
Gammon Forum



These Forum Account Password Requirements Are Really Bad



Posted by Rabbi   (5 posts)  Bio
Date Fri 11 Oct 2019 01:41 PM (UTC)

Amended on Fri 11 Oct 2019 02:18 PM (UTC) by Rabbi

Message
  • Must be at least 10 characters long.
  • Must contain at least one number, one upper-case letter, one lower-case letter, and one punctuation character.
  • Must not be in a dictionary of the most common 100 passwords (eg. "password" or "letmein")
  • May not consist of more than 6 of the same character in any position (eg. "a1a2a3a4a5a6" would not be allowed).
  • May not contain sequences of 3 or more characters going up or down (eg. "abc", "456", "ZYX", "765").
  • May not contain repeats of 3 or more characters in a row (eg. "aaa" or "666" would not be allowed).
  • May not end with a number (so you can't just add numbers to a word, like "gorilla489")
  • May not contain part of your email address (so if your name is "barbara@gmail.com" the password can't be "barb9642")


I was going to use a pretty low security password on these forums, and those got rejected. That's fine. Then I started moving up in security. I have a pretty complicated password that changes based on where I'm using it, but it happens to end in a number. So I can't use it. I tried some more, and it turns out I literally don't have any passwords I can use on this forum that I'll actually remember. That's fine, we live in the age of password managers.

Next up I smash "guid generator" into Google and start grabbing GUIDs to try to use. Whoops, check out this _extremely_ insecure password I tried to use: 8c26cc26-ba34-4ce1-accd-f4bc36b05bca. You see, this extremely insecure password has more than 6 'c's in it. Whoopsa-daisy, I can't believe I almost got my account hacked.

I better try a new one, but once again I almost made another critical security error: f8083678-9931-41dd-bbe9-3bb01f32eac7. Obviously any malicious agent would have known that this password contains the ascending sequence "678".

Of course, these wouldn't have worked anyways, as these GUIDs don't have upper-case letters, once again a testament to their weakness. I ended up finding a generator that would work, and now if I ever lose access to Google's password manager I can reset the password I guess. I now feel extremely safe that no one is going to steal my MUSHclient forum account, thank goodness.


Let's take a page from XKCD here: https://imgs.xkcd.com/comics/password_strength.png
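As an added illustration (not the forum's own code, and not part of the post above), here is a Python checker that implements the eight rules quoted in the post, so the reader can see exactly which rules reject the two GUIDs. It assumes a small constructed stand-in for the "100 most common passwords" list and reads "part of your email address" as any slice of four or more characters from the local part (the post's example is "barb" from "barbara").

```python
import string
from collections import Counter

# Constructed stand-in for the forum's "100 most common passwords" list (assumption).
COMMON_PASSWORDS = {"password", "letmein", "123456", "qwerty", "iloveyou"}


def _has_run(pw: str, step: int) -> bool:
    """True if three consecutive characters differ by `step` each time.
    step=0 catches repeats ("aaa"), step=+1/-1 catches "abc"/"ZYX"-style sequences."""
    codes = [ord(ch) for ch in pw]
    return any(codes[i + 1] - codes[i] == step and codes[i + 2] - codes[i + 1] == step
               for i in range(len(codes) - 2))


def check_password(pw: str, email: str = "") -> list[str]:
    """Return the names of the forum rules the password violates (empty list = accepted)."""
    violations = []
    if len(pw) < 10:
        violations.append("too short")
    if not (any(c.isdigit() for c in pw) and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw) and any(c in string.punctuation for c in pw)):
        violations.append("missing character class")
    if pw.lower() in COMMON_PASSWORDS:
        violations.append("common password")
    if pw and Counter(pw).most_common(1)[0][1] > 6:
        violations.append("more than 6 of one character")
    if _has_run(pw, 1) or _has_run(pw, -1):
        violations.append("ascending/descending sequence")
    if _has_run(pw, 0):
        violations.append("3+ repeated characters")
    if pw and pw[-1].isdigit():
        violations.append("ends with a number")
    # Assumption: "part of your email address" means any 4+ character slice of the
    # local part, compared case-insensitively.
    local = email.split("@")[0].lower()
    if any(local[i:j] in pw.lower()
           for i in range(len(local)) for j in range(i + 4, len(local) + 1)):
        violations.append("contains part of email address")
    return violations


if __name__ == "__main__":
    # The two GUIDs from the post, plus the post's own "gorilla489" / "barb9642" examples.
    for candidate, mail in [("8c26cc26-ba34-4ce1-accd-f4bc36b05bca", ""),
                            ("f8083678-9931-41dd-bbe9-3bb01f32eac7", ""),
                            ("gorilla489", ""), ("barb9642", "barbara@gmail.com")]:
        print(candidate, "->", check_password(candidate, mail) or "accepted")
```

Both GUIDs fail the upper-case requirement as well as the rule the post names, which is the point of the complaint: a rule set aimed at human-chosen passwords penalises 122-bit random identifiers for properties that say nothing about guessability.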






Information and images on this site are licensed under the Creative Commons Attribution 3.0 Australia License unless stated otherwise.