Password rules are bullshit
By Thom Holwerda on 2017-03-10 23:35:32

Of the many, many, many bad things about passwords, you know what the worst is? Password rules.

Read this.

.
uk guidance is good too
By project_2501 on 2017-03-11 00:02:22
https://www.ncsc.gov.uk/guidance/...
Permalink - Score: 2
.
Oh, don't get me started on this
By WorknMan on 2017-03-11 02:12:43
I have like 12 eff'ing passwords at work, and some of them have different rule requirements, and a restriction that they must be changed every 30 days, and you can never reuse the same one. I am not a goddamn savant, people. The only thing that brings my piss to a boil more is spam, and when the f-lock key resets every time I reboot.

Edited 2017-03-11 02:13 UTC
Permalink - Score: 5
.
RE: Oh, don't get me started on this
By Alfman on 2017-03-11 03:31:21
WorknMan,

> I have like 12 eff'ing passwords at work, and some of them have different rule requirements, and a restriction that they must be changed every 30 days, and you can never reuse the same one. I am not a goddamn savant, people.

+1

Given the number of systems I work on, I've given up trying to remember them. It was getting to the point where I was forced to get the passwords reset.

The worst case of this I've ever dealt with was one particular nightmare client. In order to connect to the corporate network over VPN, we needed a username, password AND a keyfob, but the account automatically expired after 24h. So we'd need to call in every morning to activate new personal credentials for the day. The VPN automatically disconnected every single god damn hour so we'd need to repeat the password/keyfob process, and in the meantime we'd lose all our active connections.

You'd think this was for some top secret operation, but no it was just some probes and a server on an isolated network with benign temperature data on it. The whole thing was overzealous IT policy. I complained strongly to absolutely no avail. Then they complained about the bill, what the hell do they expect, there's no way for contractors to work efficiently under their IT policy! I wonder if they fixed it or there's still some poor SOB pounding his head into the wall every day.

I'm sure everyone has experienced terrible policies at some point in their career :(

Edited 2017-03-11 03:33 UTC
Permalink - Score: 2
.
Implementation details
By Undomiel on 2017-03-11 03:43:15
Can't agree with this part more!
It's a bit of an implementation detail, but make sure maximum password length is reasonable as well.
I've had several sites that silently truncate my saved password, but don't truncate my entered password, so I kept having to reset my password until I could deduce that they were silently cutting off the end of it. And then there's that QuickBooks database that would randomly corrupt on long admin passwords. Which they still haven't fixed in the 2016 version. At least I was able to get one other developer to fix their problems with long passwords, though that was like pulling teeth to prove it to them.
Permalink - Score: 1
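The failure mode Undomiel describes (the stored hash is computed over a silently cut-off password while the login path hashes the full string) is easy to reproduce. The following is an added example, not code from OSNews or from any of the sites or products the comment mentions; the 16-character storage limit, the PBKDF2 parameters and the sample passwords are all constructed for illustration. The "fixed" variant does not raise the limit (that is a separate policy decision); it makes both the enrolment and the login path apply the same explicit length check, so an over-long password fails loudly at set time instead of silently never matching afterwards.

```python
import hashlib
import hmac
import os

# Constructed storage limit, standing in for a column or buffer that silently
# discards everything past this many characters.
MAX_LEN = 16
PBKDF2_ROUNDS = 100_000  # illustrative; real deployments tune this


def _hash(password: str, salt: bytes) -> bytes:
    """Derive a fixed-size digest; which KDF is used is beside the point here."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def store_truncating(password: str) -> tuple[bytes, bytes]:
    """Buggy enrolment: the digest is derived from a silently truncated password."""
    salt = os.urandom(16)
    return salt, _hash(password[:MAX_LEN], salt)


def verify(password: str, record: tuple[bytes, bytes]) -> bool:
    """Login path: hashes the full entered string, so it disagrees with store_truncating."""
    salt, digest = record
    return hmac.compare_digest(_hash(password, salt), digest)


def _check_length(password: str) -> str:
    """Shared guard: reject over-long input instead of cutting it off."""
    if len(password) > MAX_LEN:
        raise ValueError(f"password longer than {MAX_LEN} characters is not accepted")
    return password


def store_checked(password: str) -> tuple[bytes, bytes]:
    """Fixed enrolment: same length rule as the login path, applied explicitly."""
    salt = os.urandom(16)
    return salt, _hash(_check_length(password), salt)


def verify_checked(password: str, record: tuple[bytes, bytes]) -> bool:
    """Fixed login path: identical normalisation, so stored and entered values agree."""
    salt, digest = record
    try:
        candidate = _check_length(password)
    except ValueError:
        return False  # could never have been enrolled, so never matches
    return hmac.compare_digest(_hash(candidate, salt), digest)


def demonstrate() -> dict[str, bool]:
    """Run both variants on a constructed long and short password."""
    long_pw = "correct horse battery staple"   # 28 characters, over the limit
    short_pw = "correct horse"                  # 13 characters, within the limit
    long_rec = store_truncating(long_pw)
    short_rec = store_truncating(short_pw)
    try:
        store_checked(long_pw)
        checked_rejects_long = False
    except ValueError:
        checked_rejects_long = True
    return {
        "buggy_long_matches": verify(long_pw, long_rec),           # False: the bug
        "buggy_prefix_matches": verify(long_pw[:MAX_LEN], long_rec),  # True: the tell-tale
        "buggy_short_matches": verify(short_pw, short_rec),        # True: short ones work
        "checked_rejects_long": checked_rejects_long,              # True: loud failure
        "checked_short_matches": verify_checked(short_pw, store_checked(short_pw)),
    }


if __name__ == "__main__":
    for name, outcome in demonstrate().items():
        print(f"{name}: {outcome}")
```

The diagnostic Undomiel used (only the first N characters of the password log in) is exactly `buggy_prefix_matches`; a site that wants to support long passwords removes `MAX_LEN` at the storage layer rather than lowering the rule, but whichever limit it picks, enrolment and login must apply it identically.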
.
Better yet....
By grat on 2017-03-11 04:10:44
Read this, which uses less profanity, and is appropriate for passing along to management:

https://nakedsecurity.sophos.com/...
Permalink - Score: 2
.
RE: Oh, don't get me started on this
By Brendan on 2017-03-11 06:26:43
Hi,

> I have like 12 eff'ing passwords at work, and some of them have different rule requirements, and a restriction that they must be changed every 30 days, and you can never reuse the same one.

It's not "secure" unless it's so hard for users to remember their password/s that they're forced to write them on yellow sticky notes and stick them to the edge of the monitor. ;-)

- Brendan
Permalink - Score: 8
.
Minimum password age
By timosa on 2017-03-11 07:13:55
The biggest password-related headache is the minimum password age rule. I have never understood how it would increase security.

Edited 2017-03-11 07:14 UTC
Permalink - Score: 1
.
you can also get info from here
By saadrasheed779 on 2017-03-11 16:44:25
easy way to protect your password visit here
http://www.unblockedhappywheels....

Edited 2017-03-11 16:45 UTC
Permalink - Score: 0
.
Comment by Wayne
By waynej on 2017-03-11 18:50:36
I think we all agree that passwords are a bit of a pain in the arse with all these rules we're forced to follow. Why not make the actual cracking more difficult by increasing the time between login attempts? After the first attempt you must wait two seconds before your next attempt, then four seconds, 8 seconds ... As we all know the waiting time would become very large, very quickly.

Surely this would be easy to implement and very effective.
Permalink - Score: 3
.
RE: Comment by Wayne
By daedalus on 2017-03-11 20:17:18
Yep, I've always wondered about that too. Trivial to implement, and would effectively stop brute force attacks dead without inconveniencing the average user - most people will only try 4 or 5 passwords at most before they ring support.
Permalink - Score: 2

© OSNews LLC 1997-2007. All Rights Reserved.