Bad password policy...



  • Hello...long time reader of The Daily WTF, first time poster here.

    My wife and I recently signed up with an online backup service so that we can back up our irreplaceable pictures and all that offsite, in case the worst happens.  As part of the signup, I picked a password... say it was "Password12".

     Unfortunately I couldn't get rsync to work, nor could I log into their web site to see if I might have something wrong.  I was using the rsync command given as an example on the site and had no luck.  However, the client I downloaded for my laptop worked perfectly, so I knew I had the right password.

     After messing around with it a while, I finally decided that something must have gone awry when my account was created, so I tried the online chat for help.  The guy asked me my password (okay...), and I thought about it a second and realized there was nothing in the account anyway, so I gave it to him.  Then he said, "Try Password."  This worked perfectly for both rsync and web management.

     The explanation:  "We don't support passwords longer than 8 characters."  I was so amazed I said, "This day and age and you don't allow more than 8 characters in a password?"  He said no.

    At that point I started wondering whether I'd picked the right online backup provider.  Who would design a system that has a maximum of 8 character passwords?  At work we have a minimum of 12 character passwords.

    This probably isn't on the level as many of the WTFs posted on this site, but setting such a short upper limit on password lengths deserves a kick in the teeth or something...



  • @rmarquet said:

    Who would design a system that has a maximum of 8 character passwords? 

    Usually, some who stores passwords plaintext. Get out. They will be compromised.

    @rmarquet said:

    At work we have a minimum of 12 character passwords.

    But I'm not a big fan of that either. I'm guessing some permutation of "January$2011" will be a nice guess for most accounts at your work. "Longer passwords" does not automatically mean "safer".



  • Reminds me of the system of our university. It won't accept passwords longer than 8 characters either, but it has the added bonus that it doesn't generate any error message when you set your password to something longer. Instead, it does the only sensible thing and silently truncates your password to its first 8 chars. Naturally, this has led to some good hilarity with the support desk over the years.



  • @PSWorx said:

    Reminds me of the system of our university. It won't accept passwords longer than 8 characters either, but it has the added bonus that it doesn't generate any error message when you set your password to something longer. Instead, it does the only sensible thing and silently truncates your password to its first 8 chars. Naturally, this has led to some good hilarity with the support desk over the years.

    I believe that's the same behaviour the first dude posted. I find that scary stuff... Really no other words. I mean, throwin an error because of a too long/short/exotic password indicates bad policies, but decent handling of said policy. Silently adapting a password to 'make it fit' is just weird.



  • @b-redeker said:

    @rmarquet said:

    Who would design a system that has a maximum of 8 character passwords? 

    Usually, some who stores passwords plaintext. Get out. They will be compromised.

    @rmarquet said:

    At work we have a minimum of 12 character passwords.

    But I'm not a big fan of that either. I'm guessing some permutation of "January$2011" will be a nice guess for most accounts at your work. "Longer passwords" does not automatically mean "safer".

    At one place I worked, we had a minimum 7 character password (not too unreasonable) but it must be changed every 3 months.  Top management decided that every three months was too frequent, and unilaterally mandated a minimum 14 character password to be changed every 6 months.  The justification for this practice was because 14 character passwords are "twice as secure", so the password could be used for twice as long.  Needless to say, most users’ passwords could be found on a yellow sticky note under their keyboard.  The MIS actually recommended users just make their new password their old password typed twice.  As far as I know, this policy is still in place.

    (Maybe I should submit this to the main site.)



  • @PSWorx said:

    Reminds me of the system of our university. It won't accept passwords longer than 8 characters either, but it has the added bonus that it doesn't generate any error message when you set your password to something longer. Instead, it does the only sensible thing and silently truncates your password to its first 8 chars. Naturally, this has led to some good hilarity with the support desk over the years.

    This is what AOL did / (does?).  Great minds think alike.



  • @rmarquet said:

    couldn't get rsync to work
    rsync? I though these days it was all fancy Windows apps like Dropbox. @b-redeker said:
    Get out. They will be compromised.
    Relax, I'm looking at rmarquet's data right now and there's nothing here anyone would want.



  • Not gonna name-names?



  • @HighlyPaidContractor said:

    @PSWorx said:

    Reminds me of the system of our university. It won't accept passwords longer than 8 characters either, but it has the added bonus that it doesn't generate any error message when you set your password to something longer. Instead, it does the only sensible thing and silently truncates your password to its first 8 chars. Naturally, this has led to some good hilarity with the support desk over the years.

    This is what AOL did / (does?).  Great minds think alike.

