I've never had this problem myself, but those of you that have can rest assured that you've got my deepest sympathies.
Overzealous password checkers
- Thread starter Da Orky Man
- Start date
Recommended Videos
Nope, they have the dictionary check also do common letter/number substitution. Also, it happens to catch some words you decided to break with a symbol (some, not all, say, it might catch "passwo1rd" as being "password").evilneko said:
Oh, which reminds me - you know what other password protection is going on? You might not guess but you shouldn't use your university password anywhere else. And that's enforced - if you do try to use your password to login into any outside service or website (from inside the Uni network, that is), your password is automatically expired and you need to go and change it. Fun.
Yep, that's the funny thing - it just means that anybody trying to guess a password now has a really reduced search space to go through. Though, with that said, the search space would be skewed to unorthodox passwords but it's still not really more secure than having a lighter security (making sure it's not your pet name or something) and making sure to stop bruteforce attacks.In Search of Username said:
OK, here we'll disagree - an university account is a really high profile thing to get a hold of. It does give access to a lot of resources and information that should be constrained to one person, also it gives access to that person's details. Not to mention emails - that alone is worth the protection.In Search of Username said:
Yeah, I always found it hilarious that the US Air Force requires passwords to obey such strict rules that you nearly inevitably run into one of two situations:
1) the password is extremely easy to guess, consisting of a simple pattern of symbols, letters and numbers moving laterally or vertically across the keyboard from the "1" and "A" keys
2) the password is so impossible to remember that the Airman has the password recorded on his phone, a piece of paper in his wallet and/or an unencrypted text or spreadsheet file on his home computer
GG on that infosec thing guys.
1) the password is extremely easy to guess, consisting of a simple pattern of symbols, letters and numbers moving laterally or vertically across the keyboard from the "1" and "A" keys
2) the password is so impossible to remember that the Airman has the password recorded on his phone, a piece of paper in his wallet and/or an unencrypted text or spreadsheet file on his home computer
GG on that infosec thing guys.
I'm reading a book with a character who came from there. Just an odd little bit of happenstance to see the same Welsh name come up twice in close proximity, especially since the book and I are both American.Da Orky Man said:
I had this issue just the other day.
Fun story: I keep a webmail account specifically as a Spam Account. That is, I only give it out to companies who I think will sell my info. Thus, if I don't want to give out my e-mail, but have to, I give them my fake account. Except it is a real account that I created and can sign in to.
One problem: I forgot the password to this account, and eventually it was declared abandoned. This didn't matter until recently when I needed it again. So I had to make a new one.
I went to Yahoo, my go to for cheap webmail accounts, and tried to remake my account with the same name.
DENIED. Even though I tried to log in before and it said the account was deleted so I should make a new one.
So I added a 1 to it and tried again.
It worked - but now I needed a new password. And every damn thing I put in pissed it off. I tried adding numbers, it wanted capital letters. I added thoses and it didn't like something else. Finally I ended up with FUCKOFF1234 as my password.
... and then Yahoo crashed during the account creation. So I went back in and it said that the name was taken.
So I went and made one at G-mail instead. G-mail took my password on the first try.
Fun story: I keep a webmail account specifically as a Spam Account. That is, I only give it out to companies who I think will sell my info. Thus, if I don't want to give out my e-mail, but have to, I give them my fake account. Except it is a real account that I created and can sign in to.
One problem: I forgot the password to this account, and eventually it was declared abandoned. This didn't matter until recently when I needed it again. So I had to make a new one.
I went to Yahoo, my go to for cheap webmail accounts, and tried to remake my account with the same name.
DENIED. Even though I tried to log in before and it said the account was deleted so I should make a new one.
So I added a 1 to it and tried again.
It worked - but now I needed a new password. And every damn thing I put in pissed it off. I tried adding numbers, it wanted capital letters. I added thoses and it didn't like something else. Finally I ended up with FUCKOFF1234 as my password.
... and then Yahoo crashed during the account creation. So I went back in and it said that the name was taken.
So I went and made one at G-mail instead. G-mail took my password on the first try.
My current password for MSN and the like is completely and utterly insane because they won't let me use past passwords and have required me to do a password resent just about 9 million times.Kalezian said:
I worked for a university for a while that used the password system laid out in the xkcd comic. They called it a "Passphrase". You needed at least 4 words separated by spaces (and words like 'a' were still considered words). It was great because it was more secure than a normal password, but easier to remember.
