Ridiculous password rules


16 replies to this topic

#1 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 15540 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 03 February 2013 - 04:58 PM

Recently one of my e-mail accounts had a hiccup.

 

Seemingly the good guys (offering the account for free :thumbsup:) implemented a new password policy and (either because they made some BIG mess or because I did not promptly - or promptly enough - change the password/access the account) the result was that all stored e-mails were deleted.

 

No actual damage was done, as I had a copy of the "important" things and all that was lost was just the list of contacts (which I have mostly anyway).

 

But the actual new rules for the new password did make me a little bit perplexed:

 

 

 

Must be at least 8 characters long.
Must contain at least one uppercase letter.
Must contain at least one lowercase letter.
Must contain at least one numeric character.
Must contain at least one special character.

Those might represent some good advice, and I would accept those as guidelines, but since it is my account, I would have preferred (since it stores nothing for which I have to worry, for privacy or other reasons) to have a plainer password, insecure as it might be, and having THEM prevent brute force attacks, NO MATTER the complexity of the password.

 

I looked a bit around, and it looks like I am not the only one in the world thinking along these lines.

 

I find both these articles to be worth reading (and representing some matter for thought) :thumbup:

http://blogs.securit...p/archives/1068

http://blogs.securit...p/archives/1906

 

:cheers:

Wonko



#2 Brito

Brito

    Platinum Member

  • .script developer
  • 10566 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted 03 February 2013 - 05:14 PM

What was the email provider? (If for some reason you don't wish to share this detail, then please disregard the question).

 

I've had the same experience with my banking account. The site made the new login system so difficult that I need a special link, a grid with entry numbers printed on paper, and to manually type a lot of things just to get into my bank account.

 

Another banking site (US), asks me a question from a list of personal questions and I need to answer correctly. They ask for a list with five questions, in one of them I wasn't so sure about the answer and so failed the login procedure since it does not show me another question for some odd reason. Had to call the bank to unblock the site access and allow other questions to appear on the login page.



#3 panreyes

panreyes

    Member

  • Members
  • 56 posts
  •  
    Spain

Posted 03 February 2013 - 05:19 PM

Many websites store their passwords as a simple MD5 of that password. Because of that, it is always recommended to get a good password, so the google search of its MD5 won't retrieve the original password.

 

Anyway, password hashes should be done with a pattern or including the user at least in the hashing variable.
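The two storage schemes the post above contrasts, as an added example that is not part of the original thread: a bare MD5 over the password (the digest is the same on every site, so it can be looked up instead of cracked) beside a per-record random salt with a deliberately slow key derivation. The salted scheme, the iteration count and the record layout are assumptions for illustration, not the provider's code; PBKDF2-HMAC-SHA256 is used because it ships in the Python standard library.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: the unsalted MD5 of a very common password. Every site
# that stores MD5("password") stores these same 32 hex characters, which is
# why a search for the digest returns the plaintext.
COMMON_PASSWORD = "password"
KNOWN_MD5 = "5f4dcc3b5aa765d61d8327deb882cf99"


def unsalted_md5(password: str) -> str:
    """The weak scheme the post describes: one MD5 over the password alone."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Hypothetical hardened scheme (an assumption, not the provider's): a random
# 16-byte salt per stored record plus PBKDF2-HMAC-SHA256 with many iterations.
# Two users with the same password get different hashes, precomputed tables
# are useless, and every guess costs the attacker ITERATIONS hash operations.
ITERATIONS = 200_000


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Return what would be stored for this password: salt, cost, and hash."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the hash with the stored salt and cost, compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, record["iterations"]
    )
    # constant-time comparison so response timing does not leak matching prefix length
    return hmac.compare_digest(digest.hex(), record["hash"])


def same_password_same_hash(scheme, password: str) -> bool:
    """True if storing the same password twice yields an identical stored hash."""
    return scheme(password) == scheme(password)


if __name__ == "__main__":
    print("md5 :", unsalted_md5(COMMON_PASSWORD))
    rec_a = make_record(COMMON_PASSWORD)
    rec_b = make_record(COMMON_PASSWORD)
    print("salted A:", rec_a["hash"])
    print("salted B:", rec_b["hash"])
    print("verify ok:", verify(rec_a, COMMON_PASSWORD), "wrong:", verify(rec_a, "Password"))
```

Running it shows the MD5 line is identical every time (and matches the well-known digest), while the two salted records differ even though both hold the same password.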



#4 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 15540 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 03 February 2013 - 06:08 PM

Quote
What was the email provider? (If for some reason you don't wish to share this detail, then please disregard the question).

 

Domain or provider?

@techemail.com, managed by everyone.net

 

panreyes,

sorry to say so :(, but you are completely missing the point.

If there is enough protection about:

  • multiple connections (to same account)
  • multiple connections (from same originating IP to different accounts on same domain)
  • repeated login attempts within a given timeframe

the complexity of passwords becomes completely and utterly irrelevant, and a plain 6-character password, all small letters, no numbers, no special characters, suddenly becomes more than enough.

 

Just for the record, the previous password was 13 characters long, did include numbers and was all small letters, thus achieving a level of entropy comparable with the required 8 characters with at least one special character, at least one number and at least one capital required by the new policy, see:

http://en.wikipedia....andom_passwords

the real issue being that no human-generated password will ever be "random" (and just for the record, the old password did NOT contain letter e nor the number 5, though I like pressing the 5 key ;))

 

:cheers:

Wonko
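The three server-side protections listed in the post above, plus the entropy comparison between the old and new password, worked through as an added example that is not part of the original thread. The limits (5 failures per account per hour, 20 per source IP per hour, sliding window), the account names, the IP address and the passwords are all constructed for illustration; they are not the provider's actual settings. The last two functions go slightly beyond the post: they compute how long an online attacker limited by such a throttle needs to exhaust a given password space.

```python
import math
from collections import defaultdict, deque

# Constructed throttle policy (assumptions, not the provider's real limits).
MAX_PER_ACCOUNT = 5     # failed attempts per account within the window
MAX_PER_IP = 20         # failed attempts from one source IP, across all accounts
WINDOW_SECONDS = 3600   # sliding window length


class LoginThrottle:
    """Tracks failed logins per account and per source IP in a sliding window."""

    def __init__(self, max_per_account=MAX_PER_ACCOUNT, max_per_ip=MAX_PER_IP,
                 window=WINDOW_SECONDS):
        self.max_per_account = max_per_account
        self.max_per_ip = max_per_ip
        self.window = window
        self.by_account = defaultdict(deque)   # account -> failure timestamps
        self.by_ip = defaultdict(deque)        # source IP -> failure timestamps

    def _prune(self, dq, now):
        """Drop timestamps that have aged out of the window."""
        while dq and now - dq[0] >= self.window:
            dq.popleft()

    def allowed(self, account, ip, now):
        self._prune(self.by_account[account], now)
        self._prune(self.by_ip[ip], now)
        return (len(self.by_account[account]) < self.max_per_account
                and len(self.by_ip[ip]) < self.max_per_ip)

    def record_failure(self, account, ip, now):
        self.by_account[account].append(now)
        self.by_ip[ip].append(now)


def attempt_login(throttle, store, account, ip, password, now):
    """Return 'ok', 'denied' (wrong password) or 'throttled'.

    The throttle is consulted before the password is checked, and the
    'throttled' answer is the same whether or not the account exists, so the
    attacker learns nothing about the password from a refused attempt.
    """
    if not throttle.allowed(account, ip, now):
        return "throttled"
    if store.get(account) == password:
        return "ok"
    throttle.record_failure(account, ip, now)
    return "denied"


def simulate_one_account(n_attempts):
    """Attacker fires n_attempts guesses at one account from one IP in n seconds;
    returns how many guesses were actually checked against the password."""
    throttle = LoginThrottle()
    store = {"wonko": "sixchr"}   # constructed: a plain 6-letter password
    checked = 0
    for i in range(n_attempts):
        if attempt_login(throttle, store, "wonko", "203.0.113.7", f"g{i}", float(i)) == "denied":
            checked += 1
    return checked


def simulate_spray(n_accounts):
    """Attacker tries one common guess against each of n_accounts from one IP;
    returns how many guesses got past the per-IP limit."""
    throttle = LoginThrottle()
    store = {f"user{i}": "secret" for i in range(n_accounts)}
    checked = 0
    for i in range(n_accounts):
        if attempt_login(throttle, store, f"user{i}", "203.0.113.7", "123456", float(i)) == "denied":
            checked += 1
    return checked


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password of this length over this alphabet."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length, alphabet_size, guesses_per_hour):
    """Worst-case time for an online attacker allowed guesses_per_hour guesses."""
    return alphabet_size ** length / guesses_per_hour / (24 * 365)


if __name__ == "__main__":
    print("single account, 100 tries, checked:", simulate_one_account(100))
    print("50-account spray from one IP, checked:", simulate_spray(50))
    print("13 x [a-z0-9]  bits:", round(entropy_bits(13, 36), 1))
    print(" 8 x printable bits:", round(entropy_bits(8, 95), 1))
    print("6 lowercase letters at 5 guesses/hour: %.0f years" % years_to_exhaust(6, 26, 5))
```

With these limits a single-account attacker gets 5 checked guesses per hour, so even the 6-lowercase-letter space (26^6, about 309 million) takes on the order of seven thousand years to exhaust; a spray from one IP across many accounts is cut off at the per-IP limit. None of this depends on the password containing a capital or a special character.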



#5 MedEvil

MedEvil

    Platinum Member

  • .script developer
  • 7771 posts

Posted 03 February 2013 - 07:30 PM

Wonko you miss the point.
The password change has nothing to do with security or the company wanting to protect your privacy or whatever garbage they were feeding you.

This is about liability and nothing else.
If some judge or politician, who has no clue about IT security, says the min security standard should be XXX, then every business trying to cover its own .... will implement it.

We have here in Germany a long history of proposed IT laws, which were proven to be pointless and even idiotic by IT professionals, still every single one got ratified.

When politicians and lawyers speak, intellect has to yield!

That's why only in Germany are credit cards 100% secure.


:cheers:
  • Brito and homes32 like this

#6 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 15540 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 03 February 2013 - 07:42 PM

Quote
Wonko you miss the point.
The password change has nothing to do with security or the company wanting to protect your privacy or whatever garbage they were feeding you.

This is about liability and nothing else.
 

Yep, I know, as a matter of fact I got it so much that I raised the issue ;).

 

:cheers:
Wonko



#7 homes32

homes32

    Gold Member

  • .script developer
  • 1030 posts
  • Location:Minnesota
  •  
    United States

Posted 28 February 2013 - 04:36 PM

As I work in IT for a financial institution I can say that the password requirements/complexity/2-factor authentication aren't just there for fun. In the US we are heavily regulated and audited and are required to implement such measures, whether they make any sense or not. A lot of the people making the rules have very little actual knowledge/experience with such things. As MedEvil says, it all comes down to liability.



#8 pscEx

pscEx

    Platinum Member

  • Team Reboot
  • 12707 posts
  • Location:Korschenbroich, Germany
  • Interests:What somebody else cannot do.
  •  
    European Union

Posted 28 February 2013 - 05:15 PM

Several years ago I decided on a simple solution.

I use KeePass to maintain my passwords.

I only have to remember my master password for KeePass.

 

With KeePass all passwords can be generated according to the server's rules, and look as strange as "1cPgT5IPcVDQNc6UGcHw".

 

Because they are really not memorable, on my car keychain (which I usually have with me when I'm out of my home) I have a USB stick with KeePass and its database.

At home Firefox with the KeePass plugin does everything necessary.

 

Peter



#9 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 15540 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 28 February 2013 - 05:46 PM

Quote
Several years ago I decided on a simple solution.

I use KeePass to maintain my passwords.

I only have to remember my master password for KeePass.

 

With KeePass all passwords can be generated according to the server's rules, and look as strange as "1cPgT5IPcVDQNc6UGcHw".

 

Because they are really not memorable, on my car keychain (which I usually have with me when I'm out of my home) I have a USB stick with KeePass and its database.

At home Firefox with the KeePass plugin does everything necessary.

 

Peter

...and when you really need to (say) access your e-mail from a friend's smartphone with no USB connection for your USB stick, you cannot.

No, not an ideal solution.

Please do read the given blog posts, then take some time studying entropy of passwords, and you will soon be able to understand how it is perfectly possible to have secure enough passwords (actually more secure than those stupid rules allow) without needing strange characters. a-z/A-Z/0-9 are more than sufficient as long as the password is long enough.

Consider how your bancomat/credit card is considered "secure" with a 4- or 5-digit password (or PIN) made only of 0-9.

 

:cheers:

Wonko



#10 pscEx

pscEx

    Platinum Member

  • Team Reboot
  • 12707 posts
  • Location:Korschenbroich, Germany
  • Interests:What somebody else cannot do.
  •  
    European Union

Posted 28 February 2013 - 06:05 PM

I just described my configuration, and that this solution is the best for me. Evaluation, criticism, tests, etc. of my solution were not asked for.

I did not suggest to anybody to do the same.

 

 

Peter :cheers:



#11 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 15540 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 28 February 2013 - 07:14 PM

Quote
Evaluation, criticism, tests, etc. of my solution were not asked for.

 

... but provided nonetheless (and for free). :)

 

:cheers:

Wonko



#12 pscEx

pscEx

    Platinum Member

  • Team Reboot
  • 12707 posts
  • Location:Korschenbroich, Germany
  • Interests:What somebody else cannot do.
  •  
    European Union

Posted 28 February 2013 - 07:38 PM

Although you did not ask for this, I'll send you by mail a package filled with bullsh**.

 

Because it is for free, I'm sure that you will appreciate it.

 

Peter :cheers:



#13 pscEx

pscEx

    Platinum Member

  • Team Reboot
  • 12707 posts
  • Location:Korschenbroich, Germany
  • Interests:What somebody else cannot do.
  •  
    European Union

Posted 28 February 2013 - 07:54 PM

Quote
Must be at least 8 characters long.
Must contain at least one uppercase letter.
Must contain at least one lowercase letter.
Must contain at least one numeric character.
Must contain at least one special character.

 

As a possible, easy-to-fulfil solution:

 

@Wonko-1

The benefit: I'm sure that you can keep it in mind, and do not need KeePass or similar.

 

Peter :cheers:



#14 DarkPhoeniX

DarkPhoeniX

    Frequent Member

  • Team Reboot
  • 452 posts
  • Location:In the middle of nowhere
  • Interests:Interesting Things
  •  
    South Africa

Posted 28 February 2013 - 08:17 PM

Here is a fun site about the password topic:

http://howsecureismypassword.net/

I tested my wi-fi password and I got "12 trillion years".


  • Brito likes this

#15 ziadkiwan

ziadkiwan

    Member

  • Members
  • 43 posts
  •  
    Lebanon

Posted 10 March 2013 - 02:58 PM

Whenever I encounter a site that enforces those ridiculous security rules I leave the site and don't register xD



#16 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 15540 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 18 March 2013 - 07:53 PM

Just for the record, xkcd made the point very clear:
http://xkcd.com/936/

 
:cheers:
Wonko



#17 ziadkiwan

ziadkiwan

    Member

  • Members
  • 43 posts
  •  
    Lebanon

Posted 19 March 2013 - 03:22 PM

Quote
Just for the record, xkcd made the point very clear:
http://xkcd.com/936/

:cheers:

Wonko

:cheers:





