Kottke presents a list of really bad password requirements. I was reminded of this when I was informed of a 60-day limit for my password on a sports message board. Seriously, a sports message board has stricter password requirements than my bank. What the heck?
Due to problems related to a WordPress update, the site's layout had to be moderately altered. Some of the changes are temporary.
on Open Mic for the week of 3/24/25Kennedy pushes out top Vaccine doc at FDA, I bet we are about a year away from vaccine bans: https:/…
on Weekend Plans Post: Pantherine VandalsDate Nite With Maribou was "Wicked". I'd never seen it, never seen the musical, never heard the soun…
on Open Mic for the week of 3/24/25Is that before or after he tries to migrate Social Security off its legacy systems and onto newer on…
on Open Mic for the week of 3/24/25I don't see even the slightest connection to George Floyd. All reviews say the movie is a trainwreck… on Open Mic for the week of 3/24/25https://www.app.com/story/news/nation/2025/03/28/donald-trump-elon-musk-leaving-doge-may-2025-report…
on Open Mic for the week of 3/24/25One full of and run by f*cking idiots. on Open Mic for the week of 3/24/25And we managed to really alienate Canada. What kind of country manages to alienate Canada? on Open Mic for the week of 3/24/25Apologies on Open Mic for the week of 3/24/25You know how, periodically, there's a situation in California that results in house insurance compan… on The HoldoutIs it just thumb wrestling and something you say before the match? It's not a rhyme and googling it…
March 28, 2025
They’re Acting Queer in Cleveland
March 27, 2025
A Loaf of Bread, a Container of Milk, and a Stick of Butter
March 26, 2025
Bowling — Balling Up the Score
March 25, 2025
on Open Mic for the week of 3/24/25 on Open Mic for the week of 3/24/25 on Weekend Plans Post: Pantherine Vandals
on Weekend Plans Post: Pantherine Vandals on Open Mic for the week of 3/24/25
on Open Mic for the week of 3/24/25 on Open Mic for the week of 3/24/25
on Open Mic for the week of 3/24/25 on Open Mic for the week of 3/24/25 on Open Mic for the week of 3/24/25 on Open Mic for the week of 3/24/25 on Open Mic for the week of 3/24/25 on Open Mic for the week of 3/24/25 on Weekend Plans Post: Pantherine Vandals on Open Mic for the week of 3/24/25
But is it a really good sports message board? That might be more valuable than the totality of what is in your financial accounts.Report
It was the hometeam message board to a Conference USA school that I didn’t even attend but whose fans I enjoy chatting with. One of the best fanboards I’ve ever seen, but for a team that’s the equivalent of Marshall or Tulsa.Report
I think we can all recognize the value of a quality online community… 🙂Report
(obligatory xkcd)Report
And, as is often the case, xkcd is wrong. He’s comparing one 11-character password to 4 passwords each up to 7 characters. If I was writing a “password buster”, I would start with letters and numbers (with extra weight for “real” words). That would catch his silly example long before the one he thinks is bad.
One thing I’ve discovered from xkcdsucks is that Randall is really bad at math.Report
Yes, he’s wrong, but he’s not as far off as that.
Since the sub-words in the passphrase are of unknown individual length, it’s not four separate passwords. It’s still one big one, particularly if you use any non-alpha character as a word separator.
thisismyuniquepassword
(the MD5 hash 9aacebbd75c2d8804cfc8b3ff20055dc is not in any currently published rainbow table)
is not as easy to crack as
this
is
my
unique
password
(which would be trivial)
Of course, if you *know* from social engineering what sorts of words your target picks from, then yes it’s a pretty crappy algorithm for generating passwords.
Note: everybody still uses MD5 and they ought to switch to SHA-256, but that’s an aside.Report
There’s an interesting little site I’ve bookmarked which explains how this works.Report
Thanks for the link to that website. I’ve devised my own casual algorithm for coming up with memorable but, I hoped, difficult to break passwords. Turns out that the online attack scenario timeline for them runs into the century–in one case of an easily remembered password, 2.7 hundred thousand centuries. I’m gratified to be reconfirmed in my satisfaction with my method.Report
Banks are by far the worst in this regard. It’s unfathomable, why they insist on such dumbass password schemes.
But the absolute worst, and I’ve been seeing a lot of it lately, is open username/pwd combinations in PHP
$link = mysql_connect(“localhost”, “user”, “tr00t”) or die(mysql_error());
mysql_select_db(“mydatabase”);
Stuff like that causes me to stomp and shoot and spit. So I talk to the client about it: “oh, don’t worry about it, there’s nothing important back there anyway.”Report
I’ve been trying — in vain — to get my work to switch to RSA tokens. I use them for another aspect of my work, and I don’t work in a small shop. There are far, far, far and away enough people to make it economically feasible.
But nope. We’re up to 12 character passwords, changed every 60 days, no reuse for a year, one upper case and one special character, no dictionary words, and god knows what else.
So everyone cheats and writes them down.
RSA tokens are dirt cheap and secure. (Blizzard was subsidizing the dang things for World of Warcraft, basically charging you shipping to get one). A four digit pin, which everyone can remember, and a 6 digit number that changes every 60 seconds.
