Overzealous password checkers

evilneko · Aug 18, 2013

Da Orky Man said:
evilneko said:

be nothing like a real word in any language

Click to expand...

Hah, nice try. While it sounds all well and good to try and thwart dictionary attacks, this is just completely unreasonable. Even random generators will sometimes hit an actual word in some language, somewhere.

Click to expand...

About that. I tried using an old router password, 'f1e8ff31'. I can still remember it clearly, and it seems to fulfil all the requirements. Turns out it contains a letter from the Welsh dictionary. Now then, since I happened to have be born and brought up in Wales, and that Aberystwyth is in Wales, I happen to know a fair bit about Welsh, and there are no Welsh words in there.

Not even in l33t?

Also, that gives me an idea: passwords in hex-style l33t.

0x34C8aB35

Uniques: 0 x 4 C 8 Check!
Length: 10 characters. Check!
Letter/Number mix: Check!
Not a dictionary word: Well, okay, sort of. Maybe add some padding in the middle to fool the l33t dictionary.

Hehe. Padding.

unindexedsearchengine · Aug 18, 2013

Da Orky Man said:
PS: Just in case anyone else is going there, the university is Aberystwyth. Just thought I'd mention it.

My older brother graduated from there, quite some time ago. He really liked it there, so good luck!
Also, he met the love of his life there. They have been married 5 years now!

OT:I... I got nothing...

Queen Michael · Aug 18, 2013

I've never had this problem myself, but those of you that have can rest assured that you've got my deepest sympathies.

DoPo · Aug 18, 2013

evilneko said:
Not even in l33t?

Nope, they have the dictionary check also do common letter/number substitution. Also, it happens to catch some words you decided to break with a symbol (some, not all, say, it might catch "passwo1rd" as being "password").

Oh, which reminds me - you know what other password protection is going on? You might not guess but you shouldn't use your university password anywhere else. And that's enforced - if you do try to use your password to login into any outside service or website (from inside the Uni network, that is), your password is automatically expired and you need to go and change it. Fun.

In Search of Username said:
I never understood this. Surely these kind of rules just narrow down the possible passwords that there could be for hackers, and make it difficult for users to remember their passwords because they're never what they want them to be.

Yep, that's the funny thing - it just means that anybody trying to guess a password now has a really reduced search space to go through. Though, with that said, the search space would be skewed to unorthodox passwords but it's still not really more secure than having a lighter security (making sure it's not your pet name or something) and making sure to stop bruteforce attacks.

In Search of Username said:
Also even if it did help security, who's gonna hack your university account and do your homework for you? ugh

OK, here we'll disagree - an university account is a really high profile thing to get a hold of. It does give access to a lot of resources and information that should be constrained to one person, also it gives access to that person's details. Not to mention emails - that alone is worth the protection.

Scars Unseen · Aug 19, 2013

Yeah, I always found it hilarious that the US Air Force requires passwords to obey such strict rules that you nearly inevitably run into one of two situations:

1) the password is extremely easy to guess, consisting of a simple pattern of symbols, letters and numbers moving laterally or vertically across the keyboard from the "1" and "A" keys

2) the password is so impossible to remember that the Airman has the password recorded on his phone, a piece of paper in his wallet and/or an unencrypted text or spreadsheet file on his home computer

GG on that infosec thing guys.

Childe · Aug 19, 2013

Da Orky Man said:
I'm sure we've all encountered them. You turn up at a new job, or go to university, or even just sign up to a random forum, and when you get to the password part of the 'create account form' they have a list longer than War and Peace of requirements that your password must oblige by.

Currently, I'm trying to create my email account at the university I shall be attending in a month or so. The password requirements must:

- be between 8 and 14 characters long
- contain at least 5 unique characters
- contain at least one letter
- contain at least one number
- be nothing like a real word in any language

Note that it will also turn down any password that contains and word in any real language, so if you chose 'itbtwtw2' as a password, it turns it down as it contains the word 'it' at the beginning.

