back to article Either my name, my password or my soul is invalid – but which?

Try as I might, it won't go in. I have entered pretty much everything else so far but this time I'm getting a definitive "no". I respect that, of course, but it leaves me jolly frustrated. Despite all my powers of persuasion, I'm left standing in the cold with one hand on my lock. Yes, lock. The site keeps rejecting my …

  1. Anonymous Coward
    Anonymous Coward

    Why block Beatles songs as passwords? is it because we can work it out.

    1. Crisp

      Hey Jude

      Don't get hacked.

      Pick a bad password, and make it better.

      1. Anonymous Coward
        Anonymous Coward

        Re: Hey Jude

        It's easier to pick one with a little help from my friend.

        1. This post has been deleted by its author

      2. Elmer Phud

        Re: Hey Jude

        Nothing to get hung about

    2. Prst. V.Jeltz Silver badge
      Flame

      minimum password reset time

      ...casually sabotage his own monthly New Password prompts by changing his password 11 times immediately.

      Which is why you should set a minimum time between changes - just dont be monumentally stupid about it.

      I worked at a place (I.T. provider) where they had set the minimum time to longer than the maximum time on one of the customers systems.

      Result - Impossible to change password. Do the server team give a shit? no! they arnt the ones dealing with outraged and frustrated customers and setting everyones password for them manually - no small task on top of my extremely overworked day. This went on for months. I attempted ease the situation by asking questions like "Hey guys, what are the actual password rules as people seem to be struggling". I was met with vague shit like "oh , its gotta be 8 and have a number in it, i think"

      It took for me to dig out the gpo editor , dig into the AD and find the policy - and the problem and wavi it in their faces.

      I said that like they then did something about it didnt I ? no such luck , no shits were given , they couldnt see the issue?!? It took more weeks of cajoling and bitching upstream.

      First job I ever resigned from without having a new job ready.

      My girlfriend worked there a few months longer , doing the accounts , and suddenly had a load of extra work when their accounts server died with no known backups , all data lost and they had to re-enter what data they could find from whatever paperwork they had filed!

      This is an I.T company! That sells backup solutions!

      1. tfewster

        Re: minimum password reset time

        > Which is why you should set a minimum time between changes - just don't be monumentally stupid about it.

        Ugh, even that brings its own problems. Being told you can't change a password that's been compromised because the minimum time hasn't elapsed. On one of our systems, a privileged generic* account password is retrieved several times a day by different people, but can only be changed once a day. So a bunch of people can re-use the password all day, with no accountability for who did what.

        A long password history usually means you don't need a minimum time. Until you meet That Guy who ruins it for everyone:

        >>...casually sabotage his own monthly New Password prompts by changing his password 11 times immediately.

        * Yes, they should have individual logins. But the ancient application doesn't support that, OR auditing,

      2. Wensleydale Cheese

        Re: minimum password reset time

        "accounts server died with no known backups , all data lost and they had to re-enter what data they could find from whatever paperwork they had filed!

        This is an I.T company! That sells backup solutions!"

        Reminds me of the company that sold a lot of word processing solutions in the early 80s.

        Their invoices were done on a typewriter.

  2. Pen-y-gors

    University

    A certain university somewhere in mid-Wales has password rules that forbid anything like a dictionary word in just about any known language, and checks it. They must have a Cray handling the password validation.

    Contain both upper and lower case characters (e.g., a-z, A-Z)

    Have digits and punctuation characters as well as letters, e.g., 0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./)

    Are at least six alphanumeric characters long.

    Are not a word in any language, slang, dialect, jargon, etc.

    Are not based on personal information, names of family, etc.

    If I remember rightly, you can't reuse the last 30. But at least it only forces a change every year.

    1. Rich 11

      Re: University

      in just about any known language

      Does that include Welsh?

      (Thanks for that one, Red Dwarf.)

      1. David 18

        Re: University

        What a monumentally stupid university! They are just absolutely ensuring that their users will write it down, almost certainly somewhere stupid.

        Whenever the subject of password strength arises here, I refer them to this:

        https://xkcd.com/936/

        Don't get me started on bloody stupid biometrics - they should never be used for anything but identification, never authentication. I haven't made any friends pissing on the parade of breathless tech junkies extolling the virtue of their super-secure fingerprint enabled phones. "But it HAS to be super secure, it's NEW and BIOMETRIC!"

        1. Anonymous Coward
          Anonymous Coward

          Re: University

          What a monumentally stupid university! They are just absolutely ensuring that their users will write it down, almost certainly somewhere stupid.

          Which is why the "interview" social engineering attack works well.

          Go for an interview, wear video recording glasses, and take a GOOD look around the cubbicles when you're show around. Match up name plates to the sticky notes on the monitors, and using the Email address the interviewer gave you as the guide, you now have lots of usernames and passwords.

        2. Anonymous Coward
          Anonymous Coward

          Re: University

          One argument for biometrics is that they are harder to shoulder-surf, especially compared with something you're likely to be able to reliably type on a phone. I'm not sure how good an argument that is, but it's not obviously silly.

          1. Mark 85

            Re: Biometric Login...

            If want your login bad enough, I take your finger with me to the computer/bank machine, etc.

        3. Raging Bool

          Re: University

          Someone has actually generated a website to provide such passwords:

          http://correcthorsebatterystaple.net/

          1. Anonymous Coward
            Big Brother

            Re: University

            You really, really do not want to use a website to generate passwords unless you are extremely confident both in the code it runs, the hardaware it runs on and the security of the connection between you and it.

            1. Doctor Syntax Silver badge

              Re: University

              "unless you are extremely confident etc."

              And the people running the site.

            2. The First Dave

              Re: University

              What I always do is generate half a dozen or so, and pick portions from each, so they have no way of knowing what I used, even if they can work out who I am, etc.

      2. herman

        Re: University

        Is Welsh a language?