    Remember that Gawker story a few weeks ago? They were doing that too... you only needed the first 8 characters to sign in.



  • Along similar lines; I was recently sent a parcel by a company whose name relates to C6H2(NO2)3CH3. I was given a tracking code that looked like this (only not so predictable): 123456789

    Along with that tracking code, I was given two URLs (different ones in the HTML and text versions of the notification email - there's a WTF for you) that I could use to track the delivery. The URL from the HTML version showed me a 404. The URL from the text version showed me the results for shipment 12345678 - one character shorter than mine - even though I could clearly see the correct code 123456789 in the URL. When I tried putting my tracking code into the input field on their site, it showed me the details for 12345678 again. Seems that their stupid system didn't expect to be given a tracking code of more than 8 characters, so it just ignored everything after the 8th character, and showed me someone else's delivery information. Still, I can see that someone in Chester got their fashion delivery, and it was signed for by UNREADABLE.



  • @TarquinWJ said:

    C6H2(NO2)3CH3

    "an explosive consisting of a yellow crystalline compound that is a flammable toxic derivative of toluene".



  • @b-redeker said:

    "an explosive consisting of a yellow crystalline compound that is a flammable toxic derivative of toluene"
    In much the same way as C8H18 (aka. CH3(CH2)6CH3) is "any isomeric saturated hydrocarbon found in petroleum and used as a fuel and solvent". I'm pretty sure these compounds have more familiar names...



  • @b-redeker said:

    At one place I worked, we had a minimum 7 character password (not too unreasonable) but it must be changed every 3 months.

    I think this is the default policy for Windows domains, you'll find a lot of places like this. I've never really found a decent policy that works. No matter what you do, people will use stickies or just rotate through passwords or do incremental passwords. And the worst offenders are always the people that should have secure passwords like management and HR/finance people.



  • @b-redeker said:

    @rmarquet said:

    Who would design a system that has a maximum of 8 character passwords? 

    Usually, some who stores passwords plaintext. Get out. They will be compromised.

    It's more likely they're using crypt(3) instead of properly salting and hashing the password.



  • @rmarquet said:

    Who would design a system that has a maximum of 8 character passwords?  At work we have a minimum of 12 character passwords.

    If this makes you cringe, don't ever use American Express' web accounts. They make you use a case-insensitive alphanumeric password (no special characters!) between 6 and 8 characters.



  • @Heron said:

    @rmarquet said:
    Who would design a system that has a maximum of 8 character passwords?  At work we have a minimum of 12 character passwords.

    If this makes you cringe, don't ever use American Express' web accounts. They make you use a case-insensitive alphanumeric password (no special characters!) between 6 and 8 characters.

    Oh no. They're storing the passwords in plaintext on a mainframe. I know it. Oh God.



  •  @PSWorx said:

    Reminds me of the system of our university. It won't accept passwords longer than 8 characters either, but it has the added bonus that it doesn't generate any error message when you set your password to something longer. Instead, it does the only sensible thing and silently truncates your password to its first 8 chars. Naturally, this has led to some good hilarity with the support desk over the years.

     As someone else guessed, that's exactly what it did.  Their standalone application must automatically truncate to the 8 characters, but of course the rsync login and web login don't.  Not that they couldn't, of course, and no one would be the wiser (which makes me wonder how many other sites do it this way).

     @DOA said:

    @rmarquet said:

    couldn't get rsync
    to work
    rsync? I though these days it was all fancy Windows apps
    like Dropbox.

    I was specifically looking for an rsync-enabled host so I could automate backups from my home server (running Linux).  :)

    @b-redeker said:
    Get out. They will be
    compromised.
    Relax, I'm looking at rmarquet's data right now and
    there's nothing here anyone would want.

    Thanks for the laugh!  :)  It's true though.  It's just pictures and perhaps some other stuff - it's not really anything someone else would want (oh, look, there they are in Chicago... there they are getting married... there's a picture of the cat being really cute...).  I'm sure we'll come up with other stuff along the way (checkbook file backup comes to mind), but really it's for the pictures.

     Of course someone with the password could delete said pictures.  So it's not like it doesn't matter at all.

     The company is iBackup.com.  I looked at reviews (I know, reviews on the internet...), and some of them date back to 2004, so it's not like they just appeared overnight.   Some of the reviews I came across were from websites/magazines (PCMag.com comes to mind), as opposed to just someone logging into a ratings site and shilling.  I realize those aren't necessarily unbiased either, but I give them a bit more weight than just some random user posting on a review site.

