Wait a second, my WHAT must contain a number?



  • I wish I had taken a screenshot when it happened, but when creating my account for online services with a major healthcare provider, I was surprised to find that my username was being rejected. It was not because it was already taken, but because it was required that it be at least 8 characters long and contain at least one number.

    They had better have a pretty good reason for this, because I'll be damned if I can remember that one of my five-bazillion usernames has a "1" tacked on to the end without writing it on a sticky note somewhere.


  • Considered Harmful

    I use the same provider.  I've already forgotten my username.  I'm glad they at least provide forgotten username reminders.  I'm sure that's a feature that gets used a lot.



  • Does it require a letter, too?

     Maybe you could just string together all the ASCII codes to spell your name. You won't 'forget' it. But you won't remember it either.



  • A couple weeks ago I gave up on trying to remember all the usernames and passwords I use.  I now have a magnet holding several sheets of paper with lists of usernames and passwords on the side of my computer.  Not counting things like throwaway accounts for April Fools' jokes, I have at least 153 registered accounts.



  • This new authentication project at my work creates the user's username for them. It is pretty random and hard to remember. I guess it's more secure?



  • The best part?

    The password can't contain any sort of repeating letter/number combinations.

    That means my password can't contain 00, which it does.
     



  • I use this.



  • @Benanov said:

    The best part?

    The password can't contain any sort of repeating letter/number combinations.

    That means my password can't contain 00, which it does.
     

    It can't, but you're saying it does?!? That's unlogical!

    Let me guess your password if it has 00 in it... "jamesbond007"? 



  • I recall Kaiser's username/password policies being so retarded that I pretty much abandoned the idea of getting healthcare from them when I forgot my needlessly confusing username/password.



  • @JoC said:

    Does it require a letter, too?

     Maybe you could just string together all the ASCII codes to spell your name. You won't 'forget' it. But you won't remember it either.

    Even if it does, you can encode the ascii values as hex. Assuming that at least one character has a hex ascii value that ends in A-F (don't get me started on upper ascii... ).

    If symbols (usually != [A-Z0-9] but I guess some do some weird specifics, mind you I find arbitrary character restrictions stupid, since any password should be hashed and should be stored to allow all 256 character values. Great to let people have their UTF-8 or Japanese passwords) are accepted (even better if they're considered sufficient to replace one (or both) of the letter/number requirements) or even required, you could even use base64. Keep short of a multiple of 3 characters and you're guaranteed to have 1 or 2 ending =s.



  • Does this healthcare company's name happen to fill in the blank in "______ States of America", by any chance?

    Yeah, my insurance was just switched to them... so I know this WTF all too well (and was in fact thinking about posting it here!).



  • @Carnildo said:

    A couple weeks ago I gave up on trying to remember all the usernames and passwords I use.  I now have a magnet holding several sheets of paper with lists of usernames and passwords on the side of my computer.  Not counting things like throwaway accounts for April Fools' jokes, I have at least 153 registered accounts.

    I also stopped trying to remember all the usernames and passwords about 2 years ago and instead opted for the age old pen n paper method.  I think I'm on page 10 using it double sided.  My system is simple, 3 columns.  Column 1 is the site name i.e. TDWTF, column 2 is the username and column 3 is the password.  I write the password down on paper first so I can just write a random bunch of chars and numbers mixed case i.e. Fr22455ASGd899Das and then I try entering one of my usual usernames along with the password into the online form.  If the username is ok then I'll write that down in the pad, if not I'll change it and write the modified name.  This lets me have ultra spazzy passwords for everything.  The only time it's really been awkward is when I've been working too long and my eyes have gone a bit blurred, then it's quite hard to read the password in a straight line off the pad!



  • @Tann San said:

    @Carnildo said:

    A couple weeks ago I gave up on trying to remember all the usernames and passwords I use.  I now have a magnet holding several sheets of paper with lists of usernames and passwords on the side of my computer.  Not counting things like throwaway accounts for April Fools' jokes, I have at least 153 registered accounts.

    I also stopped trying to remember all the usernames and passwords about 2 years ago and instead opted for the age old pen n paper method.  I think I'm on page 10 using it double sided.  My system is simple, 3 columns.  Column 1 is the site name i.e. TDWTF, column 2 is the username and column 3 is the password.  I write the password down on paper first so I can just write a random bunch of chars and numbers mixed case i.e. Fr22455ASGd899Das and then I try entering one of my usual usernames along with the password into the online form.  If the username is ok then I'll write that down in the pad, if not I'll change it and write the modified name.  This lets me have ultra spazzy passwords for everything.  The only time it's really been awkward is when I've been working too long and my eyes have gone a bit blurred, then it's quite hard to read the password in a straight line off the pad!

     

    I use a program called Revelation (http://oss.codepoet.no/revelation/) to manage my passwords. Works OK. I think it is Linux-only, but it is written in Python so it might run on Windows or on Cygwin.



  • I try to use the same username everywhere, and if it's already taken, I simply add number 1 to it. For passwords, I've got 3 different, depending on importance of the site, and I enhance security with a (local) javascript that hashes my password with the site name.



  • @djork said:

    I wish I had taken a screenshot when it happened, but when creating my account for online services with a major healthcare provider, I was surprised to find that my username was being rejected. It was not because it was already taken, but because it was required that it be at least 8 characters long and contain at least one number. They had better have a pretty good reason for this, because I'll be damned if I can remember that one of my five-bazillion usernames has a "1" tacked on to the end without writing it on a sticky note somewhere.

    i don't recall where we heard this, but a friend and i often discuss such things as this username/password stuff.

    I recall hearing somewhere that were a physical access impossible, it's actually better to make a really obnoxious password (asd63%%^samasbfKK94n!!!@com) and just write it down on a notepad and have it next to the computer.

    It seems that a lot of people are doing this.

    I usually use genewitch, or if that is taken (usually by me and forgot the password with no way to recover) i use my name plus a zero. For passwords i have a fixed length password, that i just pad zeros on to when necessary for length (which it usually isn't... i'm dreading the day it is).

    I really like blizzard's method of username security... unless you're silly and make a character named the same as your username, there is no way for someone in game to know what your username is. Unless they have physical access or you have a trojan, you're fairly secure. Problem is, a lot of people get trojan'd and then have their username stolen, and then they just brute force the password (or use a keylogger).

    My buddy has one of those keyboards that has macro keys. He stores all of his passwords (randomly generated from some website or program or something) as macro keys, and they have a label, like "WOW", "email" and when he's asked for a password, he taps the appropriate macro key and he's set. The best part is he can change his passwords daily and never have to worry about forgetting them... talk about next-to-no-entropy. :-) (or vice versa? whichever)



  • @GeneWitch said:

    My buddy has one of those keyboards that has macro keys. He stores all of his passwords (randomly generated from some website or program or something) as macro keys, and they have a label, like "WOW", "email" and when he's asked for a password, he taps the appropriate macro key and he's set. The best part is he can change his passwords daily and never have to worry about forgetting them... talk about next-to-no-entropy. :-) (or vice versa? whichever)

    Your buddy will have a real problem when his keyboard breaks. And how about when he needs to access something from a different place? 



  • @Quincy5 said:

    @GeneWitch said:

    My buddy has one of those keyboards that has macro keys. He stores all of his passwords (randomly generated from some website or program or something) as macro keys, and they have a label, like "WOW", "email" and when he's asked for a password, he taps the appropriate macro key and he's set. The best part is he can change his passwords daily and never have to worry about forgetting them... talk about next-to-no-entropy. :-) (or vice versa? whichever)

    Your buddy will have a real problem when his keyboard breaks. And how about when he needs to access something from a different place? 

    the only time i've ever had a keyboard break is when i've thrown it. and one time, in the year 2000, i spilled a mixed drink into one... i had to take it apart and put it in the dishwasher. it never was the same, but it wasn't broken. :-)

    Besides i think the macro keys are handled through software, as opposed to hardware. i could be wrong. and i think he has an "other" macro for like normal sites with normal passwords that don't need to be too secure... like thedailywtf.com and its ilk, say.



  • A credit card site recently added some "verification" questions, with the questions being things like "What is the name of your favorite uncle" or "favorite pet" or "paternal grandfather's middle name" or "maternal grandmother's maiden name" and then REQUIRED the answers to contain at least 5 characters.

    When I pointed out to them that a length requirement is fine for a made-up answer, if my favorite uncle is named Sam (not Samuel), then what the #$%#$% am I supposed to enter?  Whatever it is, I'll forget it.  If my grandmother's maiden name was "Lee", what do I enter?

    They recommended adding zeros or ones to the end of the answer.  I told them that this was stupid.  They said they will re-think the conditions.



  • I just registered at what must be the same provider.  It took several tries.  I had to change security settings, then it said that ***-**-**** and ***-**-**** were not the same, then I didn't put a number in my username, but finally it was happy and presented this (taken from View Source):

     

     <TABLE width="618" border="0" cellpadding="0" cellspacing="0">
        <TBODY>
         <TR>
          <TD class="welcome"></TD>
         </TR>
         <TR>
          <TD class="cpage" ><BR>
          <span style="FONT-SIZE: 18pt"><strong>Congratulations!</strong></span> <p><strong>You have successfully registered.</strong></p><script>var i=15; function loadmsg() { if(i > 0){document.getElementById('localface').value=i +' seconds';i = i -1;} else{if (document.getElementById) { document.getElementById('hidepage').style.visibility = 'hidden';}else { if (document.layers) { document.hidepage.visibility = 'hidden'; } else { document.all.hidepage.style.visibility = 'hidden'; } } }} setInterval('loadmsg()',1000);</script> <style type="text/css">input.tmp { border: 0; background-color: #FFFFFF; color: #000000; }</style> <div id="hidepage" style="LEFT: 150px; POSITION: absolute; TOP: 300px"><table bordercolor="#000000" height="600" cellspacing="0" cellpadding="0" width="640" bgcolor="#000000" border="0"><tbody><tr><td valign="top" align="middle" width="100%" bgcolor="#ffffff" height="100%"><br><br><br><br><br><br><font face="Arial" color="#000000" size="5"><b>Processing<br><br>Please wait...</b></font> <input class="tmp" style="FONT-WEIGHT: bold; FONT-SIZE: 15pt; FONT-FAMILY: Arial" readonly size="7" name="localface"> <br><br></td></tr></tbody></table></div>
          <BR>
          </TD>
         </TR>
         
         <TR>
          <TD class="gray12">xxxxx76&nbsp;is your user name.</TD>
         </TR>

         <TR>
          <TD class="gray12"><BR>
          <BR>
          <strong>Please wait a moment then click continue to access your Secure Health Website.<br></strong><BR>
          <BR>
          <BR>
          </TD>
         </TR>

     

    etc.  etc.  Put up invisible text, show a countdown timer counting down for 15 seconds (to give the server time to finish the registration I guess) and then make the text visible and tell the user to "wait a moment" just to be sure.

     



  • @DWalker59 said:

    A credit card site recently added some "verification" questions, with the questions being things like "What is the name of your favorite uncle" or "favorite pet" or "paternal grandfather's middle name" or "maternal grandmother's maiden name" and then REQUIRED the answers to contain at least 5 characters.

     Ah, yes, I've encountered that one as well.  One security question somewhere asked what your first pet's name was-- mine was PJ...
     



  • @DWalker59 said:

    A credit card site recently added some "verification" questions, with the questions being things like "What is the name of your favorite uncle" or "favorite pet" or "paternal grandfather's middle name" or "maternal grandmother's maiden name" and then REQUIRED the answers to contain at least 5 characters.

    When I pointed out to them that a length requirement is fine for a made-up answer, if my favorite uncle is named Sam (not Samuel), then what the #$%#$% am I supposed to enter?  Whatever it is, I'll forget it.  If my grandmother's maiden name was "Lee", what do I enter?

    They recommended adding zeros or ones to the end of the answer.  I told them that this was stupid.  They said they will re-think the conditions.

    My bank recently changed their online system, so I had to re-create my account. The verification question can be, among other things, "mother's maiden name," "first pet," or "place of birth." Only, when I picked a question and entered my answer, I was informed: "Answer cannot contain spaces."

    I was born in Capon Springs.

    Sure, I could have entered "CaponSprings" but I'm betting a verification page would not contain a reminder that the answer to the secret question cannot have spaces in it. So I'd spend an eternity trying to understand why "Capon Springs" wasn't the right answer.

    WTF is up with that, anyway? I can't think of a single reason why the question shouldn't have spaces in it, except maybe that the processing engine is really a shell script with no quotes around the shell variables.

    Then again, I'm still trying to figure out why web applications can't accept both "123-45-6789" and "123456789" as valid Social Security numbers. Removing non-digits is one line of code, for god's sake.
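
Added example (not part of the original thread): the input handling the post above asks for, in JavaScript for Node.js. It accepts the SSN with or without separators and canonicalizes security answers so that "Capon Springs" and "CaponSprings" verify the same; the function names, the choice to drop all whitespace, and the use of scrypt for storage are assumptions of this example.

```javascript
const nodeCrypto = require('node:crypto');

// Accept "123-45-6789", "123 45 6789" or "123456789".
// Returns the nine digits, or null if the input is not a nine-digit number.
function normalizeSsn(input) {
  const digits = String(input).replace(/\D/g, '');
  return digits.length === 9 ? digits : null;
}

// Canonical form of a security answer (assumed policy): Unicode-normalize,
// remove all whitespace, lower-case. Applied at enrollment AND verification,
// so the user never has to remember how the answer was typed.
function normalizeAnswer(input) {
  return String(input).normalize('NFKC').replace(/\s+/g, '').toLowerCase();
}

// Store only a salted scrypt hash of the canonical answer, never the answer.
function enrollAnswer(answer) {
  const salt = nodeCrypto.randomBytes(16);
  const hash = nodeCrypto.scryptSync(normalizeAnswer(answer), salt, 32);
  return { salt: salt.toString('hex'), hash: hash.toString('hex') };
}

// Re-derive from the attempt and compare in constant time.
function verifyAnswer(record, attempt) {
  const salt = Buffer.from(record.salt, 'hex');
  const expected = Buffer.from(record.hash, 'hex');
  const actual = nodeCrypto.scryptSync(normalizeAnswer(attempt), salt, 32);
  return nodeCrypto.timingSafeEqual(expected, actual);
}
```

Because the answer is canonicalized and hashed before it touches storage, spaces, case and punctuation in the raw input never reach a query or a shell, so there is no reason for the form to reject them.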



  • I usually have variations of my two numerical passwords. Because my bank requires strong passwords, I converted one to H4X0R.

    Because it's so hard to type, I write it in the username field and then copypaste it to the pw field.

    Sometimes I wonder why a password field allows pasting into. My gut says that's a security risk.
     



  • Pasting into a password field is OK, but copying from it on the other hand is a risk.



  • @James Brantly said:

    I use this.

    I know it's capitalized KeePass, but I keep wanting to write it KeepAss.



  • @ender said:

    I try to use the same username everywhere, and if it's already taken, I simply add number 1 to it. For passwords, I've got 3 different, depending on importance of the site, and I enhance security with a (local) javascript that hashes my password with the site name.


    That's creepy. I do the same thing, including 3 passwords of varying complexity. In the 10 years I've been online, no one has cracked any of my accounts, but there's nothing to say it won't happen sometime. And I'm registered in hundreds of places. So thanks for the local hashing idea!
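
Added example (not part of the original thread, and not ender's script, which is not shown): one way to derive a per-site password locally from a master password and the site name, in JavaScript for Node.js. The function names, the output alphabet, the counter parameter and the use of scrypt as the hash are assumptions of this example.

```javascript
const nodeCrypto = require('node:crypto');

// Output alphabet without look-alike characters (I, O, l, 0, 1).
const ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789';

// Reduce a URL or hostname to one canonical key, so that
// "https://WWW.Example.com/login" and "example.com" give the same password.
function siteKey(site) {
  const s = String(site).trim().toLowerCase();
  const host = s.includes('://') ? new URL(s).hostname : s.split('/')[0];
  return host.replace(/^www\./, '');
}

// Derive `length` characters for one site. `counter` lets a single site's
// password be rotated without changing the master password.
function sitePassword(master, site, length = 16, counter = 1) {
  const salt = `${siteKey(site)}#${counter}`;
  // scrypt is deliberately slow: a site that learns one derived password
  // then has to pay that cost for every guess at the master password.
  const bytes = nodeCrypto.scryptSync(String(master).normalize('NFKC'), salt, length * 2);
  let out = '';
  for (let i = 0; i < length; i++) {
    // 16 bits per character keeps the modulo bias over 57 symbols negligible.
    out += ALPHABET[bytes.readUInt16BE(i * 2) % ALPHABET.length];
  }
  return out;
}
```

Every derived password is only as strong as the master password, and the output is not guaranteed to satisfy a site's composition rules such as "at least one number".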



  • @codeman38 said:

    @DWalker59 said:

    A credit card site recently added some "verification" questions, with the questions being things like "What is the name of your favorite uncle" or "favorite pet" or "paternal grandfather's middle name" or "maternal grandmother's maiden name" and then REQUIRED the answers to contain at least 5 characters.

     Ah, yes, I've encountered that one as well.  One security question somewhere asked what your first pet's name was-- mine was PJ...
     


    If a site offers verification questions, i usually choose "What is your favorite pet's name?" as the question and my answer was always similar to "ok" or "gee, thanks!" or "no". So far the sites that I've been to just require at least 1 character...

    Our company site however, lets you choose several questions from their list that you have to provide an answer to. Then if ever you forgot your password, you can either ask for a reset, or answer the questions you have chosen.





  • Meh, I just use 12345 as my password.

