
I had a password for an old school system (which I wrote) that was "any 21 characters where the 21st character is a 'z'". People would watch me type it (mashing 20 keys then the 'z') and be amazed I could remember a password that long.

I have a similar anecdote. I had a password that was 14 characters long, for a school system too. One day I mistyped it and it still worked. I was puzzled and discovered that it actually took only the first 8 characters into account. From that day, whenever someone was around, I typed the first 8 characters as fast as I could (pretty fast, as it was something I typed in quite often), then continued to type random stuff like crazy for a few seconds, then hit enter, and loved to see people's faces when they saw it working as if what I typed actually was my exact password.

I discovered that's the way my banking app actually worked until only a few updates ago. The password was originally limited to 8 characters (why this was the case for an online bank password is beyond me), but the app would allow you to enter more characters into the password input. It only accepted the first 8 characters though, so anything you entered after those was ignored. I discovered this when I mistyped my password, adding an extra character at the end and hitting submit without thinking, and was amazed and kind of worried to find it still worked.
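A model of the truncating verifier the two comments above describe, as an added example that is not from the thread (the function names and the fixed salt are constructed for the demo): the legacy path hashes only the first 8 characters, optionally case-folded, so a password with an extra character appended still verifies; the corrected path hashes every byte the user typed.

```python
import hashlib
import hmac

LEGACY_MAX_LEN = 8  # the "only the first 8 characters count" behaviour from the thread


def _kdf(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 over the password bytes (iteration count kept low for the demo)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


def enroll_legacy(password: str, salt: bytes, case_insensitive: bool = False) -> bytes:
    # Defect being modelled: the stored hash covers only a prefix of what the user typed.
    p = password[:LEGACY_MAX_LEN]
    if case_insensitive:
        p = p.lower()  # the Vanguard / credit-union variant further down the thread
    return _kdf(p, salt)


def verify_legacy(stored: bytes, attempt: str, salt: bytes, case_insensitive: bool = False) -> bool:
    # The login form accepts any length but silently ignores everything after the prefix.
    return hmac.compare_digest(stored, enroll_legacy(attempt, salt, case_insensitive))


def enroll(password: str, salt: bytes) -> bytes:
    # Corrected path: every character the user typed contributes to the stored hash.
    return _kdf(password, salt)


def verify(stored: bytes, attempt: str, salt: bytes) -> bool:
    return hmac.compare_digest(stored, enroll(attempt, salt))


def truncation_demo() -> dict:
    """Constructed inputs: a 14-character password and the same string with one character appended."""
    salt = b"constructed-fixed-salt"  # fixed only so the demo is deterministic; use os.urandom(16) in practice
    real = "correct-horse1"           # 14 characters, as in the anecdote
    mistyped = real + "x"             # extra character at the end
    return {
        "legacy_accepts_mistype": verify_legacy(enroll_legacy(real, salt), mistyped, salt),
        "legacy_accepts_prefix_only": verify_legacy(enroll_legacy(real, salt), real[:8], salt),
        "legacy_ci_accepts_wrong_case": verify_legacy(enroll_legacy(real, salt, True), real.upper(), salt, True),
        "fixed_accepts_mistype": verify(enroll(real, salt), mistyped, salt),
        "fixed_accepts_correct": verify(enroll(real, salt), real, salt),
    }
```

The legacy store effectively holds an 8-character (or 8-character case-folded) secret no matter how long the user believes their password is, which is exactly the mismatch the anecdotes describe.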

I’ve had the goddamn Citibank _require_ that I use a password 6 or 7 characters long on one of their systems. This year (2019).

What system is this? I had used a 20+ character password on their website using my password manager to enter it every time. One day they said the password was wrong, which was unlikely since the password manager was entering it. I ended up doing a password reset and set it to something shorter like 15 characters, and then it worked. I don't know if they truncate or not, but they've definitely allowed much longer passwords than 6 or 7 characters. I've hit this issue with their website more than once so I know they've fixed it and re-broken it a few times in the past.

I think it was the one for showing you the pin of a corporate credit card.

Another bank I had around 3 years ago used only the first 5 characters, and these first 5 had to be numbers.

I guess anyone can just hack a password in like 1 second on a phone or something?


When I was living in Puerto Rico for work, the local credit union I was using had this same problem. Although the tooltip and messaging on the page said 8-16 chars, only the first 8 were used, and from my testing it had to be case insensitive.

I promptly updated my direct deposit with my employer and used my more secure off-island bank as the destination for the majority of my pay, and had only the minimum required to avoid fees and act as spending money put in that acct.


This was the case for Vanguard for a long time... also, it wasn't case sensitive. I'm not sure when it changed, but I think it was in the last couple years.

It's more fun when they limit you to X characters (no special characters!) while choosing the password but let you input any number of characters when logging in, and failing you when you typed too many.

Hey, that's actually a neat idea! You could expand upon that system by having it only check the 2nd, 5th, 10th, Nth etc. characters.

So people could type in different gobbledegook each time between the characters that matter.

To further defeat keyloggers, shoulder snoopers etc., let each valid character be an option from a set of two or more characters.

So, if my password is: Any 8 characters, but 2nd character must be A/B/C/x/y/z, and the 6th must be !/@/# then I could type:

    9A4jc@23
    #C(@$!as
    oxo!c#-1

or any other valid combinations to get in.

How much more secure would something like that* generally be compared to static passwords?

* (Of course this is a simplified example for illustration. In practice you'd use more characters/options.)


> How much more secure would something like that generally be compared to static passwords?

It's not secure at all. If someone knows the rules of the system, the entropy on that is tiny, because it's basically a 2 letter password with only 6/3 options.

The only security would be from the obscurity of the attacker not knowing the password rules.
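Worked numbers for the 6/3 example above, as an added example that is not part of the thread (the rule dictionary format and the 95-character printable alphabet are assumptions): the entropy of the positional scheme once its rules are known, compared with an ordinary 8-character password, plus a check that every sample login the commenter listed is accepted.

```python
import math
import string

ALPHABET = string.printable[:95]   # 95 printable ASCII characters, a common assumption for password entropy

# Rule format (assumed for this example): {position (1-based): set of accepted characters}.
# The thread's example: 2nd character in A/B/C/x/y/z, 6th in !/@/#, minimum length 8.
THREAD_RULES = {2: set("ABCxyz"), 6: set("!@#")}


def accepts(rules: dict, attempt: str, min_len: int = 8) -> bool:
    """Positional scheme from the thread: only the listed positions are checked."""
    if len(attempt) < min_len:
        return False
    return all(attempt[pos - 1] in allowed for pos, allowed in rules.items())


def scheme_bits(rules: dict) -> float:
    """Entropy of the positional scheme once the rules are known: log2(product of set sizes)."""
    return math.log2(math.prod(len(allowed) for allowed in rules.values()))


def static_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of an ordinary password of the same length where every character counts."""
    return length * math.log2(alphabet_size)


def guess_success_probability(rules: dict, alphabet_size: int = len(ALPHABET)) -> float:
    """Chance that one uniformly random attempt (of sufficient length) is accepted."""
    p = 1.0
    for allowed in rules.values():
        p *= len(allowed) / alphabet_size
    return p


def thread_comparison() -> dict:
    # The three sample logins the commenter listed; the first is also the keylogged replay later in the thread.
    samples = ["9A4jc@23", "#C(@$!as", "oxo!c#-1"]
    return {
        "all_samples_accepted": all(accepts(THREAD_RULES, s) for s in samples),
        "replay_accepted": accepts(THREAD_RULES, samples[0]),
        "scheme_bits": round(scheme_bits(THREAD_RULES), 2),        # about 4.17 bits
        "static_8_char_bits": round(static_bits(8), 2),             # about 52.56 bits
        "random_guess_hits_scheme": guess_success_probability(THREAD_RULES),
        "random_guess_hits_static": 1 / len(ALPHABET) ** 8,
    }
```

Shrinking each checked position's set to a single character and checking every position turns `scheme_bits` into `static_bits`, which is the point made further down the thread: the scheme is at best an ordinary password, and any slack in it only lowers the bits.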


> because it's basically a 2 letter password with only 6/3 options.

That was obviously an oversimplified example to explain the rules.

In practice you could make it as obscure as you want, while keeping it easy for you to remember.

Like the sentences I just typed here. No limit on the number of characters. I could enter different long sentences each time, as long as the characters at specific positions match certain sets.


There is no way that "use a (proper) subset of the characters for bits of entropy" is going to beat "use all the characters for bits of entropy". Almost by definition, the second is going to have more entropy.

You're not getting anywhere, because people trying to guess your password don't have to guess your scheme. All you're doing is making it easier for them. There is no sense in which you are making it harder.

In the optimum case, you'd require them to get the right characters in the slots you're counting, but to not use the wrong characters in the slots you're not counting, thus demonstrating that they actually know the scheme in question and aren't just getting lucky. There would be exactly one character you'd accept in the slot you're counting, and there would be exactly one character they could use to indicate they understand your pattern in the slots you're not counting. This maximizes the chance they have proved to be in possession of your password, rather than just getting lucky because you didn't count their misses. This is, of course, simply using a password normally.


That's just the same thing as a password, though. Even a short password is still just ensuring that specific characters are in specific positions. The only situation where this would be useful is against people with physical or viewable access to the password being typed.

> In practice you could make it as obscure as you want,

If only that made it as secure as you want.

https://en.wikipedia.org/wiki/Security_through_obscurity


And they would almost certainly know the password rules, because anyone making an account would have to be told the rules in order to understand what was happening.

Unless the rules were unique and hidden for each user!

    User1: 1,3,7,10,12,15
    User2: 2,3,5,8,10,13

I think we’re on to something big.

It's complicated enough for people to remember 8-character-long passwords, good luck with an additional level of complexity.

Each user could provide their own rules.

If I had a key logger on your system, I'd just try:

    9A4jc@23

Bam. Access granted.

If you had a keylogger, it wouldn't really matter how good your authentication scheme is…

Keyloggers aren’t very useful when authentication uses TOTPs from a hardware token.

TOTPs from a hardware token aren't very useful if the system doesn't support TOTP as an auth backend.

But if each of those is a valid password, how does it defeat keyloggers or shoulder snoopers in any way? They just have to type in the same password.

Now, if the rules were totally secret, you could make it such that each time you used a password, it was no longer valid. That would defeat the keylogger, while still allowing you to remember your 3 special characters. But of course you can't ever assume your rules are secret (security by obscurity and all that).


> You could expand upon that system by having it only check the 2nd, 5th, 10th, Nth etc. characters

A bank I use does something like this. On account creation you give it a long key string and on subsequent log-in it asks for three different characters (e.g. the 4th, 3rd and 9th characters) from the string.


You can "impress" people this way still, just by surreptitiously typing Ctrl-u to clear what you've typed so far.

I'm guilty of that. I tend to mistype my passwords a lot, since I try to keep them pretty complicated, but since I usually realize quickly enough to imperceptibly hit Ctrl-U and retype in a smooth motion, I just let onlookers believe that my password is very, very long.

Your password is "the21stcharacterisa'z"

Such a funny idea. I would have loved to see people’s faces when you typed it in.