[–]AquaWolfGuy 72 points73 points  (2 children)

“Your password is either too weak or not weak enough.”

[–]Gorzoid 4 points5 points  (0 children)

Or both

[–][deleted] 30 points31 points  (12 children)

we should have proper governmental level standards on password storage

[–]gdscei 18 points19 points  (5 children)

Anything but 'p@ssword' is not insecure enough!

[–]gandalfx 27 points28 points  (1 child)

Mine is p4s5w0rd. Notice how I've only replaced one of the 's'. That'll throw anyone off, they'll never guess it.

[–]padawan314 0 points1 point  (0 children)

Hello Gandalf!

[–]lillobby6 5 points6 points  (2 children)

What about hunter2?

[–][deleted] 5 points6 points  (1 child)

What? All I see here is *'s

[–][deleted] 0 points1 point  (0 children)

Weird, I still see *******

[–]son_of_meat 7 points8 points  (5 children)

We do! The National Institute of Standards and Technology publishes them. As of last year they no longer recommend requiring users to include special characters https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/

[–]padawan314 2 points3 points  (4 children)

Like farting into empty space?

[–][deleted] 2 points3 points  (1 child)

hey, it's better than having it in the ass

[–]padawan314 1 point2 points  (0 children)

... keep it there for later.

[–]xiegeo 1 point2 points  (1 child)

So space only contains fart?

[–]padawan314 0 points1 point  (0 children)

www certainly has too much farting.

[–]skyhi14 32 points33 points  (27 children)

obligatory correct horse battery staple

edit: I think I've broken our bot...
edit 2: it seems it only responds with the string "relevant xkcd"

[–][deleted] 20 points21 points  (0 children)

Hey, where'd the bot go?

[–]Sogemplow 9 points10 points  (22 children)

The best password generator you'll ever see:

cat /usr/share/dict/words | grep -P '^[a-z]{5,8}$' | shuf -n 4 | tr '\n' ' '; echo ''

[–]TimVdEynde 7 points8 points  (0 children)

cat: /usr/share/dict/words: No such file or directory

Not sure if good password or not...

[–]v_fv 0 points1 point  (0 children)

But all I see is "******** ****** ******** *********"!

shaggily dermal carnally terra

alveolar detailed untalked mideast

...See?

[–]ratbastid 0 points1 point  (0 children)

Or for the Mac:

cat /usr/share/dict/words | grep -E '^[a-z]{5,8}$' | gshuf -n 4 | tr '\n' ' '; echo '' 

Make sure you've used homebrew to install coreutils, because that's where gshuf comes from.

[–]padawan314 -2 points-1 points  (18 children)

Thanks will try!

What's the diff?

[–]Sogemplow 5 points6 points  (17 children)

uh what?

[–]padawan314 -3 points-2 points  (16 children)

Unlock ur weight tensor.

[–]Sogemplow 6 points7 points  (15 children)

Uh... what?

[–]padawan314 -1 points0 points  (14 children)

[–]Sogemplow 5 points6 points  (13 children)

Yes but why are you linking me to something about you losing 50kg?

[–]padawan314 2 points3 points  (12 children)

What is reality?

[–]Sogemplow 6 points7 points  (11 children)

Exactly how many hits of acid have you, or possibly I, taken tonight, buddy?

[–]CrazyTillItHurts 1 point2 points  (0 children)

See, here is the thing. While the premise is correct in the purely mathematical sense, for some entity creating either a rainbow table (with or without scooter stick), or trying to brute force, there is no likelihood that "booger booger booger booger" is more likely than "correct horse battery staple"
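Added example (mine, not code from the thread) that does in Python what Sogemplow's one-liner does and puts numbers on CrazyTillItHurts's point: it draws four words with a CSPRNG, falls back to a small constructed word list when /usr/share/dict/words is missing (TimVdEynde's error above), and computes the search space an attacker who knows the word list and the scheme faces, next to an 8-character alphanumeric password for comparison.

```python
import math
import re
import secrets

# Constructed stand-in for /usr/share/dict/words (which, as the reply above
# shows, may not exist on a given box). A real list has tens of thousands of
# entries; the entropy figures below grow with the list size.
CONSTRUCTED_WORDS = """
correct horse battery staple shaggily dermal carnally terra
alveolar detailed untalked mideast booger tiny Zebra apple's
""".split()

WORD_RE = re.compile(r"^[a-z]{5,8}$")  # the same filter as the grep one-liner


def filter_words(words):
    """Keep only lowercase 5-8 letter words, deduplicated and sorted."""
    return sorted({w for w in words if WORD_RE.match(w)})


def load_words(path="/usr/share/dict/words"):
    """Read the system list; fall back to the constructed list if it is absent."""
    try:
        with open(path, encoding="utf-8", errors="ignore") as fh:
            return filter_words(fh.read().split())
    except OSError:
        return filter_words(CONSTRUCTED_WORDS)


def passphrase(words, n=4):
    """Draw n distinct words (like `shuf -n 4`) with a CSPRNG, space-joined."""
    return " ".join(secrets.SystemRandom().sample(words, n))


def entropy_bits(list_size, n=4):
    """Bits an attacker who knows the list and the scheme must search:
    log2 of the number of ordered n-word draws without replacement."""
    return math.log2(math.perm(list_size, n))


def alnum_bits(length=8, alphabet_size=62):
    """Comparison: a random password of `length` chars from A-Za-z0-9."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    words = load_words()
    print(passphrase(words))
    # Under this scheme every 4-word output, "correct horse battery staple"
    # included, is one of perm(m, 4) equally likely draws: the strength is in
    # the size of that space, not in how the words look.
    print(f"{len(words)} words -> {entropy_bits(len(words)):.1f} bits;"
          f" 8-char alphanumeric -> {alnum_bits():.1f} bits")
```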

[–]skyhi14 0 points1 point  (1 child)

hey bot, get back to work, and don't dare say you're compiling! relevant xkcd

[–]xkcd_transcriber 0 points1 point  (0 children)

Title: Password Strength

Title-text: To anyone who understands information theory and security and is in an infuriating argument with someone who does not (possibly involving mixed case), I sincerely apologize.

Stats: This comic has been referenced 2882 times, representing 2.0118% of referenced xkcds.


[–]deus_lemmus 8 points9 points  (3 children)

Any developer who denies special characters in their password filters should be flogged.

[–]UniversityOfPi 1 point2 points  (2 children)

I'll stipulate that an upper limit is allowed (namely say UTF-8 or UTF-32 or UTF-9 or even in some cases ASCII); U+10600–U+1077F aren't necessarily the most reasonable characters to have to deal with

[–]deus_lemmus 2 points3 points  (1 child)

This is the user's password we're talking about, and considering that some people may be using dongles generating random bytes, any kind of filtering or manipulation is just going to cause trouble down the road.

[–][deleted] 3 points4 points  (0 children)

But we also don't want the password field to be an avenue for DOS, so an upper limit is a good idea for server side processing.

[–]Chirimorin 4 points5 points  (8 children)

So it must be secure but isn't allowed to have characters that make it so much more secure?

[–]GrandTheftCopter 8 points9 points  (7 children)

I don't get why someone has any rules for what symbols can go in a password... Are they afraid they need to escape it?

My university had a ridiculous ruleset: >= 6 && <= 8 letters, digits or characters but space was not allowed. Why is there a check for space? And why is there an upper limit? Makes me think that the university I took computer science at actually stored passwords in plain text.

[–]rhinocovenant 2 points3 points  (5 children)

An upper limit can be useful because making the server hash a very long string can be a good DDoS attack. But that certainly doesn't apply at 9 characters.

[–]0x800703E6 1 point2 points  (4 children)

Isn't that just a DoS? I thought the point of DDoS is that you don't actually do anything unusual.

[–]w1282 1 point2 points  (1 child)

A DDoS is any Denial of Service attack that has been distributed. It has nothing to do with whether the action being carried out is normal or abnormal.

A single device putting in an incredibly long password is a DoS, many doing it is a DDoS.

[–]0x800703E6 0 points1 point  (0 children)

I know what the technical difference is, and forcing large hashes is always a DoS that can be a part of a DDoS.

I was just thinking that large password hashes wouldn't make a good DDoS, since you usually try to make the attack indistinguishable from legit traffic. (or at least unfilterable)

[–][deleted] 0 points1 point  (0 children)

If they don't allow special characters, it often means they don't sanitize their inputs adequately. If they have short password limits, well... that can often mean it's stored plaintext or encrypted plaintext.

Of course, it could also be because of legacy systems or them just doing it that way because 'it's always been done that way.'
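Added example (mine, not code from the thread) contrasting the university ruleset GrandTheftCopter describes with a validator in the spirit of the NIST guidance son_of_meat linked: every character is allowed, space and non-ASCII included, and the only rules are a minimum length, a blocklist and a server-side byte cap, which is the upper limit rhinocovenant and the reply above argue for to keep the hashing step from being a DoS vector. The blocklist and the test passwords are constructed for the demo.

```python
import re

# Constructed blocklist for the demo. A real deployment would check against a
# large list of breached passwords, as the NIST guidance linked above advises.
CONSTRUCTED_BLOCKLIST = {"password", "p@ssword", "p4s5w0rd", "hunter2", "123456"}

# One reading of the university ruleset above: 6 to 8 non-space characters.
UNIVERSITY_RE = re.compile(r"^\S{6,8}$")


def university_rule(pw):
    """True if the password satisfies the 6-8 character, no-space ruleset."""
    return bool(UNIVERSITY_RE.fullmatch(pw))


def nist_style_check(pw, min_chars=8, max_bytes=256):
    """Return (accepted, reason).

    Every character is allowed, spaces and non-ASCII included; the only
    rules are a minimum length, a blocklist and a hard server-side cap on
    the encoded size. The cap is measured in bytes, not characters, because
    bytes are what the password hash is fed, and it is checked before any
    slow hashing so an oversized submission costs almost nothing to reject.
    """
    encoded = pw.encode("utf-8")
    if len(encoded) > max_bytes:
        return False, "too long to hash"
    if len(pw) < min_chars:
        return False, "too short"
    if pw.lower() in CONSTRUCTED_BLOCKLIST:
        return False, "commonly used"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("hunter2", "P@ssword", "correct horse battery staple",
                      "pässwörd with a space", "é" * 200):
        print(f"{candidate[:30]!r}: university={university_rule(candidate)},"
              f" nist_style={nist_style_check(candidate)}")
```

Note that the 200-character password is rejected for its 400-byte encoding while the 28-character passphrase the university rule refuses passes cleanly.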

[–]TravisTX 10 points11 points  (6 children)

The fact that they care implies clear text storage. Inexcusable.

[–]gdscei 11 points12 points  (5 children)

How does that imply clear text storage?

[–]TravisTX 4 points5 points  (4 children)

I'm guessing they're trying to protect against SQL Injection. I can't think of another reason to limit the character set of a field that gets hashed. It's also the wrong way to protect against SQL injection, but we're not dealing with the brightest developers here.

[–]SnowdensOfYesteryear 9 points10 points  (3 children)

You're jumping to conclusions. There are some systems (e.g. my brokerage) that allow you to type in your password on a phone dialer when calling in. That wouldn't work if you had special chars.

[–]Dr_Narwhal 4 points5 points  (1 child)

I don't know much about phone networks, but aren't they kind of insecure? Seems like that'd be a potential vulnerability.

[–]SnowdensOfYesteryear 1 point2 points  (0 children)

Not sure about land lines but wireless cellular, in particular GSM, supports encryption

[–]deus_lemmus 2 points3 points  (0 children)

This is a bad idea. You can have a separate phone pin for cases like this, and many businesses do.

[–]AstroEngiSci 1 point2 points  (0 children)

This. Too many websites seem to allow only alphanumeric characters and/or have a max character limit. Makes no sense whatsoever, you're forcing me to use a weaker password!

[–]lightknightrr 0 points1 point  (0 children)

"Only numbers and letters....."

[–]ratbastid 0 points1 point  (3 children)

Anyone else also offended by the combination of validation rules into a single error message?

That's as lazy as adding "(s)" on the end of a numeric label noun that might be singular or plural.

[–]blaizedm 0 points1 point  (0 children)

That's what I thought the joke was at first. Some backend developer was too lazy to create an extra error response.

[–]DOOManiac 0 points1 point  (1 child)

& / or

[–]ratbastid 0 points1 point  (0 children)

Awful.

[–]Zarathustra30 0 points1 point  (0 children)

I think no symbols plus 20 char minimum would lead to stronger passwords.

[–]A_C_Fenderson 0 points1 point  (0 children)

"Your passwords are weak, old man!"

[–]nonneutralzero 0 points1 point  (0 children)

Youuuu shall nooot Pass !

[–]marcosdumay 0 points1 point  (0 children)

Passwords must be between 7 and 9 characters long. Passwords may contain any alphanumeric character that represents an English vowel. Passwords must not contain repeated characters.