Use of ambiguous letters in security codes

Fuck Login.gov and their goddamn alphanumeric 2-factor security codes.

You give me a fucking code full of Bs and Vs and zeros and Os and then you lock me out for putting in the wrong code too many times?!?!?!

FUCK YOU.

What the fuck is wrong with just numbers? It expires in 10 minutes anyways, the letters aren’t making it any more secure, it’s just making it more confusing. Fuck whoever the moron is who decided that alphanumeric codes were a good idea for temporary 2-factor security codes. Nobody else does this, everyone else just uses numbers and IT’S FINE.

Future generations (i.e., in about 20 years) will laugh hysterically at us and our moronic security codes.

At my previous job I had to enter VINs a lot. Seemed they found a sadistic glee in overusing 5s and Ss, which are even more fun when printed out on dot matrix printers.

About EVERYTHING going on today!

Agreed to 2FA. Especially since it’s nonsensical. My bank doesn’t make me do it, but Workday makes you redo for every device weekly, and the worst damage someone can do is look at my paycheck. Also annoying is GMail that is starting to force people to 1) have smart phones, 2) make it hard for people to share an account as you need to have one person ready to confirm in a 15 minute window.

For passwords, the LastPass app very conveniently color codes letters black, numbers red, and symbols blue. More people should do this.

For security codes, many are CAPTCHA tests designed to check if you’re human. It’s really designed to a) be possible for humans to read, but more difficult for machine learning or other machine methods. There’s also Google’s reCAPTCHA version, which changed scope with “generations” but usually designed to both provide security and decipher old text across many human observers.

There are some people who order personalized license plates for their cars like X00O0O0

I play a game called Lost Ark. (It’s a trashy Korean MMO game heavy on pay to win, but it’s pretty and has fun combat so I play it, dammit.) Anyway, they love to troll their players big time with intentional frustration. One of the achievements in the game (not an actual quest or anything, just something optional that gives you points that can earn you a reward) is to make this chemical formula. You have to go to one person, buy these crystals, then go to a different person and trade those crystals in for certain quantities of chemicals. The chemicals are given names that are INTENTIONALLY a pain in the ass, like “IX-IlIl121lIIlI1”. Keep in mind, that is a mix of lower-case Ls, upper-case Is, and 1s. It looks even worse in the game screen menus, where there is only the tiniest difference between the characters. And the chemicals will only have one or two characters different from each other.

I wasted a lot of in-game money accidentally trading for the wrong chemical, which you can’t sell back or otherwise use, and trying again.

When I figured out what they were doing I had to laugh. Those assholes. They were pranking the players on purpose. In retrospect it’s pretty damn funny. But my point is, these game developers know this pain and decided to use it for their game.

Question: Is that an “S” or a “5”?

I heartily endorse this pitting!

Logging in to MyPay.gov is a freaking nightmare!

Nothing, in fact whoever is not using just numbers probably failed computer science.

Cf. RFC 4226 - HOTP: An HMAC-Based One-Time Password Algorithm

Note one of the requirements is that the value be easily read and entered by the user. The example given is a 6- to 8-digit code.
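As an added illustration of the RFC 4226 point above (not code from any poster in this thread), here is HOTP implemented from the RFC in Python: HMAC-SHA-1 over the 8-byte big-endian counter, dynamic truncation, then reduction modulo 10^digits. The output is digits only by construction, which is why every HOTP/TOTP code you get from an authenticator app is numeric. The secret used is the RFC's own test-vector key, and the verify routine with its look-ahead window is my own addition of the usual server-side check.

```python
import hashlib
import hmac
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for (secret, counter), zero-padded to `digits` decimal digits."""
    # Step 1: HMAC-SHA-1 over the counter encoded as an 8-byte big-endian integer.
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Step 2: dynamic truncation. Low nibble of the last byte selects a 4-byte window;
    # the top bit of that window is masked off so the result is a 31-bit positive integer.
    offset = digest[-1] & 0x0F
    binary = (
        (digest[offset] & 0x7F) << 24
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    )
    # Step 3: reduce to the requested number of decimal digits and pad with leading zeros.
    return str(binary % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, code: str, last_counter: int,
                window: int = 5, digits: int = 6) -> Optional[int]:
    """Server-side check (my addition, not from the RFC text): accept a code for any counter
    in (last_counter, last_counter + window] and return the counter to store, else None.
    Never accepting a counter <= last_counter is what blocks replay of an already-used code."""
    for candidate in range(last_counter + 1, last_counter + window + 1):
        # Constant-time comparison so timing does not leak how many digits matched.
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


# Secret from the RFC 4226 test vectors (Appendix D): the ASCII string "12345678901234567890".
RFC4226_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    for n in range(10):
        print(n, hotp(RFC4226_SECRET, n))
```

The RFC's Appendix D lists the expected values for counters 0 through 9 with this key (755224, 287082, 359152, ...), so the table printed by the block can be checked against the document directly. Note that the real limit on guessing a 6-digit code is the server's throttle, not the alphabet: with only a few tries per code and a short validity window, 10^6 possibilities is already far more than an attacker can enumerate, which is the RFC's reason for settling on 6 to 8 decimal digits.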

When I generate passwords for users, I hand it to them on a card that has something like

Your password is: 1BclI09O

1 1 One
l lowercase l lima
I uppercase I India
O uppercase O Oscar
0 0 Zero

So not only in a font where they look different in the first place, but then with a decoder ring just in case people don’t know the dot (or slash) means the circle thing is a zero.

I mean, I’m just one guy, who started doing that because it’s how I want to be treated, and yet these big companies and governments can’t do it. I guess it didn’t have to go to a committee, and get approval from the CIO, I just did it.

One big thing that bugs me about the government is NIST saying scheduled password changes are bad, and then NIH forcing ERA commons passwords to change a few times per year. (I guess ERA commons now uses login.gov, so maybe it’s finally changed).

My employer’s password requirements got so tedious that my current password refers to the rules as “nuts” plus a string of numbers, the last of which increases by one when it’s time to change again.

When I worked in a similar field (short URLs, which granted are less likely to mislead, because they are themselves a URL) we purposely avoided misleading characters, but more so, the chances that our short URL would contain bad words that would inevitably lead to bad publicity.

A faked example (broken link, too): http: //my.co/suck5

We did this for 12 languages, as well.

Joke’s on them, because I’m pretty sure the DMV treats 0 and O as the same character for look-up and uniqueness purposes, and likewise 1 and I. Maybe it’s different in more populous states, but around here, you never see O (as in Oscar) or I (as in India) as letters, aside from on vanity plates.

This is California. ISTM I’ve seen this mentioned too, somewhere.

30-some years ago, I used to generate “temporary” passwords for new users. (“Temporary” only in the sense that I gave them a document with the password and instructions for changing it, and advising them to do so.) I wrote a trivial program that generated a whole page of random 8-character passwords, using only lower-case letters and digits chosen from an alphabet in which I had excluded all ambiguous characters.
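Added example, not code from either poster: the decoder-ring card described a few posts up and the unambiguous-alphabet generator described here, as one small Python script. It draws passwords with the OS CSPRNG from lowercase letters and digits with the characters this thread complains about (0/O, 1/l/I, 5/S, and B/V over the phone) removed, reports how much entropy that costs, and prints a card in the same layout as the one above. The exact exclusion list, the NATO spellings and the function names are my choices.

```python
import math
import secrets
import string

# Letters and digits the thread singles out as confusable, in any case:
# 0/O, 1/l/I, 5/S in print and B/V when read over a phone line.
# Widening this list (2/Z, 8/B, ...) is a judgment call about your fonts and channels.
EXCLUDED_LETTERS = "oilsbv"
EXCLUDED_DIGITS = "015"

# Lowercase letters plus digits minus the confusables: 20 letters + 7 digits = 27 symbols.
ALPHABET = "".join(
    c for c in string.ascii_lowercase + string.digits
    if c not in EXCLUDED_LETTERS and c not in EXCLUDED_DIGITS
)

NATO = {
    "a": "Alfa", "b": "Bravo", "c": "Charlie", "d": "Delta", "e": "Echo", "f": "Foxtrot",
    "g": "Golf", "h": "Hotel", "i": "India", "j": "Juliett", "k": "Kilo", "l": "Lima",
    "m": "Mike", "n": "November", "o": "Oscar", "p": "Papa", "q": "Quebec", "r": "Romeo",
    "s": "Sierra", "t": "Tango", "u": "Uniform", "v": "Victor", "w": "Whiskey", "x": "Xray",
    "y": "Yankee", "z": "Zulu",
}
DIGIT_WORDS = ["Zero", "One", "Two", "Three", "Four", "Five", "Six", "Seven", "Eight", "Nine"]


def generate_password(length: int = 8, alphabet: str = ALPHABET) -> str:
    """Random password over the unambiguous alphabet, using secrets (CSPRNG), never random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int = 8, alphabet: str = ALPHABET) -> float:
    """Guessing entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(len(alphabet))


def has_confusable(password: str) -> bool:
    """True if any character is one the card would have to disambiguate."""
    return any(
        ch.lower() in EXCLUDED_LETTERS or ch in EXCLUDED_DIGITS for ch in password
    )


def describe(ch: str) -> str:
    """One decoder-ring line for a character, in the layout of the card above."""
    if ch.isdigit():
        return f"{ch} {ch} {DIGIT_WORDS[int(ch)]}"
    if ch.isalpha() and ch.islower():
        return f"{ch} lowercase {ch} {NATO[ch]}"
    if ch.isalpha() and ch.isupper():
        return f"{ch} uppercase {ch} {NATO[ch.lower()]}"
    return f"{ch} symbol"


def decoder_card(password: str) -> list:
    """Card text: the password, then one line per distinct character in order of appearance."""
    lines = [f"Your password is: {password}"]
    seen = []
    for ch in password:
        if ch not in seen:
            seen.append(ch)
            lines.append(describe(ch))
    return lines


if __name__ == "__main__":
    pw = generate_password()
    print("\n".join(decoder_card(pw)))
    print(f"\n{len(ALPHABET)}-symbol alphabet, {entropy_bits():.1f} bits for 8 characters "
          f"(vs {entropy_bits(8, string.ascii_lowercase + string.digits):.1f} bits unfiltered)")
```

Dropping nine confusable symbols from a 36-symbol alphabet costs about 3 bits over eight characters (38.0 versus 41.4), which is cheap compared with the help-desk calls and lockouts the ambiguity causes; if that matters, add one character instead. The card function is there for the cases where a confusable still has to be handed out, such as a code the user did not choose.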

I’m surprised when I see that ambiguity on license plates. In Texas, partly due to my failing vision on the plate and partly because of the font, sometimes K looks like X. ISTM that the important thing is that a policeman be able to write it down as the suspect flees.

Is there some font where a B looks like a V?

I’m getting it over a VOIP phone.

At my work, I have an employee account and an administrator account (for when I need admin privileges doing IT work). Our admin passwords need to be at least 16 characters long.

I just type a brief song lyric, with spaces between words. It is so easy to remember yet pretty hard to brute force.