the internet is more hostile than ever

Randall Twede
Ranch Hand

Joined: Oct 21, 2000
Posts: 4347

personally, i am sick of it.

password must be 156 characters long and must contain all the ascii characters.

to help fight spammers please type the following illegible crap.

i just had to create a new email account just to tell my brother i didn't send him the scam spam he received from me because hotmail blocked me since they got hacked.

John Jai
Bartender

Joined: May 31, 2011
Posts: 1776
Randall Twede wrote:
password must be 156 characters long and must contain all the ascii characters.

Heights of Annoyance
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61232

But the point is valid: overly restrictive password requirements reduce security, not enhance it.

I recently signed onto a service that required a password to be exactly 8 characters long and start with a capital letter. This is ridiculous for 2 reasons:
  • The password space becomes severely limited and makes passwords easier to guess/troll.
  • Makes it harder for a person to set a password that they'll remember, leading to writing it on a sticky note to post on the wall.


    Pat Farrell
    Rancher

    Joined: Aug 11, 2007
    Posts: 4659

    Not only is @bear right, the stupid restrictions weaken security, but they indicate very weak design.

    Good security requires that you take the clear text password, and push it through a one-way hash such as a SHA256. It makes zero difference to the code, storage, or database, how long the entered password is, as all you store is the resulting hash. So let the user enter a phrase. A nice long phrase that the human can remember.

    A second, and sadly too common, requirement is that the "Strong" password be replaced every month or two. If it's a hard passphrase, it's hard to remember. The only way humans will remember something is to use it. Use it often enough to remember it. If the passphrase is used only twice a month and then changed, you will never remember it. What you will do is put the password on a 3M sticky note on your monitor. Now that, by cracky, is great security.

    I hate CAPTCHAs. I'm old, and my eyes are what they used to be. I often have no idea what the characters are supposed to be.
    Greg Charles
    Sheriff

    Joined: Oct 01, 2001
    Posts: 2851

    It's ridiculous to have any maximum password length. No organization should be storing your cleartext password anyway, just a hash of it, so storage space isn't an issue. As XKCD pointed out, all the requirements for numbers and mixed cases just lead to passwords that are hard to remember, but easy to crack. Also forcing us to change passwords every 30 days, or whatever, just leads to sequences like gregspassword1, gregspassword2, etc ... or worse: people keeping their passwords written on Post-it notes stuck to their monitors.
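    The two points Pat and Greg make (store only a hash, so length costs the storage layer nothing, and a fixed-format rule like "exactly 8 characters starting with a capital" shrinks the space an attacker has to search) are easy to show in code. The block below is an added example written for this page, not code from the thread or from any product named in it. It uses a salted, iterated KDF (PBKDF2-HMAC-SHA256 from Python's standard hashlib) in place of the bare SHA-256 Pat mentions, so that equal passwords get different records and each guess costs the attacker real work; the iteration count and salt size are assumptions chosen for the example.

```python
"""Added example (not code from the thread): password storage that is
indifferent to passphrase length, plus the search-space arithmetic behind
"exactly 8 characters, starting with a capital"."""
import hashlib
import hmac
import math
import secrets
from typing import Optional

# Assumed work-factor parameters for this example (not taken from the thread).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, *, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    The record is the same size whether the passphrase is 6 characters or
    600, so nothing in the storage layer needs a maximum length.  A fresh
    random salt per user means two people with the same passphrase get
    different records.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt/iterations and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported record format: {algorithm}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


PRINTABLE_ASCII = 95   # space through '~'
UPPERCASE = 26
LOWERCASE = 26


def search_space_bits(length: int, first_alphabet: int, rest_alphabet: int) -> float:
    """log2 of the number of strings a policy permits.  This is an upper bound
    on entropy: real users pick from a far smaller set than the policy allows."""
    return math.log2(first_alphabet) + (length - 1) * math.log2(rest_alphabet)


def compare_policies() -> dict:
    """The 'exactly 8, start with a capital' rule from the thread, the same
    length without the capital rule, and a 27-letter lowercase passphrase."""
    return {
        "exactly_8_capital_first": search_space_bits(8, UPPERCASE, PRINTABLE_ASCII),
        "any_8_printable": search_space_bits(8, PRINTABLE_ASCII, PRINTABLE_ASCII),
        "27_lowercase_letters": search_space_bits(27, LOWERCASE, LOWERCASE),
    }


if __name__ == "__main__":
    # Low iteration count only so the demo runs quickly; keep the default in production.
    short = hash_password("Passw0rd", iterations=1_000)
    long_phrase = hash_password("a long phrase the human can remember " * 20, iterations=1_000)
    print("records same size:", len(short) == len(long_phrase))
    for name, bits in compare_policies().items():
        print(f"{name:>24}: {bits:6.1f} bits")
```

    The record format carries its own algorithm and iteration count, so the work factor can be raised later and old records re-hashed on the user's next successful login. Note that the lowercase passphrase only wins because of its length; the capital-first rule costs about two bits against an unconstrained 8-character password, while the fixed length of 8 is what really caps the space.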
    Bear Bibeault
    Author and ninkuma
    Marshal

    Joined: Jan 10, 2002
    Posts: 61232

    Mine are stuck to my wall. Much better security than a monitor!

    There are about 5 corporate passwords that I have to change every three months. It's a nightmare, and they all have stupid requirements.

    Bear Bibeault
    Author and ninkuma
    Marshal

    Joined: Jan 10, 2002
    Posts: 61232

    A somewhat related rant.

    We use a lot of Oracle crap for our HR stuff. As a UI expert, I despair whenever I use any of it. I used to think that Lotus was the King of Bad UI -- they have nothing on Oracle.

    Example in a microcosm:

    Every three months, the passwords expire. So when you try to do something with it, it redirects you to a change password page. No problem so far (except that the visual design is hideous and it's stupid to require new passwords regularly in the first place). Then you enter the old password and new password twice; standard stuff. On clicking Submit, the fields clear.

    That's all. They just clear.

    No error message.

    No notifications.

    Nothing.

    Just cleared fields.

    Did it "take"? No. Trying to log in or do anything else just brings you back to the same reset password form.

    After 3 days of back-and-forth with remote IT in San Jose (aye-yi-yi) it turns out that there is a barrage (and I do mean a long long long list) of password requirements which include complete nonsense such as no two of the same character in a row, and no non-alphanumeric characters.

    So this is completely stupid in 3 ways:
  • Stupid password restrictions that make no sense and hinder rather than enhance security.
  • Not listing these restrictions on the change password page.
  • Indicating a failure by clearing the fields with no message of any type -- not even one that says that an error of any type occurred.

    And they make gobs of money selling this stuff.
    Greg Charles
    Sheriff

    Joined: Oct 01, 2001
    Posts: 2851

    That reminds me of the error message haiku:

    Errors have occurred
    We won't tell you where or why
    Lazy programmers


    Of course you didn't get any message at all, so those "lazy programmers" of yesteryear would be considered diligent at Oracle today.
    Hussein Baghdadi
    clojure forum advocate
    Bartender

    Joined: Nov 08, 2003
    Posts: 3479

    Bear Bibeault wrote:Mine are stuck to my wall. Much better security than a monitor!

    There are about 5 corporate passwords that I have to change every three months. It's a nightmare, and they all have stupid requirements.


    Have you considered using 1Password?
    Bear Bibeault
    Author and ninkuma
    Marshal

    Joined: Jan 10, 2002
    Posts: 61232

    John Todd wrote:
    Have you considered using 1Password?

    I use 1Password. It doesn't help trying to come up with passwords that meet the requirements -- which sometimes are top secret!
    Jesper de Jong
    Java Cowboy
    Saloon Keeper

    Joined: Aug 16, 2005
    Posts: 14157

    Cryptic passwords are less safe than you'd think.



    Bear Bibeault
    Author and ninkuma
    Marshal

    Joined: Jan 10, 2002
    Posts: 61232

    Exactly! When free to use passwords of my own choosing -- I always pick a long pass-phrase that I can remember but would be nearly impossible to guess.
    Greg Charles
    Sheriff

    Joined: Oct 01, 2001
    Posts: 2851

    Jesper de Jong wrote:Cryptic passwords are less safe than you'd think.


    That's the same comic I linked to. Stupid me; I never think of just embedding images. I wonder if Randall has got the math right here though. He's certainly making some assumptions that didn't make the panels. Still, he's got a good point, and I hope to see more research on the topic. It wouldn't be the first time inconveniencing users to provide an illusion of security took precedence over, you know, actual security. TSA: I'm looking at you!
    Bear Bibeault
    Author and ninkuma
    Marshal

    Joined: Jan 10, 2002
    Posts: 61232

    I frequently take a pass phrase from the lyrics of a song -- after all, what's more memorable? Some previous passwords I've used: iputonsomemusictostartmyday, andImeanteverywordIsaid, and inthemiddleofmyroomIdidnothearfromyou.

    (Extra points to those who can identify the songs.)
    fred rosenberger
    lowercase baba
    Bartender

    Joined: Oct 02, 2003
    Posts: 11320

    Boston - More Than a Feeling
    REO Speedwagon - Keep On Lovin' You
    Stevie Nicks - Stand Back


    Too easy.

    unrelated: on this day in 1971, Led Zeppelin IV was released.


    There are only two hard things in computer science: cache invalidation, naming things, and off-by-one errors
    Stephan van Hulst
    Bartender

    Joined: Sep 20, 2010
    Posts: 3647

    Bunch of geezers :P
    Bear Bibeault
    Author and ninkuma
    Marshal

    Joined: Jan 10, 2002
    Posts: 61232

    That's when music rocked, my young Padawan!

    Kaustubh G Sharma
    Ranch Hand

    Joined: May 13, 2010
    Posts: 1270

    I also get pissed off having to fill in unreadable captchas..


    No Kaustubh No Fun, Know Kaustubh Know Fun..
    fred rosenberger
    lowercase baba
    Bartender

    Joined: Oct 02, 2003
    Posts: 11320

    Stephan van Hulst wrote:Bunch of geezers :P

    Respect the classics, man!!!

    And quite frankly, those songs are too young for my taste. Give me some Wynonnie Harris, Louis Prima, or Cab Calloway any day (and i'm several years younger than Bear, so I don't know what that makes me...)
    Stephan van Hulst
    Bartender

    Joined: Sep 20, 2010
    Posts: 3647

    Oh, I have a big list of classics that I really enjoy. Mind you, I don't think anything older than the 70s, except for actual classical music.

    I do think however that a lot of modern rock is under-appreciated, especially when compared to the classics. I think a factor is that these days the market is saturated with cheap horrible music that drowns out the good stuff.

    But of course, it's all subjective. Isn't it? Can one contend that a certain style of music is better than another simply by virtue of it having more fans? Because honestly I do consider Britney Spears' songs to be musically inferior to say, Prokofiev.
    Randall Twede
    Ranch Hand

    Joined: Oct 21, 2000
    Posts: 4347

    the used laptop i bought came with open office. they wanted me to register it so they can prove market share. since i am so grateful to have it, i decided i would. they required minimum 8 character password. i am so sorry Oracle. i use one password everywhere and it is only 6 characters.

    as for hotmail, aka MSN, they still have my old account blocked because they got hacked. i have had a hotmail account since 2000, long before microsoft took them over. maybe it's time to try gmail.
    Akhilesh Trivedi
    Ranch Hand

    Joined: Jun 22, 2005
    Posts: 1527
    Bear Bibeault wrote:Mine are stuck to my wall. Much better security than a monitor!

    There are about 5 corporate passwords that I have to change every three months. It's a nightmare, and they all have stupid requirements.



    We must have dinner together at your residence some day.


    Keep Smiling Always — My life is smoother when running silent. -paul
    Sameer Jamal
    Ranch Hand

    Joined: Feb 16, 2001
    Posts: 1870
    What will be the situation after 15-20 years or so? Requirements will be like:

    You need to scan both of your retinas (please remove your contact lenses).
    Please use any nine fingerprints out of your ten.
    Well, your facial bone structure doesn't fit our criteria for facial recognition; go and get some surgery.

    Akhilesh Trivedi
    Ranch Hand

    Joined: Jun 22, 2005
    Posts: 1527
    Sameer Jamal wrote:
    ...Please use any nine fingerprints out of your ten.




    Could be out of twenty too.



    "As a child, my father and I tried to design a birdfeeder that was easily accessible by birds but impossible to reach by squirrels. Our birdfeeders ranged from the simple to the absurd. Each design worked temporarily, but eventually the squirrels would figure out a way around our defenses. The more challenging we made our design the more cunning our squirrels had to be in order to defeat it. In essence, our efforts were helping breed a smarter, craftier squirrel.

    -Foreword - Hack Proofing Sun Solaris 8 By Wyman Miles, Ed Mitchell, F. William Lynch"




    Randall Twede
    Ranch Hand

    Joined: Oct 21, 2000
    Posts: 4347


    "As a child, my father and I tried to design a birdfeeder that was easily accessible by birds but impossible to reach by squirrels. Our birdfeeders ranged from the simple to the absurd. Each design worked temporarily, but eventually the squirrels would figure out a way around our defenses. The more challenging we made our design the more cunning our squirrels had to be in order to defeat it. In essence, our efforts were helping breed a smarter, craftier squirrel.

    after several years of camping i have finally found the way to defeat squirrels and raccoons. you run some twine or very thin rope between two trees, high enough off the ground so only a human can reach it. then you hang your food from the line. they haven't learned tightrope walking yet.
    Bear Bibeault
    Author and ninkuma
    Marshal

    Joined: Jan 10, 2002
    Posts: 61232

    Just a matter of time!

    Randall Twede
    Ranch Hand

    Joined: Oct 21, 2000
    Posts: 4347

    damned squirrels.
    the point is valid though. hackers will find a way regardless.
     