     My other idea was to work out an agreement with my brother or my father-in-law (both computer people) and have each of us build a NAS that could backup the other's data.  Somewhat more expensive up front, and it'd require occasional drive upgrades and all that, but on the other hand, it's sitting with someone I trust. I still think this is a good idea.  It doesn't have to have perfect connectivity.  They each live about 2 hours' drive away, so in event of emergency it would be easy to physically go get the data instead of trying to pull it back over the net.



  • @rmarquet said:

    Who would design a system that has a maximum of 8 character passwords? 

     

    HP-UX , it has a limit of 8 character to password, silently ignore remaining. Not really a problem to user, he never knows the last 6 character with special letters behind his 14 letters password are ignored, he feels secure....

    Added bonus: passwords hashed with a DES algorithm :)



  • @rmarquet said:

    My other idea was to work out an agreement with my brother or my father-in-law (both computer people) and have each of us build a NAS that could backup the other's data.  Somewhat more expensive up front, and it'd require occasional drive upgrades and all that, but on the other hand, it's sitting with someone I trust. I still think this is a good idea.  It doesn't have to have perfect connectivity.  They each live about 2 hours' drive away, so in event of emergency it would be easy to physically go get the data instead of trying to pull it back over the net.

     

     

    2 Solid USB key + vault in the basement. Minimum investment, minimum risks. Only usefull for backups you don't write often (eg: when you are done with a client, you backup all it's data because you must still legally keep them for whatever reason during 10 years)



  • @error_NoError said:

    @b-redeker said:
    At one place I worked, we had a minimum 7 character password (not too unreasonable) but it must be changed every 3 months.

    I think this is the default policy for Windows domains, you'll find a lot of places like this. I've never really found a decent policy that works. No matter what you do, people will use stickies or just rotate through passwords or do incremental passwords. And the worst offenders are always the people that should have secure passwords like management and HR/finance people.

    My place does this too. During orientation we had an HR person give a presentation about information security (you can imagine how hilarious/sad that presentation was). We were told that 3 months was chosen because it's "the amount of time it takes a hacker to figure out a password" of the standard windows domain required complexity.



  • (dropbox has a linux client, just so you know)



  • @Daid said:

    (dropbox has a linux client, just so you know)

    Thanks. I wasn't really familiar with Dropbox at all. It looks like it would do the job just fine (albeit possibly requiring extra software installed). I wanted to use rsync because I'm familiar with it and knew I could script it to do exactly what I wanted, without having to install extra software, so I can do regular backups automatically. I knew I didn't want a GUI that I couldn't script at all, but it looks like Dropbox offers a command line option.

    After spending a day and a half copying 30 GB of pictures over, I'm going to stick with iBackup for now...I've set a password consisting of completely random characters. :)



  • @HighlyPaidContractor said:

    @PSWorx said:
    Reminds me of the system of our university. It won't accept passwords longer than 8 characters either, but it has the added bonus that it doesn't generate any error message when you set your password to something longer. Instead, it does the only sensible thing and silently truncates your password to its first 8 chars. Naturally, this has led to some good hilarity with the support desk over the years.

    This is what AOL did / (does?).  Great minds think alike.

    And Amazon, too. (Still does, just checked. At least the German version.)



  • @error_NoError said:

    I've never really found a decent policy that works.
    Reminded me of this (from notalwaysright.com) :

    Customer: “I’m having issues with my Outlook.”

    Me: “Show me the problem you’re having so I can see if I can fix it for you.”

    (She
    has six passwords each over twenty characters long, Bios password,
    Windows password, Zone Alarm Password, Outlook Password, etc…

    Me: “You don’t need to have your passwords that long for security’s sake.”

    Customer: “I read on the internet that sniffers give up if the password is too long.”

    Me: “I’m happy you did your research, but you don’t have to have it longer then 15 characters long.”

    Customer:
    “Well I’m afraid if someone steals my laptop, the programs that can
    recover passwords can’t detect past twenty letters.”

    Me: “That’s
    true, but no one really does that anymore. In this business we have
    customers coming in all the time to have us remove the password for them
    because they forgot it. For instance, I can get into your laptop in
    less then 2 – 3 minutes without your help.”

    Customer: “No way. I’ve made precautions.”

    Me:
    “I will be more then happy to show you that I can. But I would have to
    charge you a half hour fee and you would have to sign the work order
    giving me permission to.”

    Customer: “And if you can’t? ”

    Me: “Then I will be more then happy to refund you the money and you would have won this war.”