    2. Prst. V.Jeltz Silver badge

      2 factor

      if the second factor is merely a detoured PIN sent to your smartphone: all a thief has to do is nick your phone and he sits and waits for the second password to light up in front of him.

      but , but , 99.% of people hacking your password have no idea who or where you are and probably arnt in the same country! so its not that easy for them to whack you over the head in the study with the metal pipe and nick your phone!

      1. earl grey
        Trollface

        Re: 2 factor

        whack you over the head in the study with the metal pipe

        Er, no. I think it was in the kitchen with a knife.

    3. David Roberts

      Re: University

      A!a?0@

      B!b?1@

      etc.

    4. Giovani Tapini

      Re: University

      and that is precisely why they get written on post-it's and left around

    5. Anonymous Coward
      Anonymous Coward

      Re: University

      Don't get me started. I've seen password policies by committee where the various factions couldn't be appeased, and now it's a four-branch combination of alphabet size and minimum length. I'll try to push for "min length 12, must contain 16 distinct letters" next time just to see if they twitch.

      1. kain preacher

        Re: University

        Make sure to include one special char and 2 Cyrillic numerals

      2. J.G.Harston Silver badge

        Re: University

        How about maximum length 12, must contain 16 distinct letters?

        1. Roland6 Silver badge
          Pint

          Re: University

          >How about maximum length 12, must contain 16 distinct letters?

          You mean it is possible to get a quart into a pint pot!

    6. Anonymous Coward
      Anonymous Coward

      Re: University

      *koff* That's almost certainly where I work. In the, *ahem* same department that makes these policies. It is a royal PITA changing passwords. Although, last time having rejected every complex definitely-not-a-word-in-any-language password I tried, the system suggested a much simpler, less complex alternative that was more acceptable to it.

      *shrug* Go figure.

      And yes, words in Welsh are also banned ;-)

    7. Stoneshop
      Trollface

      Re: University

      a dictionary word in just about any known language

      SQL?

      1. Waseem Alkurdi
        Joke

        Re: University

        That's like five words (dunno, SELECT, WHERE, FROM, DELETE, ADD?)!

  3. Anonymous Coward
    Anonymous Coward

    "Wrong" email addresses

    I do remember some years ago, that some sites where a bit "snobby" and not excepting users that had email accounts from the likes of Hotmail and Yahoo.

    1. Joe Werner Silver badge

      Re: "Wrong" email addresses

      And those idiot web interfaces (faeces?) that insist a domain name cannot contain a hyphen (well, a -).

      Most of my addresses have that. My domain names have them, my last two or three workplaces have that...

      Idiots.

      1. NonSSL-Login
        Meh

        Re: "Wrong" email addresses

        I know someone with an apostrophe in their email address, due to their irish O'whatever name. Despite the fact it's 50/50 whether the receiving email server will accept it or not, the admin has never enforced a policy that removes it when creating accounts.

        What annoys me is when you have to login somewhere else and it's not obvious they have a different country keyboard layout. Those special characters are not where they are supposed to be. So do I devise new passwords which only uses the characters that don't move say between US and UK layouts, thus weakening the password due to less entropy, or use them and struggle to login some places?

        Decisions!

        1. Robert Carnegie Silver badge

          "By pressing down a special key - It plays a little melody"

          In principle, whatever you type as password can be represented as character bytes in hexadecimal notation, or even just decimal (numbers). So, restricting the character set just means that each symbol has fewer random options, but you can make the whole thing more random again by making it longer. No special keys required.

          In practice, when I assigned random hexadecimal codes as passwords for a fleet of servers, some were rejected. Not apparent why, but I got around it by changing the format from 1a2b3c to 0qz1a2b3c - the start always being 0qz, the rest being random.

          When I had to change them all again, I used 1a2b3cqz0 - new random numbers, and qz0 at the end, so that the new password wasn't "detected" as "too similar" to the old one.

          Also if there is a fixed length - such as Wi-Fi key - then don't skimp on the randomness. I think that random alphanumerics are good enough in practice, though - although each character has about 5 or 6 bits of individual self-expression instead of 8. But a sentence in English has about 1 bit per character of variety, I think.

      2. I am the liquor

        Re: "Wrong" email addresses

        Plenty of systems won't accept emails where the TLD is more than 3 characters, because they used some half-baked regex copied off Stack Overflow. It was wrong long before the recent TLD proliferation, too: .museum has been around since 2001.

      3. WallMeerkat

        Re: "Wrong" email addresses

        Once had a friend with an email address that was similar to (but not) a.b.c@d-e-f.co.uk

        It was a useful one for testing email validation, the amount of times some web app would refuse to accept it showed that the devs were using some useless regex from the first search result that was stack overflow.

        1. J.G.Harston Silver badge

          Re: "Wrong" email addresses

          Why on earth is anybody using any sort of regex on email addresses? The only entity that knows - that is *capable* of knowing - if a particular email address is valid or not is the receiving email mailbox. This is as moronic as those sites that scream at me that my telephone number is wrong - the telephone number that is printed on my telephone right in front of me.

          The ***ONLY*** testable thing you can apply to an email address is that is has a '@' in it. (I used to say exactly one '@' and at least one '.', but I have a nagging feeling something like admin@net is fully legal.)

    2. DropBear

      Re: "Wrong" email addresses

      I'd say not excepting those users would have been the preferable approach...

    3. Roland6 Silver badge

      Re: "Wrong" email addresses

      I still encounter sites that don't accept email addresses with 3 character domain names, fortunately all, so far, have accepted gmail.com instead...

      But as Alistair alludes to, unless you have kept good notes (ie. little black book or used a password manager), it can be a bit of a nightmare when you revisit such a site and simply automatically enter your normal username...

      1. Wensleydale Cheese

        Re: "Wrong" email addresses

        Apostrophes in email addresses fall foul of some sites.

        If you look it up, they are perfectly valid. According to an Irish acquaintance with a name starting with O' it's quite good at minimising the spam he gets.

