Context is that I had to register for a lot of accounts recently and some of the rules really make no sense.
Not name-and-shaming, but the best one I’ve seen recently is I might have accidentally performed an XSS attack on a career portal using a 40-digit randomly generated password…
A company I used to work for is big enough that everyone reading this has heard of it. They had this wonderful security nightmare going on:
When you were hired, the company would issue your user credential with a standard password that was “CompanyName1” and require you to immediately change it at first logon. Everyone knew this password because everyone got it when they were hired.
Password policy required everyone to reset their password every 60 days. Not the worst ever but still pretty aggressive. And with the rise of all the mobile devices connecting with your corp account it was getting to be a worse and worse experience.
Can you guess yet how these two policies are linked in my story?
Well, some of the C-Suite executives didn’t have time for any of these security shenanigans. So they would have their executive support person log into an administrative console and reset the exec’s password every 59 days to the same value that it currently had, thereby bypassing the password re-use filter.
That value they were continuously setting was… “CompanyName1”
I know of at least two executives that were doing this while I worked there.
When I was in middle and high school the school district would always do this at the beginning of the school year.
One year my best friend moved away so in the following years I discovered his account still existed. If I was in the mood to hack (dumb stuff like forging email with their horrible SMTP server for example) I’d just find another computer I wasn’t just using and log in using the default password.
“Password must contain letters numbers, and at least one of these special characters.”
Turns out, half of those special characters weren’t allowed 🫠
My community colleges:
Passwords must be 12 characters long, contain at least one uppercase letter, one lowercase letter, a number, and a special character; it must also be changed every 30 days. There was also some sort of algorithm that checked if your new password is too similar to any previous password you had used, and rejected it if it was too close.
Hilariously, if you had a link to the page the password was supposed to limit access to, you could bypass the password page entirely. As such, I never changed my password.
[offtopic?]
Debbie’s password is “PlutoGoofyMickeyMinnieDaffyBugsThorLosAngles”
She was told that the password needed seven characters and a capital.
Except Sacramento is the capital of California, Debbie gonna struggle
Los Angeles is considered the Movie Capital of the World.
Checkmate, liberal!
Nope, that’s Hollywood! Checkmate, sovcit!
What a strange choice to have 6 cartoon characters and a Norse god.
Well, they certainly managed to get her to make a strong password.
/c/dadjokes is over there ->
Anything that requires regular password resets. It’s fine if it’s changed on the site and in the user’s vault automatically, but if a user has to type in their password with any sort of regularity, it’s a recipe for disaster to require regular changes.
People write predictable or formulaic passwords, or just end up resetting their password more often than necessary because they forgot it (making them more susceptible to phishing).
There was an episode of Elementary where they were able to find the victim’s password on a post-it note, because the company requires a new password every month and he didn’t want to remember a new one that often.
Very common
I memorized a handful of randomly generated passwords in high school (around 2005) and never looked back.
These days I use a password manager, but for semi-low security stuff (on my LAN) I use one, for my Apple account a long combination of three. And that’s it! The password manager is where it’s at.
Just one of my passwords was leaked in data breach (from back when I was younger and recycled passwords) so that one’s out, but otherwise I’m doing pretty well with the memorized randomly generated passwords.
The most basic rules commonly required everywhere. When you have such specific rules, it ironically actually makes finding the password through brute force easier because you can eliminate a bunch of variables that could have existed without all the rules. I can eliminate any permutation under 8 characters, doesn’t contain a number, and doesn’t contain a special character.
It will still possibly take a billion years to guess, but it could have been two billion without the rules.
Of course, I also find it wild that the metric for how good an encryption or password system is, is just how long it would take to guess every possible combination of input it could be, sequentially. It doesn’t account for a brute force attempt that just selects random inputs. It could take until the heat death of the universe… It could take 3 seconds. It’s up to chance at that point. Not to mention all the easier ways of getting a password. Like gaslighting the person who knows it into giving it up.
It’s something like the second law of Thermodynamics. It’s probability, not absolute. It’s possible all the gas molecules in the room arrange themselves in one corner, but it’s fantastically unlikely. It’s possible to choose the right encryption key to a 256-bit cipher at random the first time, but it’s fantastically unlikely.
12 characters, upper/lower/special requirement, and no more than two occurrences of the same character together. That’s FedEx.
Two other thoughts on the topic:
- Websites/apps/etc should always list their password requirements on the login page to make it easier to determine what password you used for the site in question.
- There are plenty of websites where I literally log in only by using the “forgot password” flow because their password requirements are so ridiculous.
Extremely limited password length. I think it was around 6 or 8 characters. Exactly! So every password was the same length.
No other requirements. The best part? It was a bank. But not a customer facing service.
My bank had a limit of six characters, for the customer facing login. Oops.
Westpac?
Yes 🤭
Not sure but I think Schwab did it too.
Banks are amazingly bad at digital security. I once was in a bank (where my wife had an account) where they used first generation wireless keyboards. The ones that did not encrypt anything and could be received to a distance of up to 10m, more if you had a better antenna. I told them about the security issues, but they did not understand. I went to the newspaper agent and bought the newest edition of a computer magazine that had detailed descriptions of how to eavesdrop on those keyboards, returned to the bank, and handed them the article. Which featured exactly their keyboard model as the title photo. I told them “If you don’t understand this, it’s fine, but then give it to the person responsible for your IT and security, they should know how to deal with this.”
Next time we were there, they still had the insecure keyboards. Yes, the IT department had told them that they should replace them with wired ones, but they rejected it, because the wireless ones were sooo convenient. Our next move was to close my wife’s account there.
Facebook got caught having a flat text file being sent around between employees to make accessing data easier. That text file contained tens of thousands of people’s username and password.
Why? Facebook being Facebook I guess
Not so much password requirements as just a completely removed implementation:
To access payment stubs in a data center (not us) that I worked at, the user account was our public email address and the password was a personal code, sorta like SSN, but that code could be easily looked up as it was public info.
I showed the director of HR, who authorized this, her own payment stub as evidence that this was baaaaadddd
So she asked me to check that system for more issues
Turns out it stored passwords in blank (wtf) and would authenticate with two queries. First query would check if the username (email) exists. Second query would check if the password exists. If both exist, you’re in! So I could log in to any account with MY password…
This is a tip of a very big iceberg there
This has to be the best one here. The sheer lack of understanding of how to authenticate an account by the dev.
Sounds like the initial part of password testing, and then they either forgot to complete it, or someone came along to fix the later parts, commented them out for testing and never got around to fixing/uncommenting. Surprising how often things that ‘work’ are set aside and no one is in charge of reviewing.
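The two-query check from the payment-stub story above, next to a version that ties the password to the account's own row. This is an added example, not part of the thread and not that system's code; the table layout, sample accounts and function names are assumptions, and the plaintext column exists only so the flawed check can run.

```python
import hashlib
import hmac
import os
import sqlite3

def kdf(password, salt):
    # Salted, slow hash; the iteration count is an illustrative choice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_db():
    # Constructed sample data: two accounts in an in-memory database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, "
               "password TEXT, salt BLOB, pw_hash BLOB)")
    for email, pw in [("alice@example.test", "alice-pw-1"),
                      ("bob@example.test", "bob-pw-2")]:
        salt = os.urandom(16)
        db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                   (email, pw, salt, kdf(pw, salt)))
    return db

def login_flawed(db, email, password):
    # Two independent existence checks: nothing requires the password
    # to belong to the row that matched the email.
    user_ok = db.execute("SELECT 1 FROM users WHERE email = ?",
                         (email,)).fetchone()
    pw_ok = db.execute("SELECT 1 FROM users WHERE password = ?",
                       (password,)).fetchone()
    return bool(user_ok and pw_ok)

def login_fixed(db, email, password):
    # One lookup keyed by email, then compare against that row's hash only.
    row = db.execute("SELECT salt, pw_hash FROM users WHERE email = ?",
                     (email,)).fetchone()
    if row is None:
        kdf(password, b"\0" * 16)  # do comparable work for unknown users
        return False
    salt, stored = row
    return hmac.compare_digest(kdf(password, salt), stored)

if __name__ == "__main__":
    db = make_db()
    # Bob's password presented against Alice's account:
    print("flawed:", login_flawed(db, "alice@example.test", "bob-pw-2"))
    print("fixed: ", login_fixed(db, "alice@example.test", "bob-pw-2"))
```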
Anyone remember the Password Game?
I personally hate character limits. I understand minimum character count, but I can’t have more than 15 characters? Bruh
It happens a bit too often that I make an account somewhere with a long, generated password and then when I log in it throws errors at me.
But a few times a website didn’t just show me an error, I got the whole crash dump including their encryption approach and versioning.
I’ve encountered a few sites that restricted repeating or sequential characters. Of course told after failing the first creation attempt. Makes things like randomly generated passphrases fun to figure out. Particularly when their idea of “sequential” involves both in alpha/numerical order, but also adjacent spacing on the (assumed?) qwerty keyboard!
Most absurd was from a job I had in college. This was the password to log into an ancient dumb terminal (literally a monochrome black and green display) on a local-only network that only handled our time clock.
Requirements:
- 8 characters exactly
- You supply the first 4, the system generated the last 4
- I can’t remember if it allowed numbers, but there were definitely no special characters and I think it was also case-insensitive
Required to change password every 30 days.
- There was the multi user operating system in the 1990s that required every user to have a unique password. We were young and innocent then and used common English words. Upon changing your password, it would check your new password against all other users. An error like “That password is already used by johnp. Please choose another password.” was not uncommon.
- When I started using a password manager, I got keen and changed my passwords to 64 random characters. My bank would change this to uppercase, delete special characters, and save the first 8 characters of what was left. So when I logged in, it would compare the 64 character password I entered to the converted 8 character password that they saved, and find that they were different. (I found this out when I rang and complained, and they told me my password over the phone … 😱). They don’t do that any more.
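The save-time rewriting described in the bank story above, as an added example that is not part of the thread or the bank's code. It shows why the original login failed, why applying the same lossy transform on both sides would only trade that failure for collisions, and a store that hashes the full input instead; the function names and sample passwords are constructed for illustration.

```python
import hashlib
import hmac
import os
import re

def bank_normalize(pw):
    # Transformation described in the post: uppercase, strip specials, keep 8.
    return re.sub(r"[^A-Z0-9]", "", pw.upper())[:8]

def save_lossy(pw):
    return bank_normalize(pw)

def login_mismatched(stored, entered):
    # Raw entry compared with the rewritten value: the reported lockout.
    return stored == entered

def login_lossy_both(stored, entered):
    # "Consistent" variant: works, but only the first 8 surviving
    # characters of the password matter any more.
    return stored == bank_normalize(entered)

def save_hashed(pw):
    # Keep the whole password's entropy: salt and hash the full input.
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def login_hashed(record, entered):
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", entered.encode(), salt, 100_000)
    return hmac.compare_digest(digest, candidate)

# Constructed samples: a 64-character password and an unrelated string
# that happens to share its first 8 letters and digits.
PW = "q7#Lm!2x" + "Zr9$kV@4" * 7
OTHER = "Q7lM2XzR" + "totally different tail"

if __name__ == "__main__":
    print("stored value:        ", save_lossy(PW))
    print("owner, mismatched:   ", login_mismatched(save_lossy(PW), PW))
    print("stranger, lossy both:", login_lossy_both(save_lossy(PW), OTHER))
    print("stranger, hashed:    ", login_hashed(save_hashed(PW), OTHER))
```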