I freaking know that feel. My college does the exact same thing and now I have to call in shame to the tech guys to let me into my locked email. I know they're trying to protect me, and its very welcomed, but why don't you just run the password through a "weak to strong" checking system.
EB Games' reward points system has one of these for no reason. It requires a capital letter and at least 1 number or symbol, but it's pointless considering that there's not much you can do, even if you hack it. I mean seriously, what are you going to do? Buy something and get me more reward points?
Wrong as in just flat out wrong/misinformed? Or wrong as in their numbers are slightly off?evilneko said:Sadly, that xkcd comic... is wrong.
Also regarding computer security I was especially proud that my health insurers website, which uses (apparently) a public domain database to ask you questions related to your life in order to verify your identity, could only produce two questions (it was shooting for five) about me before giving up and saying that they'd mail me the information to reset my account.
Try working in a covert police department, then you can complain about security / passwords!
I have to use patterns on the keyboard to remember my passwords.
Then again I have worked at a company where every password was '4444'....
It assumes a particular attack method; brute force using all possible characters (valid ASCII values).
In practice most attacks use a number of methods, first trying to find 'simple' passwords, before resorting to brute force.
These methods (for simple passwords) include 'dictionary' attacks, which is to try a list of words and common passwords (12345 is the most common).
This means that the password in the second example would be found with methods used much earlier in the attack (than the method required to find the password in the first example).
I have to use patterns on the keyboard to remember my passwords.
Then again I have worked at a company where every password was '4444'....
Wrong/misinformed.ThingWhatSqueaks said:Wrong as in just flat out wrong/misinformed? Or wrong as in their numbers are slightly off?evilneko said:Sadly, that xkcd comic... is wrong.
It assumes a particular attack method; brute force using all possible characters (valid ASCII values).
In practice most attacks use a number of methods, first trying to find 'simple' passwords, before resorting to brute force.
These methods (for simple passwords) include 'dictionary' attacks, which is to try a list of words and common passwords (12345 is the most common).
This means that the password in the second example would be found with methods used much earlier in the attack (than the method required to find the password in the first example).
Never run into one that says it can't be a real word, but there are obvious reasons why they tell you to make them complex. brute force hacking is very easy if you don't make things complicated.Da Orky Man said:
Also, try this one: 1qaz2wsx!QAZ@WSX
Dictionary attacks use word lists, correct. They do not, however, use multiple words and here's why:TechNoFear said:
As the OED is cited as containing 171,476 words, a dictionary attack using this list would take a maximum of 171,476 guesses. A two word phrase, using words taken from this list would take a maximum of 171,476^2 guesses. Hmm, that's a lot more.
The CHBS password (indeed, any four word passphrase) would take a maximum of 171,476^4 guesses. 8.645963084×10²⁰, my calculator tells me. Which at the same 1,000 guesses per second rate would take 27,416,169,089 years to exhaust the search space. So the brute force attack would actually by faster than the dictionary attack.
Aberyswith? My brother goes there! I never had that problem myself, my uni gives you your password for your account on their system. I've always been given the passwords I needed for my systems, so I have three memorized from middle school, high school and uni that I combine to make stupidly long gibberish passwords. I have yet to use all three toghether in one super password though. Hmm...
Okay, this always scares me when I see it. Why would they limit a password to X characters? If they're properly hashing and securing the password before storing it then limiting length doesn't serve any purpose, right? The only reason I can see why they would put a size limit on passwords is if they're storing them in plain text, and have a size limit on the 'password' column in their database. Unless there's some other reason why some sites limit their password lengths to ridiculously short ones like 12 or 16 characters?Da Orky Man said:
You're assuming an extremely low guess rate and a very basic style of attack. In reality the guess rate would be at least 6-7 orders of magnitude higher, the wordlist would be optimized and the attack more intelligent.Uncle Nick said:
Length limits have multiple causes, from poor application design to stupid decisions on the part of management. It's also pretty common for passwords to be stored as plain, unsalted MD5 hashes, which might as well be plain text with today's cracking capabilities. Your password's essentially only as good as the method used to store it.ArcaneSaint said:
