the internet is more hostile than ever

 
Randall Twede
Ranch Hand
personally, i am sick of it.

password must be 156 characters long and must contain all the ascii characters.

to help fight spammers please type the following illegible crap.

i just had to create a new email account just to tell my brother i didn't send him the scam spam he received from me because hotmail blocked me since they got hacked.
 
John Jai
Rancher
Randall Twede wrote:
password must be 156 characters long and must contain all the ascii characters.

Heights of Annoyance
 
Bear Bibeault
Author and ninkuma
Marshal
But the point is valid: overly restrictive password requirements reduce security, not enhance it.

I recently signed onto a service that required a password to be exactly 8 characters long and start with a capital letter. This is ridiculous for 2 reasons:
  • The password space becomes severely limited and makes passwords easier to guess/troll.
  • Makes it harder for a person to set a password that they'll remember, leading to writing it on a sticky note to post on the wall.

    Pat Farrell
    Rancher
    Not only is @bear right, the stupid restrictions weaken security, but they indicate very weak design.

    Good security requires that you take the clear text password and push it through a one-way hash such as SHA256. It makes zero difference to the code, storage, or database how long the entered password is, as all you store is the resulting hash. So let the user enter a phrase. A nice long phrase that the human can remember.

    Second, and a sadly too common requirement, is that the "Strong" password be replaced every month or two. If it's a hard passphrase, it's hard to remember. The only way humans will remember something is to use it. Use it often enough to remember it. If the passphrase is used only twice a month and then changed, you will never remember it. What you will do is put the password on a 3M sticky note on your monitor. Now that, by cracky, is great security.

    I hate CAPTCHAs. I'm old, and my eyes are what they used to be. I often have no idea what the characters are supposed to be.
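The storage scheme described in the post above, as an added example (not code from the post or from any project): only a salt and a derived hash are kept, so the stored record is the same size whether the passphrase is 6 or 600 characters. It uses PBKDF2-HMAC-SHA256 (salted, iterated SHA-256) rather than a bare SHA256 call, which is the form a practitioner would use today; the record layout and iteration count are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # deliberately slow; raise as hardware gets faster


def make_record(passphrase: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    """Return the only thing the database should keep for this user:
    algorithm, iteration count, random salt and the derived hash.
    The clear text passphrase is never stored, whatever its length."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                                 salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify(record: str, candidate: str) -> bool:
    """Recompute the hash from the stored parameters and compare it to the
    stored digest in constant time (no early exit on the first differing byte)."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def stored_hash_length(passphrase: str) -> int:
    """Hex length of the stored digest: independent of the passphrase length,
    so there is no storage reason to cap what the user may type."""
    return len(make_record(passphrase).split("$")[3])


if __name__ == "__main__":
    record = make_record("a nice long phrase that the human can remember")
    print(record)
    print(verify(record, "a nice long phrase that the human can remember"))  # True
    print(stored_hash_length("abc") == stored_hash_length("x" * 500))       # True
```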
     
    Greg Charles
    Sheriff
    It's ridiculous to have any maximum password length. No organization should be storing your cleartext password anyway, just a hash of it, so storage space isn't an issue. As XKCD pointed out, all the requirements for numbers and mixed cases just lead to passwords that are hard to remember, but easy to crack. Also forcing us to change passwords every 30 days, or whatever, just leads to sequences like gregspassword1, gregspassword2, etc ... or worse: people keeping their passwords written on Post-it notes stuck to their monitors.
     
    Bear Bibeault
    Author and ninkuma
    Marshal
    Mine are stuck to my wall. Much better security than a monitor!

    There are about 5 corporate passwords that I have to change every three months. It's a nightmare, and they all have stupid requirements.

     
    Bear Bibeault
    Author and ninkuma
    Marshal
    A somewhat related rant.

    We use a lot of Oracle crap for our HR stuff. As a UI expert, I despair whenever I use any of it. I used to think that Lotus was the King of Bad UI -- they have nothing on Oracle.

    Example in a microcosm:

    Every three months, the passwords expire. So when you try to do something with it, it redirects you to a change password page. No problem so far (except that the visual design is hideous and it's stupid to require new passwords regularly in the first place). Then you enter the old password and new password twice; standard stuff. On clicking Submit, the fields clear.

    That's all. They just clear.

    No error message.

    No notifications.

    Nothing.

    Just cleared fields.

    Did it "take"? No. Trying to log in or do anything else just brings you back to the same reset password form.

    After 3 days of back-and-forth with remote IT in San Jose (aye-yi-yi) it turns out that there is a barrage (and I do mean a long long long list) of password requirements which include complete nonsense such as no two of the same character in a row, and no non-alphanumeric characters.

    So this is completely stupid in 3 ways:
  • Stupid password restrictions that make no sense and hinder rather than enhance security.
  • Not listing these restrictions on the change password page.
  • Indicating a failure by clearing the fields with no message of any type -- not even one that says that an error of any type occurred.

  • And they make gobs of money selling this stuff.
     
    Greg Charles
    Sheriff
    That reminds me of the error message haiku:

    Errors have occurred
    We won't tell you where or why
    Lazy programmers


    Of course you didn't get any message at all, so those "lazy programmers" of yesteryear would be considered diligent at Oracle today.
     
    Hussein Baghdadi
    clojure forum advocate
    Bartender
    Bear Bibeault wrote:Mine are stuck to my wall. Much better security than a monitor!

    There are about 5 corporate passwords that I have to change every three months. It's a nightmare, and they all have stupid requirements.


    Have you considered using 1Password?
     
    Bear Bibeault
    Author and ninkuma
    Marshal
    John Todd wrote:
    Have you considered using 1Password?

    I use 1Password. It doesn't help trying to come up with passwords that meet the requirements -- which sometimes are top secret!
     
    Jesper de Jong
    Java Cowboy
    Saloon Keeper
    Cryptic passwords are less safe than you'd think.

     
    Bear Bibeault
    Author and ninkuma
    Marshal
    Exactly! When free to use passwords of my own choosing -- I always pick a long pass-phrase that I can remember but would be nearly impossible to guess.
     
    Greg Charles
    Sheriff
    Jesper de Jong wrote:Cryptic passwords are less safe than you'd think.


    That's the same comic I linked to. Stupid me; I never think of just embedding images. I wonder if Randall has got the math right here though. He's certainly making some assumptions that didn't make the panels. Still, he's got a good point, and I hope to see more research on the topic. It wouldn't be the first time inconveniencing users to provide an illusion of security took precedence over, you know, actual security. TSA: I'm looking at you!
     
    Bear Bibeault
    Author and ninkuma
    Marshal
    I frequently take a pass phrase from the lyrics of a song -- after all, what's more memorable? Some previous passwords I've used: iputonsomemusictostartmyday, andImeanteverywordIsaid, and inthemiddleofmyroomIdidnothearfromyou.

    (Extra points to those who can identify the songs.)
     
    fred rosenberger
    lowercase baba
    Bartender
    Boston - More Than a Feeling
    REO Speedwagon - Keep On Lovin' You
    Stevie Nicks - Stand Back


    Too easy.

    unrelated: on this day in 1971, Led Zeppelin IV was released.
     
    Stephan van Hulst
    Bartender
    Bunch of geezers :P
     
    Bear Bibeault
    Author and ninkuma
    Marshal
    That's when music rocked, my young Padawan!

     
    Kaustubh G Sharma
    Ranch Hand
    I'm also pissed off at having to fill in unreadable captchas...
     
    fred rosenberger
    lowercase baba
    Bartender
    Stephan van Hulst wrote:Bunch of geezers :P

    Respect the classics, man!!!

    And quite frankly, those songs are too young for my taste. Give me some Wynonie Harris, Louis Prima, or Cab Calloway any day (and I'm several years younger than Bear, so I don't know what that makes me...)
     
    Stephan van Hulst
    Bartender
    Oh, I have a big list of classics that I really enjoy. Mind you, I don't think anything older than the 70s, except for actual classical music.

    I do think however that a lot of modern rock is under-appreciated, especially when compared to the classics. I think a factor is that these days the market is saturated with cheap horrible music that drowns out the good stuff.

    But of course, it's all subjective. Isn't it? Can one contend that a certain style of music is better than another simply by virtue of it having more fans? Because honestly I do consider Britney Spears' songs to be musically inferior to say, Prokofiev.
     
    Randall Twede
    Ranch Hand
    the used laptop i bought came with open office. they wanted me to register it so they can prove market share. since i am so grateful to have it, i decided i would. they required a minimum 8 character password. i am so sorry Oracle. i use one password everywhere and it is only 6 characters.

    as for hotmail, aka MSN, they still have my old account blocked because they got hacked. i have had a hotmail account since 2000, long before microsoft took them over. maybe it's time to try gmail.
     
    Akhilesh Trivedi
    Ranch Hand
    Bear Bibeault wrote:Mine are stuck to my wall. Much better security than a monitor!

    There are about 5 corporate passwords that I have to change every three months. It's a nightmare, and they all have stupid requirements.



    We must have dinner together at your residence some day.
     
    Sameer Jamal
    Ranch Hand
    What will the situation be after 15-20 years or so? Requirements will be like:

    You need to scan both of your retinas (please remove your contact lenses).
    Please use any nine fingerprints out of your ten.
    Well, your facial bone structure doesn't fit our criteria for facial recognition; go and get some surgery.

     
    Akhilesh Trivedi
    Ranch Hand
    Sameer Jamal wrote:
    ...Please use any nine fingerprints out of your ten.




    Could be out of twenty too.



    "As a child, my father and I tried to design a birdfeeder that was easily accessible by birds but impossible to reach by squirrels. Our birdfeeders ranged from the simple to the absurd. Each design worked temporarily, but eventually the squirrels would figure out a way around our defenses. The more challenging we made our design the more cunning our squirrels had to be in order to defeat it. In essence, our efforts were helping breed a smarter, craftier squirrel.

    -Foreword - Hack Proofing Sun Solaris 8 By Wyman Miles, Ed Mitchell, F. William Lynch"




     
    Randall Twede
    Ranch Hand

    "As a child, my father and I tried to design a birdfeeder that was easily accessible by birds but impossible to reach by squirrels. Our birdfeeders ranged from the simple to the absurd. Each design worked temporarily, but eventually the squirrels would figure out a way around our defenses. The more challenging we made our design the more cunning our squirrels had to be in order to defeat it. In essence, our efforts were helping breed a smarter, craftier squirrel.

    after several years of camping i have finally found the way to defeat squirrels and raccoons. you run some twine or very thin rope between two trees, high enough off the ground so only a human can reach it. then you hang your food from the line. they haven't learned tightrope walking yet.
     
    Bear Bibeault
    Author and ninkuma
    Marshal
    Just a matter of time!

     
    Randall Twede
    Ranch Hand
    damned squirrels.
    the point is valid though. hackers will find a way regardless.
     