        1. Anonymous Coward
          Anonymous Coward

          Re: "Wrong" email addresses

          a + in an email address is valid, and a very useful way to track who is leaking your email address as you can use unique gmail addresses when you sign up for crap stuff which all go into your single mailbox but I've found plenty of places will not accept it as a valid email even though it complies with rfc2822

          1. WallMeerkat

            Re: "Wrong" email addresses

            Though there was that one time I actually *won* a competition.

            Found out by phone though.

            "Congratulations you won!

            ... we usually notify by email but we think something went wrong with our system as your email address is coming up as wall.meerkat+ourcompany@gmail.com"...

            1. Stoneshop
              Holmes

              Re: "Wrong" email addresses

              ... we usually notify by email but we think something went wrong with our system as your email address is coming up as wall.meerkat+ourcompany@gmail.com"...

              Couple of years ago I ordered some stuff from a webshop, using my standard pattern of "myname.webshop@surname.net". This resulted in them calling me to acknowledge the order, as their confirmation mail kept not getting sent (apparently they did pay attention to such things, good on them) and with it them expressing surprise at me having an account on their mailserver.

              Their software apparently had some hitherto unknown knicker-twisting properties

          2. Flexdream

            Re: "Wrong" email addresses

            Works with @hotmail.com too

        2. MOH

          Re: "Wrong" email addresses

          Yep, they're perfectly valid. Didn't stop Aer Lingus refusing to accept them for the first few years of online booking

        3. Anonymous Coward
          Anonymous Coward

          Re: "Wrong" email addresses

          "an Irish acquaintance with a name starting with O' "

          Oh, you know Robert O'Tables?

          1. Anonymous Coward
            Anonymous Coward

            Robert O'Tables

            "Robert O'Tables", love it!

            One of the people at my workplace not only has an Irish family name, but whose personal name is from another European language and contains an accented letter. I perhaps use this person's record on my dev server rather more than some others, as it's a really great name to test many corner cases or potential input/output data validation/security risks.

            1. Doctor Syntax Silver badge

              Re: Robert O'Tables

              "an Irish family name ...I perhaps use this person's record on my dev server rather more than some others"

              A certain large systems house on whom we all like to pour scorn were repeat offenders in sending badly formed XML with Irish names. After we'd explained it all to the developer doing the work they got it right. A few months later the developer we'd trained had had his visa run out and been replaced by another import, all ready to screw it up again.

        4. Loud Speaker

          Re: "Wrong" email addresses

          I take it your friend's name is O'DROP DATABASE';

    4. Wensleydale Cheese

      Re: "Wrong" email addresses

      "I do remember some years ago, that some sites where a bit "snobby" and not excepting users that had email accounts from the likes of Hotmail and Yahoo."

      That used to be a good way of avoiding spammers signing up for the sole purpose of posting a load of links.

    5. Anonymous Coward
      Anonymous Coward

      Re: "Wrong" email addresses

      It's still happening today, some don't accept email addresses from free email services - probably they believe you've just created one to give 'em to hinder them harassing you for the next several years...

      1. Elmer Phud

        Re: "Wrong" email addresses

        Shirley not!

        And no one ever uses them for FB accounts, either,

      2. Doctor Syntax Silver badge

        Re: "Wrong" email addresses

        "some don't accept email addresses from free email services - probably they believe you've just created one to give 'em to hinder them harassing you for the next several years."

        No problem. I use a paid email service and create addresses to stop them harassing me for several years. What's more, if I think I might need to use the service in the future I can keep the address in place but just set it to bounce until the occasion arises.

    6. David Nash Silver badge
      Facepalm

      Re: "Wrong" email addresses

      I seem to remember also that some sites only accepted email addresses from what they considered to be proper email, ie. hotmail, etc. Anything else wasn't a "known" email so was rejected.

    7. Hans Neeson-Bumpsadese Silver badge

      Re: "Wrong" email addresses

      "I do remember some years ago, that some sites where a bit "snobby" and not excepting users that had email accounts from the likes of Hotmail and Yahoo."

      In my recent experience I found the exact opposite. I tried signing up to The Times website so I could read news articles and it utterly refused to accept my email address (I have my own domain). Seeing as it wasn't for anything particularly important I used a throwaway Gmail address and sign-up worked first time.

  4. Anonymous Coward
    Anonymous Coward

    Idiot password checkers

    I use random (and I mean random: generated from proper randomness) strings of dictionary (/usr/share/dict/words / /usr/dict/words) words as passwords (well, passphrases). It's easy to show that these, if they are long enough, are harder to guess than normal line-noise passwords (the alphabet the symbols are chosen from is much bigger, the symbols are randomly chosen). But I still have to add a little bit of line-noise to the end of them to keep the stupid 'must be line noise' checker happy.

    1. Robert Carnegie Silver badge

      Re: Idiot password checkers

      For a password to remember, and easy to type: 6 random distinct consonants, then 2 numerals. I usually grab 20 letters https://www.random.org/strings/?num=1&len=20&upperalpha=on&unique=off&format=html&rnd=new - shuffle at random and pick out letters that fit e.g. Robert Carnegie -> Rbtcng95 (I don't actually use my name for this). That's the password, but to remember it, pick words that represent 5 or 6 of the letters. I find that after a few days, remembering the words e.g."Robot carnage" (possibly my name spell checked) brings up the letters and the numbers as well.

      An online password checker spotted that "Fiqbly45" contains a given name (Bly) and a dictionary word (Fiq with a Q, evidently), it must be a fiend at Scrabble.

    2. veti Silver badge

      Re: Idiot password checkers

      That's fine, but is it any more memorable than just a random string of gibberish?

      I've tried lots of approaches over the years. This is my current favourite.

      1. Anonymous Coward
        Anonymous Coward

        Re: Idiot password checkers

        Based on my experience (so, OK, sample of one, self-selected), passphrases made from random words are much easier to remember, yes. I think this is because we have specialised machinery in our heads for dealing with natural language, and while we don't have specialised machinery in our heads for dealing with written language (too recent, evolutionarily) the more general-purpose machinery we've trained to deal with it turns out to work really well. So if you see a string of words in a natural language you speak then you're remarkably good at remembering them even if they are randomly chosen.

