back to article 'Password rules are bullsh*t!' Stackoverflow Jeff's rage overflows

Jeff Atwood, founder of the popular coding site Stack Overflow, has published an extended and entertaining rant about the lamentable state of password policy among developers. The post, subtly titled "Password rules are bullshit," points out that the current format for password rules, such as including a certain mix of …

  1. alain williams Silver badge

    Sometimes I can't use a long password

    There are some systems that: impose a maximum length on passwords, fold upper to lower case, complain if I use anything other than alpha numerics, ...

    Let's start complaining about the systems that prevent the use of good passwords.

    1. Christoph

      Re: Sometimes I can't use a long password

      And there are systems that disallow Paste on the password field, so I have to carefully type in the long complex password that my password manager generated, and then again for the confirmation. Which of course means that if it's not a critical security risk site, I'll shorten that generated password to make it less of a bother.

      1. Ben Tasker

        Re: Sometimes I can't use a long password

        For those fields, I tend to just hit F12 to open developer tools and edit the form element to include value="[long password here]" and then do the same on the confirmation box.

        I've not found many sites that prevent paste on the password box you use to login, but for the few I do know about, I've written a little greasemonkey script that gives me paste back.

        That's all assuming a site is worth the effort of actually doing any of the above, sometimes I'll just go elsewhere

        1. This post has been deleted by its author

        2. Mage Silver badge

          Re: Sometimes I can't use a long password

          Not all passwords are for websites!

        3. e^iπ+1=0

          Re: Sometimes I can't use a long password

          Disabling JavaScript sometimes does the trick for me, e.g. with NoScript.

      2. joed

        Re: Sometimes I can't use a long password

        Funny enough, while right-click>Paste is blocked on one of such sites, the good ole Ctrl-C just works. Give it a try.

        1. death&taxes

          Re: Sometimes I can't use a long password

          Perhaps you mean Ctrl-V?

        2. Anonymous Coward
          Anonymous Coward

          Re: Sometimes I can't use a long password

          Sometimes it does, sometimes devs go to great lengths to keep your keyboard from working right. For example Google (groups? forget) likes to catch "/" with JavaScrape and move your cursor to a search text box, so you can't use it there to trigger FF's quick plaintext search like you've been doing forever, so you have to hit Ctrl+F, which was ...insulting. Anyway, ITYM Ctrl+V? On the side, drag-select = copy and middle click = paste, in the other clipboard. Give *nix a try.

          "Drunk piano player... you can't hit nothin. In fact, you're probly seein double."

          "I have two guns, one for each of ya."

          1. Anonymous Coward
            FAIL

            probably nobody cares but

            put H&R Block on your 'naughty' list.

            They do list all the varied symbolic crap you must include

            They do NOT allow Ctrl+V pasting

            They do NOT allow middle-click pasting

            They do allow drag&drop from another program where I pasted the thing HAH TAKE THAT

            They do have a glorious 15-character limit which pisses in my chili because

            alias mkpass='pwgen -cnysB 16 1'

        3. Anonymous Coward
          Anonymous Coward

          Re: Sometimes I can't use a long password

          "Funny enough, while right-click>Paste is blocked on one of such sites, the good ole Ctrl-C just works."

          On the Mac it seems to be the reverse; Cmd+v is often blocked but right click>paste has always worked for me.

        4. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      Re: Sometimes I can't use a long password

      UBS have this on their iPhone app - you can't use punctuation etc. On the upside, their website requires a dongle to use.

      AC cos I don't want people linking my bank to my username - probably paranoid!

    3. NonSSL-Login
      Holmes

      Re: Sometimes I can't use a long password

      This is my biggest annoyance. Restricted password length and not dealing with certain characters such as speech marks, semi-colons etc. It is hit and miss if the system will allow spaces in the password too.

      While far from the perfect solution, allowing people to write sentences or phrases with spaces gives a lot more protection. We will still see "this is my password1" as the most common password there but you can't cure stupid.

      There is still the issue that most people once they remembered a suitably long complex password will re-use that password everywhere, so it only takes one site to be compromised that has poor storing of passwords...

      1. Wensleydale Cheese
        Unhappy

        Re: Sometimes I can't use a long password

        "Restricted password length and not dealing with certain characters such as speech marks, semi-colons etc. It is hit and miss if the system will allow spaces in the password too."

        This. I recently came across a suggestion that colons crept onto lists of disallowed characters because it's used as a separator in the *nix passwd file, but that smacks of lazy programming.

        Cargo cult programming

        Cargo cult programming is a style of computer programming characterized by the ritual inclusion of code or program structures that serve no real purpose. Cargo cult programming is typically symptomatic of a programmer not understanding either a bug they were attempting to solve or the apparent solution (compare shotgun debugging, deep magic).

        The term cargo cult programmer may apply when an unskilled or novice computer programmer (or one inexperienced with the problem at hand) copies some program code from one place to another with little or no understanding of how it works or whether it is required in its new position.

        1. Frumious Bandersnatch

          Re: Sometimes I can't use a long password

          Unix password files have never stored passwords in the plain, so saying that : is disallowed because it might appear there is rubbish.

        2. Yet Another Anonymous coward Silver badge

          Re: Sometimes I can't use a long password

          >used as a separator in the *nix passwd file

          If they are storing your password unhashed in /etc/passwd you have bigger problems

      2. Anonymous Coward
        Anonymous Coward

        Re: Sometimes I can't use a long password

        This is my biggest annoyance. Restricted password length and not dealing with certain characters such as speech marks, semi-colons etc. It is hit and miss if the system will allow spaces in the password too.

        However, knowing which characters are not allowed can help you decide if the site is vunerable to SQL injection attacks.

    4. Eddy Ito

      Re: Sometimes I can't use a long password

      Come now, you're exaggerating. The only institutions using simple rules capped at 8 characters are the unimportant and trivial ones where security isn't really a concern, like banks. Oh, hang on.

      1. creepy gecko

        Re: Sometimes I can't use a long password

        "Come now, you're exaggerating. The only institutions using simple rules capped at 8 characters are the unimportant and trivial ones where security isn't really a concern, like banks. Oh, hang on."

        The UK Gov's National Savings & Investment (NS&I) website did until fairly recently have a maximum password length of 8 characters. They did change it last summer to a longer limit of (IIRC) twenty characters. Much better.

        Another annoying trick that many websites use is not to reveal the password composition rules until AFTER you've typed in your new proposed password. Then they tell you it's a maximum of 10 characters, limited special characters, and only lower case letters or something equally silly.

      2. Anonymous Coward
        Anonymous Coward

        Re: Sometimes I can't use a long password

        Oh, now you did it - you got me started on banks...

        Like the ones that talk big about "security", then ask you to download and run an app about which you know absolutely nothing - supposedly to "enhance your security".

        Like the ones that are wide open to MITM attacks, as Firefox warns me...

        1. arctic_haze

          Re: Sometimes I can't use a long password

          Oh yes, banks. My bank (a local chapter of a big international financial institution) had a period when they called their clients with offers, starting the conversation with asking them for... the password.

          The first time it happened I was very close to actually calling the police. I could not believe it wasn't a scam. Later they changed the policy to ask about my personal data (like month of birthday). My answer was still the same: "You are calling me so it is me who verifies you". At least they never tell get to give me the offer, which is a bonus.

          1. Solarflare

            Re: Sometimes I can't use a long password

            My bank is actually reasonable on that regard, I set it up with them that when they ring me, I verify that they are legit using the same challenge response question format that they use. Works pretty effectively.

          2. Atilla_the_bun

            Re: Sometimes I can't use a long password

            Yup. I still cannot fathom my bank when there is a security question about the use of my card calls me and asks me to verify my account _before_ they will even talk about the problem. They have my email, and even my cell # and could quite simply text or email me that I need to call them about an issue and call the number they provide on a part of their web site, heck even part of my account page after I have logged in. You simply can't fix that level of stupid an yet we TRUST banks?

    5. JLV

      Re: Sometimes I can't use a long password

      >some systems that: impose a maximum length on passwords,

      Thank you for not mentioning our flagship product, Windows 10, by name. We've been thinking about allowing more than 16 character passwords, but you know how it is.

      Would you like a new WinPhone? Going cheap.

      Yours,

      Sinovskella

      1. tiggertaebo

        Re: Sometimes I can't use a long password

        For accuracy Win10 actually allows 127 characters, Microsoft accounts are where the 16 character limit comes in. That's just as bad of course but let's at least have a go at them about the right product.

        1. JLV

          Re: Sometimes I can't use a long password

          Hmmmm, all I know is that my cloud-backed Win 10 account (it's not my primary machine, I have very little confidentials on it so I couldn't be bothered to fish out what might/might not work wo MS Live or whatever) chokes on >16 chars outta the box.

          Presumably for the reason you mentioned.

          The exact cause is less important than the fact that the default, strongly encouraged by MS, set up has that limitation.

  2. Anonymous Coward
    Facepalm

    It only makes it easier to crack...

    When a website asks for a password with at least 1 capital letter, most people tend to make it the first letter in their pasword...

    And if people are forced to also use at least one or two numbers, you can be allmost sure they put those at the end...

    Maybe it's time to educate people about password strength again...

    1. Anonymous Coward
      Anonymous Coward

      Re: It only makes it easier to crack...

      Password1

      1. Flocke Kroes Silver badge

        Re: It only makes it easier to crack...

        I thought all L337 |-|4><0r$ used p455\^/0Rd-0|\|3

        My favourate: '; DROP TABLE users /*

        1. Doctor Syntax Silver badge

          Re: It only makes it easier to crack...

          "My favourate: '; DROP TABLE users /*"

          Problem solved. Our GP's online booking service requires reasonable strength passwords including non-alphanumerics but baulks at semicolons. Maybe that's why.

          1. creepy gecko
            Happy

            Re: It only makes it easier to crack...

            Obligatory XKCD reference....

            https://www.xkcd.com/327/

            1. Anonymous Coward
              Anonymous Coward

              Re: It only makes it easier to crack...

              So what happens when sanitizing the inputs MAKES it malicious? IOW, the malcontents make it so they EXPECT you to sanitize it?

        2. Stumpy

          Re: It only makes it easier to crack...

          Flocke Kroes wrote:

          "My favourate: '; DROP TABLE users /*"

          And the best part of that is that my password strength checker says that it's a fantastically strong password

          1. MrT
            Angel

            Re: It only makes it easier to crack...

            Apart from the double-letters, 'Password rules are bullsh*t!' would appear to be acceptable... password.kaspersky.com reports "Your password will be bruteforced with an average home computer in approximately 10000+centuries".

            1. Cameron Colley

              Re: My favourate: '; DROP TABLE users /*

              Using:

              X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

              Could cause issues for those sites storing passwords in cleartext, perhaps?

              1. Ken Hagan Gold badge

                Re: My favourate: '; DROP TABLE users /*

                There probably aren't many systems that store passwords in cleartext, but there may be some that would let you choose it as a user name.

                1. veti Silver badge

                  Re: My favourate: '; DROP TABLE users /*

                  If the database has a table that's just called "users", and that table can be dropped in isolation (implying that it has no dependencies), then... well, let's just say password strength is the least of your problems.

      2. Your alien overlord - fear me

        Re: It only makes it easier to crack...

        Duh,for security it should be at least 10 characters so you'll have to use Password123 :-)

        1. AMBxx Silver badge

          Re: It only makes it easier to crack...

          Why not just have an increasing delay between logon attempts?

          Car radio I had years ago started with a 5 second delay after the first attempt. Then just kept doubling. Doesn't matter how much CPU you throw at a problem if there's a 24 hour delay between attempts.

          Password124 wouldn't be so bad then!

          1. Anonymous Coward
            Anonymous Coward

            Re: It only makes it easier to crack...

            Pretty much everything already has protection in terms of repeated logon attemps, typically the account will get locked out after a certain number of failed logins or whatever. This password strength concern is about what happens when someone gets hold of the encrypted password DB and starts trying to decrypt it.

          2. picturethis
            Facepalm

            Re: It only makes it easier to crack...

            ^^this^^

            Putting a delay in after submitting each requst essentially moves the problem into a different space. Even is one can create a number of passwords at a prodigious rate, if the reponse to accept the submitted password is delayed, then the entire cycle is extended - by a lot.

            It doesn't matter how fast you can create the passwords, it is how fast each one can be tested. This squarely puts the onis on the websites/devices to implement this.

            I have a 10 year old Dell laptop and if one mistypes the BIOS boot password, it delays additional time (like 5 seconds more) for the next try and then on the 3rd time even more time. Try automating the cracking of that. This method has been used for at least 10 years, where the fuck are the website designers/operators?

            It wouldn't even impact 99.99% of users, as they will enter their password correctly the first time, only retries (during a hack attempt). HELLO (Website Designers)...

            This is one of "those" cases where faster (website response) isn't always better.

            Of course this only applies to brute-force/dictionary attacks, cookies, sql injection etc, maybe not so much.

            1. Truckle The Uncivil

              Re: It only makes it easier to crack...

              It does require the site to store failed login attempts though or at least flag accounts. Could not that be used in a site attack?

              1. picturethis
                Meh

                Re: It only makes it easier to crack...

                I don't think it necessarily implies the storing of failed logins.

                One possible compromise would be that if the login is not successful, just delay the rejection response for a period of time, for example, 10 seconds. There's nothing stored, the entity attempting to login wouldn't attempt another. For this to work though a successful login response time may have to be randomized so that the bot doesn't immediately know after 2 seconds that its guess wasn't correct. On the plus side, radomized response times might help load balancing.

                I have to admit, I'm not sure how websites handle simultaneous attempts at logging in with the same username - if it's allowed as multiple sessions or if there's a check to see if the user is already logged in. I suspect that this is implementation dependent as I've seen different behaviours from different sites.

                Well, I'm sure nothing will come of the suggestion anyways, as with most security, it requires additional work (and money) which we all know businesses don't deem necessary. Not to mention the endless bitching from endusers that will result when it takes an additional second or two to login..

                1. Tom 38

                  Re: It only makes it easier to crack...

                  I don't think it necessarily implies the storing of failed logins.

                  One possible compromise would be that if the login is not successful, just delay the rejection response for a period of time, for example, 10 seconds.

                  So now you are open to DoS via resource depletion. What's your next plan?

                  1. Kiwi

                    Re: It only makes it easier to crack...

                    One possible compromise would be that if the login is not successful, just delay the rejection response for a period of time, for example, 10 seconds.

                    So now you are open to DoS via resource depletion. What's your next plan?

                    How so? So user Tom38 has a 10 second or so wait before his next login attempt shows up (some pages take longer than that to load!), or ip 118.234.567.8910 takes 10 seconds before the page comes through. How's that a DoS? Only those who have typed a wrong password get the delay. I fail to see how that is a DoS?

              2. Kiwi

                Re: It only makes it easier to crack...

                It does require the site to store failed login attempts though or at least flag accounts. Could not that be used in a site attack?

                Only to get people's accounts locked out. My bank gives you a limit of 3 failed logins after which IIRC you have to visit a branch to reset the account. You may be able to do it via phone banking, but I believe it requires a branch visit. No, not going to test it!

                Aside from getting people locked out, I can't see any attack vector from storing failed attempts?

            2. Leathery Hawkeye

              Re: It only makes it easier to crack...

              Tell me what happens when there's been an infiltration attempt and Joe Bloggs user then attempts to logon - only to be told that next allowed logon attempt is in 24 hours? Or are you going to restrict by host/ip - which then restricts a whole system from logging on?

              1. Kiwi

                Re: It only makes it easier to crack...

                Tell me what happens when there's been an infiltration attempt and Joe Bloggs user then attempts to logon - only to be told that next allowed logon attempt is in 24 hours?

                What's wrong with that? Many banks do that or make it so you have to visit a branch to get your account reset. If someone is trying to crack my account I'd much rather the account be locked out then they get another go in a few hours (that said, a few hours lockout is enough to make my account not worth touching)

                Or are you going to restrict by host/ip - which then restricts a whole system from logging on?

                3 failed attempts at IMAP/SMTP and a couple of other services on my system gets your IP blacklisted for 5 hours. 3 failed attempts at SSH gets your IP blacklisted indefinitely. To many failed attempts from your IP range gets your IP range blacklisted indefinitely, maybe with some notes to your ISP. Course, there's only a small few people who currently use my system so it's not an issue.

          3. Frumious Bandersnatch

            Re: It only makes it easier to crack...

            True, there should be protections against brute-force dictionary attacks, say, by increasing the delay between attempts. On the other hand, you need "defence in depth": if the password file is lifted through some sort of vulnerability, you need (at a minimum) to have those passwords salted and hashed. Not reusing passwords across sites is another sensible level of defence. Hope for the best, but plan for the worst.

            1. Hawkeye Pierce

              Re: It only makes it easier to crack...

              Increasing the delay between attempts can be done in one of two ways. The first is to only track by IP address (i.e. if the username + IP address is the same then delay on each failed attempt) in which case a bot farm can be used easily enough to circumvent that. If you don't factor in the IP address and delay on EACH failed attempt then you're opening yourself up for DoS attacks, preventing people from being able to log in.

          4. Adam 1

            Re: It only makes it easier to crack...

            > Why not just have an increasing delay between logon attempts?

            That defence only works against online attacks. And it is probably easier to detect enumeration attempts from the same IP and blacklist it. More likely though, someone forgot to password protect their Mongodb which gets lifted and then they throw hashcat at it.

      3. katrinab Silver badge

        Re: It only makes it easier to crack...

        Password1! if it requires a symbol.

      4. Michael Duke

        Re: It only makes it easier to crack...

        Nah I use the much more secure P@ssw0rd!

    2. Anonymous Coward
      Anonymous Coward

      Re: It only makes it easier to crack...

      Education is irrelevant, techies trying to explain password complexity to ordinary people are like gearheads trying to explain final drive ratios to ordinary people.

      We need to give up trying to make people to care about password strength for stupid stuff like online forums. They don't. They shouldn't. Stress that it only matters for really important stuff like online banking, and to stop caring if your Twitter account password is insecure unless you have hundreds of thousands of followers.

      Most people let their browsers remember their passwords which obviates even the best passwords as I'm sure that's the first thing malware looks for when it infects a new system.

      1. Charles 9

        Re: It only makes it easier to crack...

        "We need to give up trying to make people to care about password strength for stupid stuff like online forums. They don't. They shouldn't. Stress that it only matters for really important stuff like online banking, and to stop caring if your Twitter account password is insecure unless you have hundreds of thousands of followers."

        You forget that hackers can break into the weak stuff to glean information to use in social engineering attacks to get at the stronger sites. IOW, weak passwords of any sort become gateways. So you must treat the most innocuous site just as much as your most secure one since one can open the way to the other, making the strongest site only as strong as the weakest one.

        1. Anonymous Coward
          Anonymous Coward

          @Charles 9

          The only thing hackers can glean by breaking into the weak stuff is possibly a few answers to those "security questions" that really need to die. Those are often the weakest link, for those dumb enough to answer them correctly. If they give you a selection of answers, google can tell you some of the answers if you are determined.

          "What street did you live on in third grade" - if you can figure out who their parents are and where they live, which google often can, there's probably a 1 in 3 chance it is the same address. "In what city did you meet your spouse?" - if you know where they graduated college, probably almost 50/50 shot that it is in that city. "What was the name of your first pet?" - since most of these automated systems for password reset don't care if you try multiple times, you can probably try 20 common pet names and have a decent shot at guessing right.

          Getting into someone's Facebook or Twitter might help, but if they don't have it locked down Google has it all conveniently indexed so as long as they don't have a terribly common name for where they live (and are male, since many single women use their middle name instead of last, and most married and many divorced women have dropped their maiden name) you can find them. And if they are a member of a group like "Hilldale Elementary School students from the 70s and 80s" you might find them posting about Miss Pankey from first grade, and be able to answer that "What was the name of your first grade teacher?" question!

          If you haven't already guessed, I use those questions as another layer of password, don't answer them correctly, and keep them in a file like I do the passwords themselves and other data like the account name or whatever.

          1. Charles 9

            Re: @Charles 9

            "If you haven't already guessed, I use those questions as another layer of password, don't answer them correctly, and keep them in a file like I do the passwords themselves and other data like the account name or whatever."

            So what happens WHEN (not if) they pwn your local machine with a drive-by and steal your special file?

            1. Kiwi
              Trollface

              Re: @Charles 9

              So what happens WHEN (not if) they pwn your local machine with a drive-by and steal your special file?

              So what happens WHEN (not if) the government beams it from your brain using black helicopters powered by green neutrinos?

              (Come on, admit it, you've always wanted to say something like that with one of your "what happens when.." posts... :) )

            2. Anonymous Coward
              Anonymous Coward

              Re: @Charles 9

              I'm not Charles 9 of 7, but my special file is encrypted with pgp and stored on a LUKS partition, along with the pgp binary I use. When encrypting, the plaintext exists in /tmp (a RAM disk) long enough to update, after which it's wiped. Despite some weaknesses in the cipher, I've not read of any instances of small files encrypted with pgp/IDEA being cracked.

          2. Smody

            Re: @Charles 9

            "to those "security questions" that really need to die." HALLEFREAKINLLUYAH. I hate those questions, and I NEVER specify a meaningful answer. Although sometimes they do indicate that i have psychological problems:

            Favorite pet: Godzilla.

            Favorite restaurant: Roach Motel Moe's.

            etc.

            and pass phrase acronyms: IHTGDSSQs.

          3. Roland6 Silver badge

            Re: @Charles 9

            @DougS - I know there is an invisible line in the sand, but we shouldn't confuse hackers who want the best return for the least outlay, hence grab password file and run a dictionary against it, and those who have intent upon you as an individual.

            I accept with large public databases such as Facebook more personal information is available to the hackers, but I do think we need firstly to worry about the hackers. If someone is prepared to undertake the level of research you're intimating then you have bigger problems that super secure passwords won't make go away.

            However, I totally agree with you and Smody's comment, we shouldn't treat these questions as requiring honest answers, they simply need answers that we know and that can be used to demonstrate we are the rightful user of the account associated with them. Because of this, these details also need to be securely stored and not easily retrieved - even if I have the correct username and password.

        2. Kiwi

          Re: It only makes it easier to crack...

          So you must treat the most innocuous site just as much as your most secure one since one can open the way to the other, making the strongest site only as strong as the weakest one.

          What you say is true for some sites, but for others, not so. Let's take a couple of dozen of my facebook accounts for example. You'll be doing pretty bloody well to link [random realistic-sounding firstname] [random relistic-sounding surname] to me. Hell, I can't remember even one of the names I used on there any more, let alone passwords etc. When I want to use facebook (rare) I just create throwaway accounts as I'm sure you've seen me mention.

          There are lots of other sites I've done that on. Sites where content I am desperate enough to view is hidden behind a login screen, I'll visit 10minutemail.com, sign up to the site using whatever random characters I type for username (or just the 10min email) and whatever I type for the password, !QAZxsw2 gets through most password strength meters and if not move one column right and try again.

          I can see your point - for regular sites that you use a lot you should consider if there is a risk to your account being hit (here I'm only 12 or so votes from joining you with that silver badge, I'd hate that to be stuffed up!).

          So while true some sites need thought, a lot don't. Most of the sites I've logged into/created accounts on etc are low-value and have little or no real information about me. If they get hacked, I won't even know about it, nor would I ever care. I would be unlikely to even recognise the username and have no chance of recognising the email address.

          HTH, rather than shows I probably should've gone to bed an hour ago...

      2. tony72

        Re: It only makes it easier to crack...

        Well said. But I have to say, I'm a techie, and I don't care (that much). As far as I'm concerned, my password strength is selected to stop someone easily guessing my password, or working it out from readily available information. If someone is going to get hold of the encrypted password DB and make a concerted effort to crack it, assume they're going to succeed, and look to other layers of security for protection. Otherwise it's just stupid; with the continually advancing power of CPUs and GPUs, do we just keep recommending longer and longer passwords? Reductio ad absurdum, people.

  3. Destroy All Monsters Silver badge
    Windows

    2nd factor strong!

    Google's director of information security and privacy this morning. It's 2017. Passwords are irrelevant. Anything you care about should be protected by a strong 2nd factor.

    Typical juvenile Google. One just wants to cross the road on foot and they complain that there is no teleporter with integrated robobutler right next to the kerb to do that.

    Most people and most applications on Earth are not ready for "strong 2nd factor". Or a likey to be so before civilization collapses again. Nor do they need it.

    1. Anonymous Coward
      Anonymous Coward

      Re: 2nd factor strong!

      "Google's director of information security and privacy this morning. It's 2017. Passwords are irrelevant. Anything you care about should be protected by a strong 2nd factor."

      Cynical translation: Google wants your phone number, all the better to track you with.

      1. Anonymous Coward
        Anonymous Coward

        Re: 2nd factor strong!

        Yes, 2FA is secure as long as nor Google, nor Facebook, nor other companies hoarding data are involved. Otherwise it's just another way to track what you do.

        1. K.o.R

          Re: 2nd factor strong!

          Twitter and Facebook's so-called 2FA is pointless as even if you set up an authenticator app, they still send the (interceptable) SMS code with no way to turn it off.

          1. Tom 7

            Re: 2nd factor strong!

            I put in a random number for phone - largely because I dont trust them with my number but more realistically I hardly ever have my phone with me as there is no coverage here - despite EE telling me I can have 4G wifi modem.

            Most of my passwords are so strong I can never get them right anyway.

            1. Adrian 4

              Re: 2nd factor strong!

              2FA is something you forgot and something that's in your other coat.

      2. joed

        Re: 2nd factor strong!

        Yep, everyone wants your phone number now. It's for your good. Even MS is no longer desperate to give away outlook.com accounts (now that they forced Windows 10 on masses). BTW, while outlook.com insists on getting to know you-r phone number, the signup for visual studio account seemed to more lenient (as of last week), go get your spam accounts;)

      3. Anonymous Coward
        Anonymous Coward

        Re: 2nd factor strong!

        "Cynical translation: Google wants your phone number, all the better to track you with."

        For 2FA I have a handy burner phone with a long battery life, replaceable battery, no GPS using a 3 PAYG SIM. My normal phone is on a different carrier. (My hat is also made from the finest mu-metal, but that's coincidental.)

      4. DropBear

        Re: 2nd factor strong!

        "Cynical translation: Google wants your phone number"

        Not that I necessarily disagree, but assuming you happen to have an Android phone that you actually use as a smartphone (ie. associated with your Google account) they probably already know your phone number even if they pretend to not know it for your ease of mind. To be honest, I'm willing to jump through some pretty outlandish hoops to preserve _some_ semblance of privacy - but not checking my mail on my smartphone is NOT one of them.

        1. Kiwi
          Boffin

          Re: 2nd factor strong!

          Not that I necessarily disagree, but assuming you happen to have an Android phone that you actually use as a smartphone (ie. associated with your Google account) they probably already know your phone number even if they pretend to not know it for your ease of mind. To be honest, I'm willing to jump through some pretty outlandish hoops to preserve _some_ semblance of privacy - but not checking my mail on my smartphone is NOT one of them.

          And there's one of the big issues with 2FA right there. Er, am I allowed to say this? Seems obvious but no one seems to be saying it... Well, I'll go ahead anyway..

          Seems half the world's population today does much of their day-to-day computing on their smartphone. While it's a device they have with them always that can do smart things like 2FA, it's also the device most likely to be stolen.

          So you have a banking app, and theif tries to log in only they don't know your pin. That's OK, they go to the reset and your bank helpfully does a couple of extra things - sends a "reset link" to your email and a special code via sms to your phone. Both of which the thief can check because they have your phone. While the more security-concious of us may have the phone locked, lots of people don't or they use obvious unlock things (like a pattern unlock on their screen that has a very clear Z shape from their greasy fish'n'chips lunchtime fingers). I think with my Alcatel drawerphone the locking is undone always by checking notifications, and a friend of mine who uses iphones recently told me that Siri unlocks his phone when someone tries to trigger Siri (whatever the Apple version of "Ok Google" is).

