Stupid password rules

We've been given stupid ****** iPhones (unnecessarily) at work, and cleverly - to aid security - they have to have an unlock password. This has to be between 8 and 12 chars and must include a number and 2 symbols. So given the ****** things go to sleep every few minutes, every time I need to open it I have to eff about on a stupid titchy keyboard and swap back and forth between alpha/num etc. Why TF they decided this was a better idea than drawing a symbol or suchlike I don't know, but it probably won't be long before I accidentally drop my phone in the car park.

Eh? Surely you just need a fingerprint or Face ID?

On the old ones, when you had to type a code to unlock, it was only 4 digits IIRC? Now PINs are 6 digits.
 
Might be easier to remember than the 18 different passwords I have to use on a daily basis, each with their own login name.
Actually, spectaclestesticleswalletandwatch might be easier, as I had to scroll up to double-check.
 
I just came across these rules for generating a password for a service online.

What on earth?!

How is this supposed to make the password more secure??

I had to read this three times to understand what the heck it was going on about.

This rule makes it harder to create a longer, more secure passphrase that might have repeating characters.


What rule was it?
 
Arbitrary password schemes annoy me.

At work we use a single sign-on system, so the password requires that you must have a capital, a symbol, a number (fairly standard), but it must begin and end with a letter. Everyone I've spoken to gets around this by chucking an "a" at the end of whichever password they've chosen. When the 90-day refresh rolls around they just change "a" to "b" and keep the same password :o

We pretty much have the same rule, except for numbers. Cue passwords ending in 1, then 2, then 3, etc. I'm now on 14 :P
 
You're not entirely right there. A dictionary attack would brute force your example password in seconds as it's just 4 tokens from the dictionary. It's effectively as secure as "hdjk".

That's not right.
There are 128 possible characters, so all the different combinations of a 4-letter string are 128 x 128 x 128 x 128 = 268,435,456 combinations.
There are maybe around 250,000 words in a dictionary, so the combinations of all possible 4-word strings are 250,000 x 250,000 x 250,000 x 250,000 = 3,906,250,000,000,000,000,000.

(making some assumptions and guessing here, but you get the idea)
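As an added illustration of the two attacker models argued over in the last two posts (this is not code from anyone in the thread): one attacker guesses character by character, the other guesses whole dictionary words. The script reproduces both posters' keyspace arithmetic as functions, and adds a small segmenter that checks whether a password splits cleanly into dictionary words, which is exactly what lets a dictionary attack treat a 25-character phrase as 4 tokens. The tiny word list, the 128-symbol alphabet, the 250,000- and 2,048-word dictionary sizes and the guess rate are all assumptions chosen for illustration.

```python
import math

# Constructed miniature word list for the segmenter; a real cracker would use
# a full dictionary. It only needs to cover the two phrases named in the thread.
WORDLIST = {"correct", "horse", "battery", "staple",
            "spectacles", "testicles", "wallet", "and", "watch"}

GUESSES_PER_SECOND = 1e10  # assumed attacker rate, purely for illustration


def keyspace(alphabet_size, length):
    """Number of distinct strings of `length` tokens from `alphabet_size` choices."""
    return alphabet_size ** length


def entropy_bits(space):
    """Bits of entropy for a uniformly chosen member of a keyspace of size `space`."""
    return math.log2(space)


def worst_case_seconds(space, rate=GUESSES_PER_SECOND):
    """Time to exhaust the keyspace at `rate` guesses per second."""
    return space / rate


def segment(password, words=WORDLIST):
    """Split `password` into the fewest dictionary words that exactly cover it.

    Returns the list of words, or None if no full segmentation exists. This is
    what separates 'hdjk' from 'correcthorsebatterystaple' in a cracker's eyes:
    the second one is four tokens, the first one is four characters.
    """
    longest = max(len(w) for w in words)
    best = [None] * (len(password) + 1)   # best[i] = fewest words covering password[:i]
    best[0] = []
    for end in range(1, len(password) + 1):
        for start in range(max(0, end - longest), end):
            piece = password[start:end]
            if best[start] is not None and piece in words:
                candidate = best[start] + [piece]
                if best[end] is None or len(candidate) < len(best[end]):
                    best[end] = candidate
    return best[len(password)]


def estimate_bits(password, alphabet_size, dictionary_size, words=WORDLIST):
    """Entropy under the character model and, if the password segments into
    dictionary words, under the word model. The lower figure is the honest one,
    because the attacker gets to pick whichever model is cheaper."""
    char_model = len(password) * entropy_bits(alphabet_size)
    parts = segment(password, words)
    if parts is None:
        return char_model, None
    word_model = len(parts) * entropy_bits(dictionary_size)
    return min(char_model, word_model), parts


if __name__ == "__main__":
    # The two posters' arithmetic, plus the comic's 2,048-word list for comparison.
    for label, alphabet, length in [
        ("4 chars from a 128-symbol alphabet", 128, 4),
        ("4 words from a 250,000-word dictionary", 250_000, 4),
        ("4 words from a 2,048-word list", 2048, 4),
    ]:
        space = keyspace(alphabet, length)
        years = worst_case_seconds(space) / (86400 * 365)
        print(f"{label}: {space:,} combinations, {entropy_bits(space):.1f} bits, "
              f"{years:.2e} years at {GUESSES_PER_SECOND:.0e} guesses/s")

    for pw in ["hdjk", "correcthorsebatterystaple", "spectaclestesticleswalletandwatch"]:
        bits, parts = estimate_bits(pw, alphabet_size=26, dictionary_size=250_000)
        print(f"{pw}: {bits:.1f} bits, tokens={parts}")
```

The word model only applies when the whole string segments; a password that mixes a dictionary word with random characters falls back to the character model here, which over-estimates it. A real strength estimator also scores partial matches, but the point of the thread survives the simplification: the same string is worth 117 bits to one attacker and 44 to another, and the attacker chooses.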
 
Stupid complex password requirements: after you finally create one (on the 8th attempt) and try to log in, you get hit with a CAPTCHA which you can hardly read :mad:
 

I once did a hash search on a large client's database passwords table and found FOUR people with correcthorsebatterystaple as their actual password and a few more that had an easy variant on it. You shouldn't be storing unsalted MD5 hashes in a database these days anyway, in fact you shouldn't still be using MD5 hashes but that's another conversation. Point is that there were multiple people who both read XKCD and yet were also clueless enough to think that this would make a good password.

Also, that comic is flawed. It supposes that a longer password offsets the advantages of the shorter example given. But that's not true: the range of words most people will come up with is quite short, and you can create reams of potential passwords programmatically which will guess most of these. It's not "44 bits of entropy" as the cartoonist suggests, but the number of words to the power of how many you consider to be the maximum in a sequence. That's still a lot, and if you want to guess a given individual's password it will take quite some time. But if you have a stolen database of passwords and want to just find matching ones, a lot less so. Hence the importance of using modern password storage techniques, not just salted MD5 hashes.

By the way, OP, want to name and shame where the example came from?
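An added example (not the poster's own code) of the hash search described above, and of why the storage format matters more than the salt alone. A constructed "stolen" table holds seven made-up users; four chose the XKCD phrase verbatim, two chose cheap variants, one chose something the guess list cannot reach. The guess list is built programmatically from a few base phrases and the variant rules the thread keeps mentioning (capitalisation, a trailing digit or symbol). Against unsalted MD5, every candidate is hashed once and matched against the whole table at the same time; against per-user salts and an iterated KDF, every candidate has to be re-hashed for every user, and each hash is slow by design. Both tables give up the same six weak passwords; what changes is the cost. PBKDF2 from the standard library stands in for a proper password KDF, and the user names, passwords and iteration count are assumptions.

```python
import hashlib
import hmac
import os
from itertools import product

# Constructed data: the plaintexts behind a pretend stolen table. Names are
# made up; "grace" has a password our guess list does not cover.
PLAINTEXTS = {
    "alice": "correcthorsebatterystaple",
    "bob": "correcthorsebatterystaple",
    "carol": "correcthorsebatterystaple",
    "dave": "correcthorsebatterystaple",
    "erin": "CorrectHorseBatteryStaple",
    "frank": "correcthorsebatterystaple1",
    "grace": "plover-quantum-ossify-cadmium",
}

# Base guesses as word lists, expanded programmatically into the shapes people
# actually pick: plain, Capitalised, UPPER, CamelCase, each with a common suffix.
BASES = [["correct", "horse", "battery", "staple"], ["password"], ["let", "me", "in"]]
SUFFIXES = ["", "1", "2", "3", "!", "123"]


def variants(words):
    joined = "".join(words)
    shapes = {joined, joined.capitalize(), joined.upper(),
              "".join(w.capitalize() for w in words)}
    return {shape + suffix for shape, suffix in product(shapes, SUFFIXES)}


def candidate_list(bases=BASES):
    found = set()
    for words in bases:
        found |= variants(words)
    return sorted(found)


CANDIDATES = candidate_list()


def md5_hex(password):
    return hashlib.md5(password.encode()).hexdigest()


# The weak table: unsalted MD5, as found in the post.
UNSALTED_TABLE = {user: md5_hex(pw) for user, pw in PLAINTEXTS.items()}


def crack_unsalted(table, candidates):
    """Hash each candidate once, then look every user up in the same dictionary.
    Work is len(candidates) no matter how many users the table holds."""
    lookup = {md5_hex(c): c for c in candidates}
    cracked = {user: lookup[digest] for user, digest in table.items() if digest in lookup}
    return cracked, len(candidates)


ITERATIONS = 2000  # kept tiny so the example runs quickly; real deployments use far more


def slow_hash(password, salt):
    """Salted, iterated PBKDF2-HMAC-SHA256 as a stand-in for a password KDF
    (argon2, scrypt or bcrypt would be the usual choice today)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_salted_table(plaintexts):
    table = {}
    for user, pw in plaintexts.items():
        salt = os.urandom(16)           # unique per user, stored beside the digest
        table[user] = (salt, slow_hash(pw, salt))
    return table


SALTED_TABLE = make_salted_table(PLAINTEXTS)


def crack_salted(table, candidates):
    """Per-user salt kills the shared lookup: every candidate is re-hashed for
    every user, and each hash is deliberately slow. Returns the cracked users
    and the number of KDF calls it took."""
    cracked, work = {}, 0
    for user, (salt, digest) in table.items():
        for candidate in candidates:
            work += 1
            if hmac.compare_digest(slow_hash(candidate, salt), digest):
                cracked[user] = candidate
                break
    return cracked, work


if __name__ == "__main__":
    weak, weak_work = crack_unsalted(UNSALTED_TABLE, CANDIDATES)
    strong, strong_work = crack_salted(SALTED_TABLE, CANDIDATES)
    print(f"unsalted MD5:  {len(weak)} of {len(PLAINTEXTS)} users cracked with {weak_work} hashes")
    print(f"salted PBKDF2: {len(strong)} of {len(PLAINTEXTS)} users cracked with {strong_work} KDF calls")
```

Note what the salt does and does not buy: the six users who picked a guessable phrase are cracked either way. Salting plus a slow KDF multiplies the attacker's cost by the number of users and by the iteration count, which is what turns "find every match in a dump in minutes" into "target one account at a time"; it does not rescue a password that is one of the first few thousand guesses.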
 
Our IT department blocks the use of USB data sticks unless they get encrypted. This is a massive PITA, because the reason the guy wants to plug his stick in is that he already has stuff on there that he needs to transfer to the PC, so he can't encrypt it! And the IT department think they win because they've made the system safe from his nasty files on his big bad dangerous data stick.

All that money spent to implement software to enforce this... when all you need to do is plug the stick in, upload to Google Drive and then download the files from Google Drive onto the PC in question.

Mental.
 
The more complicated it becomes, the greater the chance people write it down. Seen it a million times.

You lose your notepad, someone knows all your passwords. Most people don't understand lockers or vaults.
 