Context is that I had to register for a lot of accounts recently and some of the rules really make no sense.
Not name-and-shaming, but the best one I’ve seen recently is I might have accidentally performed an XSS attack on a career portal using a 40-digit randomly generated password…
Not so much password requirements as just a completely removed implementation:
To access payment stubs in a data center (not us) that I worked at, the user account was our public email address and the password was a personal code, sorta like SSN, but that code could be easily looked up as it was public info.
I showed the director of HR, who authorized this her own payment stub as evidence that this was baaaaadddd
So she asked me to check that system for more issues
Turns out it stored passwords in blank (wtf) and would authenticate with two queries. First query would check if the username (email) exists. Second query would check if the password exists. If both exists, you’re in! So i could login to any account with MY password…
This is a tip of a very big iceberg there
This has to be the best one here. The sheer lack of understanding of how to authenticate an account by the dev.
Sounds like the initial part of password testing, and then they either forgot to complete it, or someone came along to fix the later parts, commented them out for testing and never got around to fixing/uncommenting. Surprising how often things that ‘work’ are set aside and no one is in charge of reviewing.
Passwords that must contain a special character, but only from a list of three special characters.
Passwords that must be changed every 3 months.
Absurdly narrow length requirements, im 80% sure I saw one that required 8-16 characters.
All dictionary words were banned from being in a password regardless of length, so passphrases weren’t allowed.
It’s always quote unquote fun finding out what words are and are not in their dictionary. I got by using a bunch of nerd words, but apparently Aragorn is not allowed.
My community colleges:
Passwords must be 12 characters long, contain at least one uppercase letter, one lowercase letter, a number, and a special character; it must also be changed every 30 days. There was also some sort of alogarithm that checked if your new password is too similar to any previous password you had used, and rejected it if it was too close.
Hilariously, if you had a link to the page the password was supposed to limit access to, you could bypass the password page entirely. As such, I never changed my password.
- There was the multi user operating system in the 1990s that required every user to have a unique password. We were young and innocent then and used common English words. Upon changing your password, it would check your new password against all other users. An error like
That password is already used by johnp. Please choose another password.was not uncommon.
- When I started using a password manager, I got keen and changed my passwords to 64 random characters. My bank would change this to uppercase, delete special characters, and save the first 8 characters of what was left. So when I logged in, it would compare the 64 character password I entered to the converted 8 character password that they saved, and find that they were different. (I found this out when I rang and complained, and they told me my password over the phone … 😱). They don’t do that any more.
Not allowing you to paste a password, so you have to type it manually every time.
I’ve noticed this with ACH routing forms on many financial websites. You can’t copy the routing number nor account number—no—thou shalt key in by hand instead.
Never understood the logic here, do the developers want you to make a mistake?
The’logic’ behind it is that if you copy/paste, then the confirmation box is basically useless. If you copied the wrong account of just part of it, your for sure going to paste in the exact same thing without really checking. Not that it’s a good reason, but at least there’s some logic
Well if you’re going to hijack my paste command just hide the confirmation box ¯_(ツ)_/¯
Probably the silliest thing I have run into was some game. It asked you to set two passwords. You needed both to login. The second password couldn’t be changed. This is why it was secure, see. (…What.)
When I created my account and set the second password, I couldn’t log on the second time. Because I had entered a 20 character second password. It was accepted and verified during the account creation just fine. On the second login, it only accepted 16 characters. (It let you enter 20 characters but said it was too long.) Trying to enter first 16 characters of the second password didn’t work, of course.
I then contacted the support, and they did manage to reset the second password anyway. (What is this even)
Stupid bank app doesn’t allow password managers… and if you hit the enter button to login you get an error message informing you that you need to mouse click on the button.
Extremely limited password length. I think it was around 6 or 8 characters. Exactly! So every password was the same length.
No other requirements. The best part? It was a bank. But not a customer facing service.
My bank had a limit of six characters, for the customer facing login. Oops.
Banks are amazingly bad at digital security. I once was in a bank (where my wife had an account) where they used first generation wireless keyboards. The ones that did not encrypt anything and could be received to a distance of up to 10m, more if you had a better antenna. I told them about the security issues, but they did not understand. I went to the newspaper agent and bought the newest edition of a computer magazine that had detailed descriptions of how to eavesdrop on those keyboards, returned to the bank, and handed them the article. Which featured exactly their keyboard model as the title photo. I told them “If you don’t understand this, it’s fine, but then give it to the person responsible for your IT and security, they should know how to deal with this.”
Next time we were there, they still had the insecure keyboards. Yes, the IT department had told them that they should replace them with wired ones, but they rejected it, because the wireless ones were sooo convenient. Our next move was to close my wifes’ account there.
My work was using some MS-based account system, but I don’t know if this was stock or something they modified. When you had to change your password, it would tell you if your new password didn’t meet the password requirements, as usual. What it wouldn’t tell you was what those requirements were…
So yeah, the requirements the system won’t tell you about would have to be the worst one i came across…
My favorite is a major credit card company with case-insensitive passwords. They also only allow a small handful of special characters, so the total possible character space is roughly 42 characters. Needless to say, I chose to use a password that was the maximum allowed length (which was sadly also only 32 characters).
If it was a fully random password that’s still plenty of entropy.
Wikipedia’s minimum password length is 1 character
One special character.
Seems logic right? Until you get that it is one and one only. Took me some time.
Bug report time
I add to make a password last fall that had the requirement “numerals or special characters”. A password with both numerals and special characters wouldn’t work.
Anything that requires regular password resets. It’s fine if it’s changed on the site and in the user’s vault automatically, but if a user has to type in their password with any sort of regularity, it’s a recipe for disaster to require regular changes.
People write predictable or formulaic passwords, or just end up resetting their password more often than necessary because they forgot it (making them more susceptible to phishing).
I memorized a handful of randomly generated passwords in high school (around 2005) and never looked back.
These days I use a password manager, but for semi-low security stuff (on my LAN) I use one, for my Apple account a long combination of three. And that’s it! The password manager is where it’s at.
Just one of my passwords was leaked in data breach (from back when I was younger and recycled passwords) so that one’s out, but otherwise I’m doing pretty well with the memorized randomly generated passwords.
There was an episode of Elementary where they were able to find the victims password on a post-it note, because the company requires a new password every month and he didn’t want to remember a new one that often.
Very common
It’s the worst when they do that and have difficult restrictions on passwords.
One place I worked at had limits like “no more than two letters back-to-back”, “no more than two numbers back-to-back and no sequential numbers”.
The rules were available on the password reset screen.
The minimum was only something like 8 characters, so I have to wonder how many people had a1b2c3d? for a password.
Feed those rules to a password cracker and it’d be able to get in easily.
To their credit, I think they did support passwords that were maybe 64 characters long. But after they introduced those weird requirements (probably because some VIPs had stupid passwords like their names + birth year?), I just started hitting the character minimum because I’d have to manually type it in at least once.
[offtopic?]
Debbie’s password is “PlutoGoofyMickeyMinnieDaffyBugsThorLosAngles”
She was told that the password needed seven characters and a capital.
Except Sacramento is the capital of California, Debbie gonna struggle
Los Angeles is considered the Movie Capital of the World.
Checkmate, liberal!
Well, they certainly managed to get her to make a strong password.
What a strange choice to have 6 cartoon characters and a Norse god.
