HTTPS is still susceptible to keyboard sniffers. Challenge-response is not.
I always thought so. My old employer used a payroll company that had like 30 password requirements and required changing the password every 30 days. HR hated constant phone calls asking for a new temporary password to log in, so they had a big meeting telling everyone how to structure their passwords to pass the requirements and have an obvious progression. Easier for them, but if I know John Marksberry is suggestible and employee number xxxxx82 on the list and he probably signed up in October, then his password is Jn82My!5.
Of course that was fairly useless, as the site obscured SS numbers, names, addresses, rate of pay, and everything else worth snooping through. But that non-information sure was secure!
Your password will expire in 22 days. Would you like to change your password now?
[QUOTE=manson1972]
I can’t think of a reason to make a password be EXACTLY 8 characters.
[/QUOTE]
Legacy systems often have the exactly 8 requirement. They’re from happier pre-Internet times when the risk was primarily from someone physically in the office trying to use your access and we didn’t have to worry about some yutz in Estonia trying to access things from their bedroom.
Windows NT had hashing algorithms that actually made a 7-character password more secure than 8 or more.
Old Oracle stuff could handle 6-8 characters.
Old Solaris Unix systems would cheerfully ignore anything after 8 characters. If your password was Birthday, you could successfully log in with BirthdayCake or BirthdayParty.
Some current mainframe systems ignore case, so RedDog#2 will work just as well as reddog#2 or REDDOG#2 :smack:
ETA: You probably don’t want to know how much of this fantastically old stuff is still running in banks, and how much effort is put into mitigating the risks when some important program written in 1994 can only run on Oracle 2.6.
Oh yeah, I’m familiar with the legacy/NT/ignore-case issues in the past. It is just really surprising to see a new “Internet presence” feature, “new, improved on-line access”, need a password that needs EXACTLY 8 characters :eek:
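As an added illustration (not code from the thread or from any of the systems named in it), here is a small Python model of what each legacy scheme actually compares at login: crypt(3) truncation at 8 bytes, mainframe-style case folding, and the NT-era LanManager split into two 7-byte halves. It uses the thread's own Birthday/BirthdayCake and RedDog#2 examples; the alphabet sizes in the cost estimate are assumptions.

```python
"""Model of what three legacy schemes actually compare at login.

Added illustration, not code from the thread or from any of the systems
named in it. Alphabet sizes are assumptions used only for the cost estimate.
"""


def unix_crypt_view(password: str) -> str:
    """Traditional DES-based crypt(3) silently uses only the first 8 bytes."""
    return password[:8]


def case_fold_view(password: str) -> str:
    """Systems that ignore case effectively compare an upper-cased copy."""
    return password.upper()


def lanman_view(password: str) -> tuple:
    """LanManager (NT-era) hash input: upper-case, cut/pad to 14 bytes, then
    split into two 7-byte halves that are hashed independently."""
    padded = password.upper()[:14].ljust(14, "\0")
    return padded[:7], padded[7:]


def interchangeable(a: str, b: str, view) -> bool:
    """True when the legacy system cannot tell password a from password b."""
    return view(a) == view(b)


def lanman_guess_cost(password: str, alphabet: int = 69) -> int:
    """Worst-case guesses to recover an LM-hashed password.

    The halves are independent, so the cost is the SUM of the two halves'
    keyspaces, not the product. 69 ~ 26 letters (case folded) + 10 digits +
    33 symbols. An all-null half hashes to a fixed value, so a short second
    half also leaks how long the password is."""
    cost = 0
    for half in lanman_view(password):
        n = len(half.rstrip("\0"))
        if n:
            cost += alphabet ** n
    return cost


def full_guess_cost(password: str, alphabet: int = 95) -> int:
    """Worst-case guesses against a hash of the whole, case-sensitive password."""
    return alphabet ** len(password)


if __name__ == "__main__":
    print(interchangeable("Birthday", "BirthdayCake", unix_crypt_view))  # True
    print(interchangeable("RedDog#2", "reddog#2", case_fold_view))       # True
    print(lanman_guess_cost("Birthday"), full_guess_cost("Birthday"))
```

The LM numbers show why the 8th character buys almost nothing under that scheme: the second half of "Birthday" is a single character, so it adds 69 guesses to the 69^7 needed for the first half.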
I assumed you meant network-packet sniffing. What manner of challenge response is common for EU banks?
It seems like some administrators have conflated ‘complex’ and ‘secure’ with ‘hard to remember’ - and although there is some overlap, there definitely is a whiff of “Haha! fuck you!” coming off some of the password formatting rules I’ve seen in the last couple of years - as well as a hint of “I don’t know how to configure these rules, so I clicked every option!”
Haha1fuckyou! would make a pretty good password.
It might be a legacy system, but *Non-alphanumeric character check have at least 1 of the following non-alphanumeric characters: _, _ * is a new requirement.
I had a system, but it was based on 8 characters, not 7.
I heard of setting up your account with your mother’s maiden name as either “I can’t tell you that” or “Fuck you”, which would make for interesting account validation conversation when you call your credit card for any reason.
I’ve been the agent on the other end. “Ok, I’m not asking you that question”.
What I don’t understand is why none of the sites with ridiculous password rules ever give an error message when attempting to log in, “that password is impossible with our ruleset; for a reminder, when you set your password it had to fit these rules…” In fact the only reminder of the rules you tend to get is when you try to change it, and it won’t accept your new attempt.
Our internal database support site spells it out quite clearly.
But as far as many users are concerned, we may have filed it at the bottom of a locked filing cabinet in a disused lavatory. It’s not like they read the emails they get, never mind actually looking for useful information. If it doesn’t fall like manna from the sky, they wouldn’t know about it.
One of the worst systems I’ve ever used is for my online grad school classes. First, there’s no “forgot your password?” link for students. Faculty have one, but students have to call the help desk during working hours if you forget a password (which you’re pretty likely to do, since there are at least three different logins you need to access the system, some of which you desperately need exactly once a semester).
But the best part is that there are password rules that are not published anywhere, except as error messages if you don’t follow them. And those error messages flash on the screen at the speed of computerthought before disappearing, leaving you with a blank password field. It’s infuriating.
For one of my accounts I have userid, password, and ‘memorable word’. I enter the full userid and password, then get a page that says something like “select characters 2, 4, and 9 of your memorable word”. It uses drop-down selection lists for the characters which (I think) will defeat keyloggers. When I set up a new outgoing payment recipient, a number appears on the screen, then my phone rings with an automated call from the bank. I enter the number on the screen into the phone and the transaction is confirmed.
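The server side of that “characters 2, 4 and 9 of your memorable word” step, as an added example that is not the bank's implementation: it assumes a server-held secret key (constructed here) and a memorable word of fixed length, and shows the design constraint such schemes carry, namely that the server must be able to check single characters and so cannot keep one hash of the whole word.

```python
"""Server side of a "give characters 2, 4 and 9 of your memorable word" check.

Added example, not the bank's implementation. It assumes a server-held
secret KEY (constructed here; in practice kept in a KMS/HSM) and a
fixed-length word. Because the server must check single characters, it
cannot store one hash of the whole word; each position gets its own keyed
digest. If KEY ever leaks together with the digests, every position has only
alphabet-size candidates, so treat the word as a weak extra step, not a factor.
"""
import hashlib
import hmac
import secrets

_RNG = secrets.SystemRandom()  # CSPRNG for choosing challenge positions


def _digest(key: bytes, pos: int, char: str) -> bytes:
    # Bind the character to its position so "a at 2" and "a at 4" differ.
    return hmac.new(key, f"{pos}:{char}".encode(), hashlib.sha256).digest()


def enroll(word: str, key: bytes) -> list:
    """One keyed digest per 1-based character position."""
    return [_digest(key, i, c) for i, c in enumerate(word, start=1)]


def make_challenge(record: list, n: int = 3) -> list:
    """Pick n distinct positions afresh for each login attempt."""
    return sorted(_RNG.sample(range(1, len(record) + 1), n))


def verify(record: list, key: bytes, positions: list, answers: list) -> bool:
    """Check every answered position; no early exit on the first wrong
    character, so response timing does not reveal which one failed."""
    if len(positions) != len(answers) or len(set(positions)) != len(positions):
        return False
    if any(not 1 <= p <= len(record) for p in positions):
        return False
    ok = True
    for pos, char in zip(positions, answers):
        ok &= hmac.compare_digest(record[pos - 1], _digest(key, pos, char))
    return ok


if __name__ == "__main__":
    KEY = secrets.token_bytes(32)          # constructed server secret
    rec = enroll("wombatfish", KEY)        # constructed memorable word
    print(make_challenge(rec))             # e.g. [2, 4, 9]
    print(verify(rec, KEY, [2, 4, 9], ["o", "b", "s"]))  # True
```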
Yes. As in, passwords are easily brute-forcible on that system. The only thing stopping it would be a limited number of tries–but that won’t matter if someone gets access to the password file.
Not that they probably have good encryption there, either.
I use baseball players. My system doesn’t restrict me to eight letters, but no words of even two letters, so I just use the first initial of each word with a=4, e=3, o=0. I add a stat to the end. So the sticky on my monitor says “rfhr”. Ok, my right fielder is Ritchie Zisk. Pitch at risk to Ritchie Zisk. P4rtRZ. Next I add my character. I use the same one for everything: #. Then his home runs. P4rtRZ#207.
If I had to do 8 characters exactly, I’d do initials, set character, position, set character, stat. So the hint “3 finger so” means Three Finger Brown’s shutouts. MB#rp$55.
My very first job in IT was to write algorithms to prevent users from using offensive words in their password. That’s when I learned that “why should anyone care, and how would they find out” are not questions to be asked by junior level programmers.
Regards,
Shodan
That’s pretty close to my actual work password. Now I have to change it to something more offensive. Thanks.
Well, that’s like trying to defeat a keylogger by using an on-screen keyboard. If the keylogger is restricted to literally logging keystrokes, yeah, it’ll work. But the counter-measure is easy - screen cap on mouse clicks, or record choices taken from dropdowns or buttons clicked, etc.
This, on the other hand, starts to enter the world of multi-factor authentication, which is much, much safer, and almost no one in the US bothers with…
My employer forces us to change our passwords every 60 days. Changed mine a couple days ago and found that new requirements have been enacted, asinine ones not much different from those in the OP.
My new password is basically “The-new-requirements-are-nuts!” in not so many words. Plus a string of numbers.