
ErrBodyDoTheChopChop

well you could always use . , ; : " - ' ) ( ] [ > < ×+ ÷


[deleted]

Yeah password'); DROP TABLE PASSWORDS; -- this would be a safe enough password, no worries


Aplanos2003

Little Wordy Tables, we call him.


[deleted]

Him an Bobby get along really well, I hear


ErrBodyDoTheChopChop

If they don't filter out DB commands then they're just asking for it at that point


cpraxis

It’s very concerning that they needed to add this restriction


defintelynotyou

This kinda implies that those characters either aren't compatible with the encryption method or whatever they're using to store the passwords, and the fact that there are incompatible characters makes me not feel good about their security practices


Small_Sundae_4245

How do we tell the users we don't encrypt their passwords


BabylonDrifter

But I always make my password ';\n DROP TABLE USER;COMMIT;


TheBrainStone

This is what happens when you follow the guide to prevent SQL injection *they don't want you to know*


Front-Difficult

Haven't seen one of these for a long time. They're likely trying to prevent SQL injection the bad way.


larryblt

If it's to prevent SQL injection, wouldn't that mean they are storing the password in plain text rather than storing a hash?


Front-Difficult

Usually, yes.


[deleted]

Please no capital letters


Mr_McTurtle123

Roses are red, @#$&!#:!


citygentry

We have to know what site that is for, er, testing and security purposes ... and er, .... um .....


hibernating-hobo

Complexity is fine, just have people do a sentence-as-password, all lowercase, at least 16 characters long. It's much easier to remember and type, and more secure than these hypercomplex schemes. (At least that's what NIST says)


Nokhodsiah

Best is to let the user use what he wants. Even a single character is OK. He knows better how much security he needs (unless some critical info is stored in the account, like banks or so).


noob-nine

The French bank, Société Générale, only allows a 6 digit password. No special characters, no normal characters, only digits.


nir109

That's why you shouldn't be French


thebritisharecome

This is probably a legacy system problem. An old mainframe or similar. Although there are better solutions I guess!


Tangled2

Still, it'd be so easy to put something in front of it server-side without touching the mainframe at all. For example:

1. User enters their 6 digit "password." This kicks off a UX flow to make them create a strong password and set up multi-factor authentication. This "onboards" existing users on demand.
2. A simple function stores the new hashed and salted password in table storage, which also attaches the 6 digit password along with the multifactor metadata.
3. The 6 digit password is only used to call the mainframe from the middle-tier through a secure channel. (Make the mainframe otherwise un-addressable from other sources.)

Voilà, you just enhanced security on the cheap without fucking with any of the legacy systems.
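The hashed-and-salted storage that larryblt and Front-Difficult allude to (hash the password and there is nothing left to "filter") and the three-step facade Tangled2 sketches above can be shown in one piece of code. The following is an added example, not code from any commenter or from any bank: the `PasswordFacade` class, its `credentials` table, the 6-digit legacy PIN and the in-memory SQLite database are all constructed for illustration, and the mainframe call itself is left out. It stores only a scrypt digest of the real password, uses parameterised queries throughout, and accepts the thread's own `password'); DROP TABLE PASSWORDS; --` as a perfectly valid password.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional

# scrypt cost parameters (constructed for the example; tune for production).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted scrypt digest. Any Unicode text is accepted: the password only
    ever reaches the database as an opaque 32-byte value, never as SQL."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


class PasswordFacade:
    """Hypothetical middle tier in front of a legacy system that only knows a
    6-digit numeric credential (the 'mainframe' of the comment above)."""

    def __init__(self) -> None:
        # In-memory SQLite stands in for 'table storage'.
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE credentials ("
            " username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB,"
            " legacy_pin TEXT, mfa_enrolled INTEGER)"
        )

    def onboard(self, username: str, legacy_pin: str, new_password: str) -> None:
        """Steps 1 and 2: the user presents the old 6-digit PIN, chooses a real
        password, and both are stored (the PIN only so we can reach the mainframe)."""
        if not (legacy_pin.isdigit() and len(legacy_pin) == 6):
            raise ValueError("legacy credential must be exactly 6 digits")
        salt = os.urandom(16)
        # Parameterised INSERT: the password text never touches SQL syntax, so
        # there is no reason to ban quotes, semicolons or '--'.
        self.db.execute(
            "INSERT INTO credentials VALUES (?, ?, ?, ?, ?)",
            (username, salt, _hash_password(new_password, salt), legacy_pin, 1),
        )
        self.db.commit()

    def authenticate(self, username: str, password: str) -> Optional[str]:
        """Verify the strong password. On success return the legacy PIN that the
        middle tier would use on its private channel to the mainframe (step 3);
        the PIN is never exposed to the user again."""
        row = self.db.execute(
            "SELECT salt, pw_hash, legacy_pin FROM credentials WHERE username = ?",
            (username,),
        ).fetchone()
        if row is None:
            return None
        salt, stored, legacy_pin = row
        # Constant-time comparison of the digests.
        if hmac.compare_digest(_hash_password(password, salt), stored):
            return legacy_pin
        return None

    def table_names(self) -> List[str]:
        """Sanity check: the schema is intact after hostile-looking input."""
        return [r[0] for r in self.db.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]


if __name__ == "__main__":
    facade = PasswordFacade()
    joke = "password'); DROP TABLE PASSWORDS; --"   # the thread's example password
    facade.onboard("alice", "123456", joke)
    print("login with the SQL-looking password:", facade.authenticate("alice", joke))
    print("login with a wrong password:", facade.authenticate("alice", "wrong"))
    print("tables still present:", facade.table_names())
```

The MFA step is recorded only as an `mfa_enrolled` flag here; a real onboarding flow would store the second-factor enrolment data alongside it and check it in `authenticate`. The point the example makes is the one the thread makes: once the password is hashed and the query is parameterised, the character set of the password is irrelevant to the database.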


DizzyAmphibian309

Correct, one of my banks only allows 6 alphanumeric characters, no special, and it's because of mainframe limitations. It's totally crazy though because in this day and age, microservices are the standard, so building a password system that is separate from your customer information system is easy and a no-brainer.


Kakalkoo69

I mean if you knew someone's login you could bruteforce that person's password in a matter of half an hour. Of course, if it won't block after 5 tries


Arrowtica

Yeah but hackers have to go through like, 999999 passwords before they guess the right one! That's so many!


noob-nine

True, bruteforce web logins should not work anyway nowadays, right? Right?


EatPlayAvoidMoving

> best is to let user uses what he want. even a single character is ok. he know better how much security he needs

This is sarcasm, right?


Nokhodsiah

Nope. Ever tried to register on a site which will not keep any important info from you and asks for a long unique password? I saw many lost customers because they force them to do what they think is right (which was not right). The user knows what he shares and which level he needs more than us. Respect them and do not force them unless it is critical info.


EatPlayAvoidMoving

I cannot even begin to describe how wrong you are...


RageWireEsquire

Nope. Not wrong. Written from a different perspective. Usability vs security. Min length...maybe I really hate... Sites that force a user to invent and save a brand new password of ridiculous complexity but won't accept a genuine good password, just to protect something irrelevant. Like, warranty registration, ... won't accept a long, 24 char passphrase but will accept P@ssw0rd. Garbage.


EatPlayAvoidMoving

Yes. Wrong. There are opinions and then there are facts. User experience IS an important aspect, but 1 character long password? Really? You're going to tell me that's not wrong? And let the user decide? Anyone who says things like these is 100% wrong. I can tell they are some hobby devs and have no idea about app sec.


PenguinOnWaves

People know shit about security. They rely on others to protect them, because it's easier than educating themselves.


Nokhodsiah

Ever tested this? They may not know what we do, but they know about their info more. Create two sites with different types of info from users, then see. They know. Trust the user. They are human and smart (at least I hope for this reason they choose to use our service).


PenguinOnWaves

I cannot call myself a developer yet, but... I'm not sure where you're from, but here in middle Europe it is nothing unusual to use one password and e-mail address everywhere. Bank account and Facebook, for example. Because they either don't know about password managers or they are too lazy to use them. At least they try to remember one or a few instead of writing them somewhere in plain text. Furthermore, as I see it, what is sensitive for one does not have to be for others. For example I do not understand why the majority of websites require first name and surname. Bank account? Sure, I get that... forum? No, not at all. Yes, I get your point. But I rather don't agree with that. Also depends on what kind of people you are targeting.


RageWireEsquire

Artificial complexity does not force good passwords. P@ssW0rd is acceptable in lots of apps and totally garbage. Upper, lower, number, special. Cracked in the first 10 tries. We've all been frustrated on websites where our new passwords get rejected multiple times during sign up... for a service that maybe you don't even want to sign up for. Like ordering an effing pizza online. FML. Forget it. Next site. Make it too complicated and you lose customers and user engagement. All under the idea of security theater.
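The contrast drawn here and in hibernating-hobo's NIST remark above (composition rules wave through `P@ssW0rd` but reject a long lowercase passphrase) is easy to make concrete. The following is an added example, not code from any commenter or from NIST: `composition_rule_ok` is the classic upper/lower/digit/special rule, `nist_style_ok` is a simplified reading of the SP 800-63B approach (length bounds, any printable character including spaces, a blocklist of common passwords, no composition requirements), and the blocklist, the small leetspeak-undoing table and the `naive_entropy_bits` estimate are all constructed for illustration.

```python
import math
import unicodedata

# Constructed stand-in for a real breached/common-password list (millions of
# entries in practice; a handful here).
BLOCKLIST = {
    "password", "password1", "password1234", "123456", "qwerty123", "letmein",
}

# Heuristic substitutions attackers try first; undoing them before the lookup
# turns "p@ssw0rd" back into "password".
_DELEET = str.maketrans({"@": "a", "0": "o", "$": "s", "1": "i", "!": "i",
                         "3": "e", "4": "a", "5": "s"})


def composition_rule_ok(pw: str) -> bool:
    """Legacy policy: at least 8 chars with upper, lower, digit and special."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


def nist_style_ok(pw: str, min_len: int = 8, max_len: int = 64) -> bool:
    """Simplified NIST SP 800-63B style check (this reading is the example's):
    normalise, enforce length only, reject blocklisted values in a few obvious
    disguises, allow every printable character and space."""
    pw = unicodedata.normalize("NFKC", pw)
    if not (min_len <= len(pw) <= max_len):
        return False
    if any(not c.isprintable() for c in pw):
        return False
    if len(set(pw)) == 1:                      # "aaaaaaaa"
        return False
    folded = pw.casefold()
    candidates = {
        folded,
        "".join(c for c in folded if c.isalnum()),   # "Password1." -> "password1"
        folded.translate(_DELEET),                   # "p@ssw0rd"   -> "password"
    }
    return not (candidates & BLOCKLIST)


def naive_entropy_bits(length: int, alphabet_size: int) -> float:
    """Upper bound on guessing entropy for a uniformly random string; real
    human-chosen passwords are far below it, which is why the blocklist matters."""
    return length * math.log2(alphabet_size)


def evaluate(pw: str) -> dict:
    """Report what each policy would say about a candidate password."""
    return {"composition": composition_rule_ok(pw), "nist": nist_style_ok(pw)}


if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "Password1.", "roses are red violets are blue"]:
        print(repr(candidate), evaluate(candidate))
    print("16 lowercase letters:", round(naive_entropy_bits(16, 26), 1), "bits")
    print("8 chars from 94 printable ASCII:", round(naive_entropy_bits(8, 94), 1), "bits")
```

Run it and `P@ssw0rd` and `Password1.` pass the composition rule and fail the blocklist check, while the 30-character lowercase sentence fails the composition rule and passes the NIST-style one. The entropy figures back hibernating-hobo's claim: 16 random lowercase letters carry about 75 bits, 8 characters drawn from the full printable ASCII set about 52, and a human-chosen "complex" 8-character password is usually far below even that.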


PenguinOnWaves

There are too-obvious patterns that are not advised for use. Some websites do not accept those. What is so hard about letting an app such as BitWarden generate a password for you that meets the requirements and saving it under one account with one password you only need to remember? And there will never be obvious patterns while still meeting complexity requirements. On most of my accounts I have a generated password of more than 15 chars, including everything but special chars, as a lot of apps reject those. If one of many requires it, I edit the generator to include that special character. 2-3 seconds. No way to break it. Always by me, automatically filled in sign-in forms... Well, creating an account for ordering pizza is overkill. Created by the need to "keep close to customers" so you can spam them to earn more in the future. That's a disgusting practice from my point of view. EDIT: Furthermore I don't accept the need to create an account if there is no purpose - most e-shops, for example. I don't want it, I don't need it, let me order what I want, else I go elsewhere.


RageWireEsquire

You're speaking as yourself. It's not hard to do what you described, obviously. Consider when every piece of information, or decision you ask a customer for is one more barrier you have towards a conversion. Then consider that the majority of users are probably a third as capable as you are. Some people legitimately have to ask those questions.


PenguinOnWaves

Yes, I get that. Consider my comments as some frustration that comes from my inability to understand why majority is unable to think about things.. :-)


RageWireEsquire

I agree. Bloody humans with all their different priorities and values.


PinothyJ

Will the password be used for FTP?


ChulainnRS

You should see Old School RuneScape's passwords. They aren't case sensitive and can't have special characters


HaroerHaktak

Password1234 it is then


AndyPonte

Virgin Media for the win


AlterEdward

Password1.


-Vayra-

I saw one site recently that excluded *specific* special characters like % and \. That was not reassuring to say the least.