Password Restrictions That Lie

This is too trivial to elicit a pitting, but I am angry!

Monster.com’s password restrictions are as follows: “Remember, passwords have to be between 8 and 20 characters, contain at least 1 letter, and 1 number or symbol.”

Let’s go down this list: “between 8 and 20 characters” - CHECK, mine is 9 characters.

“contain at least 1 letter” - CHECK, it contains quite a few letters, even different ones!

“and 1 number or symbol” - CHECK, it contains multiple numbers.
BUT YET, it won’t let me go any farther and says “password is not strong enough”

WHAT?!! You just gave me the restrictions and I met them! What is your problem? This is the second website that has done this to me? If you are going to make restrictions, then accept passwords that meet them!

What am I supposed to change to make it acceptable? I have no clue!

Sorry, that was not meant to be a question.

This drives me crazy. Not that they have the restrictions, but that they don’t tell me about them before I enter a password. Even a little popup next to the field, or mouseover text, describing the desired format, would do.

I have similar ire for sites that enforce restrictions on things like phone-number and postal-code formatting and don’t tell me beforehand. (Really? You’re a Canadian site and you can’t deal with the space in a standard Canadian postal code? Shame…)

Did you capitalize at least 1 letter? I’m finding more and more sites have that as a requirement as well.

I don’t remember what site I signed up for, but it required 8 to 20 characters, including at least one capital letter, one lower case letter, one symbol, and one number. It really irked me since it was a site where I didn’t care if someone hacked my account, so I had tried to just use my throwaway password. (It’s a simple 8 letter word.)

There is a fine line between requiring secure passwords and just being a nuisance.
If you require people to use passwords that they can’t remember, guess what they will do?
They will either have to get a new password issued to them the next time they want to access the data, or else they will write down the supposedly secure password on a sticky note and put it on the side of the monitor or in a drawer. These defeat the purposes of a strong password.

To point out how silly this can become, I present to you (straight from Aha! Jokes > Computer Jokes > Password selection rules) Password selection rules CORPORATE DIRECTIVE NUMBER 88-570471

OK, so it’s a joke - but does anyone know what the password might be? Of course, the restriction on using a name or word from any language is insanely broad (and undefinable).

Sounds like classic BOFH material. :slight_smile:

Besides, it would be very difficult to screen against all languages. What if my chosen password was a vile insult in Ancient Lower Babylonian? And if it isn’t, will they check Classic Babylonian, Middle Babylonian, Ancient Upper Babylonian, or Proto-Babylonian?

Ah, but you see, they are not trying to protect the accounts from Marge in accounting or from Ned the contracted night watchman, who have a grudge with the company or with you personally, actually sitting in front of your workstation. Oh, no, they are trying to protect the accounts from the Evil Hackers who will reach in remotely through the network just to do evil to whoever they can randomly hack because they’re evil.

At least they’re not requiring squirrel noises yet! :wink:

Wow! I never thought to analyze this.
It may well be unsolvable, but determining that might well be entertaining.
I suppose the restriction against contiguous letters (assuming a qwerty keyboard) would be fairly easily mapped. The restriction against non-zero numerals is easy.

Assume a six character password.
Also assume this is the initial password (which removes the restrictions in rule 2).

Rule 1 gives the 6 character minimum and states that repeated letters or contiguous letters (in either order) are not allowed.
Given that, it appears that ACEGIK would be acceptable.

Rule 2 is moribund because this is the initial password.

Rule 3 restricts the use of the name of a month or the abbreviation of a month. It appears our candidate password is acceptable.

Rule 4 disallows the numeric representation of a month. We avoid this by only using the numeral zero. The use of this is reserved to handle later rules.

Rule 5 is messy. It states that the password can’t contain any words from any language. While this may seem insurmountable, I posit that the insertion of the character ‘0’ (zero/zed) between each previously present character would remove the possibility of the password intersecting the lexicon of any language.
Therefore the candidate password is now A0C0E0G0I0K.

Rule 6 states that a password may not contain sequences of two or more characters which are adjacent to each other on a keyboard in a horizontal, vertical, or diagonal direction. Luckily enough, our candidate password only has one character that violates this rule, that being the terminal character ‘K’ (which is adjacent to the character ‘I’ on the qwerty keyboard.) So we replace K with M and we get A0C0E0G0I0M for our new candidate password.

Rule 7 states that the password can’t be the name of a person, place or thing, which is redundant since rule 5 disallows ANY words. Whether the word is a proper noun is unimportant.

So, after extensive research, we have determined that the master supervisor password is A0C0E0G0I0M.

Obviously, there are quite a number of other possible passwords.
Thanks for suggesting this time-consuming little task.

No, that contains two common English words, which were specifically mentioned at Rule 5.

Well, I’ll be! You are correct, Giles. Thank you for the kind method of pointing that out to me.

So, given that the characters ‘A’ and ‘I’ are not allowed (since they are both words in English) I must assume that the character ‘O’ is also forbidden since it is the shortened version of the exclamation ‘Oh’. In fact, we can remove the possibility of any single character overlap with a single character word in any language by removing all vowels from the set of available characters.

Our candidate password now becomes: B0C0W0G0Z0M.

Giles, what do you think?
Therefore

What makes it all so pathetically laughable is that many of the sites where security might actually be relevant send passwords in cleartext, have hackable forms interfaces, 3rd-party mailing, etc.

Same as mine, hunh? I switch to password1 when the throwaway site demands a digit.

Three words in English (four if BO is considered a “noun US informal used as a friendly form of address”) — and one in Sanskrit. And one of the English words is rather nasty.

Edit because you said O is 0 = zero. Sorry.

The thing is, regardless of the character requirements, all that matters is more or less that your password can’t be cracked by a moron with a dictionary. An 8 character non-case sensitive password with only lower case letters opts for 208 827 064 576 possible options. Obviously many of those are hackable, so I think the most secure site would basically say:

  1. You can use any unicode character you want
  2. You need at least 8+ characters
  3. We have a dictionary (along with k00l misp3ll1ng and “obvious passwords” like 12345678) lookup table running against your password, if it’s in there, try again.

(Obviously the server will also have proper hashing, salting, secure encryption etc going on).

This is probably computationally infeasible for a server that handles millions of password change requests a day, and it will obviously always miss SOME passwords like birthdates or really obscure song titles, but I still think it would still be more secure than the requirements most sites give.
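As an added example (not code from the thread or from any site it mentions), here is a checker for the three-rule policy that post proposes. The leet substitution map, the dictionary and the “obvious password” list are constructed, deliberately tiny samples; a real deployment would load a full word list.

```python
import unicodedata

MIN_LENGTH = 8  # rule 2: at least 8 characters

# Rule 3's "k00l misp3ll1ng": undo common substitutions before the lookup,
# so Pa55word1 is compared as "passwordl" and still hits "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed sample lookup tables (tiny on purpose).
DICTIONARY = {"password", "monster", "welcome", "dragon", "letmein"}
OBVIOUS = {"12345678", "123456789", "qwertyui", "correcthorsebatterystaple"}


def fold(password: str) -> str:
    """NFKC-fold and casefold so fullwidth or odd-case spellings of a word
    are compared in the same form as the plain ASCII word."""
    return unicodedata.normalize("NFKC", password).casefold()


def check_password(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means it passes.
    Rule 1 (any Unicode character allowed) holds because nothing here
    rejects on character class."""
    problems = []
    # Rule 2: count code points, not bytes, so non-ASCII is not penalised.
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    raw = fold(password)
    compact = "".join(raw.split())  # drop spaces for the obvious-list check
    # Rule 3a: the obvious-password table is matched on the un-leeted text,
    # because de-leeting digits would destroy sequences like 12345678.
    if any(o in compact for o in OBVIOUS):
        problems.append("matches an obvious-password entry")

    # Rule 3b: dictionary words anywhere in the de-leeted password fail.
    plain = raw.translate(LEET)
    hits = sorted(w for w in DICTIONARY if w in plain)
    if hits:
        problems.append(f"contains dictionary word(s): {', '.join(hits)}")
    return problems


if __name__ == "__main__":
    for candidate in ("Pa55word1", "123456789o", "xk4r-Vq9!mz"):
        print(candidate, "->", check_password(candidate) or "ok")
```

The fullwidth-Latin case (ｐａｓｓｗｏｒｄ１) is the reason for the NFKC step: without it the dictionary lookup sees a string of non-ASCII code points and passes it.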

There may be undisclosed restrictions that exclude passwords that are too obvious. Pa55word1 and 123456789o meet the above criteria, but are obviously bad choices.

And I still remember “correct horse battery staple”.

I agree that sites should spell out what an acceptable password is. Some don’t allow anything other than alphanumerics. Good passwords can use non-alphanumerics. It’s a pain not to be told the restrictions for creating the password when you create an account.

A bitter annoyance is the security questions used to reset a password. Are they case sensitive? Are spaces allowed? I’ve yet to see any site that spells these things out.

All of my work systems have different password requirements (in fact, one has a password requirement but won’t tell you what it is, you just have to keep adding characters until one works). All the older staff members just write them on a post-it note under their keyboard.

That sounds about right.