Password restrictions
-
So yesterday I go up in the morning to find that I was getting an Authentication Error on my home Wifi. Sure enough, my password that I had for at least 2 years didn't work. I called up my ISP which rhymes with Denture-y Fink. To make a long story short, they changed something and now they do not allow spaces to be in a password phrase. They had to reset my password because I couldn't get in with my disallowed passwords any more. My question to you who deal with security is, do you restrict what characters can be in a password? and why? Thanks for letting me gripe.
Brent
Yes, but not for security, for usability. There is nothing worse than a user raising a support issue because their "password doesn't work". 99% of the time they just don't remember it. Allowing a password to have spaces is more prone to user error, especially when it starts or ends with a space. So I can see why they might not want to allow spaces. But don't go too far... one site I used recently doesn't allow special characters at all! Only letters or numbers, so this means your password cannot be as complex as you might want it to be (which is definitely a security concern).
-
Yes, but not for security, for usability. There is nothing worse than a user raising a support issue because their "password doesn't work". 99% of the time they just don't remember it. Allowing a password to have spaces is more prone to user error, especially when it starts or ends with a space. So I can see why they might not want to allow spaces. But don't go too far... one site I used recently doesn't allow special characters at all! Only letters or numbers, so this means your password cannot be as complex as you might want it to be (which is definitely a security concern).
I have found a several places don't allow you to end the password with a number which increases when reset Password01, becomes Password02 etc. back to the Dilbert Cartoon where you have to have squirrel noises in your password...
-
So yesterday I go up in the morning to find that I was getting an Authentication Error on my home Wifi. Sure enough, my password that I had for at least 2 years didn't work. I called up my ISP which rhymes with Denture-y Fink. To make a long story short, they changed something and now they do not allow spaces to be in a password phrase. They had to reset my password because I couldn't get in with my disallowed passwords any more. My question to you who deal with security is, do you restrict what characters can be in a password? and why? Thanks for letting me gripe.
Brent
I had one some years ago: a friends mother had signed up with a password she could remember - her daughter's first pet, a cat called "PEPSI". And this worked for ages, until the company was bought out by one with more restrictive passwords. When she replaced the computer, she couldn't sign in to her email any more because the password was wrong. And she couldn't change it because they required her old password to set a new one and that wasn't valid under their new rules ... It took some long drawn out phone conversations to sort that one out.
"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony AntiTwitter: @DalekDave is now a follower!
-
So yesterday I go up in the morning to find that I was getting an Authentication Error on my home Wifi. Sure enough, my password that I had for at least 2 years didn't work. I called up my ISP which rhymes with Denture-y Fink. To make a long story short, they changed something and now they do not allow spaces to be in a password phrase. They had to reset my password because I couldn't get in with my disallowed passwords any more. My question to you who deal with security is, do you restrict what characters can be in a password? and why? Thanks for letting me gripe.
Brent
I would be annoyed to have such a limitation. Passwords shouldn't be stored in clear text in the first place anyway, but rather salted and hashed, so I don't see any reason to limit the character set (except maybe for control characters).
"Five fruits and vegetables a day? What a joke! Personally, after the third watermelon, I'm full."
-
So yesterday I go up in the morning to find that I was getting an Authentication Error on my home Wifi. Sure enough, my password that I had for at least 2 years didn't work. I called up my ISP which rhymes with Denture-y Fink. To make a long story short, they changed something and now they do not allow spaces to be in a password phrase. They had to reset my password because I couldn't get in with my disallowed passwords any more. My question to you who deal with security is, do you restrict what characters can be in a password? and why? Thanks for letting me gripe.
Brent
My ISP gives you an IP address with a password (which YOU can change). When you point your browser to the IP address, You enter a page where you can configure many of the router parameters. (Dangerous in some hands! :omg: ) You have full control of the router and WiFi passwords. Nice (for me, at least.) :)
-
Yes, but not for security, for usability. There is nothing worse than a user raising a support issue because their "password doesn't work". 99% of the time they just don't remember it. Allowing a password to have spaces is more prone to user error, especially when it starts or ends with a space. So I can see why they might not want to allow spaces. But don't go too far... one site I used recently doesn't allow special characters at all! Only letters or numbers, so this means your password cannot be as complex as you might want it to be (which is definitely a security concern).