        This works, surprisingly, even if you have never seen the words before: I just ran my generator for a three-word passphrase and it came up with 'cinephotomicrography franchisal lineation': I don't think I've ever used any of those words, or probably even seen them before, but I typed all but the first without looking back at the window I'd covered.

        1. Spamfast

          Re: Idiot password checkers

          XKCD again as mentioned earlier.

          But the problem is that many systems won't let you use passphrases. Either they won't accept passwords that long or they insist on 'at least one upper, lower, digit, rune' etc as in Dabbsie's original article.

          Every place I go I email the IT admins the link to the XKCD cartoon but unfortunately your average Microsoft-only IT bod doesn't understand what 'entropy' means - or anything else about real, effective security.

          Also, Windows only supports the 'enforce password compexity' (runes!) option so that's what the IT twonks enforce.

          1. John Miles

            Re: Idiot password checkers

            Different cases are easy to deal with - You naturally put a capital for a name or first word of phrase or sentence and rest lower case. You can include a number in the phrase or a word that sounds like a number and there are some symbols that can be substituted for words - so you could take the correct horse battery staple" and turn it into "correct horse and battery free staple" which becomes "Correcthorse&battery3staple" which I find easy to remember and type and still meets the stupid password rules (unless they limit length too short)

            1. veti Silver badge

              Re: Idiot password checkers

              (unless they limit length too short)

              Which they normally do. Honestly, what percentage of sites even allow you to have a password of more than 16 characters?

              Worst of all, those that allow you to enter such a password, but silently truncate it without telling you. Then reject the full password when you enter it later.

              I've learned to limit myself to 10 characters. Most places accept that. OK, it's not as secure as it could be, but like the old joke says: "I don't have to run faster than the bear, I just have to run faster than you". There are plenty of people way easier to hack than me, and that's what matters.

    3. Shadow Systems

      Re: Idiot password checkers

      I like to use Elder Runes. It means my password is unique & anyone attempting to say them aloud winds up summoning an Elder God. It's a self-Darwinian method of password security. =-)p

      1. Anonymous Coward
        Anonymous Coward

        Re: Idiot password checkers

        Well, yes, of course. I didn't specify what /usr/share/dict/words on my machine contains, or exactly what LANG is set to, and perhaps I should not do that.

        I have found an interesting thing regarding this: encryption is not enough. Even looking too closely at the encrypted contents of the disk is enough to cause quite nasty things to happen to potential eavesdroppers. The results are usually fatal, and I imagine the eavesdroppers are glad of that, at least until their minds go.

    4. Spamfast

      Re: Idiot password checkers

      #!/usr/bin/python3

      import secrets

      with open('/usr/share/dict/words') as f:

      words = [l.strip().lower() for l in f.readlines()]

      xkcd = ' '.join([secrets.choice(words) for i in range(4)])

      print(xkcd)

    5. Anonymous Coward
      Anonymous Coward

      Re: "proper randomness"

      You should bottle that up! I hear it is very sought-after.

  5. krivine

    Plus sign in email addresses is often fun

    When registering with some sites I add '+${siteName}' between my username and @. This makes for easier classification using Gmail labels. Many sites reject the plus sign, although it's a valid character in email addresses. Morrisons supermarket took it one step further, by letting me register username+morrison@gmail.com, but then refusing to let me log in with it. I gave up on them.

    1. Andraž 'ruskie' Levstik

      Re: Plus sign in email addresses is often fun

      Yeah - I ran into that one way to many times. At least the register lets me do it.

    2. Pen-y-gors

      Re: Plus sign in email addresses is often fun

      I find it's easier to have an extra domain e.g. getstuffed.org.uk and then use different names for every site - tesco@getstuffed.org.uk, ukgov@ etc.

      Forward everything to another a/c but it's handy for throw-away things.

      1. Doctor Syntax Silver badge

        Re: Plus sign in email addresses is often fun

        "Forward everything to another a/c"

        Why? Just use that domain as your email domain. All the aliases come into a single mailbox (you can check the alias name in the To: field if you need to see who spammed) and set up, tear down or set to bounce as you please.

    3. 's water music
      Trollface

      Re: bait and switch sign up

      Morrisons supermarket took it one step further, by letting me register username+morrison@gmail.com, but then refusing to let me log in with it. I gave up on them.

      A rarer favourite of web coders who have grown bored of "you failed my validation but if I tell you hwo I'll have to klill you" is to accept an overlong password value and simply truncate it to the length they were anticipating before creating your account. Similar fun can be had with the username. Those super secure password/unique email wonks don't like it up 'em.

    4. Anonymous Coward
      Anonymous Coward

      Re: Plus sign in email addresses is often fun

      I had an account on photo.net which (a) changed at some point so it would not let me use my account-with-+-in-it and (b) kept on sending me junk mail to that address and ignored my requests to delete it or make it work again. If I had more than one suitcase nuke I think I would have used one of them to deal with this cretinism.

      There are, I believe, RFC-822 parsers out there (as in: there are hundreds): why can't these fuckwits just use one to tell if email addresses are valid rather than use some half-baked regexp of their own devising which doesn't actually work.

      1. Richard 12 Silver badge

        Re: Plus sign in email addresses is often fun

        No. Just no.

        You should never, ever attempt to "validate" an email address.

        Ok, it's worthing checking that it's got at least one "@" followed by at least one printable character, but beyond that?

        Not worth the cycles.

        Just send an email to it - after all, you don't actually care whether it's RFC compliant, you care whether there's a mailbox at the end of it.

    5. Flexdream

      Re: Plus sign in email addresses is often fun

      The + label is a great tip. Seems to work with @hotmail.com too.

  6. Vagnerr

    Got to watch those password lengths

    I have had at many experiences where there was an upper limit on the password length ( usually a red flag that they may just be saving passwords in plaintext). No big problem usually as I generate random passwords anyway but its a bit of a shame if it has to be a shorter one.

    However...

