The Dark Ages of the Web are still upon us...
-
Ok, time for a bit of a rant...

This is about a company that is one of the larger multi-national corporations in the world. Not the largest, but definitely up there on the list, and known throughout the world. So, that being said, they are in charge of a WHOLE lot of personal, sensitive information (including mine, which is why I don't name them).

So, I had a lame password, and with all the highly publicized security breaches lately, I thought, 'Ok, time for a stronger password'...click, 'Change Password', and lo and behold, the following password 'rules':

Your Password should:
* Contain 6 to 8 characters - at least one letter and one number (not case sensitive)
* Contain no spaces or special characters (e.g., &, >, *, $, @)
* Be different from your User ID and your last Password

WTF?!?!?!?!?!?!?!?!?!?!?! :wtf: Are they absolutely INSANE!!! Only 6-8 characters? NOT case sensitive? NO special characters? Are they still living in the dark ages?! :doh: And these idiots are in charge of MY personal, and sensitive information?! Not to mention millions of others world-wide?! Wow...they are just a disaster waiting to happen...seriously, how can any company, especially a huge one that would likely be a prime target, do this in this day and age?

Ok...rant over...
-
FB? "Your password should be either 'password', your date of birth or 'gandalf'."
------------------------------------ I will never again mention that I was the poster of the One Millionth Lounge Post, nor that it was complete drivel. Dalek Dave
-
Dalek Dave wrote:
"Your password should be either 'password', your date of birth or 'gandalf'."
Lol! Yeah, pretty much! :laugh: This company long pre-dates the web, and has had an online presence since the mid 90's. You would think that by NOW they would have it figured out...
-
CREATE TABLE Users (UserID BIGINT IDENTITY, UserName VARCHAR(20), Password VARCHAR(8));
Cheers, Vikram. (Got my troika of CCCs!)
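Taking the schema in the post above at face value (the password text itself held in an 8-character column), this added example, which is not part of the original thread, shows the usual alternative: store a random salt and an scrypt digest, so the stored size no longer depends on password length or character set. The function names and the scrypt cost settings are assumptions chosen for the sketch.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed scrypt cost settings for this sketch; tune them for real hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1
SALT_LEN, DIGEST_LEN = 16, 32

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DIGEST_LEN)
    return salt, digest

def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)

def stored_size(password: str) -> int:
    """Bytes the database would hold for this password (salt + digest)."""
    salt, digest = hash_password(password)
    return len(salt) + len(digest)

if __name__ == "__main__":
    # Constructed sample passwords: one that fits VARCHAR(8), one that never could.
    for pw in ("grill123", "Tr0ub4dor & 3 more words, with spaces!"):
        print(f"{len(pw):2d} chars in -> {stored_size(pw)} bytes stored")
    salt, digest = hash_password("Grill123")
    print("exact case verifies: ", verify_password("Grill123", salt, digest))
    print("folded case verifies:", verify_password("grill123", salt, digest))
```

With this layout the table needs two fixed-width binary columns instead of `Password VARCHAR(8)`, and nothing in the storage layer calls for a length cap, a restricted alphabet or case folding.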
-
Well...this was their response:

"I can understand your concern regarding the security of your password. I would like to inform you that our website has a 128 bit encryption. With this base, passwords that comprise only of letters and alphabets create an algorithm that is difficult to crack. We discourage the use of special characters because hacking softwares can recognize them very easily. The length of the password is limited to eight characters to reduce keyboard contact. Some softwares can decipher a password based on the information of "most common keys pressed". Therefore, lesser keys punched in a given frame of time lessens the possibility of the password being cracked."

So, according to them, weak passwords are more secure? :wtf:
-
Alexander DiMauro wrote:
our website has a 128 bit encryption
Ooh. I'm quaking in fear at how advanced they are. Tell you what, I'll loan you my tame hacker - I reckon it would take him about 20 minutes.
"WPF has many lovers. It's a veritable porn star!" - Josh Smith
As Braveheart once said, "You can take our freedom but you'll never take our Hobnobs!" - Martin Hughes.
-
Unless your 128 bit encryption creates an algorithm that magically makes it so that no one can guess a 6-8 letter word, it is worthless. The greatest weakness in a password is not the encryption being decoded, it is the password being compromised by other means. The lack of special characters or even case sensitivity creates a situation where common words are encouraged. Brute force dictionary cracks are very easily done.

Hacking software that somehow sees one character more than another is a fallacy and a bad one. If their encryption algorithm can't handle that, they need to get better encryption. The password software that can decipher passwords based on most common keys pressed will be having a field day with fewer characters to resolve. More keyboard contact with special characters only makes this sort of software work harder. It increases the difficulty of hacking the passwords. It's not like the software is as slow as a person, it is grabbing every key pressed.

The two big issues with this system are social engineering passwords and dictionary lookups. Say a user has a name like "Mike Weber". My first attempt would be grill123, after that grill456. According to them, these are good passwords... According to history I got the password of a user on the second attempt. This actually happened and he became very upset. Bad password security is dangerous.
If I have accidentally said something witty, smart, or correct, it is purely by mistake and I apologize for it.
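To put numbers on the point made in the post above, this added example (not part of the original thread) encodes the rules quoted in the first post as a validator, counts every password those rules allow, and compares that search space with case-sensitive printable-ASCII passwords. The function names and the sample list are constructed for illustration.

```python
import math
import re

# The rules quoted in the original post: 6 to 8 characters, letters and
# digits only, at least one of each, case ignored.
_POLICY = re.compile(r"(?=.*[a-z])(?=.*[0-9])[a-z0-9]{6,8}")

def passes_policy(password: str) -> bool:
    """True if the quoted rules accept the password (case folded first)."""
    return _POLICY.fullmatch(password.lower()) is not None

def policy_keyspace(min_len: int = 6, max_len: int = 8) -> int:
    """Count every password the rules allow.

    Per length n: 36**n strings over a-z0-9, minus the 26**n with no digit
    and the 10**n with no letter (the two sets do not overlap).
    """
    return sum(36**n - 26**n - 10**n for n in range(min_len, max_len + 1))

def printable_keyspace(length: int) -> int:
    """Case-sensitive passwords of one length over 95 printable ASCII chars."""
    return 95**length

def bits(count: int) -> float:
    """Search-space size expressed in bits."""
    return math.log2(count)

def accepted(candidates):
    """Return the candidates the quoted rules would accept."""
    return [c for c in candidates if passes_policy(c)]

# Constructed sample: the guesses mentioned in the thread plus a long passphrase.
SAMPLE = ["grill123", "GRILL123", "password", "gandalf",
          "correct horse battery staple!"]

if __name__ == "__main__":
    print("accepted by the rules:", accepted(SAMPLE))
    print(f"whole policy:  {policy_keyspace():,} passwords, "
          f"{bits(policy_keyspace()):.1f} bits")
    for n in (8, 12, 16):
        print(f"{n} printable chars: {bits(printable_keyspace(n)):.1f} bits")
```

The rules accept the word-plus-digits guess from the post in either case and reject the long passphrase, and the entire permitted space comes to about 41 bits, less than a single fixed length of 8 printable characters (about 52.6 bits).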
-
Great response. I couldn't have said it better myself. Literally, I couldn't have. I hope you don't mind that I used your response to send to them. We'll see if they respond with anything more than a 'form letter'. 'Thank you for your response, we value your comments...' blah blah blah. :zzz:
-
Just as bad going the other way, too. Change every 90 days, 10+ characters, at least 2 each of upper and lower, numbers, special characters. And you can't use any of your last 10 passwords. Pick something you can remember, because you can't you're not supposed to write it down. Ha. Oh, and the 17 different systems you have to log into all have slightly different requirements, so forget about using the same password for everything at work. 3M is making a killing in yellow stickies.
-
Yep, I got an expected response: :zzz:

'Thank you for responding to the email. I understand your concern regarding the security of your password. Also, I appreciate you taking your valuable time to contact us about this matter. We are continuously seeking ways to improve our website content, and I have forwarded your comments to our webmaster for review. We are grateful that you have shared your thoughts with us. Be assured that the feedback we receive from members plays an important role in enhancing your customer experience. I also noticed that you have been a valued member since 1995. We appreciate your loyalty and it has been a privilege to serve you since then.

Sincerely,
Varun Sharma
Email Servicing Team'

X| :mad: Of course, what can you expect from customer service...they didn't even get the date right, it's 1993. :doh: