Yay! Passwords!



  • Just signed up to something online to do with our pensions from work (because I obviously really want to know it's already worth f*ck all....)



    Anyway, got to the part where I need to choose a password, and their requirements are:

    @Random Financial Institution said:

    Please ensure your password:


    is case sensitive

    is between 7 and 12 characters, contains one number and ends with a letter

    uses no spaces

    Ok....

    1. It's their job to ensure it's case sensitive not mine. I'll remember where I put capital letters when I re-enter it, if that's what you mean (incidentally, the password I chose is all lower case, so if they mean I must use mixed case, they failed on multiple levels)

    2. Ends with a letter?!!? Why??? And judging by the max length (remember, this is a financial company, where security is meant to be paramount) obviously someone decided either not to store the hashed password, or didn't want to waste hard disk space on a varchar(100) or something...

    3. Uses no spaces - Again, why the hell not?!
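The quoted rules, written out as a validator beside a length-only policy of the kind the later replies argue for. This is an added example, not the institution's code or anything from the original post; it assumes "character" means printable ASCII other than space and that "contains one number" means at least one digit. The common-password list is a constructed stand-in for a real breached-password corpus.

```python
import re
import unicodedata

# The policy quoted in the post, as one regex. Assumptions not stated on the
# page: "character" means printable ASCII other than space ([!-~]), and
# "contains one number" means at least one digit. 6-11 body characters plus
# the mandatory trailing letter gives the quoted 7-12 total.
QUOTED_POLICY = re.compile(r"(?=.*\d)[!-~]{6,11}[A-Za-z]")


def quoted_policy_ok(password: str) -> bool:
    return QUOTED_POLICY.fullmatch(password) is not None


# Constructed stand-in for a breached/common-password list; a real deployment
# checks against a far larger corpus.
COMMON_PASSWORDS = {"password", "hunter2", "letmein", "qwerty", "123456"}


def sane_policy_ok(password: str, min_len: int = 12, max_len: int = 128) -> tuple[bool, str]:
    """Length-only policy: any character (spaces included), a generous cap so
    the only real limit is what the hash function is fed, and a block list
    instead of composition rules. Returns (accepted, reason)."""
    normalized = unicodedata.normalize("NFKC", password)
    length = len(normalized)  # code points, so non-ASCII passwords are counted fairly
    if length < min_len:
        return False, f"shorter than {min_len} characters"
    if length > max_len:
        return False, f"longer than {max_len} characters"
    if normalized.casefold() in COMMON_PASSWORDS:
        return False, "on the common-password list"
    return True, "ok"


def compare(password: str) -> dict:
    """Where the two policies disagree for one candidate password."""
    accepted, reason = sane_policy_ok(password)
    return {"quoted": quoted_policy_ok(password), "sane": accepted, "reason": reason}


if __name__ == "__main__":
    for pw in ["hunter2", "hunter2x", "correct horse battery staple", "Tr0ub4dor&3x"]:
        print(repr(pw), compare(pw))
```

The quoted regex rejects a long passphrase with spaces outright while accepting an eight-character string that ends in a letter; the length-only policy does the reverse. The `max_len` of 128 exists so a password hash with an input limit is never silently truncated, not to save storage.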


  • Maybe they're hardcoding each password as a variable name (reversed of course) and they don't want syntax errors? Maybe their system only has 1KB of RAM and they don't want to overtax it?



  • @Random Financial Institution said:

    Please ensure your password:

    is case sensitive

     

    @MeesterTurner said:

    1) It's their job to ensure it's case sensitive not mine.

    I'm guessing this is more "bad terminology" and it should have read "is of mixed case". But I know what you mean.

    And yeah, other two are WTFs. The better online password-setting systems I've seen show an indicator of password strength. Don't think it detects dictionary words, but will show that mixing case and adding non-alphanumeric characters improves strength (and short alphabetic words are weak).



  • sql.execute("ALTER USER " + getParam("user") + " IDENTIFIED BY " + getParam("password").reverse());



  • @MeesterTurner said:

    2) Ends with a letter?!!? Why???
     

     If I remember correctly, studies show that when most people are faced with a number requirement in a password, they just tack it on the end of whatever their usual password was.  This rule supposedly will make it harder for the passwords to get cracked.



  • @Suburban_Decay said:

    @MeesterTurner said:

    2) Ends with a letter?!!? Why???
     

     If I remember correctly, studies show that when most people are faced with a number requirement in a password, they just tack it on the end of whatever their usual password was.  This rule supposedly will make it harder for the passwords to get cracked.

    Not by much. It's just now instead of knowing the last character is probably a number, you know it's definitely a letter.



  • @lethalronin27 said:

    @Suburban_Decay said:

    @MeesterTurner said:

    2) Ends with a letter?!!? Why???
     

     If I remember correctly, studies show that when most people are faced with a number requirement in a password, they just tack it on the end of whatever their usual password was.  This rule supposedly will make it harder for the passwords to get cracked.

    Not by much. It's just now instead of knowing the last character is probably a number, you know it's definitely a letter.
    I agree.  Anything which reduces the password space isn't just stupid, it borders on reckless.

    I used to be with a bank which limited passwords to something like 12 or 15 characters, no white space and no special characters...  So basically you have just a plain old (and short) alphanumeric password.  I understand it probably lessens the number of password reset requests they get, but christ almighty why in the hell would you want to PREVENT someone from using a strong password?



  • @Suburban_Decay said:

    This rule supposedly will make it take longer for the passwords to get cracked.
     

    FTFY. I found L0phtCrack discovered 50% of passwords on NT systems in under 5 mins running on an old P-450.

    (then again, our customers weren't particularly clued-up, and this predated widespread internet connectivity)

    @C-Octothorpe said:

    but christ almighty why in the hell would you want to PREVENT someone from using a strong password?

    The honest answer is quite simply "because it's [ easier | quicker | cheaper ] to code that way".

    TRWTF, as you pointed out, is a financial institution putting design/developer effort before customer security.

     

     



  • @Cassidy said:

    @Suburban_Decay said:

    This rule supposedly will make it take longer for the passwords to get cracked.
     

    FTFY. I found L0phtCrack discovered 50% of passwords on NT systems in under 5 mins running on an old P-450.

    (then again, our customers weren't particularly clued-up, and this predated widespread internet connectivity)

    @C-Octothorpe said:

    but christ almighty why in the hell would you want to PREVENT someone from using a strong password?

    The honest answer is quite simply "because it's [ easier | quicker | cheaper ] to code that way".

    TRWTF, as you pointed out, is a financial institution putting design/developer effort before customer security.

    This is where I'll have to disagree with you on motive.  Creating validation logic to filter out certain values adds more work onto the developer.  That's one more regular expression that has to be written, and one more error message that needs to be translated into several languages, etc.  I think the driver is that they save money by having one or two fewer people staffed at the call center because they won't have to field calls from the 87 y/o Gertrudes who seems to have forgotten her password for the third time this week.



  • @C-Octothorpe said:

    I think the driver is that they save money by having one or two fewer people staffed at the call center because they won't have to field calls from the 87 y/o Gertrudes who seems to have forgotten her password for the third time this week.
     

    The route may differ but the destination is still the same: cost-savings have priority over customer security.

    At times like this, I'm reminded of someone whom - when asked if the passwords could be made simpler for ease of use - asked if he should also slacken wheel nuts on every vehicle so they would be easier to remove in future.



  • @C-Octothorpe said:

    a bank which limited passwords to something like 12 or 15 characters, no white space and no special characters...  So basically you have just a plain old (and short) alphanumeric password.  I understand it probably lessens the number of password reset requests they get, but christ almighty why in the hell would you want to PREVENT someone from using a strong password?
    Well, first off, you just answered your own question.

    Secondly, while it is true that extremely simple passwords are stupid, complex passwords are highly over-rated as a security mechanism.  When a system is broken into, blaming the users for having weak passwords is nothing but a gigantic lame excuse for having shitty security.  For example, several years ago someone broke into my Ebay account and was running a bunch of bogus auctions under my user name (big screen TVs at ridiculously low prices and free shipping -- from China). The problem wasn't the complexity (or lack of complexity) of my password.  The problem was Ebay allowed an unlimited number of failed login attempts.  Someone could just run a brute force script that keeps trying until it finally gets in.  I don't know if they ever fixed it because I haven't been back since.



  • @Ben L. said:

    Filed under: Breast Programming
     

    Ben, fix your sig. The link gives me a 404 Not found. Thank you.

     



  • Passwords are an ego thing. Ego of the site, that is. "Our site is really important and so you should make up a 20 byte string of random characters and never write it down; memorize it just to show how much important you are to us". Or, even worse, "Do not include any special characters because we hire cheap programmers."

    Password security is MY choice, not yours. If I use my name for a password, I know that it is insecure, but I also think that you are not very important and if a hacker gets in, I don't care. I have a high-security password for my bank, and a low-security password for TheDailyWTF and similar sites.



  • @El_Heffe said:

    The problem wasn't the complexity (or lack of complexity) of my password.  The problem was Ebay allowed an unlimited number of failed login attempts.  Someone could just run a brute force script that keeps trying until it finally gets in.
     

    Indeed.



  • @El_Heffe said:

    When a system is broken into, blaming the users for having weak passwords is nothing but a gigantic lame excuse for having shitty security.
     

    @AndyCanfield said:

    If I use my name for a password, I know that it is insecure, but I also think that you are not very important and if a hacker gets in, I don't care.
     

    All security is as strong as the weakest link.

    Encourage that link to be stronger to protect the site, and you're just stroking your ego. Allow the user enough rope to hang themselves, and it's still the site's fault.

    @El_Heffe said:

    The problem was Ebay allowed an unlimited number of failed login attempts. 
     

    No, that's part of the problem. The other part is users having passwords that are broken early on during a brute-force. Whilst I agree that a lockout policy should be in place, users having weak passwords are not entirely blameless.
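Both halves of the point above (unlimited attempts, and passwords that fall within the first few guesses) can be seen in a small simulation. This is an added example, not eBay's or anyone's production code: a throttle that applies exponential backoff per account and an hourly failure budget per source address, driven by a clock passed in explicitly so the brute-force run is deterministic. The account name, the source address, the guess list and the two secrets are all constructed for the demonstration.

```python
# Added example: per-account exponential backoff plus a per-source attempt
# budget, with the clock passed in so the brute-force simulation is deterministic.
# The user, source IP, guess list and secrets below are constructed, not real data.

class LoginThrottle:
    def __init__(self, free_attempts=5, base_delay=1.0, max_delay=3600.0,
                 ip_budget=50, ip_window=3600.0):
        self.free_attempts = free_attempts   # failures before backoff starts
        self.base_delay = base_delay         # first backoff; doubles on each later failure
        self.max_delay = max_delay           # backoff ceiling in seconds
        self.ip_budget = ip_budget           # failures one source may cause per window
        self.ip_window = ip_window
        self._accounts = {}                  # user -> {"failures": n, "locked_until": t}
        self._sources = {}                   # ip   -> [failure timestamps]

    def check(self, user, ip, now):
        """Call before verifying the password. Returns (allowed, reason)."""
        acct = self._accounts.get(user)
        if acct is not None and now < acct["locked_until"]:
            return False, "account in backoff"
        recent = [t for t in self._sources.get(ip, []) if now - t < self.ip_window]
        self._sources[ip] = recent
        if len(recent) >= self.ip_budget:
            return False, "source budget exhausted"
        return True, "ok"

    def record_failure(self, user, ip, now):
        acct = self._accounts.setdefault(user, {"failures": 0, "locked_until": 0.0})
        acct["failures"] += 1
        over = acct["failures"] - self.free_attempts
        if over > 0:
            acct["locked_until"] = now + min(self.base_delay * 2 ** (over - 1), self.max_delay)
        self._sources.setdefault(ip, []).append(now)

    def record_success(self, user):
        self._accounts.pop(user, None)


def attempt_login(throttle, verify, user, password, ip, now):
    """Throttle check first, so a throttled request never reaches the verifier."""
    allowed, reason = throttle.check(user, ip, now)
    if not allowed:
        return False, reason
    if verify(user, password):
        throttle.record_success(user)
        return True, "authenticated"
    throttle.record_failure(user, ip, now)
    return False, "bad password"


def simulate_bruteforce(throttle, verify, user, ip, guesses, rate=10, budget_seconds=3600):
    """Single-source attacker sending `rate` requests per second for `budget_seconds`,
    moving to the next guess only once the server has actually evaluated the last one.
    Returns (cracked, guesses_evaluated, requests_blocked)."""
    evaluated = blocked = 0
    index = 0
    for tick in range(rate * budget_seconds):
        if index >= len(guesses):
            break
        now = tick / rate
        ok, reason = attempt_login(throttle, verify, user, guesses[index], ip, now)
        if ok:
            return True, evaluated + 1, blocked
        if reason == "bad password":
            evaluated += 1
            index += 1
        else:
            blocked += 1
    return False, evaluated, blocked


# Constructed scenario: one account, one attacking address, a 1000-entry guess list.
GUESSES = [f"hunter{i}" for i in range(1000)]


def make_verifier(secret):
    return lambda user, password: password == secret


def scenario(secret, throttled=True):
    throttle = LoginThrottle() if throttled else LoginThrottle(free_attempts=10**9, ip_budget=10**9)
    return simulate_bruteforce(throttle, make_verifier(secret), "gertrude", "203.0.113.7", GUESSES)


if __name__ == "__main__":
    print("hunter2,   unthrottled:", scenario("hunter2", throttled=False))
    print("hunter2,   throttled:  ", scenario("hunter2"))
    print("hunter800, unthrottled:", scenario("hunter800", throttled=False))
    print("hunter800, throttled:  ", scenario("hunter800"))
```

With backoff in place the attacker gets 17 guesses evaluated in an hour instead of 36,000, which is why the 800th entry on the list is never reached. A secret that sits third on the list is found in three requests either way, which is the other half of the argument: throttling bounds the attacker's rate, but it cannot rescue a password that is among the first guesses tried.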



  • @Ben L. said:

    Maybe they're hardcoding each password as a variable name (reversed of course) and they don't want syntax errors?

    LOL! That's classic. Suddenly, I'm wondering if anyone out there does that. You can actually do that dynamically in PHP! A whole class of WTFs in itself, to be sure.



  • @C-Octothorpe said:

    I agree.  Anything which reduces the password space isn't just stupid, it borders on reckless.
    Hmmm... how to say... no.  ANY password requirement reduces the password space, including one that says the length must be 6+ characters.  Having a large password space is all well and good, but is absolutely useless when your users all pick "god", "sex", "penis" for their passwords.  It's all about increasing ENTROPY, not password space.  Average users don't use randomly generated strings as their passwords, which you're suddenly keeping them from using.  They use the simplest thing they can, which is generally a short word with few deviations.



  • @Sutherlands said:

    ANY password requirement reduces the password space, including one that says the length must be 6+ characters.
     

    I think Thorpe was referring to setting an upper limit to passwords [that is much lower than your system can support]. A rule like that is dreadfully uninformed and reckless.

    Not so with a minimum required length.

    Since entropy increases exponentially with password length, shorter passwords form only a small portion of all possible passwords of reasonable length,  so mandating 6+ characters does not significantly reduce password space, but instead forces the total set of used passwords to live in a high-entropy section of that space, thus increasing practical entropy.



  • @toon said:

    @Ben L. said:
    Maybe they're hardcoding each password as a variable name (reversed of course) and they don't want syntax errors?

    LOL! That's classic. Suddenly, I'm wondering if anyone out there does that. You can actually do that dynamically in PHP! A whole class of WTFs in itself, to be sure.

    I saw someone do that in a Perl golfing contest (with list elements, not passwords), and was very impressed. (For people who don't know, programming golf is where you try to write the program as short as possible and ignore any sort of sense or good practice; also the program doesn't have to be reliable, you only have to get it to work once. Golfing production code is a really stupid thing to do; golfing competitions can be quite fun, though. Out of mainstream languages, it's normally pretty close between Perl and Ruby to see which language wins.) For added benefit, the code generated a lot of junk variables which were repeated contents of the input, too, and then never read them, because it was shorter than writing an if statement.

    (Aside: my role on the TDWTF forums is mostly in making true statements that people don't want to believe.)

     



  • @Sutherlands said:

    @C-Octothorpe said:
    I agree.  Anything which reduces the password space isn't just stupid, it borders on reckless.
    Hmmm... how to say... no.  ANY password requirement reduces the password space, including one that says the length must be 6+ characters. 
     

    I think you're looking at the wrong problem.

    The issue of reducing password space isn't an issue, it's the effect it has upon the security of the password: will it make them stronger or weaker?

    Reducing a minimum password length requirement because it reduces the password space and yet allows brute-force attacking to guess shorter passwords more quickly is terrible for security.



  • @Cassidy said:

    The issue of reducing password space isn't an issue
    Next you're going to tell me the Republican party isn't a party. Yeah, right.



  • @Ben L. said:

    @Cassidy said:
    The issue of reducing password space isn't an issue
    Next you're going to tell me the Republican party isn't a party. Yeah, right.
    It's totally not a real party. The music sucks, the chicks are ugly, and there's no booze (probably because the other guys already drank it all).



  • @Anonymouse said:

    It's totally not a real party.
     

    It's not a party because they hate people.



  • @Cassidy said:

    @Sutherlands said:

    @C-Octothorpe said:
    I agree.  Anything which reduces the password space isn't just stupid, it borders on reckless.
    Hmmm... how to say... no.  ANY password requirement reduces the password space, including one that says the length must be 6+ characters. 
     

    I think you're looking at the wrong problem.

    The issue of reducing password space isn't an issue, it's the effect it has upon the security of the password: will it make them stronger or weaker?

    Reducing a minimum password length requirement because it reduces the password space and yet allows brute-force attacking to guess shorter passwords more quickly is terrible for security.

    @dhromed said:

    @Sutherlands said:

    ANY password requirement reduces the password space, including one that says the length must be 6+ characters.

    I think Thorpe was referring to setting an upper limit to passwords [that is much lower than your system can support]. A rule like that is dreadfully uninformed and reckless.

    Not so with a minimum required length.

    Since entropy increases exponentially with password length, shorter passwords form only a small portion of all possible passwords of reasonable length, so mandating 6+ characters does not significantly reduce password space, but instead forces the total set of used passwords to live in a high-entropy section of that space, thus increasing practical entropy.

    Ok, I KNOW Cassidy didn't read past the first sentence of my comment, and it doesn't look like dhromed did either.  Let me rephrase my post into one sentence so that you can read the whole thing.

    Password entropy is what matters, not password space; all rules decrease password space.  (See, I cheated and used a semicolon.  It's still one sentence!  Why am I typing this, I know you won't read it.)



  • @Sutherlands said:

    @Cassidy said:

    @Sutherlands said:

    ANY password requirement reduces the password space, including one that says the length must be 6+ characters.

    Yes, but short passwords are insecure.

    @dhromed said:

    @Sutherlands said:

    ANY password requirement reduces the password space, including one that says the length must be 6+ characters.

    Yes, but short passwords are insecure.

    You guys don't get it! Short passwords are insecure!

    I'll go get some popcorn.



  • @Ben L. said:

    @Sutherlands said:
    @Cassidy said:

    @Sutherlands said:

    ANY password requirement reduces the password space, including one that says the length must be 6+ characters.

    Yes, but short passwords are insecure.

    @dhromed said:

    @Sutherlands said:

    ANY password requirement reduces the password space, including one that says the length must be 6+ characters.

    Yes, but short passwords are insecure.

    You guys don't get it! Short passwords are insecure!

    I'll go get some popcorn.

    That's not really accurate.  But the original post that I replied to said that making the last character be a letter decreases password space... but it may very well increase entropy, since it's true that many users just put a rotating number on the end.  If so, it's not a bad rule.


  • ♿ (Parody)

    @Sutherlands said:

    But the original post that I replied to said that making the last character be a letter decreases password space... but it may very well increase entropy, since it's true that many users just put a rotating number on the end.  If so, it's not a bad rule.

    Premature password space optimization!



  • @boomzilla said:

    @Sutherlands said:
    But the original post that I replied to said that making the last character be a letter decreases password space... but it may very well increase entropy, since it's true that many users just put a rotating number on the end.  If so, it's not a bad rule.

    Premature password space optimization!

    Old: hunter2

    New: 2hunter



  • @Ben L. said:

    @boomzilla said:
    @Sutherlands said:
    But the original post that I replied to said that making the last character be a letter decreases password space... but it may very well increase entropy, since it's true that many users just put a rotating number on the end.  If so, it's not a bad rule.

    Premature password space optimization!

    Old: *******

    New: 2hunter

    Can you work around it?  Yes.  Will everybody? Probably not.  Does it increase entropy?  That would be for a study.  I'm not going to say it doesn't increase entropy just because you don't like the rule.
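The space-versus-entropy argument running from dhromed's post on minimum length through the exchange above can be put in numbers. This is an added example, not from any poster; it assumes "character" means printable ASCII (95 symbols, 94 once spaces are banned), that "contains one number" means at least one digit, and, for the user-behaviour model, a vocabulary of 10,000 words, a figure chosen for illustration rather than taken from any study.

```python
import math

# Assumptions not on the page: "character" means printable ASCII (95 symbols,
# 94 once spaces are banned); "contains one number" means at least one digit.
PRINTABLE = 95
NO_SPACE = 94
LETTERS = 52
DIGITS = 10


def unrestricted_count(n: int) -> int:
    """Strings of length n with no rule at all."""
    return PRINTABLE ** n


def quoted_policy_count(n: int) -> int:
    """Strings of length n with no space, at least one digit, last char a letter:
    52 choices for the last position, times the (n-1)-prefixes that contain a digit."""
    if n < 2:
        return 0
    prefix_any = NO_SPACE ** (n - 1)
    prefix_no_digit = (NO_SPACE - DIGITS) ** (n - 1)
    return LETTERS * (prefix_any - prefix_no_digit)


def space(count_fn, min_len: int, max_len: int) -> int:
    return sum(count_fn(n) for n in range(min_len, max_len + 1))


def bits(count: int) -> float:
    return math.log2(count)


def pattern_bits(slot_choices) -> float:
    """Entropy of a password built by picking one option per slot, e.g. [word, digit].
    This is what users actually spend, whatever the nominal space allows."""
    return math.log2(math.prod(slot_choices))


def report() -> dict:
    unrestricted_7_12 = space(unrestricted_count, 7, 12)
    policy_7_12 = space(quoted_policy_count, 7, 12)
    unrestricted_12_64 = space(unrestricted_count, 12, 64)
    return {
        # what the digit / trailing-letter / no-space rules cost at the same lengths
        "composition_cost_bits": bits(unrestricted_7_12) - bits(policy_7_12),
        # what capping at 12 instead of allowing up to 64 costs
        "length_cap_cost_bits": bits(unrestricted_12_64) - bits(unrestricted_7_12),
        # an assumed 10,000-word vocabulary plus one digit, in either order
        "word_then_digit_bits": pattern_bits([10_000, DIGITS]),
        "digit_then_word_bits": pattern_bits([DIGITS, 10_000]),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key:>24}: {value:.2f}")
```

The three composition rules together cost about a bit and a half of nominal space, most of it from requiring a letter in the final position (log2(94/52), roughly 0.85 bits) and the rest from the mandatory digit; the 12-character cap costs hundreds of bits. Against the word-plus-digit habit the rule changes nothing: `hunter2` and `2hunter` come from the same number of choices, so their entropy is identical, which is the sense in which the space is the wrong thing to measure.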



  • @Sutherlands said:

    Ok, I KNOW Cassidy didn't read past the first sentence of my comment, and it doesn't look like dhromed did either.
     

    I totally read the whole thing and understood your post.

    But I posted mine anyway because that's just how I am.

    More like an addendum, not a counterpoint.



  • @dhromed said:

    @Sutherlands said:

    Ok, I KNOW Cassidy didn't read past the first sentence of my comment, and it doesn't look like dhromed did either.
     

    I totally read the whole thing and understood your post.

    But I posted mine anyway because that's just how I am.

    More like an addendum, not a counterpoint.

    Yes, a counterpoint always begins with "Jane, you ignorant slut."

     



  • Sutherlands, you ignorant slut.

     

    Yea, I like it.


  • ♿ (Parody)

    @dhromed said:

    Sutherlands, you ignorant slut.

    Yea, I like it.

    Totally. I'm just here for the sluts, anyways.



  • @Sutherlands said:

    Ok, I KNOW Cassidy didn't read past the first sentence of my comment, and it doesn't look like dhromed did either.  Let me rephrase my post into one sentence so that you can read the whole thing.

    Password entropy is what matters, not password space; all rules decrease password space

    I think I was agreeing with you. Yet re-reading my post, I seem to be barking up the completely wrong tree there. 

    Must. Not. Post. When. Drinking.

     @Sutherlands said:

    (See, I cheated and used a semicolon.  It's still one sentence!  Why am I typing this, I know you won't read it.)

     Read what?

     



  • I signed up for League of Legends today. Their password requirements include "no spaces" and "no slashes". Are they storing passwords as filenames?



  • @Ben L. said:

    I signed up for League of Legends today. Their password requirements include "no spaces" and "no slashes". Are they storing passwords as filenames?
    So much fun.