          So because so many people use their phones for email etc, and don't have security, any 2FA that relies on the phone is insecure by default. Though hopefully most El Reg readers have the nous to see the issue and find a way to deal with it, or turn their smartphone into a nice drawer-accessory..

  4. Ben Tasker

    > It's 2017. Passwords are irrelevant. Anything you care about should be protected by a strong 2nd factor.

    I disagree.

    Yes, anything you care about should be protected by a strong 2nd factor - but it's supposed to be precisely that a second factor. Something you know, and something you have. So the password is still very relevant.

    It's your protection against someone swiping that 2nd factor (by taking your U2F dongle of your keys or whatever), just as 2FA is a protection against someone finding out your password. The two complement and help protect each other against different threats.

    Hell, you've only got to look at the history of debit/credit cards to see that. When all you needed was the card (something you have) to swipe, nicking/cloning and using a card was easy. They introduced the PIN (something you know) and it became much harder (whilst not perfect). In fact, the criminal focus largely moved onto other weaker areas of the chain instead. Course with pay-by-bonk we're moving away from that again, but meh.

    1. Charles 9

      "Yes, anything you care about should be protected by a strong 2nd factor - but it's supposed to be precisely that a second factor. Something you know, and something you have. So the password is still very relevant."

      But what if you don't HAVE a second factor: not even a cell phone, because you keep LOSING things? Or you don't trust cell phones? And as for those fobs, what was that RSA hack about again?

      1. smartipants
        Go

        It's 2017 - use FIDO U2F

        The Googler did say STRONG second factor. SMS is not strong, and has also been completely dissed by NIST, not only because it can be intercepted but also because it is often received on the same device as you are logging in from, and can often be viewed without unlocking.

        Use FIDO U2F. Unlike the older hardware tokens (RSA etc.) a U2F security key doesn't have a shared secret, as it uses asymmetric encryption (ie public/private keys). Thus enrolling a key can be done just by the user and doesn't need an IT admin to set you up first, and/or it doesn't need the service provider to send a pre-registered one to you - you can just buy one. More importantly, one token can be safely used on multiple web sites/services, without any sharing or privacy issues (each service generates a unique handle and derived key pair).

        Google, Facebook, Dropbox and Github already support U2F, so that's a good enough reason to get one, and they cost less than a tenner on Amazon. That's for a USB version, while Bluetooth and NFC is coming soon for mobiles..

        Look up the specs at the FIDO Alliance. It's well peer reviewed, widely supported by big industry players and there is a good white paper looking into the security/privacy issues too.

        1. Charles 9

          Re: It's 2017 - use FIDO U2F

          And what if you lose THAT?

          1. Hero Protagonist

            Re: It's 2017 - use FIDO U2F

            Some people just can't be helped.

            1. DropBear

              Re: It's 2017 - use FIDO U2F

              "Some people just can't be helped."

              Any security scheme that completely hinges on keeping any one single component absolutely secure (ie. must never be lost or stolen) is not worth bothering with.

  5. Richard 12 Silver badge

    Why does anybody treat passwords as ASCII FFS

    Just accept almost any bytes above a certain length into your hash function.

    This only needs to be entered by the user, nobody ever needs to see it. Who cares if the current font can't actually display it? You're only showing * anyway.

    There should be nothing wrong with using an emoji sequence.

    Oh dear El Reg. I can't post emoji? That's terrible!

    1. Anonymous Coward
      Anonymous Coward

      Re: Why does anybody treat passwords as ASCII FFS

      According to my emojianalysis of your post, you're too old to be using emoji.

      1. Richard 12 Silver badge

        Re: Why does anybody treat passwords as ASCII FFS

        *cat* *sticking-out-tongue* *taco*

        1. VinceH

          Re: Why does anybody treat passwords as ASCII FFS

          *banana* *house* *covering-ears* *apple-pie* *rocket*

      2. Roland6 Silver badge
        Pint

        Re: Why does anybody treat passwords as ASCII FFS

        and according to my emojianalysis of your post, you're too young to remember the ASCII emoji.

    2. Tom 7

      Re: Why does anybody treat passwords as ASCII FFS

      You've obviously never got involved in internationalisation! You could set a password that could only be typed in by that keyboard you used in Outer-Mongolia while on business!

      1. katrinab Silver badge

        Re: Why does anybody treat passwords as ASCII FFS

        Or by typing Alt + 3 or 4 digit number.

    3. Anonymous Coward
      Anonymous Coward

      Re: Why does anybody treat passwords as ASCII FFS

      Ah yes, the wonderful days I spent trying to let Javascript ("All strings are UTF-8.") do HTTP basic auth (Encoding not specified in the RFC, depending on what RFCs you read, that means ASCII or Latin-1 or possibly mis-implemented as Win-1252).

      Sorry, beyond the printable 95, chances are you're on your own.

    4. Anonymous Coward
      Anonymous Coward

      Re: Why does anybody treat passwords as ASCII FFS

      Because ASCII FFS is the current standard. I believe Version FFS is the current standard for everything.

    5. Anonymous Coward
      Anonymous Coward

      Re: Why does anybody treat passwords as ASCII FFS

      Some may scoff at your post but I've been doing this very thing for years. My password involves the Alt Codes for letters, numbers, & special characters (including spaces which some password fields would otherwise reject) & that tends to drop a spanner in the works of anyone trying to brute force mine. It probably won't matter much if my password is only 8 characters long if half of those are actually the Alt Codes for those characters & you don't know which ones to use. It may LOOK like "password" but is actually pAlt+0220Alt+256...

      (Whispers conspiratorially: Actually my password is "AnonymousCoward", don't tell anyone!)

      *Cough*

      1. Charles 9

        Re: Why does anybody treat passwords as ASCII FFS

        If they set up a keylogger, they can just record the strokes no matter how obscure they are.

  6. Swiss Anton

    99 ice cream loving honeybadgers ate my hamster!

    This might look like a random title for a comment on this story, but it is an example of a memorable password that I made up for a comment on the story Human memory, or the lack of it, is the biggest security bug on the 'net. Even though I only wrote it once, and that was over a month ago, I can still remember it (though admittedly it is probably too long to be a sensible password)

    1. Roland6 Silver badge

      Re: 99 ice cream loving honeybadgers ate my hamster!

      >(though admittedly it is probably too long to be a sensible password)

      Agree this is a real problem, on my MS account, I have a password that is sensible and easy to enter on a normal keyboard. Entering it on an Xbox in the absence of a physical keyboard is another matter.

      Likewise having a 16+ character key for the WiFi, can be fun to enter on some devices as it can overflow the display text box (which the developer forgot to enable horizontal scrolling on) and so you are entering characters without any screen feedback...

    2. Charles 9

      Re: 99 ice cream loving honeybadgers ate my hamster!

      "This might look like a random title for a comment on this story, but it is an example of a memorable password that I made up for a comment on the story Human memory, or the lack of it, is the biggest security bug on the 'net. Even though I only wrote it once, and that was over a month ago, I can still remember it (though admittedly it is probably too long to be a sensible password)"

      Good for you. What about those with POOR memories, or who have to go through hundreds of them in a given month?

      1. Anonymous Coward
        Anonymous Coward

        Re: 99 ice cream loving honeybadgers ate my hamster!

        > What about those with POOR memories

        You probably don't have poor memory: you're just poor at remembering (forming memories).

        There are all sorts of tricks and mnemonic techniques for remembering (and being able to recall) arbitrary information. It's even easier when you get to choose the password. For example, a fictitious site rainbow.com could be be remembered with "Rainbow wankers" -> "Rainbow Wang Cares About Hoovering Up My Password" -> "RWCAHUMP"

        1. Charles 9

          Re: 99 ice cream loving honeybadgers ate my hamster!

          No, poor memory. As in "CorrectHorseBatteryStaple" turns into "DonkeyEnginePaperclipWrong" one day and "CrankMaybePinMule" the next. Some people's memories are THAT bad (or worse, you have to keep telling them THE SAME THING every single day).

          1. Aladdin Sane

            Re: 99 ice cream loving honeybadgers ate my hamster!

            Just write it on a post-it stuck to your monitor.

          2. Dan McIntyre

            Re: 99 ice cream loving honeybadgers ate my hamster!

            Some people's memories are THAT bad (or worse, you have to keep telling them THE SAME THING every single day).

            Indeed. I have young-onset Alzheimers. I am one of those people.

            BUT - I have never yet forgotten any of my passwords. And I use different ones for every service I use, both personal and work related.

  7. Uplink

    NoPassword

    I saw something that, while slightly inconvenient, could work well if the SMTP infrastructure is fixed to always use encryption between servers:

    Single use limited validity login link sent to your email address

    There's no password for the service itself, there's no FacegleIn OAUTH exchange, you can use any email provider you like without being locked in. All you have to do is protect your email account with a strong password and 2FA.

    1. Roland6 Silver badge

      Re: NoPassword

      >All you have to do is protect your email account with a strong password and 2FA.

      Shame that the most useful email account and one most likely to be used by the majority, is the one on the phone, which as we know is typically set to auto login and as 2FA gets in the way of inbox update scanning - 2FA disabled. Thus the 'secure' email account is protected by the relatively weak phone lock. Thus we are back to access being largely defined by possessing the physical device and knowing the passcode.

      The key which everyone, including Stackoverflow's Jeff, is missing, isn't so much password security in itself but the security around the 'lock' and credential storage. Note, Jeff's only real complaint about passwords of 8 or fewer characters is that someone with access to the hash can undertake a dictionary attack. What he omits is any measure of how secure say a 4-digit password is, where the rules are; you have three attempts before access is blocked (ie. bank card) and you have to use alternative means to regain access.

