Yet another Password WTF



  • The provider of my 401(k) has the following restrictions on passwords:

    Password Standards

    • Use 6 to 12 letters and/or numbers
    • Do not use one entire piece of personally identifiable information such as your Social Security number, telephone number, or date of birth. Instead, alter or disguise it (e.g., Jane212Smith)
    • Do not use more than 5 instances of a single number or letter, or easily recognized sequences (e.g., 12345 or 11111)
    • Do not use symbols, punctuation marks, or spaces (e.g., #,@, /, *, -.)

    This inspires me with confidence that I won't have my retirement savings stolen ...



  • Does it actually enforce those standards? I've seen sites which say all of the above, but then let you type in virtually anything.



  • @zelmak said:

    Does it actually enforce those standards? I've seen sites which say all of the above, but then let you type in virtually anything.

    Yes it does.



  • It'd be pretty difficult to enforce something like "easily recognized sequences", I would think. What if you have a sequence of squares or cubed roots or something?



  • I think it is worse than you think.

    Based on the "disguise it" statement and example, I am pretty sure most of the passwords in the system will be Firstname999LastName where 999 is the first three digits of their SSN.

    They just social engineered their own customer base.



  • @lettucemode said:

    It'd be pretty difficult to enforce something like "easily recognized sequences", I would think. What if you have a sequence of squares or cubed roots or something?

    Actually I think this means "Easily recognizable by our committee that defines standards." So this means only directly ascending or descending single-step sequences, and descending might be pushing it. I say go with a fabbinochi sequence and see if it catches it.

    (112358), hmm might just catch it after all



  • @lettucemode said:

    It'd be pretty difficult to enforce something like "easily recognized sequences", I would think. What if you have a sequence of squares or cubed roots or something?

    It gets even better - passwords are case-insensitive!



  • @rad131304 said:

    Use 6 to 12 letters and/or numbers

    Six characters is far too short.

    @rad131304 said:

    Do not use one entire piece of personally identifiable information such as your Social Security number, telephone number, or date of birth. Instead, alter or disguise it (e.g., Jane212Smith)

    The first sentence is very good (especially if they enforce it at the software level). They shoot themselves in the foot with the second sentence, though.

    @rad131304 said:

    Do not use more than 5 instances of a single number or letter, or easily recognized sequences (e.g., 12345 or 11111)

    This is very good.

    @rad131304 said:

    Do not use symbols, punctuation marks, or spaces (e.g., #,@, /, *, -.)

    This doesn't significantly reduce entropy and if they had reasonable length limits alphanum would be plenty secure. However, it is questionable why they don't allow special characters; maybe storing the password plaintext in a database with inappropriate escaping?



  • as it's case insensitive, maybe the 'do not use symbols' is only there to lower the number of troubleshooting/support calls from confused users with caps-lock on.




  • @morbiuswilters said:

    @rad131304 said:
    Use 6 to 12 letters and/or numbers

    Six characters is far too short.

    Agreed.

    @morbiuswilters said:

    @rad131304 said:
    Do not use one entire piece of personally identifiable information such as your Social Security number, telephone number, or date of birth. Instead, alter or disguise it (e.g., Jane212Smith)

    The first sentence is very good (especially if they enforce it at the software level). They shoot themselves in the foot with the second sentence, though.

    Agreed - although I also agree with the comment about them socially engineering themselves here. Given the requirements here, I don't see how they would have the technical skill to implement this kind of detection in a non-WTFy way. Pattern checking here would require one monster of an if/else construct to allow patterns of GivenName/Numbers/Surname while blocking GivenName/Surname, and there are no real requirements here (e.g. would GivenName/SSN pass or fail), which leads me to believe this is probably just a suggestion and not enforced.

    @morbiuswilters said:

    @rad131304 said:
    Do not use more than 5 instances of a single number or letter, or easily recognized sequences (e.g., 12345 or 11111)

    This is very good.

    Agreed. I didn't check if they enforce this though.

    @morbiuswilters said:

    @rad131304 said:
    Do not use symbols, punctuation marks, or spaces (e.g., #,@, /, *, -.)

    This doesn't significantly reduce entropy and if they had reasonable length limits alphanum would be plenty secure. However, it is questionable why they don't allow special characters; maybe storing the password plaintext in a database with inappropriate escaping?

    I was more worried that this indicated possible SQL injection issues* than the entropy decrease. If they are storing in plaintext, they at least won't send it to you via email. You can only create a new password.
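One way to see whether the quoted rules are really the "monster of an if/else" the post above expects, as an added example that is not from the thread or the 401(k) provider: a validator for the quoted standards plus a keyspace calculation for the resulting case-insensitive alphanumeric passwords. It assumes the thread's own reading that an "easily recognized sequence" means five single-step ascending, descending or repeated characters, and treats "one entire piece of personally identifiable information" as plain containment of the digits/letters of a supplied identifier; the sample passwords and PII values are constructed.

```python
import math
import re

# Constants taken from the quoted "Password Standards" (the provider's rules, as posted above).
MIN_LEN, MAX_LEN = 6, 12
MAX_REPEATS = 5   # "Do not use more than 5 instances of a single number or letter"
RUN_LEN = 5       # "12345" / "11111" are the quoted examples, so a run of 5 is the threshold


def _has_run(s: str, step: int, n: int) -> bool:
    """True if s has n consecutive characters whose code points each differ by `step`.
    step=+1 catches 12345/abcde, step=-1 catches 54321, step=0 catches 11111."""
    for i in range(len(s) - n + 1):
        w = s[i:i + n]
        if all(ord(w[k + 1]) - ord(w[k]) == step for k in range(n - 1)):
            return True
    return False


def check_password(pw: str, pii=()) -> list:
    """Return the quoted rules the password violates (empty list = accepted).
    The site is case-insensitive, so everything is lower-cased first. `pii` is an
    optional list of the user's own identifiers (name, SSN, phone, date of birth)."""
    pw = pw.lower()
    violations = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        violations.append("length must be 6 to 12")
    if not re.fullmatch(r"[a-z0-9]*", pw):
        violations.append("no symbols, punctuation marks or spaces")
    if any(pw.count(c) > MAX_REPEATS for c in set(pw)):
        violations.append("more than 5 instances of a single character")
    if any(_has_run(pw, step, RUN_LEN) for step in (1, -1, 0)):
        violations.append("easily recognized sequence")
    for item in pii:
        # "one entire piece" of PII (assumed reading): compare letters/digits only, so 123-45-6789 == 123456789
        norm = re.sub(r"[^a-z0-9]", "", item.lower())
        if norm and norm in pw:
            violations.append("contains an entire piece of personal information")
            break
    return violations


def keyspace_bits(length: int, alphabet_size: int = 36) -> float:
    """Entropy of a uniformly random password; case-insensitive [a-z0-9] gives 36 symbols."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for pw in ("Jane212Smith", "112358", "12345678", "Jane Smith", "aaaaaaa"):
        print(f"{pw!r}: {check_password(pw, pii=['Jane Smith']) or 'accepted'}")
    print(f"6 chars: {keyspace_bits(6):.1f} bits, 12 chars: {keyspace_bits(12):.1f} bits")
```

The disguised-name example from the standards passes even when the user's full name is supplied as PII, which is exactly the weakness discussed above; the Fibonacci-digit password passes the single-step interpretation of the sequence rule.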



  • @MustBeUsersFault said:

    as it's case insensitive, maybe the 'do not use symbols' is only there to lower the number of troubleshooting/support calls from confused users with caps-lock on.

    Maybe I missed something, but why would caps lock matter for symbols?



  • @rad131304 said:

    @MustBeUsersFault said:
    as it's case insensitive, maybe the 'do not use symbols' is only there to lower the number of troubleshooting/support calls from confused users with caps-lock on.
    Maybe I missed something, but why would caps lock matter for symbols?

    MustBeUsersFault is not American. He probably uses a keyboard layout like the French one, where Caps Lock is actually Shift Lock, so it also works on symbols. Of course, this WTF is from the United States, so Caps Lock is probably not the right explanation.

    (Swiss German even has a keyboard layout where ü with shift is é, but ü with caps lock is Ü.)






  • @mott555 said:

    @rad131304 said:

    Filed under: * I will stab you if you make a bobby tables joke

    [snip rosie img]

    *Pulls out rusty soldering iron* you asked for this ...



  • @rad131304 said:

    @mott555 said:

    @rad131304 said:

    Filed under: * I will stab you if you make a bobby tables joke

    [snip rosie img]

    *Pulls out rusty soldering iron* you asked for this ...

    As long as you let it warm up first so it's sterile. I haven't had a tetanus shot since junior high school.



  • @KattMan said:

    I say go with a fabbinochi sequence and see if it catches it.

    Hmm. I assume you mean a Fibonacci sequence? Unless your 'internal Spoonerism' is intentional and intended humourously, of course. :)



  • To be fair, just posting the comic inline isn't really making a joke, just quoting one...



  • @Cad Delworth said:

    I assume you mean a Fibonacci sequence?
    Maybe he meant the Fabinocci sequence?



  • What about the Fibonazi sequence?

    How's that go? Well, duh! It goes 6 million, then zero!

