From the "left hand doesn't know what the right hand is doing" department...



  • I'm upgrading to a new release of some software. I have an existing account on their site with a username and a strong password that has some punctuation in it.

    As I'm "registering" the new upgraded software, it asks for my username and password. I enter the proper username and password, and it rejects the password with "your password cannot have punctuation in it". Oh, ok, so I remove the punctuation, and try again. "Your password doesn't match the password we have on record". No s**t, Sherlock.

    Good thing there's a "register later" button so I can finish the installation.



  • Companies that don't allow punctuation in passwords are the best. You just know it will be stored in plaintext somewhere for data analysis.



  • Reminds me of when I used to work at a very large company and the first time I changed my password through their support portal, everything went to shit. Based on later troubleshooting, I learned it was because my password had a space in it (because I use phrases). My best assumption was that there was a command-line utility that was being used to sync the password with other systems that didn't quote the arguments.



  • @realmerlyn said:

    Oh, ok, so I remove the punctuation, and try again. "Your password doesn't match the password we have on record". No s**t, Sherlock.

    You'd think they'd at least have the decency to tell you what they had on record...


  • ♿ (Parody)

    I was trying to log into some site recently, and they told me I had the wrong password. Well...it was what was stored in my PW manager, so that was weird. So I went to reset, and tried using the saved password I had. It was some arbitrary 20 mixed character kind of thing, and I figured they had bad validation when I set it or something, and I'd find the error this way. They told me I couldn't use my existing password as my new password. WTF



  •  @boomzilla said:

    I was trying to log into some site recently, and they told me I had the wrong password. Well...it was what was stored in my PW manager, so that was weird. So I went to reset, and tried using the saved password I had. It was some arbitrary 20 mixed character kind of thing, and I figured they had bad validation when I set it or something, and I'd find the error this way. They told me I couldn't use my existing password as my new password. WTF

    I've been bit before where some password fields have a maxlength set and some don't.  That can cause mismatches.


  • Considered Harmful

    @anachostic said:

     @boomzilla said:

    I was trying to log into some site recently, and they told me I had the wrong password. Well...it was what was stored in my PW manager, so that was weird. So I went to reset, and tried using the saved password I had. It was some arbitrary 20 mixed character kind of thing, and I figured they had bad validation when I set it or something, and I'd find the error this way. They told me I couldn't use my existing password as my new password. WTF

    I've been bit before where some password fields have a maxlength set and some don't.  That can cause mismatches.


    I've used sites that silently truncate input when you set your password but not when they authenticate using it. So your password gets set to "1234" but you entered the much more secure "123456"; you won't be able to log in until you figure that out.


  • Trolleybus Mechanic

    @anachostic said:

    My best assumption was that there was a command-line utility that was being used to sync the password with other systems that didn't quote the arguments.

    If only there was some way to transform all those non-CLI friendly characters into a base set of acceptable ones. A base set of, say-- upper and lower case letters, numbers, and a couple control characters.  I'd say, ballpark, 64 characters might be enough.

    We could call it LorneEncode!
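    What the unquoted command line in anachostic's story actually looks like to a shell, and three ways to pass the password safely. This is an added example, not code from the thread; the tool name `pwsync` and its flags are hypothetical stand-ins for whatever the portal invoked. Nothing is executed: `shlex` is used only to show how a POSIX shell would tokenise each command line.

```python
"""Added example: an unquoted password on a command line, and the fixes.
Not code from the thread; `pwsync` and its flags are hypothetical.
Nothing is run; shlex shows what a POSIX shell would make of each line."""
import base64
import shlex

TOOL = "pwsync"  # hypothetical password-sync utility, never actually executed here


def naive_cmdline(user: str, password: str) -> str:
    """The bug from the story: plain string interpolation, no quoting."""
    return f"{TOOL} --user {user} --password {password}"


def quoted_cmdline(user: str, password: str) -> str:
    """Fix 1: shell-quote every untrusted value before interpolating it."""
    return f"{TOOL} --user {shlex.quote(user)} --password {shlex.quote(password)}"


def encoded_cmdline(user: str, password: str) -> str:
    """Fix 2 (the base64 joke taken seriously): the URL-safe base64 alphabet
    contains no shell metacharacters, so the value survives unquoted.
    Assumes the tool accepts a hypothetical --password-b64 flag."""
    b64 = base64.urlsafe_b64encode(password.encode("utf-8")).decode("ascii")
    return f"{TOOL} --user {shlex.quote(user)} --password-b64 {b64}"


def safe_argv(user: str, password: str) -> list:
    """Fix 3 (preferred): build argv and hand it to subprocess.run(argv)
    with shell=False, so no shell ever parses the password at all."""
    return [TOOL, "--user", user, "--password", password]


def shell_view(cmdline: str) -> list:
    """Tokenise like a POSIX shell. punctuation_chars=True makes shlex emit
    operators such as ';', '&' and '|' as their own tokens, which is exactly
    where command injection happens."""
    return list(shlex.shlex(cmdline, posix=True, punctuation_chars=True))


def decode_b64_password(cmdline: str) -> str:
    """What the receiving tool would do with the --password-b64 value."""
    return base64.urlsafe_b64decode(shell_view(cmdline)[-1]).decode("utf-8")


if __name__ == "__main__":
    for pw in ("ztebg kdgvg odgug", "x; rm -rf /"):
        print("naive :", shell_view(naive_cmdline("alice", pw)))
        print("quoted:", shell_view(quoted_cmdline("alice", pw)))
        print("b64   :", shell_view(encoded_cmdline("alice", pw)))
```

    With the passphrase the sync tool receives three separate arguments after `--password`; with a password containing `;` the shell sees a second command. Quoting and base64 both fix the tokenisation, but the argv list is the only option that removes the shell from the path entirely.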



  • @Lorne Kates said:

    @anachostic said:

    My best assumption was that there was a command-line utility that was being used to sync the password with other systems that didn't quote the arguments.

    If only there was some way to transform all those non-CLI friendly characters into a base set of acceptable ones. A base set of, say-- upper and lower case letters, numbers, and a couple control characters.  I'd say, ballpark, 64 characters might be enough.

    We could call it LorneEncode!

    A little while back, I had to write a thing that interacted with a pretty terrible service to show a few things on a map. The service did some "validation" on any queries passed to it, and did not allow string literals. This was problematic, since we were mapping things based on a string search. The workaround was to pass everything as VARBINARY hex literals, and CAST them to NVARCHAR, until we had a better wrapper for the service (two or so versions later). On the plus side, I guess we don't have to worry about SQL injection? It was something like:

    [code]mapServer.whereClause = " and DriverName LIKE CAST(0x" + BitConverter.ToString(ASCIIEncoding.ASCII.GetBytes(NameParam.Value.ToString())).Replace("-", String.Empty) + " AS NVARCHAR)";[/code]


  • @anachostic said:

     @boomzilla said:

    I was trying to log into some site recently, and they told me I had the wrong password. Well...it was what was stored in my PW manager, so that was weird. So I went to reset, and tried using the saved password I had. It was some arbitrary 20 mixed character kind of thing, and I figured they had bad validation when I set it or something, and I'd find the error this way. They told me I couldn't use my existing password as my new password. WTF

    I've been bit before where some password fields have a maxlength set and some don't.  That can cause mismatches.

    I remember registering on some website with my student e-mail (which is basically name.surname@very.long.domain.com), and then trying to log in, only to hit the character limitation halfway through. Luckily it was only checked client-side, but Inspect Element still shouldn't be included in a basic login process.

    Turned out they also had the most basic SQL injection vulnerability in the very same form too - basically free admin access for all finance records. And I thought you can only stuff so much WTF in one two-field form.
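    The two SQL situations in this thread side by side: the injectable two-field login form from the post above, and the hex-literal workaround from the map-service snippet a few posts up. This is an added example, not code from the thread or either site, ported to SQLite so it runs offline; the tables, rows and the plaintext password column are constructed to mirror the sites described (a real system stores password hashes). SQLite writes a blob literal as `X'...'` where T-SQL writes `0x...`, and `CAST(... AS TEXT)` reads the bytes as UTF-8.

```python
"""Added example: injectable login vs. parameterised login, and the
hex-literal LIKE trick vs. a parameterised LIKE with escaped wildcards.
Not code from the thread; sample rows are constructed."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data for both stories."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, email TEXT, password TEXT, is_admin INTEGER);
        INSERT INTO users VALUES (1, 'admin@example.test', 'correct horse', 1);
        INSERT INTO users VALUES (2, 'name.surname@very.long.domain.example', 'hunter2', 0);
        CREATE TABLE drivers(id INTEGER PRIMARY KEY, DriverName TEXT);
        INSERT INTO drivers(DriverName) VALUES ('Smith'), ('Smithers'), ('O''Brien');
    """)
    return con


def login_vulnerable(con, email: str, password: str):
    """The two-field form: user input concatenated straight into SQL."""
    sql = (f"SELECT id, is_admin FROM users "
           f"WHERE email = '{email}' AND password = '{password}'")
    return con.execute(sql).fetchone()


def login_safe(con, email: str, password: str):
    """Parameterised: the driver sends values out of band, so a quote in
    the input is just a quote."""
    return con.execute(
        "SELECT id, is_admin FROM users WHERE email = ? AND password = ?",
        (email, password)).fetchone()


def hex_literal(s: str) -> str:
    """SQLite blob literal for the UTF-8 bytes of s (T-SQL would be 0x...)."""
    return "X'" + s.encode("utf-8").hex().upper() + "'"


def search_drivers_hexcast(con, name: str) -> list:
    """The posted workaround: only [0-9A-F] reaches the SQL text, so no quote
    can break out of the literal. The LIKE wildcards % and _ still get
    through, because they are data to the encoder but syntax to LIKE."""
    sql = (f"SELECT DriverName FROM drivers "
           f"WHERE DriverName LIKE CAST({hex_literal(name)} AS TEXT) ORDER BY id")
    return [row[0] for row in con.execute(sql)]


def search_drivers_safe(con, name: str) -> list:
    """Parameterised LIKE with the wildcards escaped as well."""
    pattern = re.sub(r"([%_\\])", r"\\\1", name)
    return [row[0] for row in con.execute(
        "SELECT DriverName FROM drivers WHERE DriverName LIKE ? ESCAPE '\\' ORDER BY id",
        (pattern,))]


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "admin@example.test' --", "wrong"))   # admin without a password
    print(login_safe(db, "admin@example.test' --", "wrong"))         # None
    print(search_drivers_hexcast(db, "%"))                           # every driver
    print(search_drivers_safe(db, "%"))                              # []
```

    The hex trick really does stop quote-breakout, which is why the poster could stop worrying about classic injection; it does nothing about `%` and `_`, so a user can still enumerate the whole table through a search box. Parameters plus wildcard escaping close both.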



  • From now on, the first password I'm going to try everywhere will be '; DROP TABLES; SELECT * WHERE TRUE

    For research, of course.



  • @TGV said:

    From now on, the first password I'm going to try everywhere will be '; DROP TABLES; SELECT * WHERE TRUE

    For research, of course.


    Msg 4145, Level 15, State 1, Line 1

    An expression of non-boolean type specified in a context where a condition is expected, near 'TRUE'.



  • @mikeTheLiar said:

    @TGV said:

    From now on, the first password I'm going to try everywhere will be '; DROP TABLES; SELECT * WHERE TRUE

    For research, of course.


    Msg 4145, Level 15, State 1, Line 1

    An expression of non-boolean type specified in a context where a condition is expected, near 'TRUE'.

    TIL true is not a boolean



  • @anachostic said:

    Reminds me of when I used to work at a very large company and the first time I changed my password through their support portal, everything went to shit. Based on later troubleshooting, I learned it was because my password had a space in it (because I use phrases). My best assumption was that there was a command-line utility that was being used to sync the password with other systems that didn't quote the arguments.

    I used to use passwords like ztebg kdgvg odgug uvqkh tkqel for wifi routers until I encountered one that screwed those up after a round trip through settings backup / settings restore (the settings file format was XML-based, for what that's worth). Now I usually use the bdfay.xdvxw.wmtil.afkyy.faxpm format instead, except on iPhones because those don't have . on the front page of their soft keyboards.

    Both those formats are naturally "too weak" for use with Apple IDs, though Apple1234 is just fine.



  • @Ben L. said:

    TIL true is not a boolean

    Right. Booleans are either true or false. True is only true.


  • Discourse touched me in a no-no place

    @flabdablet said:

    Both those formats are naturally "too weak" for use with Apple IDs, though Apple1234 is just fine.
    It's a shame there's no algorithm for measuring the entropy of a string, nor even a theory of how one might go about doing such a thing…



  • @flabdablet said:

    I used to use passwords like ztebg kdgvg odgug uvqkh tkqel for wifi routers until I encountered one that screwed those up after a round trip through settings backup / settings restore
    I bricked quite a few routers when I tried to set WPA key with punctuation. No idea what they were doing - once you set the key, the router rebooted and never started up again (and the reset button didn't work).



  • @dkf said:

    @flabdablet said:
    Both those formats are naturally "too weak" for use with Apple IDs, though Apple1234 is just fine.
    It's a shame there's no algorithm for measuring the entropy of a string, nor even a theory of how one might go about doing such a thing…
    Rejecting passwords consisting of a word followed by a number, each of which has a place inside the top 100 in pretty much every list of frequently used passwords ever, would be a good start. As would treating a password containing 5 groups of 5 lowercase letters, none forming a recognizable word, as strong enough not to need help from uppercase letters and digits. And why completely disallow passwords containing spaces? Apple is all about security theatre, not actual security.



  • Dropbox made zxcvbn (https://dl.dropboxusercontent.com/u/209/zxcvbn/test/index.html) as a password entropy measurer. While not perfect, it's better than everything else I've seen.

    • Apple1234: 11.16
    • ztebg kdgvg odgug uvqkh tkqel: 165.188
    • bdfay.xdvxw.wmtil.afkyy.faxpm: slightly lower, because it matches "a", "i" and "fax" as dictionary words and "wmt" as a Dvorak keyboard pattern.
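    A miniature of the zxcvbn idea, to show why it scores "Apple1234" so far below a random five-word string and why the dotted string comes out a little lower than the spaced one. This is an added example, not zxcvbn itself and not code from the thread: it finds the cheapest way to explain a password as a run of dictionary words, digit runs and brute-forced chunks, and reports log2 of the resulting guess count. The word ranks are constructed stand-ins for a real frequency list, and the one-bit-per-segment penalty is a simplification of zxcvbn's.

```python
"""Added example: a tiny pattern-based password strength estimator in the
spirit of zxcvbn. Not zxcvbn, not code from the thread; word ranks below
are constructed."""
import math
from dataclasses import dataclass

# Constructed mini frequency list: word -> rank (1 = most common).
COMMON_WORDS = {
    "password": 1, "123456": 2, "qwerty": 3, "letmein": 7, "monkey": 9,
    "apple": 17, "dragon": 21, "football": 25, "the": 30, "server": 120,
    "purple": 250, "community": 400, "fax": 900, "swamp": 1500, "goats": 2000,
}
SEGMENT_PENALTY_BITS = 1.0  # each extra pattern the attacker must combine costs a bit


@dataclass
class Estimate:
    bits: float
    matches: list  # [(kind, substring), ...] in password order


def class_cardinality(segment: str) -> int:
    """Alphabet size an attacker must brute-force for this chunk."""
    card = 0
    if any(c.islower() for c in segment): card += 26
    if any(c.isupper() for c in segment): card += 26
    if any(c.isdigit() for c in segment): card += 10
    if any(not c.isalnum() for c in segment): card += 33
    return card


def capitalisation_factor(segment: str) -> int:
    """Cheap variants (all lower, all upper, initial cap) barely help."""
    if segment.islower():
        return 1
    if segment.isupper() or (segment[0].isupper() and segment[1:].islower()):
        return 2
    return 2 ** sum(c.isupper() for c in segment)


def candidates(segment: str):
    """Yield (kind, guesses) explanations for one substring."""
    word = segment.lower()
    if word in COMMON_WORDS:
        yield "word", COMMON_WORDS[word] * capitalisation_factor(segment)
    if segment.isdigit():
        yield "digits", 10 ** len(segment)
    yield "brute", class_cardinality(segment) ** len(segment)


def estimate(password: str) -> Estimate:
    """Dynamic programme over split points: minimal total bits to explain
    the whole password, then backtrack to recover the segmentation."""
    n = len(password)
    best = [math.inf] * (n + 1)
    best[0] = 0.0
    back = [None] * (n + 1)
    for end in range(1, n + 1):
        for start in range(end):
            seg = password[start:end]
            for kind, guesses in candidates(seg):
                bits = best[start] + math.log2(guesses) + SEGMENT_PENALTY_BITS
                if bits < best[end]:
                    best[end] = bits
                    back[end] = (start, kind, seg)
    matches, pos = [], n
    while pos > 0:
        start, kind, seg = back[pos]
        matches.append((kind, seg))
        pos = start
    matches.reverse()
    return Estimate(bits=best[n], matches=matches)


def looks_like_word_plus_number(est: Estimate) -> bool:
    """flabdablet's rule: a dictionary word followed by digits is weak
    whatever the composition rules say."""
    return [k for k, _ in est.matches] == ["word", "digits"]


if __name__ == "__main__":
    for pw in ("Apple1234", "ztebg kdgvg odgug uvqkh tkqel", "bdfay.xdvxw.wmtil.afkyy.faxpm"):
        e = estimate(pw)
        print(f"{pw!r}: {e.bits:.1f} bits, {e.matches}")
```

    "Apple1234" collapses to one common word with an initial capital plus a four-digit run, about 20 bits here; the spaced random string is explained only by brute force over lowercase runs and comes out near 147; the dotted one loses a few bits because "fax" is in the list, which is the same effect the post describes.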


  • Imagine my horror when I went to change my bank password, and got an error because of special characters. An _ mind you, not some unicode symbol or anything.

    At least they do use two factor authentication by default, and login from a non-recognized PC sends me a text for a code. Although I'm curious as to what they use to identify a PC. Web programming is not my thing.


  • Trolleybus Mechanic

    @flabdablet said:

    Rejecting passwords consisting of a word followed by a number, each of which has a place inside the top 100 in pretty much every list of frequently used passwords ever, would be a good start. As would treating a password containing 5 groups of 5 lowercase letters, none forming a recognizable word, as strong enough not to need help from uppercase letters and digits. And why completely disallow passwords containing spaces? Apple is all about security theatre, not actual security.

    There are too many "common" words to blacklist, and new common words will be invented all the time. The solution, obviously, is to instead whitelist a set of allowed "secure" passwords.

    Version 2, of course, is this:

    Enter your password:   [ *******     ]
    Reenter your password: [ *******     ]
    Error: the password you have entered is insecure. We have determined the most secure password is 'pMhd&2f-1'.  Please enter that as your password.



  • Just now, I got screwed by another variant.  Yesterday, I signed up for a service through a partner website.  Got my approval and tried to log in to the service's website (not through the partner).  Password doesn't work.  Requested a forgot password link, tried to reset my password and was told that the password couldn't contain special characters.  Partner site never told me that.  Makes me wonder how the partners are submitting new accounts to the vendor...  Considering it's a medical records website, this could be important.



  • Discourse touched me in a no-no place

    @DrakeSmith said:

    Although I'm curious as to what they use to identify a PC. Web programming is not my thing.
    Off the top of my head, the most probable is they record your IP address from a previous visit server-side. Client-side solution would be a cookie, but that can obviously be faked. That said, given the technical ability of some banks' IT departments, it's not beyond the bounds of possibility that they just do the latter....



    Or combine the two, store IP server side and have a cookie with an encrypted value based on the last IP address and an expiry time...



  • @anonymous234 said:

    Dropbox made zxcvbn as a password entropy measurer. While not perfect, it's better than everything else I've seen.

    • Apple1234: 11.16
    • ztebg kdgvg odgug uvqkh tkqel: 165.188
    • bdfay.xdvxw.wmtil.afkyy.faxpm: slightly lower, because it matches "a", "i" and "fax" as dictionary words and "wmt" as a Dvorak keyboard pattern.

    Corrected link

    Nice find!



  • @PJH said:

    Client-side solution would be a cookie, but that can obviously be faked.
    The server could sign the cookie - that makes faking one pretty much impossible and you're just left with identity spoofing attacks.


  • Discourse touched me in a no-no place

    @rad131304 said:

    @PJH said:
    Client-side solution would be a cookie, but that can obviously be faked.
    The server could sign the cookie - that makes faking one pretty much impossible and you're just left with identity spoofing attacks.
    That's basically what I was getting at in the last paragraph of that post.


  • Trolleybus Mechanic

    hmm, I wonder what would happen if....

    @zxcvbn said:


    password: Community Server blows goats
    entropy: 67.264
    crack time (seconds): 8859186710265778
    crack time (display): centuries
    score from 0 to 4: 4
    calculation time (ms): 1


    ... so Community Server is good for something after all!

     Other staples, though:

     @zxcvbn said:

    password: purple dildo
    entropy: 23.159
    crack time (seconds): 468.33
    crack time (display): 9 minutes
    score from 0 to 4: 1

    Though to be fair, lasting 9 minutes with a purple dildo isn't all that bad.

    @zxcvbn said:

    password: blakeyrant
    entropy: 26.192
    crack time (seconds): 3834.268
    crack time (display): 3 hours
    score from 0 to 4: 1

    CHOOSE YOUR OWN JOKE TIME!

    1) A blakeyrant is worth less than a purple dildo

    2)  like anyone would pay attention to a blakeyrant for 3 hours

    3)  at least this isn't THE WORST...

    Hmm, fuck the choose your own joke. Now I want to know:

    @zxcvbn said:

    password: mikeTheLiar
    entropy: 21.124
    crack time (seconds): 114.289
    crack time (display): 3 minutes
    score from 0 to 4: 1

    Well, that isn't THE WORST password, but it is worse than blakeyrant.

    Finally, presented without comment:

    @zxcvbn said:

    password: Spectate Swamp Desktop Search
    entropy: 80.298
    crack time (seconds): 74303785321533100000
    crack time (display): centuries
    score from 0 to 4: 4



  • Discourse touched me in a no-no place

    @Lorne Kates said:

    @zxcvbn said:


    password: blakeyrant
    entropy: 26.192
    crack time (seconds): 3834.268
    crack time (display): 3 hours
    score from 0 to 4: 1

    CHOOSE YOUR OWN JOKE TIME!

    1) A blakeyrant is worth less than a purple dildo

    2)  like anyone would pay attention to a blakeyrant for 3 hours

    3)  at least this isn't THE WORST...

    Indeed… @zxcvbn said:

    password: THE WORST
    entropy: 19.669
    crack time (seconds): 41.678
    crack time (display): instant
    score from 0 to 4: 1



  •  @Buttembly Coder said:

    @Ben L. said:
    TIL true is not a boolean

    Right. Booleans are either true or false. True is only true.

    True or true not. There is no FileNotFound.


  • Trolleybus Mechanic

     @dkf said:

    [not that I've tried any of my real passwords on this thing]

    I did, but not before trying a few with Firebug's Net panel open. There doesn't seem to be any server-side communication.

    "ENTER YOUR PASSWORD HERE TO SEE IF YOUR PASSWORD HAS BEEN HACKED:" [                     ]

    function bool HasYourPasswordBeenHacked(string user_password)
    {

        SaveUserPasswordToHackerDatabase(user_password);
        return true;
    }






  • @PJH said:

    @rad131304 said:
    @PJH said:
    Client-side solution would be a cookie, but that can obviously be faked.
    The server could sign the cookie - that makes faking one pretty much impossible and you're just left with identity spoofing attacks.
    That's basically what I was getting at in the last paragraph of that post.
    Ah ok, my bad.


  • Considered Harmful

    @DrakeSmith said:

    At least they do use two factor authentication by default, and login from a non-recognized PC sends me a text for a code. Although I'm curious as to what they use to identify a PC. Web programming is not my thing.
    Usually some random token in a cookie, corresponding to a record in the DB with a "verified" bit that gets set when you pass the challenge.
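    The device-recognition scheme the last few posts converge on, in one place: a random token in a cookie, a server-side record carrying the "verified" bit that gets set after the SMS challenge, an HMAC signature so the cookie cannot be forged or edited, and an expiry. This is an added example, not code from the thread or from any bank; the key handling, cookie format and in-memory store are constructed for illustration, and the 30-day lifetime is an assumption.

```python
"""Added example: 'remember this device' with a signed cookie and a
server-side verified bit. Not code from the thread or any bank; key,
cookie format, TTL and store are illustrative."""
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # hypothetical: load from a secret store in practice
DEVICE_TTL = 30 * 24 * 3600           # assumed 30-day lifetime for a recognised device


def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode("ascii"), hashlib.sha256).hexdigest()


def issue_device_cookie(store: dict, user: str, now: float = None) -> str:
    """Called at login from an unknown device, before the SMS challenge.
    The cookie carries only an opaque id and an expiry; the verified state
    lives server-side, so the client cannot assert it."""
    now = time.time() if now is None else now
    token_id = secrets.token_urlsafe(16)  # never contains '.', so the format is unambiguous
    store[token_id] = {"user": user, "verified": False, "created": now}
    payload = f"{token_id}.{int(now + DEVICE_TTL)}"
    return f"{payload}.{_sign(payload)}"


def mark_verified(store: dict, cookie: str) -> None:
    """Called once the one-time code from the text message has been checked."""
    token_id = cookie.split(".")[0]
    if token_id in store:
        store[token_id]["verified"] = True


def is_recognised_device(store: dict, cookie: str, user: str, now: float = None) -> bool:
    """True only for an untampered, unexpired cookie whose server-side
    record is verified and belongs to the user now logging in."""
    now = time.time() if now is None else now
    try:
        token_id, expiry, sig = cookie.split(".")
    except ValueError:
        return False
    payload = f"{token_id}.{expiry}"
    if not hmac.compare_digest(_sign(payload).encode(), sig.encode()):  # forged or edited
        return False
    if int(expiry) < now:  # safe to int() now: the signature vouches for the string
        return False
    record = store.get(token_id)  # None if unknown or revoked server-side
    return record is not None and record["verified"] and record["user"] == user


if __name__ == "__main__":
    devices = {}
    c = issue_device_cookie(devices, "drake")
    print(is_recognised_device(devices, c, "drake"))  # False until the SMS code is checked
    mark_verified(devices, c)
    print(is_recognised_device(devices, c, "drake"))  # True
```

    Revocation is a server-side delete of the record, which is the advantage of keeping state on the server rather than encoding "verified" into the cookie; the signature only has to guarantee that the id and expiry presented are the ones the server issued.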



  •  @flabdablet said:

    Corrected link

    Nice find!

    That is an interesting article, but I'm not sure I understand its value.  When I enter a pw similar to mine, two parts of the password come up as "brute force", so doesn't that mean that the only way the password can be discovered is through brute force?  It seems like cheating to know the password and work backwards as to how you would crack it.  How would any pw cracker know that they would need a dictionary list, then a brute force of only 2 characters, then another dictionary list, then another brute force of 1 character?  I think GRC's haystack calculator is a better measurement.




  • @anachostic said:

     @flabdablet said:

    Corrected link

    Nice find!

    That is an interesting article, but I'm not sure I understand its value.  When I enter a pw similar to mine, two parts of the password come up as "brute force", so doesn't that mean that the only way the password can be discovered is through brute force?  It seems like cheating to know the password and work backwards as to how you would crack it.  How would any pw cracker know that they would need a dictionary list, then a brute force of only 2 characters, then another dictionary list, then another brute force of 1 character?  I think GRC's haystack calculator is a better measurement.


    I suppose you'd use a symbols table, which included both your dictionary words and the plain characters, as opposed to a pure dictionary search.

    On that note, I wonder how many pass phrases can be cracked just by concatenating a few common dictionary words together with spaces...

    I guess the moral of the story is that if everyone uses the same heuristics to create passwords, and reduces the solution space accordingly, then those same heuristics can be used to crack them.


  • Considered Harmful

    @Buttembly Coder said:

    On that note, I wonder how many pass phrases can be cracked just by concatenating a few common dictionary words together with spaces...

    The method was designed with this attack in mind. It's a larger keyspace than you might imagine.


  • @anonymous234 said:

    http://ismycreditcardstolen.com/

    Even better, https://ismycreditcardstolen.com/

    There are some very subtle and hard to spot irregularities with their SSL certificate which would require a cryptography expert to identify.

    Sadly, it doesn't forward to the same page.




  • @joe.edwards said:

    @Buttembly Coder said:

    On that note, I wonder how many pass phrases can be cracked just by concatenating a few common dictionary words together with spaces...

    The method was designed with this attack in mind. It's a larger keyspace than you might imagine.

    My imagination is the 2000 most common words, and a phrase length of five or six words; a heuristic solution space on the order of 1035 or 6, right?

    It depends greatly on how much one wishes to restrict the word list

    Addendum:

    This roughly equates, in solution space size, to a ten character letter+number+special password


  • Discourse touched me in a no-no place

    @Buttembly Coder said:

    My imagination is the 2000 most common words, and a phrase length of five or six words; a heuristic solution space on the order of 1035 or 6, right?

    The thing is, almost everyone has a much larger vocabulary than that (especially if you include Proper Names). Increasing the size of the dictionary really increases the search space very rapidly.



  • @dkf said:

    @Buttembly Coder said:

    My imagination is the 2000 most common words, and a phrase length of five or six words; a heuristic solution space on the order of 1035 or 6, right?

    The thing is, almost everyone has a much larger vocabulary than that (especially if you include Proper Names). Increasing the size of the dictionary really increases the search space very rapidly.

    Sure, almost everyone can identify words outside of the most common, but my assumption is that, in the age of txt speak, most people tend to think in common words, and would generally remember phrases composed of them.

    Also, my point isn't that "passphrases are worse than passwords" - I don't believe they are. My point is that I think that, for most people, with a limited daily-use vocabulary, the phrases they'd come up with would likely be easy targets for a heuristic search.

    Mostly, I'd love to see if, say, from a person's facebook posts, you could make a tailored dictionary of their vocabulary, and build a small word list from it. If you had an individual whose normal daily distinct word count was low, they'd probably be a good case study.

    I'm sure we'll have real data on it after the next big security breach, so we'll see.
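    The attack Buttembly Coder outlines, run on constructed data, together with the keyspace arithmetic from the earlier exchange (2000 words to the fifth or sixth power against ten characters of letters, digits and specials). This is an added example, not code from the thread: it builds a word list from someone's posts ranked by how often they use each word, enumerates passphrases in rank order, and counts how many guesses a given phrase survives. The sample posts are made up; a real attacker would scrape them.

```python
"""Added example: tailored-dictionary passphrase search plus keyspace
comparison. Not code from the thread; SAMPLE_POSTS are constructed."""
import itertools
import math
import re
from collections import Counter

# Constructed "posts" standing in for a scraped social-media history.
SAMPLE_POSTS = [
    "lol my cat is the best cat ever",
    "cant wait for the weekend lol",
    "my dog and my cat are the best",
    "best weekend ever with the dog lol",
    "the cat the dog and me",
]


def tailored_wordlist(posts) -> list:
    """Distinct words, most frequently used first (ties alphabetical)."""
    counts = Counter(w for p in posts for w in re.findall(r"[a-z]+", p.lower()))
    return [w for w, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


def guesses_to_find(wordlist, phrase: str, max_words: int):
    """Try every 1-word phrase, then every 2-word phrase, ... each in
    word-rank order; return the guess number that hits, or None."""
    target = tuple(phrase.split())
    guesses = 0
    for n in range(1, max_words + 1):
        for candidate in itertools.product(wordlist, repeat=n):
            guesses += 1
            if candidate == target:
                return guesses
    return None


def keyspace_bits(choices: int, length: int) -> float:
    """log2 of the number of equally likely secrets: words^n or charset^len."""
    return length * math.log2(choices)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """On average the attacker finds the secret halfway through the space."""
    return 2 ** bits / 2 / guesses_per_second


if __name__ == "__main__":
    words = tailored_wordlist(SAMPLE_POSTS)
    print(len(words), "distinct words:", words)
    print("'my best cat' falls on guess", guesses_to_find(words, "my best cat", 3))
    rate = 1e10  # assumed offline guess rate against a fast hash
    for label, choices, length in (("2000 words x5", 2000, 5), ("2000 words x6", 2000, 6),
                                   ("95 printable x10", 95, 10), ("500 words x5", 500, 5)):
        b = keyspace_bits(choices, length)
        print(f"{label}: {b:.1f} bits, ~{expected_crack_seconds(b, rate) / 86400:.0f} days")
```

    The sixteen-word vocabulary from five posts finds "my best cat" in under two thousand guesses, which is the point about daily-use vocabularies; the keyspace figures confirm the thread's other claim, that six words from a 2000-word list (about 66 bits) and ten printable characters (about 66 bits) are the same size, while shrinking the list to 500 words costs nearly two bits per word.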



  • @anonymous234 said:

    http://ismycreditcardstolen.com/

    Is it possible to do something with a card without a CVV code, by the way?

    Also, any limit on passwords is stupid. As far as I know, the first thing to do with a password is to hash it, and those hash functions eat pretty much everything.
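    A registration and login pair that reproduces the silent-truncation bug described earlier in the thread (set "123456", end up with "1234", and fail to log in with either), next to the correct version, which illustrates the point above: the hash accepts any byte string, so length limits, punctuation bans and space bans buy nothing. This is an added example, not code from the thread or any of the sites in it; `MAXLENGTH` is a hypothetical stand-in for the form attribute the registration page had and the login page lacked, and PBKDF2 from the standard library is used so it runs without extra packages.

```python
"""Added example: the silent-truncation bug beside a correct register/verify
pair. Not code from the thread; MAXLENGTH is a hypothetical form limit."""
import hashlib
import hmac
import os
from dataclasses import dataclass

MAXLENGTH = 4          # hypothetical form limit, applied only on the registration page
ITERATIONS = 100_000   # PBKDF2 work factor, illustrative


@dataclass
class Account:
    salt: bytes
    digest: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 over the UTF-8 bytes: any length, any character;
    spaces, punctuation and non-ASCII need no special handling."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register_buggy(password: str) -> Account:
    """Registration path with the bug: hashes only the first MAXLENGTH
    characters, mimicking a maxlength the login form does not share."""
    salt = os.urandom(16)
    return Account(salt, hash_password(password[:MAXLENGTH], salt))


def register_correct(password: str) -> Account:
    """Same, without truncating."""
    salt = os.urandom(16)
    return Account(salt, hash_password(password, salt))


def verify(account: Account, password: str) -> bool:
    """Login path: hash what the user typed, untruncated, compare in
    constant time."""
    return hmac.compare_digest(hash_password(password, account.salt), account.digest)


if __name__ == "__main__":
    acct = register_buggy("123456")
    print(verify(acct, "123456"))  # False: the user is locked out of their own account
    print(verify(acct, "1234"))    # True: this is what was actually stored
    pw = "correct horse; battery staple! ünïcödé"
    print(verify(register_correct(pw), pw))  # True, punctuation, spaces and all
```

    One caveat worth knowing when swapping the primitive: bcrypt only looks at the first 72 bytes of its input, so a bcrypt-based system has a truncation of its own to document; PBKDF2, scrypt and Argon2 take the whole input.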



  • @Buttembly Coder said:

    My point is that I think that, for most people, with a limited daily-use vocabulary, The phrases they'd come up with would likely be easy targets for a heuristic search.

    Mostly, I'd love to see if, say, from a person's facebook posts, you could make a tailored dictionary of their vocabulary, and build a small word list from it. If you had an individual whose normal daily distinct word count was low, they'd probably be a good case study.

    Yep. The rule I teach my customers is that if your password is simple enough for you to remember, it's too weak to protect you online. So just remember two strong-ish passwords, combine those to make a single strong-enough password, use that as the master password for your KeePass database, and let software do the rest of the password construction and remembering for you. Use one of the portable editions of KeePass so you can use it on any Windows box without needing to install it there first. Keep a copy of that, along with your password database, in your Dropbox; keep another in a micro SD card reader attached to your car keys.

    In 2014, if you're not using password management software to manage your passwords, you're doing it wrong.



  • @Buttembly Coder said:

    This roughly equates, in solution space size, to a ten character letter+number+special password



    Sure. But the thing is, a ten character letter+number+special is fairly secure already. So something with the same solution space that is significantly easier to remember is an improvement.



  • @Maciejasjmj said:

    Is it possible to do something with a card without a CVV code, by the way?
    There are still some online stores that don't require it.



  • @flabdablet said:

    @anonymous234 said:
    Dropbox made zxcvbn as a password entropy measurer. While not perfect, it's better than everything else I've seen.

    • Apple1234: 11.16
    • ztebg kdgvg odgug uvqkh tkqel: 165.188
    • bdfay.xdvxw.wmtil.afkyy.faxpm: slightly lower, because it matches "a", "i" and "fax" as dictionary words and "wmt" as a Dvorak keyboard pattern.

    Corrected link

    Nice find!


  • Discourse touched me in a no-no place

    @ender said:

    There are still some online stores that don't require [a CCV code].
    Really? I can vaguely understand how some places can be not set up to deal with Chip+PIN, but no CCV?



  • @dkf said:

    I can vaguely understand how some places can be not set up to deal with Chip+PIN, but no CCV?
    Don't ask me how/why - I was equally surprised. Most of the places that didn't require it when I first used them have changed to requiring the CVV2 code lately - I've read somewhere that while the code isn't required, if the charge is disputed, the seller is entirely responsible if the CVV2 code was not used.



  • @ender said:

    @dkf said:
    I can vaguely understand how some places can be not set up to deal with Chip+PIN, but no CCV?
    Don't ask me how/why - I was equally surprised. Most of the places that didn't require it when I first used them have changed to requiring the CVV2 code lately - I've read somewhere that while the code isn't required, if the charge is disputed, the seller is entirely responsible if the CVV2 code was not used.

    What I'm still surprised about is that online stores require all various kind of authenticating information... all of which are found on the very card itself. Here in Poland, some banks implement extensions to that - for example, my bank requires me to log into my Internet account and provide a SMS token - but I've still seen a lot of places where if you have a card, no matter if it's actually yours or not, you can buy whatever the hell you like. Just put that CVV code on a separate piece of paper when you give me a card, goddamnit.



  • @Maciejasjmj said:

    What I'm still surprised about is that online stores require all various kind of authenticating information... all of which are found on the very card itself. Here in Poland, some banks implement extensions to that - for example, my bank requires me to log into my Internet account and provide a SMS token - but I've still seen a lot of places where if you have a card, no matter if it's actually yours or not, you can buy whatever the hell you like. Just put that CVV code on a separate piece of paper when you give me a card, goddamnit.



  • @anonymous234 said:

    @Maciejasjmj said:

    What I'm still surprised about is that online stores require all various kind of authenticating information... all of which are found on the very card itself. Here in Poland, some banks implement extensions to that - for example, my bank requires me to log into my Internet account and provide a SMS token - but I've still seen a lot of places where if you have a card, no matter if it's actually yours or not, you can buy whatever the hell you like. Just put that CVV code on a separate piece of paper when you give me a card, goddamnit.

    Great, you just made Bitcoin seem like a sane system by comparison. (which it actually is even though community's shit)

