I'm not sure but I think the previous password is mostly stored in an unrecoverable format and only upon changing your password, when you have to enter your previous one, does it store it in an unrecoverable format for 10x or so generations.
Just a guess though for how AD might do it.
My understanding is this is done by saving the hashes and checking the current password against them, and (I'm much less concrete on this one) for "similar" it will run common iterations of the password and save those hashes.
At a previous job one of the sysadmins checked all AD users for repeated hashes, and compared against hashes of the top 1000 most common passwords. He also identified one of the IT people had the same hash for both their normal account and their domain admin account, and spoke with them individually to change their domain admin account password.
Or by generating the hashes of all expected permutations of the password the user has just set, and keeping them until the next password is set to compare against. Granted, that would be a prodigious number, but technically doable.
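The scheme the two comments above describe, written out as an added example (not code from any of the posters or from AD): previous passwords are kept only as salted PBKDF2 hashes, and a new password is rejected if it, or a common tweak of it, hashes to one of them. The set of tweaks in `variants` and the iteration count are my own choices for the demo.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # kept low for the demo; use a stronger KDF/cost in production

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def variants(password: str):
    """Common mutations people make when forced to change a password
    (constructed list; extend as your own history data suggests)."""
    yield password
    yield password.lower()
    yield password.upper()
    yield password.capitalize()
    stripped = password.rstrip("0123456789")
    if stripped != password:
        yield stripped                       # "Spring2024" -> "Spring"
        digits = password[len(stripped):]
        n = int(digits)
        for d in range(1, 4):                # "Spring2024" -> "Spring2023", ...
            if n - d >= 0:
                yield f"{stripped}{n - d:0{len(digits)}d}"
    if password and password[-1] in "!?.$":
        yield password[:-1]                  # "Spring2023!" -> "Spring2023"

class PasswordHistory:
    """Keeps the last `generations` password hashes, never the passwords."""

    def __init__(self, generations: int = 10):
        self.generations = generations
        self.entries: list[tuple[bytes, bytes]] = []  # (salt, hash)

    def is_reused(self, candidate: str) -> bool:
        # Hash each variant with each stored salt; a match means the candidate
        # is an old password or a trivial edit of one.
        for v in set(variants(candidate)):
            for salt, stored in self.entries:
                if hmac.compare_digest(hash_password(v, salt), stored):
                    return True
        return False

    def set_password(self, new: str) -> None:
        if self.is_reused(new):
            raise ValueError("password matches a recent password or a close variant")
        salt = os.urandom(16)
        self.entries.append((salt, hash_password(new, salt)))
        del self.entries[:-self.generations]  # drop anything older than N generations
```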
It feeds your last three passwords into an LLM and it decides if your next password is similar or not. This rule brought to you by Nvidia. Nvidia: the next time your company wants to apply AI to things where AI doesn't belong, think Nvidia.
The best part to me is that they include all of these rules to increase the security, but then set a maximum length of the password, which from my understanding is the easiest way to add complexity/security to a password.
The actual funny (or sad) thing about this: even without a length limit all they do is make the password less secure because every constraint just reduces the possible password space.
As someone who generates every password with a password manager those sites are a pain in the ass because you have to somehow get these constraints into the generator.
Maximum length is the biggest red flag to me and was the catalyst for me making the effort to switch to unique passwords per-account years ago. There's just so, so many shitty homerolled security systems out there... and data breaches seem to be a perennial problem these days.
There's just no excuse for limiting the length if you're doing security correctly (other than perhaps a large upper limit just to protect against someone DOSing the backend with a bunch of 100MB strings; 512 characters seems reasonable).
By setting an upper limit, you're basically saying one or more of these things:
We store your password in plaintext
We store a hash but our hashing function has an unnecessarily arbitrarily limited input size
The person/team implementing the backend has no idea what they're doing and/or just copy pasted login code from stack overflow
We tried to get away with minimal password requirements but some middle manager wouldn't rubber stamp it without arbitrary_list_of_bs
My 'favorite' password rules are incorrect rules. Recently signed up to a service, which looked like it hasn't been updated since the 90s. They sent me my password via letter, but hey, I was allowed to change it digitally.
So, I did. I set it to a reasonably long password (probably something like 22 characters), with no problems.
Then I went to login and it refused my login. I copied my password out of my password manager, for both setting it and logging in, so there was no way that it was wrong. I quadruple checked the login name, but no luck.
Eventually, I manually typed the password from my password manager. Then I saw it: their password field stopped accepting inputs after about 20 characters.
Presumably, I was able to set my long password on the registration page, but the login page did not accept this long of a password. Fucking ace.
I had to order another password letter.
As a website developer, it’s easy to just use the 'maxlength' attribute on fields you don’t want to exceed a certain length (for valid reasons or not). But then exactly this happens: A user pastes something in there, doesn’t notice that their input got truncated, and something, somewhere breaks.
I understand why stored information, such as passwords, usernames, stuff like that, has to have a max character count.
What I don't get is why so many people are so daft as to let stuff like this happen, and not even put the maximum password length anywhere people can obviously see it.
If you tell me what the maximum limit is, I'll be able to keep my password shorter than that.
But no.... Password minimum length is shown, symbols, numbers and special character requirements are plainly stated. Maximums? Ha.
Should have right clicked and hit 'inspect element' and changed it from 20 to 32487839423 then entered it. Bet it would have worked because, you know, HTML hackers.
I recently made a bit of software that does this. Maximum username and password length of 100 chars can be set, but the login panel only allows you to put 50 chars in the username and password fields. So if you use a password or username longer than 50 chars, you'll soft lock yourself out.
But I picked it up in QC testing, it got nowhere near prod. And I'm a one man band. I can't fathom how a company could let that get past QC.
If I was a bad guy and saw this, I would look for users with many different characters in long names and brute force them, because there's a high chance they just removed all characters in their names from the pool to generate a password, making it faster to go through the leftover combinations.
Fine, the hacker can see I ordered vegetable vindaloo last Friday. There's no credit card information stored.
For banks, make your password requirements as hard as you want. For everyone else, I feel like the developers are LARPing as security professionals to make their boring job making web pages for local businesses interesting.
I shared this one with the other IT people at work suggesting we should set it as our new corporate password policy. One of the guys literally finished the game. It took him a week but he did it.
I just wish these password requirements could be added as an attribute to the password field so password managers could generate a password that matches those rules.
One that I loved was that you couldn't set any from a list of "common passwords"... You couldn't include anything from that list in any password you used. So if the list included the word "green" then "3875429$##&!32++_@greenbean2284&$@" would be rejected.
That could either mean they want to limit DDOS traffic caused by absurdly long passwords, but unlikely.
Or they store your passwords in plain text instead of a proper hash value in their way too small fields in database.
A more absurd possibility would be if they limit characters because they send the form by GET instead of POST and everybody could see your password in the URL (e.g. in all logs).
Security nightmare in any case.
I've never been super into the idea of using a password manager rather than just using complex but memorable passwords for everything, but policy like this basically necessitates using one.
The internet banking portal for one of my banks forces a monthly password reset. As a result it is the only bank account for which I have the password saved in my browser, instead of being a nice long memorable phrase that lives only in my head.
They invariably do. They always constrain the list of things that a fully random generator could possibly make. They never add to that list.
Even rules like "can't use the same character twice in a row" constrain the list at least a little. That one makes it harder for dumb people to do dumb things, but also makes it harder for smart people to do smart things.
Don't forget general filters for bad passwords. That means no part of your name, username, anything sequential, your birthday, your pet's birthday, or any of the 1000 most common passwords.
Wrote this in a different thread but the way PlayStation handles this...
Password reset is limited to 30 characters. Login isn't.
That would be fine if the password rules on reset would actually mention this and not just cut off the password at 30 characters without telling you that it is too long. So I generated the password used that on reset, saved it, login wrong...
I couldn't login to my PlayStation account because my 32 characters long password saved in my bitwarden vault wasn't correct.
Even worse, on the first support request I was basically told "looks fine on our side, bye".
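The failure mode in this post and the earlier maxlength/plaintext comments, shown as an added example (my own code, not PlayStation's or any poster's): one length policy shared by registration and login, the maximum stated in the error, and a fixed-size scrypt hash so the database column never dictates the limit. `truncating_login` reproduces the silent 30-character cut for contrast. The 512 cap follows the comment above; the other names are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

MIN_PASSWORD_LEN = 12
MAX_PASSWORD_LEN = 512   # only guards against enormous request bodies

def policy_error(password: str) -> Optional[str]:
    """Return a message naming the real limits, or None if the password is acceptable."""
    n = len(password)
    if MIN_PASSWORD_LEN <= n <= MAX_PASSWORD_LEN:
        return None
    return f"password must be {MIN_PASSWORD_LEN}-{MAX_PASSWORD_LEN} characters, got {n}"

def derive(password: str, salt: bytes) -> bytes:
    # scrypt output is 32 bytes whether the input is 12 or 512 characters,
    # so a hash column imposes no limit on password length
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)

class Accounts:
    def __init__(self) -> None:
        self._store: dict[str, tuple[bytes, bytes]] = {}  # user -> (salt, hash)

    def register(self, user: str, password: str) -> None:
        err = policy_error(password)      # the same check login uses, so they cannot drift
        if err:
            raise ValueError(err)
        salt = os.urandom(16)
        self._store[user] = (salt, derive(password, salt))

    def login(self, user: str, password: str) -> bool:
        if policy_error(password):        # out-of-policy input can never have been stored
            return False
        if user not in self._store:
            derive(password, b"\0" * 16)  # keep timing similar for unknown users
            return False
        salt, stored = self._store[user]
        return hmac.compare_digest(derive(password, salt), stored)

    def truncating_login(self, user: str, password: str, maxlength: int = 30) -> bool:
        """The bug described in the thread: a login field silently cut at
        `maxlength` while the reset/registration form accepted the full string."""
        return self.login(user, password[:maxlength])
```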
Your password must contain at least 62 characters; you may only use lowercase and uppercase characters and numbers. All characters and numbers must be unique and sorted alphabetically; numbers may only be ordered ascending.
Fucking macOS man. No 2 repetitive or 3 consecutive, so when using a random password generator you still can’t have loads of words and have to try multiple times to get it…