      Thus the big issues are firstly getting over the misconception that complex to human's passwords are more secure than long simple to human's passwords. The second is getting dev's and system builders to understand the need to build security in depth by implementing a few basic and very simple principles.

      1. eldakka

        Re: NoPassword

        The key which everyone, including Stackoverflow's Jeff, is missing, isn't so much password security in itself but the security around the 'lock' and credential storage. Note, Jeff's only real complaint about passwords of 8 or fewer characters is that someone with access to the hash can undertake a dictionary attack.

        Completely agree.

        A dictionary attack can only occur if the sites (or organisations) security is already fatally compromised to the point where an attacker can get their hands on the entire hashed password database AND they don't salt, preferably stored in a separate location.

    2. Adrian 4

      Re: NoPassword

      Is that the site I couldn't log on to because the email address I'd signed up to was unavailable ?

  8. W Donelson

    I believe...

    ... the real reasons for these password rules is to force you to generate a new and unique password for that site. Not necessarily a bad idea, but worthless in the long run.

    1. John Miles

      Re: I believe...

      I think you are over thinking it - people come up with something they think makes things more secure, but because they don't understand security you end up with some stupid and arbitrary rules

      1. Anonymous Coward
        Anonymous Coward

        Re: I believe...

        But even arbitrary rules can help to keep the same password being used in multiple sites: a gateway risk.

        1. Dave 126 Silver badge

          Re: I believe...

          Hehe, I think I must be missing something here, possibly a joke.

          How can blogs.com make you use a different password to that which you use on Jones.com, unless blogs.com knows your jones.com password? :)

          1. Tannin

            Re: I believe...

            Well, the obvious answer is that bloggs.com requires a length of 6-10 characters, no dictionary words, no punctuation marks, and at least one number, while jones.com requires 12 or more characters, .mix of upper and lower case, no repeated letters, and at least one non-alpha-numeric character.

            But possibly I'm missing the same something here.

            1. Adrian 4

              Re: I believe...

              Easy. When you create the account on bloggs.com, it attempts to use your newly-entered account details at jones.com. If it succeeds, you used the same details.

              But most of these sites just need to get over themselves. We don't need a password for a random forum. Just a username that's not the same as the display name.

              1. Charles 9

                Re: I believe...

                Oh, so hackers figure it out, start posing as you, and either slander your image or engage in social engineering attacks?

                1. Kiwi
                  FAIL

                  Re: I believe...

                  Oh, so hackers figure it out, start posing as you, and either slander your image or engage in social engineering attacks?

                  And that comes under the title of "so fucking what?".

                  There are literally dozens of forums I've logged into, posted on briefly, then gone on to other places - either because the quality of content is rediculously low (eg several of the MS tech forums where you can expect and exchange like "Help my computer is a pile of smouldering slag" "Oh just use system restore and you'll be fine" or in the case of one Vista problem I and several others got "MSVP here, that problem cannot possible occur, you obviously aren't as good with computers as I am coz I am the MSVP" (or whatever they call them).

                  I cannot remember most of the forums I've visited, let alone username or password. It's not like (knowledgeable) people visit random sites and immediately start welcoming strangers into their home with posts about where the spare key is kept and what the alarm code is. So people have hacked a couple of dozen of my accounts and are posting as me, so what? I'm never going to know about it, there's no way they could link the account back to me. If they had the level of tools and information required to link even one of those accounts to me, then I've got a few more worries than someone posting as me.

  9. Anonymous Coward
    Anonymous Coward

    Even the big companies fail at this

    I was creating an Office 365 account for myself yesterday. I was having some trouble getting the page to accept the password I had configured my password manager to issue. I'm in permanent skim-read mode on these websites, so took me a little while to realise that it wasn't complaining about my password being too short; but that it was too long.

    "The password should be a maximum of 16 characters long" was the error. I had to read it several times to make sure I hadn't gone crazy.

    A maximum password length on a Microsoft product in 2017. I mean, they're definitely salting and storing a hash, right? They definitely won't be requiring a password maximum length because they store the plaintext in a text(16), right?

    Oh, and let's not forget the Apple GUI dialogs for unlocking encrypted hard disks images, which you can't paste into.

    Seriously, why is everybody so rubbish at this.

    1. Peter X

      Re: Even the big companies fail at this

      Oh, and let's not forget the Apple GUI dialogs for unlocking encrypted hard disks images, which you can't paste into.

      Also, when you paste into a password field (where you can, e.g. in a browser), why doesn't it clear the clipboard for you? I hate when I know I've got a password on my clipboard... it's like... this OCD thing where I feel like I need to wash my hands immediately.

      Paste password... immediately find something innocuous to copy onto clipboard to clear it!

      1. Anonymous Coward
        Anonymous Coward

        Re: Even the big companies fail at this

        KeePass actually does this automatically, giving you only 12 seconds (by default) to paste. The worry, though, is malware with active clipboard sniffers who can get the password the moment it hits the clipboard.

    2. Stumpy

      Re: Even the big companies fail at this

      My guess on this is that server-side the password is read into a statically allocated 16 character array buffer before being dealt with rather than being read into some dynamically allocated string buffer. And it's much easier to stick a little bit of validation on the front-end rather than recode the server-side code that actually does the password encryption.

      Still no excuse for those sorts of half-measures though

      1. Anonymous Coward
        Anonymous Coward

        Re: Even the big companies fail at this

        Just a feeling, but I'm sure the number of sites that restrict length is actually on the rise.

        The worst are the ones that don't actually bother telling you the max length during setup,

        so you use a long one which they promptly truncate and store, but they then don't bother truncating the password on login, so it fails. You're then left with either guessing what they truncated it at, or forcing a password reset and guessing length for the new one.

        One especially cunning bunch of morons recently first stripped the punctuation characters, then truncated the remainder. WTF??? Sadly I actually needed access.

        A bit of the mythical 'best practice' wouldn't go amiss.

        1. Kiwi

          Re: Even the big companies fail at this

          Just a feeling, but I'm sure the number of sites that restrict length is actually on the rise.

          Maybe a lot of sites have always had the restriction but have not publicised it, and dealing with established user databases - I guess it could cause some issues trying to lengthen the field on a 15yr old database. (Disclaimer: I've only done really small scale DB stuff with at most a few hundred users, and never had to worry about anything like this, the largest established database I had to add fields to consisted of just a dozen staff members, way back when cellphones were becoming common and we decided to add a couple of extra phone # fields, which was easy to do)

          But ok, newer sites want to restrict length because of people trying to type in whole novels or something. Fine, but set the length high. Most systems these days will happily take a limit of 100 characters, and it won't make a huge hit on storage or bandwidth. Either your site remain small enough not to care about it, or becomes the next FB and you have a ton of money to upgrade hardware as needed.

          Set a max length if you feel you must, but make it a good length. Maybe even double what you think is a good length, I did.

  10. Schultz

    Human versus machine input

    Let's face it, most current systems are very friendly to hackers and very unfriendly for the users. If the computer can brute-force test a dictionary against human passwords at it's own ever-growing speed, then the computer will win. If not this year, then the next ....

    Humans will only enter passwords at a very slow rate and (mostly) with a high rate of typos. To give the hackers a similar handicap, you need a system that is artificially slow to bring computerized cracking attempts down to the human level. Maybe this could be done with very bad hashing methods that take time even if the password file is public.Trying to get humans to memorize high-entropy passwords will fail even if we all try to memorize Shakespeare backwards and in base 2.

    1. Charles 9

      Re: Human versus machine input

      I don't think that will work, either, as the hackers will simply find faster ways to do the hashes. It's basically an intractable siege problem: the besiegers always have the edge against the besieged because the former isn't locked down.

    2. Roland6 Silver badge

      Re: Human versus machine input

      If the computer can brute-force test a dictionary against human passwords at it's own ever-growing speed, then the computer will win.

      This exploit is facilitated through the blindness of 'security' people!

      Two pieces of information:

      iAPX432

      Intel432@me.com

      Which is the 'password' and which is the username?

      When you think about it, both are really interchangeable, only convention dictates we encrypt one and not the other...

      The point is with a dictionary attack, the first may be readily discovered, the second, at 15 characters will take a little time.... A little thought into the way we store credentials and the linkage between them can make attacks much more expensive.

    3. Anonymous Coward
      Anonymous Coward

      Re: Human versus machine input

      I think both LastPass and 1Password use PBKDF2 for exactly that with a specified number of iterations. Slows offline cracking down considerably so I've read.

  11. Anonymous Coward
    Pint

    He has a point, but also contradicts himself

    For starters: security doesn't begin with a long and secure password, the real security comes from a sane mindset. For example: how secure will your 10 character, alpha-numerical password become when the user applies this everywhere? And wake up call for Mr. Atwood: most users do not think beyond the annoyance of having to fill out a password. As such there's nothing bullshit about trying to steer them in the right direction.

    Then there's a huge difference between passwords on a public network (such as the Internet) or those on a local LAN/WAN. Risk assessment at its finest: when the password becomes too difficult for an end user you can bet he'll write it down somewhere. Most probably on a sticky note attached to the monitor. At work you can't use the comforts of a password manager.

    At least these "bullshit rules" still prevent John Doe from using "password01", "password02" and the infamous "password03" as his 10 length password.

    His rant is based on interesting theories, but there's still a difference between those and the real world.

