
Welcome to password creation hell - CarolineW
https://www.devonhomechoice.com/customer-login
======
osteele
On the plus side: The web site not only has a text size selector – there also
is a “Text Only” link that does exactly what it says, _and_ reveals a “Colour
Scheme” menu: Black on white, black on cream, white on blue, yellow on black.

Some dev has been having fun with this while all the product people are away.
As a creator of useless side projects, I can relate.

~~~
HarryHirsch
You'd think that this is to conform to accessibility regulations; this is a
British site, and the British are very strict on that front. Nothing wrong
with high-contrast schemes, especially when you have cataracts.

------
peterwwillis
> _Please do not use the browser back button, only use the Back button at the
> bottom of the page._

This amazes me a lot more than a ridiculous password scheme. You can always
come up with a justification for a stupid password scheme. But there's no
justification for "I don't know how sessions work" after 20 years of web
development history. It was the #1 most frequent developer mistake _IN 1999._

[https://www.nngroup.com/articles/the-top-ten-web-design-mist...](https://www.nngroup.com/articles/the-top-ten-web-design-mistakes-of-1999/)

------
justin_oaks
I wrote a program to check how many 9 digit numbers met the criteria. The
answer I got was 897,674,400.

I used the following Java code, which may be flawed, to count:

    
    
        import java.util.Arrays;
        
        public class PasswordCount {
            public static void main(String[] args) {
                long count = 0;
                int[] digitCount = new int[10];
        
                // Leading zeros count: 000123456 is a valid 9-digit password, so the
                // loop covers every value from 000000000 to 999999999.
                mainLoop:
                for (int i = 0; i <= 999999999; i++) {
                    Arrays.fill(digitCount, 0);
                    // i / 10^k % 10 extracts digit position k (0 = units).
                    digitCount[i / 1          % 10]++;
                    digitCount[i / 10         % 10]++;
                    digitCount[i / 100        % 10]++;
                    digitCount[i / 1000       % 10]++;
                    digitCount[i / 10000      % 10]++;
                    digitCount[i / 100000     % 10]++;
                    digitCount[i / 1000000    % 10]++;
                    digitCount[i / 10000000   % 10]++;
                    digitCount[i / 100000000  % 10]++;
        
                    int differentNumbers = 0;
                    for (int index = 0; index < 10; index++) {
                        if (digitCount[index] > 3) {
                            continue mainLoop;   // same digit used more than three times
                        }
                        if (digitCount[index] > 0) {
                            differentNumbers++;
                        }
                    }
                    // The rule says "at least 4 different numbers". As originally posted
                    // this line read differentNumbers > 4 (i.e. at least 5 distinct),
                    // which is the condition that produces 897,674,400; with >= 4 the
                    // loop prints 916,725,600.
                    if (differentNumbers >= 4) {
                        count++;
                    }
                }
                System.out.println("count: " + count);
            }
        }

~~~
schoen
Good call on the leading zeroes. I was trying to write a Python program to do
the same and I would have implicitly ignored leading zeroes, which _should_ be
considered here because a password could be, for example, 000123456.

------
notacoward
There is a silver lining here. It practically eliminates the possibility of
reusing a password from another site ... because nobody else is stupid enough
to have rules like these. At least when somebody cracks your password here it
won't do them any good anywhere else.

~~~
snug
Not if my password is 123456789

~~~
wrycoder
We're sorry, that password is already in use.

~~~
eat_veggies
We're sorry, user "wrycoder" is already using that password.

------
eam
I also hate ADP's password requirements:

> Your password must be 8 to 20 characters and may include upper or lowercase
> letters (A-Z and a-z), numbers (0-9), spaces (except at the beginning or
> end), and special characters. You must use at least one letter and one
> number. You cannot use the same character in four or more consecutive
> positions (for example, AAAa is valid, but AAAA is not valid) and you cannot
> use four or more sequential characters, in ascending or descending order, in
> a row (for example, ABCD and 4321 are not allowed).

It almost feels like a riddle...

Because I have to choose a complicated password that I can't remember, every
single time I go back (maybe twice a month) I pretty much have to use the
password reset functionality and make another non-memorable password. Even
setting up the password takes some thinking as you can read the requirements
that you have to conform with. Ugh. It's pretty annoying.

~~~
peterwwillis
This brings up one of many interesting paradoxes of browsers. They can save
passwords by default, but they won't generate strong passwords for you by
default. (If your browser has a password generator you have to manually enable
it)

~~~
bdibs
Safari on macOS will suggest/generate fairly strong passwords as soon as
you're on a password field:

[https://i.gyazo.com/92fc8a49323dffbd22ff34c2ccbea0b0.png](https://i.gyazo.com/92fc8a49323dffbd22ff34c2ccbea0b0.png)

------
taftster
> "Your new password must contain 9 numbers, and include at least 4 different
> numbers but cannot include the same number more than three times."

Talk about reduction of password entropy.
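
The count justin_oaks brute-forced above and the entropy point made here can be done in closed form. As an added example (my code, not from either commenter), this counts the allowed 9-digit strings combinatorially, cross-checks the method against brute force on small parameters, and reports how many bits the rule actually removes relative to an arbitrary 9-digit string. The function names and the small-parameter cases are mine; the defaults are the rule as quoted in the thread.

```python
from itertools import product
from math import comb, log2


def count_passwords(length=9, alphabet=10, min_distinct=4, max_repeat=3):
    """Strings of `length` symbols over an alphabet of `alphabet` symbols that
    use at least `min_distinct` distinct symbols and no symbol more than
    `max_repeat` times. Defaults: the Devon Home Choice rule quoted above.

    Dynamic programme over the symbols, state (positions filled, distinct
    symbols used) -> number of strings. Placing symbol d exactly c times means
    choosing c of the still-empty positions, comb(remaining, c); the product of
    those choices over all symbols is the multinomial coefficient for that count
    vector, so every string is counted exactly once.
    """
    dp = {(0, 0): 1}
    for _ in range(alphabet):
        nxt = {}
        for (used, distinct), ways in dp.items():
            for c in range(min(max_repeat, length - used) + 1):
                key = (used + c, distinct + (1 if c else 0))
                nxt[key] = nxt.get(key, 0) + ways * comb(length - used, c)
        dp = nxt
    return sum(ways for (used, distinct), ways in dp.items()
               if used == length and distinct >= min_distinct)


def count_passwords_bruteforce(length, alphabet, min_distinct, max_repeat):
    """Direct enumeration; only feasible for small parameters, used to check the DP."""
    total = 0
    for s in product(range(alphabet), repeat=length):
        counts = [s.count(d) for d in set(s)]
        if len(counts) >= min_distinct and max(counts) <= max_repeat:
            total += 1
    return total


def keyspace_report(length=9, alphabet=10, min_distinct=4, max_repeat=3):
    """Allowed keyspace versus the unconstrained one, and the entropy (bits) lost."""
    unconstrained = alphabet ** length
    allowed = count_passwords(length, alphabet, min_distinct, max_repeat)
    return {
        "unconstrained": unconstrained,
        "allowed": allowed,
        "bits_unconstrained": log2(unconstrained),
        "bits_allowed": log2(allowed),
        "bits_lost": log2(unconstrained) - log2(allowed),
    }


if __name__ == "__main__":
    r = keyspace_report()
    print(f"allowed {r['allowed']:,} of {r['unconstrained']:,} "
          f"({r['bits_allowed']:.2f} of {r['bits_unconstrained']:.2f} bits; "
          f"{r['bits_lost']:.3f} bits lost)")
    # "at least 5 distinct" is what the Java loop above, as first posted, counted
    print(f"at least 5 distinct digits: {count_passwords(min_distinct=5):,}")
```

The rule costs about an eighth of a bit: 916,725,600 of the 1,000,000,000 nine-digit strings pass it. The weakness is not the reduction but the starting point, a numeric password of under 30 bits, and the rule does nothing about 123456789 or any other popular sequence.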

~~~
mjevans
I wonder how many passwords contain strings of 123 or 111222333?

~~~
Coincoin
Just download a dictionary of known passwords, it's fascinating. You should
see a lot of common words and names followed by 123 or 69.

------
NamTaf
My bank is almost as awful:

To change your Internet Banking password, please enter your current password
and then enter your new password to confirm.

Password requirements:

    
    
        Must be between 6 and 8 characters and can contain letters, numbers or both
        Will be case sensitive so check your caps lock
        Can't contain special characters (eg. $%&#) or spaces
        Can't be your Customer ID
        Can't contain consecutive numbers (eg. 123456)
        Shouldn't contain part of your name, date of birth, drivers licence or anything that would be in your wallet

------
dawnerd
Oh please add it here: [https://github.com/duffn/dumb-password-rules](https://github.com/duffn/dumb-password-rules)

------
Zhenya
This seems to _significantly_ narrow down the possibilities of passwords - why
would they do this?

~~~
justin_oaks
One word: incompetence

~~~
stretchwithme
Doh! You guessed my password.

------
tmrmn
Just reminded me of the new rules set by my University. I had a really hard
time coming up with one.

    
    
       Password needs a minimum of 10 digits.
       Low and upper characters, at least 2 numbers 
       and could include special characters. These 
       chars are not allowed: ! & ' ` $ % ; § ~ ^ @ 
       \ € ä ö ü ß. It will be checked against last 
       two former passwords and it couldn't be 
       include 3 or more identical characters.
    

There aren't many special characters left. Also, this is a German university,
and äöüß are not allowed.

------
pcorey
PSA: Passwordless authentication is a valid and easy-to-implement
authentication technique: [http://www.east5th.co/blog/2017/04/24/passwordless-
authentic...](http://www.east5th.co/blog/2017/04/24/passwordless-
authentication-with-phoenix-tokens/)
[https://auth0.com/passwordless](https://auth0.com/passwordless)

~~~
c22
Another PSA: SMS and email are both less secure channels than your average
https login. My doctor doesn't trust these channels to communicate my test
results, so I guess don't use this for anything more sensitive than that.

------
twunde
I can't wait until NIST finalizes their new password rules. I wonder how many
companies are forced into these inane password rules because of compliance
requirements.

~~~
DanBC
Here's current UK government level advice about passwords:

[https://www.ncsc.gov.uk/guidance/password-guidance-simplifyi...](https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach)

------
daurnimator
Quoting password requirements here for discussion:

> Your new password must contain 9 numbers, and include at least 4 different
> numbers but cannot include the same number more than three times.

> To create a new password you will need to confirm some basic personal
> details (name, date of birth and National Insurance number).

> These must match the details recorded on your Devon Home Choice application.

~~~
danso
I wish I were clever enough to do a back-of-the-napkin calculation quickly;
maybe someone else can do it. What are the number of possibilities given the
constraints above, and some reasonable assumptions of human behavior:

- At least 2 to 4 numbers will be a reference to a specific year, such as the
user's birth year or the current year, e.g. 17, 1965, 2017.

- As many as 3 to 4 numbers will be a predictable pattern, such as an
incremented sequence or repetition of numbers not likely to be a birth year or
of `2017`, e.g. `1234`, `987`, `1010`

------
BenjiWiebe
Why don't websites say something like this: Your password must be 6 or more
characters long. Any character goes. If you use a weak password and your
account gets hacked, it's your fault.

And then maybe have a brief explanation of what makes a password weak, but let
the user decide if they want to get hacked or not.

------
pat2man
Someone posted this solution on Reddit months ago:
[https://www.reddit.com/r/identifythisfont/comments/53zcom/ap...](https://www.reddit.com/r/identifythisfont/comments/53zcom/apple_homekit_font/)

------
normalocity
Yeah - guessing after reading that, nearly everyone's password is 123456789

If you can figure out what they use for user IDs (emails, or perhaps another
9-digit number), you'll own all these user accounts.

This is what happens when cleverness meets ignorance of security.

------
logicallee
Pfff. The Satan of that hell needs to be fired. I could do WAY better:

"

Your password must conform to the following rules:

- It must be exactly 6 characters

- The first character must be @ or #

- The second character must be a digit except 0.

- The third character must be a lowercase, uncommon letter. Uncommon letters
are q, x and z.

- The fourth character may be any uppercase vowel, with the exception of U. Y
is not considered a vowel.

- The fifth character must be a lowercase letter differing from the third
character.

- The sixth character must be an underscore (_).

Your password must be changed after every third log-in. You may not use any of
your previous ten passwords nor any password you have used in the past 180
days.

------
hughes
Find and ridicule many other examples here: [http://password-shaming.tumblr.com/](http://password-shaming.tumblr.com/)

------
bcg1
Would love to see the creative functions y'all can come up with to validate
this...

~~~
sgehly

      function isPasswordValid(pass){
          //There's no way in hell they figured it out.
          return false;
      }

------
kedwards
9 digits. I wonder what fraction of these passwords are SSNs

~~~
resf
Since Devon is in the UK, presumably very few.

------
NamTaf
At least it's served via HTTPS?

