What are the most retarded password restrictions you've ever seen? I'll start with my job that forces me to change every other month:
>Must have 8 characters minimum
>But also can't go over 14 characters
>Must have two numbers
>But also can't start or end with a number
>Must have at least one lower case
>Must have at least one upper case
>Must have any of the following: !^*()_|~`{}.#:#;'?,
>Any other special character will NOT be accepted
>Can't match any of the previous 4 passwords used
>In fact, can't even be "similar" to any of the previous four passwords used
>Can't have more than two repeating characters
>Can't have character or number sequence
>Can't be your login name
>Can't be personal information about yourself
Some of these make sense. Some of them are fucking retarded, and the "similarity" clause tells me they store passwords in fucking plain text to even know that the password is "similar" to a previous one you used. As an example, I had a password like T1mIsanAnu5! and changed it to [T1mIzanAnu5] and it was able to tell that the two passwords were "similar" and rejected it. Pic related. Then they wonder why they find in security audits that everyone, even head executives, has their fucking passwords on fucking sticky notes out in the open.
I don't, but literally everyone I know in the 3 different offices in 3 different states that I work for do. Some think they're smart by keeping them under their keyboard or something instead of just hanging off the monitor.
Those are the requirements for passwords I had when working at a bank card processing company.
Jace Bailey
>In fact, can't even be "similar" to any of the previous four passwords used
This shit is a big fucking huge red flag. It means that they are keeping passwords in plain text.
David Taylor
>>But also can't go over 14 characters
>>But also can't start or end with a number
>>Any other special character will NOT be accepted
This is the shit that drives me up the wall. If you want me to make a super password, don't tie my fucking hands. I need my money sign, we out here.
Carson Sanchez
At my job, our password must be exactly 8 characters long, contain no special characters, and have at least one number.
Probably due to legacy crap. I work at a financial institution.
Aiden Ortiz
Wouldn't even be an issue with me if I'm able to use a password manager, such as KeePass. You can set an entry's generation rules and expiration dates.
Alexander Lee
>and the "similarity" clause tells me they store passwords in fucking plain text to even know that the password is "similar" to a previous one you used.
OP is aware.
Isaac Long
>ITT, complaining about a non issue because you can just use padding like any normal person
Also, last 4 passwords? So change your password 4 times and then change it back to the original one.
Samuel Barnes
There's a limit of 2 changes per day. Padding your password doesn't work because of the "similarity" clause. If you use the same password but pad it out, it will tell you it's "too similar."
The two dumbest ones I've seen are:
>must be no more or less than 8 characters
>cannot use ! or repeating characters
Jaxson Flores
Password length limits and similarity checks are both serious security concerns.
Caleb Miller
>>Must have 8 characters minimum
>>But also can't go over 14 characters
NTLM?
Luke Cooper
I can test it out tomorrow (used my password changes today) but from experience I'd assume so. I think it takes into account the positioning of special characters, capitalization, and proximity of characters. So in the case of the passwords you provided, I think they get disqualified from the start just from the ki2 combo. Even if the first one has a 1 before, I've tried mixing characters up in a similar fashion and still triggered the "lol nope" message. It's fucked. I have a pretty neat handful of strong passwords that I use and pad, but shit like this feels near impossible to humanly do every fucking month while having a storage of 5 passwords that meet their shitty criteria. I could Keepass but I need to log into my work laptop using this password at Windows startup so I'd prefer it be something I can easily and quickly type without pulling my fucking phone out all the time. Especially when the laptops are set to automatically lock after 5 minutes of inactivity and you can't disable that.
I fucking hate this. It gets more and more strict every few months. The "don't start your password with a number" for instance just showed up like 2 months ago. It's like they just arbitrarily think up new restrictions just for the fuck of it. I imagine that soon they'll say no starting with special characters as well. After so much restriction, you'd think they'd realize they're actively making passwords weaker by eliminating character combinations.
Oh, and most of my strong passwords are over 14 fucking characters.
Josiah Bell
You can do similarity checks without storing the password in clear text. Just have to have a program that strips all the fluff off of it, detects lower case letters in sequence of at least 3, hashes those, and stores that with maybe some location and order meta. For example: Foxh()und12! and Foxhund45^ would be similar due to both having oxh followed by und.
Of course this is turbo-autism and no one probably does this
Literally just change it 4 times and then back to the old password problem solved
Jayden Gray
The more restrictions/guidelines they add, the easier it is to crack. At least you get up to 14 characters, though; the place I work at has a limit of 10.
Lincoln Reed
My bank has only 2 rules for passwords
>Must start with exactly 4 letters
>Must end with exactly 2 numbers
Benjamin Lopez
Forgot to mention in OP but
Liam Nelson
Oh, they could also I guess be generating a mask and hashing that. So the mask for both my examples is the same at: ulllssllldds
Can also do trimming and compare so it must be less than 75% similar. So any 9 sequential masks cannot be the same as any 9 sequential masks of the new password.
Still turbo-autism
Bentley Jackson
They impose a 14 character limit on passwords. They are not jumping through all those hoops for their similarity checks, they'll just store the passwords as plaintext. Search your heart, you know it to be true.
Joshua Green
They want you to change your passwords often. Clearly they're retards and have no idea what they're doing.
Brayden Myers
My university EE department was, back in 2012:
>must be 8 letter passwords
>must include upper, lower and numbers
>must not be similar to the last 5 passwords
>change every 3 months
I wrote an email bashing them for limiting my password size and storing it in plaintext. A few weeks later they sent out an email saying that they had changed password restrictions.
the new one was
>min 8 characters
Colton Carter
How does password comparing work? I've understood that hashing algorithms snowball so even a small input will alter the output drastically.
Jack Reed
>cannot be similar to previous password
>storing passwords in clear text
Shiggerydiggerydoo.
Nicholas Brooks
All these restrictions just reduce the number of possible symbol combinations and make a brute force attack easier to implement. And yes, they are storing passwords in plain text. Password restrictions should be removed and the ONLY thing they should force you to do is have at least 6 characters in length. Then, you should just use OTP as a 2nd form of required authentication.
They keep a plain text version of the password somewhere.
Jeremiah Adams
>how does password comparing work
They store the passwords in plaintext.
Julian Reyes
What's wrong with 14 character limit aside from boxing you into making a shorter password than what you may normally like?
Robert Watson
I too work at a financial institution.
>passwords expire every 30 days
>keep trying nice secure passwords
>system keeps rejecting
>use password same as last time with a different number at the end
>accepted
Fug.
Oliver Collins
That's pretty much what I thought.
Oliver Miller
>password not accepted
>password not accepted
>password not accepted
>account locked. reset password *here*
>new password can't be same as old password
>>What's wrong with 14 character limit aside from boxing you into making a shorter password than what you may normally like?
You could make a brute force formula to crack a password using all their fucking restrictions. They're literally giving you boxes to tick to make it easier... Never try to guess more than 14 characters. Check!
I mean, that's in theory. I know fuck all about cracking and coding, but logically what I'm saying seems correct.
Jayden Cooper
You are correct. The more rules you add to a password the easier it is to guess. Each rule added reduces the total amount of possible passwords. At most all you need is "password should be X or more characters" because then that password could be anything, greatly increasing the difficulty to guess.
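To put a number on the "each rule shrinks the set" argument, here is an added example (mine, not from any poster) that counts how many strings the OP's rule set actually admits, versus an unconstrained 8 to 14 character policy. It models length 8..14, at least two digits, no digit first or last, at least one lower, one upper and one special from the OP's 18 allowed symbols; the repeat, sequence and history rules are not modelled and would shrink the set further. Function and parameter names are my own.

```python
from functools import lru_cache

# Class sizes for printable ASCII; the special count comes from the OP's list.
LOWER, UPPER, DIGIT = 26, 26, 10
OP_SPECIAL = len(set("!^*()_|~`{}.#:#;'?,"))  # 18 distinct symbols in the OP's rule
ALL_SPECIAL = 95 - LOWER - UPPER - DIGIT        # 33 if any special were allowed


def count_policy(length, min_digits=2, special=OP_SPECIAL, no_edge_digit=True):
    """Strings of `length` with >= min_digits digits, >= 1 lower, >= 1 upper,
    >= 1 special and (optionally) no digit in the first or last position.
    Dynamic programme over positions; state = (digits seen, capped; lo; up; sp)."""
    @lru_cache(maxsize=None)
    def go(pos, d, lo, up, sp):
        if pos == length:
            return int(d >= min_digits and lo and up and sp)
        total = LOWER * go(pos + 1, d, True, up, sp)
        total += UPPER * go(pos + 1, d, lo, True, sp)
        total += special * go(pos + 1, d, lo, up, True)
        if not (no_edge_digit and pos in (0, length - 1)):
            total += DIGIT * go(pos + 1, min(d + 1, min_digits), lo, up, sp)
        return total
    return go(0, 0, False, False, False)


def keyspace(min_len, max_len, **rules):
    """Total passwords allowed for lengths min_len..max_len under the rules."""
    return sum(count_policy(n, **rules) for n in range(min_len, max_len + 1))


def unconstrained(min_len, max_len, alphabet=95):
    """Any printable-ASCII string of those lengths, with no composition rules."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


if __name__ == "__main__":
    op, free = keyspace(8, 14), unconstrained(8, 14)
    print(f"OP's rules, 8-14 chars : {op:.3e}")
    print(f"no rules,   8-14 chars : {free:.3e}  ({free / op:.1f}x larger)")
    print(f"no rules,   8-64 chars : {unconstrained(8, 64):.3e}")
```

Running it shows that the composition rules cost a few bits, but the 14 character cap is what really matters: lifting it to 64 adds orders of magnitude that no amount of symbol juggling gets back.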
Lincoln Kelly
>need to make between 6-14 character long special machine code password
>doesn't let me write a 64 letter password that's super easy to remember
FUCKING IDIOTS FAGGOTS!
Angel Brooks
So, basically it wants you to make the easiest to crack passwords you can?
Samuel Hernandez
>university has you reset password after each semester
>if you don't reset after 2 weeks you get locked out
>after each semester is always a big ass line for people not being able to access their accounts because people take time off
>line is super huge after summer
wew
Jose Hall
I use a 30+ char password that could never be hacked
Liam Peterson
What if you decrypt before comparing?
Jackson Lopez
The monitoring software I use at work forces a quarterly reset... only you have to log in to change that password, guess what happens if you don't update it before the period expires? That's right, it locks you out because you can't log in to change it so it has to be manually reinstated by IT. It also "deletes" the user account after five failed login attempts and again, has to manually be reinstated by IT... I know a lot of you know how often people forget their passwords at work.
Needless to say, everyone but the suits who don't have to work with it every day hates it. It's truly garbage.
Jonathan Gray
post your hash, i'll give it 60s tops against proper rainbow tables
Cooper Williams
>Of course this is turbo-autism and no one probably does this
You hash the power set of each password and set a rule for the number of power set hashes of the new password matching the power set hashes of old passwords. It's trivial, even if you're salting.