SO then, what insanely overzealous password systems have you dealt with?

PS: Just in case anyone else is going there, the university is Aberystwyth. Just thought I'd mention it.

EDIT: Fucking hell, now it's turning down passwords because they are 'Based on an already used password'. This is not easy.

What irritates me more then ridiculous requirements is when they have you change your password every 6 months or so and then don't let you use any of your old passwords so you have to keep thinking up new ones that youll remember T_T

Something Amyss · Aug 19, 2013

Da Orky Man said:
PS: Just in case anyone else is going there, the university is Aberystwyth. Just thought I'd mention it.

I'm reading a book with a character who came from there. Just an odd little bit of happenstance to see the same Welsh name come up twice in close proximity, especially since the book and I are both American.

Bara_no_Hime · Aug 19, 2013

I had this issue just the other day.

Fun story: I keep a webmail account specifically as a Spam Account. That is, I only give it out to companies who I think will sell my info. Thus, if I don't want to give out my e-mail, but have to, I give them my fake account. Except it is a real account that I created and can sign in to.

One problem: I forgot the password to this account, and eventually it was declared abandoned. This didn't matter until recently when I needed it again. So I had to make a new one.

I went to Yahoo, my go to for cheap webmail accounts, and tried to remake my account with the same name.

DENIED. Even though I tried to log in before and it said the account was deleted so I should make a new one.

So I added a 1 to it and tried again.

It worked - but now I needed a new password. And every damn thing I put in pissed it off. I tried adding numbers, it wanted capital letters. I added thoses and it didn't like something else. Finally I ended up with FUCKOFF1234 as my password.

... and then Yahoo crashed during the account creation. So I went back in and it said that the name was taken.

So I went and made one at G-mail instead. G-mail took my password on the first try.

Something Amyss · Aug 19, 2013

Kalezian said:
While it isn't a password per say, the Xbox Live Security Proof's are beyond annoying as hell.

Essentially, about once a week, you are asked to put in a password that Microsoft will send you through the email.

Now, this is all fine and everything, except for the few of us that used an Email back in 2007 or so and forgot the password in the six years of never using it.

Of course, you can just hit back if you dont want to put in the proof, but skip it too many times and you lose your account.

Including everything you have ever bought and downloaded.

One of my friends went through that and it annoys him still that he lost his account because of overzealous account protection.

Oh, but you can change what email address that password gets sent to, but you have to wait 30 days for it to activate.

really annoying when all you want to do is jump online and play a few maps of Battlefield 3, and then have to do a loop between your 360 and pc.

My current password for MSN and the like is completely and utterly insane because they won't let me use past passwords and have required me to do a password resent just about 9 million times.

ScorpSt · Aug 19, 2013

I worked for a university for a while that used the password system laid out in the xkcd comic. They called it a "Passphrase". You needed at least 4 words separated by spaces (and words like 'a' were still considered words). It was great because it was more secure than a normal password, but easier to remember.

Plasticaprinae · Aug 19, 2013

I freaking know that feel. My college does the exact same thing and now I have to call in shame to the tech guys to let me into my locked email. I know they're trying to protect me, and its very welcomed, but why don't you just run the password through a "weak to strong" checking system.

Sir Pootis · Aug 19, 2013

EB Games' reward points system has one of these for no reason. It requires a capital letter and at least 1 number or symbol, but it's pointless considering that there's not much you can do, even if you hack it. I mean seriously, what are you going to do? Buy something and get me more reward points?

Username Redacted · Aug 19, 2013

evilneko said:
Sadly, that xkcd comic... is wrong.

Wrong as in just flat out wrong/misinformed? Or wrong as in their numbers are slightly off?

Also regarding computer security I was especially proud that my health insurers website, which uses (apparently) a public domain database to ask you questions related to your life in order to verify your identity, could only produce two questions (it was shooting for five) about me before giving up and saying that they'd mail me the information to reset my account.

