
Why do password systems have so many stupid rules?

pmv

Lifer
I recently spent some time struggling to come up with a password that satisfied the arbitrary rules of a certain site.

It had the usual random variations on must/mustn't have non-alphanumerics, minimum and maximum lengths etc. All of which are exasperating.

The problem is

(a) that so many sites don't tell you what the rules are till after you've tried a password. This is especially ridiculous when there's a maximum length yet the form allows you to enter passwords longer than that length, and only _then_ tells you off for doing so. This happens a lot.

(b) that the rules vary so much from one site to another. One will insist on punctuation characters, another will ban them. Some insist on variable case, some don't, some say exactly one numeral...all kinds of random variations.

Also this one added the weird restriction that passwords must be 'non-offensive' (what is the logic in that? Who is it going to offend, if they are encrypted as they should be? Are they just taking it for granted that their password file is going to be stolen by hackers, who might then complain about bad language or controversial political sentiments?). I think I fell foul of that one when I lost my temper on my Nth attempt at an acceptable password and put a rude word in it.

Surely in 2017 there should be a set standard for 'password choosing' by now?
 
I hate those stupid websites. Some do this, others don't. Really pisses me off when I use a very good password mechanism and yet I still didn't satisfy their criteria.
 
yeah this pisses me off, luckily most websites have none of these bs rules except minimum length which I understand.
 
yeah this pisses me off, luckily most websites have none of these bs rules except minimum length which I understand.
You're lucky. I make good passwords(Read Keepass makes good passwords), and I run into all kinds of obstacles. There should be a sensible maximum length; maybe 32 characters, and an entropy check. If it meets minimum standards, anything should be usable.
 
That's the entire point. Watch how much computational power it requires just by adding alphanumeric characters.
Is a combination of random alphabetical characters worse than a combination of random alphanumeric characters, if the attacker does not know that it does not actually contain numbers?
 

I tried that with a typical random, spur-of-the-moment-invented password and it said it would take 7 quindecillion years to crack, so quite good. But that password would have been thrown out by many sites as being too long and for not having numerals in it.
The thing is, it's not rules insisting on numerals or punctuation that I get irritated by, it's just that those rules vary so much from one site to another, and don't tell you clearly in advance what they are, obliging you to go through multiple failed-attempts to find out what they want.

I particularly dislike sites that insist I use absurdly short passwords. I don't see the logic in that at all.
 
Worse yet is when your password, username, E-mail and everything else is hacked and then you find out the damn data was stored in plain text.

Here's a great website. They are down for maintenance right now though.

https://www.leakedsource.com/main

Here's another one: https://haveibeenpwned.com/ I'll get an E-mail if my info shows up in a hacked database.

I found out freeadvice.com was hacked and I never so much as got an E-mail. So was Webhostingtalk.com.
 
Do realize that when they say it takes NN years, they probably mean with a single computer using today's known tech, e.g. not a huge data centre full of dedicated ASICs and/or quantum computers designed for that specific algorithm. The big boys like the NSA and GCHQ can probably do it in less than a year with the technology they have. But if a site is hacked and the password info is stolen, chances are good that the info that password was protecting was also stolen anyway. So the only purpose the hashing really serves here is to buy you enough time to change your password everywhere else if you use the same one. Consider the info that was on that website compromised either way. Even if the info itself is encrypted it will eventually be decrypted offline.
 

It might be a useful site for people who literally have no clue about password security, but there are plenty of reasons that the figures it gives out aren't even vaguely accurate in many scenarios (e.g. NTLM passwords, wifi passwords, scenarios where unauthorised access to the password database was successful, scenarios where no prior unauthorised access was managed and brute-forcing say an e-mail server over the Internet, then add security precautions like servers telling possible brute-forcers to take a hike for an hour after three wrong passwords... the list goes on).

It also reckons that 'password123' could take a month to crack. Yeahhh, no.
 
I put in a password similar in length and character type to one of my current ones and it said 3 trillion years. OK, I'm good with that. For reference, I put in one similar to a very early password that I still remember (late '90s) and it said 2 hours. Well, I guess that means I have improved. I wonder how long my old password would have taken to crack back then.
 
The more rules you have about a password, then once the rules are known there are fewer combinations available (i.e., a reduced sample space), and the easier it is to "crack" for someone who also knows the password formulation restriction rules (e.g., for the particular site).

Classic Bayes Theorem

"One way to think about this problem is to consider the sample space, which Monty alters by opening one of the doors that has a goat behind it. In doing so, he effectively removes one of the two losing doors from the sample space."

http://mathforum.org/dr.math/faq/faq.monty.hall.html
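The arithmetic behind the last few posts, as an added example that is not part of the thread: the "entropy check" suggested above, the question of whether a random letters-only password is weaker than a random alphanumeric one, and the point that a rule the attacker knows shrinks the sample space. The class sizes are plain printable ASCII; the guess rates are assumptions picked for illustration, which is exactly why the "NN years" figures from online checkers swing so widely.

```python
"""Keyspace arithmetic behind password composition rules.

Added example, not code from the thread. Character-class sizes follow
printable ASCII; the guess rates in RATES are assumptions for illustration.
"""
import math
import string

LOWER = len(string.ascii_lowercase)   # 26
UPPER = len(string.ascii_uppercase)   # 26
DIGIT = len(string.digits)            # 10
PUNCT = len(string.punctuation)       # 32
ALPHA = LOWER + UPPER                 # 52
ALNUM = ALPHA + DIGIT                 # 62
PRINTABLE = ALNUM + PUNCT             # 94

# Assumed attacker guess rates (guesses per second), chosen for illustration:
# an online attack throttled by lockouts, one GPU against a fast unsalted hash,
# and a large cluster. Real figures depend entirely on the hash and hardware.
RATES = {
    "online, throttled": 10.0,
    "offline, one GPU, fast hash": 1e10,
    "offline, large cluster": 1e13,
}


def unconstrained(length: int, alphabet: int) -> int:
    """Strings of exactly `length` symbols drawn freely from `alphabet` symbols."""
    return alphabet ** length


def at_least_one_of_each(length: int, classes: list[int]) -> int:
    """Strings of `length` over the union of `classes` that use every class at least once.

    Inclusion-exclusion over the set of classes left out. This is the space an
    attacker who knows a 'must contain upper, lower and digit' rule searches.
    """
    total = 0
    n = len(classes)
    for mask in range(1 << n):
        kept = [size for i, size in enumerate(classes) if not (mask >> i) & 1]
        left_out = n - len(kept)
        total += (-1) ** left_out * sum(kept) ** length
    return total


def exactly_one_digit(length: int) -> int:
    """Strings with exactly one digit, in any of `length` positions, and letters elsewhere."""
    return length * DIGIT * ALPHA ** (length - 1)


def bits(keyspace: int) -> float:
    """Entropy of one uniformly random choice out of `keyspace` candidates."""
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return keyspace / guesses_per_second


def rule_comparison(length: int) -> dict[str, int]:
    """Search space left to an attacker who knows each rule, at a fixed length.

    'letters only' vs 'alphanumeric only' answers the question above: a random
    letters-only password costs the attacker ALPHA**n guesses only if the
    attacker knows digits are absent; otherwise it is searched as ALNUM**n.
    """
    return {
        "any printable": unconstrained(length, PRINTABLE),
        "alphanumeric only (punctuation banned)": unconstrained(length, ALNUM),
        "letters only": unconstrained(length, ALPHA),
        "must have upper, lower and digit": at_least_one_of_each(length, [LOWER, UPPER, DIGIT]),
        "exactly one numeral, rest letters": exactly_one_digit(length),
    }


def main() -> None:
    for rule, space in rule_comparison(8).items():
        print(f"8 chars, {rule:40s} {bits(space):5.1f} bits")
    generated = unconstrained(16, PRINTABLE)   # e.g. a 16-char KeePass password
    year = 365.25 * 24 * 3600
    for name, rate in RATES.items():
        years = seconds_to_exhaust(generated, rate) / year
        print(f"16 printable chars, {name:28s} {years:.3g} years to exhaust")


if __name__ == "__main__":
    main()
```

For 8 characters the "must have upper, lower and digit" rule removes about 0.5 bits from the alphanumeric space and "exactly one numeral" about 1.4 bits; both are small next to the two extra characters a maximum-length cap takes away, which is the practitioner's reason to prefer a generous length limit plus an entropy or breached-password check over composition rules.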
 
Yeah to me the only rule should be minimum length and that should be rather conservative. Like I'd say even 6 characters is fine. Having to brute force that extra 6 and 7 possibilities adds extra work to anyone brute forcing. Something like $&1(n` would be more secure than something like Words12!

Though I wonder how many crappy web systems out there would croak at certain special characters like quotes. I like to put quotes in random forms sometimes to see if they're being escaped properly. If you get a database error you know they aren't. 😛

'; drop table xf_users;

Hey, I had to try. 😛
 
'; drop table xf_users;

Hey, I had to try. 😛
[image: exploits_of_a_mom.png]
 