

Texas Attorney General Password Rules - valuegram
http://portal.cs.oag.state.tx.us/OAGStaticContent/portal/login/help/Login.htm

======
88e282102ae2e5b
They're not necessarily storing passwords in the clear (though the Texas
Secretary of State does[1], so it wouldn't surprise me).

For example, when updating a password on Facebook, they check to see if your
new password is similar to your previous one by creating several variants of
the new password, hashing them, and seeing if the hash matches any of your old
password hashes.

[1] [http://plaintextoffenders.com/post/68152196480/sos-state-tx-...](http://plaintextoffenders.com/post/68152196480/sos-state-tx-us-government-website-businesses)

~~~
Brandon0
Do you have a source on the Facebook statement? I would be interested in
hearing how they create the variants.

~~~
88e282102ae2e5b
Ostensibly this is from a FB engineer; in retrospect I realize I don't know
how to verify that: [http://security.stackexchange.com/questions/53481/does-faceb...](http://security.stackexchange.com/questions/53481/does-facebook-store-plain-text-passwords#comment84577_53483)

------
cpncrunch
Unfortunately these asinine password requirements occur quite often. It's
basically an indication that the site itself has poor security, and they're
requiring a strong password to mitigate that risk. Also, if they are storing
the password in plain-text, then it doesn't really matter how many fucking
special characters your users have in their passwords :)

Also, users will just write down the password.

~~~
StefanKarpinski
Writing down passwords isn't necessarily bad [1].

[1]
[https://www.schneier.com/blog/archives/2005/06/write_down_yo...](https://www.schneier.com/blog/archives/2005/06/write_down_your.html)

------
cheald
It's kind of fun working out how many passwords that is.

So letters + numbers + 3 special characters. Our first and last positions
can't be special characters, and we can't have the same letters concurrently,
so we're in the ballpark of:

62^2 * 64^6 = 264,157,668,573,184 passwords

However, passwords _must_ contain a letter, number, and special character.
This means that we can eliminate the entire letters + numbers set, the numbers
+ specials set, and the letters + specials set:

(62^2 * 64^6) - (62 * 61^7) - (10^2 * 12^6) - (52^2 * 54^6) = 2,261,873,997,098

Did I get that math right?

That's still a decently large space, but it's small enough to be attackable
even if the passwords are hashed.
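
An added worked computation (not part of the comment above): the same counting model carried through with full inclusion-exclusion, so that strings missing two classes at once are added back after the three pairwise sets are subtracted. Class sizes are taken from the comment's formula (52 letters, 10 digits and 2 specials, giving the 64, 12 and 54 used there), first and last position are alphanumeric, and the "no repeated adjacent letters" restriction is left out. A tiny instance is also brute-forced to confirm the formula.

```python
import itertools
from math import log2

# Class sizes taken from the formula in the comment above (62 alphanumerics
# + 2 specials = 64; 10 digits + 2 specials = 12; 52 letters + 2 specials = 54).
# This is the comment's model, not the Texas AG rule text itself.
CLASSES = {"letter": 52, "digit": 10, "special": 2}
END_CLASSES = ("letter", "digit")              # first/last position: no specials
MIDDLE_CLASSES = ("letter", "digit", "special")


def count_policy_space(length, end_classes, middle_classes, class_sizes):
    """Number of strings of `length` positions whose first and last position
    draw from `end_classes`, whose other positions draw from `middle_classes`,
    and which contain at least one symbol of every class in `class_sizes`.

    Inclusion-exclusion over the set E of classes that are *absent*: the count
    of strings avoiding E is (ends without E)^2 * (middles without E)^(length-2),
    and the sign alternates with |E|. Requires length >= 2.
    """
    classes = list(class_sizes)
    total = 0
    for k in range(len(classes) + 1):
        for absent in itertools.combinations(classes, k):
            ends = sum(class_sizes[c] for c in end_classes if c not in absent)
            mids = sum(class_sizes[c] for c in middle_classes if c not in absent)
            total += (-1) ** k * ends ** 2 * mids ** (length - 2)
    return total


def brute_force_space(length, end_classes, middle_classes, class_sizes):
    """Same count by enumeration; only usable for tiny parameters, used here
    to confirm the formula. Symbols are (class, index) tuples."""
    symbols = {c: [(c, i) for i in range(n)] for c, n in class_sizes.items()}
    end_syms = [s for c in end_classes for s in symbols[c]]
    mid_syms = [s for c in middle_classes for s in symbols[c]]
    slots = [end_syms] + [mid_syms] * (length - 2) + [end_syms]
    required = set(class_sizes)
    return sum(1 for combo in itertools.product(*slots)
               if {cls for cls, _ in combo} == required)


def texas_style_space():
    """The 8-character, ends-alphanumeric, all-three-classes-required space."""
    return count_policy_space(8, END_CLASSES, MIDDLE_CLASSES, CLASSES)


def bits_of_entropy(space_size):
    """Equivalent key length for a uniformly chosen password from that space."""
    return log2(space_size)


if __name__ == "__main__":
    n = texas_style_space()
    print(f"{n:,} passwords, about {bits_of_entropy(n):.1f} bits")
```

The space size is what matters for risk: a uniformly chosen password from it is worth under 45 bits, and real users do not choose uniformly, so the effective space is smaller still.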

~~~
namlem
Two trillion? That's pitiful. That could be cracked even if it's hashed with a
slow algorithm.

~~~
Shivetya
Assuming you have unrestricted access to the user information, which to me
usually means I already have unfettered access to your system, why would I
need passwords?

Do many systems allow nearly unlimited attempts? Is this common on some
platforms? For all except the most locked-down users (single task), it pretty
much is three strikes you're out, call to fix your access.

------
thyrsus
They're storing passwords in the clear, otherwise they wouldn't be able to
enforce the "cannot be too similar" rule.

~~~
waqf
Not necessarily — if you require the user to type in "old password" and "new
password" when they change their password then you have both passwords in
cleartext at once and can check for similarity.

You wouldn't be able to enforce "cannot be similar to the previous 8
passwords" like that, but they don't.
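
The two approaches discussed in the thread, as an added example that is not code from any commenter or site: the variant-hashing check described in the Facebook comment higher up (only hashes of old passwords are stored, and several likely edits of the new password are hashed under each stored salt and compared), and the check described just above (old and new password are both present in cleartext at change time and can be compared directly). The variant list, the PBKDF2 parameters and the sample history are assumptions constructed for the example.

```python
import difflib
import hashlib
import hmac
import os

# PBKDF2 iteration count kept low so the example runs quickly; a production
# deployment would use a tuned password hash with a much higher cost.
ITERATIONS = 20_000


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256 of a password; what the history table stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password):
    """Create a salted history entry. The plaintext is not retained."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def variants(password):
    """Cheap edits a user tends to apply when forced to rotate a password.
    This list is an assumption for the example, not any site's actual list."""
    base = {password, password[::-1]}
    stripped = password.rstrip("0123456789")
    digits = password[len(stripped):]
    base.add(stripped)
    if digits:                        # bump the trailing number up or down
        n, width = int(digits), len(digits)
        base.add(f"{stripped}{n + 1:0{width}d}")
        if n > 0:
            base.add(f"{stripped}{n - 1:0{width}d}")
    for suffix in ("!", "1", "123"):  # add or remove a common suffix
        base.add(password + suffix)
        if password.endswith(suffix):
            base.add(password[: -len(suffix)])
    out = set()
    for p in base:                    # and every case variation of each
        out.update({p, p.lower(), p.upper(), p.swapcase(), p.capitalize()})
    out.discard("")
    return out


def too_similar_to_history(new_password, history):
    """Approach 1: only hashes of old passwords are stored. Hash every variant
    of the new password under each record's salt and compare. Cost is
    len(history) * len(variants) slow hashes per change attempt."""
    candidates = variants(new_password)
    for record in history:
        for candidate in candidates:
            digest = hash_password(candidate, record["salt"])
            if hmac.compare_digest(digest, record["hash"]):
                return True
    return False


def too_similar_to_current(old_password, new_password, threshold=0.8):
    """Approach 2: the change form asks for old and new password, so both are
    in memory at once and can be compared directly. Only the current password
    can be checked this way; older ones exist only as hashes."""
    ratio = difflib.SequenceMatcher(None, old_password, new_password).ratio()
    return ratio >= threshold


if __name__ == "__main__":
    # constructed sample history: hashes only, as a server would hold them
    history = [make_record("Summer2013"), make_record("Winter2012")]
    print(too_similar_to_history("summer2014", history))           # True
    print(too_similar_to_history("correct horse battery", history))  # False
    print(too_similar_to_current("Summer2013", "Summer2014"))       # True
```

Neither check needs the old passwords in cleartext, which is the point of the exchange above. The hash-variant approach is bounded by the variant list (an edit it does not model will not be caught) and multiplies the slow-hash cost by the number of variants and history entries, so the list has to stay short; the cleartext comparison is exact but covers only the password being replaced.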

------
byoung2
The EXACTLY 8 characters worries me, because it suggests that they are storing
the password in plaintext in an 8 character column.

~~~
titusjohnson
Probably stored in 9, 8-character columns, labeled "last_password_1",
"last_password_2", etc, given #10.

~~~
steve_g
One 72 character column. Why make it complicated!

------
IvyMike
> If you have user ID or password problems, use the following address (place
> in the “To” field) to send an e-mail requesting assistance:
> websec.adminp@cs.oag.state.tx.us

This poor guy.