I'd agree - no spaces, but any other printable character in the Unicode set is fine (including hieroglyphs, squirrel noises, and the blood of a virgin (only available in the "Cthulhu" font).) Only spaces and control codes are forbidden. What annoys me more is people who decide that only "." and a single "@" is allowed in email addresses. Domains can legitimately contain "-", and mine does. Some sites just puke up at the sight of one ... which means a trip to mailinator to sign up (then change the email address and it generally works)
"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony AntiTwitter: @DalekDave is now a follower!
-
Yes, but not for security, for usability. There is nothing worse than a user raising a support issue because their "password doesn't work". 99% of the time they just don't remember it. Allowing a password to have spaces is more prone to user error, especially when it starts or ends with a space. So I can see why they might not want to allow spaces. But don't go too far... one site I used recently doesn't allow special characters at all! Only letters or numbers, so this means your password cannot be as complex as you might want it to be (which is definitely a security concern).
A study was done that claims a 3-word password is MORE secure than the arbitrary password rules used by 99% of the business entities out there because it's harder to use brute force them. A space is a valid character and should not be disallowed.
".45 ACP - because shooting twice is just silly" - JSOP, 2010
-----
You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010
-----
When you pry the gun from my cold dead hands, be careful - the barrel will be very hot. - JSOP, 2013 -
So yesterday I go up in the morning to find that I was getting an Authentication Error on my home Wifi. Sure enough, my password that I had for at least 2 years didn't work. I called up my ISP which rhymes with Denture-y Fink. To make a long story short, they changed something and now they do not allow spaces to be in a password phrase. They had to reset my password because I couldn't get in with my disallowed passwords any more. My question to you who deal with security is, do you restrict what characters can be in a password? and why? Thanks for letting me gripe.
Brent
Passwords should be hashed so who cares about the characters? I would allow only printable ASCII though because those are universal and won't create problems in case of bad / strange keyboard configuration. Still a lot of characters for passwords.
GCS d--(d+) s-/++ a C++++ U+++ P- L+@ E-- W++ N+ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t+ 5? X R+++ tv-- b+(+++) DI+++ D++ G e++ h--- r+++ y+++* Weapons extension: ma- k++ F+2 X
-
Yes, but not for security, for usability. There is nothing worse than a user raising a support issue because their "password doesn't work". 99% of the time they just don't remember it. Allowing a password to have spaces is more prone to user error, especially when it starts or ends with a space. So I can see why they might not want to allow spaces. But don't go too far... one site I used recently doesn't allow special characters at all! Only letters or numbers, so this means your password cannot be as complex as you might want it to be (which is definitely a security concern).
Sort of reminds me of a site I was on earlier this week that had a "contact us" page. In the Comment box, I asked my question, and properly terminated it with a question mark. Clicking the Submit button produced a "The comment field does not allow special characters" message. I spent several minutes fiddling with the characters, spacing, etc, only to eventually remove the question mark and it went through. :rolleyes:
"One man's wage rise is another man's price increase." - Harold Wilson
"Fireproof doesn't mean the fire will never come. It means when the fire comes that you will be able to withstand it." - Michael Simmons
"You can easily judge the character of a man by how he treats those who can do nothing for him." - James D. Miles
-
A study was done that claims a 3-word password is MORE secure than the arbitrary password rules used by 99% of the business entities out there because it's harder to use brute force them. A space is a valid character and should not be disallowed.
