Viewing 40 posts - 1 through 40 (of 64 total)
Password complexity frustration!

    mrblobby
    Free Member

    Trying to set up a login on some client’s stupid system. It’s insisting that my password is…

    1. At least 8 characters
    2. At least 2 lowercase characters
    3. At least 1 lowercase and 2 uppercase characters
    4. Can’t use an old password
    5. Max allowed consecutive characters are 2
    6. At least 1 digit (0-9)
    7. At least two out of: !, @, #, $, %, ^, &, *, ?, _, ~, (, )

    For a start, surely the first part of rule 3 is redundant given rule 2?

    Anyway more bloody rules than my internet banking! I’m just going to end up setting it to something that I’ll never be able to remember 😕
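As an added example (not code from the thread or from the client's system), here is a checker that applies the seven rules as listed above and reports which ones a candidate fails. The symbol set is the one given in rule 7. Two points are assumptions: rule 5 is read as "no more than two identical characters in a row" (the post does not say whether it means identical or sequential characters), and rule 4 is checked against SHA-256 digests of old passwords purely to keep the script self-contained, where a real system would compare against its stored salted, slow password hashes.

```python
"""Checker for the password rules quoted in the opening post (added example)."""
import hashlib
import string

# Rule 7's symbol set, exactly as listed in the post.
SYMBOLS = set("!@#$%^&*?_~()")


def password_hash(pw: str) -> str:
    """Stand-in for a stored password hash (assumption: SHA-256, unsalted, for the demo only)."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def longest_identical_run(pw: str) -> int:
    """Length of the longest run of one repeated character, e.g. 'aab' -> 2, '' -> 0."""
    best = run = 0
    prev = None
    for ch in pw:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def check_password(pw: str, previous_hashes=()) -> list[int]:
    """Return the numbers of the rules the candidate fails; an empty list means accepted."""
    lower = sum(c in string.ascii_lowercase for c in pw)
    upper = sum(c in string.ascii_uppercase for c in pw)
    digits = sum(c in string.digits for c in pw)
    symbols = sum(c in SYMBOLS for c in pw)

    failed = []
    if len(pw) < 8:
        failed.append(1)
    if lower < 2:
        failed.append(2)
    # Rule 3: the "at least 1 lowercase" half can never fail on its own,
    # because any password with fewer than 1 lowercase letter already failed rule 2.
    if lower < 1 or upper < 2:
        failed.append(3)
    if password_hash(pw) in set(previous_hashes):
        failed.append(4)
    if longest_identical_run(pw) > 2:          # assumption: "consecutive" = identical
        failed.append(5)
    if digits < 1:
        failed.append(6)
    if symbols < 2:
        failed.append(7)
    return failed


if __name__ == "__main__":
    # Candidates suggested later in the thread (constructed demo input).
    for candidate in ["@ABcdefg123#", "#P@ssW0rd?", "Mini1275!"]:
        print(f"{candidate!r}: failed rules {check_password(candidate) or 'none'}")
```

Run as a script it shows that "@ABcdefg123#" and "#P@ssW0rd?" satisfy every listed rule, while "Mini1275!" fails rules 3 and 7 (one upper case letter and one symbol); the rule-5 reading above is the one thing to adjust if the system turns out to mean sequential characters.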

    ads678
    Full Member

    @ABcdefg123#

    footflaps
    Full Member

    I’m just going to end up setting it to something that I’ll never be able to remember

    That’s what Post-it notes are for. All my clients’ passwords are stuck on my monitor…

    perchypanther
    Free Member

    #P@ssW0rd?

    johnners
    Free Member

    Use a password manager.

    mrblobby
    Free Member

    That’s just it, you end up having to write it down or pop it in whatever app you use for notes or passwords, which immediately makes it a lot less secure than having maybe less ridiculous rules and something you might be able to remember.

    Oh and there seems to be another rule that isn’t even listed that doesn’t allow more than one set of 2 consecutive characters.

    tenacious_doug
    Free Member

    Last Pass (or similar) FTW.

    zippykona
    Full Member

    Just use a car you’ve owned.
    Eg Mini1275!

    jam-bo
    Full Member

    I used to work somewhere with similar password rules.

    On three separate systems.

    Plus they changed once a month.

    Unsurprisingly lots of people had their passwords written down.

    P-Jay
    Free Member

    Mad isn’t it?

    It’s a lazy / cheap way to enforce cyber security; in the real world a 6-character password is pretty secure, add a number of upper case letters into the mix to stop someone getting in by guessing it.

    So you move onto brute force attacks and the like – you could use a system that locks out users for ever increasing amounts of time if you get the password wrong 3 times – we have systems like that, they reckon to break into our disc encryption system would take 600 years at least, or use 2FA but that’s all too much of a faff and costs money so we’ll make the password hugely complex instead – which is invariably insecure – because when faced with a set of password rules above users think about it for a second, realise it’s another one of a few dozen they need to remember and write it down somewhere, usually in a little book in their drawer or even better, on a post-it on their desk… insecure, but as long as you say in the HR book they’re not allowed to do it, you comply with ICO rules.

    mrblobby
    Free Member

    Mini1275!

    FAIL!!! You need two symbol characters, two upper case, and at the rate the passwords expire I’d quickly run out of cars! 😉

    a system that locks out users for ever increasing amounts of time if you get the password wrong 3 times

    They have something similar, which again is comedy, because most users have things like email on their smartphones that poll using the password. So the password expires and within a few minutes the account is locked so you can’t even log in to change your password. Still it keeps the helpdesk busy!
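As an added example (Python, not code from anyone in the thread or from any of the systems mentioned), here is an escalating lockout of the kind P-Jay describes, driven by a simulated clock so that the situation mrblobby describes, a phone polling mail with a password that has just expired, can be replayed. The threshold, the delays and the polling interval are assumptions chosen for the demo.

```python
"""Escalating lockout with a simulated clock (added example)."""
from dataclasses import dataclass


@dataclass
class AccountState:
    consecutive_failures: int = 0
    lockouts: int = 0          # how many times this account has been locked so far
    locked_until: float = 0.0  # simulated-clock timestamp


class LockoutPolicy:
    """Lock an account after `threshold` consecutive failures.

    Each successive lockout doubles the previous delay, starting from
    `base_seconds` and capped at `max_seconds`. Attempts made while locked
    are refused without counting as further failures, so a stale client
    cannot keep extending the lock, and a successful login resets the
    escalation. All timings are assumptions for the example.
    """

    def __init__(self, threshold=3, base_seconds=300, max_seconds=3600):
        self.threshold = threshold
        self.base = base_seconds
        self.max = max_seconds
        self.accounts: dict[str, AccountState] = {}

    def state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        return now < self.state(user).locked_until

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Process one login attempt at time `now`; returns 'locked', 'ok' or 'failed'."""
        st = self.state(user)
        if now < st.locked_until:
            return "locked"
        if password_ok:
            st.consecutive_failures = 0
            st.lockouts = 0
            return "ok"
        st.consecutive_failures += 1
        if st.consecutive_failures >= self.threshold:
            delay = min(self.base * 2 ** st.lockouts, self.max)
            st.lockouts += 1
            st.locked_until = now + delay
            st.consecutive_failures = 0
        return "failed"


def simulate_polling_client(poll_interval=60, duration=3600, policy=None):
    """Replay a mail client polling every `poll_interval` seconds with an expired password.

    Returns (time_of_first_lock, number_of_lockouts, polls_refused_while_locked).
    """
    policy = policy or LockoutPolicy()
    first_lock = None
    lockouts = 0
    refused = 0
    for now in range(0, duration, poll_interval):
        before = policy.state("alice").lockouts
        outcome = policy.attempt("alice", password_ok=False, now=now)
        if outcome == "locked":
            refused += 1
        elif policy.state("alice").lockouts > before:
            lockouts += 1
            if first_lock is None:
                first_lock = now
    return first_lock, lockouts, refused


if __name__ == "__main__":
    t, n, refused = simulate_polling_client()
    print(f"first lock after {t}s, {n} lockouts in an hour, {refused} of 60 polls refused")
```

With the demo settings the account is locked two minutes after the password expires and is refused for 48 of the 60 polls in the following hour, which is the helpdesk queue mrblobby describes. The properties worth keeping in any such design are visible in the code: the lock is temporary rather than permanent, refused attempts do not extend it, the delay is capped, and one successful login clears the escalation.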

    Alphabet
    Full Member

    Use a phrase such as ‘My fist pet was a dog called spot who died when he was 14’. Create a password ‘Mfpwadcswdwhw14!#’. Then stick a postit note on your screen with ‘first pet’ written on it. Simples 😉

    DezB
    Free Member

    I had to set up a minimum of 10 chars with similar rules to the OP. Luckily the randomly generated password I had originally for STW is easy to remember and lends itself to extending with a few “!!”s. Sorted. Gawd knows what I’ll do when it expires. Usually I base them on a recent cycling purchase.
    Like –
    P3arlIzum! (that’s not a real one)

    gofasterstripes
    Free Member

    It’s stupid rules like that that make insecure passwords. Just need a phrase, best one which is not grammatically correct or makes no sense so it’s not used elsewhere.

    LastPass has just been shown to be insecure…again

    https://it.slashdot.org/story/16/07/27/1342205/lastpass-accounts-can-be-completely-compromised-when-users-visit-sites

    hairylegs
    Free Member

    I sense the frustration … I have to change my work password every month and have a similar set of rules. My simple tip is to have a bit of a system. For example:

    Always start the password with a special character that you can remember (eg #)

    Second character a capital letter

    Substitute letters with easily remembered characters (eg $ for S, £ for L, @ for A etc)

    Replace an easily remembered date with the special characters on the keyboard eg, 1966 becomes !(^^

    gofasterstripes
    Free Member

    It is also extremely important not to reuse passwords – there’s a lot of leaked password databases out there to trawl…

    mrblobby
    Free Member

    Funny thing is I only need to access this system to download some files from a client’s client, I’ll probably never use it again, or at least not for months. But then I’ll still need to remember my password so I can log in to have to change it to something else I’ll not remember 😉

    dan1980
    Free Member

    Relevant courtesy of XKCD…

    gofasterstripes
    Free Member

    *logs out*
    *logs in to dan’s account*
    😉

    oldmanmtb
    Free Member

    Do this for a living and password enforcement around NHS PCI DSS drives people nuts and password sharing is commonplace. Trouble is the password is still the most common line of first defence – the reality is 7 digit alpha numeric upper and lower case with a maximum of 3 to 5 attempts before lock out provides robust protection – provided of course when the individual calls the help desk for a password reset and they just pass them out? How many people’s organisations have challenge response for password resets?

    mrblobby
    Free Member

    How many people’s organisations have challenge response for password resets?

    I’d be curious to know how many helpdesk calls concern password resets and locked accounts. I’d assume at least half. That’s pretty much all I use the helpdesk for.

    metcalt
    Full Member

    @mrblobby, a service desk I used to work on back in the day introduced a self-service password reset procedure, you could request one yourself or get your manager to do it if you’d locked out your network password.

    Following its introduction c20% of the demand into the service desk went away, followed by another large chunk when we automated the request process for shared network storage. Obviously other service desks’ MMV but it sure made Monday mornings a bit less hectic.

    retro83
    Free Member

    I’m actually quite impressed with LastPass having read the full story. Fixed and patch rolled out in under a day.

    scaredypants
    Full Member

    01(then 02 etc)MrBlobby(postcode of the place you’re in, typed with shift key down)

    My fist pet was a dog called spot who died when he was 1

    died after intestinal rupture? 🙁

    gofasterstripes
    Free Member

    Yes a quick turnaround but it’s not the first time so it gives me pause.

    mrblobby
    Free Member

    I’m actually quite impressed

    I’m not! That’s pretty sloppy coding. If that’s indicative of the quality of the rest of their implementation then I’d be quite worried.

    perchypanther
    Free Member

    Yes a quick turnaround but it’s not the first time so it gives me pause.

    You’ll struggle to type any password with those…

    gofasterstripes
    Free Member

    wat

    OKOK- Bad grammerizms abound.

    *goes outside*

    “GAAAH SO BRITE”

    footflaps
    Full Member

    I’m not! That’s pretty sloppy coding.

    And that’s just the known issues, how many zero day exploits are still being used?

    dabaldie
    Free Member

    It’s an oldie… but goodie:

    Please set a password to register.

    cabbage

    Sorry, the password must be more than 8 characters.

    boiled cabbage

    Sorry, the password must contain 1 numerical character.

    1 boiled cabbage

    Sorry, the password cannot have blank spaces.

    50soddingboiledcabbages

    Sorry, the password must contain at least one upper case character.

    50SODDINGboiledcabbages

    Sorry, the password cannot use more than one upper case character consecutively.

    50SoddingBoiledCabbagesShovedUpYours, IfYouDon’tGiveMeAccessImmediately

    Sorry, the password cannot contain punctuation.

    NowIAmGettingReallyPissedOff50SoddingBoiledCabbagesShovedUpYoursIfYouDontGiveMeAccessImmediately

    Sorry, that password is already in use!

    mrblobby
    Free Member

    dabaldie… 🙂

    Cougar
    Full Member

    It’s a lazy / cheap way to enforce cyber security, real world an 6 character password is pretty secure, add a number of upper case letter into the mix to stop someone getting in by guessing it.

    So you move onto brute force attacks and the like – you could use a system that locks out users for ever increasing amounts of time if you get the password wrong 3 times

    It’s not, really. You can set whatever clever tricks you like, but if the password database is compromised then a hacker can potentially attack that in isolation without worrying about timeouts. And (most) six-character passwords will fall in minutes.

    This is one of the fatal flaws with NTLM authentication; it stores long passwords by splitting them into chunks (6 or 7 characters, I forget exactly) so you can’t have long passwords by design, just a series of short ones concatenated together. If you can get access to the SAM database, you can crack all the passwords in a few minutes (many in seconds).

    For all the various complexity requirements, the best thing you can do with passwords (aside from 2FA and not reusing them on multiple systems) is increase the length.

    andytherocketeer
    Full Member

    Had one with so many rules, that in the end it worked out that the only password format was *exactly* 8 characters, with 6 of them letters, 1 digit and one symbol (from a small set).

    Think it was a bank. But not the bank where the password is a 5 digit PIN.

    And with so many rules like that, there was no way I could make it a variation of something I’d use as a base password, so it had to be written down.

    Check the computerphile youtube channel – 2 of the most recent videos posted are on this topic, with some live demos of cracking actual passwords on a PC with 4 GPUs. Covers all the usual “rules” that people use for stuff like swapping letters for numbers.

    Cougar
    Full Member

    There’s a depressing irony in that some of the worst password policies are banks and credit card providers. “Select from this restrictive list of characters” – no, learn to sanitise your bloody data input properly.

    Drac
    Full Member

    Keychain takes care of mine,

    That cartoon always makes me laugh as the last part isn’t the password.

    andytherocketeer
    Full Member

    The only reason I can think of to restrict the character list is to be really sure that there’s no odd international features going on, and to be sure that wherever you are in the world and from any keyboard or phone you can be 100% positive that what you type is what your password character is.

    But I’ve only ever seen that go wrong once, with something like ~n in a password that on a UK k/b you type ~n but on a German one you’d type ~~ then delete a ~ then n, else you get ñ.

    GrahamS
    Full Member

    That cartoon always makes me laugh as the last part isn’t the password.

    It is?

    His password is “correct horse battery staple”.

    The last pane just shows his visual mnemonic for remembering it: him saying correct to a horse identifying a battery staple.

    DezB
    Free Member

    That cartoon always makes me laugh as the last part isn’t the password

    I’ve seen funnier to be honest.

    tthew
    Full Member

    Turn your mouse or keyboard over.
    Use a suitable serial or part number.

    Totally random string of numbers and letters, likely with a few special characters in it. Written down so you know where to find it tomorrow.

    eg. HSTNN-pn12 (is not one that I use)
    HP desktop mouse.

    mrblobby
    Free Member

    Turn your mouse or keyboard over.
    Use a suitable serial or part number.

    Ok if you are always working at the same computer I suppose.
