Trying to set up a login on some client's stupid system. It's insisting that my password is...
1. At least 8 characters
2. At least 2 lowercase characters
3. At least 1 lowercase and 2 uppercase characters
4. Can't use an old password
5. Max allowed consecutive characters are 2
6. At least 1 digit (0-9)
7. At least two out of: !, @, #, $, %, ^, &, *, ?, _, ~, (, )
For a start, surely the first part of rule 3 is redundant given rule 2?
Anyway, more bloody rules than my internet banking! I'm just going to end up setting it to something that I'll never be able to remember 😕
@ABcdefg123#
I'm just going to end up setting it to something that I'll never be able to remember
That's what postit notes are for. All my client's passwords are stuck on my monitor....
#P@ssW0rd?
Use a password manager.
That's just it, you end up having to write it down or pop it in whatever app you use for notes or passwords, which immediately makes it a lot less secure than having maybe less ridiculous rules and something you might be able to remember.
Oh and there seems to be another rule that isn't even listed that doesn't allow more than one set of 2 consecutive characters.
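The rule set from the opening post, plus the unlisted "only one pair of consecutive characters" rule mentioned just above, transcribed into a checker as an added example (not the client system's code). It assumes "consecutive characters" means a run of the same character repeated, and it shows the redundancy in rule 3 that the opening post points out; the candidates fed to it are ones quoted in the thread.

```python
# Added illustrative checker for the password rules discussed in the thread;
# not the client system's actual implementation. Assumption: "consecutive
# characters" means identical adjacent characters ("ss" is a run of 2).
SPECIALS = set("!@#$%^&*?_~()")  # rule 7's character set, as listed


def runs(pw: str) -> list[int]:
    """Lengths of every maximal run of identical adjacent characters in pw."""
    lengths = []
    i = 0
    while i < len(pw):
        j = i
        while j < len(pw) and pw[j] == pw[i]:
            j += 1
        lengths.append(j - i)
        i = j
    return lengths


def check_policy(pw: str, history: tuple[str, ...] = ()) -> list[str]:
    """Return the rules pw violates; an empty list means it would be accepted."""
    lower = sum(c.islower() for c in pw)
    upper = sum(c.isupper() for c in pw)
    digits = sum(c.isdigit() for c in pw)
    specials = sum(c in SPECIALS for c in pw)
    run_lengths = runs(pw)
    failures = []
    if len(pw) < 8:
        failures.append("rule 1: fewer than 8 characters")
    if lower < 2:
        failures.append("rule 2: fewer than 2 lowercase characters")
    # Rule 3's lowercase clause can never fail once rule 2 has passed, which is
    # the redundancy the opening post points out; only its uppercase clause bites.
    if lower < 1 or upper < 2:
        failures.append("rule 3: fewer than 1 lowercase or 2 uppercase characters")
    if pw in history:
        failures.append("rule 4: password was used before")
    if max(run_lengths, default=0) > 2:
        failures.append("rule 5: more than 2 consecutive identical characters")
    if digits < 1:
        failures.append("rule 6: no digit")
    if specials < 2:
        failures.append("rule 7: fewer than 2 of " + "".join(sorted(SPECIALS)))
    if run_lengths.count(2) > 1:
        failures.append("unlisted: more than one pair of consecutive identical characters")
    return failures


if __name__ == "__main__":
    # Candidates quoted in the thread, plus one constructed to trip the unlisted rule.
    for candidate in ["@ABcdefg123#", "#P@ssW0rd?", "Mini1275!", "@ABccddef123#"]:
        print(candidate, "->", check_policy(candidate) or "accepted")
```

Running it reproduces the verdict given later in the thread that "Mini1275!" fails on both the two-uppercase and two-symbol counts.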
Last Pass (or similar) FTW.
Just use a car you've owned.
Eg Mini1275!
I used to work somewhere with similar password rules.
On three separate systems.
Plus they changed once a month.
Unsurprisingly lots of people had their passwords written down.
Mad isn't it?
It's a lazy / cheap way to enforce cyber security, real world a 6 character password is pretty secure, add a number of upper case letter into the mix to stop someone getting in by guessing it.
So you move onto brute force attacks and the like - you could use a system that locks out users for ever increasing amounts of time if you get the password wrong 3 times - we have systems like that, they reckon to break into our disc encryption system would take 600 years at least, or use 2FA but that's all too much of a faff and costs money so we'll make the password hugely complex instead - which is invariably insecure - because when faced with a set of password rules above users think about it for a second, realise it's another one of a few dozen they need to remember and write it down somewhere, usually in a little book in their drawer or even better, on a post-it on their desk... insecure, but as long as you say in the HR book they're not allowed to do it, you comply with ICO rules.
Mini1275!
FAIL!!! You need two symbol characters, two upper case, and at the rate the passwords expire I'd quickly run out of cars! 😉
a system that locks out users for ever increasing amounts of time if you get the password wrong 3 times
They have something similar, which again is comedy, because most users have things like email on their smartphones that poll using the password. So the password expires and within a few minutes the account is locked so you can't even log in to change your password. Still it keeps the helpdesk busy!
Use a phrase such as 'My fist pet was a dog called spot who died when he was 14'. Create a password 'Mfpwadcswdwhw14!#'. Then stick a postit note on your screen with 'first pet' written on it. Simples 😉
I had to set up a minimum of 10 chars with similar rules to the OP. Luckily the randomly generated password I had originally for STW is easy to remember and lends itself to extending with a few "!!"s. Sorted. Gawd knows what I'll do when it expires. Usually I base them on a recent cycling purchase.
Like -
P3arlIzum! (that's not a real one)
It's stupid rules like that that make insecure passwords. Just need a phrase, best one which is not grammatically correct or makes no sense so it's not used elsewhere.
LastPass has just been shown to be insecure...again
I sense the frustration ... I have to change my work password every month and have a similar set of rules. My simple tip is to have a bit of a system. For example:
Always start the password with a special character that you can remember (eg #)
Second character a capital letter
Substitute letters with easily remembered characters (eg $ for S, £ for L, @ for A etc)
Replace an easily remembered date with the special characters on the keyboard eg, 1966 becomes !(^^
It is also extremely important not to reuse passwords - there's a lot of leaked password databases out there to trawl....
Funny thing is I only need to access this system to download some files from a client's client, I'll probably never use it again, or at least not for months. But then I'll still need to remember my password so I can log in to have to change it to something else I'll not remember 😉
*logs out*
*logs in to dan's account*
😉
Do this for a living and password enforcement around NHS PCI DSS drives people nuts and password sharing is commonplace. Trouble is the password is still the most common line of first defence - the reality is 7 digit alphanumeric upper and lower case with a maximum of 3 to 5 attempts before lock out provides robust protection - provided of course when the individual calls the help desk for a password reset and they just pass them out? How many people's organisations have challenge response for password resets?
How many people's organisations have challenge response for password resets?
I'd be curious to know how many helpdesk calls concern password resets and locked accounts. I'd assume at least half. That's pretty much all I use the helpdesk for.
@mrblobby, a service desk I used to work on back in the day introduced a self-service password reset procedure, you could request one yourself or get your manager to do it if you'd locked out your network password.
Following its introduction c20% of the demand into the service desk went away, followed by another large chunk when we automated the request process for shared network storage. Obviously other service desks' MMV but it sure made Monday mornings a bit less hectic.
[quote=gofasterstripes]It's stupid rules like that that make insecure passwords. Just need a phrase, best one which is not grammatically correct or makes no sense so it's not used elsewhere.
LastPass has just been shown to be insecure...again
https://it.slashdot.org/story/16/07/27/1342205/lastpass-accounts-can-be-completely-compromised-when-users-visit-sites[/quote]
I'm actually quite impressed with LastPass having read the [url=https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/]full story[/url]. Fixed and patch rolled out in under a day.
01(then 02 etc)MrBlobby(postcode of the place you're in, typed with shift key down)
My fist pet was a dog called spot who died when he was 1
died after intestinal rupture? 🙁
Yes a quick turnaround but it's not the first time so it gives me pause.
I'm actually quite impressed
I'm not! That's pretty sloppy coding. If that's indicative of the quality of the rest of their implementation then I'd be quite worried.
wat
OKOK- Bad grammerizms abound.
*goes outside*
"GAAAH SO BRITE"
I'm not! That's pretty sloppy coding.
And that's just the known issues, how many zero day exploits are still being used?
It's an oldie.. but goodie:
Please set a password to register.
cabbage
Sorry, the password must be more than 8 characters.
boiled cabbage
Sorry, the password must contain 1 numerical character.
1 boiled cabbage
Sorry, the password cannot have blank spaces.
50soddingboiledcabbages
Sorry, the password must contain at least one upper case character.
50SODDINGboiledcabbages
Sorry, the password cannot use more than one upper case character consecutively.
50SoddingBoiledCabbagesShovedUpYours, IfYouDon’tGiveMeAccessImmediately
Sorry, the password cannot contain punctuation.
NowIAmGettingReallyPissedOff50SoddingBoiledCabbagesShovedUpYoursIfYouDontGiveMeAccessImmediately
Sorry, that password is already in use!
dabaldie... 🙂
It's a lazy / cheap way to enforce cyber security, real world a 6 character password is pretty secure, add a number of upper case letter into the mix to stop someone getting in by guessing it. So you move onto brute force attacks and the like - you could use a system that locks out users for ever increasing amounts of time if you get the password wrong 3 times
It's not, really. You can set whatever clever tricks you like, but if the password database is compromised then a hacker can potentially attack that in isolation without worrying about timeouts. And (most) six-character passwords will fall in minutes.
This is one of the fatal flaws with NTLM authentication; it stores long passwords by splitting them into chunks (6 or 7 characters, I forget exactly) so you can't have long passwords by design, just a series of short ones concatenated together. If you can get access to the SAM database, you can crack all the passwords in a few minutes (many in seconds).
For all the various complexity requirements, the best thing you can do with passwords (aside from 2FA and not reusing them on multiple systems) is increase the length.
Had one with so many rules, that in the end it worked out that the only password format was *exactly* 8 characters, with 6 of them letters, 1 digit and one symbol (from a small set).
Think it was a bank. But not the bank where the password is a 5 digit PIN.
And with so many rules like that, there was no way I could make it a variation of something I'd use as a base password, so it had to be written down.
Check the Computerphile YouTube channel - 2 of the most recent videos posted are on this topic, with some live demos of cracking actual passwords on a PC with 4 GPUs. Covers all the usual "rules" that people use for stuff like swapping letters for numbers.
There's a depressing irony in that some of the worst password policies are banks and credit card providers. "Select from this restrictive list of characters" - no, learn to sanitise your bloody data input properly.
Keychain takes care of mine.
That cartoon always makes me laugh as the last part isn't the password.
The only reason I can think of to restrict the character list is to be really sure that there's no odd international features going on, and to be sure that wherever you are in the world and from any keyboard or phone you can be 100% positive that what you type is what your password character is.
But I've only ever seen that go wrong once with something like ~n in a password that on a UK k/b you type ~n but on a German one you'd type ~~ then delete a ~ then n, else you get ñ.
That cartoon always makes me laugh as the last part isn't the password.
It is?
His password is "correct horse battery staple".
The last panel just shows his visual mnemonic for remembering it: him saying [i]correct[/i] to a [i]horse[/i] identifying a [i]battery staple[/i]
[i]That cartoon always makes me laugh as the last part isn't the password[/i]
I've seen funnier to be honest.
Turn your mouse or keyboard over.
Use a suitable serial or part number.
Totally random string of numbers and letters, likely with a few special characters in it. Written down so you know where to find it tomorrow.
e.g. HSTNN-pn12 (is not one that I use)
HP desktop mouse.
Turn your mouse or keyboard over.
Use a suitable serial or part number.
Ok if you are always working at the same computer I suppose.
Jeez, thanks for blowing that one ja ghent
*changes passwords back to pa55w0rd*
and don't have to keep changing it every 2 months
(another thing that cheeses me off)
@blobby - You can also use the serial on your mobile phone.....
It's probably not a good idea though, in all honesty.
Working on a website, the rules are:
Minimum: 8
At least:
1 uppercase
1 lowercase
1 number
1 special character
Cannot contain 3 or more repeating characters
Cannot contain dictionary words
I foresee many written down passwords!
Common sense thinking seems to be to ramp up the minimum length to 15 or so.
1st char, 1st 2 chars, etc from words or phrase, e.g.
=WO1BeeH00k?
Whale
Oil
Beef
Hooked
[Irish accent helps]
Our local admin and ILO admin passwords are minimum 24 chars with various complexity required (so we use randomly generated ones), it gives me a headache trying to log in to systems (every server has to have a unique password too)
Cannot contain dictionary words
Had that rule for one of my passwords, but it quite happily accepted "a", "i", "if", "act",...
daft rule really, even if it has good intentions
Our local admin and ILO admin passwords are minimum 24 chars
My wifi password is > 24 characters, but I can remember it.
Use a line from a song or nursery rhyme.
e.g. "ThereWasAn0ldWomanWhoLivedInAShoe"
A very long time ago we were allowed to speak to a human for password resets. They often used to reset it to 'pleasechange1' or 'over2you'. To give you an idea of how long, we have to update the password every three months and he is currently on something like 19!
Another system needs a certain combination of characters/numbers and a monthly reset, surprisingly, most people have a 3 letter password and the current month.
We have about 11 passwords and pins just for a basic employee, got one guy with his passwords photocopied out in triplicate with manager and colleagues holding a copy, every few months it all hits the fan and he locks all his accounts!
I must grab one of those password lists some time.
I'd certainly like to see how often MaryHadALittleLamb appears on there with and without the usual letter/number substitutions.
And batterystaple, ... and rude words.
and rude words.
I once did a "password audit" at the company I worked for at the time, I think mostly just to see how hard it would be to crack our network passwords. Some were eye-opening; one lass in the office memorably had a password of "bondage69" for instance.
You're not going to forget "bondage69" though are you? Humorous passphrases are very memorable, hence that and the horse/staple one 🙂
*makes note to change all my passwords to something really crude*
maybe it was a reference to James, 007, just before his 70th birthday 😉
or brooke bond tea being their favourite drink, and their father's age 😉
people and their filthy minds 😉
I once did a "password audit" at the company I worked for at the time, I think mostly just to see how hard it would be to crack our network passwords. Some were eye-opening; one lass in the office memorably had a password of "bondage69" for instance.
It's pretty appalling that the company was storing passwords in a readable format. AFAIK even Adobe hashed them!
MD5 probably. Also not fit for purpose now (at least for security). I'd guess probably a straightforward brute force dictionary attack on the file?
It's pretty appalling that the company was storing passwords in a readable format.
Just because you can decrypt the actual passwords doesn't mean they were stored in plain text to start with.
https://en.wikipedia.org/wiki/Rainbow_table
Bollock$2th!s
Not sure if I've changed it, but I got so pissed off when trying to set up a Microsoft online account when my kid had an XBox, that the password became:
[i]pieceofshit! [/i] (with various number and capital replacements). It was so easy to remember!
It's pretty appalling that the company was storing passwords in a readable format.
It wasn't "readable," it was crackable. It was on an NT4 domain, security / encryption has improved somewhat since the late 90s.
Try working in the modern healthcare environment...
At last count I needed something like 17 different passcodes and passwords plus 12 different actual physical keys to do my job. The IT department constantly remind us that writing them down is a potential security risk...
We all, without exception, write them all down.
Try working in the modern healthcare environment...At last count I needed something like 17 different passcodes and passwords plus 12 different actual physical keys to do my job.
I was involved briefly and in a minor way with an SSO (single sign on) project in a large hospital a few years ago. The project was supposed to do away with a lot of that.
It was going very, very badly indeed when I left, a poster child for how not to do things. Sell something fundamentally not fit for purpose that the installation techs had never seen before to an organisation institutionally resistant to change and stand back.
mrblobby: I'm not! That's pretty sloppy coding. If that's indicative of the quality of the rest of their implementation then I'd be quite worried.
Well Microsoft, Google, Apple, and Samsung can't release bug free software, hell, even OpenBSD can't claim zero exploits any more. So what makes you think a small startup will be able to?
And how long would it take those companies to get a fix out?
That's what postit notes are for. All my client's passwords are stuck on my monitor....
My gf had to do research for a TV programme about online dating. That meant trying to find people who used online dating sites and asking them if they'd want to take part.
Problem with this was if you set up a profile you only 'see' people looking for that age/gender/orientation. So she had to set up dozens and dozens of profiles - male, female, gay, straight, young, old, north, south. Each with a unique login and password. Then numerous burner hotmail accounts for the creeps that kept asking her for blow jobs. Then repeat all those for each dating site, then keep repeating them because sites would think she was contacting too many people and lock her account. She made around 1000 contacts to whittle down to about half a dozen people who'd actually end up being interviewed.
Our office in the spare room looked like that scene where Carrie loses her marbles in Homeland
I had a dickens of a job trying to set a password for my Oyster card, it kept refusing my suggestions, until I realised that there was a rule regarding a character that wasn't stated in the list of rules for setting up a password! 🙄
For one memorable password that requires an ever changing choice of three characters from the main password I used the make, model and registration number of an old car, as one continuous word.
Another useful source of non-dictionary words is foreign aboriginal languages, in particular North American, which is very rich in unusual words, some of which have been used as the titles of a series of films with music soundtracks.
Of course, they can be difficult to remember, although repetition will make them easier to remember.