".45 ACP - because shooting twice is just silly" - JSOP, 2010
-----
You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010
-----
When you pry the gun from my cold dead hands, be careful - the barrel will be very hot. - JSOP, 2013 -
Yes, but not for security, for usability. There is nothing worse than a user raising a support issue because their "password doesn't work". 99% of the time they just don't remember it. Allowing a password to have spaces is more prone to user error, especially when it starts or ends with a space. So I can see why they might not want to allow spaces. But don't go too far... one site I used recently doesn't allow special characters at all! Only letters or numbers, so this means your password cannot be as complex as you might want it to be (which is definitely a security concern).
So I cannot use 'correct horse battery staple' as my password? Awwww
-
Sort of reminds me of a site I was on earlier this week that had a "contact us" page. In the Comment box, I asked my question, and properly terminated it with a question mark. Clicking the Submit button produced a "The comment field does not allow special characters" message. I spent several minutes fiddling with the characters, spacing, etc, only to eventually remove the question mark and it went through. :rolleyes:
"One man's wage rise is another man's price increase." - Harold Wilson
"Fireproof doesn't mean the fire will never come. It means when the fire comes that you will be able to withstand it." - Michael Simmons
"You can easily judge the character of a man by how he treats those who can do nothing for him." - James D. Miles
-
So I cannot use 'correct horse battery staple' as my password? Awwww
-
I had one some years ago: a friends mother had signed up with a password she could remember - her daughter's first pet, a cat called "PEPSI". And this worked for ages, until the company was bought out by one with more restrictive passwords. When she replaced the computer, she couldn't sign in to her email any more because the password was wrong. And she couldn't change it because they required her old password to set a new one and that wasn't valid under their new rules ... It took some long drawn out phone conversations to sort that one out.
"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony AntiTwitter: @DalekDave is now a follower!
-
So I cannot use 'correct horse battery staple' as my password? Awwww
-
My ISP gives you an IP address with a password (which YOU can change). When you point your browser to the IP address, You enter a page where you can configure many of the router parameters. (Dangerous in some hands! :omg: ) You have full control of the router and WiFi passwords. Nice (for me, at least.) :)
Mine does the same, except the router apparently runs past their software as well. I actually tried to log into my router to change the password myself. My error message was "Cannot connect to the internet!" So I couldn't connect to the internet and I couldn't change the password so I could connect to the internet.
Brent
-
Mine does the same, except the router apparently runs past their software as well. I actually tried to log into my router to change the password myself. My error message was "Cannot connect to the internet!" So I couldn't connect to the internet and I couldn't change the password so I could connect to the internet.
Brent
-
Sort of reminds me of a site I was on earlier this week that had a "contact us" page. In the Comment box, I asked my question, and properly terminated it with a question mark. Clicking the Submit button produced a "The comment field does not allow special characters" message. I spent several minutes fiddling with the characters, spacing, etc, only to eventually remove the question mark and it went through. :rolleyes:
"One man's wage rise is another man's price increase." - Harold Wilson
"Fireproof doesn't mean the fire will never come. It means when the fire comes that you will be able to withstand it." - Michael Simmons
"You can easily judge the character of a man by how he treats those who can do nothing for him." - James D. Miles
-
So yesterday I go up in the morning to find that I was getting an Authentication Error on my home Wifi. Sure enough, my password that I had for at least 2 years didn't work. I called up my ISP which rhymes with Denture-y Fink. To make a long story short, they changed something and now they do not allow spaces to be in a password phrase. They had to reset my password because I couldn't get in with my disallowed passwords any more. My question to you who deal with security is, do you restrict what characters can be in a password? and why? Thanks for letting me gripe.
Brent
-
"let me in" Yep... ain't nobody cracking that bad boy :laugh: Anyway, I don't disagree about the study, but a good site shouldn't allow brute force attacks, so it shouldn't matter. Not difficult to lock an account after 5 or so failed attempts, right?
musefan wrote:
Not difficult to lock an account after 5 or so failed attempts, right?
Hackers are not brute forcing on the site; they already have the encrypted password in a file and are brute forcing until the result matches. There are tools to set up all this and even guessing salt values.