    1. Charles 9

      Re: He has a point, but also contradicts himself

      Then we're at an impasse because he's saying that anything LESS is crackable within reasonable time. Basically, combining your statement and his, the MINIMUM reasonable standard for security is BEYOND the capability of the average human. Meaning we're basically screwed. And as the saying goes, the hackers only have to be lucky ONCE. That one entry lets them gain enough information to hack other accounts and go from there.

    2. DropBear

      Re: He has a point, but also contradicts himself

      " At work you can't use the comforts of a password manager."

      Huh? Why not?!?*

      *Humour me and let's assume you're not a f###ing defence contractor who can't even plug in a keyboard

      1. Kiwi

        Re: He has a point, but also contradicts himself

        *Humour me and let's assume you're not a f###ing defence contractor who can't even plug in a keyboard

        Looks like a great device. My concern would be around the security of the phone and how the credentials are stored and used. If the user only stores their password on the phone, doesn't associate it with the company readily (ie stores it as "work password" rather than "RBS Server Admin") etc that could mitigate some risk, but I'd be a bit concerned if a person stored credentials in a way that someone nabbing the phone could break. From a brief look at the page if I buy one of those sticks and plug it into my computer, then it'd be trivial to get the phone to spit out the stored data.

        But where people are sensible with it (eg storing all but the first or last character of their password, so even if I did get it I still have a high chance of not being able to get in) then it could make a useful portable password manager. Though I think software on the computer/company network (associated with that person's account) would be good.

  12. Mage Silver badge
    Big Brother

    2nd Factor Auth

    There are LOADS of things it's not suitable for. Perhaps Google just likes to collect phone numbers and other personal information?

    1. Dave 126 Silver badge

      Re: 2nd Factor Auth

      Though Google's 2FA page promotes the use of a phone, standalone USB / NFC dongles are available that work with Google's services. Example:

      https://www.yubico.com/why-yubico/for-individuals/

  13. Saul Dobney

    Files as passwords

    We're going in this direction, but basically make the password equivalent to uploading a file. It could be a proper security certificate, but for ease of use it could also be an image file which would be easier to recall for the user, and easier than continually setting up certs. That would make cracking hashes from a stolen database file practically impossible.

    Users could then store the key files/images in an encrypted folder locally which means attackers would have to have the folder plus the encryption password for each user.

    For additional security a small bit of client-side code could hash the URL (offer unique URLs for login) with the key file and only send the hash - that way the receiving server never sees the actual key-file after the account set up, so spoof sites phishing can't sit and harvest password attempts to use later to compromise accounts.

    1. Charles 9

      Re: Files as passwords

      The hackers ALREADY have the solution for that: they hack your LIVE session, meaning they get the envelope while it's open. That's the current most-intractable problem with encrypted content: it must be DEcrypted to be useful; hackers just wait until then. The only way around that is to have crypto-chips in our brains a la Ghost in the Shell, and I think Shirow Masamune's timetable for that world was all too optimistic.

  14. Anonymous Coward
    Anonymous Coward

    The password is irrelevant if the system is insecure and using crap encryption.

    1. Charles 9

      Even the best encryption in the world is useless if you just wait until it's DEcrypted as a matter of course.

  15. Anonymous Coward
    Anonymous Coward

    2FA? I still can't stop people from using their kids birthdays...

    1. Tom 7

      RE:2FA? I still can't stop people from using their kids birthdays...

      I've got a bank account that offers you one of a series of questions as your 2nd factor and all are easy to find the answers to. I can never remember what bollocks I made up instead.

      1. david 12 Silver badge

        Re: RE:2FA? I still can't stop people from using their kids birthdays...

        "Questions as your 2nd factor"

        As Alex Papadimoulis of the Daily WTF memorably called it in 2007 "Wish-It-Was Two-Factor" Authentication: http://thedailywtf.com/articles/WishItWas-TwoFactor-

  16. inmypjs Silver badge

    Personally I find it really annoying when..

    I have to use Password1 instead of password.

    The password rule makers often mistakenly think I give a rats arse about the security of the usually fake information I am providing to their dumb web site or service.

    1. Charles 9

      Re: Personally I find it really annoying when..

      Most people don't provide fake information. Some even verify it or record your IP which can be enough of a clue to get more information.

  17. Anonymous Coward
    Anonymous Coward

    Users confuse complexity with entropy, no?

    Isn't going for length a better tradeoff than these little rules?

    In the absence of 2FA, asking the user to pick five English words of four or more letters, and then concatenating them together to create a 20+ char password would seem to give much better entropy than just asking for 8 chars and a number?

    On the other hand, I wonder how many people would enter passwordpasswordpasswordpasswordpassword...

    1. Charles 9

      Re: Users confuse complexity with entropy, no?

      Except people will just keep using the same one because trying to remember a bunch of them will have people trying to remember correcthorsebatterystaple and instead recall donkeyenginepaperclipwrong. Our memories get muddled and we mess up.

    2. Adrian 4

      Re: Users confuse complexity with entropy, no?

      How long is it going to take to type that on a squitty little phone ?

      1. Charles 9

        Re: Users confuse complexity with entropy, no?

        With a little practice, I'd say less than ten seconds. Longer if there are caps and punctuation.

      2. DropBear

        Re: Users confuse complexity with entropy, no?

        Correctly? I guarantee you, no less than 64 tries. By which time you're either locked out or given up and the phone is at the bottom of the nearest lake or river, in several pieces. Or possibly both.

  18. NBNnigel

    Legacy of LanMan?

    My long-held theory is that the typical 8 character 'as-complicated-as-you-can-make-it' password policy is a holdover from the days of Lan Manager support in Windows. The problem (there were many) was that LM hashed passwords were split into two 7 byte halves (maximum 14 char password). Meaning a 13 character password could actually be cracked as two separate passwords (of 7 + 6 char length respectively).

    And the input string was null padded out to the 14 char max, meaning an attacker could instantly tell if a password was less than 8 characters (because the second half would be entirely null padding). Hence, 8 character passwords. Considering how old LM is, the standard complexity requirements no longer make sense (and never made sense in any remotely 'greenfield' case).

    Either there are lots of ultra-legacy windows shops still running, or (more likely) there are lots of cargo-cult sys admins out there. Neither prospect sounds appealing from a security standpoint.

    1. really_adf

      Re: Legacy of LanMan?

      I think everything you wrote is correct, except the source of legacy is not LanMan but Unix, where the following algorithm for password "hashing" was in use for a significant time (https://en.wikipedia.org/wiki/Crypt_(C)#Traditional_DES-based_scheme):

      "In detail, the user's password is truncated to eight characters, and those are coerced down to only 7-bits each; this forms the 56-bit DES key. That key is then used to encrypt an all-bits-zero block, and then the ciphertext is encrypted again with the same key, and so on for a total of 25 DES encryptions."

      My employer had this until after some ancient Solaris boxes were finally killed somewhere in the early 2010s...

    2. Allan George Dyer

      Re: Legacy of LanMan?

      But cracking a 1 character password is VERY fast, then you just sort your dictionary of 8 character words by last letter to get the first part. So, an 8 character LanMan password is far weaker than a 7 character one.

  19. Tannin

    Better security questions needed

    Never mind the password problem, how about fixing those security questions. The world needs better securtity questions. For example:

    What is your favourite recreational drug?

    Why were you bullied at school?

    What did your granny die of?

    What was your most embarrassing disease?

    Describe the flavour of your favourite bodily secretion.

    Who did you have your first extra-marital affair with?

    Not counting masturbation, what was your most memorable sexual experience?

    1. Richard 12 Silver badge

      Re: Better security questions needed

      But those are all public knowledge!

    2. Anonymous Coward
      Anonymous Coward

      Re: Better security questions needed

      Oh, sure, as is people are going to remember THAT stuff. Besides, what of single teetotalers whose grans are still alive?

      And while you're at it, why not go whole hog and include:

      Did you enjoy your time in the Hitler Youth?

      When did you stop beating on your wife?

      What is your preferred solution to the overpopulation problem?

      1. arctic_haze

        Re: Better security questions needed

        "Did you enjoy your time in the Hitler Youth?"

        Doesn't this one come from one of the US visa forms?

  20. Trey Pattillo

    War Games is fake...

    A story from mid 1980's.

    I worked a major manufacture and we had a "mini-frame" for the whole place.

    The mini talked to the main-frame over 500 miles away on dedicated lines.

    Blow you user name and/or password 3 times this was a daily limit and BAM....you were deleted from the system.

    I was on nights so we had to wait until 9am the next day for upper management to call the system people at the main frame to put us back.

    You were not the only unhappy person, there was a chain of them.

    Big Blue and good software design and security always overs come youth and vigor.

    I tell people get something like a verse from your favorite song, favorite bible verse, something a comedian said like "why do you have a hot water heater, you need a cold water heater". Get the point. You can remember that and maybe do it for types of usage categories, like bank/finance/money something about the money changers being in the temple from the Sunday book of fables.

    Example using password that is hashed with a key then run through base64 conversion [don't lose you key if you your want to reverse - yes you can]

    pass phrase: why do you have a hot water heater, you need a cold water heater

    becomes: 5a9dxv#Gxw=G5$q@*)+=xvt82vh_xw595v'Jxv9=*)#=4:H86(h`xvd=+("8*$q;3aI<xw595v'Jxv9=*)#=48ll

    length: 88 > 30 low 6 up 20 numb 26 top symbol 6 other symbol

    combinations: 4.32 E+173

    Entropy: 576 Very Strong

    PC/Web: 136.8 E+161 years

    Tianhe-2/Botnet: 162.6 E+71 years

    But the account is locked on the 3rd maybe 10th fail until the next day......hacker loses.

