Reserved keywords for usernames and passwords



  • I've just been informed that it's "industry standard" to prevent users from using common and easily guessed passwords, and our implementation of this "standard" is to make a list of strings that cannot appear within any user's username, password, or password hint. Here are some examples of items on that list, progressing from reasonable to WTF:

    admin
    administrator
    @dm1n
    P@5sword
    hello
    hello123
    test
    12345
    abc123
    changeme
    password
    smps
    bob
    twi
    hre
    mri
    ulo
    tnu

    I feel sorry for any user named bob or someone who wants to use something like nightwing as a password, especially considering how non-specific the error message is sure to be.



  •  twi? smps? How is that common in bad passwords?

    However, the real WTF is of course "@dm1n". The insinuation that some people with admin rights really used it makes Little Baby McAfee(TM) cry.



  • According to the Microsoft Password Checker (https://www.microsoft.com/en-gb/security/pc-security/password-checker.aspx), "smpsbobtwihremriulotnu" actually rates "Strong" ...

    (Not, I hasten to add, that I vouch for the said checker - indeed, I'd not heard of it until I googled a couple of minutes ago).

    And why FFS try to control the content of hints? If I want to use my Uncle Bob's street address as my password, I have to call him "Uncle Robert" in my hint?



  • No mention of "swordfish"? I am disappointed.



  • Seems to me like you have two options:

    a) fight the good fight, which in this case means "pointing out the lunacy of this rule by enforcing it thoroughly", probably even adding some common strings to the 'illegal' list.  

    b) put "changeme", "password", and their 'leet' variants in the list, leaving all others out, and call it a day.  

     

    if the moron who requested this idea will stand up and champion it in front of a room full of people, use option (a) and watch the sparks fly.  

    on the other hand, if the asshat who requested the 'illegal' list will forget soon enough, just do option (b) plus some simple validation on length and forget about it.  



  • @_leonardo_ said:

    if the moron who requested this idea will stand up and champion it in front of a room full of people, use option (a) and watch the sparks fly.  

    on the other hand, if the asshat who requested the 'illegal' list will forget soon enough, just do option (b) plus some simple validation on length and forget about it.

     

    Or, if you don't know, do option (b) to test him. If he insists the filter must be strong, do option (a) and make sure everybody knows why.

     



  • @Sparr said:

    our implementation of this "standard" is to make a list of strings that cannot appear within any user's username, password, or password hint
    The crux of the WTF.

    Why is "aud$#f09a8dsf&8sdf+gab8<7a)ds8*ygadministrator" any less safe than "aud$#f09a8dsf&8sdf+gab8<7a)ds8*yg"?
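Sparr's rule above ("strings that cannot appear within any user's username, password, or password hint") and Zecc's question about the long random password with "administrator" tacked on, as an added example that is not code from the thread: a substring filter built from the posted list, beside a denylist check that only rejects a password that *is* a known weak password once case and common leet substitutions are folded. The leet map, the eight-character floor and the sample inputs are assumptions.

```python
"""Added example (not code from the thread): the "banned string may not appear
anywhere" rule described in the original post, side by side with a denylist
check that rejects only a password that *is* a known weak password after
normalization.  The leet map, the length floor and the inputs are assumptions."""
from __future__ import annotations

# The list from the original post, three-letter junk entries included.
BANNED_SUBSTRINGS = [
    "admin", "administrator", "@dm1n", "P@5sword", "hello", "hello123",
    "test", "12345", "abc123", "changeme", "password",
    "smps", "bob", "twi", "hre", "mri", "ulo", "tnu",
]

# A sane denylist needs only canonical spellings; normalize() folds case and
# leet substitutions, so "P@5sword" and "@dm1n" still match without being listed.
WEAK_PASSWORDS = [
    "admin", "administrator", "hello", "hello123", "test",
    "12345", "abc123", "changeme", "password",
]

# Assumed leet-to-letter map; a real deployment would derive it from breach data.
_LEET = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})


def substring_filter(value: str, banned: list[str] = BANNED_SUBSTRINGS) -> list[str]:
    """The thread's rule: every banned string found anywhere in the value,
    case-insensitively.  Applied to usernames, passwords and hints alike."""
    low = value.lower()
    return [b for b in banned if b.lower() in low]


def normalize(value: str) -> str:
    """Lower-case the value and undo common leet substitutions."""
    return value.lower().translate(_LEET)


_NORMALIZED_WEAK = {normalize(p) for p in WEAK_PASSWORDS}


def weak_password_reason(password: str, min_len: int = 8) -> str | None:
    """Reject only a password that is too short or that, after normalization,
    equals a known weak password.  Returns the reason, or None if acceptable."""
    if len(password) < min_len:
        return f"shorter than {min_len} characters"
    if normalize(password) in _NORMALIZED_WEAK:
        return "is a commonly used password"
    return None


if __name__ == "__main__":
    # Constructed inputs: the thread's own examples plus a leet variant.
    samples = [
        "nightwing", "bob", "P@5sword", "Administrator", "hello",
        "aud$#f09a8dsf&8sdf+gab8<7a)ds8*ygadministrator",
    ]
    for candidate in samples:
        print(f"{candidate!r:50} substring filter: {substring_filter(candidate)!s:26} "
              f"denylist: {weak_password_reason(candidate)}")
```

Run it and the two columns show the difference: "nightwing" trips the substring filter on "twi" and passes the denylist, the long random string with "administrator" appended is rejected by the substring filter and accepted by the denylist, while "P@5sword" and "Administrator" are rejected by both. The denylist check is a password check only; it has no business being run against a username or a hint, which is where "bob" gets caught by the substring rule.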



  • @Zecc said:

    @Sparr said:

    our implementation of this "standard" is to make a list of strings that cannot appear within any user's username, password, or password hint
    The crux of the WTF.

    Why is "aud$#f09a8dsf&8sdf+gab8<7a)ds8*ygadministrator" any less safe than "aud$#f09a8dsf&8sdf+gab8<7a)ds8*yg"?

     

     

    Why would you think they have max password size larger than 20 and min password size larger than 8?

     



  • @Sparr said:

    our implementation of this "standard" is to make a list of strings that cannot appear within any user's username, password, or password hint
    I hadn't even noticed those (even though Sparr had said "I feel sorry for any user named bob"). Dafuq?

     



  • @Sparr said:

    Filed under: standard just means something that's been documented and published

    Not even documented if it's a reference implementation! For example, I'm pretty sure the HTML 5 spec is now the source to WebKit.



  • This reminds me of a set of apps that a company has for android and iOS.  They have language filters in the games that work on a similar principle and thus prevent you from posting messages that contain bad strings (don't have to be whole word matches).  The initial list was good, but they at some point decided it was not good enough and decided to uberfy it.  They added a whole bunch of three letter combinations that are totally meaningless to the list and so a whole bunch of legit messages would get flagged.  My personal favorite was 'pal' considering that several of the games contained a decoration called a 'palm tree', and one game contained a monster called a palmwing.  I had fun sending them a message explaining that they are either doing something completely stupid or exposing little kids to horrible words in their family friendly games.



  • @Sparr said:

    I've just been informed that it's "industry standard" to prevent users from using common and easily guessed passwords, and our implementation of this "standard" is to make a list of strings that cannot appear within any user's username, password, or password hint. Here are some examples of items on that list, progressing from reasonable to WTF:

    admin
    administrator
    @dm1n
    P@5sword
    hello
    hello123
    test
    12345
    abc123
    changeme
    password
    smps
    bob
    twi
    hre
    mri
    ulo
    tnu

    I feel sorry for any user named bob or someone who wants to use something like nightwing as a password, especially considering how non-specific the error message is sure to be.

    So, what is your administrator's user name?



  • @Sparr said:

    I've just been informed that it's "industry standard" to prevent users from using common and easily guessed passwords, and our implementation of this "standard" is to make a list of strings that cannot appear within any user's username, password, or password hint. Here are some examples of items on that list, progressing from reasonable to WTF:

    admin
    administrator
    @dm1n
    P@5sword
    hello
    hello123
    test
    12345
    abc123
    changeme
    password
    smps
    bob
    twi
    hre
    mri
    ulo
    tnu

    I feel sorry for any user named bob or someone who wants to use something like nightwing as a password, especially considering how non-specific the error message is sure to be.

    The list is missing God, Sex, Love, and Secret


  • Considered Harmful

    @russ0519 said:

    The list is missing God, Sex, Love, and Secret

    But then the CTO would have to change his password.



  • Happy to see I can still use 'hunter2'!

     


  • Trolleybus Mechanic

    @pkmnfrk said:

    @Sparr said:
    I've just been informed that it's "industry standard" to prevent users from using common and easily guessed passwords, and our implementation of this "standard" is to make a list of strings that cannot appear within any user's username, password, or password hint. Here are some examples of items on that list, progressing from reasonable to WTF:

    admin
    administrator
    @dm1n
    P@5sword
    hello
    hello123
    test
    12345
    abc123
    changeme
    password
    smps
    bob
    twi
    hre
    mri
    ulo
    tnu

    I feel sorry for any user named bob or someone who wants to use something like nightwing as a password, especially considering how non-specific the error message is sure to be.

    So, what is your administrator's user name?

     

    So, what is your administrator's password?



  • @Lorne Kates said:

    @pkmnfrk said:

    @Sparr said:
    I've just been informed that it's "industry standard" to prevent users from using common and easily guessed passwords, and our implementation of this "standard" is to make a list of strings that cannot appear within any user's username, password, or password hint. Here are some examples of items on that list, progressing from reasonable to WTF:

    admin
    administrator
    @dm1n
    P@5sword
    hello
    hello123
    test
    12345
    abc123
    changeme
    password
    smps
    bob
    twi
    hre
    mri
    ulo
    tnu

    I feel sorry for any user named bob or someone who wants to use something like nightwing as a password, especially considering how non-specific the error message is sure to be.

    So, what is your administrator's user name?

     

    So, what is your administrator's password?

    So, what is your administrator's social security number?



  • @Fjp said:

    According to the Microsoft Password Checker (https://www.microsoft.com/en-gb/security/pc-security/password-checker.aspx), "smpsbobtwihremriulotnu" actually rates "Strong" ...

    zxcvbn estimates it at 82 bits, which is pretty decent.


  • BINNED

    @Sparr said:

    I've just been informed that it's "industry standard" to prevent users from using common and easily guessed passwords
    I didn't have to read any further to know that whatever followed would be a royal WTF. That sort of thinking ("Everyone else is doing it, so if it doesn't work I won't be blamed.") is responsible for my bank's sorry excuse for two-factor authentication and countless other WTFs.



  • Most of my passwords are invectives : d1p$hit, $hit4brains, etc



  •  Clbuttic.

     They forgot to include "myvoiceismypassword".



  • @operagost said:

     Clbuttic.

     They forgot to include "myvoiceismypassword".

    Yeah, how come Wesley Crusher never recorded Captain Picard when he activated the self-destruct on the enterprise, then set it to play back at random times? Oh, right, because he's not a suicidal lunatic...



  • @ekolis said:

    Yeah, how come Wesley Crusher never recorded Captain Picard when he activated the self-destruct on the enterprise, then set it to play back at random times? Oh, right, because he's not a suicidal lunatic...

    Because self destruct required two senior officers to engage, so Wesley would need a second one of those sentence mixing devices from the episode where Data fucked Tasha Yar.



  • @_leonardo_ said:

    a) fight the good fight, which in this case means "pointing out the lunacy of this rule by enforcing it thoroughly", probably even adding some common strings to the 'illegal' list.  

    b) put "changeme", "password", and their 'leet' variants in the list, leaving all others out, and call it a day.  

     

    For either option, pin up a leaderboard containing bets on how long this lunacy will last until someone at higher level becomes a cropper and demands this policy be dropped.

     


  • Trolleybus Mechanic

    @ekolis said:

    @operagost said:

     Clbuttic.

     They forgot to include "myvoiceismypassword".

    Yeah, how come Wesley Crusher never recorded Captain Picard when he activated the self-destruct on the enterprise, then set it to play back at random times? Oh, right, because he's not a suicidal lunatic...

     

    I always hoped those voice-auths were one time use only. But then again, you never see a computer crashing, or anyone calling tech support. Which means either everyone is a computer genius, or the computers were made to be so unbelievably easy and simple-- targeting the lowest common denominator.

    Which means usability over security.

    Which means never making someone remember more than one password.

    =(  Boom.

     

