Mega-Ultra-Über Secure Password Requirements



  • These are the password requirements for a certain insurance company's credit card site:

    Your password must be between eight (8) and twelve (12) characters long and must contain at least one letter and one number.

    Password is not case sensitive.
    Use letters and numbers only when creating your Password.
    Do not use special characters and/or spaces.

    ok, it's cool they force at least 8 characters, but it's CASE-INSENSITIVE and DOESN'T ALLOW SPECIAL CHARACTERS... WTF?! I'd love to know what the web admin thought when coming up w/ those requirements.

    Boss: Is it secure Johnson?

    Johnson: Oh yeah boss, a minimum of 8 characters, plus its alphanumeric!

    Boss: Sounds good, but don't make it too hard for me to enter. I hate it when I type something in and CAPS LOCK is still on.

    Johnson: Can do boss!

    yay for security! and btw, I don't bank there :D


  • Considered Harmful

    This reminds me of one website that asked me to enter the answer to a secret question.  "What is your mother's maiden name?"  When I submitted the form it said, "error: the answer to your secret question must be at least 6 characters."  My mother's maiden name is five characters.  I tried selecting a different question, "What is the name of your pet?" but his name was also too short.  I could've padded the answers with extra characters but doubted I would remember when prompted to answer the question later.  I ended up selecting a question about my elementary school.  I'm lucky that answer wasn't so short.



  • LOL! And actually, using your mother's maiden name is one of the worst things they can ask you. With that and a bit more info, someone could easily take out credit cards, loans, or whatever in your name...

    I hate the character limit and special character restriction. Why the heck can't they process "special" characters?! Do they have a problem with making it (slightly) more difficult to do a brute-force?



  • I remember my netbanking with my old bank used to ask me two questions when authorizing a new account for transfers.

    1. what is your mother's maiden name?

    2. what is your date of birth?

    Both pieces of information are freely available from the department of births, deaths and marriages.


    Now that's secure.



  • True, but most sites will just email you the password when you answer the secret question. If they have access to your email, then you're already pretty screwed.



  • 36 allowed characters, at least one digit, at least one letter, at least 8 characters... that's roughly 2^41 different possible minimum-length passwords.

    Should the encrypted (hashed) passwords ever get into the wrong hands, it's time to panic.
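As an added example (not code from the thread) of where the 2^41 figure comes from, this script counts the passwords a policy admits by inclusion-exclusion over the required character classes, for the minimum length and for the whole 8..12 range, and sets the thread's policy beside two constructed alternatives for comparison:

```python
from itertools import combinations
import math

# Added example, not from the thread: the policy figures (36 symbols, at least
# one letter and one digit, 8..12 characters) are the ones quoted above; the
# two comparison policies are constructed for contrast.

def count_passwords(alphabet, required, length):
    """Strings of `length` over `alphabet` symbols containing at least one
    symbol from each class in `required` (a list of class sizes; the classes
    are disjoint subsets of the alphabet)."""
    total = 0
    for r in range(len(required) + 1):
        for excluded in combinations(required, r):
            # (-1)^r * number of strings that avoid every class in `excluded`
            total += (-1) ** r * (alphabet - sum(excluded)) ** length
    return total

def count_range(alphabet, required, min_len, max_len):
    """Same count, summed over every permitted length."""
    return sum(count_passwords(alphabet, required, n)
               for n in range(min_len, max_len + 1))

def bits(n):
    """Size of a search space expressed as a power of two."""
    return math.log2(n)

POLICIES = {
    # name: (alphabet size, [letters, digits], min length, max length)
    "thread policy (case-insensitive alnum)": (36, [26, 10], 8, 12),
    "case-sensitive alnum":                   (62, [52, 10], 8, 12),
    "all 95 printable ASCII":                 (95, [52, 10], 8, 12),
}

if __name__ == "__main__":
    for name, (alpha, req, lo, hi) in POLICIES.items():
        shortest = count_passwords(alpha, req, lo)
        everything = count_range(alpha, req, lo, hi)
        print(f"{name}: minimum-length space ~2^{bits(shortest):.1f}, "
              f"all lengths ~2^{bits(everything):.1f}")
```

For the thread's policy the minimum-length space is 36^8 - 26^8 - 10^8, just over 2^41; allowing the full printable ASCII set at the same length adds roughly ten bits.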



  • A lot of sites don't store it in clear text though, and will instead reset the password. Which still makes it possible to steal your account, but not without you becoming aware of it.


    I hate sites which force me to choose some lame or easily guessed question and don't even allow me to disable it entirely. So I'm forced to either choose a detail of my personal life that would be easily guessed or found out (and is known by all of my real-life acquaintances), or deliberately enter something wrong which I then have to remember. Way to make it secure.



  • @Arancaytar said:

    I hate sites which force me to choose some lame or easily guessed question and don't even allow me to disable it entirely. So I'm forced to either choose a detail of my personal life that would be easily guessed or found out (and is known by all of my real-life acquaintances), or deliberately enter something wrong which I then have to remember. Way to make it secure.

    Personally, when they force me to answer a question like that, I just mash the keyboard. If I ever need to reset my password I'm screwed, but that's not especially common.



  • @rbowes said:

    Personally, when they force me to answer a question like that, I just mash the keyboard. If I ever need to reset my password I'm screwed, but that's not especially common.

    I do the same. However, I also mail the outcome of the keyboard mashing to myself. A potential security issue, sure, but one email < trivially guessable stuff...

    Anybody with physical access to my box can retrieve a zillion passwords, but as the saying goes: "If they have physical access to your box, it's no longer your box."



  • Leaving aside things like real-time hard-disk encryption with a pass-phrase and a rotating key. But then, there was this article recently about how looping the power cord through the keytoken made it all much more convenient... :-P



  • Signing up on a certain subsection of my bank's web site yesterday, I typed in my username, default password (that had to be changed), and new password.  However, when I clicked Submit, I noticed that I had forgotten to type my new password into the "confirm new password" box.

    It accepted it anyway.  Hope I didn't typo it!



  • A good source of people with money and identities worth stealing, complete with dates of birth and mothers' maiden names, is the Marquis "Who's Who in America", available in most public libraries.

    Anyway, my password on all my bank accounts is "HOUSE*MAGNET" because Compu-Serve says that is the most secure password of all.  (You have to be really old to get that joke.  If you don't get it, don't worry about it.  It's a really stupid joke.)

    <--- Wow!  Look at all my posts.  Don't I have anything better to do?




  • @newfweiler said:

    A good source of people with money and identities worth stealing, complete with dates of birth and mothers' maiden names, is the Marquis "Who's Who in America", available in most public libraries.

    Anyway, my password on all my bank accounts is "HOUSE*MAGNET" because Compu-Serve says that is the most secure password of all.  (You have to be really old to get that joke.  If you don't get it, don't worry about it.  It's a really stupid joke.)

    <--- Wow!  Look at all my posts.  Don't I have anything better to do?

    Great, now I feel left out... Have mercy on the 20-year-olds ><



  • @pbounaix said:

    These are the password requirements for a certain insurance company's credit card site:

    Your password must be between eight (8) and twelve (12) characters long and must contain at least one letter and one number.

    Password is not case sensitive.
    Use letters and numbers only when creating your Password.
    Do not use special characters and/or spaces.

    ok, it's cool they force at least 8 characters, but it's CASE-INSENSITIVE and DOESN'T ALLOW SPECIAL CHARACTERS... WTF?! I'd love to know what the web admin thought when coming up w/ those requirements.

    Hmm.  Blizzard Entertainment have that very same set of password requirements.


  • I've always found those secret questions to be useless annoyances.  Consequently, no matter what the question, the answer is always the same: a phrase similar to "fuck off and die".