    On one occasion the max password length was 20 characters. Not bad. ... Except that was the limit for creating the password. The limit for entering your password to login was only 18 characters! </slowhandclap>

    1. Justicesays

      Re: Got to watch those password lengths

      Similar very recently.

      Set a password (randomly generated).

      Copy and paste same password into login box - doesn't work?

      Read login FAQ :

      Passwords cannot contain quotes(")

      Then WTF did you

      a) let me set one with a "

      b) put "must contain a special character such as a symbol" in the listed rules , but not point out that excludes "

      Not to mention it implies your back-end is vulnerable to injection, and your covering it up with sticking plasters.

      In anther case, putting "#!/bin/bash" as part of a long password worked for the game login, not so good on the website as it was eventually blocked by the websites IPS as a potential injection attack... The password change tool was on the website...

      1. Spamfast

        Re: Got to watch those password lengths

        SQL injection is ridiculous. They take some random HTTP POST value and concatenate it onto a SQL statement and run it? Duh!

        Even if they run it through a sanitiser it's a risk and moreover it's ridiculously inefficient.

        Every program (web service or otherwise) I've ever written that takes user input (or input from a comms channel) for an SQL (or "a Sequel" if you prefer) query binds the input variables to placeholders in the query string. Usually the statements are pre-prepared since that avoids a layer of parsing for frequently executed statements.

        This is trivially easy to do in PHP, Python, Perl, Ruby etc. and not much more complicated in C/C++ with most client libraries.

        To paraphrase Holly, "The highest form of life in the universe is Man and the lowest is a man who works as a web developer."

        1. Loud Speaker

          Re: Got to watch those password lengths

          SQL (or "a Sequel" if you prefer)

          No

          Sequel was something entirely different - an IBM product predating SQL. MS don't want you to know this. Sequel was NOT GOOD.

          Emojis of sexually explicit vegetables should only be used for passwords on porn sites. Think of the children!

        2. Dave559 Silver badge

          Re: Got to watch those password lengths

          > To paraphrase Holly, "The highest form of life in the universe is Man and the lowest is a man who works as a web developer."

          I agree very emphatically with everything else in your comment, apart from that sentence. Yes, there are a lot of numpty so-called web developers out there, but not all of us!

    2. Flexdream

      Re: Got to watch those password lengths

      I most enjoyed the system which rejected three different new passwords for being non-compliant without saying why, then locked me out for three failed password change attempts.

  7. Wensleydale Cheese

    "It's not a lack of awareness, it's a clear admission from within the security industry itself what a pain in the arse it is to sign in again and again dozens of times a day with different credentials."

    BTDT. Back when I was managing a fleet of servers I had to login to over 20 different system after a network outage. These were systems which would lock you out after too many password failures. A single password per group of logically related systems was the sanest choice.

    Fortunately there was a smartcard system for the PC, so at least I didn't need to remember all the separate passwords for mail, timesheets, project management systems et al that ran on that.

  8. imanidiot Silver badge

    Nothing wrong wirh reusing passwords

    I reuse the same password or a variation thereof on multiple sites. None of them critical ofcourse. Thing like my spam email, fora like El Reg, etc, that don't contain payment info and the like all use the same password. Banking and work accounts ofcouse get their own passwords

    1. paulf
      Thumb Up

      Re: Nothing wrong wirh reusing passwords

      About 8 years ago a system I use regularly started enforcing password changing via AD. There was much grumbling as the change timer is about 3 months and the old password cannot be a prefix of the new password which immediately rules out changing totalBollocks to totalBollocks1. Then someone pointed out to me that adding numbers into the password means it's treated as a completely different password. Thus:

      totalBollocks

      total1Bollocks

      total2Bollocks

      are all unique passwords.

      This has served me well for the last 20 odd password changes.

      1. Anonymous Coward
        Anonymous Coward

        Re: Nothing wrong wirh reusing passwords

        Well, the system is (you hope) storing only hashes of the passwords, so when changing password it can know, at most, the current and new plain texts and the hashes of the previous n passwords. So the very best it can do is ensure that the new password is sufficiently different to the current one and that it is different in some way (but now how different) from the previous n.

  9. bondyboy

    Barclays for security?

    I always smile at the irony of all the Barclays "we care about security" messages after having to deal with one of their bank accounts that was being used to funnel scam money through having its address changed to mine.

    Nine separate contacts to Barclays informing them of this error and scam yet the account was still open 3 months after I first reported to them, on average each month saw around £40,000 coming in and being transferred out, who says crime doesn't pay?

    1. Pen-y-gors

      Re: Barclays for security?

      If you can document it, that sounds like some sort of offence has been committed by Barclays.

      1. Justicesays

        Re: Barclays for security?

        From

        https://www.gov.uk/government/organisations/hm-revenue-customs/contact/money-laundering

        Report suspicious activity

        Call HMRC if you’re an individual who needs to report suspicious activity in relation to money laundering.

        Telephone:

        0800 595 000

        Opening times:

        24 hours a day, 7 days a week

      2. Anonymous Coward
        Anonymous Coward

        Re: Barclays for security?

        You have to understand: Barclays has a special "scandal deployment department" whose job it is to regularly involve the company in high profile scandals - allowing the in-crowd to short the stock, and then buy it back on the cheap, just after the fine is paid.

    2. Roland6 Silver badge

      Re: Barclays for security?

      Barclays used to be good about security, they initially provided Prevx (now integrated into Webroot) to their customers and then swapped this for Kaspersky. But since the US campaign against Kaspersky they haven't offered a free securtiy tool to their customers...

      But hats off to them for their scamming awareness campaign.

    3. Tromos

      Re: Barclays for security?

      Their current TV campaign is actually badly flawed as far as security is concerned. The message it puts over is to never reveal your full PIN. What it should be saying is to never reveal ANY part of your PIN as no genuine bank will ever ask for it. Your bank might ask for a couple of characters from a security code, but this is completely different from a PIN.

  10. Elmer Phud

    Customer Delight Providers

    The Seamstresses of the IT world.