    Remember the hacker unlike War Games does not know anything about the password, including the key and that it was base64 encoded.

    1. Charles 9

      Re: War Games is fake...

      "I tell people get something like a verse from your favorite song, favorite bible verse, something a comedian said like "why do you have a hot water heater, you need a cold water heater". Get the point."

      Now try repeating that about 100 times or so because you need a different one for EACH site, or when ONE site gets hacked, ALL the ones that used the same password are fair game. And you also have to deal with people with poor memories.

      "Remember the hacker unlike War Games does not know anything about the password, including the key and that it was base64 encoded."

      But he may know enough about you to find ways to get at that password, perhaps by hacking your home machine or other stuff.

  21. Anonymous Coward
    Anonymous Coward

    Old solutions the best

    Bridgekeeper: STOP! Who would cross the Bridge of Death must answer me these questions three, ere the other side he see.

  22. Anonymous Coward
    Anonymous Coward

    scott/

    tiger

  23. Anonymous Coward
    Anonymous Coward

    Say no more ...

    https://www.youtube.com/watch?v=_JNGI1dI-e8

  24. cmcdev

    Passwords are not the issue

    Password complexity is not the issue (to a certain point), the systems controlling them are. Rate limiting attempts, max tries per minute, hour day, pattern detection (such as logging the failures IP/MAC to multiple UIDs) and 2FA massively reduce brute force. Don't get my wrong blocking most used passwords is also required.

  25. EveryTime

    I do have to echo a few other posters.

    "First, assume that the hackers have the encrypted password database"

    WHAT?!

    That means they have completely powned the site. They likely have my address, credit card numbers, history and preference in sexual aid size, texture and color.

    And they have probably left keyloggers and transaction loggers to make their future data collection painless.

    And you are worried about my password? Why?

    Instead, why don't you focus on securing the site. Separate out the information display from financial transactions. Isolate the potentially-compromising details from the "who cares" data.

    My power company website is a prime example of stupidity. The only thing I usually want to do is check my usage data. But they require a complex password, and prevent using a password manager. They they load a whole complex active page, referencing external sites and immediately showing me a bunch of static account details. Details that I don't care about, except in the rare case that I want to modify my account, but that could be useful for causing problems with the account. Clearly real security isn't the priority, rather 'security theater' implemented with password pain.

    1. david 12 Silver badge

      >That means they have completely powned the site. They likely have my<

      It means they have an /encrypted copy/ of your "address, credit card numbers, history and preference in sexual aid size, texture and color.". Of course, if they can guess your password, because you've used a line from your favourite song, /then/ they can decrypt your data.

      1. DropBear

        Are you alleging with a straight face those records are likely to be actually encrypted while it's unfortunately still common* to see sites that can mail you your password back...?

        * Yes it is - it last happened to me yesterday on an e-commerce site no less, not much I could do beyond immediately changing it to an old one I no longer use anywhere...

  26. PaulWizard
    FAIL

    Can someone please point this out to tucows/openSRS

    ...who have just introduced a policy of forcing users to change their password on a regular basis, because someone there still thinks this improves security.

    1. Charles 9

      Re: Can someone please point this out to tucows/openSRS

      Um, how else can they deal with unknown hacked accounts, then? Forced password changes either close those doors (the hacked details aren't valid anymore) or draw them into the open (because the hacker is forced to changed the particulars and the real user gets locked out).

  27. Grease Monkey Silver badge

    We keep hearing from security "experts" that passwords can be cracked in no time thanks to fast processors. This is, however, total bullshit for any reasonably secure system because such a system will lock an account at least temporarily should the incorrect password be used more than a certain number of times. So I care not that you have a brute forcing system that can generate five bazillion passwords a second. Even a fairly loose system will lock your account for a few minutes after half a dozen attempts. This being the case your amazing password generating breast will take years to crack even a fairly simple password.

    1. Charles 9

      Unless, of course, they downloaded the password database and are cracking it in their own machines, much like a robber managing to take the whole safe with them.

      1. Grease Monkey Silver badge

        And what reasonable system would allow you to download the password database? In your example the complexity if the password is irrelevant to the security of the system.

        1. hammarbtyp

          Its not the users fault...

          The whole problem of measuring security through password entropy is that you are putting the emphasis on the security on the weakest link and the area you have least control. The only reason that this seems to happen is that it reduces the provider liability.

          As has already been stated, far better than longer and longer passwords is to introduce 2FA and login delays on incorrect logins. But this takes effort on the providers part, so we blame the users for choosing relatively easy to remember passwords.

          The argument that if users choose short passwords means that passwords files are easy to decrypt again misses the point. It is not the users fault if a password file is stolen, nor is it there fault is the password is not stored in a salted method which should be at laest as good protection against dictionary attack as other password methods

        2. Anonymous Coward
          Anonymous Coward

          Yahoo

          oh, wait-- you said reasonable

  28. Bill Gray

    We need a browser extension...

    So you get to a site with a password field required. You type in an arbitrary password, containing commas, spaces, emoji, and swear words in Russian, of arbitrary length.

    Browser extension catches the password, cryptographically hashes it, and creates the password that is actually sent. For this, it does have to know about password rules specific to the site ("can send a maximum of 15 characters from the following set; must contain something from this other set"). Rules for widely known sites are provided with the extension, along with tools for adding the rules for new sites.

    The site (which, if it's like most sites, would promptly lose your password to hackers) only sees and gives hackers the hashed result.

    Drawback: if the extension exists only for browser X, you're screwed on browser Y. There are probably other drawbacks.

    1. Charles 9

      Re: We need a browser extension...

      Like hackers simply attack the extension. Hackers already attack the browsers directly.

      1. Bill Gray

        Re: We need a browser extension...

        @Charles9 : If hackers can attack the browser, they can log keystrokes. The solution I propose is not a panacea; the only things it really addresses are removing site-specific limits on passwords and ensuring that sites never see an unhashed password. As a result, they cannot lose an unhashed password, something they currently do routinely. If the hash is salted -- you'd hope this would be a no-brainer -- then anything you lose can only be used on that one site, so it provides some security against password re-use.

        Another solution to this, less browser-specific, is for sites to provide pages with a bit of Javascript to hash the password before it's sent. (This has actually been implemented; examples are available on Stack Overflow.) It provides almost exactly the same protection, and it doesn't lash you to a single browser, but does require the site in question to implement it.

        This scheme does _not_ protect against other hazards; hackers can, for example, intercept the hashed password and send it to log into that particular site (i.e., you still need HTTPS) and can keylog, shoulder-surf, etc. I don't see any panaceas. You need complex passwords, salted and hashed so they can't be easily deciphered, limits on how many password attempts are allowed in a particular time interval, 2FA, and HTTPS... even though no one or two of these alone are sufficient.

        1. Charles 9

          Re: We need a browser extension...

          If you're forced to allow JavaScript to log onto a site, the malware writers will pwn you with a JavaScript injection attack. Increasing numbers of people want future HTML to be LESS rather than MORE complicated: more passive, with media tasks shunted back to dedicated apps.

          "This scheme does _not_ protect against other hazards; hackers can, for example, intercept the hashed password and send it to log into that particular site (i.e., you still need HTTPS) and can keylog, shoulder-surf, etc. I don't see any panaceas. You need complex passwords, salted and hashed so they can't be easily deciphered, limits on how many password attempts are allowed in a particular time interval, 2FA, and HTTPS... even though no one or two of these alone are sufficient."

          Except if you make things TOO complicated, you force people to create shortcuts that malcontents can exploit. You need a solution that's strong enough to block anything short of an insider or state yet simple enough that even the dullest drone can and will do it nigh-automatically.

  29. Anonymous Coward
    Anonymous Coward

    many comments are good but

    in an environment where not everything is under a nice web front end using common platforms...

    mainframes choke on currency symbols in passwords

    some mid range systems use completely different character sets

    multi language character sets don't translate nicely - never mind the platform

    lazy UI code doesn't help matters either where chars that may be considered delimiters can end your strong password after the first few characters while letting you type in the rest

    strong passwords are not always easy for poor humans to remember either, particularly if you are changing them regularly.

    just delivering single sign on/single identity in a single organisation is a tough ask, never mind a standard that will work across the board.

  30. Anonymous Coward
    Anonymous Coward

    Have I missed something?

    Surely someone somewhere has spent the time to create standards, perhaps for their own purposes and not published. Not just "whats a secure password" but the whole end to end login process taking into account everything in this discussion and more - i.e. that a secure password is useless if the site in question is sloppy with their logon procedures, that people can't memorize dozens of 16 random character passwords, that we don't always have our 2fa token etc.

    On gripe not yet mentioned here I think is what about when you travel to a place with a different keyboard layout so the local currency symbol in your password isn't represented on the keyboard of hotel guests 'net terminal. (And while we're at it, the situation of access from a possibly compromised terminal like that should be catered for). And when I travel to Moscow the keyboard is in Cyrillic... HELP!

  31. Dodgy Dave

    Beware Unicode passwords!

    Before you rush in and change everything to be made up of U+1F4A9 'PILE OF POO', here's a cautionary tale:

    I worked on a 'secure email' client for a large US company and discovered, following some work on the UI, that the code which takes 'what you type' and turns it into 'what gets hashed' when setting a password had managed to pass on only the first byte of the UTF-8 encoding of each character. So, for instance, an 8-character word in Arabic might have been squashed to 0xD8 0xD8 0xD8 0xD8 0xD8 0xD8 0xD8 0xD8, and would match countless other words.