TechNoFear · Aug 19, 2013

Try working in a covert police department, then you can complain about security / passwords!
I have to use patterns on the keyboard to remember my passwords.

Then again I have worked at a company where every password was '4444'....

ThingWhatSqueaks said:
evilneko said:

Sadly, that xkcd comic... is wrong.

Click to expand...

Wrong as in just flat out wrong/misinformed? Or wrong as in their numbers are slightly off?

Wrong/misinformed.

It assumes a particular attack method; brute force using all possible characters (valid ASCII values).

In practice most attacks use a number of methods, first trying to find 'simple' passwords, before resorting to brute force.

These methods (for simple passwords) include 'dictionary' attacks, which is to try a list of words and common passwords (12345 is the most common).

This means that the password in the second example would be found with methods used much earlier in the attack (than the method required to find the password in the first example).

Greg White · Aug 19, 2013

Da Orky Man said:
- be between 8 and 14 characters long
- contain at least 5 unique characters
- contain at least one letter
- contain at least one number

Never run into one that says it can't be a real word, but there are obvious reasons why they tell you to make them complex. brute force hacking is very easy if you don't make things complicated.

Also, try this one: 1qaz2wsx!QAZ@WSX

Uncle Nick · Aug 19, 2013

TechNoFear said:
Wrong/misinformed.

It assumes a particular attack method; brute force using all possible characters (valid ASCII values).

In practice most attacks use a number of methods, first trying to find 'simple' passwords, before resorting to brute force.

These methods (for simple passwords) include 'dictionary' attacks, which is to try a list of words and common passwords (12345 is the most common).

This means that the password in the second example would be found with methods used much earlier in the attack (than the method required to find the password in the first example).

Dictionary attacks use word lists, correct. They do not, however, use multiple words and here's why:

As the OED is cited as containing 171,476 words, a dictionary attack using this list would take a maximum of 171,476 guesses. A two word phrase, using words taken from this list would take a maximum of 171,476^2 guesses. Hmm, that's a lot more.

The CHBS password (indeed, any four word passphrase) would take a maximum of 171,476^4 guesses. 8.645963084×10²⁰, my calculator tells me. Which at the same 1,000 guesses per second rate would take 27,416,169,089 years to exhaust the search space. So the brute force attack would actually by faster than the dictionary attack.

ThreeName · Aug 19, 2013

Da Orky Man said:
Currently, I'm trying to create my email account at the university I shall be attending in a month or so. The password requirements must:

- be between 8 and 14 characters long
- contain at least 5 unique characters
- contain at least one letter
- contain at least one number
- be nothing like a real word in any language

Mine has all of these, PLUS

- Must contain a capital
- Cannot be a word spelled backwards

In high school, we had to change our password every month. Fucking frustrating.

dvd_72 · Aug 19, 2013

Aberyswith? My brother goes there! I never had that problem myself, my uni gives you your password for your account on their system. I've always been given the passwords I needed for my systems, so I have three memorized from middle school, high school and uni that I combine to make stupidly long gibberish passwords. I have yet to use all three toghether in one super password though. Hmm...

iseko · Aug 19, 2013

yea i had one of those at my uni. not as hard as yours but still annoying. I made it: G0Fyrs3lf.

Overzealous password checkers

evilneko

Fall in line!

unindexedsearchengine

New member

Queen Michael

has read 4,010 manga books

DoPo

"You're not cleared for that."

Scars Unseen

^ ^ v v < > < > B A

Childe

New member

Something Amyss

Aswyng and Amyss

Bara_no_Hime

New member

Something Amyss

Aswyng and Amyss

ScorpSt

New member

Plasticaprinae

New member

Sir Pootis

New member

Username Redacted

New member

TechNoFear

New member

Greg White

New member

Uncle Nick

New member

ThreeName

New member

dvd_72

New member

iseko

New member