    (Customer then pays the fee and signs the work order.)

    Me: “Give me a moment.”

    (A minute later.)

    Me: “Here you go, I’m logged in to your Outlook.”

    Customer: “Oh my God! How did you do that?”

    Me: “If your really worried about someone stealing your laptop, you shouldn’t have laminated your passwords to the laptop.”



  • @derula said:

    And Amazon, too. (Still does, just checked. At least the German version.)

    Wow. That's kind of disturbing. I'll bring this to the attention of our security team.



  • @tchize said:

    2 Solid USB key + vault in the basement. Minimum investment, minimum risks. Only usefull for backups you don't write often (eg: when you are done with a client, you backup all it's data because you must still legally keep them for whatever reason during 10 years)

    No basement in my house. :) So I don't really feel comfortable that anywhere in the house is safe from a fire.



  • @rmarquet said:

    @tchize said:

    2 Solid USB key + vault in the basement. Minimum investment, minimum risks. Only usefull for backups you don't write often (eg: when you are done with a client, you backup all it's data because you must still legally keep them for whatever reason during 10 years)

    No basement in my house. :) So I don't really feel comfortable that anywhere in the house is safe from a fire.

    Toilet tank.




  • My favourite Australian government department, Centrelink, insists upon passwords being a maximum of eight characters.

    What a great way to safeguard a lot of my personal information... postal address, phone numbers, income details, the ability to report my income... all there, guarded by eight characters.

    I guess their saving grace is that they insist that you throw a number and a capital letter in there as well.





    Also, for those who are puzzling overC6H2(NO2)3CH3, it's Trinitrotoluene.



  • @Douglasac said:

    My favourite Australian government department, Centrelink, insists upon passwords being a maximum of eight characters.

    What a great way to safeguard a lot of my personal information...

    Better than clipping the password after the eights character transparently without even telling the user.



  • @rmarquet said:

    @tchize said:

    2 Solid USB key + vault in the basement. Minimum investment, minimum risks. Only usefull for backups you don't write often (eg: when you are done with a client, you backup all it's data because you must still legally keep them for whatever reason during 10 years)

    No basement in my house. :) So I don't really feel comfortable that anywhere in the house is safe from a fire.

    Fireproof safe.



  • @Douglasac said:

    My favourite Australian government department, Centrelink
     

    Back when I was at uni and getting Youth Allowance and then New Start (c. 2004-2005) they'd send me a letter every fortnight and tell me that I could report income online - but then every attempt told me I had to go into the office. Then the following fortnight I'd get another letter to report online again. Fail.



  • @Zemm said:

    @Douglasac said:

    My favourite Australian government department, Centrelink
     

    Back when I was at uni and getting Youth Allowance and then New Start (c. 2004-2005) they'd send me a letter every fortnight and tell me that I could report income online - but then every attempt told me I had to go into the office. Then the following fortnight I'd get another letter to report online again. Fail.

    Do Australians really use "fortnight" regularly?



  • @Heron said:

    @derula said:
    And Amazon, too. (Still does, just checked. At least the German version.)

    Wow. That's kind of disturbing. I'll bring this to the attention of our security team.

    If you go into your account settings and reset your password (even to the same password), it won't happen anymore. (Apparently the issue was fixed at some point, but only for passwords that were created or reset after the fix was deployed. For obvious reasons I can't go in to more detail.)



  • @Douglasac said:


    My favourite Australian government department, Centrelink, insists upon passwords being a maximum of eight characters.

    What a great way to safeguard a lot of my personal information... postal address, phone numbers, income details, the ability to report my income... all there, guarded by eight characters.

    I recently had to take some unemployment while looking for a job. The State of Minnesota Unemployment office has, as the login, your social security number and a 6 character max, case-insensitive password. Risk here is that someone signs into my unemployment account and reports that I was working, thus turning off the unemployment account and leaving me with no unemployment check.



  • @Quietust said:

    @b-redeker said:

    @rmarquet said:

    Who would design a system that has a maximum of 8 character passwords? 

    Usually, some who stores passwords plaintext. Get out. They will be compromised.

    It's more likely they're using crypt(3) instead of properly salting and hashing the password.

     

    crypt(3) is smarter on some systems than on others.  For example, current versions of the GNU userland (for Linux, etc...) use [url=http://www.akkadia.org/drepper/sha-crypt.html]SHA-256 or SHA-512[/url] for crypt(3) (by default, iirc).  You can tell if these were used because the password hashes in /etc/shadow will start with $5$ or $6$ respectively.  If you're root that is and can read /etc/shadow.



