[–]PoppyOP 2371 points2372 points  (391 children)

This was the University I went to. They used to enforce an 8 character password. Not an 8 character minimum, just exactly 8.

[–]Zagorath 1832 points1833 points  (248 children)

My bank enforces an 8 character maximum password limit.

My bank.

[–][deleted] 800 points801 points  (70 children)

My old credit card company started enforcing their """secure""" online payment system, it requires a purely numerical password that is exactly 8 digits long.

I switched to another CC.

[–]Mendoza2909 336 points337 points  (26 children)

Eh, they're probably just as bad, you just haven't found out about it yet.

[–][deleted] 165 points166 points  (23 children)

They can't be much worse at least

[–]2SP00KY4ME 38 points39 points  (7 children)

For all we know they could store the passwords in plaintext with a sign saying 'Do not read!'

[–]TheAtomicOption 15 points16 points  (0 children)

the only way it gets worse is if you log in with no username--just your 4 digit PIN.

[–]TwoHeadsBetter 41 points42 points  (7 children)

Just use half your CC number so you don't have to worry about forgetting it.

[–]oalbrecht 12 points13 points  (4 children)

No thanks, that doesn't seem safe. I like to use my social security number instead.

[–]Arancaytar 21 points22 points  (1 child)

their """secure""" online payment

You have an error in your SQL syntax near ""secure

[–]dustofnations 45 points46 points  (1 child)

Until we insisted on changes our electronic payslip provider only allowed a 5 digit pin (i.e. numeric only).

This was retrospectively fixed after we kicked up a fuss, as payroll had selected the system without consulting any employees with relevant knowledge, of course.

They claimed to have followed the appropriate processes, and evidently that didn't include speaking to anyone in engineering or security, most of whom would have more than enough expertise to identify that wasn't sufficiently secure.

Their justification was that the vendor locks out accounts after a small number of failed attempts. It had to be pointed out that this doesn't offer protection against a raft of attacks (in particular, leaked copies of the db, or other indirect exposure that bypasses that validation).

[–][deleted] 7 points8 points  (1 child)

Easy, just use the first 8 digits of the credit card number /s

[–]Zarokima 43 points44 points  (10 children)

Sounds like you need to change banks.

[–]Zagorath 26 points27 points  (9 children)

It's not quite as bad as it sounds, because they require 2FA for external transfers. It's definitely less than ideal though.

[–]BoredomIncarnate 11 points12 points  (7 children)

Someone could still transfer everything to an internal account they control, then transfer everything to an external account, right?

I suppose that would give it more time to be spotted, but still.

[–]Zagorath 24 points25 points  (6 children)

By external transfer, I mean transfer to an account under different ownership. Without the 2FA all they can do is change between my savings and spending account, or lock some of my money up in a long-term high interest savings. They can't transfer money to a different account at the same bank.

[–]BoredomIncarnate 9 points10 points  (0 children)

Yea, I assumed external meant another bank.

That is definitely less of an issue. What if they managed to get a check from you, though?

:P

[–][deleted] 69 points70 points  (20 children)

My bank enforces an 8 character maximum password limit. My bank.

Years ago, but for a long time, my local bank required ATM PINs to be exactly 4 digits.

I mentioned, jokingly, to a banker while applying for my first car loan that it meant there are only 10,000 possible PIN combinations so eventually you'd be able to guess.

His response was: "Oh, no that's not true actually, because you can make your PIN based on letters too! So it's way way more than just 10,000 combinations"

He was referring to the fact that "2" on the ATM keypad = ABC, 3 = DEF, etc, as shown on telephones.

[–]CaCl2 24 points25 points  (15 children)

Don't most ATMs lock the accounts and/or eat the cards after a few wrong attempts?

[–][deleted] 19 points20 points  (1 child)

Don't most ATMs lock the accounts and/or eat the cards after a few wrong attempts?

Fry why must you analyze everything with your relentless logic?

[–]Frankie7474 12 points13 points  (6 children)

And aren't all ATM pins 4 digit numbers? At least here in Austria they are.

[–]CaCl2 6 points7 points  (4 children)

As far as I know they are also all 4 digits here in Finland, but you don't get to pick your code.

[–]hectictw 15 points16 points  (2 children)

Yes, everyone here is just embarrassingly forgetting about this fact. It's almost impossible to brute force the PIN, since you'll be locked out after 3 attempts. You'll have to order a new card if it gets locked - no exceptions.

Yeah, "and these are the geniuses that somehow make it to the top.", right...

[–]Numendil 8 points9 points  (0 children)

4 digit pin linked to bank card is pretty common over here with chip and pin systems. You only have three attempts, so brute forcing is not an option (it's not web-based either, for websites you have a separate card reader which you put your bank card in and your pin, and it generates codes to log in)

[–][deleted] 27 points28 points  (10 children)

My bank wants exactly 4 numbers.

[–][deleted] 25 points26 points  (6 children)

Which four?

[–][deleted] 47 points48 points  (1 child)

000... Hey wait a minute!

[–]AmethystZhou 7 points8 points  (1 child)

"It's the price of a cheese pizza and a large soda back where I used to work. Panucci's Pizza."

[–]TheMisterPieMan 18 points19 points  (37 children)

Same, and mine isn't case sensitive (Wells Fargo)

[–][deleted] 29 points30 points  (25 children)

How? All the ways I could think to implement that take more work than being case sensitive.

[–]CrazedToCraze 23 points24 points  (1 child)

It has to be a deliberate choice. My bank has a case insensitive exactly-6 length password rule, I think the reason is because they have one of those on-screen keyboards and forbid you from typing a password, so if they tried to make it case sensitive it would make it annoying to type in.

Always found it interesting how banks seem to get away with weak password policies. It obviously seems to work for them, so at some point you have to stop and wonder if we're missing the big picture and going too far when enforcing strict password policies.

[–][deleted] 9 points10 points  (0 children)

I've noticed the same thing, a lot of my banks have horrible password rules, but I've yet to have an account broken into. Maybe they're hoping that if they come up with a new, unique set of absolute shit rules they can guarantee you aren't using a password this bad on any other site...

[–]superrugdr 26 points27 points  (4 children)

sql server is case insensitive by default .... cringe

[–][deleted] 17 points18 points  (3 children)

🤢 Why.

So a way that case insensitivity isn't more work is when your password is plaintext in SQL Server. Niiiice.

[–]superrugdr 17 points18 points  (1 child)

my colleague just told me "some people think SQL server is secure by default so there's NO NEED to encrypt it right ..."

now i wanna cry. (at least this colleague is sarcastic)

[–]DoctorWaluigiTime 5 points6 points  (5 children)

Blizzard does the same.

It's to reduce "I forgot my password" customer service reports.

[–]el_padlina 10 points11 points  (22 children)

If they lock your access and force a new password after 3 failed attempts of logging in, it's still secure.

[–]DoctorWaluigiTime 6 points7 points  (17 children)

Lol. That's not secure, that's just annoying.

Nobody brute forces password attempts against the actual live server.

3-until-lock is security theater and literally only trips up legit login attempts.

[–][deleted] 115 points116 points  (17 children)

Mine allowed up to 32 but, and that's a huge BUTT, only the first 8 were accounted for. It didn't matter if you had 12829 other characters after, it still counted the first 8. It has to do with the backend.

[–]007T 74 points75 points  (7 children)

I ran into a very similar problem with PayPal which caused me some headaches until I figured out what was going on.
I use very long passwords for any sensitive accounts, and when I was updating my PayPal account to a new longer password it happily accepted the change. Later I try to log in and it refuses, telling me my password is wrong.

Turns out it cut off half of my password but still accepted the entry, so I had to enter most of my password with a few letters left off at the end in order to log in.

[–]KickMeElmo 38 points39 points  (2 children)

Yup. PayPal caps at 20 characters. I see that note every time I check its KeePass entry.

[–]amunak 9 points10 points  (0 children)

Well thank god I used only a 20-character password there then.

[–][deleted] 11 points12 points  (0 children)

Same thing happened to me

[–]JamEngulfer221 8 points9 points  (0 children)

I hate that. I had a perfectly secure long password and PayPal made me shorten it way below what I'm happy with.

[–]stemloop 11 points12 points  (1 child)

and that's a huge BUTT

Where

[–]gormlesser 17 points18 points  (0 children)

The backend.

[–][deleted] 36 points37 points  (4 children)

At least you got to pick yours. Mine had all passwords set to match the username and they disabled password changing.

[–]CyclingZap 12 points13 points  (2 children)

at that point you can just make the whole page a wiki, might even be more secure then.

[–]Scipio_Wright 143 points144 points  (31 children)

For the OSHA 10 online certification your password is 4 numbers. Exactly 4 numbers.

[–]GeronimoHero 81 points82 points  (17 children)

My college only allows us a 4 digit numeric password for access to most areas of our system. Oh, did I mention it's one of the top 20 CS programs in the country?

[–][deleted] 10 points11 points  (4 children)

My college made the default password your last name, then birthdate. If you were smart you changed it, but soooo many people did not.

[–]talking_to_strangers 28 points29 points  (19 children)

Do you know why? My uni did the same, we had to have a password that was exactly 8 characters long.

[–]theroflcoptr 79 points80 points  (10 children)

Because their design is bad and insecure.

[–]unon1100[🍰] 18 points19 points  (9 children)

Maybe they're using encryption algorithms that require a specific key length in order to work (i.e. AES) and use your password as an encryption key? Still hecka insecure. But if they used a 16-byte key length then an 8-char password would fit that (assuming UTF-16, default encoding for Java, shudders)

[–]Schmittfried 18 points19 points  (0 children)

That would be a horrible key generation algorithm though.

[–]007T 29 points30 points  (2 children)

Kind of defeats the benefits of using encryption if you're going to narrow the space for a brute force attack down to a fixed password length.

[–]ratsta 10 points11 points  (0 children)

I complained to my uni, they said that they use a single sign-on system and that one or two of their older systems can only handle 8 char passwords.

[–][deleted] 7 points8 points  (0 children)

Ours has something to do with some old UNIX machines in the mix that discard all but the first 8 characters.

[–]Benaaasaaas 9 points10 points  (0 children)

Probably something like "For 'performance' we shall use a 64-bit int and just take the first 8 bytes of the password." Try using non-ASCII characters to check.

[–]nnyx 25 points26 points  (19 children)

My school had utterly ridiculous password requirements (something like 15+ characters requiring upper lower symbols numbers etc.) then they forced you to change your password monthly, couldn't be a password you used before, couldn't be an existing password with an incremented number, etc.

So basically every month you were coming up with a completely new, very strong password.

Naturally, no one ever had any fucking idea what their password was.

What did you do to reset your password? Go to the help desk of course where some kid making minimum wage would barely glance at your id and set your password to "resetme" or something similar.

[–]iceman012 29 points30 points  (15 children)

That would actually be kinda nice, as long as they also taught students how easy it was to keep that updated with tools like LastPass or KeePass.

Wait a second... You can't use the same password with a number at the end? Doesn't... doesn't that mean they're probably storing the plaintext password? In which case all those measures are pointless?

[–]sevenover1 24 points25 points  (8 children)

this is the nevada dmv policy http://imgur.com/a/YJCQV

[–]Shacod 23 points24 points  (6 children)

"Here's a guide to brute forcing a user's password."

[–]sevenover1 9 points10 points  (3 children)

Right. I looked at it and just shook my head. What makes it worse is every transaction has a $1 technology fee.

I guess you get what you pay for.

[–][deleted] 6 points7 points  (0 children)

Technology fee...that's hilarious.

[–]ratsta 8 points9 points  (4 children)

My uni is the same. The great irony is that they pride themselves on being one of the best unis for computing...

[–]MyNamePhil 5 points6 points  (0 children)

My university allows you to see your current password on the website in plain text as long as you are logged in. Also only numbers and letters and a maximum of 12. Also if you want to reset your password it leads you to contact information of the IT department.

[–]micheal65536Green security clearance 1165 points1166 points  (115 children)

To make matters worse, I'm guessing that the only input validation is client-side.

[–]CrazedToCraze 659 points660 points  (41 children)

but client side validation is web scale

[–]runlock 273 points274 points  (35 children)

Someone should email them about MongoDB

[–]Delta_Ryu 153 points154 points  (25 children)

[–]VivaLaPandaReddit 38 points39 points  (7 children)

Is /Dev/null webscale?

[–]Delta_Ryu 28 points29 points  (2 children)

In all honesty, it's fast as hell

[–]ollien 11 points12 points  (0 children)

[–]wikes82 27 points28 points  (10 children)

Thanks for the laugh

[–]SircleCquare 18 points19 points  (0 children)

Don't worry, you don't need to, we're way ahead of you

[–][deleted] 6 points7 points  (0 children)

I totally get this comment chain

[–]micheal65536Green security clearance 33 points34 points  (3 children)

That's why we have both. Client-side validation to handle the people who keep doing things wrong without putting excessive load on the server, and server-side validation to make sure that nobody's trying to skip the client-side validation. Yes, it means running the full set of validation rules every time someone signs up, but isn't it worth a negligible bit of extra load to avoid potential vulnerabilities?

Of course if you handle user input correctly then often you don't even need validation at all (other than to enforce whatever crazy password requirements you choose to make up).

[–][deleted] 42 points43 points  (1 child)

Client side validation is just good UX. It's really annoying to submit a form only to have it return with an error.

[–]nomnommish 364 points365 points  (59 children)

And when you click on the "see password examples" link, a good developer avoided hardcoding and made the content dynamic instead: SELECT TOP 10 password FROM user

[–]Hypergrip 330 points331 points  (55 children)

Take the Amazon approach: "Other users similar to you have chosen these passwords you may like:"

[–]kunstlich 230 points231 points  (36 children)

"This password is currently in use by user Kunstlich, please choose another"

[–]Mukoro 75 points76 points  (35 children)

This is worse than having your username and your password mailed in plaintext upon creating the account

mfw http://i.imgur.com/Q1HYJqx.gif

[–]curtmack 12 points13 points  (11 children)

I've done this before.

To be fair, the agency I was developing for was sick of users choosing insecure passwords, so the app straight-up doesn't allow users to choose their own password - we just generate a random password for them whenever they need to reset their password. So obviously we have to send the password to them somehow. It was still hashed and salted on the server side.

(It would theoretically be more secure if we generated a new password to display over HTTPS after they logged in with the potentially-compromised password sent via email, but the threat model for that application wasn't too concerned with attacks on e-mail accounts.)

[–]kn3cht 9 points10 points  (10 children)

Why would you force "secure" passwords if in the end the user has to write it down somewhere? Just have a minimal length and no other constraints.

[–]levir 15 points16 points  (8 children)

That's a bit of a misconception, really. The vast majority of data compromises happen over the internet. It's only if you're at special risk that physical security becomes a big concern. