this post was submitted on 25 Aug 2024
12 points (92.9% liked)

Cybersecurity - Memes

What is your favourite password rule?

[–] DemBoSain@midwest.social 1 points 11 months ago (1 children)

I just had to make a password for a hotel.

8 to 20 characters Uppercase Lowercase Digits OR special characters.

The capitalized OR is important. You can have either numbers in the password, or special characters, BUT NOT BOTH.

Took me 8 tries.

  • First one was too long.
  • Second and third used both numbers and characters, but I thought the characters were TOO special.
  • 4 through 6 used both numbers and special characters.
  • Seventh password used just letters and numbers, and it was accepted.
  • Eighth try I used just letters and keyboard characters, and that was accepted too.
[–] Sewer_King@lemmy.world 1 points 11 months ago (2 children)

The best part to me is that they include all of these rules to increase the security, but then set a maximum length of the password, which from my understanding is the easiest way to add complexity/security to a password.

[–] RecluseRamble@lemmy.dbzer0.com 1 points 11 months ago (1 children)

The actual funny (or sad) thing about this: even without a length limit all they do is make the password less secure because every constraint just reduces the possible password space.

As someone who generates every password with a password manager, those sites are a pain in the ass because you have to somehow get these constraints into the generator.
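
Putting the hotel rule from the original post and the "every constraint reduces the password space" point from this comment into numbers, as an added example that is not code from anyone in the thread: it validates the rule as the post describes it and counts, by inclusion-exclusion, how many 8-to-20-character strings the rule accepts against the rule-free baseline. The accepted set of special characters, and the reading that exactly one of digits or specials must appear, are assumptions.

```python
"""Measure how much password space the hotel's rule throws away."""
import math
import string

# Character classes. The post does not say which "special" characters the
# site accepted, so SPECIAL below is an assumed set.
UPPER = frozenset(string.ascii_uppercase)
LOWER = frozenset(string.ascii_lowercase)
DIGITS = frozenset(string.digits)
SPECIAL = frozenset("!@#$%^&*()")  # assumption: 10 accepted symbols
MIN_LEN, MAX_LEN = 8, 20            # limits quoted in the post


def complies(pw: str) -> bool:
    """Hotel rule as described: 8-20 chars, upper + lower, digits XOR specials."""
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        return False
    chars = set(pw)
    if not chars <= UPPER | LOWER | DIGITS | SPECIAL:
        return False            # character outside every accepted class
    has_digit = bool(chars & DIGITS)
    has_special = bool(chars & SPECIAL)
    return bool(chars & UPPER) and bool(chars & LOWER) and (has_digit != has_special)


def count_strings(n: int, classes: list) -> int:
    """Strings of length n drawn only from `classes`, using each class at
    least once. Inclusion-exclusion over the subset of classes left out."""
    total = 0
    for mask in range(1 << len(classes)):
        dropped = [c for i, c in enumerate(classes) if (mask >> i) & 1]
        alphabet = sum(len(c) for c in classes) - sum(len(c) for c in dropped)
        total += (-1) ** len(dropped) * alphabet ** n
    return total


def compliant_space(max_len: int = MAX_LEN) -> int:
    """Passwords the rule accepts: the digits branch plus the specials branch."""
    return sum(count_strings(n, [UPPER, LOWER, DIGITS])
               + count_strings(n, [UPPER, LOWER, SPECIAL])
               for n in range(MIN_LEN, max_len + 1))


def unconstrained_space(max_len: int = MAX_LEN) -> int:
    """Same length window, any mix of the four classes (rule-free baseline)."""
    alphabet = len(UPPER | LOWER | DIGITS | SPECIAL)
    return sum(alphabet ** n for n in range(MIN_LEN, max_len + 1))


def bits_lost(max_len: int = MAX_LEN) -> float:
    """Entropy (bits, uniform random pick) given up by the rule at this cap."""
    return math.log2(unconstrained_space(max_len)) - math.log2(compliant_space(max_len))
```

Raising `max_len` in `compliant_space` shows the other half of the thread's point: lifting the length cap adds far more bits than any composition rule can take away.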

[–] fadedmaster@sh.itjust.works 1 points 11 months ago

KeePass deals with this fairly well. It remembers the restrictions from the previous password.

[–] felbane@lemmy.world 0 points 11 months ago (1 children)

Maximum length is the biggest red flag to me and was the catalyst for me making the effort to switch to unique passwords per account years ago. There are just so, so many shitty home-rolled security systems out there... and data breaches seem to be a perennial problem these days.

There's just no excuse for limiting the length if you're doing security correctly (other than perhaps a large upper limit just to protect against someone DoSing the backend with a bunch of 100MB strings; 512 characters seems reasonable).

By setting an upper limit, you're basically saying one or more of these things:

  • We store your password in plaintext
  • We store a hash but our hashing function has an unnecessarily arbitrarily limited input size
  • The person/team implementing the backend has no idea what they're doing and/or just copy-pasted login code from Stack Overflow
  • We tried to get away with minimal password requirements but some middle manager wouldn't rubber stamp it without arbitrary_list_of_bs
[–] pixeltree@lemmy.blahaj.zone 2 points 11 months ago

My senior project for uni was replacing the professor's friend's website. We had a meeting to gather requirements, have him demo the site as different kinds of users, etc. Dude said "Hold on a sec" and went to a page with all accounts and their passwords listed. Was like, dude, the hell