    We were only saved from disaster when it emerged that there was a separate copy of the code used when verifying your password, and this was broken in a different way. The effect was that any password containing a non-ASCII character could never be verified after you'd set it.

    So: Unicode - great. Programmers' general ability to write correct internationalized code - needs improvement.

    1. Bill Gray

      Re: Beware Unicode passwords!

      U+1F4A9 'PILE OF POO'

      (Groan) You _didn't_ make that up. Unicode has well and truly jumped the shark.

      I'd describe that situation as a "stupid programmer mistake" rather than a Unicode mistake. (In fairness, I've made my share of SPMs... if one hasn't, one probably hasn't written much code to begin with.)

  32. Anonymous Coward
    Anonymous Coward

    we could do it the microsoft cloud way. give a great big fuck you and lock you out of your own account, all the time.

  33. FrankeeD

    Idiot rules

    I use a password manager, so length and complexity are no problem. However, once I did get the following message about my new password - "Password strength: Outstanding!" and then below it a password failure message saying: "Password must contain one number or symbol."

    A perfect example of what he's on about.

  34. Anonymous Coward
    Anonymous Coward

    2FA and a PIN...

    much better solution all around, but getting the systems we use to change to use a common 2FA device (eg TOTP with Authy app) is an uphill battle because everyone seems to think their system is better (until it's cracked).

    my bank for instance requires a 2FA app which can only be activated on a single phone (sucks to be me as I have a personal phone I can't even carry on some work locations, and a work phone which is locked down to 'approved' apps, and while they approve Authy they've not yet (after 9 months) approved the bank app because it uses a non-appstore updating process

    Ironically my work 2FA solution is probably the easiest ... a simple 6 digit PIN that I only have to change if I think it's compromised, a 2FA app that I can install on both my phones and an intelligent (Active Directory based) threat level determination that does profiling and if I go off-script requires some additional verification before allowing corp access

  35. adam 40 Silver badge

    Rules and Password Timeouts

    Somewhere I worked implemented a 6-month timeout on passwords AND bullshit rules AND non-reuse.

    So after 6 months of using your nice strong password you were forced to give it up and try and remember another one.

    Of course being a programmer, it took me a few minutes to discover I could change it 5 times and back to the original.

    So every 6 months I have to spend a half hour or so resetting my password back to where it was in the first place. I book the time to "computer outages". Ho hum.

    1. Charles 9

      Re: Rules and Password Timeouts

      ONLY five. Many have enough memory to go back at least ten, by which time you've probably lost track of your original password. And some go even further by not allowing any PARTS of an original password (blocking Password0 -> Password1 as "Password" is in both).

      Like I said, there's at least a valid reason to have a change policy: to close or expose undetected breaches.

      1. adam 40 Silver badge

        Re: Rules and Password Timeouts

        Ha ha - ten passwords where you can't reuse parts of the password?

        Let me see - i recon I could go round the loop and use up 9 passwords in such a way that a tenth password would be impossible.

        Then make the IT guys reset the whole thing - social engineering, job done.

        In the case above an undetected access would go undetected for 6 whole months - so why not age the password once a week? Or once a day? Surely, 6 months is an intolerable amount of time to let your attacker in unfettered?

        One other thing that I haven't seen mentioned above - apologies if I missed it - every login system should tell you when you last logged in as a matter of course. That helps the end user spot intrusions and then they can help the process by changing their password. Most do not do this, notable exceptions being HMRC (wow - they do one thing right!) although they too use the easily hackable SMS method of 2FA.

  36. Anonymous Coward
    Anonymous Coward

    so who trusts a password manager

    compromised by poor code or by the nameless TLA?

  37. Kiwi

    Rate limiting surely must help?

    I see he suggests blocking stuff even in the top 1mill most common passwords.

    Assuming my server's current SSH password fits that, you'll have a fairly poor chance. Even if you "get lucky" and would've hit on it in your first 1,000 tries... Fail2ban kicks you out for at least 5 hours after 3 failed tries on any service (not sure if it combines all services ie fail HTTPS login, fail SMTP, fail IMAP = ban). Denyhosts(more focused on SSH IIRC) kicks you out by blacklisting your IP, and said IP is blacklisted until I remove it if I remove it. When I used to care if I was seeing lots of IP's from a similar range or host (including things like AWS) or Comcast I'd contact the ISP but also block them till I heard back except NZ ISP's (didn't want to risk blocking a significant chunk of potential customers!). I must say Comcast were actually the best at dealing with complaints in my experience, while NZ ISPs were collectively the worst, usually didn't even respond (Actrix were pretty good though).

    I digress. I use tools to rate limit and ban IP's either for several hours or indefinitely for failed login attempts. The vast majority of script kiddies/bots etc are going to go elsewhere. If I were a juicier target then perhaps a more determined attacker would be willing to try again after 5 hours, but it's unlikely what I have running today warrants that level of attention/effort.

    Oh, my bank doesn't do 2fa, but it does have a pretty decent login system and only 3 failures before you have to visit a branch to get your access restored.

    TL;DR Good rate limiting can means you can only make a couple of attempts every few hours, or even have to get your account manually reset.

    1. Anonymous Coward
      Anonymous Coward

      Re: Rate limiting surely must help?

      But the problem becomes when they STEAL an account, get in first try, and use that to troll your system, perhaps smurf your password database, crack it at their leisure, and find ways to get into admin accounts in so doing?

      1. Kiwi

        Re: Rate limiting surely must help?

        But the problem becomes when they STEAL an account, get in first try, and use that to troll your system, perhaps smurf your password database, crack it at their leisure, and find ways to get into admin accounts in so doing?

        Seriously, are you for real? What web sites allow their users to get the password database? What websites let normal users get into admin accounts? If anyone finds such a site, who (other than spammers and low-skill hackers) is going to want to stay there since it'll be spammed beyond belief and have no worthwhile content?

        Come on Ch, er, AC.. Instead of your rather formulaic (and often extremely unrealistic) negative posts ("oh but what happens WHEN they put a GUN to your HEAD and DEMAND you GIVE THEM you 2FA TOKEN that you LOST because PEOPLE can't REMEMBER things?") how's about coming up with some solutions eh? If you can think of a problem (and I mean an actualy realistic one likely to affect real people, not your unrealistic 'any user can "smurf" your password database' crud) then mention it, sure, but also suggest possible solutions. I've seen you post some great stuff and I do look forward to seeing more of that from you, but sometimes this negative formula you apply to so many posts (especially security ones) gets a bit old.

        (Oh, and if the AC I'm replying to isn't the person I'm pretty sure they are, then that person has more to worry about than someone using his unused throwaway accounts to mimic him, he also has to worry about other's using his posting style, which can be a bigger issue than using real accounts!)

        1. Anonymous Coward
          Anonymous Coward

          Re: Rate limiting surely must help?

          "Seriously, are you for real? What web sites allow their users to get the password database? What websites let normal users get into admin accounts? If anyone finds such a site, who (other than spammers and low-skill hackers) is going to want to stay there since it'll be spammed beyond belief and have no worthwhile content?"

          So tell me, Einstein, how are they getting out in the first place given we're now to the point of a megahack about once a month?

          And losing things? I regularly encounter people with memories THAT DAMN bad but they still have jobs. Some have since given up carrying cell phones because they keep losing them (they even keep their credit cards at home). Plenty other keep calling me for their passwords which they can't remember yesterday. ONE password they need everyday, and they can't remember. Try that with ten and they'll be contemplating suicide. And no, I can't abandon them; some are FAMILY. So I'm speaking from FIRSTHAND experience on just how BAD people can be re: security.

          1. Kiwi
            WTF?

            Re: Rate limiting surely must help?

            So tell me, Einstein, how are they getting out in the first place given we're now to the point of a megahack about once a month?

            Really? Well come on then, where can I find proof that even one of my sites got a "megahack about once a month"? Well? All websites are getting a "megahack about once a month"?

            No? So only just a few sites get hacked? And then usually from significantly bad errors in the configuration or unpatched bugs (which usually is administrator error as well). Given the millions of servers out there, maybe those that get hacked are only a tiny %age, and those that leak their password files are only a really tiny %age of the tiny %age that get hacked?

            How about some citations for your claims for a change? No? Course not, no surprises there.

            Some have since given up carrying cell phones because they keep losing them (they even keep their credit cards at home).

            So JUST because YOUR family ARE a bit LACKING in MENTAL CAPACITY, the REST of US should LOWER our STANDARDS? Several BILLION people AROUND the WORLD don't HAVE the PROBLEMS of YOUR family MEMBERS. Why SHOULD the REST of US limit OURSELVES just BECAUSE they're NOT CAPABLE of FUNCTIONING NORMALLY?

            If you cannot figure out a way to give them a single password that they can remember, perhaps it is you who is the problem? Maybe write it down for them and stick it to the side of their screen? If they're not in a place where others can see it, there's no issue and it'd certainly be safer than the daily passing of the password over the phone. Obviously you don't care for their password security or are simply incapable of devising a better system for them, otherwise you wouldn't be needing to read several other people's passwords to them over the phone each day. For that matter, what do you use to remember them? Obviously you're either further compromising their security by using the same password for all of these people or you're using some tool to keep track of them all? Huh? Well, come on Einstein, do tell.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like