What is your favourite password rule?
My favorite is “can’t be more than x% similar to the last 3 passwords”. Of course, you shouldn’t ever define what “similar” actually means.
And the only way to check that is by storing the previous passwords in a recoverable format.
I’m not sure but I think the previous password is mostly stored in an unrecoverable format and only upon changing your password, when you have to enter your previous one, does it store it in an unrecoverable format for 10x or so generations. Just a guess though for how AD might do it.
That doesn’t make it better.
Even if you only store past passwords, that is absolutely disgusting security practice.
My understanding is this is done by saving the hashes and checking the current password against them, and (I’m much less concrete on this one) for “similar” it will run common iterations of the password and save those hashes.
At a previous job one of the sysadmins checked all AD users for repeated hashes, and compared against hashes of the top 1000 most common passwords. He also identified one of the IT people had the same hash for both their normal account and their domain admin account, and spoke with them individually to change their domain admin account password.
My personal life? Password manager with passwords as complicated and as long as each service will allow for.
Job that makes me change my password every 30 days? You get the same base password, followed by the next number in the series.
Which is probably why they added the “50% similar” rule. Of course, that just makes the number longer.
I haven’t worked at a company that prevented me from starting over again at my original password after 9 months/resets, e.g. password9 reverts back to password0.
If I have to increase the length of my password and make password10, it means they’ve won.
Fuck them.
Of course, if you respect, or even like, the company you work at, you may feel differently.
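An added example (not from anyone in this thread) of how the history check discussed above can work without keeping anything recoverable: only salted hashes of the current and the last three passwords are stored, and a candidate is refused if it, or one of a few common rewrites of it such as the bumped trailing number from the password9/password10 pattern, hashes to a stored digest. The KDF cost and the variant list are illustrative choices.

```python
import hashlib
import hmac
import os
import re

ITERATIONS = 5_000   # kept low so the demo runs quickly; raise substantially in production
HISTORY_DEPTH = 3    # "the last 3 passwords", as in the rule discussed above

def kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def variants(password: str) -> set[str]:
    """Common rewrites a user applies to an old password, generated from the
    candidate so they can be matched against hashes of the old ones:
    password10 -> password9 / password / password11, plus a first-letter case flip."""
    out = {password}
    m = re.fullmatch(r"(.*?)(\d+)", password)
    if m:
        base, num = m.group(1), int(m.group(2))
        out.update({base, f"{base}{num + 1}", f"{base}{max(num - 1, 0)}"})
    else:
        out.update(f"{password}{d}" for d in range(10))  # old one may have had a digit appended
    if password:
        out.add(password[0].swapcase() + password[1:])
    return out

class PasswordHistory:
    """Per-user history as (salt, digest) pairs only: nothing recoverable is kept.
    A candidate is rejected by hashing it and its variants and comparing digests."""

    def __init__(self, depth: int = HISTORY_DEPTH) -> None:
        self.depth = depth
        self.entries: list[tuple[bytes, bytes]] = []  # newest last: current pw plus `depth` old ones

    def _seen(self, text: str) -> bool:
        return any(hmac.compare_digest(kdf(text, salt), digest) for salt, digest in self.entries)

    def accepts(self, candidate: str) -> bool:
        return not any(self._seen(v) for v in variants(candidate))

    def set_password(self, password: str) -> None:
        if not self.accepts(password):
            raise ValueError("reuses or trivially varies a recent password")
        salt = os.urandom(16)
        self.entries.append((salt, kdf(password, salt)))
        self.entries = self.entries[-(self.depth + 1):]
```

The variant list is a heuristic; it catches the rewrites named in the thread, not an arbitrary "x% similar" metric, which hashes alone cannot compute.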
It feeds your last three passwords into an LLM and it decides if your next password is similar or not. This rule brought to you by Nvidia. Nvidia: the next time your company wants to apply AI to things where AI doesn’t belong, think Nvidia.
Requirement: Needs special characters
Not accepted for some reason: using ọ̵̑h̸̞̉ ̴̰͒g̴͛ͅõ̸̦ḓ̵͠ ̸̳͌w̵̡̛h̴̦͘ŷ̵̫
I like my special littlev̵̂̊̅͌͜ó̶͎̫̜̘̲̭̪̯̔̎̊́̽̒̄̄̕i̸̼̠͓̥̬̙͉͋̿́d̷̨̗̼̖̦͇̲͑̀̈́̔̿̌
characters :(
I just had to make a password for a hotel.
8 to 20 characters Uppercase Lowercase Digits OR special characters.
The capitalized OR is important. You can have either numbers in the password, or special characters, BUT NOT BOTH.
Took me 8 tries.
- First one was too long.
- Second and third used both numbers and characters, but I thought the characters were TOO special.
- 4 through 6 used both numbers and special characters.
- Seventh password used just letters and numbers, and it was accepted.
- Eighth try I used just letters and keyboard characters, and that was accepted too.
The best part to me is that they include all of these rules to increase the security, but then set a maximum length of the password, which from my understanding is the easiest way to add complexity/security to a password.
The actual funny (or sad) thing about this: even without a length limit all they do is make the password less secure because every constraint just reduces the possible password space.
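To put numbers on the hotel rule and on the point that constraints shrink the space, here is an added example (not from the thread) that counts the passwords the rule permits by inclusion-exclusion and compares that with the same rule minus the digits-XOR-specials clause and with no composition rules at all; it counts what the rule allows, not what people actually choose. The character-class sizes assume printable ASCII.

```python
from itertools import combinations
from math import log2

# Printable ASCII classes; 95 symbols in total.
UPPER, LOWER, DIGITS, SPECIALS = 26, 26, 10, 33

def count_with_all(n: int, required: list[int], alphabet: int) -> int:
    """Strings of length n over `alphabet` symbols that contain at least one symbol
    from every required class, by inclusion-exclusion over the classes left out."""
    total = 0
    for k in range(len(required) + 1):
        for left_out in combinations(required, k):
            total += (-1) ** k * (alphabet - sum(left_out)) ** n
    return total

def hotel_count(n: int) -> int:
    """The hotel rule at one length: upper, lower, and digits XOR specials."""
    with_digits = count_with_all(n, [UPPER, LOWER, DIGITS], UPPER + LOWER + DIGITS)
    with_specials = count_with_all(n, [UPPER, LOWER, SPECIALS], UPPER + LOWER + SPECIALS)
    return with_digits + with_specials

def either_count(n: int) -> int:
    """Same rule, but digits and specials may appear together (at least one of either)."""
    return count_with_all(n, [UPPER, LOWER, DIGITS + SPECIALS], UPPER + LOWER + DIGITS + SPECIALS)

def unconstrained_count(n: int) -> int:
    return (UPPER + LOWER + DIGITS + SPECIALS) ** n

def space(counter, min_len: int, max_len: int) -> int:
    """Total permitted passwords across all lengths in [min_len, max_len]."""
    return sum(counter(n) for n in range(min_len, max_len + 1))

def summary() -> dict[str, float]:
    """log2 of the permitted space: the composition rules cost a few bits,
    the length cap costs hundreds."""
    return {
        "hotel rule, 8-20 chars": log2(space(hotel_count, 8, 20)),
        "digits and specials together, 8-20": log2(space(either_count, 8, 20)),
        "no composition rules, 8-20": log2(space(unconstrained_count, 8, 20)),
        "no composition rules, 8-64": log2(space(unconstrained_count, 8, 64)),
    }

if __name__ == "__main__":
    for label, b in summary().items():
        print(f"{label:40} {b:7.1f} bits")
```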
As someone who generates every password with a password manager those sites are a pain in the ass because you have to somehow get these constraints into the generator.
It’s sad that this project from Apple has gotten literally zero traction with any password manager that I know of.
Free, open source repository of password requirements that are just an API call away, and you wouldn’t have to worry about tweaking your password generator at all, but no one is using it. Except maybe Apple and I refuse to use their password manager.
Maximum length is the biggest red flag to me and was the catalyst for me making the effort to switch to unique passwords per-account years ago. There’s just so, so many shitty homerolled security systems out there… and data breaches seem to be a perennial problem these days.
There’s just no excuse for limiting the length if you’re doing security correctly (other than perhaps a large upper limit just to protect against someone DOSing the backend with a bunch of 100MB strings; 512 characters seems reasonable).
By setting an upper limit, you’re basically saying one or more of these things:
- We store your password in plaintext
- We store a hash but our hashing function has an unnecessarily arbitrarily limited input size
- The person/team implementing the backend has no idea what they’re doing and/or just copy pasted login code from stack overflow
- We tried to get away with minimal password requirements but some middle manager wouldn’t rubber stamp it without arbitrary_list_of_bs
My senior project for uni was replacing the professor’s friend’s website. We had a meeting to gather requirements, have him demo the site as different kinds of users, etc. Dude said “Hold on a sec” and went to a page with all accounts and their passwords listed. Was like, dude, the hell
My ‘favorite’ password rules are incorrect rules. Recently signed up to a service, which looked like it hasn’t been updated since the 90s. They sent me my password via letter, but hey, I was allowed to change it digitally.
So, I did. I set it to a reasonably long password (probably something like 22 characters), with no problems.
Then I went to login and it refused my login. I copied my password out of my password manager, for both setting it and logging in, so there was no way that it was wrong. I quadruple checked the login name, but no luck.
Eventually, I manually typed the password from my password manager. Then I saw it, their password field stopped accepting inputs after about 20 characters.
Presumably, I was able to set my long password on the registration page, but the login page did not accept this long of a password. Fucking ace.
I had to order another password letter.
As a website developer, it’s easy to just use the ‘maxlength’ attribute on fields you don’t want to exceed a certain length (for valid reasons or not). But then exactly this happens: A user pastes something in there, doesn’t notice that their input got truncated, and something, somewhere breaks.
‘maxlength’ is terrible user experience.
Yeah, thinking about it now, I could’ve probably tried removing the maxlength attribute to see if the server accepts the longer password.
That wouldn’t have been (as much of) a problem if the initial password form also truncated the input. The mismatch is the problem.
Let’s say “you wouldn’t have noticed there was a problem if there was no mismatch”. But then a few years later that max length gets dropped or increased and suddenly your password, which has always worked, isn’t accepted anymore, because now you’re pasting 2 extra characters.
I was also not talking about password fields, exclusively. Pasting stuff like customer identifiers or zipcodes into maxlength’d fields also begs for surprises, especially when you can’t see the whole input when you’re done with it.
I understand why stored information, such as passwords, usernames, stuff like that, has to have a max character count.
What I don’t get is why so many people are so daft as to let stuff like this happen, and not even put the maximum password length anywhere people can obviously see it.
If you tell me what the maximum limit is, I’ll be able to keep my password shorter than that.
But no… Password minimum length is shown, symbols, numbers and special character requirements are plainly stated. Maximums? Ha.
I recently made a bit of software that does this. Maximum username and password length of 100 chars can be set, but the login panel only allows you to put 50 chars in the username and password fields. So if you use a password or username longer than 50 chars, you’ll soft lock yourself out.
But I picked it up in QC testing, it got nowhere near prod. And I’m a one man band. I can’t fathom how a company could let that get past QC.
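An added example (not the software of anyone above) of the server-side policy argued for in the length-limit comments: one generous byte cap as a DoS guard, the full password fed to a salted KDF on both the set and verify paths, plus a simulation of the registration/login maxlength mismatch from the story above to show how it locks the user out. The 512-byte cap and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

MAX_PASSWORD_BYTES = 512  # DoS guard only (the figure floated above), not a usability limit
SALT_BYTES = 16
ITERATIONS = 100_000      # demo value; tune to your hardware budget

class PasswordTooLong(ValueError):
    pass

def hash_password(password: str) -> bytes:
    """Salted PBKDF2 over the full password. The only size check is the byte cap,
    applied after UTF-8 encoding so multi-byte characters are counted properly."""
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        raise PasswordTooLong(f"{len(pw)} bytes exceeds {MAX_PASSWORD_BYTES}")
    salt = os.urandom(SALT_BYTES)
    return salt + hashlib.pbkdf2_hmac("sha256", pw, salt, ITERATIONS)

def verify_password(password: str, stored: bytes) -> bool:
    """The same policy on the login path: anything over the cap can never have been set,
    and nothing is truncated before hashing."""
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        return False
    salt, digest = stored[:SALT_BYTES], stored[SALT_BYTES:]
    return hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", pw, salt, ITERATIONS), digest)

# Simulation of the two forms from the thread: registration submitted the full
# password, while the login field had a smaller maxlength and silently truncated it.
def login_with_field_limit(password: str, stored: bytes, maxlength: Optional[int]) -> bool:
    submitted = password if maxlength is None else password[:maxlength]
    return verify_password(submitted, stored)
```

If a client-side maxlength is used at all, it must be the same constant on every form that submits the password, and never smaller than what the server accepted at registration.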
Go ahead. Make a password. Then be left to deal with the mental & emotional damage.
I shared this one with the other IT people at work suggesting we should set it as our new corporate password policy. One of the guys literally finished the game. It took him a week but he did it.
Who is he? 😍
For real, though, that’s dedication! Not at all an easy feat. Impressive!
You didn’t even get to the part where you have to hatch the egg yet? Weak.
The elements in your password must have atomic numbers that add up to 200.
Seriously?
Edit: I think I lost when my pw got burnt up. Is there more?
Edit2: 3rd try (I think) and I quelled the fire this time. Paul hatched. But: 😒
I stopped at wordle. Didn’t want to do anything that required external resources.