    1. paulf
      Mushroom

      Re: Customer Delight Providers

      If some jumped up MBA type PHB (or shyster HR skank, for that matter) changed my job title from something meaningful to "Customer Delight Providers" the dying embers of their lifeless corpse would be in the bottom of a skip by the end of the day; their only company being the charred remains of the piss stained mattress, which every skip seems to contain, that was cremated with them.

      Sorry, It's been a long week and I think we ran out of Coffee by Wednesday afternoon.

      1. Teiwaz

        Re: Customer Delight Providers

        Sorry, It's been a long week and I think we ran out of Coffee by Wednesday afternoon.

        Priceless....

        I'm in the same mood, but all I've had to drink all week is coffee (although, might be a fair amount of whisky in it).

    2. Lyndon Hills 1

      Re: Customer Delight Providers

      better than deskside support, which often got auto-corrected to the strangely appropriate despised support..

    3. Teiwaz

      Re: Customer Delight Providers

      Customer Delight Providers

      The Seamstresses of the IT world.

      hem, hem. Oh, and two needles.

  11. Nila

    Gave up on stupidity a while ago

    It would not be too bad if all sites password complexity rules would be the same letting me use the same password for all irrelevant sites. Anyway - the only reason you need to register and log on to most of them is so they can send you spam.

    Now I just use "forgot my password" link and enter a new password of required giberrishness every time I need to log on. Even with extra hops it is much easier and even quicker than to come up with and remember unique passwords for each site. I do have a proper password for my email...

    I wish login prompts for all sites would contain their password policy upfront - so I can enter required additional symbols in required quantity after my normal password. As it is now I have to go over password reset procedure every time to find that out...

    So that's security for you.

    1. Nick Ryan Silver badge

      Re: Gave up on stupidity a while ago

      I'm speccing a new website service and am semi-seriously contemplating not bothering with passwords at all and just emailing the user a one-shot login code. It's not the kind of website service that a user is going to use very often, I suspect once ever or maybe once every year or so and forcing a user to deploy yet another password just for this seems a but silly when I suspect that the most commonly used function on the site will be "reset password".

      1. DanielsLateToTheParty

        Re: Gave up on stupidity a while ago

        "contemplating not bothering with passwords at all and just emailing the user a one-shot login code"

        I too have a pending website due and this sounds ideal. Will pitch it to the client right away! Thanks for the suggestion.

  12. This post has been deleted by its author

  13. Dr_N
    Black Helicopters

    " If I'm facially scarred in a road accident, for example...

    ...my biometric passport will no longer work."

    They aren't that clever. You'd still be able to fly.

    1. Anonymous Coward
      Anonymous Coward

      Re: But...

      They don't let him sit up there after the LAST time. So now he has to let the pilot do all the flying.

  14. Halcin

    DNA to replace passwords? Has no one seen Gattaca?

    I was also going to say that replicating DNA is "easy" for those that know how. But even easier would be to say "bleed on this will you?"

    1. Teiwaz

      DNA to replace passwords? Has no one seen Gattaca?

      I was also going to say that replicating DNA is "easy" for those that know how. But even easier would be to say "bleed on this will you?"

      Gattaca? I thought it was a dreary Corporate training film....

      There's DNA in piss* isn't there? That's always an option

      * there is in faeces, hey, if they want a sample, might as well have something I'll be dumping at some point during the day anyway. I prefer to get lightheaded and trippy in my own time.

      1. Doctor Syntax Silver badge

        "there is in faeces"

        A lot of it is bacterial.

        1. Anonymous C0ward

          Probably some from the various animals I've been eating too.

    2. Doctor Syntax Silver badge

      I was also going to say that replicating DNA is "easy" for those that know how.

      Of course it is. I've been doing it all my life.

  15. PerlyKing
    Facepalm

    Really special characters

    I recently had to do a factory reset on my Android phone. When it came to signing in to my Google account afterwards, I discovered that my randomly-generated password contained a character which is not available in the stock Android keyboard. Now that's secure! ;-)

  16. Doctor Syntax Silver badge

    Let's call out the bollox of using email addresses as login IDs. A user ID and a password taken together are a long string. Doesn't it make it easier to guess the string if you're given half of it? And an email address is one thing that you do tend to give out. It's a mitigation, but no more, if you're able to set up individual addresses for individual sites but the basic rule should be to have email address as a separate field.

    Example 1. PayPal. The ID is the email address. OK, I can set up a unique address for this but I then find that hands out that address to merchants. Evidence? I had to change the PayPal ID (a pain in itself) because a merchant to whom I purposely hadn't given an email address decided it was a good idea to spam me using my PayPal ID. So PayPal, acting as a banker in that it's able to handle my money, is happy to hand out half my login credentials to a 3rd party. I'd like to think that they've stopped that crap under GDPR but I don't expect they have.

    Then there's the assumption that an email address is a guaranteed to be unique and permanent ID personal. It's neither.

    It doesn't necessarily have to be a unique individual address. Companies who adopt this tactic are quite happy to tell you to contact them on something like sales@numptiesrus.crap.

    And it certainly doesn't have to be permanent, especially if it's an ISP provided address.

    Example 2. I have a login at IBM which includes the name of my second (or last but one) ISP who, before I left them, had been taken over at least 3 times and hasn't been a valid, or at least a used, email address for at least 10 years. They won't allow it to be changed but do at least allow a separate, working, address to be provided.

    1. David Nash Silver badge

      Paypal

      Agree - I too had the experience of giving a merchant my preferred email address for them, and receiving email from them to my paypal login instead.

    2. Loud Speaker

      The purpose of using an email address for login is that the average idiot can remember his email address. He probably can't remember a password with more than 4 characters, but he can use the "reset password" button - much easier than typing 32 character passwords.

      1. Anonymous C0ward

        The other reason, is that anything other than randomly generated gibberish, even firstname+lastname+birthdate-of-first-hamster, is usually already taken.

