
Yeah, at my last job, someone implemented a password strength checking feature that would actually reject stronger passwords. It required:

1. At least 3 out of the 4 categories: uppercase, lowercase, digit, special character

2. No character could be repeated more than two times

3. No sequence of 3 or more increasing or decreasing letters or numbers could be present (and not even consecutive: "ta/Tbs#cz" would be rejected because it contains "abc").

4. No English words or names could be present.

5. It must be at least 8 characters

There may have been other restrictions too, I don't recall the exact details.

This meant that perfectly reasonable passphrases (like "correct horse battery staple") would be rejected. Even if you tried to come up with a good password that met the rule, you might fail by accident because "89cRbcThe*)" has the word "The" in it. You would generally have to come up with a password, then whittle it down slowly until you passed all of the rules, usually making it weaker in the process.
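Added example (not the original poster's code) that models the rule set as the comment describes it, so the effect can be seen on real inputs. Assumptions: rule 3 is treated as a subsequence check, letters compared case-insensitively and separately from digits; rule 4 uses a small constructed word list standing in for the real dictionary.

```python
# Constructed stand-in for the checker's English word list (assumption: the real
# list was far larger; this only reproduces the behaviour the comment describes).
DICTIONARY = {"the", "correct", "horse", "battery", "staple", "password"}

def _monotone_subsequence(chars, step):
    """True if three characters whose ordinals rise by `step` appear in order,
    not necessarily adjacent: a...b...c for step=1, c...b...a for step=-1."""
    for i, a in enumerate(chars):
        b = chr(ord(a) + step)
        c = chr(ord(a) + 2 * step)
        try:
            j = chars.index(b, i + 1)   # first b after a
            chars.index(c, j + 1)       # any c after that b
            return True
        except ValueError:
            continue
    return False

def check_password(pw):
    """Return the list of rule numbers that reject `pw`; [] means accepted."""
    failures = []
    # Rule 1: at least three of upper, lower, digit, special.
    cats = (any(c.isupper() for c in pw), any(c.islower() for c in pw),
            any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    if sum(cats) < 3:
        failures.append(1)
    # Rule 2: no character may occur more than twice anywhere in the password.
    if any(pw.count(c) > 2 for c in set(pw)):
        failures.append(2)
    # Rule 3: no ascending/descending run of 3, even as a non-adjacent subsequence
    # (assumption: letters case-insensitive, digits handled as their own class).
    letters = [c for c in pw.lower() if c.isalpha()]
    digits = [c for c in pw if c.isdigit()]
    if any(_monotone_subsequence(seq, step)
           for seq in (letters, digits) for step in (1, -1)):
        failures.append(3)
    # Rule 4: no dictionary word as a substring, case-insensitive.
    if any(word in pw.lower() for word in DICTIONARY):
        failures.append(4)
    # Rule 5: minimum length.
    if len(pw) < 8:
        failures.append(5)
    return failures

if __name__ == "__main__":
    for pw in ("ta/Tbs#cz", "89cRbcThe*)", "correct horse battery staple", "Pa55w0rd!"):
        print(repr(pw), "rejected by rules", check_password(pw) or "none")
```

Running it shows the inversion the comment complains about: the 28-character passphrase trips four rules, while the short leetspeak string "Pa55w0rd!" (constructed) passes every one.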

They must have really dedicated customers. That, or their users are required to use their system under pain of multi-year imprisonment. I see no other reason why anyone would agree to suffer through this.

-----


So... were ANY passwords created? I could see the success rate on this at like 1%.

-----
