Used a new site this morning that required me to set a password. I base64-encoded some /dev/random and got the rather satisfyingly random string “AXpDlvgBLvUYpPDm”. But the site wouldn’t take it because it is “too simple”.
To help me improve, it provided some “Great Password Examples” including “.Susan53.” and “.DoctorH0use.” What, no “correct horse battery staple”?
Michael K Johnson November 11, 2013 06:31
Another identically-sized password was rejected because it was “too long”.
Isn’t “password too long” generally considered the sign that the password is being stored in a database in cleartext?
Michael K Johnson November 11, 2013 06:37
A third identically-sized password was accepted. Now I find that the site is built on Java applets. On a site that hosts private data protected by law. Or, I guess, “protected”?
Cristian Gafton November 11, 2013 07:16
When I get a “password too long” error back, sometimes I call the sites’ web support assistance and tell them they I don’t feel safe with the short passwords they’re forcing me to use. Just to screw with them.
Sadly, a whole bunch of banks and credit card providers have not gotten the memo that limiting password lengths is a bad idea.
Michael K Johnson November 11, 2013 09:03
+Edward Morbius They need to work on the UI for their data restoration service!
H. Peter Anvin November 11, 2013 10:51
The tests they use are almost uniformly how many classes of characters you use. Very daft. Fedora has a somewhat sane policy of requiring different lengths based on the number, of character classes.
Of course, determining the underlying entropy of a short string is almost an impossible task.
H. Peter Anvin November 11, 2013 14:33
Incidentally, ranpwd(1) got rejected from util-linux because Red Hat’s security people thought that what it output wasn’t “passwords”
Imported from Google+ — content and formatting may not be reliable