Stupid password rules

Soldato, joined 1 Nov 2008, 4,498 posts
I just came across these rules for generating a password for a service online.

What on earth?!

How is this supposed to make the password more secure??

I had to read this three times to understand what the heck it was going on about.

This rule makes it harder to create a longer, more secure passphrase that might have repeating characters.

[image: mOl6Uvb.png]
 
So I'm a little confused about the new claim that 4 dictionary words isn't as strong as the XKCD comic makes out; I was under the impression that passphrases like that were the way to go these days. It actually makes sense that it could get cracked relatively easily using a dictionary word combination attack, though, I suppose.

I guess substituting silly things like 3s for Es and 1s for Ls wouldn't help too much as they can just expand their dictionary with all these substitutions?

I guess I really just need to get a password manager and use random generated ones.
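The entropy arithmetic behind the two points above (how strong four random dictionary words are, and how little the "3 for E" style substitutions add once the attacker's rules already cover them) as an added example; this is not code from the thread. The word list and substitution table are constructed for illustration, and the 7776-word dictionary size is the standard Diceware list size, not anything the posters mentioned.

```python
import math
import secrets

# Constructed sample word list; a real Diceware-style list has 7776 entries,
# which is the dictionary size used for the bit counts below.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "cloud", "river", "lamp", "stone"]
DICEWARE_SIZE = 7776

# Constructed table of the common letter-for-digit swaps a cracking rule set
# would already apply to every dictionary word.
LEET_SUBS = {"e": ["3"], "l": ["1"], "a": ["4", "@"], "o": ["0"],
             "s": ["5", "$"], "i": ["1", "!"], "t": ["7"]}


def passphrase_bits(n_words, dict_size=DICEWARE_SIZE):
    """Entropy of n words drawn uniformly at random from dict_size words.
    This only holds when the words are chosen by a random process, not by a
    person picking words they like."""
    return n_words * math.log2(dict_size)


def random_password_bits(length, charset_size):
    """Entropy of a uniformly random password over charset_size symbols."""
    return length * math.log2(charset_size)


def substitution_variants(word, subs=LEET_SUBS):
    """How many distinct strings a word becomes when each eligible letter may
    be left alone or swapped for one of its substitutes. This is the factor by
    which the attacker's dictionary grows to cover the substitutions."""
    count = 1
    for ch in word.lower():
        count *= 1 + len(subs.get(ch, []))
    return count


def substitution_bits(word, subs=LEET_SUBS):
    """Extra bits the substitutions force on an attacker: log2 of the variants."""
    return math.log2(substitution_variants(word, subs))


def words_needed(target_bits, dict_size=DICEWARE_SIZE):
    """Smallest number of random words reaching target_bits of entropy."""
    return math.ceil(target_bits / math.log2(dict_size))


def generate_passphrase(n_words, words=SAMPLE_WORDS, sep=" "):
    """Random passphrase using the OS CSPRNG (secrets), not random.choice."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    print(f"4 random Diceware words: {passphrase_bits(4):.1f} bits")
    print(f"8 random printable ASCII chars: {random_password_bits(8, 94):.1f} bits")
    phrase = "correcthorsebatterystaple"
    print(f"leet variants of {phrase!r}: {substitution_variants(phrase)} "
          f"(+{substitution_bits(phrase):.1f} bits if the rule set covers them)")
    print(f"words needed for 80 bits: {words_needed(80)}")
    print("sample:", generate_passphrase(4))
```

Four random Diceware words come out at about 52 bits, roughly the same as eight random printable-ASCII characters, and every further word adds another 12.9 bits. The substitution count shows why the swaps add little: the variants of a word are a fixed, small multiplier that a rule-based dictionary enumerates in full, whereas one more random word multiplies the search space by the whole dictionary.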

What rule was it?

The one in the image you quoted :p

I once did a hash search on a large client's database passwords table and found FOUR people with correcthorsebatterystaple as their actual password and a few more that had an easy variant on it.

That's hilarious :D

By the way, OP, want to name and shame where the example came from?

It was when creating an account for the online filling out of PCI compliance data for a credit card terminal for a small business.

So passwords are almost always something like "march19*". When the mandatory password change comes round (every month? two months? too often, anyway), the same procedure works just fine, e.g. the next password would be "may2019*" or "june19*". I'd be willing to bet that at least half the employees use that system.

I ended up doing something similar when I worked for a company that required you to change your password every few months. Made one decent one and just appended the month and year to it.
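A password-policy check that catches exactly the "march19*" → "may2019*" rotation habit described in the two posts above, written here as an added example rather than anything the posters used. The pattern list and sample passwords are constructed; a real deployment would call check_password from the password-change handler with that user's stored history.

```python
import re

MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
MONTH_TOKENS = set(MONTHS) | {m[:3] for m in MONTHS} | {"sept"}
SEASONS = {"spring", "summer", "autumn", "fall", "winter"}

# A word, optional separator, a 4- or 2-digit year, then up to three trailing
# punctuation characters: "march19*", "May-2019!", "winter_2019".
_DATE_WORD = re.compile(
    r"^(?P<word>[a-z]+)[\W_]*(?P<year>\d{4}|\d{2})[\W_]{0,3}$", re.IGNORECASE)


def looks_like_date_word(pw):
    """True for month/season + year passwords such as 'march19*' or 'Winter2019!'."""
    m = _DATE_WORD.match(pw)
    if not m:
        return False
    word = m.group("word").lower()
    return word in MONTH_TOKENS or word in SEASONS


def stem(pw):
    """Drop digits and punctuation and lower-case: 'Fluffy2019!' -> 'fluffy'."""
    return re.sub(r"[^a-z]", "", pw.lower())


def is_trivial_rotation(new_pw, old_pw):
    """True when the new password is the old one with only the digits or
    punctuation changed (Fluffy2019! -> Fluffy2020!), or when both are
    month/season + year passwords, so only the month moved (march19* -> may2019*)."""
    if stem(new_pw) == stem(old_pw):
        return True
    return looks_like_date_word(new_pw) and looks_like_date_word(old_pw)


def check_password(new_pw, history=()):
    """Return the list of reasons to reject new_pw; an empty list means accepted.
    history is the user's previous passwords (in practice compared via the
    stored history, here passed as plaintext for the constructed demo)."""
    reasons = []
    if looks_like_date_word(new_pw):
        reasons.append("month/season plus year pattern")
    for old in history:
        if is_trivial_rotation(new_pw, old):
            reasons.append("trivial variation of a previous password")
            break
    return reasons


if __name__ == "__main__":
    # Constructed samples of the habit described in the thread.
    for candidate, history in [("may2019*", ["march19*"]),
                               ("Fluffy2020!", ["Fluffy2019!"]),
                               ("correct horse battery staple", ["march19*"])]:
        print(f"{candidate!r}: {check_password(candidate, history) or 'ok'}")
```

The stem comparison is the part that needs a stored history: a policy that only forbids reusing the exact previous password lets "Fluffy2019!" become "Fluffy2020!" every cycle, which is the behaviour the forced-rotation schedule produces. The check is deliberately conservative (it does not try to measure general password strength), so it complements rather than replaces a breached-password blocklist.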
 
Brute forcing isn't what it used to be. Most services only let you try 5 times or something within a period of time and then lock the account out so it can't be forced any more. You would never get a successful password from that account.

What if you get hold of a leaked database? Then presumably you could brute force the password of a specific user, which may give you access to that account if they haven't changed it, or expose a password pattern that they use to allow you access to other accounts.
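The offline case the reply above raises, and the hash search an earlier poster ran against a client's password table, as an added example from the defender's side: an audit that cross-references stored hashes against a short list of known-weak passwords, first for unsalted fast hashes and then for per-user salted PBKDF2. This is not code from the thread; the table rows, the weak-password list and the iteration count are all constructed for illustration.

```python
import hashlib
import hmac
import os


def sha256_hex(s):
    return hashlib.sha256(s.encode()).hexdigest()


# Constructed sample of a leaked table that stored unsalted SHA-256 hashes.
LEAKED_ROWS = [
    ("alice", sha256_hex("correcthorsebatterystaple")),
    ("bob",   sha256_hex("march19*")),
    ("carol", sha256_hex("Zq8!vL2#pWn4@rT9")),   # manager-generated, not in any list
    ("dave",  sha256_hex("correcthorsebatterystaple")),
]

# Constructed stand-in for a breached-password list.
KNOWN_WEAK = ["password", "correcthorsebatterystaple", "march19*", "letmein"]

# Lower than production guidance so the demo runs in about a second.
ITERATIONS = 100_000


def audit_unsalted(rows, candidates):
    """Cross-reference unsalted hashes against a candidate list.
    One hash per candidate covers every user at once, so the cost is
    len(candidates) hashes no matter how many rows the table has."""
    table = {sha256_hex(c): c for c in candidates}
    return {user: table[h] for user, h in rows if h in table}


def store_pbkdf2(pw, salt=None):
    """Per-user random salt plus a slow KDF, as a password table should store."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return salt, digest


def verify_pbkdf2(pw, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def audit_salted(salted_rows, candidates):
    """The same audit against salted rows. Nothing can be precomputed across
    users, so every (user, candidate) pair is a full PBKDF2 run. Returns the
    hits and the number of KDF calls spent, to make the cost difference visible."""
    hits, kdf_calls = {}, 0
    for user, salt, digest in salted_rows:
        for c in candidates:
            kdf_calls += 1
            if verify_pbkdf2(c, salt, digest):
                hits[user] = c
                break
    return hits, kdf_calls


if __name__ == "__main__":
    print("unsalted SHA-256:", audit_unsalted(LEAKED_ROWS, KNOWN_WEAK))
    salted = [(u, *store_pbkdf2(pw)) for u, pw in
              [("alice", "correcthorsebatterystaple"), ("carol", "Zq8!vL2#pWn4@rT9")]]
    hits, calls = audit_salted(salted, KNOWN_WEAK)
    print(f"salted PBKDF2: {hits} after {calls} KDF runs of {ITERATIONS} iterations")
```

Two things the output makes concrete. The lockout the previous poster relies on only governs the online path; once the table is offline, the only rate limit is the hash function, and an unsalted fast hash gives the whole table away for the price of hashing the candidate list once. Salting and a slow KDF multiply that cost by the number of users and the iteration count, but alice is still found: a password that is on the list stays weak under any storage scheme, which is the argument for the manager-generated passwords mentioned earlier in the thread.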
 
I guess password rules help with situations like this:

[image: giphy.gif]

Who can 'hack' his password from the gif? :D
 