Password Entry Limit - why just why?

Just be happy you don't have to deal with some of the password policies I have at work.
One of our partner websites that I need to use has the following:
6 - 10 chars
Must have 1 capital, 1 number, 1 special
Forced password change every month
Cannot use the previous 100 passwords

So, what most people at work do is write the password on a post-it note and stick it to their screens...
 
A lot of efficient hashing algorithms will take fixed-sized inputs. E.g., you can split a uchar string into a list of ints, e.g. every 4 bytes with some simple bit shifting becomes a 32-bit int, or 8 characters for a 64-bit int. If you limit the password to 8 characters then you can quickly convert it to a long int before hashing/encrypting.
 
Just be happy you don't have to deal with some of the password policies I have at work.
One of our partner websites that I need to use has the following:
6 - 10 chars
Must have 1 capital, 1 number, 1 special
Forced password change every month
Cannot use the previous 100 passwords

So, what most people at work do is write the password on a post-it note and stick it to their screens...

Sounds like where I work...
 
Sloppy design. Short passwords are easier to brute force.

Not necessarily, most people who brute force don't start with a random 1 character then try all permutations of 2 characters and so on. They use dictionary attacks first, so someone with 'password' (an 8 character password) would be easier to brute force than someone with 'L57w@Z' (a 6 character password).

Besides, a max password attempt checker makes brute forcing pointless unless you can somehow access the program/website database directly and bypass the program/website input so you can brute force against the database itself. And if someone has managed to gain access to that, them brute forcing internal passwords is the least of your worries.
 
Yeah, having policies like forced password change and no previous passwords is always going to result in a lot of people taking notes of their password.

Most people will use different passwords for each website, and being forced to change it frequently will just result in a lot of people forgetting it imho resulting in noting down passwords or other bad approaches to remember it :p
 
Just be happy you don't have to deal with some of the password policies I have at work.
One of our partner websites that I need to use has the following:
6 - 10 chars
Must have 1 capital, 1 number, 1 special
Forced password change every month
Cannot use the previous 100 passwords

So, what most people at work do is write the password on a post-it note and stick it to their screens...

Can't they just get a biometric scanner or something if they want logins to be super secure?
 
Just be happy you don't have to deal with some of the password policies I have at work.
One of our partner websites that I need to use has the following:
6 - 10 chars
Must have 1 capital, 1 number, 1 special
Forced password change every month
Cannot use the previous 100 passwords

So, what most people at work do is write the password on a post-it note and stick it to their screens...

This is why as a PC enthusiast, amateur programmer and SQL coder I cringe at the thought of working in IT and why most people in those departments frustrate the hell out of me.

It's as if they make decisions on simplistic logic and can't think "outside the box", or rather don't consider the practical realities of their policies. It all seems to be "My Windows course said forcing people to use a capital letter was good practice (which it is in isolation) therefore we enforce it" but they fail to think of the sum of all those policies.

At my work we have a similar, but slightly less restrictive, policy. 6 char minimum, at least one capital letter, at least 1 number, forced change every 3 months and no repeat of the last 20 passwords. Most people just use one word then suffix it with a 1 and just increment that final digit by 1 every time a change is enforced, thus rendering that change pointless.
 
Just be happy you don't have to deal with some of the password policies I have at work.
One of our partner websites that I need to use has the following:
6 - 10 chars
Must have 1 capital, 1 number, 1 special
Forced password change every month
Cannot use the previous 100 passwords

So, what most people at work do is write the password on a post-it note and stick it to their screens...

I can't comment on our password policies (for obvious reasons) but if you wrote your password on a post-it and stuck it on your screen then it would be an automatic disciplinary and it would get picked up pretty quickly (we have random sweeps of the office to make sure that the clear desk policy is being followed and that machines are physically locked up).
 
Just be happy you don't have to deal with some of the password policies I have at work.
One of our partner websites that I need to use has the following:
6 - 10 chars
Must have 1 capital, 1 number, 1 special
Forced password change every month
Cannot use the previous 100 passwords

So, what most people at work do is write the password on a post-it note and stick it to their screens...


Which is fine for most instances.
My desk is full of passwords; unless someone breaks into the building and goes hunting for passwords to systems they know nothing about then there is no problem. We don't hold sensitive data, although we do have a load of military software/data on some of our systems.


Our worry is hackers gaining access to our systems remotely. If they break into the office we are more worried about them stealing our wallets etc.
 
Virgin Atlantic have between 6 - 10!

Really, really irritating; I mean, who has 6 characters for a password? I thought 1234 was good enough!
 
Any idea why some websites (quite a few gaming companies spring to mind) only let your passwords be no more than 6-10 characters?

Any ideas why they restrict your password lengths? :rolleyes:

They probably store passwords in clear text. A 30 char password would play havoc with their databases.
 
If a website has a password size range that's a red flag for anything involving credit cards, you may as well just give the criminals your card number because that site is either storing your details in plain text or using very poor security measures. Just having such a short password means it can easily be brute forced.
 
I remember one website, which was used for some psychology ethics course, had some ridiculous limitations like you could only use lower case alphabetical characters and some very low character limit. I'm fairly sure it stored the password in plaintext as well. Disgusting.
 
Just be happy you don't have to deal with some of the password policies I have at work.
One of our partner websites that I need to use has the following:
6 - 10 chars
Must have 1 capital, 1 number, 1 special
Forced password change every month
Cannot use the previous 100 passwords

So, what most people at work do is write the password on a post-it note and stick it to their screens...

While I'd say the forced changes every month and 100 password history is a bit of overkill, and likely to lead to people writing down their passwords, any PC that deals with credit card transactions over IP has to adhere to PCI DSS standards and that includes a similar password policy.
 
HSBC do this for their 'verified by visa'
which means I can't use the normal one I use for banking type stuff.

Every time it makes me create a new one because I can't remember whatever I typed last time.
For some pee ant website I wouldn't expect them to know what they are doing, but a global bank? Their CEO needs battering with a tea soaked keyboard.
 
There's a surprising number of sites still using a simple 8-13 byte hash for passwords - even if you enter say a 30 char password it still uses a limited length hash :|
 
There's a surprising number of sites still using a simple 8-13 byte hash for passwords - even if you enter say a 30 char password it still uses a limited length hash :|

Admittedly having a 13-byte (104-bit) hash would be pretty crap in this day and age. However, I'm fairly sure having a fixed-length hash for any given hashing algorithm is standard, at least with the ones I'm familiar with (e.g. SHA256 always produces a 256-bit/32-byte digest). If you start allowing the length of the password to influence the length of the digest in an obviously correlated (i.e. longer password = longer hash) way then you're giving away information about the hashed data which is a bad thing because it reduces the size of the space an attacker would have to search through in order to brute force the password and would make short, easy to attack passwords obvious.
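Added example, not code from any poster in this thread: the "pack 8 characters into a 64-bit int before hashing" scheme from the earlier post, written out next to a normal salted, fixed-length hash, to show that the truncation (and the length cap it forces) is the weakness, not the fixed digest size. Function names and the iteration count are my own choices.

```python
import hashlib
import hmac
import os
import struct

ITERATIONS = 100_000  # assumed work factor for the example


def pack_to_u64(password: str) -> int:
    """The 'turn 8 characters into one 64-bit int' scheme, written out
    (hypothetical, not any real site's code). Bytes after the eighth are
    silently dropped and shorter inputs are zero-padded."""
    raw = password.encode("utf-8")[:8].ljust(8, b"\0")
    return struct.unpack("<Q", raw)[0]


def truncating_digest(password: str) -> str:
    """Hash of the packed integer: only the first 8 bytes ever matter."""
    packed = struct.pack("<Q", pack_to_u64(password))
    return hashlib.sha256(packed).hexdigest()


def collides_under_truncation(a: str, b: str) -> bool:
    """True when two different passwords verify as the same credential."""
    return a != b and truncating_digest(a) == truncating_digest(b)


def store_password(password: str) -> tuple:
    """Proper storage: random salt, iterated hash over the whole password.
    The digest is 32 bytes whatever the password length, so there is no
    storage reason to cap passwords at 8 or 10 characters."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


if __name__ == "__main__":
    # constructed sample passwords: identical in their first 8 bytes
    a, b = "password123", "password456"
    print("collide under truncation:", collides_under_truncation(a, b))  # True
    salt, digest = store_password(a)
    print("verify a:", verify_password(a, salt, digest))  # True
    print("verify b:", verify_password(b, salt, digest))  # False
    print("digest bytes for a 40-char password:", len(store_password("x" * 40)[1]))  # 32
```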
 