
Password Rules - valuegram
http://portal.cs.oag.state.tx.us/OAGStaticContent/portal/login/help/ChangePassword.htm
======
haberman
Also: quit the "security questions" thing. I can't count the number of times
I've been locked out of my account because I couldn't remember the precise
answer I gave to a security question.

I bought a house last month, and the biggest thorn in my side throughout all
of the financial arrangements was security questions (I'm not even joking).
Here's a Facebook status update I posted (I had already been complaining about
security questions a bunch):

"Just got challenged with a security question, which was "Thank you for your
loan application." Wtf, that is not a question. And I've never filled out any
security questions for this website, so I have no idea what it's expecting me
to enter.

"I swear, security questions are out to get me."

~~~
nextstep
Plus, you should never answer security questions honestly. Your favorite pet
or the street you grew up on or your mother's maiden name are all not secret
information. Many of my friends and family know the answers to all of these.
So, when faced with a security question, I try to pick a random (but false)
security answer, which I then write down in an encrypted file. This is a
terrible solution, but it feels foolish to answer the questions honestly.

~~~
FaceKicker
Security questions are usually just used to decide whether to send you an
email with a password reset link (or more annoyingly, a new password), aren't
they? I've never seen a system where being able to answer the security
question(s) is equivalent to knowing your password. Anyone who knows my
mother's maiden name probably also knows my email address and could more
easily spam me directly than using a website to send me password reset links.

~~~
skymt
In 2008 Sarah Palin's Yahoo! Mail account was broken into simply by looking up
the answers to the security questions.

------
healsdata
Of those ten rules, nearly half of them hurt password strength. The others
make it harder for users to remember their passwords which will lead them to
frustration and, ultimately, bad passwords.

Austin#1 is a perfectly valid password according to those rules. zxcvbn says
it'd take 2.508 seconds to crack that.

------
homosaur
WOW. I was expecting something dumb but this is next level dumb. You're
basically forcing a 7 character password since I already know one of them is
one of those three special characters. Then you've just given me like 5 more
rules that limit what the password can be.

Any password cracking service would crack this in hours. IT people should
understand the basics about security before they are allowed to set policy.

~~~
ot
> You're basically forcing a 7 character password since I already know one of
> them is one of those three special characters.

Not exactly, because you don't know where the special character is. If the
allowed characters are k, the number of 8-character passwords would be k^8.
With this rule, even assuming that only one special character is used the
number becomes 7^k * (3 * 8) = 7^k * 24, so if k ~= 60 the entropy is reduced
by roughly 1 bit.

Still, it is an incredibly stupid rule.

~~~
jaybill
I'm pretty sure the password guesser I wrote to give me passwords on terminals
in Fallout 3 would easily give me these passwords.

~~~
hahainternet
I don't know whether this is cool or sad. Fallout 3 passwords were trivially
easy to infer from a single guess. They took extra time to reduce the
ambiguity and make it easy once you understood the principle.

Were you running a mod?

~~~
jaybill
I think it's probably more on the side of "sad", considering the way I did it.
No mods. I wrote a little Android app that you could put the words and number
of correct letters each try into and it would shorten the list each time you
did.

After a while I figured out "the trick" and could do them in my head and
didn't need the program anymore. It was a fun little programming exercise,
though.

------
NelsonMinar
Everyone's making fun of this, and it is dumb. But really this is just an
example about how passwords are a stupid form of authentication. Not just this
site, all passworded sites. We really need something better.

I favor OpenID or something like it. Single strong form of authentication,
delegate login authority from that to non-critical sites like Hacker News.
OpenID has enough of a bad reputation now it's probably a non-starter.
BrowserID has some promise: <https://browserid.org/>

~~~
steve-howard
I don't know that passwords are all bad. For an alternative approach to
complex rules, see:

<http://xkcd.com/936/>

The last time I changed a password for a service I set it to a phrase that I
can easily remember but which no human or current machine will easily guess.
I'd say that the only good rule is "Make it at least 9 characters" (which is
at least long enough to disallow "password").

~~~
unimpressive
Character minimums hurt your entropy too. Stripping the entire search space up
to nine characters isn't really a good idea.

In my opinion it'd be better to just find a list of the top 10K passwords and
disallow them.

One out of 50 people use one of the top 20 passwords. [0]

I'd bet that over half of passwords used are in the top ten thousand.

[0]: <http://xato.net/passwords/how-i-collect-passwords>

~~~
jerf
"Character minimums hurt your entropy too."

Not really. If X is the number of characters your password can be made up of,
there are 8^X possible passwords that are 8 characters long, and 8^X-1
possible passwords that are less than 8 characters long. Even here, right on
the border, you've only lost 1 bit of entropy (half banned, half allowed), and
you win big the moment someone makes it even one character longer than the
minimum who wouldn't have otherwise.

~~~
lindenr
If X is the number of different characters your password can contain then the
total number of possible passwords exactly 8 characters long is X^8.

The number of passwords that are _less_ than 8 characters long is X + X^2 +
... + X^7 which is significantly less than X^8 for large X.

So your point is even more valid.

------
DeepDuh
This reminds me of an anecdote from "The Code Book" by Simon Singh (highly
recommended book btw.).

One of the reasons the British could crack the Enigma code was that
German officers introduced rules on how to use the system. For the Enigma
machines they had to choose three out of five cylinders in different
positions. The officers thought it would be more secure if they imposed a rule:
"never use the same cylinder in the same position the next day".

------
x1
Yeah. As someone who prefers passwords in the 12-24 character length I get
really annoyed when a site comes back and tells me my password isn't good
enough because it doesn't follow various rules. Oh you really think someone is
going to brute force $MILKAndDailyCheeseRe because it doesn't have a number in
it?

~~~
darkarmani
Even worse is when they limit to 12 characters, but don't enforce it in the
UI. I couldn't login once because the bank website _truncated_ my password
silently to 12 characters. On a whim, I tried the first 12 characters and I
was able to login.

------
fiatmoney
Ironically, each of these restrictions reduces the space of possible passwords
for a brute-force attack, which is already pretty small given the inane
8-characters-exactly requirement.

~~~
astangl
I have pointed this out to people before too. It doesn't seem to deter their
slavish adherence to what they declare to be "best practices", which seems to
correspond to something they read in some magazine or blog.

------
njloof
After coming up with a password that obeys all those rules, I recommend
writing it down on a yellow sticky note and putting it on your monitor.

~~~
droithomme
Which I have seen at secure facilities, as we all have, I think.

~~~
RandallBrown
If it's a secure facility, it's probably pretty safe.

------
xbryanx
I've worked with rules like this, and it's even worse when it's some domain
password used across multiple crappy systems. Often a 3rd party system that
has integrated with this password doesn't accept the $, or has to be 7
characters or something. So the IT folks tell you to follow the rules, but if
you use the accounting system, make sure not to put $ in there. #facepalm

------
jonamato
The sub-password "similarity" rules (#8) mean that it is incredibly unlikely
that the system is storing the password history hashed, and basically
impossible that they're storing it salted. What could possibly go wrong?

~~~
raldi
You don't need unhashed password storage to enforce similarity rules.
Presumably, the user has to type in their current password when they set a new
password. When processing that request, you have all the information you need
to do the similarity check.

~~~
petitmiam
What about the 7 passwords prior?

~~~
charliesome
I believe the 7 passwords prior aren't checked for similarity, only equality.
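
One way to implement the check raldi describes, with the limit charliesome points out: similarity can only be tested against the current password, which the user has just typed, while the 7 prior passwords exist only as salted hashes and can only be tested for equality. This is an added example, not the site's code; it assumes PBKDF2-HMAC-SHA256 storage and a hypothetical similarity rule (a shared substring of 4 or more characters), since the thread does not quote rule #8's exact definition.

```python
import hashlib
import hmac
import os

HISTORY_DEPTH = 7        # thread: the 7 prior passwords are checked for equality only
MIN_SHARED_RUN = 4       # assumption: a shared substring of 4+ characters is "too similar"
PBKDF2_ROUNDS = 100_000  # illustrative work factor

def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256. Only (salt, digest) is ever stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored (salt, digest)."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)

def longest_shared_run(a: str, b: str) -> int:
    """Length of the longest substring common to a and b (dynamic programming)."""
    best, prev = 0, [0] * (len(b) + 1)
    for ca in a:
        cur = [0] * (len(b) + 1)
        for j, cb in enumerate(b, 1):
            if ca == cb:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best

class Account:
    """Stores only salted hashes: the current one plus up to HISTORY_DEPTH previous ones."""
    def __init__(self, password: str):
        self.current = hash_password(password)
        self.history = []

    def change_password(self, typed_current: str, new: str) -> str:
        # The user must type the current password, so its plaintext is in hand
        # for this one request (raldi's point); it is never written anywhere.
        if not verify(typed_current, *self.current):
            return "current password incorrect"
        if longest_shared_run(typed_current, new) >= MIN_SHARED_RUN:
            return "too similar to current password"
        # Older passwords exist only as hashes, so only equality can be checked
        # against them (charliesome's point).
        for salt, digest in self.history:
            if verify(new, salt, digest):
                return "matches a recent password"
        self.history = [self.current] + self.history[:HISTORY_DEPTH - 1]
        self.current = hash_password(new)
        return "ok"
```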

------
jaybill
I get annoyed when I can't use spaces, because my general password strategy is
to click my link bar shortcut to Random Wikipedia Page, pick five or six words
and use that as my password. Easy to remember, hard to guess, even harder to
brute force. Thanks XKCD!

I use Keepass to store passwords for the various things I use, and even though
my hive is stored on a web server (uses SSL and requires a password, of
course) for convenience, it has a well chosen, rotated password and a key file
that I carry on a USB stick with my keys. I keep a backup of the key file in a
safe physical location.

No two passwords are the same and none is less than 16 characters. One nice
thing about Keepass is that you can also store URLs and other arbitrary
information in the hive. Should anything ever happen to me, my wife will
automatically receive instructions on how to locate and access the hive.
(automatic email, dead man switch) Keepass also lets you set reminders so you
can regularly change passwords.

~~~
epistasis
This is a terrible way to choose passwords, and in no way equivalent to the
XKCD method. It's not equivalent because additional length in your password is
very predictable rather than random.

To brute force your password, all somebody has to do is choose a starting word
in Wikipedia and some number of consecutive words. This is log2(size of
Wikipedia) + log2(entropy of your "5 or 6" distribution). This is less than 32
bits of entropy, or about a six character password in a 64 character alphabet,
i.e. it's trivial to brute force this password if you have the hash.

~~~
jaybill
I didn't say I picked _consecutive_ words. You'd be right otherwise, though.

~~~
epistasis
Why are spaces important then?

~~~
jaybill
For word breaks? Why are they _not_ important?

------
sunwooz
If you had to create a list (or non-list) of requirements a password must pass,
what would it be? (Ex. case sensitivity, length, cannot be the same as
username, etc.) The bare minimum with the least frustration for the user? I
was very surprised by the news piece that Blizzard was using case-insensitive
passwords, and that got me thinking...

~~~
seats
What if we started saying 'passphrase' instead of 'password' and made the
minimum be 4 words and 18+ characters.

It wouldn't be overwhelming to new users if they had examples of what a
memorable passphrase is. You'd likely need to disallow specifically using the
example passphrase but other than that, I'd be curious to see how well
non-technical users respond to an interface asking them for a phrase.

~~~
rwallace
We also need to get rid of the stupid habit of blanking out the password on
the screen as it's typed, which imposes a time penalty exponential in the
password length, or at least make it optional and disabled by default.

~~~
FuzzyDunlop
Re: this. Just have an option to 'display password' on the field itself
somewhere, like you get when entering your WiFi password, or passwords on your
phone.

Re: GP. Attackers would just switch to brute-forcing with common phrases. Song
lyrics, expressions, etc. Then your passphrase rules will change to
accommodate that, and be even more confusing. "The quick brown fox jumps over
the lazy dog" and other long, memorable phrases, will be as insecure as
"password123".

<http://arstechnica.com/business/2012/03/passphrases-only-marginally-more-secure-than-passwords-because-of-poor-choices/>

~~~
seats
Really interesting article and absolutely a fair point, but from the article
itself, passphrases are still better. Just not a cure-all. The title ("...
only marginally better ...") does not match the body ("... vast improvement
...").

>> The "30 bits of security" means the chances of a single guess cracking a
four-word passphrase would be one in 2^30. What's more, the two-word phrases
cracked in the study provided just 2^20.8 (or 20,656/0.0113) bits of security.
Another way of expressing the same finding is that a dictionary of slightly
less than 21,000 phrases is enough to guess the login credentials that
slightly more than 1 percent of people in the real world will use.

To be sure, that's a vast improvement over the security of normal passwords.
Analyses of compromised passwords leaked onto the 'Net, including a corpus of
32 million plaintext codes dumped following the 2009 hack of online games
provider RockYou, show that it's trivial to crack a sizable proportion of
real-world codes. A dictionary of just two of the most common passwords—123456
and 12345 respectively—typically guess 1 percent of login credentials.

------
unimpressive
Of course this is totally ridiculous, and shoots their entropy with a shotgun.
But my heart goes out to whoever was logging into the child support page at
the texas attorney general website.

That sucks.

~~~
valuegram
I was the one who posted this. It's the same login used to report new hires to
the attorney general... Luckily no child support issues here.

------
jiggy2011
Is there any reasoning at all behind the thinking that requires passwords such
as this? These sorts of rules are so commonplace that there must be some
reasoning for it?

~~~
kijin
To begin with, preventing SQL injection when passwords are stored in plain
text without any escaping. (CHAR(8) field. No special characters allowed.)

~~~
jiggy2011
That's an utterly horrible reason but I take the point.

I imagine many sites implementing these policies (some banks etc) are hashing
their passwords properly and sanitizing SQL though!

------
pbreit
Stupid password rules are probably the leading source of consternation for this
internets user.

Has anyone ever analysed if password rules help at all? Aren't most
compromises social-based or otherwise accidental? No one breaks in by slamming
millions of login attempts at a server, do they?

~~~
sukuriant
My Diablo 3 account was hacked because my password was 'abcd1234'. This is no
longer the case.

So yes, sometimes. And no, I'm not certain why on earth I set that as my
password...

~~~
pbreit
Are you sure it was brute-forced? And the website owner had nothing in place
to see that it was getting hit with a brute-force password attack?

------
Achshar
Banking passwords are always fun. Mine has to be changed every 30 days, cannot
be same as last 3, must contain at least one number, special character,
capital, lowercase. I essentially end up where I have to store the password in
plain text (!) in a password-protected file. Ridiculous, but there is no way
around it. People really have to understand that such things don't help at
all; they increase user frustration if anything.

I have never understood the number/uppercase requirement: if someone somehow
put in a key logger it won't matter, and if someone is using brute force, it won't
matter either.

~~~
Tichy
Well the "not the same as last 3" rule is easy to circumvent: Just add a
number at the end, password1, password2, password3...

~~~
darkarmani
Some schemes notice the incrementing value, so I ended up doing !,@,#,... which
is equivalent to 1,2,3...

The bonus is that I could still track how many quarters I worked for that
place before leaving (lasted into the 6th quarter).

------
16s
There needs to be an ISO standard for passwords. Things like this are
ridiculous.

~~~
asciident
What I want to know is whether there is a subset of passwords that will be
valid against almost all password rules. Like if I make a password that has 12
characters, one symbol and one number, will that fit in 99.9% of cases?

------
JWhiteaker
Having overly restrictive password rules like this, combined with requiring a
new password every x months, just leads to more users writing down the
passwords on notes stuck to their monitor.

------
runn1ng
" Characters in the first, second, and third positions cannot be identical. "

Any reason for that? Using pretty similar passwords with minor differences is
how I manage to remember passwords for all those fifty different services I
have to know password for...

------
PezCuckow
This demonstrates what is wrong with what the world expects a password policy
to be, very few of these even increase password cracking complexity. They are
just dumb rules to annoy your users. Sigh!

------
jklp
I always wondered about these arcane rules, where passwords are easy for
computers to hack, but hard for humans to remember.

See obligatory xkcd comic:

<http://xkcd.com/936/>

------
angry-hacker
I wonder how many possible variations of passwords with these rules there can
be... 8 chars, no same letters next to each other etc.. brute force hacking
might be fun..

------
CurtMonash
If a system has sufficiently crazy password rules, I'm sure to forget the
password, and default to the password reset system.

------
neotek
I work for a major bank in Australia and I'd be ecstatic to have requirements
as (comparatively) simple as this.

------
pbreit
Can someone convince me that password requirements add _any_ value to the
matter?

------
goatslacker
Whomever thought this was a good idea needs to be kicked in the groin.

------
philip1209
Need . . . public key . . . access

------
mathattack
If this weren't a US government website, I'd swear it was a hoax!

------
DaNmarner
I bet this has something to do with some mighty Oracle DBA.

------
Margh
Wait, what? This isn't a joke?

------
its_so_on
I swear one day we will see.

"Unfortunately time and again we have come to observe the inability of
employees to follow simple rules during password creation. For example,
despite our warnings, employees often create a password containing more than
one consecutive non-numeral; other employees attempt to create a password
consisting only of numbers, only of letters, or an insecure mix of numbers and
letters - e.g. 5:1 - with no special characters.

This is unacceptable.

Henceforth, new passwords must be one of the following five possibilities, as
described below:

s$sVC!{IV{wG:|9 (Employees with last name beginning with A-F)

bE#40,$&T@V}266 (Employees with last name beginning with G-L)

U>~7nw*,55{][%H (Employees with last name beginning with M-R)

EL8$v{4#L8482 5 (Employees with last name beginning with S-X)

or

1^_4s"x&T3pB,%% (All other employees).

You may not use a password you have ever used previously. In two weeks, the
new possibilities will be posted to the web site, and you must change your
password immediately to one of the new possibilities.

You have brought this on yourselves, and if you begin to show an ability to
use secure passwords, you may get to pick your own in the future. Until then,
they will be assigned to you.

HR."

~~~
dekz
> The password must be exactly 8 characters long.

This is probably the root cause of bad passwords. In the case of Average Joe,
he is now having to choose something memorable which is 8 characters long.
'PassworD'

~~~
Terretta
Sorry, "PassworD" doesn't validate. You're missing a symbol, and you have a
character repeated. Try "P@s5w0rd" instead. Or, better yet, "abc#1234" as
suggested in the examples.

~~~
dekz
We've moved on to a fictitious setup. I was so disgusted with my bank and
their password policies and authentication measures. They too restrict to 8
characters, but they happen to also offer a SecurID token. This token can be
used in conjunction with the initial authentication. I would happily switch to
any bank where I can know my data is secure. How do we trust them?

~~~
X-Istence
I have a student loan that is limited to 8 character passwords. Thing is, when
you go to set your password the first time it will happily take the password
and use it, good luck getting in though because the next time you go to enter
your password the web form truncates it for you (using JavaScript upon
submitting)!

Then when you go to reset your password they keep telling you that your
password doesn't meet the requirements (the form allows you to type as much as
you want) but doesn't tell you about the 8 character password rule. Then when
you finally get one that works and you are logged in (12345678 is not a secure
password, but apparently that is fine) you go to change your password and this
time they will tell you that 8 characters are all that is allowed, but the web
form is set to only accept 7 characters, so you have to use the Safari
Inspector to change the form to accept 8 characters and submit.

And unfortunately I can't leave them because it is a loan and not just a
checking account. Thing is, even I don't know my password anymore, so it is as
secure as it can be :P

~~~
codeodor
> And unfortunately I can't leave them because it is a loan and not just a
> checking account.

You may be able to refinance the loan through another bank, which would pay
off this one and let you go with someone more reasonable.

~~~
X-Istence
If I could get the same interest rate or lower I would do it, but as of right
now I would get lucky if I could find one that gave me 3x the interest let
alone higher...

------
kbronson
Password Sucks

