Password Strength

[Agent_Foxtrot]

I had made this a separate thread before I realized this one was here, so I had it closed. My question was:

Agent Foxtrot:

We hear all the time that passwords are supposed to be long, hard to guess, and filled with a variety of characters. However, some websites and applications are very restrictive, e.g., alphanumerics only, no special characters, no passwords longer than 25 characters?

A password is a string, right? Any modern computer language can easily parse any keyboard characters in a string, right?

So why does a program I use at work only allow alphanumeric passwords between 8 and 15 characters? Programmer laziness?

[Chronos]

It’s possible that the passwords are being stored in some sort of database that was never intended to be used for such things, and the restrictions are to prevent Bobby Tables exploits. Which does, in the end, amount to programmer laziness, since even if you’re using the wrong tool for the job like that, there are still usually ways to pull it off.

[Inner_Stickler]

Apropos of nothing but I remember noticing a few years ago that when I used my ‘weak’ password that was simply a double digit english word, sites with a password strength monitor consistently rated it higher in strength than my ‘strong’ password that was shorter but was a random string composed of numbers and mixed case letters. Obviously I could have extended the shorter password and thus made it stronger but I felt that it worked well enough that I didn’t want to make something I couldn’t remember easily.

[tellyworth]

Agent_Foxtrot:

So why does a program I use at work only allow alphanumeric passwords between 8 and 15 characters? Programmer laziness?

I’d guess it’s for backwards compatibility with an antique password hashing mechanism.

[Triskadecamus]

When I had a computer password at work, I had to change it every month, “because of security issues” according to the IT department.

Since none of the people who use computers in my workplace are even remotely interested in computers, hard science, mathematics, or even security, the sticky note method was by far the most frequent method used. I have a lousey memory for such things, but can’t just use the sticky note method since my access was only a minor part of my job, and I had no office, and no personally assigned computer.

My method was to use the Computer Security Guidelines memo which by rule had to be posted in the room with every computer. Even months I used @2 as the last two letters, and odd months I used !1 The rest of the password had to be 10 letters since 12 was the limit, and had to have at least 1 capital letter. So, I would use the sentence that matched the months number. No bureaurocrat ever sent out a memo of less than 12 sentences, so I was safe on that score. Count down the number of letters in the month, and type in the first ten letters of the sentence, exluding spaces, which are not allowed.

My password hint was “Follow Security Guidlines.”

Tris

[John_Mace]

I was asked the other day to enter a password consisting of 8 characters, so I used: Snow White and the Seven Dwarfs.

[constanze]

Agent_Foxtrot:

So why does a program I use at work only allow alphanumeric passwords between 8 and 15 characters? Programmer laziness?

That would be my first guess. How many companies have a special CIO - Chief Information Officer - on the same level of power and finance as the CEO, who’s in charge of everything IT, with enough knowledge to see the big picture, enough manpower to not personally admin. each PC, but set guidelines, optimally, before any major decisions are made?

And in comparision, how many muddle through with not enough people in the IT dept.? How many programmers who know how to write a webpage know about proper security protocol, and how many just use the standard tools?