What are some of the most unhinged (good or bad) password requirements/rules you've seen?
submitted by zlatiah@lemmy.world
Context is that I had to register for a lot of accounts recently and some of the rules really make no sense.
Not name-and-shaming, but the best one I've seen recently is I might have accidentally performed an XSS attack on a career portal using a 40-digit randomly generated password...
Not so much password requirements as just a completely *removed* implementation:
To access payment stubs in a data center (not us) that I worked at, the user account was our public email address and the password was a personal code, sorta like SSN, but that code could be easily looked up as it was public info.
I showed the director of HR, who authorized this, her own payment stub as evidence that this was baaaaadddd
So she asked me to check that system for more issues
Turns out it stored passwords in blank (wtf) and would authenticate with two queries. First query would check if the username (email) exists. Second query would check if the password exists. If both exist, you're in! So I could log in to any account with MY password...
This is a tip of a very big iceberg there
This has to be the best one here. The sheer lack of understanding of how to authenticate an account by the dev.
Sounds like the initial part of password testing, and then they either forgot to complete it, or someone came along to fix the later parts, commented them out for testing and never got around to fixing/uncommenting. Surprising how often things that 'work' are set aside and no one is in charge of reviewing.
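An added example (not code from anyone in this thread) that reproduces the two-query login described above next to a corrected version. It uses an in-memory SQLite table with two constructed accounts; the plaintext `password` column exists only so the broken check can be shown, and the PBKDF2 iteration count is an arbitrary choice for the example.

```python
import hashlib
import hmac
import os
import sqlite3


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; 100k iterations is an assumption for the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def build_db() -> sqlite3.Connection:
    """Constructed in-memory users table with two sample accounts (not real data).
    The plaintext column mirrors the thread's system; the fixed login never reads it."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT, salt BLOB, pw_hash BLOB)"
    )
    for email, pw in [("alice@example.com", "correct horse"), ("bob@example.com", "hunter2")]:
        salt = os.urandom(16)
        db.execute(
            "INSERT INTO users VALUES (?, ?, ?, ?)",
            (email, pw, salt, _hash_password(pw, salt)),
        )
    db.commit()
    return db


def login_broken(db: sqlite3.Connection, email: str, password: str) -> bool:
    """The bug from the thread: two independent existence checks.
    The password is never tied to the account being logged into, so any
    password that exists anywhere in the table opens any existing account."""
    user_exists = db.execute("SELECT 1 FROM users WHERE email = ?", (email,)).fetchone()
    pw_exists = db.execute("SELECT 1 FROM users WHERE password = ?", (password,)).fetchone()
    return bool(user_exists and pw_exists)


def login_fixed(db: sqlite3.Connection, email: str, password: str) -> bool:
    """Fetch the single row for this email and verify the salted hash of the
    supplied password against it, comparing in constant time."""
    row = db.execute("SELECT salt, pw_hash FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        # Run a dummy derivation so response time does not reveal whether the email exists.
        _hash_password(password, b"\x00" * 16)
        return False
    salt, stored = row
    return hmac.compare_digest(_hash_password(password, salt), stored)


if __name__ == "__main__":
    db = build_db()
    # Bob's password against Alice's account: accepted by the broken check, rejected by the fix.
    print("broken:", login_broken(db, "alice@example.com", "hunter2"))
    print("fixed: ", login_fixed(db, "alice@example.com", "hunter2"))
```

The fix is not the hashing by itself: the essential change is that the credential check is a single lookup keyed on the account, so the password is verified against that account's record rather than against the whole table.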
Passwords that must contain a special character, but only from a list of three special characters.
Passwords that must be changed every 3 months.
Absurdly narrow length requirements, I'm 80% sure I saw one that required 8-16 characters.
All dictionary words were banned from being in a password regardless of length, so passphrases weren't allowed.
I've definitely had one that was 8-12 characters before...
I redid one of mine yesterday; 3-months, exactly 8 characters, must use a symbol from the three approved ones (#$@).
I hate it, I wish they’d abandon that system or change the encryption requirement to match our other systems that use our physical badges.
Edit: it’s really dumb around the holidays, too. We’re off for Thanksgiving, Christmas and New Years so I really only got a few weeks out of that last one.
It's always quote unquote fun finding out what words are and are not in their dictionary. I got by using a bunch of nerd words, but apparently Aragorn is not allowed.
> That password is already used by johnp. Please choose another password.
was not uncommon.
My community colleges:
Passwords must be 12 characters long, contain at least one uppercase letter, one lowercase letter, a number, and a special character; it must also be changed every 30 days. There was also some sort of algorithm that checked if your new password is too similar to any previous password you had used, and rejected it if it was too close.
Hilariously, if you had a link to the page the password was supposed to limit access to, you could bypass the password page entirely. As such, I never changed my password.
The oddest I've ever encountered: EXACTLY 15 characters long. No more, no fewer. 15.
Honorable mention: Various online accounts where I used my password manager to generate a long, secure password, which the website accepted without warning or error. I was then locked out because their user management system could not handle such long passwords (had to create a second account with a much shorter password to find that out) 🤣
A university I worked at had a similar policy to the first one.
They wanted a single username and sign on across all IT systems but also had some really old legacy systems that didn't support long passwords.
So they'd force everyone to use passwords that were exactly as long as the maximum legacy password length.
For me, the worst system is the Microsoft authenticator which locks me out my account for five minutes if my fingerprint doesn't match the first time I try.
The first one is absurd. The second one is straight up messed up.
Not allowing you to paste a password, so you have to type it manually every time.
I’ve noticed this with ACH routing forms on many financial websites. You can’t copy the routing number nor account number—no—thou shalt key in by hand instead.
Never understood the logic here, do the developers *want* you to make a mistake?
The 'logic' behind it is that if you copy/paste, then the confirmation box is basically useless. If you copied the wrong account or just part of it, you're for sure going to paste in the exact same thing without really checking. Not that it's a good reason, but at least there's some logic
Well if you’re going to hijack my paste command just hide the confirmation box ¯\_(ツ)_/¯
Most password managers will have an auto type (not auto fill, that is different) so you can still automate your login.
My old bank required you to have a password 12 characters long exactly, and to login you have to give the characters in specific places.
It would ask you what are the 4th, 7th, and 11th letters of your password.
Anyone want to guess why they aren't my bank anymore?
Oh yeah, mine has that as one of the options, but they've beefed it up a little. You also have to enter your date of birth and then they send a text to a pre-arranged number with a further 6-digit PIN that also has to be used.
E and U and 2
Stupid bank app doesn't allow password managers... and if you hit the enter button to login you get an error message informing you that you need to mouse click on the button.
The person responsible for that specific behavior is a psychopath.
Here's how to improve it:
Make you have to mouse click the button. However, it has to be a right click. Specifically, a right double-click.
DOUBLE RIGHT-CLICK THE BUTTON?!? ARE YOU MAD?!?
There are more things in Heaven and Hell than are dreamt of in your philosophy. This one specifically is from Hell.
I wonder if blind folk could even use that website then.
My work was using some MS-based account system, but I don't know if this was stock or something they modified. When you had to change your password, it would tell you if your new password didn't meet the password requirements, as usual. What it wouldn't tell you was what those requirements were...
So yeah, the requirements the system won't tell you about would have to be the worst one I came across...
By far the worst is the Costa Rican national bank:
I was reading along like, that's dumb but at least I could craft something in my password man-... Oh.. oh no..
Probably the silliest thing I have run into was some game. It asked you to set *two* passwords. You needed both to login. The second password *couldn't be changed*. This is why it was secure, see. (...What.)
When I created my account and set the second password, I couldn't log on the *second time.* Because I had entered a 20 character second password. It was accepted and verified during the account creation just fine. On the second login, it only accepted 16 characters. (It let you *enter* 20 characters but said it was too long.) Trying to enter first 16 characters of the second password didn't work, of course.
I then contacted the support, and they did manage to reset the second password anyway. (What is this even)
The Catholic Church is doing great with its two popes.
A company I used to work for is big enough that everyone reading this has heard of it. They had this wonderful security nightmare going on:
When you were hired, the company would issue your user credential with a standard password that was "CompanyName1" and require you to immediately change it at first logon. Everyone knew this password because everyone got it when they were hired.
Password policy required everyone to reset their password every 60 days. Not the worst ever but still pretty aggressive. And with the rise of all the mobile devices connecting with your corp account it was getting to be a worse and worse experience.
Can you guess yet how these two policies are linked in my story?
Well, some of the C-Suite executives didn't have time for any of these security shenanigans. So they would have their executive support person log into an administrative console and reset the exec's password every 59 days to the same value that it currently had, thereby bypassing the password re-use filter.
That value they were continuously setting was... "CompanyName1"
I know of at least two executives that were doing this while I worked there.
When I was in middle and high school the school district would always do this at the beginning of the school year.
One year my best friend moved away so in the following years I discovered his account still existed. If I was in the mood to hack (dumb stuff like forging email with their horrible SMTP server for example) I’d just find another computer I wasn’t just using and log in using the default password.
I had a wi-fi device a few years ago that would require a password up to 12 characters, but that requirement wasn’t explicitly written anywhere. The device would gladly accept a 13-character password, for example, but you would never be able to log in again (factory-resetting was the only way to undo).
More recently I purchased a Lennox HVAC system that came with their proprietary thermostat (an Android tablet with a wall mount). During the Christmas break I got myself a new wi-fi router and had to reconfigure all my wireless devices. After 2 days, the Lennox thermostat was the last device to join the new wi-fi network… and it failed because their password could have any character EXCEPT the asterisk — and my new password had an asterisk. I didn’t like the idea of redoing all my other devices AGAIN just because of this idiotic password rule, so I ended up creating a new SSID just for the thermostat. I named it LENNOXSUCKS.
Not sure if it falls under the same category, but the way Activision handles (handled? I haven't used them since) passwords was atrocious! I had to reset my password to get back into my account, I used a random diceware password, it accepted it. However! The client on both Windows and Xbox wouldn't let you input a password longer than I believe 20 characters. So while you can set a 25 character password, you can go fuck yourself if you actually wanna log in...
12 characters, upper/lower/special requirement, and no more than two occurrences of the same character together. That's FedEx.
Two other thoughts on the topic:
"Password must contain letters, numbers, and at least one of these special characters."
Turns out, half of those special characters weren't allowed 🫠
Extremely limited password length. I think it was around 6 or 8 characters. Exactly! So every password was the same length.
No other requirements. The best part? It was a bank. But not a customer facing service.
Banks are amazingly bad at digital security. I once was in a bank (where my wife had an account) where they used first generation wireless keyboards. The ones that did not encrypt anything and could be received to a distance of up to 10m, more if you had a better antenna. I told them about the security issues, but they did not understand. I went to the newspaper agent and bought the newest edition of a computer magazine that had detailed descriptions of how to eavesdrop on those keyboards, returned to the bank, and handed them the article. Which featured exactly their keyboard model as the title photo. I told them "If you don't understand this, it's fine, but then give it to the person responsible for your IT and security, *they* should know how to deal with this."
Next time we were there, they still had the insecure keyboards. Yes, the IT department had told them that they should replace them with wired ones, but they rejected it, because the wireless ones were sooo convenient. Our next move was to close my wife's account there.
My bank had a limit of six characters, for the customer facing login. Oops.
Westpac?
Yes 🤭
Haha knew it. Redic parameters
Not sure but I think Schwab did it too.
One special character.
Seems logical, right? Until you get that it is one and one only. Took me some time.
Bug report time
I had to log back into an account for an app (I think Taco Bell) that decided to remove passwords entirely without any notice. You typed in your email address, had to open your email account and click a link they sent you, it would open a webpage, which would then have a button to open the app again. If I remember correctly too, it would only work on Chrome, so I had to copy and paste the link since Chrome isn't my default browser that automatically opens from my mobile email.
Besides that, I remember some website required a special character from an extremely small list and wouldn't allow two of the same letter back-to-back.
[offtopic?]
Debbie's password is "PlutoGoofyMickeyMinnieDaffyBugsThorLosAngles"
She was told that the password needed seven characters and a capital.
What a strange choice to have 6 cartoon characters and a Norse god.
Except Sacramento is the capital of California, Debbie gonna struggle
Los Angeles is considered the Movie Capital of the World.
Checkmate, liberal!
Nope, that's Hollywood! Checkmate, sovcit!
Well, they certainly managed to get her to make a strong password.
/c/dadjokes is over there ->
My favorite is a major credit card company with case-insensitive passwords. They also only allow a small handful of special characters, so the total possible character space is roughly 42 characters. Needless to say, I chose to use a password that was the maximum allowed length (which was sadly also only 32 characters).
If it was a fully random password that’s still plenty of entropy.
Except that's not the issue. This clearly reeks of the passwords not being hashed
Worked somewhere that required security clearance that used your national insurance number (UK equivalent to SSN) as your login id. Most people in the UK do not memorise their NI number.
Password had to be uppercase and lowercase letters, numbers, and special characters, I think at least 12? Couldn't have back to back special characters or start or end with numbers. No whole words, either.
So now you have to remember two strings of letters and numbers. Sackable offence to write either down. I once got a phone call from security because I would mis-enter my password after lunch the first time around, just once a day, but they rang me up still to see what was going on.
Security there was a nightmare, worked with an obviously disabled guy, who forgot to put his disabled badge on his car dashboard and they threatened to ban him from site (which would result in the sack as you couldn't work remotely). The kicker was that they said we know you forgot to put the badge out, so they knew he was disabled as all car registrations are preregistered only way onsite.
Spend enough time talking to HMRC or DWP, and it just happens.
Anything that requires regular password resets. It's fine if it's changed on the site and in the user's vault automatically, but if a user has to type in their password with any sort of regularity, it's a recipe for disaster to require regular changes.
People write predictable or formulaic passwords, or just end up resetting their password more often than necessary because they forgot it (making them more susceptible to phishing).
There was an episode of Elementary where they were able to find the victims password on a post-it note, because the company requires a new password every month and he didn't want to remember a new one that often.
Very common
It's the worst when they do that *and* have difficult restrictions on passwords.
One place I worked at had limits like "no more than two letters back-to-back", "no more than two numbers back-to-back and no sequential numbers".
The rules were available on the password reset screen.
The minimum was only something like 8 characters, so I have to wonder how many people had a1b2c3d? for a password.
Feed those rules to a password cracker and it'd be able to get in easily.
To their credit, I think they did support passwords that were maybe 64 characters long. But after they introduced those weird requirements (probably because some VIPs had stupid passwords like their names + birth year?), I just started hitting the character minimum because I'd have to manually type it in at least once.
I memorized a handful of randomly generated passwords in high school (around 2005) and never looked back.
These days I use a password manager, but for semi-low security stuff (on my LAN) I use one, for my Apple account a long combination of three. And that’s it! The password manager is where it’s at.
Just one of my passwords was leaked in data breach (from back when I was younger and recycled passwords) so that one’s out, but otherwise I’m doing pretty well with the memorized randomly generated passwords.
Facebook got caught having a flat text file being sent around between employees to make accessing data easier. That text file contained tens of thousands of people's usernames and passwords.
Why? Facebook being facebook I guess
It happens a bit too often that I make an account somewhere with a long, generated password and then when I log in it throws errors at me.
But a few times a website didn't just show me an error, I got the whole crash dump including their encryption approach and versioning
The worst I've ever seen was a site that required passwords to be 4 digits.
Most absurd was from a job I had in college. This was the password to log into an ancient dumb terminal (literally a monochrome black and green display) on a local-only network that only handled our time clock.
Requirements:
* 8 characters exactly
* You supply the first 4, the system generated the last 4
* I can't remember if it allowed numbers, but there were definitely no special characters and I think it was also case-insensitive
Required to change password every 30 days.
Password needs one special character.
Not at least one. Exactly one.
The most funny one was a professional and rather costly password checking tool.
Besides the usual other rules, it had a rule that the new pw must not be similar to the old one. For similarity, this thing checked each character in its place.
So you could have the old one:
"MyAssMy$1" and the new one:
"$1MyAssMy" and it was not similar at all :)
that's a fun example and all, but what situation does "MyAssMy$1" arise from? 😳
From the situation where you suddenly need to make up an example for a lemmy post.
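An added example (not from any post here) of why the position-by-position similarity check above is weak, beside a hypothetical replacement. `positional_similarity` is the flawed check as the post describes it; `too_similar` is my own suggestion, combining case-folded edit distance with rotation and substring tests so that shuffling or re-casing pieces of the old password is caught. The 0.5 threshold is an arbitrary choice for the example.

```python
def positional_similarity(old: str, new: str) -> float:
    """The check described in the thread: compare each position of the new password
    with the same position of the old one. A rotation of the old password scores 0."""
    pairs = list(zip(old, new))
    if not pairs:
        return 0.0
    return sum(a == b for a, b in pairs) / len(pairs)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute), classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost))
        prev = cur
    return prev[-1]


def is_rotation(old: str, new: str) -> bool:
    """True when `new` is `old` with a prefix moved to the end (e.g. "$1MyAssMy")."""
    return len(old) == len(new) and len(old) > 0 and new in old + old


def too_similar(old: str, new: str, max_similarity: float = 0.5) -> bool:
    """Hypothetical replacement check: case-folded edit-distance similarity, plus
    rotation and substring tests for the cases edit distance under-weights."""
    o, n = old.casefold(), new.casefold()
    if is_rotation(o, n):
        return True
    if len(o) >= 4 and (o in n or n in o):
        # Old password embedded in the new one (or vice versa), e.g. old + "!!!!!!!!".
        return True
    longest = max(len(o), len(n))
    if longest == 0:
        return True
    similarity = 1 - levenshtein(o, n) / longest
    return similarity > max_similarity


if __name__ == "__main__":
    old, new = "MyAssMy$1", "$1MyAssMy"  # the pair from the post
    print("positional:", positional_similarity(old, new))  # 0.0, so the old tool passed it
    print("edit distance:", levenshtein(old, new))         # 4
    print("too_similar:", too_similar(old, new))           # True
```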
I had to make a password last fall that had the requirement "numerals or special characters". A password with *both* numerals and special characters wouldn't work.
I volunteer at a local high school and the students password is their birthday, because they are given their account at age 5, in kindergarten, and it's something you can reasonably expect a 5 year old to remember. Also, the students are not allowed to change their password unless they get "hacked", which is usually just another student logging into their account and deleting their assignments.
A school I used to work at had a folder with student passwords for various services at the front of the computer lab. If a student forgot their password for a service, they just went and looked in the folder. Maybe they’d even get their mates’ passwords for them while they were at it!
I did try to get the policy changed, and offered to teach staff and students how to use a password manager, but apparently remembering a single password was far too complicated, and it would make it much harder if you needed to log in to someone else’s account.
lmao
The most basic rules commonly required everywhere. When you have such specific rules, it ironically actually makes finding the password through brute force *easier* because you can eliminate a bunch of variables that could have existed without all the rules. I can eliminate any permutation under 8 characters, doesn't contain a number, and doesn't contain a special character.
It will still possibly take a billion years to guess, but it could have been *two* billion without the rules.
Of course, I also find it wild that the metric for how good an encryption or password system is, is just how long it would take to guess every possible combination of input it could be, sequentially. It doesn't account for a brute force attempt that just selects *random* inputs. It could take until the heat death of the universe... It could take 3 seconds. It's up to chance at that point. Not to mention all the easier ways of getting a password. Like gaslighting the person who knows it into giving it up.
It's something like the second law of Thermodynamics. It's probability, not absolute. It's possible all the gas molecules in the room arrange themselves one corner, but it's fantastically unlikely. It's possible to choose the right encryption key to a 256-bit cipher at random the first time, but it's fantastically unlikely.
Max length of something under 18 …
Irks my gears
I hate any password requirement that says "special characters" but has a list of exceptions, like no
. , ! ;
or empty spaces. Just tell the user to make a pass*phrase*, enforce at least one empty space and, dunno, 25 characters minimum, and bam. It's not like hackers try brute force anymore, they just hack insecure DBs full of user data and use that everywhere.
What's the difference between a password and a passphrase?
Six numbers only.
Obligatory link to neal.fun password-game
I've encountered a few sites that restricted repeating or sequential characters. Of course told after failing the first creation attempt. Makes things like randomly generated passphrases fun to figure out. Particularly when their idea of "sequential" involves both in alpha/numerical order, but also adjacent spacing on the (assumed?) qwerty keyboard!
Anyone remember the Password Game?
I personally hate character limits. I understand minimum character count, but I can't have more than 15 characters? Bruh
There is such a thing as good unhinged?
I'm going to need an example here...
I needed to get a certificate for digitally submitting my taxes. This, of course, requires me to set a password for it. The tax office's web site lists a number of requirements and rejects any password that does not match those (so it said). So far, so good, the usual stuff, lower and upper case, numbers, special characters, minimum length. No surprises there.
For one of the "special characters" I used "ö" (umlaut o), which is a normal character in my language (which is the same as the tax office's, so they should be aware of those). The web site filter happily accepted this password containing the "ö". But the back engine got a severe case of digital diarrhea from it. I had to clear my caches and cookies to completely restart the application process.
Another password SNAFU I had many years ago in a place using TN3270 terminals. To those who have never seen such a thing, it is a so-called "smart terminal". It does not send and receive single characters like a telnet or SSH session, but the host sends a mask to the terminal, defining fields that can be filled out, and with a "send" or "function" key (IIRC) you could send the data back. Those fields had fixed lengths, of course. You might guess the problem...
So the login screen had two fields of eight characters each: "Username" and "Password". I entered the credentials I had been given and sent them. The first thing I did was to select "change password". It opened a form with three fields: "old password", "new password", and "repeat new password". Nothing odd about that, but the fields had *twelve* characters. So, not knowing the particulars of that system (I was used to UNIX style terminals back then), I entered a new password that was longer than eight characters. Guess what? I logged out, I tried to log in, I was stuck. I had to ask my admin to reset my password. And had found the first of many, many bugs in that system.
Any service that says I must have a 12 or 14 string password, combined with symbols, numbers and letters.
Do you know why, I have to keep resetting my password, services that have this dumb requirement? Because your fucking requirements are absurd and unnecessary. I don't have the mental capacity to care to remember that long of a password. I have to have a document now of all of the passwords I have so it's not forgotten. I have to have browsers autofill for me because of this shit.
In a perfect world, 6 - 8 string passwords would suffice and lots of emphasis on symbols and numbers at the very least. The longer you try making the characters of a password, the chances of forgetting increases.
Flickr does this. Some of the portals to my apartment portal does this. Portals to some of my medical information does this. It's fucking bullshit. StateFarm does this too.
Write it down
Then you'll memorise it
Using a password manager is a lifesaver for this :) there are open source ones like KeePass and you can sync the encrypted file across devices using Dropbox or similar
For me it’s the opposite - every password is generated, except for those websites that limit me to something unreasonably short like 14 chars. They need to accept longer passwords, so I can use a generated one with default complexity, not have to make up something easy to remember
I wholeheartedly disagree. A long password like "this is the best password for email" is near-impossible to brute-force, while being extremely easy to remember. A short password with special characters / numbers / lowercase + capital letters, like "Emai1_Passw0rd!" is far easier to brute-force, and a lot harder to remember (which letters did I capitalize again? Which ones did I swap with numbers? What symbol did I throw in?)
Optimal password requirements are ... nothing. Because every requirement you put in reduces the parameter space an attacker needs to search. Second best is setting a minimum number of characters, because a bunch of people are stupid and will use single-letter passwords if you let them.
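Several posts make the same point in words: composition rules ("all four classes", "exactly one special character"), a case-insensitive 42-symbol alphabet capped at 32 characters, and fixed lengths all shrink the space an attacker has to search, while a few random words give plenty of entropy. This added example (my own code, not from anyone in the thread) puts numbers on that by counting the keyspace each policy leaves, using inclusion-exclusion for the "must contain" rules. The class sizes (26 upper, 26 lower, 10 digits, 32 symbols) and the 7776-word list size are assumptions for the example, and the bit counts assume the password is chosen uniformly at random from the allowed set, which is what a password manager does and a human does not.

```python
import math
from itertools import combinations, product

# Printable-ASCII class sizes: an assumption for the example. Real sites often
# allow only a subset of the 32 symbols, which shrinks the space further.
ASCII_CLASSES = {"upper": 26, "lower": 26, "digit": 10, "special": 32}


def count_with_required(length, classes, required=()):
    """Number of strings of exactly `length` over the union of `classes` that contain
    at least one character from every class named in `required`.
    Inclusion-exclusion over which required classes are missing entirely."""
    alphabet = sum(classes.values())
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            remaining = alphabet - sum(classes[c] for c in missing)
            total += (-1) ** k * remaining ** length
    return total


def count_exactly_one(length, classes, cls):
    """Strings of `length` in which class `cls` occurs exactly once (the "exactly one
    special character" rule): pick its position, pick the character, fill the rest."""
    others = sum(n for c, n in classes.items() if c != cls)
    return length * classes[cls] * others ** (length - 1)


def bits(count):
    """Keyspace size as bits of entropy for a uniformly random choice from it."""
    return math.log2(count)


def policy_report():
    """Keyspace and entropy for policies mentioned in the thread."""
    rows = {
        "8 chars, no rules": count_with_required(8, ASCII_CLASSES),
        "8 chars, all four classes": count_with_required(8, ASCII_CLASSES, tuple(ASCII_CLASSES)),
        "8 chars, exactly one special": count_exactly_one(8, ASCII_CLASSES, "special"),
        # Case-insensitive, ~42 allowed symbols, 32-character maximum (the credit-card post)
        "32 chars, 42-symbol case-insensitive": 42 ** 32,
        # Four words chosen uniformly from a 7776-word list (Diceware-sized), separators ignored
        "4 random words from 7776": 7776 ** 4,
    }
    return {name: (n, round(bits(n), 1)) for name, n in rows.items()}


def brute_force_count(length, alphabets, predicate):
    """Enumerate every string over tiny alphabets to cross-check the formulas."""
    chars = "".join(alphabets.values())
    return sum(1 for tup in product(chars, repeat=length) if predicate("".join(tup), alphabets))


if __name__ == "__main__":
    for name, (n, b) in policy_report().items():
        print(f"{name:40s} {n:>30,d}  {b:6.1f} bits")
```

The interesting comparison in the output is that forcing all four classes into an 8-character password removes roughly a bit of entropy rather than adding any, and "exactly one special character" removes several more, while 32 characters even over a crippled 42-symbol alphabet is far beyond anything brute force can reach. The small-alphabet `brute_force_count` exists only so the inclusion-exclusion formula can be checked by exhaustive enumeration.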