
Thread: Passwords

  1. #1
    Senior Member Hicks12

    Passwords

    Rant

    WHY, in this day and age are companies allowed to have systems that REFUSE to accept special characters in passwords? This is such a petty and useless excuse for a system, I've just tried to sign up for Virgin Media and my password must be "8-10 characters long, letters and numbers only, no spaces. First character must be a letter." What is with this? 8 - 10?? We should be up to damn 32 characters, it needs punctuation/special characters, it's silly to deny a GOOD password.


    /Rant

    Seriously, why does this happen? In the age where people/governments complain that data is unsecure and all this crap yet it's OK for companies to have systems unable to allow for a more secure login. What companies have you come across that also enforce such silly limitations?
    Quote Originally Posted by snootyjim View Post
    Trust me, go into any local club and shout "I've got dual Nehalem Xeons" and all of the girls will practically collapse on the spot at the thought of your e-penis

  2. #2
    The Old Fox csgohan4

    Re: Passwords

    Quote Originally Posted by Hicks12 View Post
    Rant

    WHY, in this day and age are companies allowed to have systems that REFUSE to accept special characters in passwords? This is such a petty and useless excuse for a system, I've just tried to sign up for Virgin Media and my password must be "8-10 characters long, letters and numbers only, no spaces. First character must be a letter." What is with this? 8 - 10?? We should be up to damn 32 characters, it needs punctuation/special characters, it's silly to deny a GOOD password.


    /Rant

    Seriously, why does this happen? In the age where people/governments complain that data is unsecure and all this crap yet it's OK for companies to have systems unable to allow for a more secure login. What companies have you come across that also enforce such silly limitations?
    Try remembering a 32 character password with all the numbers and special characters. You would have to write it down either on your phone or a piece of paper, defeating the point. The worst ones are when you have to change your password every month. You run out of memorable ones after a few months.

  4. #3
    Senior Member Hicks12

    Re: Passwords

    I don't think that is a strong point to limit passwords though, if you can remember it then why should you be forced to put in a weaker password? I can remember my main password which is 24 characters and I alternate characters/punctuation within that for each site but not all can support a password of such length.

    Having your password expire/changed on a regular basis is the most secure method but as you say you can run out of memorable ones, it's a good idea in theory and should be an optional extra, I know I could probably make a year's worth of passwords to remember (if it was changing every 2 - 3 weeks) but if I was forced to make up passwords I'm confident I would adapt to sort it.

  5. #4
    Senior Member BobF64

    Re: Passwords

    Quote Originally Posted by Hicks12 View Post
    Seriously, why does this happen? In the age where people/governments complain that data is unsecure and all this crap yet it's OK for companies to have systems unable to allow for a more secure login.
    Easy, it's most likely due to back end data storage, in this case there's a plain text field that is 10 characters long, the rest of the limitations are probably to avoid having to deal with unsuitable symbols that mess up their SQL.

    I once broke my email account because I used a : in the password, seems their system stored it plain and in a standard UNIX passwd file format.

  6. #5
    Banhammer in peace PeterB kalniel

    Re: Passwords

    They should allow much more arbitrary field lengths though - having a limited range is worse than having a slightly lower maximum but allowing the full range up to it. Even so, a much larger maximum should be fine to cope with.

    Special characters can cause problems due to the number of character sets out there, I agree.

  7. #6
    HEXUS webmaster Steve

    Re: Passwords

    Passwords are ****.

    All the methods described above have problems.

    Forcing people to choose passwords within certain criteria is annoying, because if you develop a strategy that works for you, then somebody changes the rules slightly, you're going to struggle to remember the password.

    Expiring passwords is stupid because remembering the new passwords becomes a problem.

    Ultimately passwords as a concept are flawed, because no matter what you do to try to make them stronger, it will lead to people taking insecure countermeasures to ensure they can somehow remember them.

    edit: Also I appreciate the epic humour of the swear-filter's effect on my first sentence.
    PHP Code:
    $s = new signature();
    $s->sarcasm()->intellect()->font('Courier New')->display(); 

  9. #7
    Senior Member Hicks12

    Re: Passwords

    Yeah they all have flaws unfortunately but the main bit as you rightly say is forcing people to choose within a certain criteria, 8 - 10 is such a small range, just to allow a decent range would help a lot.

  10. #8
    Senior Member BobF64

    Re: Passwords

    Quote Originally Posted by kalniel View Post
    Even so, a much larger maximum should be fine to cope with.
    Sure, but only if the system copes with it.

    I encountered a good example of this a few years back.

    Windows 9x has a maximum password length of 15 characters, the input box stops accepting key presses, but you can just keep typing and not notice.

    Once you switch to an NT based system, the maximum length is much longer, so if you've been merrily typing in your 20 char password in 9x, and then do so on NT, you won't ever manage to log in, unless you only type the first 15 chars that is.

    So, even in a decent and secure system, the password length is limited only by the possible password entry restrictions, as a password hash will always be a fixed size, eg 20 bytes for SHA.

  11. #9
    HEXUS webmaster Steve

    Re: Passwords

    I have no idea why length restrictions are imposed on the actual password. Win 9x was limited to 15 chars? Assuming alphanumeric with symbols that's something like 128^15 (4*10^31) possible passwords. A 128-bit hash would give you around 2^128 if it was perfect, and that's 3.4*10^38, so you've just lopped seven orders of magnitude off the complexity of your passwords. If it was a 15 char limit for SHA-1, then the difference is 46 orders of magnitude.

  12. #10
    Senior Member kasavien

    Re: Passwords

    long passwords are easy (shamelessly stolen from an xkcd cartoon): take four random words that make no sense together e.g. asymetriccatapultspectatorhorses

    problem is when the password is restricted by length :/

  13. #11
    HEXUS.social member

    Re: Passwords

    As soon as I read this post, I immediately thought of xkcd!

    http://xkcd.com/936/

    We have to change our password at work every 3 months, but the system generates three passwords, and you have to pick one. They are all nine characters long and are based on three phonetic sounds e.g. vim-pig-dep (no, that's not mine!). However, as I was training everyone on the new system last year, I noticed the password that I had picked turned up as one of the options for at least two other people.

    At the moment I use pretty much the same password for everything, but I am moving to a system where the website/system I am using makes up part of the password, whilst the rest stays the same.

  15. #12
    HEXUS webmaster Steve

    Re: Passwords

    Yeah I sometimes used a phonetic password generator, but it's a bit better than the one you describe.

  16. #13
    Senior Member kasavien

    Re: Passwords

    Quote Originally Posted by Gerrard View Post
    As soon as I read this post, I immediately thought of xkcd!

    http://xkcd.com/936/

    We have to change our password at work every 3 months, but the system generates three passwords, and you have to pick one. They are all nine characters long and are based on three phonetic sounds e.g. vim-pig-dep (no, that's not mine!). However, as I was training everyone on the new system last year, I noticed the password that I had picked turned up as one of the options for at least two other people.

    At the moment I use pretty much the same password for everything, but I am moving to a system where the website/system I am using makes up part of the password, whilst the rest stays the same.
    We use a similar system for enforcing passwords on one of our sites, passwords are 9 letters long in 3 groups of 3 where each group is vowel consonant vowel i.e. catdogman, bigredbus etc. The site is dual authentication though, a PIN is required as well.

  17. #14
    Almost Ex-HEXUS Staff Jonatron

    Re: Passwords

    I turned on two factor authentication for my Google account recently, it works well, and I hope more sites start using a similar system.

  18. #15
    Seething Cauldron of Hatred TheAnimus

    Re: Passwords

    often the length and character restrictions stem from the hashing algos used.

    the same way it appears to be the law that every piss poor developer who makes a website simply MD5s the password, no salting, hmm secure!
    throw new ArgumentException (String, String, Exception)
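
Added example, not part of any post in the thread: posts #4, #8 and #15 touch on plaintext storage in a colon-delimited file, fixed-size hashes, and unsalted MD5. The sketch below puts the three side by side; the function names, the choice of PBKDF2-HMAC-SHA256, the iteration count and the sample passwords are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256

def store_plain_colon(user, password):
    """The 'before': plaintext password in a colon-delimited, passwd-style line."""
    return f"{user}:{password}:1000:/home/{user}"

def parse_colon_record(line):
    # Field split as a passwd-style reader would do it.
    user, password, uid, home = line.split(":", 3)
    return {"user": user, "password": password, "uid": uid, "home": home}

def unsalted_md5(password):
    """The scheme criticised in post #15: equal passwords give equal digests."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def hash_password(password, salt=None):
    """Salted KDF; the stored record is hex only, whatever the input contains."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"

def verify_password(password, record):
    salt_hex, _ = record.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, record)

def demo():
    # Constructed sample passwords: one short, one long with ':', quote, space, non-ASCII.
    short = "abc12345"
    long_pw = "corr:ect horse'; battery \u00e9 staple" * 2
    broken = parse_colon_record(store_plain_colon("bob", "pa:ss"))
    rec_a, rec_b = hash_password(long_pw), hash_password(long_pw)
    return {
        "broken_fields": (broken["password"], broken["uid"]),
        "record_lengths": (len(hash_password(short)), len(rec_a)),
        "md5_equal": unsalted_md5(short) == unsalted_md5(short),
        "salted_equal": rec_a == rec_b,
        "verify_ok": verify_password(long_pw, rec_a),
        "verify_wrong": verify_password(long_pw[:-1], rec_a),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The stored record has the same length for an 8-character and a 66-character password, so a storage-driven cap on length or character set only arises when the password itself is what gets stored.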

  19. #16
    The Old Fox csgohan4

    Re: Passwords

    I suppose it's to prevent people putting 1234 or qwertyuiop as their password lol
