Stupid password rules

Soldato | Joined: 1 Nov 2008 | Posts: 4,500
I just came across these rules for generating a password for a service online.

What on earth?!

How is this supposed to make the password more secure??

I had to read this three times to understand what the heck it was going on about.

This rule makes it harder to create a longer, more secure passphrase that might have repeating characters.

[image: screenshot of the password rules]
 
For short obvious passwords (names, places, memorable words etc.) then I'd agree that this would make the password more complex (assuming other rules are followed).

Mine are all generated with 30 characters consisting of upper and lower case letters, numbers and special characters. It's unlikely to make the password any weaker by using a duplicate character.
 
Arbitrary password schemes annoy me.

At work we use a single sign-on system, so the password requires that you must have a capital, a symbol, a number (fairly standard) but it must begin and end with a letter. Everyone I've spoken to gets around this by chucking an "a" at the end of whichever password they've chosen. When the 90-day refresh rolls around they just change "a" to "b" and keep the same password :o
 
My favourites are the sites that have rules but don't tell you, so you create a password and try to log in but it won't work, so you have to spend the next hour guessing what their arbitrary rules consist of.
 
How is this supposed to make the password more secure??

It doesn't; as you've correctly pointed out, it makes it harder to create a longer, more secure passphrase.

It could also arbitrarily deny some randomly generated password too for no good reason.
 
The stupidest thing is that longer > "complex"

10whitechurchlane takes longer to crack than 1@£hUb833_

17 trillion years vs 6 years

Also, today I learnt the word "Quinquatrigintillion" :D

Unless you live at 10 White Church Lane and that information is used.
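To put numbers on the "longer beats complex" point above, here is an added worked example (not from any poster in the thread) that computes the keyspace and entropy of a 17-character lowercase-plus-digit password against a 10-character printable-ASCII one, and also shows how much a "no character may appear twice" rule shaves off. The alphabet sizes (36 and 95) and the guess rate of 1e10 per second are assumptions for illustration, not the figures the poster used, so the years it reports will differ from the "17 trillion years vs 6 years" quoted.

```python
import math

# Alphabet sizes used in the comparison (assumed for this illustration).
LOWER_DIGITS = 26 + 10   # a-z and 0-9, e.g. "10whitechurchlane"
PRINTABLE_ASCII = 95     # printable ASCII, e.g. "1@£hUb833_" (treating £ as one symbol)
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters over the alphabet."""
    return alphabet_size ** length


def keyspace_no_repeats(alphabet_size: int, length: int) -> int:
    """Keyspace once a 'no character may appear twice' rule is imposed: P(n, k).

    Returns 0 when the rule makes the length unreachable (k > n), which is
    exactly how such a rule blocks long passphrases."""
    if length > alphabet_size:
        return 0
    return math.perm(alphabet_size, length)


def bits(space: int) -> float:
    """Entropy in bits of a password chosen uniformly from a keyspace of that size."""
    return math.log2(space)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed guess rate (not a benchmark)."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def compare(rate: float = 1e10) -> dict:
    """Side-by-side figures for the two password shapes from the thread."""
    long_simple = keyspace(LOWER_DIGITS, 17)
    short_complex = keyspace(PRINTABLE_ASCII, 10)
    no_repeat = keyspace_no_repeats(PRINTABLE_ASCII, 10)
    return {
        "17 lowercase+digits bits": round(bits(long_simple), 1),
        "10 printable bits": round(bits(short_complex), 1),
        "17 lowercase+digits years": years_to_exhaust(long_simple, rate),
        "10 printable years": years_to_exhaust(short_complex, rate),
        # entropy lost on a 10-char printable password once repeats are forbidden
        "no-repeat penalty bits": round(bits(short_complex) - bits(no_repeat), 2),
    }


if __name__ == "__main__":
    for label, value in compare().items():
        print(f"{label}: {value:,.2f}" if isinstance(value, float) else f"{label}: {value}")
```

The no-repeat penalty for a 10-character password is under a bit, so the rule buys nothing against a brute-force attacker while forbidding every passphrase longer than the alphabet; the 22-bit gap between the two shapes is the length doing the work.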
 
Unless you live at 10 White Church Lane and that information is used.

Well yeah, but it depends if we are talking about bruteforcing random logins, or trying to phish data for a targeted approach.

I use my best friend's address as my work password, so pretty unlikely that they would be able to link my work ID number, to me as a person, and then my best friend's home address :D
 
I don't remember the details, but there is something around repeating characters that makes it slightly easier to crack on some algorithms; however, I suspect it's largely irrelevant these days with newer schemes. This was a conversation nearly 20 years ago with a PhD cryptographer.

Wouldn't surprise me if you jump through the hoops to choose a "secure" password and then the password reset consists of them emailing it back to you in plain text :rolleyes:
 
That is a strange rule. Perhaps it is trying to reduce the risk of someone seeing you hit the same key and then guess from there?

Nah that doesn't sound right. It's just a stupid password requirement.
 
Well yeah, but it depends if we are talking about bruteforcing random logins, or trying to phish data for a targeted approach.

I use my best friend's address as my work password, so pretty unlikely that they would be able to link my work ID number, to me as a person, and then my best friend's home address :D

More likely they will link them now you've told us lol ;)
 
This was the full list of requirements; at least there was no character limit! That one also gets me.

[image: screenshot of the full list of password requirements]

It is only really the first rule that is important, length. Ideally just enforce long passwords and check against a list of commonly used passwords.

The other stuff just seems to encourage people to forget passwords and/or messes with password generators.

Do they allow spaces and unicode characters? Or have they arbitrarily forbidden them for no reason?
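As an added illustration of the "length plus a common-password check, nothing else" policy suggested above (this is example code, not from any poster or any real service), here is a checker that accepts spaces, unicode and repeated characters, next to a stand-in for the composition rules quoted earlier in the thread. The deny-list is a constructed handful of strings; a real deployment would check against a full breached-password corpus instead. The function names `sane_policy` and `legacy_policy` are my own.

```python
import unicodedata
from typing import List

MIN_LENGTH = 12

# Constructed stand-in for a breached/common-password corpus. A real deployment
# would check against a complete list (e.g. a Pwned Passwords export), not this set.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "password1", "iloveyou"}


def normalize(pw: str) -> str:
    """NFKC-normalise so that visually identical unicode input compares equally."""
    return unicodedata.normalize("NFKC", pw)


def sane_policy(pw: str) -> List[str]:
    """Length plus a deny-list, and nothing else.

    Spaces, unicode and repeated characters are all accepted, so long
    passphrases and generator output pass unchanged."""
    pw = normalize(pw)
    problems = []
    if len(pw) < MIN_LENGTH:   # len() counts code points, not bytes
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.casefold() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    return problems


def legacy_policy(pw: str) -> List[str]:
    """Composition rules of the kind quoted in the thread, kept here for contrast."""
    problems = []
    if len(set(pw)) != len(pw):
        problems.append("contains a repeated character")
    if not (pw[:1].isalpha() and pw[-1:].isalpha()):
        problems.append("must begin and end with a letter")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a digit")
    if not any(c.isupper() for c in pw):
        problems.append("needs an upper-case letter")
    if not any(not c.isalnum() and not c.isspace() for c in pw):
        problems.append("needs a symbol")
    return problems


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "Password1", "mañana café croissant 42"):
        print(f"{candidate!r}: sane={sane_policy(candidate)} legacy={legacy_policy(candidate)}")
```

Run against the three constructed candidates, the long passphrase and the unicode one pass the sane policy and fail the legacy one on the repeated-character rule, while "Password1" is rejected by the sane policy for being short and on the deny-list but would scrape through most of the legacy rules with a symbol bolted on.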
 
We've been given stupid ****** iPhones (unnecessarily) at work, and cleverly, to aid security, they have to have an unlock password. This has to be between 8 and 12 chars and must include a number and 2 symbols. So given the ****** things go to sleep every few minutes, every time I need to open it I have to eff about on a stupid titchy keyboard and swap back and forth between alpha/num etc. Why TF they decided this was a better idea than drawing a symbol or suchlike I don't know, but it probably won't be long before I accidentally drop my phone in the car park.
 