Why block Beatles songs as passwords? Is it because we can work it out.
Either my name, my password or my soul is invalid – but which?
Try as I might, it won't go in. I have entered pretty much everything else so far but this time I'm getting a definitive "no". I respect that, of course, but it leaves me jolly frustrated. Despite all my powers of persuasion, I'm left standing in the cold with one hand on my lock. Yes, lock. The site keeps rejecting my …
COMMENTS
Friday 20th July 2018 13:24 GMT Prst. V.Jeltz
minimum password reset time
...casually sabotage his own monthly New Password prompts by changing his password 11 times immediately.
Which is why you should set a minimum time between changes - just don't be monumentally stupid about it.
I worked at a place (I.T. provider) where they had set the minimum time to longer than the maximum time on one of the customers' systems.
Result - impossible to change password. Do the server team give a shit? No! They aren't the ones dealing with outraged and frustrated customers and setting everyone's password for them manually - no small task on top of my extremely overworked day. This went on for months. I attempted to ease the situation by asking questions like "Hey guys, what are the actual password rules, as people seem to be struggling?". I was met with vague shit like "oh, it's gotta be 8 and have a number in it, I think".
It took me to dig out the GPO editor, dig into the AD and find the policy - and the problem - and wave it in their faces.
I said that like they then did something about it, didn't I? No such luck, no shits were given, they couldn't see the issue?!? It took more weeks of cajoling and bitching upstream.
First job I ever resigned from without having a new job ready.
My girlfriend worked there a few months longer, doing the accounts, and suddenly had a load of extra work when their accounts server died with no known backups, all data lost, and they had to re-enter what data they could find from whatever paperwork they had filed!
This is an I.T company! That sells backup solutions!
-
Friday 20th July 2018 16:55 GMT tfewster
Re: minimum password reset time
> Which is why you should set a minimum time between changes - just don't be monumentally stupid about it.
Ugh, even that brings its own problems. Being told you can't change a password that's been compromised because the minimum time hasn't elapsed. On one of our systems, a privileged generic* account password is retrieved several times a day by different people, but can only be changed once a day. So a bunch of people can re-use the password all day, with no accountability for who did what.
A long password history usually means you don't need a minimum time. Until you meet That Guy who ruins it for everyone:
>>...casually sabotage his own monthly New Password prompts by changing his password 11 times immediately.
* Yes, they should have individual logins. But the ancient application doesn't support that, OR auditing.
-
Saturday 21st July 2018 06:34 GMT Wensleydale Cheese
Re: minimum password reset time
"accounts server died with no known backups , all data lost and they had to re-enter what data they could find from whatever paperwork they had filed!
This is an I.T company! That sells backup solutions!"
Reminds me of the company that sold a lot of word processing solutions in the early 80s.
Their invoices were done on a typewriter.
Friday 20th July 2018 10:04 GMT Pen-y-gors
University
A certain university somewhere in mid-Wales has password rules that forbid anything like a dictionary word in just about any known language, and checks it. They must have a Cray handling the password validation.
Contain both upper and lower case characters (e.g., a-z, A-Z)
Have digits and punctuation characters as well as letters, e.g., 0-9, !@#$%^&*()_+|~-=`{}[]:";'<>?,./)
Are at least six alphanumeric characters long.
Are not a word in any language, slang, dialect, jargon, etc.
Are not based on personal information, names of family, etc.
If I remember rightly, you can't reuse the last 30. But at least it only forces a change every year.
Friday 20th July 2018 13:15 GMT David 18
Re: University
What a monumentally stupid university! They are just absolutely ensuring that their users will write it down, almost certainly somewhere stupid.
Whenever the subject of password strength arises here, I refer them to this:
https://xkcd.com/936/
Don't get me started on bloody stupid biometrics - they should never be used for anything but identification, never authentication. I haven't made any friends pissing on the parade of breathless tech junkies extolling the virtue of their super-secure fingerprint enabled phones. "But it HAS to be super secure, it's NEW and BIOMETRIC!"
-
Friday 20th July 2018 14:29 GMT Anonymous Coward
Re: University
What a monumentally stupid university! They are just absolutely ensuring that their users will write it down, almost certainly somewhere stupid.
Which is why the "interview" social engineering attack works well.
Go for an interview, wear video recording glasses, and take a GOOD look around the cubicles when you're shown around. Match up name plates to the sticky notes on the monitors, and, using the email address the interviewer gave you as the guide, you now have lots of usernames and passwords.
Friday 20th July 2018 13:09 GMT Prst. V.Jeltz
2 factor
if the second factor is merely a detoured PIN sent to your smartphone: all a thief has to do is nick your phone and he sits and waits for the second password to light up in front of him.
But, but, 99.% of people hacking your password have no idea who or where you are and probably aren't in the same country! So it's not that easy for them to whack you over the head in the study with the metal pipe and nick your phone!
-
Friday 20th July 2018 16:42 GMT Anonymous Coward
Re: University
Don't get me started. I've seen password policies by committee where the various factions couldn't be appeased, and now it's a four-branch combination of alphabet size and minimum length. I'll try to push for "min length 12, must contain 16 distinct letters" next time just to see if they twitch.
-
Friday 20th July 2018 20:00 GMT Anonymous Coward
Re: University
*koff* That's almost certainly where I work. In the, *ahem* same department that makes these policies. It is a royal PITA changing passwords. Although, last time having rejected every complex definitely-not-a-word-in-any-language password I tried, the system suggested a much simpler, less complex alternative that was more acceptable to it.
*shrug* Go figure.
And yes, words in Welsh are also banned ;-)
Friday 20th July 2018 13:02 GMT NonSSL-Login
Re: "Wrong" email addresses
I know someone with an apostrophe in their email address, due to their Irish O'whatever name. Despite the fact it's 50/50 whether the receiving email server will accept it or not, the admin has never enforced a policy that removes it when creating accounts.
What annoys me is when you have to log in somewhere else and it's not obvious they have a different country keyboard layout. Those special characters are not where they are supposed to be. So do I devise new passwords which only use the characters that don't move, say, between US and UK layouts, thus weakening the password due to less entropy, or use them and struggle to log in some places?
Decisions!
-
Monday 23rd July 2018 11:39 GMT Robert Carnegie
"By pressing down a special key - It plays a little melody"
In principle, whatever you type as password can be represented as character bytes in hexadecimal notation, or even just decimal (numbers). So, restricting the character set just means that each symbol has fewer random options, but you can make the whole thing more random again by making it longer. No special keys required.
In practice, when I assigned random hexadecimal codes as passwords for a fleet of servers, some were rejected. Not apparent why, but I got around it by changing the format from 1a2b3c to 0qz1a2b3c - the start always being 0qz, the rest being random.
When I had to change them all again, I used 1a2b3cqz0 - new random numbers, and qz0 at the end, so that the new password wasn't "detected" as "too similar" to the old one.
Also if there is a fixed length - such as Wi-Fi key - then don't skimp on the randomness. I think that random alphanumerics are good enough in practice, though - although each character has about 5 or 6 bits of individual self-expression instead of 8. But a sentence in English has about 1 bit per character of variety, I think.
Friday 20th July 2018 14:20 GMT WallMeerkat
Re: "Wrong" email addresses
Once had a friend with an email address that was similar to (but not) a.b.c@d-e-f.co.uk
It was a useful one for testing email validation; the number of times some web app would refuse to accept it showed that the devs were using some useless regex from the first search result, which was Stack Overflow.
-
Saturday 16th February 2019 05:33 GMT J.G.Harston
Re: "Wrong" email addresses
Why on earth is anybody using any sort of regex on email addresses? The only entity that knows - that is *capable* of knowing - if a particular email address is valid or not is the receiving email mailbox. This is as moronic as those sites that scream at me that my telephone number is wrong - the telephone number that is printed on my telephone right in front of me.
The ***ONLY*** testable thing you can apply to an email address is that it has a '@' in it. (I used to say exactly one '@' and at least one '.', but I have a nagging feeling something like admin@net is fully legal.)
Friday 20th July 2018 10:19 GMT Roland6
Re: "Wrong" email addresses
I still encounter sites that don't accept email addresses with 3 character domain names; fortunately all, so far, have accepted gmail.com instead...
But as Alistair alludes to, unless you have kept good notes (ie. little black book or used a password manager), it can be a bit of a nightmare when you revisit such a site and simply automatically enter your normal username...
Friday 20th July 2018 13:37 GMT Anonymous Coward
Re: "Wrong" email addresses
A + in an email address is valid, and a very useful way to track who is leaking your email address, as you can use unique Gmail addresses when you sign up for crap stuff which all go into your single mailbox. But I've found plenty of places will not accept it as a valid email even though it complies with RFC 2822.
-
Friday 20th July 2018 14:23 GMT WallMeerkat
Re: "Wrong" email addresses
Though there was that one time I actually *won* a competition.
Found out by phone though.
"Congratulations you won!
... we usually notify by email but we think something went wrong with our system as your email address is coming up as wall.meerkat+ourcompany@gmail.com"...
-
Sunday 22nd July 2018 08:51 GMT Stoneshop
Re: "Wrong" email addresses
... we usually notify by email but we think something went wrong with our system as your email address is coming up as wall.meerkat+ourcompany@gmail.com"...
Couple of years ago I ordered some stuff from a webshop, using my standard pattern of "myname.webshop@surname.net". This resulted in them calling me to acknowledge the order, as their confirmation mail kept not getting sent (apparently they did pay attention to such things, good on them) and with it them expressing surprise at me having an account on their mailserver.
Their software apparently had some hitherto unknown knicker-twisting properties.
Friday 20th July 2018 15:02 GMT Anonymous Coward
Robert O'Tables
"Robert O'Tables", love it!
One of the people at my workplace not only has an Irish family name, but whose personal name is from another European language and contains an accented letter. I perhaps use this person's record on my dev server rather more than some others, as it's a really great name to test many corner cases or potential input/output data validation/security risks.
-
Friday 20th July 2018 22:29 GMT Doctor Syntax
Re: Robert O'Tables
"an Irish family name ...I perhaps use this person's record on my dev server rather more than some others"
A certain large systems house on whom we all like to pour scorn were repeat offenders in sending badly formed XML with Irish names. After we'd explained it all to the developer doing the work they got it right. A few months later the developer we'd trained had had his visa run out and been replaced by another import, all ready to screw it up again.
Friday 20th July 2018 10:36 GMT Wensleydale Cheese
Re: "Wrong" email addresses
"I do remember some years ago, that some sites where a bit "snobby" and not excepting users that had email accounts from the likes of Hotmail and Yahoo."
That used to be a good way of avoiding spammers signing up for the sole purpose of posting a load of links.
Friday 20th July 2018 22:24 GMT Doctor Syntax
Re: "Wrong" email addresses
"some don't accept email addresses from free email services - probably they believe you've just created one to give 'em to hinder them harassing you for the next several years."
No problem. I use a paid email service and create addresses to stop them harassing me for several years. What's more, if I think I might need to use the service in the future I can keep the address in place but just set it to bounce until the occasion arises.
-
Friday 20th July 2018 14:23 GMT Hans Neeson-Bumpsadese
Re: "Wrong" email addresses
"I do remember some years ago, that some sites where a bit "snobby" and not excepting users that had email accounts from the likes of Hotmail and Yahoo."
In my recent experience I found the exact opposite. I tried signing up to The Times website so I could read news articles and it utterly refused to accept my email address (I have my own domain). Seeing as it wasn't for anything particularly important I used a throwaway Gmail address and sign-up worked first time.
Friday 20th July 2018 10:11 GMT Anonymous Coward
Idiot password checkers
I use random (and I mean random: generated from proper randomness) strings of dictionary (/usr/share/dict/words / /usr/dict/words) words as passwords (well, passphrases). It's easy to show that these, if they are long enough, are harder to guess than normal line-noise passwords (the alphabet the symbols are chosen from is much bigger, the symbols are randomly chosen). But I still have to add a little bit of line-noise to the end of them to keep the stupid 'must be line noise' checker happy.
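The comparison this post makes (random dictionary words versus "line noise"), and Robert Carnegie's earlier per-character estimates, as an added example that is not code from any commenter: it draws both kinds of secret with the `secrets` module and computes their entropy from alphabet size and length. The tiny word list stands in for /usr/share/dict/words and is constructed for the demo; a real list has on the order of 100,000 entries.

```python
import math
import secrets
import string

# Constructed stand-in for /usr/share/dict/words (assumption: a real list is ~100k words).
WORDS = ["cinephotomicrography", "franchisal", "lineation", "correct", "horse",
         "battery", "staple", "robot", "carnage", "meerkat", "cheese", "syntax"]
HEX = string.hexdigits[:16]                    # 0-9a-f: log2(16) = 4 bits per character
ALNUM = string.ascii_letters + string.digits   # 62 symbols: log2(62) ~ 5.95 bits per character


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly from an alphabet of `alphabet_size`.

    This is the only thing that matters for guessing resistance: the size of the
    choice space, not how 'weird' the characters look.
    """
    return length * math.log2(alphabet_size)


def words_needed(dictionary_size: int, target_bits: float) -> int:
    """Number of uniformly chosen words needed to reach `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(dictionary_size))


def random_string(alphabet: str, length: int) -> str:
    """Line-noise password: each position is an independent uniform draw (CSPRNG)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words, count: int, sep: str = " ") -> str:
    """Passphrase: each word is an independent uniform draw from the word list."""
    return sep.join(secrets.choice(words) for _ in range(count))


def appease_checker(passphrase: str) -> str:
    """Append the digit and symbol a 'must be line noise' checker insists on.

    Chosen at random so the tail adds a little entropy rather than a predictable '1!'.
    """
    return passphrase + secrets.choice(string.digits) + secrets.choice("!@#$%^&*")


def compare(dictionary_size: int = 100_000, line_noise_length: int = 8) -> dict:
    """Entropy of an n-character alphanumeric password versus the words needed to beat it."""
    target = entropy_bits(len(ALNUM), line_noise_length)
    return {
        "hex_same_length_bits": entropy_bits(len(HEX), line_noise_length),
        "alnum_bits": target,
        "words_to_match": words_needed(dictionary_size, target),
    }


if __name__ == "__main__":
    print(compare())
    print(appease_checker(random_passphrase(WORDS, 3)))
    print(random_string(ALNUM, 8))
```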
-
Friday 20th July 2018 12:04 GMT Robert Carnegie
Re: Idiot password checkers
For a password to remember, and easy to type: 6 random distinct consonants, then 2 numerals. I usually grab 20 letters https://www.random.org/strings/?num=1&len=20&upperalpha=on&unique=off&format=html&rnd=new - shuffle at random and pick out letters that fit e.g. Robert Carnegie -> Rbtcng95 (I don't actually use my name for this). That's the password, but to remember it, pick words that represent 5 or 6 of the letters. I find that after a few days, remembering the words e.g. "Robot carnage" (possibly my name spell checked) brings up the letters and the numbers as well.
An online password checker spotted that "Fiqbly45" contains a given name (Bly) and a dictionary word (Fiq with a Q, evidently), it must be a fiend at Scrabble.
Friday 20th July 2018 14:51 GMT Anonymous Coward
Re: Idiot password checkers
Based on my experience (so, OK, sample of one, self-selected), passphrases made from random words are much easier to remember, yes. I think this is because we have specialised machinery in our heads for dealing with natural language, and while we don't have specialised machinery in our heads for dealing with written language (too recent, evolutionarily) the more general-purpose machinery we've trained to deal with it turns out to work really well. So if you see a string of words in a natural language you speak then you're remarkably good at remembering them even if they are randomly chosen.
This works, surprisingly, even if you have never seen the words before: I just ran my generator for a three-word passphrase and it came up with 'cinephotomicrography franchisal lineation': I don't think I've ever used any of those words, or probably even seen them before, but I typed all but the first without looking back at the window I'd covered.
-
Saturday 21st July 2018 07:26 GMT Spamfast
Re: Idiot password checkers
XKCD again as mentioned earlier.
But the problem is that many systems won't let you use passphrases. Either they won't accept passwords that long or they insist on 'at least one upper, lower, digit, rune' etc as in Dabbsie's original article.
Every place I go I email the IT admins the link to the XKCD cartoon but unfortunately your average Microsoft-only IT bod doesn't understand what 'entropy' means - or anything else about real, effective security.
Also, Windows only supports the 'enforce password complexity' (runes!) option so that's what the IT twonks enforce.
-
Saturday 21st July 2018 09:14 GMT John Miles
Re: Idiot password checkers
Different cases are easy to deal with - you naturally put a capital for a name or first word of a phrase or sentence and the rest lower case. You can include a number in the phrase or a word that sounds like a number, and there are some symbols that can be substituted for words - so you could take "correct horse battery staple" and turn it into "correct horse and battery free staple", which becomes "Correcthorse&battery3staple", which I find easy to remember and type and still meets the stupid password rules (unless they limit length too short).
-
Sunday 22nd July 2018 21:30 GMT veti
Re: Idiot password checkers
(unless they limit length too short)
Which they normally do. Honestly, what percentage of sites even allow you to have a password of more than 16 characters?
Worst of all, those that allow you to enter such a password, but silently truncate it without telling you. Then reject the full password when you enter it later.
I've learned to limit myself to 10 characters. Most places accept that. OK, it's not as secure as it could be, but like the old joke says: "I don't have to run faster than the bear, I just have to run faster than you". There are plenty of people way easier to hack than me, and that's what matters.
Friday 20th July 2018 17:00 GMT Anonymous Coward
Re: Idiot password checkers
Well, yes, of course. I didn't specify what /usr/share/dict/words on my machine contains, or exactly what LANG is set to, and perhaps I should not do that. I have found an interesting thing regarding this: encryption is not enough. Even looking too closely at the encrypted contents of the disk is enough to cause quite nasty things to happen to potential eavesdroppers. The results are usually fatal, and I imagine the eavesdroppers are glad of that, at least until their minds go.
Friday 20th July 2018 10:27 GMT krivine
Plus sign in email addresses is often fun
When registering with some sites I add '+${siteName}' between my username and @. This makes for easier classification using Gmail labels. Many sites reject the plus sign, although it's a valid character in email addresses. Morrisons supermarket took it one step further, by letting me register username+morrison@gmail.com, but then refusing to let me log in with it. I gave up on them.
Saturday 21st July 2018 11:19 GMT Doctor Syntax
Re: Plus sign in email addresses is often fun
"Forward everything to another a/c"
Why? Just use that domain as your email domain. All the aliases come into a single mailbox (you can check the alias name in the To: field if you need to see who spammed) and set up, tear down or set to bounce as you please.
Friday 20th July 2018 13:00 GMT 's water music
Re: bait and switch sign up
Morrisons supermarket took it one step further, by letting me register username+morrison@gmail.com, but then refusing to let me log in with it. I gave up on them.
A rarer favourite of web coders who have grown bored of "you failed my validation but if I tell you how I'll have to kill you" is to accept an overlong password value and simply truncate it to the length they were anticipating before creating your account. Similar fun can be had with the username. Those super secure password/unique email wonks don't like it up 'em.
-
Friday 20th July 2018 14:55 GMT Anonymous Coward
Re: Plus sign in email addresses is often fun
I had an account on photo.net which (a) changed at some point so it would not let me use my account-with-+-in-it and (b) kept on sending me junk mail to that address and ignored my requests to delete it or make it work again. If I had more than one suitcase nuke I think I would have used one of them to deal with this cretinism.
There are, I believe, RFC-822 parsers out there (as in: there are hundreds): why can't these fuckwits just use one to tell if email addresses are valid rather than use some half-baked regexp of their own devising which doesn't actually work.
-
Friday 20th July 2018 22:46 GMT Richard 12
Re: Plus sign in email addresses is often fun
No. Just no.
You should never, ever attempt to "validate" an email address.
Ok, it's worth checking that it's got at least one "@" followed by at least one printable character, but beyond that?
Not worth the cycles.
Just send an email to it - after all, you don't actually care whether it's RFC compliant, you care whether there's a mailbox at the end of it.
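The two approaches argued over in this thread side by side, as an added example that is not code from any commenter: a constructed "first search result" regex of the over-strict kind WallMeerkat describes, next to the minimal check Richard 12 and J.G.Harston recommend before simply sending the confirmation mail. The sample addresses are constructed; the naive pattern is deliberately wrong and is not a real RFC grammar.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed over-strict pattern of the kind copied from a search result:
# letters and digits only in the local part (so no '.' and no '+'), a
# single-label domain, and a two-or-three-letter TLD. Deliberately broken.
NAIVE_PATTERN = re.compile(r"^[A-Za-z0-9]+@[A-Za-z0-9-]+\.[A-Za-z]{2,3}$")


def naive_is_valid(address: str) -> bool:
    """What a 'useless regex' sign-up form does with an address."""
    return NAIVE_PATTERN.fullmatch(address) is not None


def minimal_is_plausible(address: str) -> bool:
    """The only pre-send check worth making.

    Exactly one '@', something on each side of it, and no whitespace or
    control characters. Whether a mailbox actually exists is settled by
    sending a confirmation mail, not by parsing.
    """
    if address.count("@") != 1:
        return False
    local, domain = address.split("@")
    if not local or not domain:
        return False
    return all(ch.isprintable() and not ch.isspace() for ch in address)


def plus_tag(address: str) -> Optional[str]:
    """Return the sub-address tag after '+' in the local part, if any.

    Keeping the tag intact is what lets a user see which site leaked the address.
    """
    if not minimal_is_plausible(address):
        return None
    local, _ = address.split("@")
    _, plus, tag = local.partition("+")
    return tag if plus else None


# Constructed samples: the shapes discussed in the thread, not real mailboxes.
SAMPLES = [
    "user@gmail.com",
    "a.b.c@d-e-f.co.uk",
    "wall.meerkat+ourcompany@gmail.com",
    "sean.o'brien@example.ie",
    "admin@net",
    "no-at-sign",
    "two@@signs.example",
    "bad address@example.com",
]


def report(samples=SAMPLES) -> Dict[str, Tuple[bool, bool]]:
    """Map each sample to (naive verdict, minimal verdict)."""
    return {s: (naive_is_valid(s), minimal_is_plausible(s)) for s in samples}


if __name__ == "__main__":
    for addr, (naive, minimal) in report().items():
        print(f"{addr:40} naive={naive!s:5} minimal={minimal}")
```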
Friday 20th July 2018 10:32 GMT Vagnerr
Got to watch those password lengths
I have had many experiences where there was an upper limit on the password length (usually a red flag that they may just be saving passwords in plaintext). No big problem usually, as I generate random passwords anyway, but it's a bit of a shame if it has to be a shorter one.
However...
On one occasion the max password length was 20 characters. Not bad. ... Except that was the limit for creating the password. The limit for entering your password to login was only 18 characters! </slowhandclap>
-
Friday 20th July 2018 11:35 GMT Justicesays
Re: Got to watch those password lengths
Similar very recently.
Set a password (randomly generated).
Copy and paste same password into login box - doesn't work?
Read login FAQ :
Passwords cannot contain quotes(")
Then WTF did you
a) let me set one with a "
b) put "must contain a special character such as a symbol" in the listed rules, but not point out that excludes "
Not to mention it implies your back-end is vulnerable to injection, and you're covering it up with sticking plasters.
In another case, putting "#!/bin/bash" as part of a long password worked for the game login, not so good on the website as it was eventually blocked by the website's IPS as a potential injection attack... The password change tool was on the website...
-
Friday 20th July 2018 14:57 GMT Spamfast
Re: Got to watch those password lengths
SQL injection is ridiculous. They take some random HTTP POST value and concatenate it onto a SQL statement and run it? Duh!
Even if they run it through a sanitiser it's a risk and moreover it's ridiculously inefficient.
Every program (web service or otherwise) I've ever written that takes user input (or input from a comms channel) for an SQL (or "a Sequel" if you prefer) query binds the input variables to placeholders in the query string. Usually the statements are pre-prepared since that avoids a layer of parsing for frequently executed statements.
This is trivially easy to do in PHP, Python, Perl, Ruby etc. and not much more complicated in C/C++ with most client libraries.
To paraphrase Holly, "The highest form of life in the universe is Man and the lowest is a man who works as a web developer."
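The bound-placeholder approach Spamfast describes next to the concatenation it replaces, as an added example that is not code from any commenter: both lookups run against a constructed in-memory SQLite table, and the password itself never reaches SQL at all because only a salted PBKDF2 digest is stored. The usernames, passwords and iteration count are constructed for the demo.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple

ITERATIONS = 100_000  # constructed demo value; tune upward for real deployments


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the plaintext is never written to the database."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_db() -> sqlite3.Connection:
    """Constructed users table with one plain name and one containing an apostrophe."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, digest BLOB)")
    for name, pw in [("alice", "correct horse battery staple"),
                     ("Robert O'Tables", "Fiqbly45")]:
        salt, digest = hash_password(pw)
        # Even the seed data uses placeholders: the driver quotes the values.
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, digest))
    conn.commit()
    return conn


def lookup_concatenated(conn: sqlite3.Connection, username: str):
    """The bad pattern: untrusted input spliced into the statement text.

    A legitimate name with an apostrophe breaks the statement, and a crafted
    one changes its meaning. The database cannot tell data from SQL here.
    """
    sql = "SELECT salt, digest FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone()


def lookup_bound(conn: sqlite3.Connection, username: str):
    """The right pattern: the statement is fixed, the value travels separately."""
    return conn.execute(
        "SELECT salt, digest FROM users WHERE username = ?", (username,)
    ).fetchone()


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Verify a password against the stored digest with a constant-time compare."""
    row = lookup_bound(conn, username)
    if row is None:
        return False
    salt, digest = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def concatenated_lookup_fails(conn: sqlite3.Connection, username: str) -> bool:
    """True if the concatenated query cannot even be parsed for this username."""
    try:
        lookup_concatenated(conn, username)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("bound lookup of O'Tables:", lookup_bound(db, "Robert O'Tables") is not None)
    print("concatenated lookup breaks:", concatenated_lookup_fails(db, "Robert O'Tables"))
    print("login ok:", login(db, "Robert O'Tables", "Fiqbly45"))
```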
-
Saturday 21st July 2018 14:09 GMT Loud Speaker
Re: Got to watch those password lengths
SQL (or "a Sequel" if you prefer)
No
Sequel was something entirely different - an IBM product predating SQL. MS don't want you to know this. Sequel was NOT GOOD.
Emojis of sexually explicit vegetables should only be used for passwords on porn sites. Think of the children!
-
Saturday 21st July 2018 23:04 GMT Dave559
Re: Got to watch those password lengths
> To paraphrase Holly, "The highest form of life in the universe is Man and the lowest is a man who works as a web developer."
I agree very emphatically with everything else in your comment, apart from that sentence. Yes, there are a lot of numpty so-called web developers out there, but not all of us!
Friday 20th July 2018 10:33 GMT Wensleydale Cheese
"It's not a lack of awareness, it's a clear admission from within the security industry itself what a pain in the arse it is to sign in again and again dozens of times a day with different credentials."
BTDT. Back when I was managing a fleet of servers I had to log in to over 20 different systems after a network outage. These were systems which would lock you out after too many password failures. A single password per group of logically related systems was the sanest choice.
Fortunately there was a smartcard system for the PC, so at least I didn't need to remember all the separate passwords for mail, timesheets, project management systems et al that ran on that.
-
Friday 20th July 2018 10:42 GMT imanidiot
Nothing wrong with reusing passwords
I reuse the same password or a variation thereof on multiple sites. None of them critical, of course. Things like my spam email, fora like El Reg, etc, that don't contain payment info and the like all use the same password. Banking and work accounts of course get their own passwords.
-
Friday 20th July 2018 12:19 GMT paulf
Re: Nothing wrong with reusing passwords
About 8 years ago a system I use regularly started enforcing password changing via AD. There was much grumbling as the change timer is about 3 months and the old password cannot be a prefix of the new password which immediately rules out changing totalBollocks to totalBollocks1. Then someone pointed out to me that adding numbers into the password means it's treated as a completely different password. Thus:
totalBollocks
total1Bollocks
total2Bollocks
are all unique passwords.
This has served me well for the last 20 odd password changes.
-
Friday 20th July 2018 17:05 GMT Anonymous Coward
Re: Nothing wrong with reusing passwords
Well, the system is (you hope) storing only hashes of the passwords, so when changing password it can know, at most, the current and new plain texts and the hashes of the previous n passwords. So the very best it can do is ensure that the new password is sufficiently different to the current one and that it is different in some way (but not how different) from the previous n.
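A password-change check built on exactly the information this post says the system has, as an added example that is not code from any commenter: it can compare the new plaintext against the current plaintext (catching paulf's total1Bollocks trick and the prefix rule), can only compare hashes against the earlier history, enforces a minimum age, and refuses a policy whose minimum age is not shorter than its maximum (Prst. V.Jeltz's customer). Timestamps, passwords and the iteration count are constructed; the similarity threshold is an assumption.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

ITERATIONS = 50_000  # constructed demo value; tune upward for real deployments


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 digest; only this pair is ever stored."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; usable only while both plaintexts are in hand, i.e. at change time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Policy:
    min_age: timedelta = timedelta(days=1)
    max_age: timedelta = timedelta(days=90)
    history_size: int = 12
    min_distance: int = 4  # assumption: edits below this count as "too similar"

    def __post_init__(self) -> None:
        # A minimum age at or above the maximum makes every change impossible.
        if self.min_age >= self.max_age:
            raise ValueError("min_age must be shorter than max_age")


def policy_is_consistent(min_age: timedelta, max_age: timedelta) -> bool:
    """Cheap sanity check an admin can run before pushing a policy out."""
    try:
        Policy(min_age=min_age, max_age=max_age)
    except ValueError:
        return False
    return True


@dataclass
class Account:
    salt: bytes
    digest: bytes
    changed_at: datetime
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest) pairs


def create_account(password: str, now: datetime) -> Account:
    salt, digest = hash_password(password)
    return Account(salt, digest, now)


def change_password(acct: Account, policy: Policy, old: str, new: str, now: datetime) -> Optional[str]:
    """Return None on success, otherwise the reason the change was refused."""
    _, old_digest = hash_password(old, acct.salt)
    if not hmac.compare_digest(old_digest, acct.digest):
        return "current password incorrect"
    if now - acct.changed_at < policy.min_age:
        return "changed too recently"
    # Both plaintexts are known right now, so a real similarity test is possible.
    if new.startswith(old) or levenshtein(old, new) < policy.min_distance:
        return "too similar to current password"
    # For older passwords only digests survive: rehash the candidate under each salt.
    for salt, digest in acct.history + [(acct.salt, acct.digest)]:
        if hmac.compare_digest(hash_password(new, salt)[1], digest):
            return "password was used recently"
    acct.history = (acct.history + [(acct.salt, acct.digest)])[-policy.history_size:]
    acct.salt, acct.digest = hash_password(new)
    acct.changed_at = now
    return None


def must_change(acct: Account, policy: Policy, now: datetime) -> bool:
    return now - acct.changed_at >= policy.max_age
```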
Friday 20th July 2018 10:58 GMT bondyboy
Barclays for security?
I always smile at the irony of all the Barclays "we care about security" messages after having to deal with one of their bank accounts that was being used to funnel scam money through having its address changed to mine.
Nine separate contacts to Barclays informing them of this error and scam yet the account was still open 3 months after I first reported to them, on average each month saw around £40,000 coming in and being transferred out, who says crime doesn't pay?
Friday 20th July 2018 11:26 GMT Justicesays
Re: Barclays for security?
From
https://www.gov.uk/government/organisations/hm-revenue-customs/contact/money-laundering
Report suspicious activity
Call HMRC if you’re an individual who needs to report suspicious activity in relation to money laundering.
Telephone:
0800 595 000
Opening times:
24 hours a day, 7 days a week
Friday 20th July 2018 13:28 GMT Roland6
Re: Barclays for security?
Barclays used to be good about security; they initially provided Prevx (now integrated into Webroot) to their customers and then swapped this for Kaspersky. But since the US campaign against Kaspersky they haven't offered a free security tool to their customers...
But hats off to them for their scamming awareness campaign.
-
Saturday 21st July 2018 10:11 GMT Tromos
Re: Barclays for security?
Their current TV campaign is actually badly flawed as far as security is concerned. The message it puts over is to never reveal your full PIN. What it should be saying is to never reveal ANY part of your PIN as no genuine bank will ever ask for it. Your bank might ask for a couple of characters from a security code, but this is completely different from a PIN.
Friday 20th July 2018 12:26 GMT paulf
Re: Customer Delight Providers
If some jumped up MBA type PHB (or shyster HR skank, for that matter) changed my job title from something meaningful to "Customer Delight Providers" the dying embers of their lifeless corpse would be in the bottom of a skip by the end of the day; their only company being the charred remains of the piss stained mattress, which every skip seems to contain, that was cremated with them.
Sorry, It's been a long week and I think we ran out of Coffee by Wednesday afternoon.
Friday 20th July 2018 11:27 GMT Nila
Gave up on stupidity a while ago
It would not be too bad if all sites' password complexity rules were the same, letting me use the same password for all irrelevant sites. Anyway - the only reason you need to register and log on to most of them is so they can send you spam.
Now I just use the "forgot my password" link and enter a new password of the required gibberishness every time I need to log on. Even with the extra hops it is much easier and even quicker than to come up with and remember unique passwords for each site. I do have a proper password for my email...
I wish login prompts for all sites would contain their password policy upfront - so I can enter the required additional symbols in the required quantity after my normal password. As it is now I have to go through the password reset procedure every time to find that out...
So that's security for you.
-
Friday 20th July 2018 12:25 GMT Nick Ryan
Re: Gave up on stupidity a while ago
I'm speccing a new website service and am semi-seriously contemplating not bothering with passwords at all and just emailing the user a one-shot login code. It's not the kind of website service that a user is going to use very often, I suspect once ever or maybe once every year or so, and forcing a user to deploy yet another password just for this seems a bit silly when I suspect that the most commonly used function on the site will be "reset password".
Friday 20th July 2018 13:54 GMT Teiwaz
DNA to replace passwords? Has no one seen Gattaca?
I was also going to say that replicating DNA is "easy" for those that know how. But even easier would be to say "bleed on this will you?"
Gattaca? I thought it was a dreary Corporate training film....
There's DNA in piss* isn't there? That's always an option
* there is in faeces, hey, if they want a sample, might as well have something I'll be dumping at some point during the day anyway. I prefer to get lightheaded and trippy in my own time.
Friday 20th July 2018 11:58 GMT PerlyKing
Really special characters
I recently had to do a factory reset on my Android phone. When it came to signing in to my Google account afterwards, I discovered that my randomly-generated password contained a character which is not available in the stock Android keyboard. Now that's secure! ;-)
-
Friday 20th July 2018 12:10 GMT Doctor Syntax
Let's call out the bollox of using email addresses as login IDs. A user ID and a password taken together are a long string. Doesn't it make it easier to guess the string if you're given half of it? And an email address is one thing that you do tend to give out. It's a mitigation, but no more, if you're able to set up individual addresses for individual sites, but the basic rule should be to have the email address as a separate field.
Example 1. PayPal. The ID is the email address. OK, I can set up a unique address for this but I then find that it hands out that address to merchants. Evidence? I had to change the PayPal ID (a pain in itself) because a merchant to whom I purposely hadn't given an email address decided it was a good idea to spam me using my PayPal ID. So PayPal, acting as a banker in that it's able to handle my money, is happy to hand out half my login credentials to a 3rd party. I'd like to think that they've stopped that crap under GDPR but I don't expect they have.
Then there's the assumption that an email address is guaranteed to be a unique and permanent personal ID. It's neither.
It doesn't necessarily have to be a unique individual address. Companies who adopt this tactic are quite happy to tell you to contact them on something like sales@numptiesrus.crap.
And it certainly doesn't have to be permanent, especially if it's an ISP provided address.
Example 2. I have a login at IBM which includes the name of my second (or last but one) ISP who, before I left them, had been taken over at least 3 times and hasn't been a valid, or at least a used, email address for at least 10 years. They won't allow it to be changed but do at least allow a separate, working, address to be provided.
-
Saturday 16th February 2019 05:50 GMT J.G.Harston
But an email address is the only thing that is close to 100% going to be unique to you and nobody else. JohnSmith? Millions of them. InitSurname? Millions of them. XYZyyyymmdd? Thousands of them. youremail@yourdomain? ONE. By definition.
I had to set up a user list for just 30ish people. I hadn't got past 'A' before getting a clash with almost all naming methodologies.
-
Friday 20th July 2018 12:20 GMT Anonymous Coward
retarded rules on password
"I should have known he'd come up with a daft suggestion like that. This is the bloke who would casually sabotage his own monthly New Password prompts by changing his password 11 times immediately and, for the twelfth, reset it to his old one again so he could carry on as before. He even kept his 11 non-passwords on a sticky note attached to his display bezel so that he could run through the same routine in the same order every month."
I have no idea how "pro" security IT don't see that incoherent/retarded password rules, different across multiple systems in the SAME company (with different expiration dates, of course), do nothing in favour of security!
Every single member of staff I know in mine does as follows:
- get the magic prefix that works on all systems
- increment the number every change
At the end of the day, there is virtually NO change in passwords! It's neither possible nor manageable!
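The "magic prefix plus an incremented number" routine the comment describes is easy to detect at password-change time, because the user supplies the old password in plaintext alongside the new one. The following is an added example (not from the comment or any product) that rejects a change when the new password is the old one with only a trailing counter altered, or is otherwise too similar; `history_stems` is an assumed, constructed list of earlier stems, which a real service would hold as hashes rather than plaintext:

```python
import re
from difflib import SequenceMatcher

# A trailing run of digits, optionally followed by punctuation: "...23" or "...23!"
TRAILING_COUNTER = re.compile(r"[0-9]+[^A-Za-z0-9]*$")


def _stem(pw: str) -> str:
    """Lower-case the password and strip a trailing counter (and any punctuation
    after it), so that Spring23! and Spring24! reduce to the same stem."""
    return TRAILING_COUNTER.sub("", pw).lower()


def is_trivial_rotation(old_pw: str, new_pw: str, min_distinct: float = 0.5) -> bool:
    """True when the new password is the old one with only the counter changed,
    or when the two differ by less than `min_distinct` of their characters."""
    if _stem(old_pw) == _stem(new_pw):
        return True
    ratio = SequenceMatcher(None, old_pw.lower(), new_pw.lower()).ratio()
    return ratio > 1.0 - min_distinct


def change_password(old_pw: str, new_pw: str, history_stems: list) -> str:
    """Return 'ok' or a rejection reason. `history_stems` is the (constructed,
    assumed) list of stems of this account's earlier passwords; it is updated
    on success so the same stem cannot come back with a new number later."""
    if is_trivial_rotation(old_pw, new_pw):
        return "rejected: new password is a trivial variation of the old one"
    if _stem(new_pw) in history_stems:
        return "rejected: reuses the stem of an earlier password"
    history_stems.append(_stem(new_pw))
    return "ok"


if __name__ == "__main__":
    history = ["spring"]          # constructed: an earlier password was Spring23!
    print(change_password("Spring23!", "Spring24!", history))
    print(change_password("Spring23!", "correct-horse-battery", history))
    print(change_password("correct-horse-battery", "Spring99!", history))
```

The similarity threshold is deliberately coarse; the point is that the check operates on the plaintexts the server already has at change time, so it costs nothing extra to store.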
-
Friday 20th July 2018 12:32 GMT Katy_B
I've noticed that many government sites which deal with things like your tax and NI record, and also most banks, will not accept special characters in passwords. Some don't even call for a capital letter as long as you have a numeral in there.
It may be just me but I would have thought that banks and the government might think safer passwords were a good idea?
-
Friday 20th July 2018 15:52 GMT Robert Carnegie
p!a!s!s!w!o!r!d!
It's not really safer. And some systems choke on non-alphanumeric symbols in a password - I suspect one of our systems can't take a !
A password of 8 genuinely random letters is safe. I standardise on Abcdef78 - as a format, not as an actual password - as a concession to stupid system rules (and with all consonants, like I think I said above), and I put ! at the end if I really have to. But a password of a word with $ for S isn't safe because hackers have already got all those combinations in their dictionary.
-
-
Sunday 22nd July 2018 07:01 GMT AndyFl
I share your pain
Yes, you can't even put a <CR> into the box where you add more information, which makes it close to impossible to write anything even remotely readable when it is more than a few words in length.
And as for prohibiting the percent sign! Words fail me - it is a fscking finance site!
I have several times put a complaint into the feedback link - never got a response either.
I had a huge problem signing up on the HMRC site in the first place as I was in Qatar. The password mail took 3-4 weeks to arrive but was only valid for 2 weeks. When I called them up to ask what I was supposed to do they suggested I get it sent to someone in the UK who could phone it to me. I think they have completely lost the plot. After all, what is the point of insisting on sending out a super secret code and then, because they fscked up the expiry, telling people to send it to someone else!
-
-
-
Friday 20th July 2018 12:42 GMT AndrueC
I had a similar issue when I tried to sign up with Samsung several years ago (I had a good reason, I wanted a firmware update for my TV so I could get into the engineering console). Anyway it refused to let me create an account so eventually I had to resort to a less legitimate source. I've since found out that it was my DEA system that caused the problem. Samsung will not let you register an email address with 'samsung' anywhere in it. Of course it never actually tells you that :-/
-
Friday 20th July 2018 13:17 GMT Terry 6
Teachers' passwords
I used to see a lot of schools. In September everyone's password had either expired because it ran out at the end of the previous month, or been forgotten. If the former there'd be a queue to call IT support for the first day or two. If the latter it'd be post-it search time or a call to IT...
Except for the teachers that had a memorable password and stuck a number on the end. They'd be the ones logged in and getting lesson plans and stuff printed before the kids came in. The others would be huddled in a panic waiting for their turn to talk to IT and trying to remember what it was they'd spent hours planning a couple or three weeks earlier.
-
Friday 20th July 2018 13:36 GMT Anonymous Coward
Stupid email address checks are the worst.... Most annoying* is FaceBook, which prevents you from using email addresses whose name is "mail", ... tough luck if your address is "mail@<mydomain>.com".
* Though in hindsight, maybe it's a good idea to have a "fb@<mydomain>.com" that FaceBook cannot link to any of my online activity...
-
Friday 20th July 2018 13:49 GMT Anonymous Coward
Idiotic Clients
One of my clients has insisted that users can have the same username. This client also insists that username and password can be the same. They want to make it as simple as possible for the users to login; I might as well throw my security certifications in the bin.
I still work for them, mostly because they pay lots of cash.
Anonymous obvs.
-
-
Friday 20th July 2018 17:00 GMT Flakk
One that hasn't been hit with security vulnerability disclosures? Oh wait, they all have. Nevermind. ;)
It's not especially easy to use, and password data replication is a largely manual affair, but I like VeraCrypt (which, of course, also had vulnerability problems a few years ago). For me, it hits the sweet spot between the strong encryption that I like and the PITA factor that I believe is actually called for in some circumstances (the more sensitive the asset, the more difficult it should be to access it).
-
Friday 20th July 2018 22:56 GMT Doctor Syntax
"Anyone got advice on password managers?"
Run it locally. KeePassX is what I use, but then I use a single laptop most of the time so it's not too much trouble to occasionally copy the file if I need to. I'm planning on using a Nextcloud server at home, so that will make synchronisation even easier. I believe Android & iThing versions are also available.
-
-
Friday 20th July 2018 16:39 GMT Andy A
Re: Gmail addresses with dots
Could be worse.
One place I worked at used
<firstname>.<lastname>@<country>.<division>.<companyname>.com
Luckily, in my case <country> was just uk, but any number of services couldn't cope with the total length of the string, and many more borked at the dots. It's annoying to find there isn't room in the box to type the whole email address.
Kept the spam down though.
-
-
Thursday 26th July 2018 08:20 GMT Anonymous Coward
Re: Gmail addresses with dots
I regularly get spam emails to my <myemail>@gmail.com - which were actually addressed to <my.email>@gmail.com
There also appear to be 3 other people somehow with the same <myemail>, 1 in the UK and a couple in the USA, which is deeply disturbing.
The drawback of having a relatively simple email address.
-
-
-
Friday 20th July 2018 18:15 GMT Anonymous Coward
Dvorak typing
I'm not sure the Dvorak layout increased my speed (it did decrease my RSI), but if you switch back to Qwerty and type "Thisismypassword" you'll actually enter "Kjg;g;mtra;;,soh" or something similar, and I've never met a password checker that doesn't think that's a "strong" password.
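Both the Dvorak trick in this comment and Robert Carnegie's point above (a word with $ for S is already in the cracking dictionaries) come down to the same weakness in checkers that only count character classes. The added example below (not the commenters' code) generalises the Dvorak instance: it remaps a candidate through the two keyboard layouts, undoes common symbol-for-letter substitutions, and looks every resulting form up in a blocklist. The layout tables are the standard US QWERTY and Dvorak rows; BLOCKLIST, LEET and the helper names are constructed for the example:

```python
# Physical key positions, row by row, for the two layouts (unshifted characters).
QWERTY_ROWS = ("qwertyuiop", "asdfghjkl;", "zxcvbnm,./")
DVORAK_ROWS = ("',.pyfgcrl", "aoeuidhtns", ";qjkxbmwvz")


def _layout_map(src_rows, dst_rows):
    return {s: d for src, dst in zip(src_rows, dst_rows) for s, d in zip(src, dst)}


DVORAK_TO_QWERTY = _layout_map(DVORAK_ROWS, QWERTY_ROWS)   # what Dvorak fingers type on QWERTY
QWERTY_TO_DVORAK = _layout_map(QWERTY_ROWS, DVORAK_ROWS)   # the inverse

# Constructed, deliberately short substitution table; real checkers carry a longer one.
LEET = {"$": "s", "5": "s", "@": "a", "4": "a", "0": "o", "1": "l", "!": "i", "3": "e", "7": "t"}

# Constructed blocklist standing in for a breached/common-password corpus.
BLOCKLIST = {"thisismypassword", "password", "summer", "letmein"}


def remap_layout(text: str, table: dict) -> str:
    """Return the characters produced by pressing `text`'s keys on the other
    layout. Letter case is preserved; keys absent from the table pass through."""
    out = []
    for ch in text:
        mapped = table.get(ch.lower(), ch.lower())
        out.append(mapped.upper() if ch.isupper() else mapped)
    return "".join(out)


def deleet(text: str) -> str:
    """Undo symbol-for-letter substitutions ("P@$$w0rd" -> "password")."""
    return "".join(LEET.get(c, c) for c in text.lower())


def candidate_forms(pw: str) -> set:
    """Every spelling of `pw` a dictionary check should look at."""
    forms = {pw.lower()}
    for table in (DVORAK_TO_QWERTY, QWERTY_TO_DVORAK):
        forms.add(remap_layout(pw, table).lower())
    forms |= {deleet(f) for f in list(forms)}
    return forms


def is_blocklisted(pw: str, blocklist: set = BLOCKLIST) -> bool:
    return any(form in blocklist for form in candidate_forms(pw))


def naive_charset_score(pw: str) -> int:
    """What a composition-rule checker sees: the number of character classes present."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


if __name__ == "__main__":
    typed = remap_layout("Thisismypassword", DVORAK_TO_QWERTY)
    print(typed, "classes:", naive_charset_score(typed), "blocklisted:", is_blocklisted(typed))
```

Run as-is it reproduces the comment's "Kjg;g;mtra;;,soh", scores it as three character classes (what the naive checker likes), and still rejects it because the inverse remap lands on a blocklisted phrase.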
-
Friday 20th July 2018 19:24 GMT J.G.Harston
I once worked at an organisation that rolled out logon ids that were First Initial, Last Initial, Payroll Number (eg lh891234). Except for our small department who had started before this roll-out. Whenever we contacted the HelpDesk we had to go through the rigmarole of "your ID is your payroll number..." No it isn't! "Yes it is, your ID is your payroll number..." No! Listen to me!
It was a struggle, but we eventually forced them to migrate us to the "standard" logon ID scheme.
-
Saturday 21st July 2018 11:30 GMT Wensleydale Cheese
"Your ID is your payroll number..." No! Listen to me!
The company running a course I was taking couldn't make up their minds what my real name was. Their correspondence had me down as firstname lastname middle name and lastname middlename firstname.
Start the course and the lecturer says he's set accounts up in the form of firstname.lastname.
No combination of the above variations worked. I had to ask the lecturer what the system thought my login was, and he couldn't understand the question, simply repeating "Firstname dot lastname".
We set up a completely new id in the end.
-
-
Saturday 21st July 2018 07:31 GMT Terje
I just don't understand why so many sites try to force you to weaken your passwords by specifying you must have at least one upper case character, one number and one non-alphanumeric character. There are ten digits, and in reality something like 16 special characters that are ever likely to get used...
Just enforce a decent password length, and for the love of god don't ...ing limit the password length at, say, 32 characters. If the function you use to hash the password can't handle arbitrarily long input (within reason) then fix your hash function; don't force the user to limit the password.
-
-
Monday 23rd July 2018 11:01 GMT EnviableOne
Doesn't even have to nick your phone, can re-route using SS7. NIST, NCSC et al. have recommended against SMS second factor for an age.
IMHO, the best second factor available at the minute is the OAuth2.0 TOTP.
However, why people are still dreaming up passwords I don't know; just plug the rules into your pwd manager, hit generate, et voila... Plus it evades the 5$ wrench method. I don't even know what most of my passwords are!
Password size limit is redundant; a hash comes out the same length no matter the input.
Forcing types is useless; length trumps complexity. Even if it's all lower case, a 14 char pwd takes longer to brute force than an 8 char alphanumeric with specials and uppers.
Force a minimum of 12 chars, tie this to the pwnedpasswords database, and disallow anything that was breached or is in a sector/site-specific common words list, and Robert's your parent's male sibling.
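The policy in the last three lines of the comment above, as an added example that is not the commenter's or any vendor's code: a 12-character minimum with no composition rules, a site-specific word list, and a breached-password lookup done the way the Pwned Passwords range API works (the client hashes with SHA-1, sends only the first five hex characters, and compares the returned suffixes locally). Everything network-side is simulated offline here: BREACHED_SHA1, SITE_WORDS and the range_lookup stub are constructed for the example, and the keyspace helper is included only to check the comment's 14-lower-case versus 8-mixed-class claim.

```python
import hashlib

MIN_LENGTH = 12

# Constructed stand-in for a sector/site-specific common-words list.
SITE_WORDS = {"numptiesrus", "tesco", "omega3"}

# Constructed stand-in for the breach corpus. Stored as upper-case SHA-1 hex,
# which is the form the Pwned Passwords range API returns. A real deployment
# never holds this set; it asks the API for one 5-character prefix at a time.
_BREACHED_PLAINTEXTS = ["password1234", "letmein12345", "iloveyou1234"]
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper() for p in _BREACHED_PLAINTEXTS}


def range_lookup(prefix5: str):
    """Simulated server side of a k-anonymity range query: every (suffix, count)
    whose full hash starts with `prefix5`. The server never sees the full hash."""
    return [(h[5:], 1) for h in BREACHED_SHA1 if h[:5] == prefix5]


def is_breached(password: str) -> bool:
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return any(s == suffix for s, _count in range_lookup(prefix))


def validate_password(password: str):
    """Length-first policy with no character-class rules. Returns (ok, reason)."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    lowered = password.lower()
    if any(word in lowered for word in SITE_WORDS):
        return False, "contains a site-specific common word"
    if is_breached(password):
        return False, "appears in a breach corpus"
    return True, "ok"


def brute_force_keyspace(length: int, alphabet_size: int) -> int:
    """Number of candidates an exhaustive search must cover."""
    return alphabet_size ** length


if __name__ == "__main__":
    for candidate in ["short1", "password1234", "TescoClubcard99", "correct horse battery staple"]:
        print(repr(candidate), validate_password(candidate))
    print("26^14 > 95^8:", brute_force_keyspace(14, 26) > brute_force_keyspace(8, 95))
```

The SHA-1 here is only the lookup key the breach service uses; it has nothing to do with how the password is stored afterwards, which still wants a slow, salted password hash.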
-
Monday 23rd July 2018 16:03 GMT Robert Carnegie
@EnviableOne
I'm not quite sure I like this. Is it saying that I can't have password = 5000358745115 because someone else on planet Earth once had that password?
It's not actually my password, it is the bar code of Tesco Omega 3 linseed oil tablets - which may not do you any good, it turns out.
-
-