
Most suffocating password policy ever


acemcmac
02-27-2006, 12:46 PM
This is for an employer's recruitment portal


Please note that the password must respect the following rules:

* It must contain between 7 and 32 characters. Use only characters from the following set: ! # $ % & ( ) * + , - . / 0123456789 : ; < = > ? @ ABCDEFGHIJKLMNOPQRSTUVWXYZ [ ] _ ` abcdefghijklmnopqrstuvwxyz { | } ~
* It must contain at least 1 lowercase letter(s) (abcdefghijklmnopqrstuvwxyz).
* It must contain at least 1 capital letter(s) (ABCDEFGHIJKLMNOPQRSTUVWXYZ).
* It must contain at least 1 numeric character(s) (0123456789).
* It must not contain your user name.
* It must not contain your email address.
* It must not contain your first name.
* It must not contain your last name.


none of my passwords fit that

letter, symbol, letter, letter, letter, letter, number, number = rejected no caps, rejected symbol not on list

letter, letter, letter, letter, letter, number, number, number = rejected no caps

:|

If their recruitment portal is this anal, I wonder how bad it is to work there. The office complex is within visual distance of the meadowlands complex. I seriously doubt that it would be worth the trouble :thumbsdown:

MikeyIs4Dcats
02-27-2006, 12:47 PM
Fvcky0u


should work just fine.

acemcmac
02-27-2006, 12:48 PM
Originally posted by: MikeyIs4Dcats
Fvcky0u


should work just fine.

hmmmm

AMCRambler
02-27-2006, 12:48 PM
Hoooweee that's a good one. You must have Mordak The Preventer of Information Technology as your network admin, haha.

TallBill
02-27-2006, 12:48 PM
Not even close.

Must contain between 8-12 characters.
Must contain at least 2 upper case letters.
Must contain at least 2 lower case letters.
Must contain 2 numeric characters.
Must contain two non alphanumeric characters (!,@,#,$, etc)

:P

iroast
02-27-2006, 12:48 PM
!!aaAA00

BCYL
02-27-2006, 12:49 PM
We have a similar policy for our systems, in addition we must change our passwords every 30 days AND you cannot repeat the same password for 12 months

acemcmac
02-27-2006, 12:49 PM
Originally posted by: AMCRambler
Hoooweee that's a good one. You must have Mordak The Preventer of Information Technology as your network admin, haha.

No, this is for a place I thought I wanted to apply to work

Cooler
02-27-2006, 12:49 PM
Make the First Letter cap and use a word followed by a number

example.

Hello123

In my office we have to change ours every 4 weeks and they never can be the same.

simms
02-27-2006, 12:49 PM
It's not that hard.

asD8ckdf

TallBill
02-27-2006, 12:50 PM
Just make sure you write it on a post it note and stick it to your screen so you dont forget.

saxophonoia
02-27-2006, 12:50 PM
That's pretty much exactly what ours is.

Kenazo
02-27-2006, 12:51 PM
Originally posted by: BCYL
We have a similar policy for our systems, in addition we must change our passwords every 30 days AND you cannot repeat the same password for 12 months

Although I understand the reasons for such a policy, I bet it ends up being less secure b/c employees are just going to write their PW on a stickynote and have it in their desk. If it wasn't changing all the time they'd actually be able to remember it.

mundane
02-27-2006, 12:52 PM
Originally posted by: TallBill
Just make sure you write it on a post it note and stick it to your screen so you dont forget.

:thumbsup:

Armitage
02-27-2006, 12:52 PM
Originally posted by: TallBill
Not even close.

Must contain between 8-12 characters.
Must contain at least 2 upper case letters.
Must contain at least 2 lower case letters.
Must contain 2 numeric characters.
Must contain two non alphanumeric characters (!,@,#,$, etc)

:P

That's similar to the rules at some places I've worked. In addition, they regularly run dictionary attacks against the password files using several languages including Klingon and various slang dictionaries.

acemcmac
02-27-2006, 12:53 PM
Originally posted by: saxophonoia
That's pretty much exactly what ours is.

A reasonable policy should not require more than two out of the following three: numbers, caps, symbols

Gand1
02-27-2006, 12:54 PM
Originally posted by: diegoalcatraz

Originally posted by: TallBill
Just make sure you write it on a post it note and stick it to your screen so you dont forget.

:thumbsup:

And put it on your monitor and/or under your keyboard!

CVSiN
02-27-2006, 12:54 PM
Originally posted by: acemcmac
This is for an employer's recruitment portal


Please note that the password must respect the following rules:

* It must contain between 7 and 32 characters. Use only characters from the following set: ! # $ % & ( ) * + , - . / 0123456789 : ; < = > ? @ ABCDEFGHIJKLMNOPQRSTUVWXYZ [ ] _ ` abcdefghijklmnopqrstuvwxyz { | } ~
* It must contain at least 1 lowercase letter(s) (abcdefghijklmnopqrstuvwxyz).
* It must contain at least 1 capital letter(s) (ABCDEFGHIJKLMNOPQRSTUVWXYZ).
* It must contain at least 1 numeric character(s) (0123456789).
* It must not contain your user name.
* It must not contain your email address.
* It must not contain your first name.
* It must not contain your last name.


none of my passwords fit that

letter, symbol, letter, letter, letter, letter, number, number = rejected no caps, rejected symbol not on list

letter, letter, letter, letter, letter, number, number, number = rejected no caps

:|

If their recruitment portal is this anal, I wonder how bad it is to work there. The office complex is within visual distance of the meadowlands complex. I seriously doubt that it would be worth the trouble :thumbsdown:

um thats pretty standard at most real workplaces...
everywhere ive ever worked used strong passwords.. and then every 3 months you need a brand new one... with nothing in common with the previous one...

at least here we only use smartbadges with a 4 digit PIN code.. love it.. but you are screwed if you forget it..

Steve
02-27-2006, 12:54 PM
Ours is comparatively lax - minimum five characters, no stipulations on caps or lowercase or use of numbers. Passwords expire every 40 days and you cannot use the same password you used up to five (or is that nine?) passwords ago. Many users do something simple like robert01, then robert02, etc.

TallBill
02-27-2006, 12:54 PM
Originally posted by: Armitage

Originally posted by: TallBill
Not even close.

Must contain between 8-12 characters.
Must contain at least 2 upper case letters.
Must contain at least 2 lower case letters.
Must contain 2 numeric characters.
Must contain two non alphanumeric characters (!,@,#,$, etc)

:P

That's similar to the rules at some places I've worked. In addition, they regularly run dictionary attacks against the password files using several languages including Klingon and various slang dictionaries.

Bwuahahaha, I'm betting that klingon has discovered a few hits.

notfred
02-27-2006, 12:54 PM
Umm, everyone has pretty much that same policy.

MikeyIs4Dcats
02-27-2006, 12:56 PM
what I want to know is WhoTF is using 32 character passwords???

spidey07
02-27-2006, 12:57 PM
Originally posted by: notfred
Umm, everyone has pretty much that same policy.

yep. That's what a strong password is and pretty much standard practice IMHO.

rdubbz
02-27-2006, 12:58 PM
That policy isn't sh!t, domain admins here have the same with no less than 16 characters. Mine has 18, try typing that a few dozen times a day.

Demon-Xanth
02-27-2006, 12:58 PM
FuK7#155#17 fits.

CVSiN
02-27-2006, 01:00 PM
Originally posted by: sm8000
Ours is comparatively lax - minimum five characters, no stipulations on caps or lowercase or use of numbers. Passwords expire every 40 days and you cannot use the same password you used up to five (or is that nine?) passwords ago. Many users do something simple like robert01, then robert02, etc.

yah exactly what strong passwords are supposed to stop.. you have any idea how easy that is for someone to crack and gain access to the network/PC?

strong passwords should be mandatory for any company that has any kind of information on their PCs/networks..

unless you like sharing insider company info with your competitors..

Steve
02-27-2006, 01:01 PM
Originally posted by: CVSiN

Originally posted by: sm8000
Ours is comparatively lax - minimum five characters, no stipulations on caps or lowercase or use of numbers. Passwords expire every 40 days and you cannot use the same password you used up to five (or is that nine?) passwords ago. Many users do something simple like robert01, then robert02, etc.

yah exactly what strong passwords are supposed to stop.. you have any idea how easy that is for someone to crack and gain access to the network/PC?

strong passwords should be mandatory for any company that has any kind of information on their PCs/networks..

unless you like sharing insider company info with your competitors..


We don't have competitors :P

Atomicus
02-27-2006, 01:01 PM
my password for my college was restricted by that same policy.

its pretty easy to type in once you use it for a few weeks

theknight571
02-27-2006, 01:02 PM
Originally posted by: MikeyIs4Dcats
what I want to know is WhoTF is using 32 character passwords???

I had a user that was using a sentence as a PW...something like...

Th1sp@ssw0rdisapitatotype

Demon-Xanth
02-27-2006, 01:03 PM
leet makes good passwords :)

Babbles
02-27-2006, 01:07 PM
Originally posted by: spidey07

Originally posted by: notfred
Umm, everyone has pretty much that same policy.

yep. That's what a strong password is and pretty much standard practice IMHO.



Yup, here too.

Ours is just alpha-numeric entries with at least one capitalized letter and one number and it expires every three months.

BigToque
02-27-2006, 01:08 PM
IdwtguIatruktahmtticpw!

That's a good password, and easy to remember. I'll never use it, but it's a good example.

gsellis
02-27-2006, 01:09 PM
Originally posted by: acemcmac
This is for an employer's recruitment portal


Please note that the password must respect the following rules:

* It must contain between 7 and 32 characters. Use only characters from the following set: ! # $ % & ( ) * + , - . / 0123456789 : ; < = > ? @ ABCDEFGHIJKLMNOPQRSTUVWXYZ [ ] _ ` abcdefghijklmnopqrstuvwxyz { | } ~
* It must contain at least 1 lowercase letter(s) (abcdefghijklmnopqrstuvwxyz).
* It must contain at least 1 capital letter(s) (ABCDEFGHIJKLMNOPQRSTUVWXYZ).
* It must contain at least 1 numeric character(s) (0123456789).
* It must not contain your user name.
* It must not contain your email address.
* It must not contain your first name.
* It must not contain your last name.


none of my passwords fit that

letter, symbol, letter, letter, letter, letter, number, number = rejected no caps, rejected symbol not on list

letter, letter, letter, letter, letter, number, number, number = rejected no caps

:|

If their recruitment portal is this anal, I wonder how bad it is to work there. The office complex is within visual distance of the meadowlands complex. I seriously doubt that it would be worth the trouble :thumbsdown:

As covered, that is just a strong password. Quit whining ;) They just wrote it out longhand for the slow. In fact, they may not be as bad as you thought. They could add valid for 30 days and you cannot reuse any 5 previous passwords, and here is your two factor token. It is a checkbox in Windows password policy that turns all of that on.

As for "who has a 32 character password", try pass phrase. Something like, "At0T Nef at night cr3w! For the Win" That can be a strong password and less successful to a dictionary attack. And, it can be easy to remember.

Edit - still looking for the opportunity to use "Mares eat oats and does eat oats and little lambs eat ivy. A kid will eat ivy too. Wouldn't you?" :P
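
The policy from the opening post written out as a checker and run over passwords posted in the thread up to this point (an added example, not part of any post and not the portal's own code). The applicant details and the last three samples are constructed, and matching the name rules case-insensitively is an assumption.

```python
import string

# Character set exactly as listed in the policy in the opening post. Not in
# the list: space, double quote, single quote, ^ and backslash.
ALLOWED = set("!#$%&()*+,-./" + string.digits + ":;<=>?@"
              + string.ascii_uppercase + "[]_`"
              + string.ascii_lowercase + "{|}~")


def disallowed_chars(password):
    """Characters in the password that are not in the policy's set."""
    return sorted(set(password) - ALLOWED)


def check_password(password, username, email, first_name, last_name):
    """Return the names of the rules the password breaks ([] = accepted)."""
    broken = []
    if not 7 <= len(password) <= 32:
        broken.append("length")
    if disallowed_chars(password):
        broken.append("charset")
    if not any(c in string.ascii_lowercase for c in password):
        broken.append("lowercase")
    if not any(c in string.ascii_uppercase for c in password):
        broken.append("uppercase")
    if not any(c in string.digits for c in password):
        broken.append("digit")
    # Assumption: "must not contain" is matched case-insensitively; the
    # policy text does not say either way.
    folded = password.lower()
    for rule, value in (("username", username), ("email", email),
                        ("first-name", first_name), ("last-name", last_name)):
        if value and value.lower() in folded:
            broken.append(rule)
    return broken


# Constructed applicant details (placeholders, not from the thread).
APPLICANT = dict(username="jdoe", email="jdoe@example.com",
                 first_name="Jane", last_name="Doe")

# Passwords posted in the thread so far, followed by three constructed ones.
SAMPLES = [
    "!!aaAA00",
    "Hello123",
    "asD8ckdf",
    "Th1sp@ssw0rdisapitatotype",
    "IdwtguIatruktahmtticpw!",
    "At0T Nef at night cr3w! For the Win",
    "a^bcde12",   # constructed: first rejected pattern from the opening post
    "abcde123",   # constructed: second rejected pattern from the opening post
    "Doe2006xy",  # constructed: contains the placeholder last name
]


def evaluate(samples=SAMPLES):
    """Map each sample password to the list of rules it breaks."""
    return {pw: check_password(pw, **APPLICANT) for pw in samples}


if __name__ == "__main__":
    for pw, broken in evaluate().items():
        verdict = "accepted" if not broken else "rejected: " + ", ".join(broken)
        print(f"{pw!r:40} {verdict}")
```

The pass phrase fails on two counts, length (35 characters) and the space that the character set lacks, while the 23-character mnemonic posted before it fails only for having no digit.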

toant103
02-27-2006, 01:10 PM
Originally posted by: acemcmac

Originally posted by: AMCRambler
Hoooweee that's a good one. You must have Mordak The Preventer of Information Technology as your network admin, haha.

No, this is for a place I thought I wanted to apply to work


i guess more work for your Admin when he has to reset your pw every day since you don't remember what your current pw is. 3 strikes and your pw is locked.

Maybe not just you, but other users as well

acemcmac
02-27-2006, 01:12 PM
I used the password

"goodmorningvietnam" for a while

Gunslinger08
02-27-2006, 01:13 PM
At my university, they checked passwords against multiple large, well known dictionary files. If any part of your password matched, it was rejected.

Phoenix86
02-27-2006, 01:13 PM
Originally posted by: Demon-Xanth
leet makes good passwords :)

The admin password for MS training is "Pa$$w0rd" or something very similar.

Injury
02-27-2006, 01:14 PM
That's also the criteria for choosing an AIM username, minus the non-alpha/numerics

mugs
02-27-2006, 01:15 PM
Yeah that's normal. And when they make you change it once a month to something entirely different, it encourages writing the password down. Great security feature. :thumbsup:

gsellis
02-27-2006, 01:18 PM
Originally posted by: mugs
Yeah that's normal. And when they make you change it once a month to something entirely different, it encourages writing the password down. Great security feature. :thumbsup:

Write it down? Crap, I have been tattooing them on my forearm. A piece of paper would be so much easier. Hey, I could write it on a Post-It note and put it on my monitor!

Thanks! :P

sao123
02-27-2006, 01:24 PM
Originally posted by: acemcmac
This is for an employer's recruitment portal


Please note that the password must respect the following rules:

* It must contain between 7 and 32 characters. Use only characters from the following set: ! # $ % & ( ) * + , - . / 0123456789 : ; < = > ? @ ABCDEFGHIJKLMNOPQRSTUVWXYZ [ ] _ ` abcdefghijklmnopqrstuvwxyz { | } ~
* It must contain at least 1 lowercase letter(s) (abcdefghijklmnopqrstuvwxyz).
* It must contain at least 1 capital letter(s) (ABCDEFGHIJKLMNOPQRSTUVWXYZ).
* It must contain at least 1 numeric character(s) (0123456789).
* It must not contain your user name.
* It must not contain your email address.
* It must not contain your first name.
* It must not contain your last name.


none of my passwords fit that

letter, symbol, letter, letter, letter, letter, number, number = rejected no caps, rejected symbol not on list

letter, letter, letter, letter, letter, number, number, number = rejected no caps

:|

If their recruitment portal is this anal, I wonder how bad it is to work there. The office complex is within visual distance of the meadowlands complex. I seriously doubt that it would be worth the trouble :thumbsdown:



thats ez...
try this where i work...

you must have 3 separate passwords...


* All three must contain between 7 and 32 characters. Use only characters from the following set: ! # $ % & ( ) * + , - . / 0123456789 : ; < = > ? @ ABCDEFGHIJKLMNOPQRSTUVWXYZ [ ] _ ` abcdefghijklmnopqrstuvwxyz { | } ~
* All three must contain at least 1 lowercase letter(s) (abcdefghijklmnopqrstuvwxyz).
* All three must contain at least 1 capital letter(s) (ABCDEFGHIJKLMNOPQRSTUVWXYZ).
* All three must contain at least 1 numeric character(s) (0123456789).
* All three must not contain your user name.
* All three must not contain your email address.
* All three must not contain your first, middle, or last name.
* All three must not contain your wifes/childs/pets first, middle, or last name.
* All three must not contain your initials.
* All three must not contain your birthday, social security number, or telephone number.
* All three must not contain a matching string of 3 or more sequential characters to one of the other passwords.
* All three must be changed every 60 days.
* A password can never be reused, on any of the systems. A password used on system A, cant ever be used on system B... etc

rbrandon
02-27-2006, 01:32 PM
stop bitching. its a common company policy. were you expecting blank passwords?

Kelvrick
02-27-2006, 01:42 PM
I'd rather have that than the ones that change every 2 weeks. That, and you log in like 3 times. Once to the computer, every time you access the data base, and every time you log into the remote data server... They all change.

Then I see people with stickies on their monitors with their passwords. :D

Ramma2
02-27-2006, 01:46 PM
I've seen places that don't accept any word in the dictionary. Cripes!

djheater
02-27-2006, 01:48 PM
Originally posted by: Kelvrick
I'd rather have that than the ones that change every 2 weeks. That, and you log in like 3 times. Once to the computer, every time you access the data base, and every time you log into the remote data server... They all change.

Then I see people with stickies on their monitors with their passwords. :D

It was 2000 before the major national corporation I work for changed from a universal domain password to individual passwords. I was in awe.

DaWhim
02-27-2006, 01:51 PM
write down the password somewhere.

torpid
02-27-2006, 01:54 PM
It's a matter of culpability. The password policy people want to be able to say they did nothing wrong with their overly restrictive password policy because even if it ultimately makes the system less secure because someone writes their PW down on a sticky, it's not THEIR fault that the employee wrote it down on a sticky, it's the employee's fault. Rarely will management be smart enough to see the big picture - that overly restrictive password policies end up making the system less secure because people can't think of a new password every 60 days and still remember it each time they log in.

I like the one about no pet names. How do they know your pet's name?? If my employer required me to fill out a form with my pets' names I would just lie, then if caught in the lie say that the name I gave them is their real name, but what I call them is just a nickname.

TitanDiddly
02-27-2006, 01:54 PM
My new school required a pretty tough password.
Must have at least 3 of 4 categories:
Lowercase
Numbers
Uppercase
Symbols

At first I was annoyed, but now I'm glad, I have better passwords now.

Slap
02-27-2006, 01:55 PM
One of our passwords here cannot have a letter or number in the same spot as the previous password. That really makes it tough. You basically have to write your old password down and the new guesses under it to make sure you don't have a letter or number in the same spot. You also cannot have repeating numbers or letters.

Saint Nick
02-27-2006, 01:56 PM
)O(I8u7yy7u8

cthulhu
02-27-2006, 01:58 PM
Originally posted by: TallBill
Just make sure you write it on a post it note and stick it to your screen so you dont forget.

:laugh: Yea.

Rock Hydra
02-27-2006, 01:58 PM
Originally posted by: MikeyIs4Dcats
what I want to know is WhoTF is using 32 character passwords???

My friend from this forums, JuJu fish, his logon to our high school server was 100+ characters.

markgm
02-27-2006, 02:02 PM
You're password will expire in 90 days, would you like to change it?
You're password will expire in 90 days, would you like to change it?
You're password will expire in 90 days, would you like to change it?
You're password will expire in 90 days, would you like to change it?
You're password will expire in 90 days, would you like to change it?
You're password will expire in 90 days, would you like to change it?
You're password will expire in 90 days, would you like to change it?
You're password will expire in 90 days, would you like to change it?
You're password will expire in 90 days, would you like to change it?
You're password will expire in 90 days, would you like to change it?
You're password will expire in 90 days, would you like to change it?
You're password will expire in 90 days, would you like to change it?
You're password will expire in 90 days, would you like to change it?
You're password will expire in 90 days, would you like to change it?
You're password will expire in 90 days, would you like to change it?
You're password will expire in 90 days, would you like to change it?
You're password will expire in 90 days, would you like to change it?
You're password will expire in 90 days, would you like to change it?
You're password will expire in 90 days, would you like to change it?
You're password will expire in 90 days, would you like to change it?
You're password will expire in 90 days, would you like to change it?
You're password will expire in 90 days, would you like to change it?
You're password will expire in 90 days, would you like to change it?
You're password will expire in 90 days, would you like to change it?

Whoever invented that message should be shot. How about I change the ****** thing when it expires!

Ime
02-27-2006, 02:13 PM
Originally posted by: torpid
It's a matter of culpability. The password policy people want to be able to say they did nothing wrong with their overly restrictive password policy because even if it ultimately makes the system less secure because someone writes their PW down on a sticky, it's not THEIR fault that the employee wrote it down on a sticky, it's the employee's fault. Rarely will management be smart enough to see the big picture - that overly restrictive password policies end up making the system less secure because people can't think of a new password every 60 days and still remember it each time they log in.

I like the one about no pet names. How do they know your pet's name?? If my employer required me to fill out a form with my pets' names I would just lie, then if caught in the lie say that the name I gave them is their real name, but what I call them is just a nickname.



As a system admin, I will submit that no matter how lax or restrictive your password policies are, people are stupid/forgetful and will write them down. I've seen lax policies, so lax that a password like "welcome" is allowed. Guess what? Some people really were too lazy to remember their password as "welcome" (WHICH THEY SET THEMSELVES!) and either called to get it changed or wrote it down and stuck it to their monitor, or in the case of laptop users, stuck it to the bottom of their laptops.

I think passwords are an evil thing, and should be replaced with smart-cards + pin codes and/or biometrics ASAP.

randomlinh
02-27-2006, 02:17 PM
i came in here expecting some weird ass policy... i'm highly disappointed. (from the OP)

DanTMWTMP
02-27-2006, 02:19 PM
heh, luckily, i have a password that fits that description.

gsellis
02-27-2006, 02:21 PM
Originally posted by: markgm
You're password will expire in 90 days, would you like to change it?
You're password will expire in 90 days, would you like to change it?
You're password will expire in 90 days, would you like to change it?
You're password will expire in 90 days, would you like to change it?
You're password will expire in 90 days, would you like to change it?
You're password will expire in 90 days, would you like to change it?
You're password will expire in 90 days, would you like to change it?
You're password will expire in 90 days, would you like to change it?
You're password will expire in 90 days, would you like to change it?
You're password will expire in 90 days, would you like to change it?
You're password will expire in 90 days, would you like to change it?
You're password will expire in 90 days, would you like to change it?
You're password will expire in 90 days, would you like to change it?
You're password will expire in 90 days, would you like to change it?
You're password will expire in 90 days, would you like to change it?
You're password will expire in 90 days, would you like to change it?
You're password will expire in 90 days, would you like to change it?
You're password will expire in 90 days, would you like to change it?
You're password will expire in 90 days, would you like to change it?
You're password will expire in 90 days, would you like to change it?
You're password will expire in 90 days, would you like to change it?
You're password will expire in 90 days, would you like to change it?
You're password will expire in 90 days, would you like to change it?
You're password will expire in 90 days, would you like to change it?

Whoever invented that message should be shot. How about I change the ****** thing when it expires!

We are still waiting for the bug fix that will allow us to remind you every 15 minutes... ;)

KillerCharlie
02-27-2006, 02:21 PM
I worked for the USAF and every aspect of the passwords required was more strict than yours.

Minimum 8 characters, not 7
Minimum 1 uppercase letter
Minimum 1 lowercase letter
Minimum 1 number
AND minimum 1 special character (!@#$%^&*)

Not only could it not be your name, it could not be ANY common name.

Furthermore, it could not contain any words (or prefixes or suffixes) in it at all. If your password was %2@rEZ*$3, that would not work because it had the prefix "re" in it. It took me like 5 tries randomly typing in character combinations to get a password accepted.

BlueFlamme
02-27-2006, 02:36 PM
Originally posted by: KillerCharlie
I worked for the USAF and every aspect of the passwords required was more strict than yours.

Minimum 8 characters, not 7
Minimum 1 uppercase letter
Minimum 1 lowercase letter
Minimum 1 number
AND minimum 1 special character (!@#$%^&*)

Not only could it not be your name, it could not be ANY common name.

Furthermore, it could not contain any words (or prefixes or suffixes) in it at all. If your password was %2@rEZ*$3, that would not work because it had the prefix "re" in it. It took me like 5 tries randomly typing in character combinations to get a password accepted.


It has gotten worse...

Any common 4 character sequence is not allowed (NCC-1701, 1qaz, !QAZ, repeating numbers, etc.)

I worked on the team that brute forced all of the pwds within our MAJCOM (i believe over 300K users) and searched for any common strings that appeared too often, if so we put them in the do not allow list.

Use an extended ASCII char FTW, i always liked using "csar" in my pwd, of course they remember your previous 10 pwds and you can only change your pwd like once a week.

WobbleWobble
02-27-2006, 02:38 PM
Looks no different from what Windows 2003 considers a complex password.

markgm
02-27-2006, 02:42 PM
Originally posted by: KillerCharlie
I worked for the USAF and every aspect of the passwords required was more strict than yours.

Minimum 8 characters, not 7
Minimum 1 uppercase letter
Minimum 1 lowercase letter
Minimum 1 number
AND minimum 1 special character (!@#$%^&*)

Not only could it not be your name, it could not be ANY common name.

Furthermore, it could not contain any words (or prefixes or suffixes) in it at all. If your password was %2@rEZ*$3, that would not work because it had the prefix "re" in it. It took me like 5 tries randomly typing in character combinations to get a password accepted.



Can't it just be added to the message telling me I need to reboot my computer after I install updates? :D

SWScorch
02-27-2006, 02:44 PM
that's pretty lenient compared to the USAF as KillerCharlie pointed out. My admin account PW was 16 chars long and had more restrictions than that.

rh71
02-27-2006, 02:44 PM
Originally posted by: BCYL
We have a similar policy for our systems, in addition we must change our passwords every 30 days AND you cannot repeat the same password for 12 months

that sucks... for our Windows policy, we're just not supposed to repeat the last 4 used so I just change it 4 times in a row back to the previous one. :D
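
The two history workarounds described in the thread, the robert01/robert02 increment and cycling through four changes to get back to the old password, modelled against a last-4 history check (an added example, not any poster's code or a real product's API). `Account`, `min_age_days` and `check_increment` are hypothetical names, and the minimum-age and increment checks are countermeasures added here that the thread does not mention.

```python
import hashlib
import hmac
import os
import re

HISTORY_DEPTH = 4     # "not supposed to repeat the last 4 used"
ITERATIONS = 10_000   # kept low so the demo is quick; not a recommended work factor


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def _stem(password):
    """Case-folded password with any trailing digits removed."""
    return re.sub(r"\d+$", "", password).lower()


class Account:
    """Hypothetical account record holding salted hashes of recent passwords."""

    def __init__(self, password, min_age_days=0, check_increment=False):
        self.min_age_days = min_age_days
        self.check_increment = check_increment
        self.history = []          # (salt, hash) pairs, current password last
        self.last_change_day = 0
        self._store(password)

    def _store(self, password):
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        self.history = self.history[-HISTORY_DEPTH:]

    def _matches(self, password, entry):
        salt, digest = entry
        return hmac.compare_digest(_hash(password, salt), digest)

    def change(self, current, new, day):
        """Try a password change on the given day; return 'ok' or the reason."""
        if not self._matches(current, self.history[-1]):
            return "wrong-current"
        if day - self.last_change_day < self.min_age_days:
            return "too-soon"
        if any(self._matches(new, entry) for entry in self.history):
            return "reused"
        # The user has just typed the current password, so old and new can be
        # compared here without ever storing plaintext.
        if self.check_increment and _stem(new) == _stem(current):
            return "increment"
        self._store(new)
        self.last_change_day = day
        return "ok"


def cycle_back(min_age_days):
    """Four throwaway changes in one sitting, then the original again."""
    acct = Account("Original#1", min_age_days=min_age_days)
    current, outcomes = "Original#1", []
    # Constructed passwords; day 40 stands in for the expiry date.
    for new in ["Tmp-aaa1A", "Tmp-bbb2B", "Tmp-ccc3C", "Tmp-ddd4D", "Original#1"]:
        result = acct.change(current, new, day=40)
        outcomes.append(result)
        if result == "ok":
            current = new
    return outcomes


def increment(check_increment):
    """robert01 -> robert02 at expiry."""
    acct = Account("robert01", check_increment=check_increment)
    return acct.change("robert01", "robert02", day=40)


if __name__ == "__main__":
    print("cycle, no minimum age:   ", cycle_back(0))
    print("cycle, 1-day minimum age:", cycle_back(1))
    print("increment, history only: ", increment(False))
    print("increment, stem check:   ", increment(True))
```

An exact-match history accepts both workarounds; the stem check only catches a changed trailing number, so it narrows the habit rather than ending it.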

Alkesh
02-27-2006, 02:47 PM
My friend works at a hedge fund and the PW he has for his e-mail is only half of the password, the other half is on a keychain assigned to him that randomizes the numbers every five minutes. In order to check his mail he has to put in the correct code at the correct time in addition to the part only he knows.

cscpianoman
02-27-2006, 02:49 PM
Instead of words or phrases use patterns on the keyboard.

Mark R
02-27-2006, 02:54 PM
I've found Qw3rTyU1Op{, A5DfGhJkL;, and Z+Cv8nM< have stood me very well for some time.

Unfortunately, I had some problems with them on the old ATOT forums - if your password had a symbol in it, you couldn't edit your posts - WTF.

I've had other problems, mainly at work, where there are strange password policies.

We've got about 6 computer systems at work that I need access to - and they all have their own password. Some can't cope with different cases (all caps only), some can't cope with symbols, one requires that your password be 6 characters long (3 digits followed by 3 upper-case letters).

Another has a very peculiar login system - you just enter a password, not user name (it appears that your user name is assumed from the password) - again, WTF x2!

It's a real pain managing 6 different passwords simultaneously - I tried syncing them up - but with the different rules it was difficult. I was then scuppered because they all have different expiry times (and on some you can't change the PW before it expires).

KillerCharlie
02-27-2006, 02:58 PM
Originally posted by: Alkesh
My friend works at a hedge fund and the PW he has for his e-mail is only half of the password, the other half is on a keychain assigned to him that randomizes the numbers every five minutes. In order to check his mail he has to put in the correct code at the correct time in addition to the part only he knows.

Now that would suck.

spidey07
02-27-2006, 03:02 PM
Originally posted by: KillerCharlie

Originally posted by: Alkesh
My friend works at a hedge fund and the PW he has for his e-mail is only half of the password, the other half is on a keychain assigned to him that randomizes the numbers every five minutes. In order to check his mail he has to put in the correct code at the correct time in addition to the part only he knows.

Now that would suck.

It's called two factor authentication and actually is growing in popularity.

Lot better than just a username/password

Winchester
02-27-2006, 03:06 PM
Originally posted by: TallBill
Not even close.

Must contain between 8-12 characters.
Must contain at least 2 upper case letters.
Must contain at least 2 lower case letters.
Must contain 2 numeric characters.
Must contain two non alphanumeric characters (!,@,#,$, etc)

:P


Ours was the same but 12-16 characters.

drinkmorejava
02-27-2006, 03:28 PM
all of mine work :)

Phlargo
02-27-2006, 03:38 PM
that's a pretty easy going password policy - my former company required that we change our passwords every 2 weeks, had to have:

1 symbol (non number/letter)
1 upper case
1 number
no fewer than 8 characters, with no more than two successive or sequential characters

Welcome to Enterprise Data Storage!

Kristi2k
02-27-2006, 03:57 PM
Originally posted by: CVSiN

Originally posted by: acemcmac
This is for an employer's recruitment portal


Please note that the password must respect the following rules:

* It must contain between 7 and 32 characters. Use only characters from the following set: ! # $ % & ( ) * + , - . / 0123456789 : ; < = > ? @ ABCDEFGHIJKLMNOPQRSTUVWXYZ [ ] _ ` abcdefghijklmnopqrstuvwxyz { | } ~
* It must contain at least 1 lowercase letter(s) (abcdefghijklmnopqrstuvwxyz).
* It must contain at least 1 capital letter(s) (ABCDEFGHIJKLMNOPQRSTUVWXYZ).
* It must contain at least 1 numeric character(s) (0123456789).
* It must not contain your user name.
* It must not contain your email address.
* It must not contain your first name.
* It must not contain your last name.


none of my passwords fit that

letter, symbol, letter, letter, letter, letter, number, number = rejected no caps, rejected symbol not on list

letter, letter, letter, letter, letter, number, number, number = rejected no caps

:|

If their recruitment portal is this anal, I wonder how bad it is to work there. The office complex is within visual distance of the meadowlands complex. I seriously doubt that it would be worth the trouble :thumbsdown:

um thats pretty standard at most real workplaces...
everywhere ive ever worked used strong passwords.. and then every 3 months you need a brand new one... with nothing in common with the previous one...


That's how it is where I work, it's not a big deal.

Al Neri
02-27-2006, 04:23 PM
Password, must be greater than 8 characters and less than 3 characters.

That's the most suffocating policy.

DaShen
02-27-2006, 04:25 PM
that is actually the standard. More constraint is better though. Easy hack otherwise.

spidey07
02-27-2006, 04:26 PM
oh and the big reason for strong passwords besides unauthorized access is worms/viruses.

Lots of them will automatically dictionary attack resources.

lrad50
02-27-2006, 04:31 PM
most college websites are worse

Armitage
02-27-2006, 04:33 PM
Originally posted by: spidey07

Originally posted by: KillerCharlie

Originally posted by: Alkesh
My friend works at a hedge fund and the PW he has for his e-mail is only half of the password, the other half is on a keychain assigned to him that randomizes the numbers every five minutes. In order to check his mail he has to put in the correct code at the correct time in addition to the part only he knows.

Now that would suck.

It's called two factor authentication and actually is growing in popularity.

Lot better than just a username/password

I think I heard something recently that online banking sites are going to have to go to that soon.
That's how our VPN access at work is - RSA card.

imported_Phil
02-27-2006, 04:38 PM
At my old company, one of the Directors had a password of... you guessed it... "password". And somehow, he'd lock his account out two or three times per week and need it unlocked. How do you mistype "password" every other morning?

djheater
02-27-2006, 04:40 PM
Ten pounds IS NOT bulk!!!

oops, I meant

That's not a very restrictive policy!!!

Argo
02-27-2006, 04:43 PM
This isn't even close to the most suffocating. Try all of the above, plus it cannot contain any English words in it, plus you have to change it every 3 months.

imported_Phil
02-27-2006, 04:43 PM
Originally posted by: djheater
Ten pounds IS NOT bulk!!!

oops, I meant

That's not a very restrictive policy!!!

Can you imagine how much more work we would have had were we to switch to complex?

jagec
02-27-2006, 04:52 PM
Originally posted by: TallBill
Not even close.

Must contain between 8-12 characters.
Must contain at least 2 upper case letters.
Must contain at least 2 lower case letters.
Must contain 2 numeric characters.
Must contain two non alphanumeric characters (!,@,#,$, etc)

:P

The only problem my two "secure" passwords have with that policy is that they're too long :(

No problem with the OP's requirements, though...


Originally posted by: Armitage
That's similar to the rules at some places I've worked. In addition, they regularly run dictionary attacks against the password files using several languages including Klingon and various slang dictionaries.
That's why you break out the 1337 and start replacing a couple letters with numbers or symbols. That way you can use an easy-to-remember password, and still be secure.

Kyteland
02-27-2006, 05:34 PM
The password B(.)(.)B13s seems to fit all of your rules.

shortylickens
02-27-2006, 05:43 PM
Am I the only person here who realizes these policies don't actually secure sh1t?
If they were really worried about security they would get thumb scanners or something.

But, like so many issues related to safety and security, it's cheaper and easier to keep pushing the BS, ineffective methods that don't do jack, just so people can FEEL safer.
Because FEELING safer is much more desirable to a fool than actually BEING safe.

Ilmater
02-27-2006, 05:46 PM
Originally posted by: TallBill
Not even close.

Must contain between 8-12 characters.
Must contain at least 2 upper case letters.
Must contain at least 2 lower case letters.
Must contain 2 numeric characters.
Must contain two non alphanumeric characters (!,@,#,$, etc)

:P
Oooh, one of ours is close (I have 26 different passwords in use at my company currently, so this is just one of them):

At least 8 characters
At least 1 upper-case character
At least 1 lower-case character
At least 1 numeric character
At least 1 non-alphanumeric character

jagec
02-27-2006, 05:51 PM
Originally posted by: shortylickens
Am I the only person here who realizes these policies don't actually secure sh1t?
If they were really worried about security they would get thumb scanners or something.

But, like so many issues related to safety and security, it's cheaper and easier to keep pushing the BS, ineffective methods that don't do jack, just so people can FEEL safer.
Because FEELING safer is much more desirable to a fool than actually BEING safe.

Hate to break it to you, but a solid password, that you DON'T write on a sticky note to remember, is much more secure than a thumb scanner. Biometrics tends to be easy to fool.

shortylickens
02-27-2006, 05:56 PM
You didn't hate breaking anything to me. You liked it. :P

In the words of George Costanza "Or something. I said Or Something."
I was actually thinking of a smart card along with the password.

Gobadgrs
02-27-2006, 05:58 PM
At my company I have all of the above, password changes every month and you can't reuse any of your last 12 passwords

Hummin
02-27-2006, 06:06 PM
Originally posted by: jagec

Originally posted by: shortylickens
Am I the only person here who realizes these policies don't actually secure sh1t?
If they were really worried about security they would get thumb scanners or something.

But, like so many issues related to safety and security, it's cheaper and easier to keep pushing the BS, ineffective methods that don't do jack, just so people can FEEL safer.
Because FEELING safer is much more desirable to a fool than actually BEING safe.

Hate to break it to you, but a solid password, that you DON'T write on a sticky note to remember, is much more secure than a thumb scanner. Biometrics tends to be easy to fool.

Gummi bears, anyone?

Armitage
02-27-2006, 06:22 PM
Originally posted by: jagec

Originally posted by: TallBill
Not even close.

Must contain between 8-12 characters.
Must contain at least 2 upper case letters.
Must contain at least 2 lower case letters.
Must contain 2 numeric characters.
Must contain two non alphanumeric characters (!,@,#,$, etc)

:P

The only problem my two "secure" passwords have with that policy is that they're too long :(

No problem with the OP's requirements, though...


Originally posted by: Armitage
That's similar to the rules at some places I've worked. In addition, they regularly run dictionary attacks against the password files using several languages including Klingon and various slang dictionaries.
That's why you break out the 1337 and start replacing a couple letters with numbers or symbols. That way you can use an easy-to-remember password, and still be secure.

I'm sure some of the more common 1337 is in the slang dictionaries.
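
The point in the exchange above, that leet substitutions do not take a password out of reach of a dictionary audit, can be checked on the defender's side by undoing the substitutions before the lookup. This is an added example, not part of any poster's message; the substitution table, word list and sample passwords are constructed for illustration.

```python
import itertools
import re

# Constructed substitution table: symbol -> letters it commonly stands for.
LEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t",
        "@": "a", "$": "s", "!": "i", "+": "t"}

# Constructed stand-in for the audit dictionaries (real ones hold millions of words).
WORDLIST = {"password", "dragon", "charlotte", "monkey", "secret"}


def deleet_variants(password, limit=4096):
    """Yield lowercase readings of the password with leet symbols undone.

    Each mapped symbol may stand for any of its letters or for itself, so the
    readings are a Cartesian product; `limit` bounds the work per password.
    """
    choices = [LEET.get(ch, "") + ch for ch in password.lower()]
    for combo in itertools.islice(itertools.product(*choices), limit):
        yield "".join(combo)


def dictionary_hits(password, wordlist=WORDLIST, min_len=4):
    """Return the dictionary words found once substitutions are reversed."""
    hits = set()
    for variant in deleet_variants(password):
        # Digits and symbols left in place act as separators between words.
        for token in re.split(r"[^a-z]+", variant):
            if len(token) >= min_len and token in wordlist:
                hits.add(token)
    return hits


def acceptable(password):
    """Decision for a password filter: reject on any dictionary hit."""
    return not dictionary_hits(password)


if __name__ == "__main__":
    for candidate in ("P@55w0rd", "Dr4g0n!2006", "xq7#Lm2vRz"):  # constructed samples
        print(candidate, sorted(dictionary_hits(candidate)) or "no hit")
```

Both substituted samples pass a "1 upper, 1 lower, 1 digit, 1 symbol" composition rule and are still rejected here, because the word underneath is recovered.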

Zaitsevs
02-27-2006, 06:34 PM
put your name into leet

CVSiN
02-27-2006, 07:18 PM
Originally posted by: shortylickens
You didn't hate breaking anything to me. You liked it. :P

In the words of George Costanza "Or something. I said Or Something."
I was actually thinking of a smart card along with the password.



we use smart cards here.. I like them a lot..

sao123
02-27-2006, 07:30 PM
does anyone use secure id 16 digit keyfobs for passwords?

Eli
02-27-2006, 08:01 PM
Originally posted by: Armitage

Originally posted by: TallBill
Not even close.

Must contain between 8-12 characters.
Must contain at least 2 upper case letters.
Must contain at least 2 lower case letters.
Must contain 2 numeric characters.
Must contain two non alphanumeric characters (!,@,#,$, etc)

:P

That's similar to the rules at some places I've worked. In addition, they regularly run dictionary attacks against the password files using several languages including Klingon and various slang dictionaries.

Jeebus Christ, WTF? LOL

cpacini
02-27-2006, 08:18 PM
Originally posted by: spidey07

Originally posted by: KillerCharlie

Originally posted by: Alkesh
My friend works at a hedge fund and the PW he has for his e-mail is only half of the password, the other half is on a keychain assigned to him that randomizes the numbers every five minutes. In order to check his mail he has to put in the correct code at the correct time in addition to the part only he knows.

Now that would suck.

It's called two factor authentication and actually is growing in popularity.

Lot better than just a username/password

MLS uses that system as well, although it is really designed to prevent cheap realtors from sharing accounts, not security. :)

thirdlegstump
02-27-2006, 09:13 PM
Y0uR_m0M_(_!_)_after_m3_(_8_)

cavemanmoron
02-27-2006, 09:18 PM
K1ssmyA$$$

LOL

Pepsei
02-27-2006, 09:52 PM
I think Charlotte1 fits right? that's our local admin password for every server. Ok, I'm lying, but it's close.

spidey07
02-27-2006, 09:54 PM
Originally posted by: Pepsei
I think Charlotte1 fits right? that's our local admin password for every server. Ok, I'm lying, but it's close.

heh, for a while this was my standard...

H0und!3y3

yep, original half-life reference.
:)

Apathetic
02-28-2006, 12:17 PM
Here's our policy:

15 character minimum (I'm not making this up)
must contain 1 or more upper, 1 or more lower, 1 or more symbol, 1 or more digits
changed every 45 days
remembers the past 10 or 12 (I don't remember which)
not allowed to end with a digit
not allowed to simply increment the digit in the password

shoot me

Dave
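
A password-change check for the policy listed above, as an added example that is not part of the original post or of any real system. The function names, the PBKDF2 work factor, the history depth of 10 and the reading of "simply increment the digit" as "only one run of digits changed" are assumptions; the 45-day expiry is a scheduling rule and is left out.

```python
import hashlib
import hmac
import os
import re
import string

HISTORY_DEPTH = 10          # the post says 10 or 12; 10 is assumed here
PBKDF2_ROUNDS = 100_000     # assumed work factor for the stored history


def hash_entry(password, salt=None):
    """Salted PBKDF2 record, so the history never holds plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def only_digit_run_changed(new, current):
    """True when the two passwords differ in exactly one run of digits."""
    a, b = re.findall(r"\d+|\D+", new), re.findall(r"\d+|\D+", current)
    if len(a) != len(b):
        return False
    diffs = [(x, y) for x, y in zip(a, b) if x != y]
    return len(diffs) == 1 and diffs[0][0].isdigit() and diffs[0][1].isdigit()


def violations(new, current, history):
    """Return the list of rules the proposed password breaks."""
    found = []
    if len(new) < 15:
        found.append("shorter than 15 characters")
    classes = {"upper": string.ascii_uppercase, "lower": string.ascii_lowercase,
               "digit": string.digits, "symbol": string.punctuation}
    for name, chars in classes.items():
        if not any(ch in chars for ch in new):
            found.append("no " + name)
    if new[-1:].isdigit():
        found.append("ends with a digit")
    if only_digit_run_changed(new, current):
        found.append("only a digit changed")
    # Re-hash the candidate under each stored salt; exact reuse is all this can detect.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_entry(new, salt)[1], digest):
            found.append("reused from history")
            break
    return found
```

The digit-only comparison needs the current password in plaintext, which is available only because the user types it during the change. Against older passwords the salted history allows nothing beyond an exact-reuse check.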

axnff
02-28-2006, 01:59 PM
On one of our boxes:

Minimum 8 characters
At least 4 letters
At least 3 numbers
Symbols okay
Account locked after ONE invalid attempt
Changed every 14 days (you can use it up through 28 days, but cannot change it after 14 days)
Cannot reuse previous passwords ever.

But it's on a trusted box with all the UNIX "r" commands ("rcp", "rlogin", etc) still installed.....

I've been here over six years.

bmacd
02-28-2006, 02:05 PM
here is what the DOD demands for our passwords:

Change Password
Complete this section and click submit when you are finished to change your password. For information regarding your privacy, please see the Privacy Policy on the Login Page by clicking here. Your password has the following restrictions:
* It must be at least 10 characters
* It must contain at least 2 special characters: !@#$%^&*_-+=':;.,
* It must contain at least 2 numbers
* It must contain at least 2 uppercase and 2 lowercase letters
* It must not be one of your last 10 passwords.
* It IS case sensitive


-=bmacd=-