Secure as hell, even if you lose the token. You’d have to be dumb enough to write your PIN ON the token to break it.Report
I issue revokable X.509 certs from my own CA, loaded onto an encrypted USB drive. Lots cheaper than RSA. No tickee, no washee, you mount the USB drive, point your app security to that cert, then it will runReport
Well, a good number of enterprise IT folks (at least in the government) consider USB drives to be the bisexual heroin addict prostitutes of computer hardware and won’t let a USB drive even come into their buildings anymore, much less on their systems.Report
This is really nothing but the good ol’ CAC card X.509 paradigm, only a hell of a lot cheaper and far more secure. The cert is tied to the absolute release of the executable instance: Bob can’t run Sally’s installed software. The last thing I want is some GS-3 moron fucking with my security. If they want, I’ll retrofit the security model to their OS security but I will not play li’l password games with this species of chump.Report
USB drives aren’t the Evil Widget, there… it’s “Autorun”. This is a trivial problem to fix.Report
One of the amazing things about security is how many holes are trivial to close but stay wide open. (Something everyone in this conversation is painfully aware of.)Report
Tangential, but I was once upon a time reluctant to get a smartphone because I thought my Pocket PC plus a regular phone suited me just fine. This changed when I got a job at a place that banned Pocket PCs… but didn’t ban smartphones. Pocket PCs represented a security threat, by a Pocket PC with cellular capability and a camera (which most PPC’s lacked) didn’t.Report
Most corporate security is a joke. Everyone knows it. Industrial espionage is big business and everyone’s doing it. Most intel breaches are inside jobs anyway.
All this hoo-hah about prohibiting devices onsite: anyone who’s running an MS Exchange Server has already hung his big naked ass out the window for the world to see, and the family jewels too.Report
> Most intel breaches are inside jobs anyway.
This.Report
What’s a pocket PC?Report
Also called PDAs. Smartphones without the cell part (and, because of the technology at the time, usually without a camera). The modern equivalent would be the iPod Touch.Report
Once, Kazzy, back when the plesiosaurs’ reign of terror was sweeping across the coasts of Pangaea, there was the Pocket PC, which ran an operating system called Windows CE, short for Cretaceous Edition, though some believe CE arose from Cretinous Excel. The archaeologists differ on this subject but all agree on that bit about the plesiosaurs.
As its name implies, WinCE was half o’ this and none o’ that. It featured manly edition names like Stinger and Chainsaw, but its chief attributes were Slow and Stupid, which the aforementioned plesiosaurs were not, let me tell you. We early mammals continued to believe in low-powered ARM processors and evolved smaller and more efficient kernels to best utilise their very considerable resources.
Well, the plesiosaurs are gone and good riddance. They were fast and rude and predatorious in extremis. But WinCE is still out there, somewhere, equally irrelevant but still an annoyance.Report
Actually, I’m just happy to see you.Report
As others have pointed out, banks produce layers upon layers of password requirements… that are undone by simply knowing the street that the account-holder grew up on or their favorite pet.Report
Who steals my purse steals trash, but who steals my opinion of Alex Smith steals red and gold.Report
‘Twas mine, ’tis his, and has been slave to thousands…Report
FWIW, a couple of GPU machines can break 8 character passwords in feasible time, now.
(http://www.zdnet.com/blog/hardware/cheap-gpus-are-rendering-strong-passwords-useless/13125)
Probably the right number of characters is now > 12, for anything you want to keep secure for a while. Passwords are right out; you need a passphrase instead.
RSA tokens are a possible solution, but they are an administrative pain (there’s a guy at JPL whose full-time job is replacing and revoking RSA tokens) and you can’t transmit them over the Internet or the phone… so if a traveling user loses their token, they’re SOL until they get back to the office. This can be a deal breaker.Report
RSA got beat down. Google’s certs got beat down. All these third-party sites are trivially beat down. The CA mechanism is dead.
Physical tokens are the way to go. Nobody whines about needing a physical key to get in their front door or into their cars.Report
They also last five years. JPL is a big, big place.
My company? One of the HR reps handles it. There’s generally a few weeks where she’s handling a couple hundred RSA turnovers (when they expire — generally tied to some contract reaching a 5 year milestone), but msotly she hands out one a week.
True, being on travel can screw you — but in the age of smartphones (and Blizzard has done this as well) syncing an app to cell is another fashion of generating a token. You can still clone the cell phone and probably access the token that way, but you’d still need the PIN.
Treat cell-generated tokens as suspect requiring a check-in or prior authorization (give them a use or three gratis), and you’ve got a guy on travel who can use an app on his phone.
If he’s lost both his phone AND his token, well he’s fucked enough that they’re shipping him new stuff anyways.Report
> One of the HR reps handles it.
I imagine that’s the weak part of your security chain, there.Report
This information is a few years old, but at one point, 60% of all web passwords were one of the following:
Report
You could get up to five bits of entropy by picking three of them at random (with possible repeats) and stringing them together.Report
I wouldn’t be surprised if an appreciable number of “7 character or more” passwords were “sexsexsex”.Report