'Password rules are bullsh*t!' Stackoverflow Jeff's rage overflows Jeff Atwood, founder of the popular coding site Stack Overflow, has published an extended and entertaining rant about the lamentable state of password policy among developers. The post, subtly titled "Password rules are bullshit," points out that the current format for password rules, such as including a certain mix of …
And there are systems that disallow Paste on the password field, so I have to carefully type in the long complex password that my password manager generated, and then again for the confirmation. Which of course means that if it's not a critical security risk site, I'll shorten that generated password to make it less of a bother.
For those fields, I tend to just hit F12 to open developer tools and edit the form element to include value="[long password here]" and then do the same on the confirmation box.
I've not found many sites that prevent paste on the password box you use to login, but for the few I do know about, I've written a little greasemonkey script that gives me paste back.
That's all assuming a site is worth the effort of actually doing any of the above, sometimes I'll just go elsewhere
This post has been deleted by its author
Sometimes it does, sometimes devs go to great lengths to keep your keyboard from working right. For example Google (groups? forget) likes to catch "/" with JavaScrape and move your cursor to a search text box, so you can't use it there to trigger FF's quick plaintext search like you've been doing forever, so you have to hit Ctrl+F, which was ...insulting. Anyway, ITYM Ctrl+V? On the side, drag-select = copy and middle click = paste, in the other clipboard. Give *nix a try.
"Drunk piano player... you can't hit nothin. In fact, you're probly seein double."
"I have two guns, one for each of ya."
put H&R Block on your 'naughty' list.
They do list all the varied symbolic crap you must include
They do NOT allow Ctrl+V pasting
They do NOT allow middle-click pasting
They do allow drag&drop from another program where I pasted the thing HAH TAKE THAT
They do have a glorious 15-character limit which pisses in my chili because
alias mkpass='pwgen -cnysB 16 1'
This post has been deleted by its author
This is my biggest annoyance. Restricted password length and not dealing with certain characters such as speech marks, semi-colons etc. It is hit and miss if the system will allow spaces in the password too.
While far from the perfect solution, allowing people to write sentences or phrases with spaces gives a lot more protection. We will still see "this is my password1" as the most common password there but you can't cure stupid.
There is still the issue that most people once they remembered a suitably long complex password will re-use that password everywhere, so it only takes one site to be compromised that has poor storing of passwords...
"Restricted password length and not dealing with certain characters such as speech marks, semi-colons etc. It is hit and miss if the system will allow spaces in the password too."
This. I recently came across a suggestion that colons crept onto lists of disallowed characters because it's used as a separator in the *nix passwd file, but that smacks of lazy programming.
Cargo cult programming is a style of computer programming characterized by the ritual inclusion of code or program structures that serve no real purpose. Cargo cult programming is typically symptomatic of a programmer not understanding either a bug they were attempting to solve or the apparent solution (compare shotgun debugging, deep magic).The term cargo cult programmer may apply when an unskilled or novice computer programmer (or one inexperienced with the problem at hand) copies some program code from one place to another with little or no understanding of how it works or whether it is required in its new position.
This is my biggest annoyance. Restricted password length and not dealing with certain characters such as speech marks, semi-colons etc. It is hit and miss if the system will allow spaces in the password too.
However, knowing which characters are not allowed can help you decide if the site is vunerable to SQL injection attacks.
"Come now, you're exaggerating. The only institutions using simple rules capped at 8 characters are the unimportant and trivial ones where security isn't really a concern, like banks. Oh, hang on."
The UK Gov's National Savings & Investment (NS&I) website did until fairly recently have a maximum password length of 8 characters. They did change it last summer to a longer limit of (IIRC) twenty characters. Much better.
Another annoying trick that many websites use is not to reveal the password composition rules until AFTER you've typed in your new proposed password. Then they tell you it's a maximum of 10 characters, limited special characters, and only lower case letters or something equally silly.
Oh, now you did it - you got me started on banks...
Like the ones that talk big about "security", then ask you to download and run an app about which you know absolutely nothing - supposedly to "enhance your security".
Like the ones that are wide open to MITM attacks, as Firefox warns me...
Oh yes, banks. My bank (a local chapter of a big international financial institution) had a period when they called their clients with offers, starting the conversation with asking them for... the password.
The first time it happened I was very close to actually calling the police. I could not believe it wasn't a scam. Later they changed the policy to ask about my personal data (like month of birthday). My answer was still the same: "You are calling me so it is me who verifies you". At least they never tell get to give me the offer, which is a bonus.
Yup. I still cannot fathom my bank when there is a security question about the use of my card calls me and asks me to verify my account _before_ they will even talk about the problem. They have my email, and even my cell # and could quite simply text or email me that I need to call them about an issue and call the number they provide on a part of their web site, heck even part of my account page after I have logged in. You simply can't fix that level of stupid an yet we TRUST banks?
>some systems that: impose a maximum length on passwords,
Thank you for not mentioning our flagship product, Windows 10, by name. We've been thinking about allowing more than 16 character passwords, but you know how it is.
Would you like a new WinPhone? Going cheap.
