Collection of sites with dumb password rules

There are a couple of sites I use that make you retype, not paste, the password into the confirm password field. Ok, I guess it’ll be
p@ssw0rd7!!
instead of
DMwQ(>`sA:A{0N{P(’|e#6c$|sCoQ:{LN!x,k[9}wv0=/-sRG5Gc,Aw|MJpJ$en

4 Likes

I’ve gotten to the point of unique email addresses for accounts with an appended long hash. So like FaceBook-vHQI8Ms1fDTEAmL78WQ@blah.com. It helps that I control my own email server on my own domains, so I can spawn addresses like that. It spreads the accounts out, so it is trickier to just link each account if somebody was trying to match accounts.

What I hate are the unlock questions: you might have a 25-character random hash of a password, and then the account could be unlocked with, say, the word fluffy, essentially destroying all security. I started just putting in long hashes for those and storing them in a password vault.

3 Likes

I’m dancieing up Sinisfoot with Reggahol RIGHT NOW!!

6 Likes

I ran into a bank that wouldn’t allow pasting of passwords. The level of stupid was staggering.

2 Likes

There actually is a reason to set an upper limit, but we’re talking around 100-1000 characters for an upper limit.

Older password hashing functions would take a random salt and your password and then hash them: hash = function(salt, password). Theoretically a larger password took longer to hash, but not enough to really matter.
Modern password hashing functions work by iterating on this process: start with the salt as an intermediate value, then hash the intermediate and the password, storing the result as the new intermediate. Do that a total of 1000 (or more) times and the final result is the hash. (The exact details vary, but this is good enough to explain the point.)

In the old method a longer password takes longer to hash, but only by hundredths of a second or less. The modern methods are designed to take a long time: you pick an iteration count that causes an “average” password to take a tenth or even a whole second to hash. If you allow a password 1000 times longer than average, then it could take 100+ seconds to hash. This lets attackers bog down your login system, denying access to real users.

So, if we say average is 10 characters, and we are tuned to take a tenth of a second, and we don’t want to take more than 2 seconds per login attempt we would set an upper limit around 200 characters.

OWASP advises around 160 is a good max length.

3 Likes
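To make the cost argument in the post above concrete, here is an added example (not code from the thread or from any real password library). It implements the toy iterated scheme exactly as the post describes it, start with the salt, then repeatedly hash intermediate-plus-password, and counts bytes fed to the hash function as a deterministic stand-in for wall-clock time. It then applies the post's own arithmetic (10-character average, 0.1 s per hash, 2 s budget) to derive a 200-character cap, and shows that enforcing the cap before hashing turns an oversized submission into a free rejection. The function names, the fixed salt and the sample passwords are constructed for the demo.

```python
import hashlib


def iterated_hash(password: bytes, salt: bytes, iterations: int = 1000) -> tuple[bytes, int]:
    """Toy version of the iterated scheme the post describes (not a real KDF):
    start with the salt as the intermediate value, then repeatedly hash
    (intermediate || password), keeping the digest as the new intermediate.

    Returns the final hash and the total number of bytes fed to the hash
    function, used below as a deterministic stand-in for CPU time."""
    intermediate = salt
    bytes_hashed = 0
    for _ in range(iterations):
        block = intermediate + password
        bytes_hashed += len(block)
        intermediate = hashlib.sha256(block).digest()
    return intermediate, bytes_hashed


def max_password_length(average_len: int, average_seconds: float, budget_seconds: float) -> int:
    """The post's arithmetic: hashing cost grows roughly linearly with length,
    so the longest password that fits the time budget is the average length
    scaled by budget / average cost. 10 chars, 0.1 s and a 2 s budget give 200."""
    return int(round(average_len * budget_seconds / average_seconds))


def is_within_limit(password: str, max_len: int) -> bool:
    """Length check to run *before* hashing, so an oversized submission costs
    the server a length comparison rather than a thousand hash iterations.
    Measured in UTF-8 bytes, since that is what the hash function consumes."""
    return len(password.encode("utf-8")) <= max_len


def login_cost(password: str, salt: bytes, max_len: int, iterations: int = 1000) -> int:
    """Bytes of hashing work one login attempt costs the server: zero when the
    length check rejects it up front, otherwise the full iterated hash."""
    if not is_within_limit(password, max_len):
        return 0
    _, bytes_hashed = iterated_hash(password.encode("utf-8"), salt, iterations)
    return bytes_hashed


if __name__ == "__main__":
    salt = b"\x00" * 16                         # constructed fixed salt so the demo repeats
    limit = max_password_length(10, 0.1, 2.0)   # 200, as in the post
    typical = "correct horse"                   # constructed typical-length password
    huge = "A" * 10_000                         # 1000x the "average" length
    print("length cap:", limit)
    print("typical password costs", login_cost(typical, salt, limit), "bytes of hashing")
    print("10k-char password costs", iterated_hash(huge.encode(), salt)[1],
          "bytes uncapped, but", login_cost(huge, salt, limit), "bytes with the cap")
```

Note that the ratio between the huge and typical cost is well under 1000 here, because each iteration also hashes the fixed-size intermediate value; the scaling is linear in length plus a constant, which is why the post's "100+ seconds" is an upper-end estimate rather than an exact one.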

“no more than 3 consecutive letters that can be found in the dictionary” - which dictionary? And can’t all letters be found in the dictionary? I guess it’s all special symbols and numbers, then!

2 Likes

What makes the cumbersome rules even worse is when they don’t tell you the ^@#$^@# rules up front. They dole them out one at a time, as you violate each rule in succession:

“airport”
ERROR: PASSWORD MUST BE A MINIMUM OF 8 CHARACTERS.

“airports”
ERROR: PASSWORD MUST CONTAIN A MIXTURE OF UPPER AND LOWER CASE.

“airPorts”
ERROR: PASSWORD MUST CONTAIN AT LEAST ONE DIGIT 0-9.

“airPorts7”
ERROR: PASSWORD MUST CONTAIN AT LEAST ONE NON-ALPHA, NON-NUMERIC CHARACTER.

“air#Ports7”
ERROR: PASSWORD MUST CONTAIN THE FIRST NAME OF A MEMBER OF THE PARTRIDGE FAMILY.

“air#Ports7Laurie”
ERROR: TOO MANY ATTEMPTS. ACCOUNT IS LOCKED. CALL CUSTOMER HELP LINE.

7 Likes

Well yeah but I’m talking about the ones that have a limit of 8 or 10 characters. Some developer has actively decided that that’s a sensible limit and implemented it. Probably the same type of developer who prohibits pasting into the password field.

“Your password must be longer than 7 characters, contain an upper case letter, a lower case letter, a digit between 3 and 5, three forms of punctuation, it must include the initials of a historic Mongolian warlord, it may not contain two or more consecutive sequential alphabetic characters, it must be divisible by a prime number, and it cannot include any word found in the OED.

As a time saving measure for you, our valued customer, you should know there is only one password that actually complies with all these requirements. It has been assigned to your account.”

4 Likes

I’ve always thought that the only correct way to do this if you’re going to do it at all is to run a script that tries to crack your password using all the lowest hanging fruit algorithms. If you are trying to make people understand that their password is weak, show them that a computer can crack it in nothing.

Also show them the below video as well which is a good explainer on how crap most people’s passwords are and shows how some ‘not entirely terrible’ passwords can easily be brute forced using graphics cards.

2 Likes
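The post above suggests showing users how quickly cheap guessing finds their password instead of lecturing them with rules. Here is an added example of that idea (not code from the thread or from any cracking tool): a strength check that walks the "lowest hanging fruit" search space, a small constructed wordlist with case changes, leet substitutions, appended digits or years and a trailing symbol, and reports how many guesses it took. The wordlist, the substitution table and the suffix lists are constructed for the demo; a real check would feed a large leaked-password list into the same loop.

```python
import itertools

# Constructed mini wordlist standing in for the leaked-password lists a
# cracker tries first; real lists run to millions of entries.
COMMON_WORDS = ["password", "airport", "fluffy", "letmein", "qwerty", "welcome"]

# Cheap character substitutions that rule-based crackers apply automatically.
LEET = {"a": ["@", "4"], "e": ["3"], "i": ["1", "!"], "o": ["0"], "s": ["$", "5"]}

# Typical append rules: a short number, a recent year, a trailing symbol.
SUFFIXES = [""] + [str(n) for n in range(100)] + [str(y) for y in range(1990, 2030)]
SYMBOLS = ["", "!", "!!", "#", "$"]


def leet_variants(word):
    """Every combination of leaving each character alone or substituting it."""
    options = [[ch] + LEET.get(ch, []) for ch in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def candidates(word):
    """Guesses derived from one base word: three case variants, each with every
    leet substitution, each then with an appended suffix and trailing symbol.
    dict.fromkeys keeps insertion order while dropping duplicates."""
    bases = dict.fromkeys([word.lower(), word.capitalize(), word.upper()])
    expanded = dict.fromkeys(v for b in bases for v in leet_variants(b))
    for base in expanded:
        for suffix in SUFFIXES:
            for symbol in SYMBOLS:
                yield base + suffix + symbol


def guesses_until_cracked(password, words=COMMON_WORDS):
    """Number of guesses the cheap rule-based search needs to hit the password,
    or None if the password survives the whole low-effort search space."""
    guesses = 0
    for word in words:
        for guess in candidates(word):
            guesses += 1
            if guess == password:
                return guesses
    return None


def strength_report(password):
    """Human-readable verdict to show the user instead of a list of rules."""
    n = guesses_until_cracked(password)
    if n is None:
        return "not found by cheap dictionary rules (stronger attacks still apply)"
    return f"cracked after {n} guesses; a GPU would find this instantly"


if __name__ == "__main__":
    # Constructed samples: two "rule-compliant" passwords from the thread and one random one.
    for pw in ["airport", "p@ssw0rd7!!", "Fluffy1!", "DMwQ(>`sA:A{0N{P"]:
        print(f"{pw!r}: {strength_report(pw)}")
```

The point the report makes is the one the post makes: a password that satisfies every upper/lower/digit/symbol rule can still be a dictionary word with a few predictable decorations, and the decorations are exactly what the rules of a cracker enumerate first.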

KeePass 2, which I use, lets you copy the password to the clipboard with a click and wipes it shortly afterward; that might fit your use-case. I imagine other software has a similar feature.
(Assuming there’s a reason you’re not using key auth to get into your servers…)
