Password restrictions
-
I'd agree - no spaces, but any other printable character in the Unicode set is fine (including hieroglyphs, squirrel noises, and the blood of a virgin (only available in the "Cthulhu" font).) Only spaces and control codes are forbidden. What annoys me more is people who decide that only "." and a single "@" is allowed in email addresses. Domains can legitimately contain "-", and mine does. Some sites just puke up at the sight of one ... which means a trip to mailinator to sign up (then change the email address and it generally works)
"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony AntiTwitter: @DalekDave is now a follower!
OriginalGriff wrote:
What annoys me more is people who decide that only "." and a single "@" is allowed in email addresses.
More evil - the morons who create email address input and decide that .info (and who know how many others) are not legitimate email addresses. My primary business-use email is a .info (catch-all) so everyplace has its own addresses. So I just don't do business with them. If they have a contact . . . oh wait - they won't accept my email there, either. All that comes to mind is that they probably outsourced the interface to . . .
"The difference between genius and stupidity is that genius has its limits." - Albert Einstein
"If you are searching for perfection in others, then you seek disappointment. If you seek perfection in yourself, then you will find failure." - Balboos HaGadol Mar 2010
-
musefan wrote:
Not difficult to lock an account after 5 or so failed attempts, right?
Hackers are not brute forcing on the site; they already have the encrypted password in a file and are brute forcing until the result matches. There are tools to set up all this and even guessing salt values.
-
Passwords should be hashed so who cares about the characters? I would allow only printable ASCII though because those are universal and won't create problems in case of bad / strange keyboard configuration. Still a lot of characters for passwords.
GCS d--(d+) s-/++ a C++++ U+++ P- L+@ E-- W++ N+ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t+ 5? X R+++ tv-- b+(+++) DI+++ D++ G e++ h--- r+++ y+++* Weapons extension: ma- k++ F+2 X
I prefer the Kerberos strategy: You send no password at all across the network. You send a request for a "ticket", a proof that you are entitled to use a specific service. This request need not be encrypted at all (well, maybe if you want to keep it a secret that you make use of that service, but in any case, a MITM will see which IP address you go to). In return you get a ticket that is encrypted with your password. You decrypt it locally, at your own PC, and enclose it with your requests to the service. Part of the ticket is encrypted with the password of the service, so you can't fix it up to give you any rights that you are not entitled to. The ticket is valid for a limited period (like 8 hours), so if anyone steals it, they can't use it the next day. The ticket may contain your IP address, so that service requests from an intruder on a different IP address are rejected. It may contain a one-time encryption key that you can use for the session with the service; the service will find the corresponding key in the part encrypted with the service's key. I think the Kerberos strategy is so great that I cannot understand why it hasn't been universally adopted. It certainly is not because we have something that is a lot better. It seems like web service developers simply do not know about it, which is a pity.
-
So yesterday I go up in the morning to find that I was getting an Authentication Error on my home Wifi. Sure enough, my password that I had for at least 2 years didn't work. I called up my ISP which rhymes with Denture-y Fink. To make a long story short, they changed something and now they do not allow spaces to be in a password phrase. They had to reset my password because I couldn't get in with my disallowed passwords any more. My question to you who deal with security is, do you restrict what characters can be in a password? and why? Thanks for letting me gripe.
Brent
Well someone had to say it. Passwords, no matter how complex, are easily hack-able. This is what BitCoin depends on, they call them "Miners". The only difference, is that Transactions in Bit Coin, are much more complex, and harder to crack than any password you can come up with, or (Generate). 2-factor (Cell phone) - is being touted as a cure, but once they get in, they have your phone number, and can easily change profile setting to be their (burner) phone. The fuss about the lengths, characters, and all that.... is also frustrating. You could depend on the hacker to take the easier way out, and not spend the time to crack a good password... but then again, it may incent them to spend the "crack time" , because of the implication of it being a special case, which might reward the extra time. Yes, I said "Crack time". Keep It Simple, keep it moving.
-
So yesterday I go up in the morning to find that I was getting an Authentication Error on my home Wifi. Sure enough, my password that I had for at least 2 years didn't work. I called up my ISP which rhymes with Denture-y Fink. To make a long story short, they changed something and now they do not allow spaces to be in a password phrase. They had to reset my password because I couldn't get in with my disallowed passwords any more. My question to you who deal with security is, do you restrict what characters can be in a password? and why? Thanks for letting me gripe.
Brent
Here's an interesting take. They should have allowed you to enter whatever you think your password was. They only had to address it when RESETTING it. And quite frankly, they should be hashing your password to death, with enough salt to raise the blood pressure of a cadaver! hash = GoodHashOf( PASSWORD, username, date account created, date password was set, password, USERID); Where every comma is really + "SALT" + and each repetition is different salt. And should be userID dependent. FINALLY, their site should have only mentioned the extra characters are no longer allowed on a password failed page! I really hate when people don't allow ";" (I understand the SQL Injection filters. But if you are not using bind variables, you should be beaten and shot and beaten again... LOL
-
So yesterday I go up in the morning to find that I was getting an Authentication Error on my home Wifi. Sure enough, my password that I had for at least 2 years didn't work. I called up my ISP which rhymes with Denture-y Fink. To make a long story short, they changed something and now they do not allow spaces to be in a password phrase. They had to reset my password because I couldn't get in with my disallowed passwords any more. My question to you who deal with security is, do you restrict what characters can be in a password? and why? Thanks for letting me gripe.
Brent
You might want to have a look at the NIST document"Digital Identity Guidelines": NIST Special Publication 800-63B[^] The guidelines have been updated this year, and specifically reverse some prior password policies that have been found to encourage bad behavior, like using post-it notes stuck to your monitor. It's boring reading though, here's a good summary: NIST 800-63 Password Guidelines - Security Boulevard[^]
-
So yesterday I go up in the morning to find that I was getting an Authentication Error on my home Wifi. Sure enough, my password that I had for at least 2 years didn't work. I called up my ISP which rhymes with Denture-y Fink. To make a long story short, they changed something and now they do not allow spaces to be in a password phrase. They had to reset my password because I couldn't get in with my disallowed passwords any more. My question to you who deal with security is, do you restrict what characters can be in a password? and why? Thanks for letting me gripe.
Brent
To me it seems obvious that the message should be "To improve the security, you are invited to create a new password respecting rules described at this page (link). Please do that before February 25th, problems can appear afterwards." And of course, for obvious security reasons, you can access the site with your previous password.
-
"let me in" Yep... ain't nobody cracking that bad boy :laugh: Anyway, I don't disagree about the study, but a good site shouldn't allow brute force attacks, so it shouldn't matter. Not difficult to lock an account after 5 or so failed attempts, right?
-
So yesterday I go up in the morning to find that I was getting an Authentication Error on my home Wifi. Sure enough, my password that I had for at least 2 years didn't work. I called up my ISP which rhymes with Denture-y Fink. To make a long story short, they changed something and now they do not allow spaces to be in a password phrase. They had to reset my password because I couldn't get in with my disallowed passwords any more. My question to you who deal with security is, do you restrict what characters can be in a password? and why? Thanks for letting me gripe.
Brent
I restrict nothing, nor require digits or special chars, but most of all I don't limit length, and encourage my users to use a long, easy to remember pass-phrase.
"'Do what thou wilt...' is to bid Stars to shine, Vines to bear grapes, Water to seek its level; man is the only being in Nature that has striven to set himself at odds with himself." —Aleister Crowley
