the internet is more hostile than ever

 
Randall Twede
Ranch Hand
personally, i am sick of it.

password must be 156 characters long and must contain all the ascii characters.

to help fight spammers please type the following illegible crap.

i just had to create a new email account just to tell my brother i didn't send him the scam spam he received from me because hotmail blocked me since they got hacked.
 
Rancher

Randall Twede wrote:
password must be 156 characters long and must contain all the ascii characters.


Heights of Annoyance
 
Bear Bibeault
Sheriff
But the point is valid: overly restrictive password requirements reduce security, not enhance it.

I recently signed onto a service that required a password to be exactly 8 characters long and start with a capital letter. This is ridiculous for 2 reasons:
  • The password space becomes severely limited and makes passwords easier to guess/troll.
  • It makes it harder for a person to set a password that they'll remember, leading to writing it on a sticky note to post on the wall.

Rancher
Not only is @bear right, the stupid restrictions weaken security, but they indicate very weak design.

Good security requires that you take the clear text password and push it through a one-way hash such as SHA256. It makes zero difference to the code, storage, or database how long the entered password is, as all you store is the resulting hash. So let the user enter a phrase. A nice long phrase that the human can remember.

A second, and sadly too common, requirement is that the "Strong" password be replaced every month or two. If it's a hard passphrase, it's hard to remember. The only way humans will remember something is to use it. Use it often enough to remember it. If the passphrase is used only twice a month and then changed, you will never remember it. What you will do is put the password on a 3M sticky note on your monitor. Now that, by cracky, is great security.

I hate CAPTCHAs. I'm old, and my eyes aren't what they used to be. I often have no idea what the characters are supposed to be.
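The storage argument in the post above (hash the cleartext, keep only the digest, so password length costs nothing), as an added example that is not the poster's code: it uses PBKDF2-HMAC-SHA256, i.e. salted and iterated SHA-256, rather than one bare SHA-256 call, because an unsalted fast hash of a leaked table can be brute-forced offline. The iteration count, salt size and record format are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not code from the thread. Only a one-way hash of the password
# is stored, so its length costs nothing. PBKDF2-HMAC-SHA256 (salted, iterated
# SHA-256) is used instead of a single bare SHA-256 call: an unsalted fast hash
# of a leaked table can be brute-forced offline at billions of guesses a second.
ITERATIONS = 200_000   # assumption: work factor chosen to make each guess slow
SALT_BYTES = 16        # assumption: 128-bit random salt per stored password


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh salt: equal passwords get different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False          # malformed record: never accept
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


def record_length(password: str) -> int:
    """Storage cost of a password: identical for six characters and a whole sentence."""
    return len(hash_password(password))


if __name__ == "__main__":
    phrase = "the squirrels have not learned tightrope walking yet"  # constructed sample
    record = hash_password(phrase)
    print(record_length("abc123"), record_length(phrase))            # same size
    print(verify_password(phrase, record), verify_password("abc123", record))
```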
     
Greg Charles
Sheriff
It's ridiculous to have any maximum password length. No organization should be storing your cleartext password anyway, just a hash of it, so storage space isn't an issue. As XKCD pointed out, all the requirements for numbers and mixed cases just lead to passwords that are hard to remember, but easy to crack. Also forcing us to change passwords every 30 days, or whatever, just leads to sequences like gregspassword1, gregspassword2, etc ... or worse: people keeping their passwords written on Post-it notes stuck to their monitors.
     
Bear Bibeault
Sheriff
Mine are stuck to my wall. Much better security than a monitor!

There are about 5 corporate passwords that I have to change every three months. It's a nightmare, and they all have stupid requirements.

     
Bear Bibeault
Sheriff
A somewhat related rant.

We use a lot of Oracle crap for our HR stuff. As a UI expert, I despair whenever I use any of it. I used to think that Lotus was the King of Bad UI -- they have nothing on Oracle.

Example in a microcosm:

Every three months, the passwords expire. So when you try to do something with it, it redirects you to a change password page. No problem so far (except that the visual design is hideous and it's stupid to require new passwords regularly in the first place). Then you enter the old password and new password twice; standard stuff. On clicking Submit, the fields clear.

That's all. They just clear.

No error message.

No notifications.

Nothing.

Just cleared fields.

Did it "take"? No. Trying to log in or do anything else just brings you back to the same reset password form.

After 3 days of back-and-forth with remote IT in San Jose (aye-yi-yi) it turns out that there is a barrage (and I do mean a long long long list) of password requirements which include complete nonsense such as no two of the same character in a row, and no non-alphanumeric characters.

So this is completely stupid in 3 ways:
  • Stupid password restrictions that make no sense and hinder rather than enhance security.
  • Not listing these restrictions on the change password page.
  • Indicating a failure by clearing the fields with no message of any type -- not even one that says that an error of any type occurred.

And they make gobs of money selling this stuff.
     
Greg Charles
Sheriff
That reminds me of the error message haiku:

Errors have occurred
We won't tell you where or why
Lazy programmers

Of course you didn't get any message at all, so those "lazy programmers" of yesteryear would be considered diligent at Oracle today.
     
John Todd
clojure forum advocate

Bear Bibeault wrote:Mine are stuck to my wall. Much better security than a monitor!

There are about 5 corporate passwords that I have to change every three months. It's a nightmare, and they all have stupid requirements.

Have you considered using 1Password?
     
Bear Bibeault
Sheriff

John Todd wrote:
Have you considered using 1Password?

I use 1Password. It doesn't help trying to come up with passwords that meet the requirements -- which sometimes are top secret!
     
Jesper de Jong
Java Cowboy
Cryptic passwords are less safe than you'd think.

     
Bear Bibeault
Sheriff
Exactly! When free to use passwords of my own choosing -- I always pick a long pass-phrase that I can remember but would be nearly impossible to guess.
     
Greg Charles
Sheriff

Jesper de Jong wrote:Cryptic passwords are less safe than you'd think.

That's the same comic I linked to. Stupid me; I never think of just embedding images. I wonder if Randall has got the math right here, though. He's certainly making some assumptions that didn't make the panels. Still, he's got a good point, and I hope to see more research on the topic. It wouldn't be the first time inconveniencing users to provide an illusion of security took precedence over, you know, actual security. TSA: I'm looking at you!
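To put numbers on the policies argued about in this thread (exactly 8 characters starting with a capital, Oracle's alphanumeric-only rule with no repeated adjacent character, and the four-word passphrase of the comic), an added example that is not from any poster: it counts the passwords a policy allows and reports log2 of that count. The alphabet sizes (95 printable ASCII, 26 capitals, 62 alphanumerics, a 2048-word list) are assumptions, and the count is an upper bound that assumes uniformly random choice, which human-chosen passwords never are.

```python
import math
from itertools import product

# Added example, not from any post in the thread. It counts the passwords a
# policy allows and reports log2 of that count as bits of keyspace. Alphabet
# sizes are assumptions; the count is an upper bound that assumes uniformly
# random choice, which human-chosen passwords never are.
PRINTABLE = 95   # printable ASCII characters
CAPITALS = 26    # the leading capital that Bear's service demanded
ALNUM = 62       # Oracle's alphanumeric-only rule
WORDLIST = 2048  # the word list size assumed in the xkcd comic


def policy_keyspace(length, alphabet, first_alphabet=None, no_adjacent_repeat=False):
    """Strings of exactly `length` characters allowed by the policy.
    `first_alphabet` restricts the first character to a subset of that size;
    `no_adjacent_repeat` forbids the same character twice in a row, leaving
    alphabet-1 choices for every position after the first."""
    if length < 1:
        return 0
    first = alphabet if first_alphabet is None else first_alphabet
    rest = alphabet - 1 if no_adjacent_repeat else alphabet
    return first * rest ** (length - 1)


def passphrase_keyspace(words, wordlist=WORDLIST):
    """Phrases of `words` words drawn uniformly from a list of `wordlist` words."""
    return wordlist ** words


def bits(count):
    """Keyspace size in bits: log2 of the work of an exhaustive search."""
    return math.log2(count)


def brute_force_count(length, alphabet, first_alphabet=None, no_adjacent_repeat=False):
    """Enumerate every string over a tiny alphabet to confirm the closed form."""
    allowed = 0
    for cand in product(range(alphabet), repeat=length):
        if first_alphabet is not None and cand[0] >= first_alphabet:
            continue
        if no_adjacent_repeat and any(a == b for a, b in zip(cand, cand[1:])):
            continue
        allowed += 1
    return allowed


if __name__ == "__main__":
    print(f"exactly 8, leading capital:    {bits(policy_keyspace(8, PRINTABLE, CAPITALS)):.1f} bits")
    print(f"8 alnum, no repeated adjacent: {bits(policy_keyspace(8, ALNUM, no_adjacent_repeat=True)):.1f} bits")
    print(f"four words from 2048:          {bits(passphrase_keyspace(4)):.1f} bits")
    print(f"a 20-character phrase:         {bits(policy_keyspace(20, PRINTABLE)):.1f} bits")
```

The fixed-length rules land near 50 bits and 47 bits, below what a freely chosen 20-character phrase allows; the brute-force helper checks the formula on a three-symbol alphabet where enumeration is cheap.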
     
Bear Bibeault
Sheriff
I frequently take a pass phrase from the lyrics of a song -- after all, what's more memorable? Some previous passwords I've used: iputonsomemusictostartmyday, andImeanteverywordIsaid, and inthemiddleofmyroomIdidnothearfromyou.

(Extra points to those who can identify the songs.)
     
fred rosenberger
lowercase baba
Boston - More Than a Feeling
REO Speedwagon - Keep On Lovin' You
Stevie Nicks - Stand Back

Too easy.

unrelated: on this day in 1971, Led Zeppelin IV was released.
     
Stephan van Hulst
Saloon Keeper
Bunch of geezers :P
     
Bear Bibeault
Sheriff
That's when music rocked, my young Padawan!

     
Ranch Hand
I also get pissed off having to fill in unreadable captchas.
     
fred rosenberger
lowercase baba

Stephan van Hulst wrote:Bunch of geezers :P

Respect the classics, man!!!

And quite frankly, those songs are too young for my taste. Give me some Wynonie Harris, Louis Prima, or Cab Calloway any day (and i'm several years younger than Bear, so I don't know what that makes me...)
     
Stephan van Hulst
Saloon Keeper
Oh, I have a big list of classics that I really enjoy. Mind you, I don't think anything older than the 70s, except for actual classical music.

I do think however that a lot of modern rock is under-appreciated, especially when compared to the classics. I think a factor is that these days the market is saturated with cheap horrible music that drowns out the good stuff.

But of course, it's all subjective. Isn't it? Can one contend that a certain style of music is better than another simply by virtue of it having more fans? Because honestly I do consider Britney Spears' songs to be musically inferior to say, Prokofiev.
     
Randall Twede
Ranch Hand
the used laptop i bought came with open office. they wanted me to register it so they can prove market share. since i am so grateful to have it, i decided i would. they required minimum 8 character password. i am so sorry Oracle. i use one password everywhere and it is only 6 characters.

as for hotmail, aka MSN, they still have my old account blocked because they got hacked. i have had a hotmail account since 2000, long before microsoft took them over. maybe it's time to try gmail.
     
Akhilesh Trivedi
Ranch Hand

Bear Bibeault wrote:Mine are stuck to my wall. Much better security than a monitor!

There are about 5 corporate passwords that I have to change every three months. It's a nightmare, and they all have stupid requirements.

We must have dinner together at your residence some day.
     
Sameer Jamal
Ranch Hand
What will the situation be in 15-20 years or so? Requirements will be like:

You need to scan both of your retinas (please remove your contact lenses).
Please use any nine fingerprints out of your ten.
Well, your facial bone structure doesn't fit our criteria for facial recognition; go and get some surgery.

     
Akhilesh Trivedi
Ranch Hand

Sameer Jamal wrote:
...Please use any nine fingerprints out of your ten.

Could be out of twenty too.

"As a child, my father and I tried to design a birdfeeder that was easily accessible by birds but impossible to reach by squirrels. Our birdfeeders ranged from the simple to the absurd. Each design worked temporarily, but eventually the squirrels would figure out a way around our defenses. The more challenging we made our design the more cunning our squirrels had to be in order to defeat it. In essence, our efforts were helping breed a smarter, craftier squirrel.

-Foreword - Hack Proofing Sun Solaris 8 By Wyman Miles, Ed Mitchell, F. William Lynch"




     
Randall Twede
Ranch Hand

"As a child, my father and I tried to design a birdfeeder that was easily accessible by birds but impossible to reach by squirrels. Our birdfeeders ranged from the simple to the absurd. Each design worked temporarily, but eventually the squirrels would figure out a way around our defenses. The more challenging we made our design the more cunning our squirrels had to be in order to defeat it. In essence, our efforts were helping breed a smarter, craftier squirrel.

after several years of camping i have finally found the way to defeat squirrels and raccoons. you run some twine or very thin rope between two trees, high enough off the ground so only a human can reach it. then you hang your food from the line. they haven't learned tightrope walking yet.
     
Bear Bibeault
Sheriff
Just a matter of time!

     
Randall Twede
Ranch Hand
damned squirrels.
the point is valid though. hackers will find a way regardless.
     