Stupid password rules

Associate
Joined
6 Feb 2008
Posts
1,750
I can't remember which it was, but one of the banks prevents you from using three sequential numbers or three of the same number. Now I understand that this is to prevent you from using 123 or 987 or 111 or whatever, but it went further. It prevented you from using a seemingly harmless combination of the two such as 4889.
 
Caporegime
Joined
17 Feb 2006
Posts
29,263
Location
Cornwall
This is old-style security which most people who study human behaviour agree actually makes things less safe. People are more likely to write passwords down, etc. Passwords are easier to brute force and more difficult for humans to remember. It's backwards and out of date.

Lots of antiquated security practices continue to be held firm though. Older security chaps love their password complexity rules.
 
Soldato
Joined
20 May 2010
Posts
4,256
Location
Englishman in the USA
We've been given stupid ****** iPhones (unnecessarily) at work, and cleverly - to aid security - they have to have an unlock password. This has to be between 8 and 12 chars and must include a number and 2 symbols. So given the ****** things go to sleep every few minutes, every time I need to open it I have to eff about on a stupid titchy keyboard and swap back and forth between alpha/num etc. Why TF they decided this was a better idea than drawing a symbol or suchlike I don't know, but it probably won't be long before I accidentally drop my phone in the car park.
Is that some security requirement from your company? Apple don't force you to have 8-12 chars. I have a 4 digit passcode on my iPhone. Can't you just set up FaceID/TouchID?

I've been using 1Password for the past few years and it's so well integrated into iOS now that you'd be mad not to use some sort of password manager. iOS can pull auth codes from messages too now without opening the message so 2FA is a breeze.
 
Caporegime
Joined
17 Feb 2006
Posts
29,263
Location
Cornwall
Industry standard password rules change all the time, it can be hard to keep up.
Well last time I checked pass phrases were being advocated.

I.e. nobody can ever remember !Th3pig30n#oOo~

But most people could remember thecosmicpigeonenteredhitlerssingularityengine

One of those is a lot more secure than the other, and way easier to remember to boot!
 
Soldato
Joined
28 Oct 2006
Posts
12,456
Location
Sufferlandria
touch said:
There are 128 possible characters, so all the different combinations of a 4-letter string are 128 x 128 x 128 x 128 = 268,435,456 combinations.
There are maybe around 250,000 words in a dictionary, so the number of combinations of all possible 4-word strings is 250,000 x 250,000 x 250,000 x 250,000 = 3,906,250,000,000,000,000,000

You have quoted the worst-case time instead of the expected time.

No I haven't. Read the post again. I've quoted the total number of different combinations in each case. Not expected times or number of guesses.
 
Man of Honour
Joined
5 Dec 2003
Posts
21,001
Location
Just to the left of my PC
Arbitrary password schemes annoy me.

At work we use a single sign on system, so the password requires that you must have a capital, a symbol, a number (fairly standard) but it must begin and end with a letter. Everyone I've spoken to gets around this by chucking an "a" at the end of whichever password they've chosen. When the 90 day refresh rolls around they just change "a" to "b" and keep the same password :o

Different password rules at my workplace, but the same result. The usual practice is to make the password from combining the name of the month, the year and an asterisk at the end because the arbitrary password rule requires a symbol. So passwords are almost always something like "march19*". When the mandatory password change comes round (every month? two months? too often, anyway), the same procedure works just fine, e.g. the next password would be "may2019*" or "june19*". I'd be willing to bet that at least half the employees use that system. When a business makes passwords an annoying inconvenience, people will try to devise a way to make them less annoying and inconvenient.
 
Soldato
OP
Joined
1 Nov 2008
Posts
4,413
So I'm a little confused about the new claim that 4 dictionary words isn't as strong as the XKCD comic makes out, I was under the impression that pass phrases like that were the way to go these days. It actually makes sense that it could get cracked relatively easily using a dictionary word combination attack though I suppose.

I guess substituting silly things like 3s for Es and 1s for Ls wouldn't help too much as they can just expand their dictionary with all these substitutions?

I guess I really just need to get a password manager and use random generated ones.

What rule was it?

The one in the image you quoted :p

I once did a hash search on a large client's database passwords table and found FOUR people with correcthorsebatterystaple as their actual password and a few more that had an easy variant on it.

That's hilarious :D

By the way, OP, want to name and shame where the example came from?

It was when creating an account for the online filling out of PCI compliance data for a credit card terminal for a small business.

So passwords are almost always something like "march19*". When the mandatory password change comes round (every month? two months? too often, anyway), the same procedure works just fine, e.g. the next password would be "may2019*" or "june19*". I'd be willing to bet that at least half the employees use that system.

I ended up doing something similar when I worked for a company that required you to change your password every few months. Made one decent one and just amended the month and year to it.
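The thread's combinatorics (the 128^4 and 250,000^4 figures quoted above, the worst-case versus expected-guesses disagreement, and the OP's question about whether 3-for-E substitutions help) can be put into one small calculator. This is an added example written for this page, not code from any poster; the 95-symbol printable-ASCII set and the two guess rates (an online login limited to 5 tries per 15 minutes, and an offline rig at 10^10 guesses per second against a fast unsalted hash) are assumptions chosen for illustration. It models every secret as chosen uniformly at random, which is the best case: a grammatical phrase like the one above, or a leetified common word, has fewer bits than the count suggests.

```python
import math

# Figures from the thread: a 128-symbol character set and a 250,000-word
# dictionary. The 95-symbol printable-ASCII set is an assumption added here
# as the usual size for a password typed on a keyboard.
PRINTABLE_ASCII = 95


def bruteforce_keyspace(length: int, alphabet_size: int) -> int:
    """Distinct strings of `length` symbols drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def wordlist_keyspace(words: int, dictionary_size: int, variants_per_word: int = 1) -> int:
    """Distinct passphrases of `words` entries from a `dictionary_size`-word list.

    `variants_per_word` models 3-for-E / 1-for-L substitutions: if a cracker's
    wordlist carries k spellings of every word, the search grows by a factor
    of k per word, i.e. the defender gains only log2(k) extra bits per word.
    """
    return (dictionary_size * variants_per_word) ** words


def bits(keyspace: int) -> float:
    """Entropy in bits of a secret chosen uniformly from `keyspace` candidates."""
    return math.log2(keyspace)


def expected_guesses(keyspace: int) -> int:
    """Mean guesses to hit a uniformly random secret: about half the space."""
    return (keyspace + 1) // 2


def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    return keyspace / guesses_per_second


# Assumed guess rates: an online login with a 5-per-15-minute lockout, and an
# offline rig against a leaked, fast, unsalted hash.
ONLINE_RATE = 5 / (15 * 60)
OFFLINE_RATE = 1e10
SECONDS_PER_YEAR = 3.15e7


def compare() -> list:
    """Rows for the cases discussed in the thread, under a uniform-choice model."""
    cases = [
        ("4 random chars, 128-symbol set", bruteforce_keyspace(4, 128)),
        ("15 random printable chars (length of !Th3pig30n#oOo~)",
         bruteforce_keyspace(15, PRINTABLE_ASCII)),
        ("4 random words, 250,000-word list", wordlist_keyspace(4, 250_000)),
        ("4 random words + 8 leet spellings each", wordlist_keyspace(4, 250_000, 8)),
    ]
    return [
        {
            "case": name,
            "bits": round(bits(n), 1),
            "expected_guesses": expected_guesses(n),
            "offline_years": seconds_to_exhaust(n, OFFLINE_RATE) / SECONDS_PER_YEAR,
            "online_years": seconds_to_exhaust(n, ONLINE_RATE) / SECONDS_PER_YEAR,
        }
        for name, n in cases
    ]


if __name__ == "__main__":
    for row in compare():
        print(f"{row['case']:<55} {row['bits']:>6} bits  "
              f"offline {row['offline_years']:.3g} y  online {row['online_years']:.3g} y")
```

The leet row shows the OP's suspicion in numbers: eight spellings per word adds 3 bits per word, 12 bits for four words, which is far less than adding a fifth random word (about 18 bits) and costs the defender far more memorability.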
 
Soldato
Joined
8 Jun 2013
Posts
4,372
Is that some security requirement from your company? Apple don't force you to have 8-12 chars. I have a 4 digit passcode on my iPhone. Can't you just set up FaceID/TouchID?

I've been using 1Password for the past few years and it's so well integrated into iOS now that you'd be mad not to use some sort of password manager. iOS can pull auth codes from messages too now without opening the message so 2FA is a breeze.
Yeah. Just one more retarded policy from the company that wanted us all to have Macs, then decided they're unsuitable, and we need the phone to run a security PIN generating app; so a £400 phone instead of a 50p RSA token like we already use... for a £2k machine we're probably never going to use.
 
Soldato
Joined
25 Jun 2011
Posts
5,468
Location
Yorkshire and proud of it!
A fun one I had once was going over to the US to do a small job. I had a £ symbol in the password I'd set up with them which was fine until I had to use one of their laptops and there wasn't such a symbol on it. Nor could I log into the machine to do anything like look up the symbol online to copy paste it or change the keyboard settings.
 
Soldato
Joined
2 May 2011
Posts
11,892
Location
Woking
Well yeah, but it depends if we are talking about brute-forcing random logins, or trying to phish data for a targeted approach.

I use my best friend's address as my work password, so pretty unlikely that they would be able to link my work ID number, to me as a person, and then my best friend's home address :D

This doesn't make sense. People trying to crack passwords don't spend ages researching you and what you like. They try and crack your password by trying as many attempts as possible, so that password will be strong simply based on the fact that they would have to try millions of addresses in order to get to that password.
 
Soldato
Joined
22 Nov 2006
Posts
23,390
Yea some are just stupid. 3 random words and a symbol is enough.

This doesn't make sense. People trying to crack passwords don't spend ages researching you and what you like. They try and crack your password by trying as many attempts as possible, so that password will be strong simply based on the fact that they would have to try millions of addresses in order to get to that password.

Depends what they are trying to do. Many people are targeted.
 
Permabanned
Joined
9 Aug 2008
Posts
35,707
Brute forcing isn't what it used to be. Most services only let you try 5 times or something within a period of time and then it locks the account out so it can't be forced any more. You would never get a successful password from that account.
 
Man of Honour
Joined
19 Oct 2002
Posts
29,524
Location
Surrey
I don't mind password rules but this drives me nuts:

"Please click on all images with a store front in them"
click, click, click
"Incorrect. Please click on all images with a bridge in them"
click, click, click
"Incorrect. Please click on all images with hills in them"
Aaaaaaaaaarrrrrgghhhh!!
 
Associate
Joined
3 Oct 2008
Posts
1,403
The worst is when you have to remember them all for various sites. On this very site I forgot my password for the forums, and after 3-5 attempts you basically get IP banned / the site does not respond for 24-48 hours, so after waiting I think I know the right password and try again and nope, access denied. My own lazy fault, as now I just reset the password. :)
 
Permabanned
Joined
9 Aug 2008
Posts
35,707
The worst is when you have to remember them all for various sites. On this very site I forgot my password for the forums, and after 3-5 attempts you basically get IP banned / the site does not respond for 24-48 hours, so after waiting I think I know the right password and try again and nope, access denied. My own lazy fault, as now I just reset the password. :)

That's what a password manager is for, just make sure that doesn't get compromised.
 
Soldato
OP
Joined
1 Nov 2008
Posts
4,413
Brute forcing isn't what it used to be. Most services only let you try 5 times or something within a period of time and then it locks the account out so it can't be forced any more. You would never get a successful password from that account.

What if you get hold of a leaked database? Then presumably you could brute force the password for a specific user, which may give you access to that account if they haven't changed it, or expose a password pattern that they use, allowing you access to other accounts.
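The two sides of this exchange are both right, and the difference is where the guessing happens. A lockout counter only runs inside the login handler; a leaked table of hashes is guessed against offline, where no counter exists, so the only defences left are a slow, salted hash (each guess costs the attacker as much work as a real login) and rejecting passwords already known to be common, which is what the "hash search" earlier in the thread amounts to. The following is an added example written for this page, not code from any poster or product; the 5-attempt limit is the thread's figure, while the 15-minute window, the 200,000 PBKDF2 iterations and the small blocklist of passwords named in the thread are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque
from typing import Callable, Dict, Optional, Tuple

MAX_FAILURES = 5             # the "5 tries" lockout described in the thread
WINDOW_SECONDS = 15 * 60     # assumed lockout window
PBKDF2_ITERATIONS = 200_000  # assumed work factor; raise it as hardware allows

# Constructed blocklist: passwords the thread reports seeing in real tables.
KNOWN_BAD = {"correcthorsebatterystaple", "march19*", "may2019*", "june19*"}
KNOWN_BAD_SHA256 = {hashlib.sha256(p.encode()).hexdigest() for p in KNOWN_BAD}


class LoginThrottle:
    """Counts failed logins per account: the online defence the thread describes."""

    def __init__(self, max_failures: int = MAX_FAILURES, window: float = WINDOW_SECONDS,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_failures = max_failures
        self.window = window
        self.clock = clock  # injectable so tests can move time forward
        self._failures: Dict[str, deque] = defaultdict(deque)

    def _prune(self, account: str, now: float) -> None:
        q = self._failures[account]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, account: str) -> bool:
        now = self.clock()
        self._prune(account, now)
        return len(self._failures[account]) >= self.max_failures

    def record_failure(self, account: str) -> None:
        self._failures[account].append(self.clock())


def is_blocklisted(password: str) -> bool:
    """Hash-based lookup, the same idea as the 'hash search' described in the thread."""
    return hashlib.sha256(password.encode()).hexdigest() in KNOWN_BAD_SHA256


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256: every offline guess must repeat all iterations."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def attempt_login(throttle: LoginThrottle, store: Dict[str, Tuple[bytes, bytes]],
                  account: str, password: str) -> str:
    """Returns 'locked', 'denied' or 'ok'. The lockout is checked before hashing."""
    if throttle.is_locked(account):
        return "locked"
    salt, digest = store.get(account, (b"", b""))
    if account in store and verify_password(password, salt, digest):
        return "ok"
    throttle.record_failure(account)
    return "denied"


def per_guess_cost_ratio(samples: int = 5) -> float:
    """Rough timing: how many plain SHA-256 hashes fit in one PBKDF2 verification."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"guess", salt, PBKDF2_ITERATIONS)
    slow = (time.perf_counter() - t0) / samples
    t0 = time.perf_counter()
    for _ in range(samples * 1000):
        hashlib.sha256(b"guess").digest()
    fast = (time.perf_counter() - t0) / (samples * 1000)
    return slow / fast


if __name__ == "__main__":
    secret = "thecosmicpigeonenteredhitlerssingularityengine"
    store = {"alice": hash_password(secret)}
    throttle = LoginThrottle()
    for _ in range(MAX_FAILURES):
        print(attempt_login(throttle, store, "alice", "wrong"))  # denied, five times
    print(attempt_login(throttle, store, "alice", secret))       # locked, even though correct
    print(is_blocklisted("correcthorsebatterystaple"))           # True
    print(f"one PBKDF2 guess costs about {per_guess_cost_ratio():.0f} plain SHA-256 hashes")
```

The last line is the offline story in one number: against a table hashed with plain SHA-256 the attacker pays nothing per guess, while against this store each guess costs the same 200,000 iterations the login server pays, and the lockout counter never enters into it either way.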
 