My favorite is when it must have punctuation, but certain punctuation is silently banned, so I have to keep refreshing my password generator until it gives me an acceptable combination.
reply
I came across a "special character" requirement while creating an account. The client validation was not the same as the server validation. The client proceeded as if my account was created, but it never was. The client functioned without an account until it was closed. I asked the creator what their app's problem was: why did I need to keep resetting my password, only to be told that I didn't have an account and had to create it anew?

They would not believe I was creating an account and using the device, because their own logging was so terrible.

I had to send them a screen recording from me using this abomination, and only then was I told "you're using the wrong special characters". They helpfully gave me some examples of allowed special characters, which then would pass the server validation.

I wish they would have gotten rid of the account requirement, as the device and client software seemed to work fine without them.

reply
Sometimes when that happens, and any of `:({ |&;` are on the no-no list, I try bypassing the client validations and setting my password to a shell fork bomb. So far as I'm aware it hasn't broken anything yet, but I'm determined to keep trying.
reply
Somewhat unrelated, is there any technical reason certain punctuation might be banned? I can understand maybe not allowing letters with diacritics or other NON-ASCII chars but why would a system reject an @ sign or bracket > for example?
reply
Depending on the protocol they can be URL-encoded or even helpfully HTML-encoded; the same password can be used over different protocols. It's best not to use punctuation by default (length supplies more entropy than charset); I add -0 at the end to make dumb password policies happy.
reply
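An added illustration of the encoding problem described above (example code, not from the thread or any product it mentions). It shows two ways a password containing `+`, `&` or `<` can silently differ between sign-up and login: a form body sent without proper percent-encoding turns `+` into a space and `&` into a field separator, and a server that HTML-escapes input before hashing at registration but not at login can never match again. The salt and the `hash_password` helper are constructed for the demo; a real system uses a random per-user salt.

```python
import hashlib
import html
from urllib.parse import parse_qs, quote_plus

# Constructed fixed salt for the demonstration only.
SALT = b"example-salt"


def hash_password(password: str) -> str:
    """Hash the exact Unicode string that reaches the server (demo helper)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, 100_000).hex()


def decode_form_field(body: str, name: str) -> str:
    """Decode one field from an application/x-www-form-urlencoded body."""
    return parse_qs(body, keep_blank_values=True)[name][0]


def password_survives_form(password: str, encode: bool) -> bool:
    """Does the password arrive unchanged when sent in a form body?

    With encode=False the client pastes the raw string into the body, so
    '+' becomes a space and '&' starts a new field on the server side.
    """
    field = quote_plus(password) if encode else password
    return decode_form_field("pw=" + field, "pw") == password


def login_ok_after_html_escaped_signup(password: str) -> bool:
    """Registration HTML-escaped the password before hashing; login did not.

    Any password containing &, <, >, " or ' is now permanently unmatchable.
    """
    stored = hash_password(html.escape(password))
    return hash_password(password) == stored


if __name__ == "__main__":
    for pw in ("plain", "a+b&c", "a&b<c>"):
        print(pw, "raw form:", password_survives_form(pw, encode=False),
              "encoded form:", password_survives_form(pw, encode=True),
              "html-escaped signup:", login_ok_after_html_escaped_signup(pw))
```

The fix on the server side is to hash the decoded bytes exactly as received and never apply output encoding (HTML escaping) to a secret that is only ever compared, never rendered.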
Often, the same ones with limited punctuation also have length limits, so maximizing the character options is the only way to maximize entropy.
reply
A lot of the restricted stuff is cargo-cult fear of symbols that could be used in SQL-injection or XSS attacks.

A properly-coded system wouldn't care, but the people who write the rules have read old OWASP documents and in there they saw these symbols were somehow involved in big scary hacks that they didn't understand. So it's easier to ban them.

reply
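An added example (not from the thread) of what "a properly-coded system wouldn't care" looks like in practice: the password is hashed as raw bytes and only ever passed to the database as a bound parameter, so the shell and SQL metacharacters that policies tend to ban (`:({ |&;`, quotes, `--`) are plain data. The table layout, the `register`/`verify` helpers and the constructed test passwords are assumptions for the demo.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed password built from the characters the thread says get banned.
AWKWARD_PASSWORD = ":({ |&;' OR 1=1 --"


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow hash over the raw UTF-8 bytes; the KDF has no notion of 'special' characters."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def create_store() -> sqlite3.Connection:
    """In-memory user table (assumed schema for the demo)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, hash BLOB)")
    return conn


def register(conn: sqlite3.Connection, name: str, password: str) -> None:
    salt = os.urandom(16)
    # Bound parameters: the password never becomes part of the SQL text,
    # so injection-looking strings are stored as harmless data.
    conn.execute(
        "INSERT INTO users (name, salt, hash) VALUES (?, ?, ?)",
        (name, salt, hash_password(password, salt)),
    )


def verify(conn: sqlite3.Connection, name: str, password: str) -> bool:
    row = conn.execute("SELECT salt, hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(hash_password(password, salt), stored)


def user_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    db = create_store()
    register(db, "alice", AWKWARD_PASSWORD)
    register(db, "bob", "x'); DROP TABLE users; --")
    print("alice ok:", verify(db, "alice", AWKWARD_PASSWORD))
    print("alice wrong:", verify(db, "alice", "wrong"))
    print("users still present:", user_count(db))
```

Because the stored value is a salted slow hash, the character set of the input has no effect on storage or lookup; the only length constraint worth enforcing is a generous upper bound (the 1 KiB mentioned in the thread is a reasonable one) to keep KDF cost bounded.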
Having more than just alphanumeric characters widens the domain of the password hash function, and this directly increases the difficulty of brute-force cracking. But having such a small maximum password length is... puzzling, to say the least. I would accept passwords of up to 1 KiB in length.

With rainbow tables, even 11-character simple passwords like 'password123' can be trivially cracked, and as the number of password leaks shows, not everyone is great at managing secrets and credentials.

reply
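An added worked calculation (not from the thread) putting numbers on the charset-versus-length argument made in this post and a few above it. For a uniformly random password the entropy is `length * log2(charset)`, so the functions below compare a 12-character cap across charsets, a longer alphanumeric password, a word-based passphrase, and the penalty a case-insensitive field (as one commenter's bank has) imposes. Charset sizes and the 7776-word dictionary size are the usual figures for printable ASCII and diceware; they are stated assumptions, not data from the page.

```python
import math
import string

ALNUM = len(string.ascii_letters + string.digits)          # 62
PRINTABLE_ASCII = 95                                       # space through '~'
CASE_INSENSITIVE_ALNUM = len(string.ascii_lowercase + string.digits)  # 36
DICEWARE_WORDS = 7776                                      # assumed dictionary size


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random string of `length` symbols."""
    return length * math.log2(charset_size)


def passphrase_bits(words: int, dictionary_size: int = DICEWARE_WORDS) -> float:
    """Bits of entropy in a passphrase of `words` random dictionary words."""
    return words * math.log2(dictionary_size)


def min_length_to_match(target_bits: float, charset_size: int) -> int:
    """Shortest length over `charset_size` that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(charset_size))


def compare_policies(max_length: int = 12) -> dict:
    """Entropy ceiling of several policies, all capped at `max_length` symbols."""
    return {
        "capped, alphanumeric": entropy_bits(ALNUM, max_length),
        "capped, full printable ASCII": entropy_bits(PRINTABLE_ASCII, max_length),
        "capped, case-insensitive": entropy_bits(CASE_INSENSITIVE_ALNUM, max_length),
        "uncapped, 16 alphanumeric": entropy_bits(ALNUM, 16),
        "uncapped, 5-word passphrase": passphrase_bits(5),
    }


if __name__ == "__main__":
    for policy, bits in compare_policies().items():
        print(f"{policy:32s} {bits:6.1f} bits")
    print("alphanumeric length needed to beat 12 printable chars:",
          min_length_to_match(entropy_bits(PRINTABLE_ASCII, 12), ALNUM))
```

Widening the charset from 62 to 95 symbols buys about 7 bits at a 12-character cap, while allowing two more alphanumeric characters buys more than that; lowercasing before hashing costs about 9 bits at the same cap. This is why the thread's complaint is specifically about the maximum, not the minimum.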
It's easier for me to remember really long passphrases than even short alphanumeric strings - small maximum password lengths set my teeth on edge. The passwords should be getting hashed anyway right?
reply
The problem is that you never really know what a website operator does with your credentials. Ideally, you have both a unique email and a unique password for each site, because sadly credential stuffing [1] is a thing.

[1] https://en.wikipedia.org/wiki/Credential_stuffing

reply
Should being the operative word...
reply
I bet the rationale would be "anything over 12 characters will be too hard to remember and people will just write down the password."
reply
But it's a maximum. It prevents people that want to use passphrases from doing so.
reply
I think we (whoever we is) should start normalizing the concept of passphrases; on sign-up screens they should show the benefits of a passphrase. I'm surprised that Google's PW generator does not use passphrases, and I don't know about iOS because I haven't tried theirs yet.

I started using passphrases after I saw this xkcd https://xkcd.com/936/

When I'm trying to log into something on a device that has a terrible keyboard, like a TV or giant touchscreen, it's a lot easier to type words I know than gibberish.

reply
correct horse battery staple; knew it before I clicked the link.
reply
Until the late 2010s, the AD account password at my financial institution employer was capped at 12 characters because, for a subset of workers, AD creds were synced to a mainframe application that could only support that many characters.
reply
I recommend that all my friends and family use a password manager like Bitwarden, and if they can't do that for some reason, at least use a 3-word passphrase separated by hyphens.

The number of times people have complained to me that this doesn't work because of low max-chars on passwords is insane.

reply
One time I had to reset my password with the power company - they had such a system, and the lady had to read me something like:

Uh4zB4DP55WD!

Apparently I was a bit salty with the system when I set it.

The fact that she shouldn't have even been able to look up the password in the first place due to hashing was lost on her.

reply
That's pretty funny on a few levels, not least that they required a "secure" password like that but stored them in plain text.
reply
I regularly conduct transactions at the branch of my local bank wherein they ask me for no credentials whatsoever. I also once forgot to bring my account number with me and the teller said "no worries, I'll look it up for you." Kind of horrifying.
reply
Oh! But that’s safe! Secret question time: What’s your mother’s maiden name.
reply
It helps that it’s a jailable offense to make fraudulent transactions
reply
My bank’s password field is case insensitive. Of course they could have lowercased it before hashing but I doubt it.
reply
Yeah I was a bit shocked... like... you're not supposed to know that!
reply
Haha having such a low range of max chars just makes it that much easier to brute force doesn't it?

On password length, I once had an account on Aetna that let me put whatever I wanted for my password, so I used a three-word passphrase that Bitwarden generated for me. It ended up being like 20 chars.

Then I tried to log in with that password. Whooosies, the password input only allowed max 16 chars!

Ended up using a much less secure password because of this.

reply
Maximum lengths like this are like a big neon sign that says:

"Hey idiot, I'm storing your password in plaintext, don't know anything about password security, and I'm also going to make you pick something you can't remember for 'security'."

reply
> Pick up the can!

Gotta admit, this triggered me. I don’t think those are the same thing. If no one had a good password we wouldn’t affect each other negatively. If no one picked up trash, we would.

Edit: Sorry folks, didn’t get the reference.

reply
I'm pretty sure it's referencing Half-Life 2, where an agent of an oppressive regime tells you to pick up a can that they just dropped on the floor as a sadistic display of authority (and to provide world-building and teach the grab mechanics to the player).

The GP is equating policies for strong passwords that aren't trivially cracked with authoritarianism.

If no one had a good password, we actually would affect each other negatively. If your personal banker can be easily compromised, that means that you could be easily parted with your money.

I do agree that they are not the same thing.

reply
> The GP is equating policies for strong passwords that aren't trivially cracked with authoritarianism.

Incorrect - the requirements I mentioned make passwords less memorable and less secure (maximum length 12???). Obviously that's not as bad as authoritarianism, but I was trying to capture the arbitrary act being forced on us for no real justifiable reason.

reply