Let's create DUMB PASSWORD RULES
-
We can do better.
- Passwords must include the word "Belgum".
- Passwords must not include the alphabet of the username.
- Passwords must be between 3 and 3 characters in length.
- Passwords must be a valid credit card number.
- Passwords must fit in between 2 and 7 Amazon Snowmobile 100PB trucks.
- Passwords must contain a hex representation of their own MD5 hash.
- Passwords must be approved on Steam Greenlight.
-
@ben_lubar
Can somebody ~~defend~~ explain how multiple of those companies have "must start with a letter" as a requirement? Like, what am I missing here? Are they reusing passwords as variable names? Are they sorting by password but their sorting algorithm can only work with letters?
Filed Under: Password rules are WEIRD
-
@Kuro said in Let's create DUMB PASSWORD RULES:
Are they sorting by password
1) WHY?
b)
III) Kill it with a purple crowbar
-
Password must include at least one emoji, but must be able to be typed on a regular keyboard.
Password must include emoji.
-
- Passwords must specify their charset via a valid `<meta>` tag.
- Passwords must use tabs for indentation, or otherwise include vim modelines.
- Passwords must not include the sequence `3c 45 4f 46 3e` (ie "<EOF>").
- Passwords must use proper spacing around punctuation characters.
-
Password must use Courier New.
Password must use 24-bit CIELUV colors.
Password must be submitted for ISO 39001 certification.
-
@Kuro said in Let's create DUMB PASSWORD RULES:
@ben_lubar
Can somebody ~~defend~~ explain how multiple of those companies have "must start with a letter" as a requirement?
Some programming languages have advanced string comparison functionality. In the case of passwords, they might be a security risk however. ~~Now i~~If the first character is always a letter, the comparison method is clear. So instead of having to type an extra `=` on every `==`, you just force your customers to not use the sequences with doubtful ordering. It's an easy fix compared to developer training. Since a lot of your users are going to re-use their passwords, you're also helping others faced with the same problem by establishing a safe standard.
-
You must change your password every 90 days.
-
@gleemonk said in Let's create DUMB PASSWORD RULES:
@Kuro said in Let's create DUMB PASSWORD RULES:
@ben_lubar
Can somebody ~~defend~~ explain how multiple of those companies have "must start with a letter" as a requirement?
Some programming languages have advanced string comparison functionality. In the case of passwords, they might be a security risk however. ~~Now i~~If the first character is always a letter, the comparison method is clear. So instead of having to type an extra `=` on every `==`, you just force your customers to not use the sequences with doubtful ordering. It's an easy fix compared to developer training. Since a lot of your users are going to re-use their passwords, you're also helping others faced with the same problem by establishing a safe standard.
If you are using the equals operator then you are doing it wrong anyway.
- You need salted hashing so that it becomes non-obvious that a user reused a password. This will spit out bytes which are no longer character data to run equals on.
- You need a constant-time byte-by-byte compare (i.e. you always compare all the bytes) of the hash to ensure that the attacker cannot detect how close a password guess is to the real one by seeing how quickly you bailed out of the comparison.
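The two points in the post above, salted hashing and a compare that does not bail out early, as a worked example added here (not code from the thread; the PBKDF2-HMAC-SHA256 parameters and 16-byte salt are this example's own choices):

```python
import hashlib
import hmac
import os

# Assumed parameters for this example only; the thread prescribes none.
ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt per user means two users
    with the same password end up with different stored digests, so reuse
    is not visible in the database."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def naive_equals(a, b):
    """The 'equals operator' style compare: stops at the first mismatch.
    Also returns how many bytes were inspected, which is exactly the
    information a timing measurement would leak."""
    if len(a) != len(b):
        return False, 0
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return False, i + 1
    return True, len(a)


def constant_time_equals(a, b):
    """Inspect every byte no matter where the first mismatch is.
    hmac.compare_digest is the standard library's constant-time compare."""
    return hmac.compare_digest(a, b)


def verify(password, salt, stored_digest):
    """Re-derive the digest with the stored salt, then compare in constant time."""
    _, candidate = hash_password(password, salt)
    return constant_time_equals(candidate, stored_digest)


if __name__ == "__main__":
    salt, digest = hash_password("correct horse")
    print("same password, new salt, same digest?",
          hash_password("correct horse")[1] == digest)   # False
    print("naive compare inspected bytes:",
          naive_equals(b"\x01\x02\x03\x04", b"\x01\x02\xff\x04"))  # (False, 3)
    print("verify right / wrong:",
          verify("correct horse", salt, digest), verify("wrong", salt, digest))
```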
-
Login will be completed using 2FA.
-
Please enter your password.
-
Please scan the post-it you keep under your keyboard with your password written on it. We will then use OCR to see if the passwords match.
-
Your password must contain at least one uppercase letter, a numeric character and a symbol
-
Password salt must respect the recommended maximum daily intake.
-
@Boner said in Let's create DUMB PASSWORD RULES:
Login will be completed using 2FA.
- Please enter a word that we'll call a *password*.
- Please enter a word that's > 3 chars that is your favourite color. Your favourite color cannot be red. We do not consider this another *password*, nor an extension of the previous one you entered.
Extended to 3FA...
- Please enter letters 3, 5 and 58 of your place of birth. This, too, is not a *password* or an extension of one.
-
@JBert said in Let's create DUMB PASSWORD RULES:
If you are using the equals operator then you are doing it wrong anyway.
- You need salted hashing so that it becomes non-obvious that a user reused a password. This will spit out bytes which are no longer character data to run equals on.
- You need a constant-time byte-by-byte compare (i.e. you always compare all the bytes) of the hash to ensure that the attacker cannot detect how close a password guess is to the real one by seeing how quickly you bailed out of the comparison.
That's a lot of developer training for what can easily be solved with the letter-first password rule. And conspicuous security is a thing: By having these rules people also feel more secure! Like the groping at the airport makes people feel better about flying.
-
Password must not have consecutive characters of the same character CLASS (e.g., lowercase character cannot be followed by a lowercase character, same for numerals...).
I've seen that on real production systems. Good luck coming up with a password you can remember.
-
- Your password must contain at least one transcendental number
- The password can only be set during business hours (9AM - 12PM, 13PM to 17PM UTC-10).
-
@boomzilla said in Let's create DUMB PASSWORD RULES:
You must change your password every 90 days.
The dumb standard industry practice thread is .
-
@antiquarian said in Let's create DUMB PASSWORD RULES:
@boomzilla said in Let's create DUMB PASSWORD RULES:
"You must change your password every ~~90~~77 days."
The dumb standard industry practice thread is .
Better?
-
- Password must contain an occupation followed by a numeral
-
@hungrier said in Let's create DUMB PASSWORD RULES:
- Password must contain an occupation followed by a numeral
which mustn't be Sagittarius, or the second value above zero, because this is already taken.
-
@gleemonk said in Let's create DUMB PASSWORD RULES:
@Kuro said in Let's create DUMB PASSWORD RULES:
@ben_lubar
Can somebody ~~defend~~ explain how multiple of those companies have "must start with a letter" as a requirement?
Some programming languages have advanced string comparison functionality. In the case of passwords, they might be a security risk however. ~~Now i~~If the first character is always a letter, the comparison method is clear. So instead of having to type an extra `=` on every `==`, you just force your customers to not use the sequences with doubtful ordering. It's an easy fix compared to developer training. Since a lot of your users are going to re-use their passwords, you're also helping others faced with the same problem by establishing a safe standard.
I think you're overestimating the seriousness with which passwords are handled.
The real reason is that if the password starts with a number, then Excel won't always display it correctly and the big spreadsheet with everybody's password in it will look funny.
-
@DCRoss good point, we should also ban passwords starting with a `=` for the same reason.
-
Passwords should only contain invalid surrogate pairs
-
Passwords must contain a mixture of both uppercase and lowercase numbers.
-
- Password must contain at least 3 trailing digits for use in meeting the requirement to change 3 characters every month.
-
@Zecc when I worked in the restaurant industry, we always salted the hashbrowns we used to store the passwords securely.
-
Your password can be any length you like. (but we will only check the first 12)
-
Passwords must be written in camelCase
Passwords must not contain any of the following characters: # & ( ) ; : ' " 3 7 g
Passwords must be anagrams
Passwords must be changed every 90 minutes
Passwords must comply with all applicable laws, regulations, standards, and policies
Passwords must, when translated to binary and arranged left-to-right in an 8x16 or 8x8 grid, draw the outline or silhouette of a sprite from an original NES game.
Passwords must be sized appropriately to form the closest possible approximation of the golden ratio with the size of the previous password
-
All passwords must contain 🦊
-
@Fox Passwords must, when translated to octal and arranged left-to-right in an 8x8 grid, solve the sudoku puzzle from today's Washington Post.
-
Must contain at least one instance of:
▲
▲ ▲
-
@RaceProUK Password must be a sequence of at least 50 emojis that can be interpreted as a love story. Insufficiently romantic passwords may result in a permanent account ban.
-
Must use fingerprint/retinal scan as password.
-
Please draw your passpicture.
-
- Passwords must be chosen from this list of the 10 most secure passwords as decided by a security expert.
-
- Passwords must not contain consecutive characters from the same Unicode plane.
-
Your password must contain a minimum of one upper case character, one lower case character, one numeric character, one punctuation character, and two female characters who talk to each other about something besides a man.
-
Password should contain a dick pic. People using pictures of bodily parts not their own may be banned.
-
@Arantor
*changes password to 8==========D*
crap, that starts with a number.
*changes password to B==========D*
"=" aren't special characters!??....
*changes to B==========D~~*
ruh roh, no numbers
*changes to B==========D~~0_0*
money shot. Success!
-
pwd.match(/^(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z])([a-zA-Z0-9]{8,})$/)
Filed under: Yeah, that was something I just received as the password requirements.
-
@darkmatter but that picture includes bodily parts not your own.
Also, if yours looked like that, I'd be worried...
-
@Arantor said in Let's create DUMB PASSWORD RULES:
@darkmatter but that picture includes bodily parts not your own.
Also, if yours looked like that, I'd be worried...
You mean my penis isn't supposed to have a tiny butt on top? And a bunch of gaps between the, uh, armor plating?
-
@ben_lubar said in Let's create DUMB PASSWORD RULES:
Passwords must include the word "Belgum".
And passwords may not contain user location data.
Filed under: Locking myself out
-
- Passwords may not contain lewd words. Parts of your password may be censored if you disregard this rule.
Filed under: pa**word
-
@Onyx said in Let's create DUMB PASSWORD RULES:
lewd words
No joke, we were discussing how to filter "bad words" from people's usernames not four hours ago....
I was reading a list of them out loud for consideration. Flange.
-
@Tsaukpaetra said in Let's create DUMB PASSWORD RULES:
@Onyx said in Let's create DUMB PASSWORD RULES:
lewd words
No joke, we were discussing how to filter "bad words" from people's usernames not four hours ago....
I was reading a list of them out loud for consideration. Flange.
That I kinda expect occasionally, I have run into that. It's about time to broaden our horizons and start applying it to passwords, is it not?
And emails, obviously.
-
- Your password matches someone else's; please choose a different password.
-
@PJH said in Let's create DUMB PASSWORD RULES:
- Your password matches the administrator's password; please choose a different password.
-
Password must not be "null" or "undefined".
Password must not contain a line break.
Password must not contain character `"` except when preceded by a `\` which isn't itself preceded by a `\`. Hmmm, better avoid `'` and passwords that start with `+`, `-` or `0` too; as well as passwords that start and end with `/`. Just in case. Don't make us have to revert to `passwords.json.bkp`. We don't know how old it is.
-
- Passwords must be the admission word for a secret society
- Passwords must come partway to summoning Great Cthulhu
- Passwords must be a grammatically correct palindrome
- Your password will be randomly assigned from what one of these infinite monkeys is typing
- Passwords must be the entirety of a great work of literature, with one character changed. Pasting is disabled