On the plus side: The web site not only has a text size selector – there also is a “Text Only” link that does exactly what it says, and reveals a “Colour Scheme” menu: Black on white, black on cream, white on blue, yellow on black.
Some dev has been having fun with this while all the product people are away. As a creator of useless side projects, I can relate.
You'd think that this is to conform to accessibility regulations; this is a British site, and the British are very strict on that front. Nothing wrong with high-contrast schemes, especially when you have cataracts.
> Please do not use the browser back button, only use the Back button at the bottom of the page.
This amazes me a lot more than a ridiculous password scheme. You can always come up with a justification for a stupid password scheme. But there's no justification for "I don't know how sessions work" after 20 years of web development history. It was the #1 most frequent developer mistake IN 1999.
Good call on the leading zeroes. I was trying to write a Python program to do the same and I would have implicitly ignored leading zeroes, which should be considered here because a password could be, for example, 000123456.
The analytic solution also isn't particularly difficult, just tedious to work through by hand.
There are 10 valid ways to choose the first digit. You either repeat that digit one or zero times. If once, there are 8 ways to do this, and then you have the same sub-problem except with 9 remaining characters to use and 7 remaining places to fill. If none, there's one way to do it, and then you have the same problem except with 9 remaining characters to use and 8 remaining places to fill.
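The recursion in the comment above, written out as a worked example (added here, not code posted in the thread). It assumes the rule being counted is "9 digits, no digit used more than twice", with leading zeros allowed as the earlier comment points out; the recursive count is cross-checked against a direct closed form and, for short lengths, against brute-force enumeration.

```python
from functools import lru_cache
from itertools import product
from math import comb, factorial


@lru_cache(maxsize=None)
def count_at_most_twice(digits, places):
    """Number of strings of length `places` over `digits` distinct symbols in which
    no symbol appears more than twice, computed exactly as the comment describes:
    pick a symbol for the leftmost empty position, then either place its single
    allowed repeat in one of the (places - 1) remaining positions, or never use
    that symbol again. Leading zeros are just another symbol in position one."""
    if places == 0:
        return 1            # every position filled: one way
    if digits == 0:
        return 0            # positions left but no symbols left
    repeat_once = (places - 1) * count_at_most_twice(digits - 1, places - 2) if places >= 2 else 0
    no_repeat = count_at_most_twice(digits - 1, places - 1)
    return digits * (repeat_once + no_repeat)


def count_closed_form(digits, places):
    """Same quantity by direct counting: choose k symbols that appear twice and
    (places - 2k) symbols that appear once, then arrange the multiset,
    dividing by 2! for each doubled symbol."""
    total = 0
    for k in range(places // 2 + 1):
        singles = places - 2 * k
        if singles > digits - k:
            continue
        total += comb(digits, k) * comb(digits - k, singles) * factorial(places) // 2 ** k
    return total


def count_brute_force(digits, places):
    """Enumerate every string (only feasible for short lengths) and keep those
    where no symbol occurs more than twice; used to validate the recursion."""
    return sum(1 for s in product(range(digits), repeat=places)
               if all(s.count(d) <= 2 for d in s))


def fraction_of_keyspace(digits, places):
    """Share of all digits**places strings that the rule still allows."""
    return count_at_most_twice(digits, places) / digits ** places


if __name__ == "__main__":
    n = count_at_most_twice(10, 9)
    print(f"9-digit passwords with no digit used more than twice: {n:,}")
    print(f"fraction of the 10^9 keyspace that survives: {fraction_of_keyspace(10, 9):.3f}")
```

Both counting methods agree on 516,650,400 for the 9-digit case, a little over half of the 10^9 unrestricted keyspace, so the rule costs an attacker under one bit of guessing work while making the password harder for a human to pick.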
There is a silver lining here. It practically eliminates the possibility of reusing a password from another site ... because nobody else is stupid enough to have rules like these. At least when somebody cracks your password here it won't do them any good anywhere else.
> Your password must be 8 to 20 characters and may include upper or lowercase letters (A-Z and a-z), numbers (0-9), spaces (except at the beginning or end), and special characters. You must use at least one letter and one number. You cannot use the same character in four or more consecutive positions (for example, AAAa is valid, but AAAA is not valid) and you cannot use four or more sequential characters, in ascending or descending order, in a row (for example, ABCD and 4321 are not allowed).
It almost feels like a riddle...
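A pass/fail checker for the rule set quoted above, added here as an example and not code from the site or the thread. It assumes "sequential" means consecutive code points (so ABCD and 4321 are caught but AbCd is not), that a run of length four or more is what is rejected (AAAa passes, AAAA fails), and that control characters do not count as "special characters"; none of that is spelled out in the quoted rules.

```python
import string

MIN_LEN, MAX_LEN = 8, 20
RUN_LIMIT = 4  # a run of four or more identical or sequential characters is rejected


def _longest_run(pw, step):
    """Length of the longest stretch in which each character's code point differs
    from the previous one by exactly `step`: 0 = identical (AAAA),
    +1 = ascending (ABCD, 1234), -1 = descending (4321, dcba)."""
    best = run = 1
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if ord(cur) - ord(prev) == step else 1
        best = max(best, run)
    return best


def validate(pw):
    """Return the list of rule violations for `pw`; an empty list means it passes."""
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not pw.isprintable():  # assumption: control characters are not "special characters"
        problems.append("contains non-printable characters")
    if pw != pw.strip(" "):
        problems.append("spaces are not allowed at the beginning or end")
    if not any(c in string.ascii_letters for c in pw):  # A-Z and a-z only, as the rule says
        problems.append("needs at least one letter")
    if not any(c in string.digits for c in pw):
        problems.append("needs at least one number")
    if _longest_run(pw, 0) >= RUN_LIMIT:
        problems.append("same character in four or more consecutive positions")
    if _longest_run(pw, 1) >= RUN_LIMIT or _longest_run(pw, -1) >= RUN_LIMIT:
        problems.append("four or more sequential characters in a row")
    return problems


if __name__ == "__main__":
    for candidate in ("Correct Horse 42", "AAAa9b2z", "AAAA9b2z", "xyz4321Q", " ab1"):
        print(repr(candidate), "->", validate(candidate) or "ok")
```

Running the same function on the client side is exactly the kind of machine-readable rule a browser's password generator would need; the run check is the only part that can reject a random string, so a generator can simply retry on failure.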
Because I have to choose a complicated password that I can't remember, every single time I go back (maybe twice a month) I pretty much have to use the password reset functionality and make another non-memorable password. Even setting up the password takes some thinking as you can read the requirements that you have to conform with. Ugh. It's pretty annoying.
This brings up one of many interesting paradoxes of browsers. They can save passwords by default, but they won't generate strong passwords for you by default. (If your browser has a password generator you have to manually enable it)
Chrome generates strong passwords for you. I only wish there was a simple pass/fail test js function websites could use to tell chrome whether or not the auto generated password fits their ridiculous rules.
Password rules have gone a bit absurd in my environment, where they are considering doubling the twenty-character requirement, which already leads to people doing cut and paste. Another option has been people storing them on their phones.
With cloud computing, a security company recently has shown us that if they can find a hole to get the files where systems store such information, they can reverse most. There is a dearth of knowledge out there about how each platform stores such data, and finding an in is incredibly easy at the majority of companies.
To change your Internet Banking password, please enter your current password and then enter your new password to confirm.
Password requirements:
Must be between 6 and 8 characters and can contain letters, numbers or both
Will be case sensitive so check your caps lock
Can't contain special characters (e.g. $%&#) or spaces
Can't be your Customer ID
Can't contain consecutive numbers (e.g. 123456)
Shouldn't contain part of your name, date of birth, driver's licence or anything that would be in your wallet
Just reminded me of the new rules set by my University. I had a really hard time coming up with one.
Password needs a minimum of 10 digits. Lower and upper case characters, at least 2 numbers, and it may include special characters. These characters are not allowed: ! & ' ` $ % ; § ~ ^ @ \ € ä ö ü ß. It will be checked against the last two former passwords and it can't include 3 or more identical characters.
There aren't many special characters left. Also, this is a German university, and äöüß are not allowed.
Another PSA: SMS and email are both less secure channels than your average https login. My doctor doesn't trust these channels to communicate my test results, so I guess don't use this for anything more sensitive than that.
I can't wait until NIST finalizes their new password rules. I wonder how many companies are forced into these inane password rules because of compliance requirements
I wish I were clever enough to do a back-of-the-napkin calculation quickly; maybe someone else can do it. What are the number of possibilities given the constraints above, and some reasonable assumptions of human behavior:
- At least 2 to 4 numbers will be reference to a specific year, such as the user's birth year or the current year, e.g. 17, 1965, 2017.
- As many as 3 to 4 numbers will be a predictable pattern, such as an incremented sequence or repetition of numbers not likely to be a birth year or of `2017`, e.g. `1234`, `987`, `1010`
Why is everyone assuming this means the password must only contain 9 numbers? I mean, it's very likely, but it's ambiguous enough that I was wondering if they accept other characters and want 9 numbers as well.
Why don't websites say something like this:
Your password must be 6 or more characters long. Any character goes. If you use a weak password and your account gets hacked, it's your fault.
And then maybe have a brief explanation of what makes a password weak, but let the user decide if they want to get hacked or not.
Pfff. The Satan of that hell needs to be fired. I could do WAY better:
"
Your password must conform to the following rules:
- It must be exactly 6 characters
- The first character must be @ or #
- The second character must be a digit except 0.
- The third character must be a lowercase, uncommon letter. Uncommon letters are q, x and z.
- The fourth character may be any uppercase vowel, with the exception of U. Y is not considered a vowel.
- The fifth character must be a lowercase letter differing from the third character.
- The sixth character must be an underscore (_).
Your password must be changed after every third log-in. You may not use any of your previous ten passwords nor any password you have used in the past 180 days.
"