6 character passwords and security



  • I recently applied to a certain university for their Software Engineering program. They create an account for you to remember where you are in filling out your application and, later on, to login to the system. I forgot to read their instructions on how to choose a password, so I picked one around 12 characters, with letters, numbers, and a special character or two, which I do most of the time. I am then hit by a screen telling me the password is invalid, to pick another one. I then go on to read the guidelines:



    Supposed to be an image


    In case the image doesn't work, it says that the password MUST be 6 characters. Then it rambles on about security and how you have to choose a password that isn't easily identifiable which contains numbers and letters. Good luck doing that with 6 characters, unless their password hashing is incredibly slow (if they even do that), password security with 6 characters is a bit impractical from what I've seen.



  •  Well, we have all seen and talked about password limits being a bit of a WTF... but in this case, they are calling it a PIN. So without more context, I am not sure I would toss this under the stupid password requirements area, since the PIN might be used for something else in some system they use that may have this limitation/requirement.That is my only reservation. Of course, they call it a PIN (and a PIN number) and yet it can contain an alphanumeric... so that is a bit of a WTF.

     

    TRWTF I see is they call it a 'PIN number', but I digress.



  • They give you a random ID as username (which you copy/paste from the email they send you because remembering it is a pain), and then ask you to choose a PIN, which serves no other function whatsoever than a password (it's not like a bank PIN at all, banks often use it to confirm transactions and stuff, but the university only asks it once to log in).




    If you accept an offer of admission, then you can login using the email address given by the university and an 8-character password, which is a bit better, but it's still limited.



    Also, a PIN is just a numeric password as far as I know.



  • wow... my school still one ups that in a way...



    When you get enrolled in the municipal education program (from the lower grades through college and any other education) they give you a login to this huge novell network that is available from all the municipal buildings. You get a 15MB "personal folder" and your login username and password are both set by and admin and you're NEVER allowed to change them, you can request 150MB space if you are enrolled in any IT related classes.



    The username is the first 6 digits in your SSN !? plus your first two initials in lower case.

    Great choice! Now no one will be able to figure it out!



    The password is worse, always 4 lowercase letters followed by two numericals.

    They assign a class with the same letters but different numbers, so they don't have the same...



    So to figure out a classmates login, you look at the class list of names, that lists your date of birth, which is the first 6 digits in your SSN And the full name of each student.
    Then you just go enter fake34, fake 35, fake36.. an so on based on your own password.

    If you also happen to have a class list printed in the same order as the admin had you can see how many numbers away the classmate is in the range.



    Really hard to get into that system...



    These IT techs are full of otherworldly WTFs. Their latest feat is installing Open Office.org on some of the computers instead of the far too expensive microsoft office (that they already own licences for)



  • @MasterPlanSoftware said:

    That is my only reservation. Of course, they call it a PIN (and a PIN number) and yet it can contain an alphanumeric... so that is a bit of a WTF.
     

    You mean you don't do your math with base 36 numbers?



  • @vt_mruhlin said:

    You mean you don't do your math with base 36 numbers?
     

    Bruce Schneier does, with his fists...



  •  Kind of reminds me of my bank: The login to the online service uses a 5-character "PIN" that may contain any character you can enter in the field. This is "secured" by locking out the account for 24 hours after entering a wrong pin 3 times. Good thing you also get a numbered list of transaction numbers and get told to enter one of them (by number) in order to transfer money somewhere.



  • @tamm said:

    So to figure out a classmates login, you look at the class list of names, that lists your date of birth, which is the first 6 digits in your SSN And the full name of each student.
     

    Which country has DOB as part of SSN?  Isn't that already a bit of a security WTF?

     



  • @cconroy said:

    @tamm said:

    So to figure out a classmates login, you look at the class list of names, that lists your date of birth, which is the first 6 digits in your SSN And the full name of each student.
     

    Which country has DOB as part of SSN?  Isn't that already a bit of a security WTF?

     

    Beat me to the punch on that one.



  • I suppose it's possible that Social Security Numbers are hashed from name and birth date and some other info, but in the US (the only country that calls it 'SSN' AFAIK) this is not the case.

    My brother and I share the same five digits of our SSNs, for example, and we were born 18 months apart, in different states.



  • @Rootbeer said:

    My brother and I share the same five digits of our SSNs, for example, and we were born 18 months apart, in different states.
     

    The first five digits are based on the location of where the SSN was obtained, not where you were born. This is why you have the same digits.



  • Where I work at University of Miami you get a username of no defined length, up to you to pick, and your password's limit is 255 characters. One uppercase, one lowercase, one number, at least 6 characters are the requirements. So if you want your password to be J28fj#2jso#1p38@pdjV38*92jD¢@#jfsi¥Å you could have that. I'm amazed more schools don't have systems like this in place. We run all of our authentication off of an Active Directory, and all of our apps communicate with it via LDAP calls, direct AD calls, or CAS. So far that I've seen the only other school that's sane about IT stuff is UW Madison. Not to say they're the only school that does things right; I haven't seen many school systems other than UW's and our own. I know Stevens Tech's system is a total WTF.

