Overzealous password checkers


Da Orky Man

Yeah, that's me
Apr 24, 2011
2,107
0
0
I'm sure we've all encountered them. You turn up at a new job, or go to university, or even just sign up to a random forum, and when you get to the password part of the 'create account form' they have a list longer than War and Peace of requirements that your password must oblige by.

Currently, I'm trying to create my email account at the university I shall be attending in a month or so. The password must:

- be between 8 and 14 characters long
- contain at least 5 unique characters
- contain at least one letter
- contain at least one number
- be nothing like a real word in any language

Note that it will also turn down any password that contains any word in any real language, so if you chose 'itbtwtw2' as a password, it turns it down as it contains the word 'it' at the beginning.

SO then, what insanely overzealous password systems have you dealt with?

PS: Just in case anyone else is going there, the university is Aberystwyth. Just thought I'd mention it.

EDIT: Fucking hell, now it's turning down passwords because they are 'Based on an already used password'. This is not easy.
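
Added example, not part of the original post and not the university's code: a small Python checker for the five rules listed above, treating the "real word" rule as a case-insensitive substring match as the post describes. The wordlist, function names and sample passwords other than 'itbtwtw2' and 'f1e8ff31' are constructed for illustration; the real system's dictionaries are not known.

```python
import random
import string

# Constructed sample wordlist; the real system's dictionaries are unknown.
WORDS = ["it", "at", "is", "to", "he", "we", "be", "an", "on", "pass"]


def check(password, words=WORDS):
    """Return the names of the rules from the post that the password fails."""
    failed = []
    if not 8 <= len(password) <= 14:
        failed.append("length")
    if len(set(password)) < 5:
        failed.append("unique")
    if not any(c.isalpha() for c in password):
        failed.append("letter")
    if not any(c.isdigit() for c in password):
        failed.append("number")
    lowered = password.lower()
    # Substring match: any short word anywhere in the password is a hit.
    if any(w in lowered for w in words):
        failed.append("word")
    return failed


def word_hit_rate(samples=5000, length=12, words=WORDS, seed=1):
    """Fraction of uniformly random lowercase+digit strings failing the word rule."""
    # random.Random is used only to make this simulation repeatable;
    # it is not suitable for generating real passwords.
    rng = random.Random(seed)
    alphabet = string.ascii_lowercase + string.digits
    hits = 0
    for _ in range(samples):
        candidate = "".join(rng.choice(alphabet) for _ in range(length))
        if "word" in check(candidate, words):
            hits += 1
    return hits / samples


if __name__ == "__main__":
    for pw in ["itbtwtw2", "f1e8ff31", "password", "123"]:
        print(pw, check(pw))
    print("random strings rejected by the word rule:", word_hit_rate())
```

Even with only ten short words, a noticeable share of purely random 12-character strings fails the word rule; a multi-language dictionary with one- and two-letter entries pushes that share far higher.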
 

DoPo

"You're not cleared for that."
Jan 30, 2012
8,665
0
0
Da Orky Man said:
Currently, I'm trying to create my email account at the university I shall be attending in a month or so. The password must:

- be between 8 and 14 characters long
- contain at least 5 unique characters
- contain at least one letter
- contain at least one number
- be nothing like a real word in any language
Yep, same experience with my Uni - it was absolutely ridiculous. It usually takes at least 10 minutes to change a password and if you're lucky, you'll even remember it afterwards.

Da Orky Man said:
PS: Just in case anyone else is going there, the university is Aberystwyth. Just thought I'd mention it.
Oh...well something you don't know yet is that it even has "no patterns" in the requirements, so when I tried "123" it was rejected because it contained a sequence of numbers. And then when I tried "3htrtbsspj4tp" (I think it was that, or similar) it turned out it was based on an entry in some obscure list somewhere online.

Da Orky Man said:
Note that it will also turn down any password that contains any word in any real language, so if you chose 'itbtwtw2' as a password, it turns it down as it contains the word 'it' at the beginning.
Yeah, and they do mean ANY - I've accidentally hit words in Spanish, French, Welsh, and a few other languages. THEY AREN'T JOKING!

What I found works best is to never have any vowels in the password - replace them with letters or something. You'll be slightly more successful that way.

Da Orky Man said:
SO then, what insanely overzealous password systems have you dealt with?
Can you tell?
 

Lionsfan

I miss my old avatar
Jan 29, 2010
2,842
0
0
TopazFusion said:
The place I used to work had password requirements very similar to that.
But the worst thing was, they forced you to change your password every month. And it couldn't be any variation on ANY of your previous passwords. It had to be something completely different each time.

Needless to say, the people who worked there were forever forgetting their passwords, or even worse, writing them down.

Kinda stupid when you think about it, - making it difficult for users, but not actually making it any harder for someone to crack. (Someone post that xkcd comic.)
Ask and you shall receive




OT: I hate hate hate these things with a passion. If I want to make my password, password, just let me. And it'll be my fault if somebody decides to hack into my stuff. Trying to babysit me, and make me choose this complicated password just ends up pissing me off, and I'll make a password like "fuckthisWEBSITE56times". (Which would probably be a pretty strong password)


I've never had insanely overzealous stuff, just the normal 8-20 characters, one number, one capital letter, etc. But I've had several good passwords turned down because the system thought they were "weak". No telling me why they're weak, just that they're "weak"
 

tippy2k2

Beloved Tyrant
Legacy
Mar 15, 2008
14,870
2,349
118
I have the opposite problem at work.

The password protection system for FHA (government being inefficient? IMPOSSIBLE!?!?! :p) is an absolute joke. Six characters and only one number allowed, no special characters. So basically five letters and one number...that's not so bad...

[IT'S BEEN 28 DAYS, YOU MUST CHANGE YOUR PASSWORD]

...seriously? The passwords we can create on this system are an absolute joke and having to change it that often is just plain silly. It gets even trickier at work since we have four different banking systems we have to work on and all of them have different passwords that have to be changed every month.

I get that this is probably some federal regulation thing since it is a bank but there are far far far easier ways to steal customer information than to hack into my computer.
 

Redingold

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Mar 28, 2009
1,641
0
0
Oh, yeah, the one at my university (Manchester) has silly requirements. Not as bad as yours, but must be above a certain length, must contain a number, must contain a special character, must contain a capital letter.
 

Clowndoe

New member
Aug 6, 2012
395
0
0
Hehe, makes me miss Uni. Since the password system was 5 letters and 4 numbers minimum, I had to remember penis1111. Thankfully, no one looked at my keyboard while I typed it.
 

War Penguin

Serious Whimsy
Jun 13, 2009
5,717
0
0
I'm not gonna lie, it could be worse. It could include a *shudder* capital letter! D:

Seriously, I've typed down so many passwords that I was certain were correct so many goddamn times that were denied, only to later learn that they were case sensitive! They need to warn you about that shit when signing in!
 

Yopaz

Sarcastic overlord
Jun 3, 2009
6,092
0
0
War Penguin said:
I'm not gonna lie, it could be worse. It could include a *shudder* capital letter! D:

Seriously, I've typed down so many passwords that I was certain were correct so many goddamn times that were denied, only to later learn that they were case sensitive! They need to warn you about that shit when signing in!
Yeah, I agree. We have all the requirements in the OP, except we also need a capital letter (the password can't start with one though) and a symbol.

Add the fact that if I wanted my password to be I love kittens because kittens rock! That would actually be really fucking safe compared to what they actually make us type in and a lot easier to remember too.
 

Hawk of Battle

New member
Feb 28, 2009
1,191
0
0
If it has no max number requirements, just use a really long numerical sequence, like pi or 3 different relatives birth years or something. If you have to change them, then use the same sequence backwards, or put a different relative first. Endless mutability, yet still easy to remember.

Throw in a seemingly random symbol or letter at a point you can remember if need be.
 

uchytjes

New member
Mar 19, 2011
969
0
0
Eh, I've never had any real problems with any password systems. Maybe it's because I've already had a password that fits all the limitations that your password does (which, btw, is absolutely insane.)
 

vIRL Nightmare

New member
Jul 30, 2013
117
0
0
I feel quite fortunate that I don't have to deal with that at Michigan Tech. What kind of university is it that you're going to? I go to an engineering university and our only requirement is longer than 6 figures with at least one symbol.
 

Aeshi

New member
Dec 22, 2009
2,640
0
0
The password restrictions for World of Tanks are real goddamn annoying, since they don't actually TELL you what all the requirements are (only 1 or 2 of them), and the only message it gives is basically "Password not valid"

If you want to see for yourself, just go here [http://worldoftanks.eu/] and try making an account. Good luck!
 

evilneko

Fall in line!
Jun 16, 2011
2,218
49
53
be nothing like a real word in any language
Hah, nice try. While it sounds all well and good to try and thwart dictionary attacks, this is just completely unreasonable. Even random generators will sometimes hit an actual word in some language, somewhere.


tippy2k2 said:
I have the opposite problem at work.

The password protection system for FHA (government being inefficient? IMPOSSIBLE!?!?! :p) is an absolute joke. Six characters and only one number allowed, no special characters. So basically five letters and one number...that's not so bad...

[IT'S BEEN 28 DAYS, YOU MUST CHANGE YOUR PASSWORD]

...seriously? The passwords we can create on this system are an absolute joke and having to change it that often is just plain silly. It gets even trickier at work since we have four different banking systems we have to work on and all of them have different passwords that have to be changed every month.

I get that this is probably some federal regulation thing since it is a bank but there are far far far easier ways to steal customer information than to hack into my computer.
They must have some seriously old legacy code running on the backend there...

TopazFusion said:
Kinda stupid when you think about it, - making it difficult for users, but not actually making it any harder for someone to crack. (Someone post that xkcd comic.)
Sadly, that xkcd comic... is wrong. ;)

Also correct horse battery staple is now in the wordlist of every cracker everywhere.

I deal with password requirements by using a formula which usually meets the requirements of anything I come across... aside from the OP's "NO DICTIONARY WORDS EVAR!!!" that is...

I also have KeePass.

And some passwords--*gasp*--I write down. I keep them on a card in my wallet. They would be indecipherable to another person, because they wouldn't know what they were for.
 
Sep 14, 2009
9,073
0
0
Lionsfan said:
TopazFusion said:
The place I used to work had password requirements very similar to that.
But the worst thing was, they forced you to change your password every month. And it couldn't be any variation on ANY of your previous passwords. It had to be something completely different each time.

Needless to say, the people who worked there were forever forgetting their passwords, or even worse, writing them down.

Kinda stupid when you think about it, - making it difficult for users, but not actually making it any harder for someone to crack. (Someone post that xkcd comic.)
Ask and you shall receive




OT: I hate hate hate these things with a passion. If I want to make my password, password, just let me. And it'll be my fault if somebody decides to hack into my stuff. Trying to babysit me, and make me choose this complicated password just ends up pissing me off, and I'll make a password like "fuckthisWEBSITE56times". (Which would probably be a pretty strong password)


I've never had insanely overzealous stuff, just the normal 8-20 characters, one number, one capital letter, etc. But I've had several good passwords turned down because the system thought they were "weak". No telling me why they're weak, just that they're "weak"
Ah, thank you for posting that. Love it every time I see it.

OT: I hate horseshit like that, you spend more time fumbling with the annoying password rather than having something like "phone fart jelly comb" and it'll be infinitely easier to remember than "GR3@TP@$$W0rD"
 

The Rogue Wolf

Stealthy Carnivore
Legacy
Nov 25, 2007
17,491
10,275
118
Stalking the Digital Tundra
The purpose of such password restrictions has nothing to do with protecting accounts; they are designed to keep users off of the network as much as possible. Because all IT professionals know that networks would be perfect, eternally-functional constructs if only they could keep those stupid, disgusting, easily-compromised users away from them.
 

Scarim Coral

Jumped the ship
Legacy
Oct 29, 2010
18,157
2
3
Country
UK
I guess that would be the student loan account thing since the password is like twenty letters and numbers! While I did write it down, I dread the coming day when I have to access my account on it (I will be moving town at some point in the future). Why couldn't it be my phonecall password (when asking personal information on my student loan)? That was way shorter and easier to remember seeing how I was allowed to create it!
 

Da Orky Man

Yeah, that's me
Apr 24, 2011
2,107
0
0
evilneko said:
be nothing like a real word in any language
Hah, nice try. While it sounds all well and good to try and thwart dictionary attacks, this is just completely unreasonable. Even random generators will sometimes hit an actual word in some language, somewhere.
About that. I tried using an old router password, 'f1e8ff31'. I can still remember it clearly, and it seems to fulfil all the requirements. Turns out it contains a letter from the Welsh dictionary. Now then, since I happen to have been born and brought up in Wales, and Aberystwyth is in Wales, I happen to know a fair bit about Welsh, and there are no Welsh words in there.
 
Feb 22, 2009
715
0
0
I never understood this. Surely these kinds of rules just narrow down the possible passwords that there could be for hackers, and make it difficult for users to remember their passwords because they're never what they want them to be.

Also even if it did help security, who's gonna hack your university account and do your homework for you? ugh