  • @Heron said:

    @Heron said:
    @derula said:
    And Amazon, too. (Still does, just checked. At least the German version.)

    Wow. That's kind of disturbing. I'll bring this to the attention of our security team.

    If you go into your account settings and reset your password (even to the same password), it won't happen anymore. (Apparently the issue was fixed at some point, but only for passwords that were created or reset after the fix was deployed. For obvious reasons I can't go in to more detail.)

     

    When was this fix implemented? Just wondering if I should bother, since I changed my Amazon password just a few weeks ago.



  • @Someone You Know said:

    When was this fix implemented? Just wondering if I should bother, since I changed my Amazon password just a few weeks ago.

    The fix was implemented several years ago. (That means anyone who has this issue hasn't changed their password for at least that long... ;)



  • @HighlyPaidContractor said:

    Do Australians really use "fortnight" regularly?

     

    Why the bloody hell not?



  • @Zemm said:

    @HighlyPaidContractor said:

    Do Australians really use "fortnight" regularly?

     

    Why the bloody hell not?

     

    VMS, or some other old operating system I can't remember at the moment, had some system configuration parameters for timeouts measured in microfortnights.



  • @Someone You Know said:

    VMS, or some other old operating system I can't remember at the moment, had some system configuration parameters for timeouts measured in microfortnights.
     

    What kind of fucked interval is ~1200 seconds?



  • @dhromed said:

    @Someone You Know said:

    VMS, or some other old operating system I can't remember at the moment, had some system configuration parameters for timeouts measured in microfortnights.
     

    What kind of fucked interval is ~1200 seconds?

    ~1200 seconds is 1000 microfortnights (or one millifortnight). A microfortnight is ~1.2 seconds, and ISTR was chosen because it would stop users complaining when they specified things in seconds and the result ended up being slightly out.



  • I mistook micro for mili.

    My bad. Continue.



  • @dhromed said:

    I mistook micro for mili.

    My bad. Continue.

    It's still a total WTF and possibly the dumbest unit of measurement evar.



  • @b-redeker said:

    @dhromed said:

    I mistook micro for mili.

    My bad. Continue.

    It's still a total WTF and possibly the dumbest unit of measurement evar.

    No dumber that mils (0.001 inch), which are commonly used in US machine shops.  Clearly a more sane unit would be 1024ths of an inch.

     



  • @frits said:

    @b-redeker said:

    @dhromed said:

    I mistook micro for mili.

    My bad. Continue.

    It's still a total WTF and possibly the dumbest unit of measurement evar.

    No dumber that mils (0.001 inch), which are commonly used in US machine shops.  Clearly a more sane unit would be 1024ths of an inch.

     

    Remember when computers measured time in Ticks (1/60th of a second)? What's this millisecond crap! I want my Ticks back!



  • @Heron said:

    @Someone You Know said:
    When was this fix implemented? Just wondering if I should bother, since I changed my Amazon password just a few weeks ago.

    The fix was implemented several years ago. (That means anyone who has this issue hasn't changed their password for at least that long... ;)

    Alright

    goes change his password to the same one he had before to make sure it's safer... wait...

    goes change the password to something else >.<



  • @blakeyrat said:

    Remember when computers measured time in Ticks (1/60th of a second)? What's this millisecond crap! I want my Ticks back!



  • @HighlyPaidContractor said:

    Do Australians really use "fortnight" regularly?

    Yes, regularly. But only once a fortnight.

    (Now I've done my quota with the f-word for the next two weeks.)



  • @blakeyrat said:

    @frits said:

    @b-redeker said:

    @dhromed said:

    I mistook micro for mili.

    My bad. Continue.

    It's still a total WTF and possibly the dumbest unit of measurement evar.

    No dumber that mils (0.001 inch), which are commonly used in US machine shops.  Clearly a more sane unit would be 1024ths of an inch.

     

    Remember when computers measured time in Ticks (1/60th of a second)? What's this millisecond crap! I want my Ticks back!

    Those were originally known as "jiffies" back in the old 8-bit days.



  • @Douglasac said:


    Also, for those who are puzzling overC6H2(NO2)3CH3, it's Trinitrotoluene.

    2nd hit on google for C6H2(NO2)3CH3 links you to the Wikipedia page of Trinitrotoluene. Even Bing managed to find some slitghly hintfull pages for that term (although it's results are a LOT crappier then google's results....)
    If you are puzzling to find out what C6H2(NO2)3CH3 is, you have failed your online tests and should´t be posting here anyways .. ;)


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.