
RANT: Sites with ridiculous password policies...

Page 2

DaWhim

Lifer
Feb 3, 2003
12,985
1
81
If you think US banking is ridiculous, try UK.

With the number of accounts I have, remembering each of them has been an impossible task. I have since turned to TrueCrypt and passkeep. They work wonders.
 

Fayd

Diamond Member
Jun 28, 2001
7,970
2
76
www.manwhoring.com
Originally posted by: Argo
2 rants actually:

Site 1: Requires a password that is at least 8 characters long, has 1 capital, 1 digit and one punctuation sign and cannot resemble any word. The site falls into the category of sites that has financial data but that I access fairly seldom. So of course I don't want to write down the password, and of course I forget it. To top it all off, their "forgot my password" functionality appears to be unavailable. When I try it I literally get a message saying "This functionality is not available, please try again later".

Site 2: Requires you to change your password once every 3 months. You CANNOT use any passwords that you used in the past. It wouldn't be so bad if this wasn't another one of those financial data sites that I access once every 2 or 3 months. So of course I constantly keep forgetting the password, causing me to go through the stupid reset password functionality.

Really, the only thing these stupid policies cause is for people to start writing their passwords and sticking them onto a monitor. Btw, both sites are personal financial sites from major institutions.

One of the job-hunting sites I visit has such a policy.

I soooo hate it.
 

kranky

Elite Member
Oct 9, 1999
21,019
156
106
It's pretty well understood now that absurdly difficult password rules actually lessen security since people have to write them down. The more password "rules" and the more often it has to be changed, the more likely it's going to be written down. We use an app at work that has rules similar to "site 1" in the OP, but to make things worse it has to be EXACTLY 8 characters, no more, no less. I never understood the benefit of not allowing a password that was ever used in the past.

It's fine to not allow passwords which a brute-force dictionary attack could find, but some sites go too far.

I would argue that using a password-style answer to every security question is actually more secure than using the real answer. Someone trying to hack a financial account might know your father's middle name was Dennis, but if you answered the security question with "g45kSS-X" you're better protected.
 

daniel1113

Diamond Member
Jun 6, 2003
6,448
0
0
I agree 100%. I can't tell you the number of sites I stopped registering for as soon as I saw they had these crazy password policies.

When it comes to the security questions, I use the same answer regardless of the question since they tend to have non-permanent answers. Hell, I don't even know what my favorite movie is, much less that it won't change. Of course, now there are sites that require multiple security questions, and of course, each requires a different answer. Fuckers.
 

RichardE

Banned
Dec 31, 2005
10,246
2
0
Originally posted by: Brainonska511
Originally posted by: Exterous
I hate sites that make you choose off-the-wall security questions:
"What's your favorite dinner food?"
"What was your father's friend's third wife's maiden name?"

Not just off the wall questions, but questions that have variable answers and could easily change over time, like "what's your favorite movie?"

The solution to this is to use one random word to answer every question.

Like..


Madagascar
 

sandorski

No Lifer
Oct 10, 1999
70,785
6,345
126
I hate it too, but have only had it happen once. I think it was Gmail or some other Online E-mail account. It was just pissing me off with the stupid requirements, I just wanted E-mail FFS and not use it to pass Classified Information. :|
 

Jeff7

Lifer
Jan 4, 2001
41,596
20
81
Originally posted by: coldmeat
All my passwords are in a text document on my desktop.
Truecrypt. Use it.

My passwords are saved on my computer and on a thumbdrive I always take with me. They're saved in an otherwise inconspicuous file, beneath dual-layer encryption. According to Truecrypt's documentation, the file contents will simply look like random data, with nothing to identify it as a Truecrypt file.


Originally posted by: Exterous
I hate sites that make you choose off-the-wall security questions:
"What's your favorite dinner food?"
"What was your father's friend's third wife's maiden name?"
It's not like you need to answer accurately.
What's your favorite dinner food? Chicken.
What was your father's friend's third wife's maiden name? Chicken.
Where was your third cousin born? Chicken.


Edit: Truecrypt's biggest problem is that it can't be used on campus or at work unless someone with administrative access will install it for you. :(

 

SpunkyJones

Diamond Member
Apr 1, 2004
5,090
1
81
Originally posted by: FP
KeePass ftw

I don't know any of my passwords. I simply copy/paste from KeePass. I back up my encrypted password file remotely and have it on a couple of USB keys.

This what I use and do. :thumbsup:
 

FelixDeCat

Lifer
Aug 4, 2000
31,017
2,685
126
asdfjkl1! or any variant thereof

9 digits

not a word

has a numeral

includes a shift based special character from 1-10

easy to remember
 

Injury

Lifer
Jul 19, 2004
13,066
2
81
One of my student loan websites requires you to change your password every 30 days. Which means you need to log in every 30 days or you'll need to reset your account & make a new password through a horribly slow email confirmation link.

If you log in once monthly just to pay on your loan, then any month with 31 days in it would cause you to need to reset your password. It would always take about an hour or more for the email to show up and security questions needed an EXACT match... none of the questions are one word answers.

I can't think of what kind of person logs in regularly enough to make that sort of "protection" necessary. What the hell does this "protect", anyway? Is someone going to log in and pay my bill for me or something?
 

Drakkon

Diamond Member
Aug 14, 2001
8,401
1
0
I can understand it for financial sites but I'm seeing it more and more for things like forums and things that really have no personal data whatsoever.

Then there is the university I work for - user accounts on computers have to have a password with no common words in it, 2 capitals, 1 special character, at least 10 characters, and must be changed every 6 months, cannot use a password used in the past, and must be at least 5 characters different. Most people I know end up having a sticky note with it somewhere on their desk anyway, which ends up defeating the whole purpose. And best part of all, this account is in no way linked to financial data or other school systems.
 

Mardeth

Platinum Member
Jul 24, 2002
2,608
0
0
Originally posted by: FP
KeePass ftw

I don't know any of my passwords. I simply copy/paste from KeePass. I back up my encrypted password file remotely and have it on a couple of USB keys.

Same.
 

imported_Imp

Diamond Member
Dec 20, 2005
9,148
0
0
I write all of mine down on a notepad that's kept in a drawer of my desk.

Don't really need to write it down actually. I use the same 3 or 4 passwords everywhere and just add maybe 1 unique thing to it depending on the site. The joke's on you though, I never store my credit cards on store websites.
 

pontifex

Lifer
Dec 5, 2000
43,804
46
91
Originally posted by: Brainonska511
Originally posted by: Exterous
I hate sites that make you choose off-the-wall security questions:
"What's your favorite dinner food?"
"What was your father's friend's third wife's maiden name?"

Not just off the wall questions, but questions that have variable answers and could easily change over time, like "what's your favorite movie?"

And they have to be a certain number of characters long too. One was "1st pet or favorite pet's name" and it was 3 letters long, but they needed it to be 4 characters or something.
 

Codewiz

Diamond Member
Jan 23, 2002
5,758
0
76
Originally posted by: yh125d
Originally posted by: DayLaPaul
Fingerprint reader ftw?

biometrics! *highfive*

Yeah, because it is REALLY easy to get a new fingerprint once your print has been lifted. Not to mention, you rarely touch anything, so it is pretty much impossible to lift fingerprints. :roll:

I am always amazed at people who have a hard-on for biometrics. It is absolutely the WORST idea. A non-revocable, non-replaceable key, BRILLIANT.

Biometrics don't pose a risk right now because they aren't used. But if companies actually started using them, thieves would be lifting all sorts of prints in public. You wouldn't be able to use ATM machines anymore.

Biometrics FTL.
 

gsverz

Junior Member
Dec 10, 2008
9
0
0
download keepass... it can generate passwords for you... all you have to do is remember the master password...
 

oznerol

Platinum Member
Apr 29, 2002
2,476
0
76
www.lorenzoisawesome.com
Add to your rant those sites that also require you to enter the password via the on-screen keyboard. I am assuming this is to prevent key-loggers, but seriously - when the password needs to be 8+ characters - upper and lowercase - numbers and symbols - it gets ridiculous.
 

AyashiKaibutsu

Diamond Member
Jan 24, 2004
9,306
4
81
That's not too bad. One of the passwords I need requires 2 upper case 2 lower case 2 numbers and 2 special symbols in the first 9 characters. Cannot match any patterns the security group checks for or any of your previous passwords.
 

acheron

Diamond Member
May 27, 2008
3,171
2
81
I used to work as a bank teller, and the passwords to login to the bank's computer system had to be exactly 8 characters, 4 letters followed by 4 numbers. :confused:
 

Jeff7

Lifer
Jan 4, 2001
41,596
20
81
Originally posted by: ducci
Add to your rant those sites that also require you to enter the password via the on-screen keyboard. I am assuming this is to prevent key-loggers, but seriously - when the password needs to be 8+ characters - upper and lowercase - numbers and symbols - it gets ridiculous.
I have encountered one of those sites - Treasury Direct, for savings bonds. I'd like to use a computer mouse cord to strangle whoever thought of that idea.

 

iamwiz82

Lifer
Jan 10, 2001
30,772
13
81
There is a site I go to for work that has a maximum size of 8 characters, but if you type in more than that it will accept it, dropping anything after 8. By the time you realize your password for the month was 9 characters the stupid system is locked out.
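The silent-truncation behaviour described in this post, as an added example (not code from the site or from anyone in the thread): a legacy check that trims the password to 8 characters before hashing, beside a version that rejects over-long input instead and hashes the full password with a salted PBKDF2. The 128-character limit and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os

# Constructed example reproducing the defect the poster hit: the system has an
# 8-character limit but silently keeps only the first 8 characters of whatever
# is typed, at registration and at login alike, so a 9-character password
# "works" with its first 8 characters and the user never learns that.
LEGACY_MAX_LEN = 8

def legacy_set_password(password: str) -> bytes:
    # Defect: silent truncation before hashing. Only password[:8] matters.
    return hashlib.sha256(password[:LEGACY_MAX_LEN].encode()).digest()

def legacy_check_password(stored: bytes, attempt: str) -> bool:
    # The same truncation at login makes any string sharing the first 8
    # characters a valid password for the account.
    candidate = hashlib.sha256(attempt[:LEGACY_MAX_LEN].encode()).digest()
    return hmac.compare_digest(stored, candidate)

# Hardened version (assumed design, not the site's): apply any length limit as
# an explicit rejection rather than a silent cut, make the limit generous, and
# hash the whole password with a per-user salt and a work factor.
HARDENED_MAX_LEN = 128
PBKDF2_ROUNDS = 100_000

def hardened_set_password(password: str) -> dict:
    if len(password) > HARDENED_MAX_LEN:
        raise ValueError(f"password longer than {HARDENED_MAX_LEN} characters")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}

def hardened_check_password(record: dict, attempt: str) -> bool:
    if len(attempt) > HARDENED_MAX_LEN:
        return False  # reject outright, never trim to a prefix
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(record["digest"], digest)

if __name__ == "__main__":
    stored = legacy_set_password("Octob3r!9")            # 9 characters, constructed
    print(legacy_check_password(stored, "Octob3r!"))     # True: the 8-char prefix suffices
    record = hardened_set_password("Octob3r!9")
    print(hardened_check_password(record, "Octob3r!"))   # False
    print(hardened_check_password(record, "Octob3r!9"))  # True
```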
 

Injury

Lifer
Jul 19, 2004
13,066
2
81
Originally posted by: Codewiz
Originally posted by: yh125d
Originally posted by: DayLaPaul
Fingerprint reader ftw?

biometrics! *highfive*

Yeah, because it is REALLY easy to get a new fingerprint once your print has been lifted. Not to mention, you rarely touch anything, so it is pretty much impossible to lift fingerprints. :roll:

I am always amazed at people who have a hard-on for biometrics. It is absolutely the WORST idea. A non-revocable, non-replaceable key, BRILLIANT.

Biometrics don't pose a risk right now because they aren't used. But if companies actually started using them, thieves would be lifting all sorts of prints in public. You wouldn't be able to use ATM machines anymore.

Biometrics FTL.

Yup. Just watch the MythBusters episode on this and you'll never trust it again.