    SSNs aren't used anywhere at UM. We assign a 9 character arbitrary ID that is non sequential for the most part. As far as I know it's essentially CYYXXXXXX where YY is two digit year, and X are random digits. C is quite literally the character C, standing for Canes. (Woo Miami Hurricanes) I may be wrong about the first two digits being the year, but I've seen about 2000 or more of these IDs and they all start with stuff like C00 - C08. I've only seen 08s show up this year, and last year 07s showed up, so I'm assuming it's year. 2000 is when we migrated from SSNs to that system, so it makes sense for the older people to start with C00.

    The worst you could do with my number is use the $1.84 balance I have on my account for vending machines. You could also give me free money. :p



  • No one should be using SSN as IDs anymore. But I like the first five digits ... all you need to go with it is a list of the last 4 digits which is also a typical "PIN"

    Although I knew a guy that had his identity "borrowed" apparently by an illegal immigrant. What effect did this have on his credit rating? It went [i]way up[/i] ... the thief was apparently pretty responsible, had a steady job, didn't actually use the ID to obtain much credit just basic services. But he did make my friend seem much wealthier by adding a decent income on top of his own. Of course the IRS was a problem ...



  • @medialint said:

    Although I knew a guy that had his identity "borrowed" apparently by an illegal immigrant. What effect did this have on his credit rating? It went way up ... the thief was apparently pretty responsible, had a steady job, didn't actually use the ID to obtain much credit just basic services. But he did make my friend seem much wealthier by adding a decent income on top of his own. Of course the IRS was a problem ...

    This is actually pretty common.  Illegal immigrants are usually considered a better credit risk because they are so afraid of being deported they always pay their bills on time. 



  • @cconroy said:

    Which country has DOB as part of SSN?

    Everyone in Sweden who is registered with the population census authority or has a tax card is given a ten-digit civic registration number. The first six digits are the year, month and day of birth, the following three are the birth number and the last is a control number: YYMMDD-BBBC

    The civic registration number is not secret and it is used almost daily.

    There are similar systems in Denmark, Norway and Finland.



  • @Druid said:

    YYMMDD-BBBC
     

    I wonder if anyone's done the math to see what size of group you need to apply the birthday paradox to this... what size of group is required for 50/50 odds of exceeding 999 people having the same birthday.



  • @MarcB said:

    @Druid said:

    YYMMDD-BBBC
     

    I wonder if anyone's done the math to see what size of group you need to apply the birthday paradox to this... what size of group is required for 50/50 odds of exceeding 999 people having the same birthday.

     

    You should ask Welbog. I hear he is a mathematician who is very confused on this concept.



  • @MarcB said:

    @Druid said:

    YYMMDD-BBBC
     

    I wonder if anyone's done the math to see what size of group you need to apply the birthday paradox to this... what size of group is required for 50/50 odds of exceeding 999 people having the same birthday.

     

     

    Here are some more facts that limit it even more:
    * The BBB number is odd for men and even for women.
    * Civic registration numbers can’t be reused.

    With all these limitations the system can handle 36 250 000 people. For a country with a population of about 9 000 000, with 100 000 born each year (273 per day) it is enough.

    The system was introduced 1947.
     



  • @Druid said:

    With all these limitations the system can handle 36 250 000 people
     

    Yes, but that still leaves a surprisingly large chance that there will be more than 999 people alive who share the same birth date. All you need is a good storm with prolonged power outage to boost the birth rate 9 months later.

    And then there's lifespan increases to consider as well: that 2 digit year isnt' "Y2k" compliant. 



  • @MarcB said:

    All you need is a good storm with prolonged power outage to boost the birth rate 9 months later.
     

     

     

    We have had
    a few big storms, the last one was in January 2005 where 100 000 was
    without power for a week, 25 000 for two weeks. And here are how many
    people that was born: 2007:107 421, 2006:105 913, 2005:101 346, 2004:100 928, 2003:99
    157, 2002:95 815.<o:p></o:p>

    There is however a problem with January 1 and July 1 for some years between 1950 to 1960. This is because immigrants without proper documentation was given these dates.<o:p></o:p>



  • @Druid said:

    @cconroy said:

    Which country has DOB as part of SSN?

    Everyone in Sweden who is registered with the population census authority or has a tax card is given a ten-digit civic registration number. The first six digits are the year, month and day of birth, the following three are the birth number and the last is a control number: YYMMDD-BBBC

    The civic registration number is not secret and it is used almost daily.

    There are similar systems in Denmark, Norway and Finland.

    Heh. Mexico's RFC and the "unique population registry code" CURP use YYMMDD notation for part of the code. Of course, it also includes lots of other information, so collisions are rare; it includes both surnames, first name, and in CURP it also adds up gender and birth state.


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.