    3. J.G.Harston Silver badge

      But an email address is the only thing that is close to 100% going to be unique to you and nobody else. JohnSmith? Millions of them. InitSurname? Millions of them. XYZyyymmdd? Thousands of them. youremail@yourdomaim? ONE. By definition.

      I had to set up a user list for just 30ish people. I hadn't got past 'A' before getting a clash with almost all naming methodologies.

  17. Anonymous Coward
    Anonymous Coward

    retarded rules on password

    "I should have known he'd come up with a daft suggestion like that. This is the bloke who would casually sabotage his own monthly New Password prompts by changing his password 11 times immediately and, for the twelfth, reset it to his old one again so he could carry on as before. He even kept his 11 non-passwords on a sticky note attached to his display bezel so that he could run through the same routine in the same order every month."

    I have no idea how "pro" security IT don't see incoherent/retarded AND different across multiple systems password rules in the SAME company, with different expiration dates of course, would do anything in favor of security !

    Every single staff I know in mine is doing as follows:

    - get the magic prefix that works on all systems

    - increment the number every change

    End of the day, there is virtually NO change in passwords ! It's not possible nor manageable !

  18. Katy_B

    I've noticed that many government sites which deal with things like your tax and NI record, and also most banks, will not accept special characters in passwords. Some don't even call for a capital letter as long as you have a numeral in there.

    It may be just me but I would have thought that banks and the government might think safer passwords were a good idea?

    1. Robert Carnegie Silver badge

      p!a!s!s!w!o!r!d!

      It's not really safer. And some systems choke on non-alphanumeric symbols in a password - I suspect one of our systems can't take a !

      A password of 8 genuinely random letters is safe. I standardise on Abcdef78 - as format, not as actual password - as concession to stupid system rules (and with all consonants, like I think I said above), and I put ! at the end if I really have to. But a password of a word with $ for S isn't safe because hackers have already got all those combinations in their dictionary.

    2. J.G.Harston Silver badge

      The HMRC site barfs on "special" characters anywhere you use them. "Note: 50% of income in 2015-16 after the first £500..." Barf! Sorry, can't accept that! No reason given, but by experimentation you have to remove : % - and - !!!! - £. When trying to submit your bloody taxes!

      1. AndyFl

        I share your pain

        Yes, you cant even put a <CR> into the box where you add more information which makes it close to impossible to write anything even remotely readable when it is more than a few word in length.

        And as for prohibiting the percent sign! Words fail me - it is a fscking finance site!

        I have several times put a complaint into the feedback link - never got a response either.

        I had a huge problem signing up on the HMRC site in the first place as I was in Qatar. The password mail took 3-4 weeks to arrive but was only valid for 2 weeks. When I called them up to ask what I was supposed to do they suggested I got it sent to someone in the UK who could phone it to me. I think they have completely lost the plot. After all, what is the point of insisting they send out a super secret code then because they fscked up the expiry telling people to send it to someone else!

    3. J.G.Harston Silver badge

      HMRC won't even accept "special" characters in the damn text fields! You have to spell out £ % - & + / in full. Won't even accept newlines, so you have to run everything in one huge paragraph like Infant School.

  19. Anonymous Coward
    IT Angle

    Obligatory Dilbert reference

    He feels your pain.

    http://dilbert.com/strip/2005-09-10

  20. AndrueC Silver badge
    Facepalm

    I had a similar issue when I tried to sign up with Samsung several years ago (I had a good reason, I wanted a firmware update for my TV so I could get into the engineering console). Anyway it refused to let me create an account so eventually I had to resort to a less legitimate source. I've since found out that it was my DEA system that caused the problem. Samsung will not let you register an email address with 'samsung' anywhere in it. Of course it never actually tells you that :-/

  21. CAPS LOCK

    I would have thought that, by now, everyones password would be

    correcthorsebatterystaple. Mine certainly is.

    1. TomPhan

      correcthorsebatterystaple

      Our in-house training still recommends that as an example of a secure password.

  22. allthecoolshortnamesweretaken

    Re: "I bet you wish I'd captured all this on my webcam."

    Yes.

  23. Terry 6 Silver badge

    Teachers' passwords

    I used to see a lot of schools. In September everyone's password had either expired because it ran out at the end of the previous month, or been forgotten. If the former there'd be a queue to call IT support for the first day or two. If the latter it'd be post-it search time or a call to IT......

    Except for the teachers that had a memorable password and stuck a number on the end. They'd be the ones logged in and getting lesson plans and stuff printed before the kids came in. The others would be huddled in a panic waiting for their turn to talk to IT and trying to remember what it was they'd spent hours planning a couple or three weeks earlier.

  24. Anonymous Coward
    Anonymous Coward

    Stupid email address checks are the worst.... Most annoying* is FaceBook, which prevents you from using email addresses whose name is "mail", ... tough luck if your address is "mail@<mydomain>.com".

    * Though in hindsight, maybe it's a good idea to have a "fb@<mydomain>.com" that FaceBook cannot link to any of my online activity...

  25. Anonymous Coward
    Anonymous Coward

    Idiotic Clients

    One of my clients has insisted that users can have the same username, this client also insists that username and password can be the same. They want to make it as simple as possible for the users to login, I might as well throw my security certifications in the bin.

    I still work for them, mostly because they pay lots of cash.

    Anonymous obvs.

    1. Anonymous Coward
      Anonymous Coward

      Re: Idiotic Clients

      My neighbour wants me to remove my fence and the lock on my gate so he can have access to the public highway through my yard - from his yard that is unfenced and open to the highway and the great wild public at his end.

  26. toffer99

    Anyone got advice on password managers? I'm thinking of jumping to one.

    1. Giovani Tapini
      Black Helicopters

      use any one you like but dont be surprised if the NSA discover all your credentials soon after...

    2. Flakk
      Trollface

      One that hasn't been hit with security vulnerability disclosures? Oh wait, they all have. Nevermind. ;)

      It's not especially easy to use, and password data replication is a largely manual affair, but I like VeraCrypt (which, of course, also had vulnerability problems a few years ago). For me, it hits the sweet spot between the strong encryption that I like and the PITA factor that I believe is actually called for in some circumstances (the more sensitive the asset, the more difficult it should be to access it).

    3. Doctor Syntax Silver badge

      "Anyone got advice on password managers?"

      Run it locally. KeepassX is what I use but then I use a single laptop most of the time so it's not too much trouble to occasionally copy the file if I need to but I'm planning on using a Nextcloud server at home so that will make synchronisation even easier. I believe Android & iThing versions are also available.

  27. Barry Rueger

    Gmail addresses with dots

    For many years my primary email has been :

    firstname.lastname@gmail.com

    The period in the middle does seem to make everything clearer.

    Still, nearly ten years later, and despite Gmail owning 75% of the webmail market, there are sites that reject that dot.

    1. Andy A

      Re: Gmail addresses with dots

      Could be worse.

      One place I worked at used

      <firstname>.<lastname>@<country>.<division>.<companyname>.com

      Luckily, in my case <country> was just uk, but any number of services couldn't cope with the total length of the string, and many more borked at the dots. It's annoying to find there isn't room in the box to type the whole email address.

      Kept the spam down though.

    2. CAPS LOCK

      Re: Gmail addresses with dots

      Fear not. Gmail doesn't 'see' the dots so you can use 'firstnamelastname@gmail.com' instead.

      1. Anonymous Coward
        Anonymous Coward

        Re: Gmail addresses with dots

        I regularly get spam emails to my <myemail>@gmail.com - which were actually addressed to <my.email>@gmail.com

        There also appears to be 3 other people somehow with the same <myemail> , 1 in the UK and a couple in the USA, which is deeply disturbing.

        The drawback of having a relatively simple email address.

  28. Anonymous Coward
    Anonymous Coward

    Dvorak typing

    I'm not sure the Dvorak layout increased my speed (it did decrease my RSI) but if you switch back to Qwerty and type "Thisismypassword" you'll actually enter "Kjg;g;mtra;;,soh" or something similar and I've never met a password checker that doesn't think that a "strong" password.

    1. Dave559 Silver badge

      Re: Dvorak typing

      That sounds a risky endeavour. Possibly typing "Kjg;g;mtra;;,soh" won't actually summon an elder god, but some of the passwords that you might come up with would do...!

      (Hmm, working in the IT department at Miskatonic University must be an "interesting" experience...)

  29. J.G.Harston Silver badge

    I once worked at an organisation that rolled out logon ids that were First Initial, Last Initial, Payroll Number (eg lh891234). Except for our small department who had started before this roll-out. Whenever we contacted the HelpDesk we had to go through the rigmarol of "your ID is your payroll number..." No it isn't! "Yes it is, your ID is your payroll number..." No! Listen to me!

    It was a struggle, but we eventually forced them to migrate us to the "standard" logon ID scheme.

    1. Wensleydale Cheese

      " your ID is your payroll number..." No! Listen to me!"

      The company running a course I was taking couldn't make up their minds what my real name was. Their correspondence had me down as firstname lastname middle name and lastname middlename firstname.

      Start the course and the lecturer says he's set accounts up in the form of firstname.lastname.

      No combination of the above variations worked. I had to ask the lecturer what the system thought my login was, and he couldn't understand the question, simply repeating "Firstname dot lastname".

      We set up a completely new id in the end.

  30. TomPhan

    My standard password anecdote

    A place I briefly worked at was very big on security and automatically generated random passwords for everyone at the end of every month. Which were printed and left in an envelope on your desk to start using the next day.

  31. earl grey
    Facepalm

    1-2-3-4-5

    That's the kind of combination an idiot would put on his luggage!

    Sorry, couldn't resist.

    1. Sureo

      Re: 1-2-3-4-5

      "That's the kind of combination an idiot would put on his luggage!"

      Might as well, the TSA and all the crooks know how to open it anyway.

  32. Terje

    I just don't understand why so many sites try to force you to weaken your passwords by specifying you must have at least one upper case character one number and one non alphanumeric character. there are ten numbers, there are in reality something like 16 special characters that is ever likely to get used...

    Just enforce a decent length password. and for the love of god don't ...ing limit the password length at say 32 characters, if the function you use to hash the password can't handle arbitrary long input (within reason) then fix your hash function don't force the user to limit the password.

  33. Kevin McMurtrie Silver badge
    Trollface

    New password: Z?+>&d-*OT[,AwIHLuiM

    And simply click "Forgot password" if I come back.

  34. Flexdream

    "..all a thief has to do is nick your phone and he sits and waits for the second password to light up in front of him."

    And your better alternative to this is?

    1. EnviableOne

      Doesnt even have to knick your phone, can re-route using SS7, NIST, NCSC et al. have recommended against SMS second factor for an age.

      IMHO, the best second factor available at the minute is the OAuth2.0 TOTP.

      However why people are still dreaming up passwords i dont know, just plug the rules into your pwd manager hit generate, et voila ... PLus it evades the 5$ wrench method. I dont even know what most of my passwords are!

      password size limit is redundant, a hash comes out the same length no matter the input.

      forcing types is useless, length trumps complexity. even if its all lower case a 14 char pwd takes longer to brute force than an 8 char alpha num with specials and uppers.

      force a minimum of 12 chars, tie this to the pwnedpassword database, and dissalow anything that was breached, or in a sector/site specific common words list, and roberts your parents male sibling

      1. Robert Carnegie Silver badge

        @EnviableOne

        I'm not quite sure I like this. Is it saying that I can't have password = 5000358745115 because someone else on planet Earth once had that password?

        It's not actually my password, it is the bar code of Tesco Omega 3 linseed oil tablets - which may not do you any good, it turns out.

  35. Anonymous Coward
    Anonymous Coward

    My password would be

    Drop_Table <password.h>;

  36. J.G.Harston Silver badge

    Why am I commenting on a thread that is eight months old? How did I not notice this thread was eight months old? How did this thread bubble up to the top of Reg's news page making me think it wasn't eight months old?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like