Yours,
Sinovskella
Hmmmm, all I know is that my cloud-backed Win 10 account (it's not my primary machine, I have very little confidentials on it so I couldn't be bothered to fish out what might/might not work wo MS Live or whatever) chokes on >16 chars outta the box.
Presumably for the reason you mentioned.
The exact cause is less important than the fact that the default, strongly encouraged by MS, set up has that limitation.
When a website asks for a password with at least 1 capital letter, most people tend to make it the first letter in their pasword...
And if people are forced to also use at least one or two numbers, you can be allmost sure they put those at the end...
Maybe it's time to educate people about password strength again...
Why not just have an increasing delay between logon attempts?
Car radio I had years ago started with a 5 second delay after the first attempt. Then just kept doubling. Doesn't matter how much CPU you throw at a problem if there's a 24 hour delay between attempts.
Password124 wouldn't be so bad then!
Pretty much everything already has protection in terms of repeated logon attemps, typically the account will get locked out after a certain number of failed logins or whatever. This password strength concern is about what happens when someone gets hold of the encrypted password DB and starts trying to decrypt it.
^^this^^
Putting a delay in after submitting each requst essentially moves the problem into a different space. Even is one can create a number of passwords at a prodigious rate, if the reponse to accept the submitted password is delayed, then the entire cycle is extended - by a lot.
It doesn't matter how fast you can create the passwords, it is how fast each one can be tested. This squarely puts the onis on the websites/devices to implement this.
I have a 10 year old Dell laptop and if one mistypes the BIOS boot password, it delays additional time (like 5 seconds more) for the next try and then on the 3rd time even more time. Try automating the cracking of that. This method has been used for at least 10 years, where the fuck are the website designers/operators?
It wouldn't even impact 99.99% of users, as they will enter their password correctly the first time, only retries (during a hack attempt). HELLO (Website Designers)...
This is one of "those" cases where faster (website response) isn't always better.
Of course this only applies to brute-force/dictionary attacks, cookies, sql injection etc, maybe not so much.
I don't think it necessarily implies the storing of failed logins.
One possible compromise would be that if the login is not successful, just delay the rejection response for a period of time, for example, 10 seconds. There's nothing stored, the entity attempting to login wouldn't attempt another. For this to work though a successful login response time may have to be randomized so that the bot doesn't immediately know after 2 seconds that its guess wasn't correct. On the plus side, radomized response times might help load balancing.
I have to admit, I'm not sure how websites handle simultaneous attempts at logging in with the same username - if it's allowed as multiple sessions or if there's a check to see if the user is already logged in. I suspect that this is implementation dependent as I've seen different behaviours from different sites.
Well, I'm sure nothing will come of the suggestion anyways, as with most security, it requires additional work (and money) which we all know businesses don't deem necessary. Not to mention the endless bitching from endusers that will result when it takes an additional second or two to login..
I don't think it necessarily implies the storing of failed logins.
One possible compromise would be that if the login is not successful, just delay the rejection response for a period of time, for example, 10 seconds.
So now you are open to DoS via resource depletion. What's your next plan?
One possible compromise would be that if the login is not successful, just delay the rejection response for a period of time, for example, 10 seconds.So now you are open to DoS via resource depletion. What's your next plan?
How so? So user Tom38 has a 10 second or so wait before his next login attempt shows up (some pages take longer than that to load!), or ip 118.234.567.8910 takes 10 seconds before the page comes through. How's that a DoS? Only those who have typed a wrong password get the delay. I fail to see how that is a DoS?
It does require the site to store failed login attempts though or at least flag accounts. Could not that be used in a site attack?
Only to get people's accounts locked out. My bank gives you a limit of 3 failed logins after which IIRC you have to visit a branch to reset the account. You may be able to do it via phone banking, but I believe it requires a branch visit. No, not going to test it!
Aside from getting people locked out, I can't see any attack vector from storing failed attempts?
Tell me what happens when there's been an infiltration attempt and Joe Bloggs user then attempts to logon - only to be told that next allowed logon attempt is in 24 hours? Or are you going to restrict by host/ip - which then restricts a whole system from logging on?
Tell me what happens when there's been an infiltration attempt and Joe Bloggs user then attempts to logon - only to be told that next allowed logon attempt is in 24 hours?
What's wrong with that? Many banks do that or make it so you have to visit a branch to get your account reset. If someone is trying to crack my account I'd much rather the account be locked out then they get another go in a few hours (that said, a few hours lockout is enough to make my account not worth touching)
Or are you going to restrict by host/ip - which then restricts a whole system from logging on?
3 failed attempts at IMAP/SMTP and a couple of other services on my system gets your IP blacklisted for 5 hours. 3 failed attempts at SSH gets your IP blacklisted indefinitely. To many failed attempts from your IP range gets your IP range blacklisted indefinitely, maybe with some notes to your ISP. Course, there's only a small few people who currently use my system so it's not an issue.
True, there should be protections against brute-force dictionary attacks, say, by increasing the delay between attempts. On the other hand, you need "defence in depth": if the password file is lifted through some sort of vulnerability, you need (at a minimum) to have those passwords salted and hashed. Not reusing passwords across sites is another sensible level of defence. Hope for the best, but plan for the worst.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
