookdepository.co.uk store my password. Even if I did have an idea, I have no control over how it is stored. As a consumer I just have to trust the vendor.

    The lesson I take from the XKCD comic is that we in the IT industry should be teaching consumers (i.e. people not in the IT industry) practices that take into account good security as well as good ease of use. 

    As for the original post that started this thread, yes, Amex are being fucking stupid. Whoever came up with that policy needs to be replaced with someone who understands computer security a lot better.



  • @morbiuswilters said:

    The fact is, you should be using some kind of password generation utility which securely stores passwords in an encrypted form. Then you can use extremely secure randomly-generated passwords.
     

    I use a slightly different approach, which is to take the SHA1-hash (base64-ed for brevity) of "website:password" as my password on every website, with "password" a ten-letter password. I've written a little app that calculates this, and put it on the Internet with a URL I can remember. This way, I can log in to any website, even when I'm at a place I would normally not be able to access a list of stored passwords.

    Do you see any disadvantage to this?

     



  • @da Doctah said:

    @morbiuswilters said:

    ☃

     I still wonder why that exists in Unicode..

     

    For the benefit of weather reporters, duh.

     

    Aw, I thought it was for a roguelike version of SkiFree...



  • @veggen said:

    Wow morbius, you manage to suck the life out of anything. Even simple tri-weekly 5 seconds of fun that is xkcd. I'd hate to be you. Or near you.

    If your definition of fun is anything related to xkcd, I'm glad you aren't near me either. That pile of shit is about as fun as having crocheting needles shoved up your urethra.



  • @havokk said:

    How exactly are you going to copy and paste that long phrase on a phone? On an Internet cafe machine?

    What the fuck? That's exactly my point, it's a PITA because you can't copy-and-paste.

    @havokk said:

    Again, how is this applicable to a phone or an Internet cafe machine?

    It's about as difficult to manage with a phone as a passphrase. There are password managers for phone OSes. And Internet cafe? What third world shithole do you think I live in?

    @havokk said:

    Your process for generating these is not applicable to consumers rather than IT engineers and is simply replacing lots of passwords with one. If you lose the password or seed file or whatever for the password generator then you are completely screwed, for all password protected things you use.

    It's perfectly applicable to consumers. How fucking hard do you think it is to use a piece of software that stores passwords? "Replacing lots of passwords with one" is the whole goddamn point. I can memorize a random password or two, but I've got hundreds. You use the password all of the time so the likelihood of forgetting it is rather slim. Apparently you think it's easier to memorize dozens of passwords rather than one? And if you're really scared you can write the password down and stash it in a safety deposit box.

    @havokk said:

    It is not a concern for the end user who has no knowledge and (more importantly) no control over what happens on the target computer system. I have no idea how Fishpond.co.nz or Bookdepository.co.uk store my password. Even if I did have an idea, I have no control over how it is stored. As a consumer I just have to trust the vendor.

    Wrong answer, dipshit. It absolutely is your concern because it's your data. I never said anything about having control over how passwords are stored, I said you have control over how easy your password is to crack, which you do. "Trust the vendor" is just asking to get ass-fucked.

    @havokk said:

    The lesson I take from the XKCD comic is that we in the IT industry should be teaching consumers (i.e. people not in the IT industry) practices that take into account good security as well as good ease of use.

    Seriously have you paid any attention to computer security the last decade? Do you have the first clue what you are talking about? One of the primary concerns of security is ease of use. The point is that passphrases don't fix a damn thing. The "try to remember dozens of passphrases" method is sub-par compared to using strong, randomly-generated passwords.



  • @briverymouse said:

    @morbiuswilters said:

    The fact is, you should be using some kind of password generation utility which securely stores passwords in an encrypted form. Then you can use extremely secure randomly-generated passwords.
     

    I use a slightly different approach, which is to take the SHA1-hash (base64-ed for brevity) of "website:password" as my password on every website, with "password" a ten-letter password. I've written a little app that calculates this, and put it on the Internet with a URL I can remember. This way, I can log in to any website, even when I'm at a place I would normally not be able to access a list of stored passwords.

    Do you see any disadvantage to this?

     

    Is it the same 10-letter password? I'm assuming so which makes things slightly less secure (if someone gets your master password they can derive any password for any site). It's also not very good if your site doesn't use SSL. The biggest issue, though, is logging in from untrusted machines in the first place. I don't care how good your password is, if there's a keylogger installed you are owned. And, really, I don't tend to trust any computer but my own.

    Your best bet is a good smartphone app that keeps the encrypted list of passwords for you. There are probably ones that sync easily with an app running on your computer, too, so you can manage the passwords on your computer but still have them on-the-go.



  • @morbiuswilters said:


    @Amex said:

    Your new password cannot have any spaces and will not be case sensitive.

    I had a similar thing on another website, there was a length limit, symbols weren't allowed and it was case insensitive.

    I later discovered that this particular website, which is a kind of comparison site which allows you to book travel with a number of different operators all on one site, works by setting up an account for me on the sites of these individual companies. I discovered this one day when trying to sign up with one of them directly only to be told I already had an account, using the same insecure password.

    Upon enquiring I was informed they use these password rules for two reasons. A. It ensures the password I choose works with the sites of all the member companies and B. Such passwords are easier to remember and so they get less support calls about it. :/

     



  •  @morbiuswilters said:

    @veggen said:
    Wow morbius, you manage to suck the life out of anything. Even simple tri-weekly 5 seconds of fun that is xkcd. I'd hate to be you. Or near you.

    If your definition of fun is anything related to xkcd, I'm glad you aren't near me either. That pile of shit is about as fun as having crocheting needles shoved up your urethra.

    You say as if you've experienced this before. Please go and do it again and again until the pain keeps you away from your computer.


  • Discourse touched me in a no-no place

    @vyznev said:

    It avoids the (unfortunately) common "I can't log in because I accidentally pressed Caps Lock instead of Shift" error.
    That is not a benefit for those who do know how to use a keyboard.

    @vyznev said:
    It does reduce the entropy of mixed-case passwords by a few bits.  But if you're using a relatively common capitalization pattern (like "BobbyTables"), it really is just a few bits. 
    That's not a benefit either, to those of us who use non-common capitalisation.
    @vyznev said:
    For the crazy people who use random caps anyway, it also avoids the "I can't log in because I can't remember which letters in my password are upper case" error.
    Well, at least you're consistent... Again, no benefit for those of us who don't forget which are capitalised.


  • Discourse touched me in a no-no place

    @bgodot said:

    @blakeyrat said:

    If it can't have spaces, I'd be interested in seeing what happens when you enter some of the more interesting Unicode characters.
     

    ☃

    💩



  • @briverymouse said:

    @morbiuswilters said:

    The fact is, you should be using some kind of password generation utility which securely stores passwords in an encrypted form. Then you can use extremely secure randomly-generated passwords.
     

    I use a slightly different approach, which is to take the SHA1-hash (base64-ed for brevity) of "website:password" as my password on every website, with "password" a ten-letter password. I've written a little app that calculates this, and put it on the Internet with a URL I can remember. This way, I can log in to any website, even when I'm at a place I would normally not be able to access a list of stored passwords.

    https://www.pwdhash.com/    ... which is basically the same thing, afaict.

    @briverymouse said:

    Do you see any disadvantage to this?
     

    The only one I've come across is that one of my web sites has a 2-capitals-2-numbers requirement, and my standard hash-this-password didn't have 2 numbers, so now I sadly have two different passwords that get hashed, one for Citibank and one for everybody else.
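
The derivation scheme from the posts above, with a slow-KDF variant beside it and a per-site counter so that one master password can still satisfy a composition rule like the 2-capitals-2-numbers one just mentioned. This is an added example, not code from any poster or from pwdhash.com; the counter, the PBKDF2 parameters, the sample site names and all function names are assumptions.

```python
import base64
import hashlib


def sha1_site_password(site: str, master: str, counter: int = 0) -> str:
    """base64(SHA1("website:password")) as described in the post.

    `counter` is an assumption added here; counter=0 reproduces the post's
    scheme exactly. Note the cost: one SHA-1 per derivation, so anyone who
    obtains a single derived password can test master-password guesses
    offline at one SHA-1 each.
    """
    material = f"{site}:{master}" if counter == 0 else f"{site}:{master}:{counter}"
    digest = hashlib.sha1(material.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def kdf_site_password(site: str, master: str, counter: int = 0,
                      iterations: int = 600_000) -> str:
    """Same idea with a deliberately slow KDF (assumed variant, not from the thread).

    The site name and counter act as the salt, so every site still gets a
    different password, but each master-password guess now costs
    `iterations` HMAC-SHA256 rounds instead of one SHA-1.
    """
    salt = f"{site}:{counter}".encode("utf-8")
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                              iterations, dklen=21)
    return base64.b64encode(raw).decode("ascii")


def meets_policy(password: str, min_upper: int = 2, min_digits: int = 2) -> bool:
    """Composition rule of the kind mentioned in the post above."""
    uppers = sum(c.isupper() for c in password)
    digits = sum(c.isdigit() for c in password)
    return uppers >= min_upper and digits >= min_digits


def derive_for_policy(derive, site: str, master: str, max_tries: int = 100):
    """Bump the counter until the derived password satisfies the policy.

    Returns (password, counter). Only the small counter has to be remembered
    per site, rather than a second master password.
    """
    for counter in range(max_tries):
        candidate = derive(site, master, counter)
        if meets_policy(candidate):
            return candidate, counter
    raise ValueError("no policy-compliant password within max_tries")


if __name__ == "__main__":
    master = "tenletters"  # constructed sample value
    for site in ("forum.example", "bank.example"):  # constructed site names
        pw, counter = derive_for_policy(sha1_site_password, site, master)
        print(site, counter, pw)
    print(kdf_site_password("bank.example", master))
```

Neither variant changes the other points raised in the reply: the master password is still a single point of failure, and typing it on an untrusted machine exposes it regardless of how the derivation is done.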

     



  • @snoofle said:

    ...

    As for spaces, well they're just being grammatically correct: if your password contains a space, then technically, it'd be two (or more) passwords, no? Be honest, what algorithm could they possibly use to implement that?

     

    ssh uses the term passphrase. Fixed.

     

     



  • @snoofle said:

    Well, converting your stored password and the input string to all upper or lower case for case insensitive comparison can take quite a bit of processing power; maybe their servers just aren't up to the task of performing this analysis on longer passwords?

    As for spaces, well they're just being grammatically correct: if your password contains a space, then technically, it'd be two (or more) passwords, no? Be honest, what algorithm could they possibly use to implement that?

     

     

    I think they're using the "SQL string concatenation without escaping" algorithm, which neatly explains the case-insensitivity in case they're using MSSQL, where = is case-insensitive.

     



  • The other failure with the xkcd is that it overestimates the complexity of the pass phrase.  Dictionary hacking works at the word level, not necessarily character level, so the complexity it gives is totally off.



  • @dhromed said:

    I think they're using the "SQL string concatenation without escaping" algorithm, which neatly explains the case-insensitivity in case they're using MSSQL, where = is case-insensitive.

    The = operator is only as case-sensitive as your collation tells it to be.



  • @blakeyrat said:

    If it can't have spaces, I'd be interested in seeing what happens when you enter some of the more interesting Unicode characters.
    A few weeks ago, I was paying for something with my mastercard online, and was redirected to their 3D secure bullshit, which is basically, "enter your tax ID so we know who you are, now choose a password (which you can reset with the tax ID if you forget it, and which had some stupid limitations I already forgot about) and put a phrase here (letters, numbers and spaces only) that you can remember, so next time you see this, you can verify we're legit". Note that all of this was in Slovenian, so the phrase I entered naturally contained some accented characters - which resulted in an error: "Phrase must letters, numbers and spaces" (again, in Slovenian, and missing part of the verb). Nowhere was I told that accented letters don't count as letters.
    @morbiuswilters said:
    I still wonder why that exists in Unicode..
    Snowman's been there since Unicode 2.0 IIRC, but 6.0 adds a lot more interesting glyphs.



  •  @dhromed said:

    @snoofle said:

    Well, converting your stored password and the input string to all upper or lower case for case insensitive comparison can take quite a bit of processing power; maybe their servers just aren't up to the task of performing this analysis on longer passwords?

    As for spaces, well they're just being grammatically correct: if your password contains a space, then technically, it'd be two (or more) passwords, no? Be honest, what algorithm could they possibly use to implement that?

     

     

    I think they're using the "SQL string concatenation without escaping" algorithm, which neatly explains the case-insensitivity in case they're using MSSQL, where = is case-insensitive.

     

    MSSQL isn't case insensitive by default, at least not across the board.  It depends on the collation used.  If not changed, the column will use the collation of the database.  If not specified when creating the database, the database will use the collation of the instance.  The default instance collation is defined by the region of the server it is being installed on.  For example, installing on a server setup in Poland will result in a default case-sensitive instance, while installing on a US server will be case-insensitive.

    Case sensitive instances are really fun.  You need to make sure all the tables, columns, procs all use the proper casing or you get Invalid object or Don't have access to blah blah blah or whatever error you get when you try to access something that doesn't exist.

     



  • @lpope187 said:

    MSSQL
     

    The More You Know™



  • @ender said:

    Snowman's been there since Unicode 2.0 IIRC, but 6.0 adds a lot more interesting glyphs.
     

    <3



  • Your new password must:
    - not be the same as your previous 24 passwords
    - not be similar to your login name
    - not be similar to your name
    - not be similar to other commonly used passwords
    - must contain at least 2 uppercase characters
    - must contain at least 2 lowercase characters
    - must contain at least 2 numeric characters
    - must contain at least 2 special characters
    - not contain a keyboard pattern such as qwerty
    - contain at least 15 characters

    Passwords are expired every 60 days, with a 15-day warning (essentially a 45-day password if the expiry warning annoys you enough to change it early.)



  • @Anketam said:

    The other failure with the xkcd is that it overestimates the complexity of the pass phrase.  Dictionary hacking works at the word level, not necessarily character level, so the complexity it gives is totally off.


    Not sure whether you're trolling or not, but if you aren't: the xkcd estimate of passphrase entropy is correct for a dictionary with about 2000 words and a good RNG. I shall assume that any argument against that not accompanied by calculations involving logs is a troll.



  • @dhromed said:

    I think they're using the "SQL string concatenation without escaping" algorithm, which neatly explains the case-insensitivity in case they're using MSSQL, where = is case-insensitive.

    Wow, so many WTFs. = is case-sensitive in MS SQL if the collation on that column is case-sensitive. It isn't if it isn't. Isn't that how every DB works?

    Go back to refrigerator school.



  • @bgodot said:

    I like U+1F4A9




  • @blakeyrat said:

    Go back to refrigerator school.
     

    Can't. I was too cool.



  • @pjt33 said:

    Not sure whether you're trolling or not, but if you aren't: the xkcd estimate of passphrase entropy is correct for a dictionary with about 2000 words and a good RNG.

    It's actually 2048 words (as I stated above). And "a good RNG" should be "a cryptographically-secure RNG". I know you know that but for the benefit of others who might think Mersenne-Twister is a "good RNG"..
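
The entropy figures argued over in this thread, worked through with logs, together with a passphrase generator that draws from a cryptographically secure RNG. This is an added example and not part of any post; the word list is a constructed 2048-entry stand-in for a real dictionary, and the count of four capitalization styles is an assumed figure for illustration.

```python
import math
import secrets


def uniform_bits(choices: int, picks: int) -> float:
    """Entropy in bits of `picks` independent, uniformly random selections
    from `choices` equally likely options."""
    return picks * math.log2(choices)


def case_fold_loss(length: int) -> float:
    """Bits lost when a uniformly random [A-Za-z0-9] password is compared
    case-insensitively: the alphabet shrinks from 62 symbols to 36."""
    return uniform_bits(62, length) - uniform_bits(36, length)


def pattern_bits(patterns: int) -> float:
    """Bits that capitalization adds when the user picks one of a handful of
    styles (all lower, Capitalized, CamelCase, ALL CAPS, ...) that a guesser
    can simply enumerate."""
    return math.log2(patterns)


def build_wordlist() -> list[str]:
    """Constructed stand-in for a 2048-word dictionary (32 x 64 syllable pairs)."""
    vowels = "aeio"
    first = [c + v for c in "bdfgklmn" for v in vowels]            # 8 * 4 = 32
    second = [c + v for c in "bdfgklmnprstvwyz" for v in vowels]   # 16 * 4 = 64
    return [a + b for a in first for b in second]                  # 2048 unique


def generate_passphrase(wordlist: list[str], words: int = 4, sep: str = " ") -> str:
    """Pick words with the OS CSPRNG via `secrets`, not the `random` module
    (which is a Mersenne Twister and predictable from its output)."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    wl = build_wordlist()
    print(f"4 words from 2048:           {uniform_bits(2048, 4):.1f} bits")
    print(f"4 words from 2000:           {uniform_bits(2000, 4):.1f} bits")
    print(f"8 random chars, 62 symbols:  {uniform_bits(62, 8):.1f} bits")
    print(f"  lost to case folding:      {case_fold_loss(8):.1f} bits")
    print(f"one of 4 capitalizations:    {pattern_bits(4):.1f} bits")
    # A site that forbids spaces, as in the first post, needs another separator.
    print(generate_passphrase(wl, sep="-"))
```

The numbers only hold when every word or character is chosen uniformly at random; a phrase a person makes up has less entropy than the formula gives.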


  • Trolleybus Mechanic

    @El_Heffe said:

    @bgodot said:

    I like U+1F4A9


     

    Oh no! The snowman melted.

     



  • @morbiuswilters said:

    Seriously, if you're using your memory for all of your passwords you are doing it wrong just trading one single-point-of-failure for a different one.

    FTFY

     



  • @veggen said:

    Wow morbius, you manage to suck the life out of anything. Even simple tri-weekly 5 seconds of fun that is xkcd. I'd hate to be you. Or near you.

    Linking xkcd and putting "obligatory" in front of it is a tired meme.  It's a tired meme when even I, an internet recluse, can tell when a discussion is going to get an xkcd link and I know what comic it's going to be.  The comic is great.  The people that link it are sad.

    It's not clever.  It's not funny.  And it's certainly not original.

    Imagine if I ended this post by saying, "You are the weakest link.  Good bye."  See, that's equivalent to linking to xkcd.



  • @havokk said:

    @morbiuswilters said:

    The comic makes a good point about usability being an important concern in security but then he shoots himself in the foot. Passphrases are long. People don't like typing long passwords. They're probably going to write it down in an unencrypted text file so they can copy and paste it. It's also a PITA to type on phones.

    Really? How exactly are you going to copy and paste that long phrase on a phone?

    KeePassDroid


  • @MiffTheFox said:

    @havokk said:

    @morbiuswilters said:

    The comic makes a good point about usability being an important concern in security but then he shoots himself in the foot. Passphrases are long. People don't like typing long passwords. They're probably going to write it down in an unencrypted text file so they can copy and paste it. It's also a PITA to type on phones.

    Really? How exactly are you going to copy and paste that long phrase on a phone?

    KeePassDroid



  • @morbiuswilters said:

    It's actually 2048 words (as I stated above).

    I think that "about 2000" is reasonable given that the entropy stated in the comic is "~44 bits" rather than "44 bits".



  • @pjt33 said:

    @morbiuswilters said:
    It's actually 2048 words (as I stated above).

    I think that "about 2000" is reasonable given that the entropy stated in the comic is "~44 bits" rather than "44 bits".

    Fine. It's still too little.



  • Re : Amex Passwords

    Then there is the method of picking a passphrase because it is easier to remember, but using as password first letter + length of each word because it is shorter to type.

    For "correct horse battery staple" that would be c7h6b7s6.

    Of course it is much weaker than a random password, but still hard to guess. And better than forgetting your password...



  • @Musaran said:

    Then there is the method of picking a passphrase because it is easier to remember, but using as password first letter + length of each word because it is shorter to type.

    For "correct horse battery staple" that would be c7h6b7s6.

    ...for suitably large values of horse.

     

