Fucking passwords, or, the e-mail I'm not sending to HR right now

I first remember that happening years ago on a mainframe system. Luckily, we had the advanced 3278 terminals, where you could program function keys to record & playback character sequences, and someone noticed how handy this would be to solve this annoyance. A copied sheet of instructions for doing this was passed around the shop, and soon most of the employees had this set up so that playing PF1 would do the whole logon sequence, while playing PF2 would just send your password.

Made it much more convenient for those of us trying to do our work there. I don’t suppose that it helped with security much. But we didn’t care much – our security staff never quite understood that inconvenient does NOT = secure.

Nowadays, on PCs, don’t most of them have keyboard macros that can do the same thing? Seems like that would be a way to deal with this.

I have a total of 10 passwords listed in an Excel file that I have to use since I am not Rain Man and I cannot remember this many passwords, all of which must consist of arcane combinations of letters (upper and lowercase), numbers and symbols and be of a minimum length, cannot contain any three-or-more-letter string that is in the dictionary, all of which change frequently and not at the same intervals. Oh, and you can’t revert to any of your last 20 passwords used. Since I am not Rain Man, I have no choice but to make a list of them. I have been here long enough to have gone through all the names of my cats (past and present), so now I am using variations of rock band names.

Generally, the logic for checking this is very simplistic. A simple way to bypass it is to use sequences:

Start with TB123456, next month use TB234567, then TB345678, etc. That’s generally different enough that the system doesn’t see it as reverting, but all you have to remember is the starting digit for this month.

I combine these strategies. I think of the first one as the “keyboard dance” – that is, it makes some easy pattern to type, but it looks random. Then I tack on the obligatory sequential-number-to-make-it-different-from-last-month’s-password. Our IT folks actually advise us to do the add-a-number thing.

Can’t wait 'til we all get our subcutaneous microchip IDs.

Interesting. I was mulling a Pit thread for highly sensitive systems that don’t accept complex passwords. My bank’s online credit card site, for example, accepts numbers and letters only — no punctuation of any kind, no spaces — and must be between 8 and 10 characters. And what’s more, it’s not case sensitive. It took me four tries, successively dumbing down my entries, before I came up with one it would take.

What’s their password validation system running on, a Commodore 64?

Me, I’d rather have a too-rigorous key, than one that could be guessed by a random-character generator inside of five minutes.

Can I suggest Password Safe? Remember just one password to strongly encrypt all the others. It even allows you to cut and paste passwords and IDs. I keep mine on a USB stick on my keyring.

As I say, your mileage on applications may vary. At work, almost every app we have that requires a login is using either LDAP or an SSO solution, so the AD account/pw combination works with them.

It’s not compatible with Win 95/98, but … not an issue for me.

They probably have to manage a mix of systems that includes mainframes and PCs. If you delve into computer archeology and the history of computer networks, a common problem was defining a character set that was compatible with all the computers on the network. That means no case sensitivity, no accented letters, and a very limited set of non-alphanumeric characters. Just because you can type it on computer X does not mean that it will be properly handled by computer Y.

And only half-understood it. :frowning: They got the bits about making it hard to use dictionary attacks, or just plain guessing, but missed the classes on Social Engineering and Cognitive Psychology.

KeePass Password Safe

Or similar…
Damn you, ticker!!!

Funny. We have dozens of mainframes here, plus thousands of *nix servers and more Windows boxes than I could hope to count. The Tandem servers keep chugging along despite my dreams that they explode and do not get replaced, and I just know that there’s a Coleco ADAM in there somewhere.

The mainframes are limited to eight characters and a smallish subset of “special” characters, and the Tandem servers will not accept any special characters or even mixed case.

Yet, our customer-facing stuff has no least-common denominator or arbitrary restrictions on password complexity.

Yes, I know; I’m in IT and we manage a broad scope of cutting-edge and legacy systems. It just strikes me funny that the organizations most likely to manage highly sensitive information are also the organizations which are so technologically conservative that they wind up being hamstrung in situations like this. In this case, it’s a bank; the same goes for the hospitals I used to work with. It’s amusing, in a sad, stupid way.

Probably because the software was designed to handle non-native character sets. Even then, you still have the problem that a customer can create a password with one computer that he is unable to generate on another computer.

Wahoo! My campus bought me a new laptop with a fingerprint recognizer on it; I scanned my index finger and just need to touch the scanner-thingy to log in.

Here’s what I do to get around the upper/lower/symbol/number requirement: Come up with a word that’s easily associated with a number and connect them with an equal sign.

For example:

Answer=42

-or-

Hastings=1066

This seems to satisfy most systems and it’s easy to remember.

My trick: come up with a sentence related to the system you’re coming up with a password for. For instance, my sentence for the SDMB could be “There are 10 public fora on the Straight Dope Message Board.” Now, change the number so that the sentence is false: something like “There are 88 public fora on the Straight Dope Message Board.” Lastly, delete everything but the number and the first letter of each word, leaving behind “Ta88pfotSDMB”. And you have a password that’s easy to remember and hard to guess.

Furthermore, you can write down the true sentence, and as long as you remember the incorrect number, you can guess the password much more easily than an attacker (not to say that the system is perfect, but it’s a damn sight better than writing down your actual password and hoping that no one finds it).

That’s pretty much what I do. Or I come up with a sentence and replace some of the words with numbers.
For example, “For what we are about to receive” will become 4WWaa2r.
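The two posts above describe a repeatable recipe: take a sentence, change its number so the sentence is false, then keep only the number and the first letter of each word. The following is an added example, not code from the thread or from any poster, that implements that recipe as general functions and then checks the result against the complexity rules other posters in this thread complain about (minimum length, upper, lower, digit, symbol). The rule set and its thresholds are assumptions; the sentences and passwords are the ones quoted in the thread.

```python
import re

# Constructed example: the "sentence to initials" recipe from the thread,
# generalised to any sentence, plus a small policy checker.

def falsify(sentence: str, replacement: str) -> str:
    """Replace the first run of digits in the sentence so it becomes false."""
    return re.sub(r"\d+", replacement, sentence, count=1)


def mnemonic(sentence: str) -> str:
    """Keep numeric tokens whole and the first character of every other word."""
    out = []
    for token in sentence.split():
        core = token.strip(".,;:!?\"'()")   # drop trailing punctuation
        if not core:
            continue
        out.append(core if core.isdigit() else core[0])
    return "".join(out)


# Assumed rule set modelled on the requirements quoted in the thread.
RULES = {
    "length": lambda p: len(p) >= 8,
    "upper": lambda p: any(c.isupper() for c in p),
    "lower": lambda p: any(c.islower() for c in p),
    "digit": lambda p: any(c.isdigit() for c in p),
    "symbol": lambda p: any(not c.isalnum() for c in p),
}


def failing_rules(password: str, rules=RULES) -> list:
    """Names of the rules the password does not satisfy (empty list = accepted)."""
    return [name for name, ok in rules.items() if not ok(password)]


if __name__ == "__main__":
    true_sentence = "There are 10 public fora on the Straight Dope Message Board."
    pw = mnemonic(falsify(true_sentence, "88"))
    print(pw, failing_rules(pw))            # Ta88pfotSDMB ['symbol']
    print("Answer=42", failing_rules("Answer=42"))   # []
```

Note that the sentence-initials password satisfies upper, lower, digit and length but fails any site that also demands a symbol, while the word=number form from earlier in the thread passes all five; this is exactly the conflict between rule sets that the thread is about.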

THIS is what pisses me off the most. It is 2008 now, not fucking 1993. A program or site should not impose STUPID RULES on passwords. I have one basic password for everything - it is a quite secure one comprised of two equally meaningless (to anybody else including those who know me) parts - something arcane about Australian railways, and something else equally obscure about a British children’s book (a little known one). I change it a little in logical (to me alone) ways for different sites.

Or I at least WOULD if the sites and programs were sane. But it’s ridiculous that in this day and age I have to deal with sites and programs that specify:

  • must be alphanumeric
  • must contain at least one non-alphanumeric character
  • must be exactly six characters long
  • must be exactly eight characters long
  • must be the length of the coder’s dick, measured in some obscure Mesopotamian unit.

Fer fuck?

And the stupid fuckers at work insist I change my password at least once every six weeks, or I get locked out and have to telephone across the country to speak to a cretin to get access again. Luckily, I just change it to 123456 for ten seconds and then change it right back to my original. They’re happy with that.
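Two earlier posts point at the same weakness from different sides: a history check that only looks for exact repeats is satisfied by TB123456, TB234567, TB345678, and one that has no minimum password age is satisfied by changing to 123456 and straight back. The following is an added example, not code from the thread or from any poster, showing the checks a change-password routine needs to close both gaps. Because stored history is salted hashes, old entries can only be tested for equality; the similarity test is only possible against the current password, which the user supplies in plaintext when changing. The history depth of 20 comes from the thread; the one-day minimum age, the edit-distance threshold and the hash parameters are assumptions.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed example: a password-change check with exact-repeat history,
# minimum age, and a similarity test against the current password.

HISTORY_DEPTH = 20            # from the thread: "any of your last 20 passwords"
MIN_AGE_SECONDS = 24 * 3600   # assumed: no second change within a day
SIMILARITY_EDITS = 3          # assumed: reject if within 3 edits of the current one
PBKDF2_ROUNDS = 50_000        # assumed: kept low so the demo runs quickly


@dataclass
class PasswordRecord:
    salt: bytes
    digest: bytes
    changed_at: float


@dataclass
class Account:
    history: List[PasswordRecord] = field(default_factory=list)  # newest last


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _matches(record: PasswordRecord, password: str) -> bool:
    return hmac.compare_digest(record.digest, _hash(password, record.salt))


def levenshtein(a: str, b: str) -> int:
    """Edit distance; TB123456 -> TB234567 is only 2 (drop a 1, add a 7)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def skeleton(password: str) -> str:
    """Case-folded letters only: catches changes that only touch digits/symbols."""
    return "".join(c for c in password.casefold() if c.isalpha())


def check_change(account: Account, current: str, new: str,
                 now: Optional[float] = None) -> Optional[str]:
    """Return None if the change is allowed, otherwise the reason it is refused."""
    now = time.time() if now is None else now
    if account.history:
        latest = account.history[-1]
        if not _matches(latest, current):
            return "current password incorrect"
        if now - latest.changed_at < MIN_AGE_SECONDS:
            return "password changed too recently"
    for record in account.history[-HISTORY_DEPTH:]:   # exact repeats only
        if _matches(record, new):
            return "password was used recently"
    if account.history:
        if levenshtein(current, new) <= SIMILARITY_EDITS:
            return "new password is a trivial edit of the current one"
        if skeleton(current) and skeleton(current) == skeleton(new):
            return "new password only changes digits or symbols"
    return None


def set_password(account: Account, new: str, now: float) -> None:
    salt = os.urandom(16)
    account.history.append(PasswordRecord(salt, _hash(new, salt), now))


def change_password(account: Account, current: str, new: str,
                    now: Optional[float] = None) -> Optional[str]:
    reason = check_change(account, current, new, now)
    if reason is None:
        set_password(account, new, time.time() if now is None else now)
    return reason


if __name__ == "__main__":
    acct = Account()
    set_password(acct, "TB123456", now=0.0)
    day = 86400.0
    print(check_change(acct, "TB123456", "TB234567", now=10 * day))
    print(change_password(acct, "TB123456", "Hastings=1066", now=60.0))
    print(change_password(acct, "TB123456", "Hastings=1066", now=2 * day))
    print(check_change(acct, "Hastings=1066", "TB123456", now=4 * day))
```

The edit-distance and skeleton tests stop the monthly-increment trick; the minimum age stops the change-and-change-back trick, which an exact-match history on its own does not, since the user simply waits out the ten seconds. Both tests can only be applied against the password being replaced, not the whole history, which is the reason a history list alone never catches sequences.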

Heard in the dank hallways of HR:

-FrL-

Lucky sod. Round here you can’t use the same password twice. :mad: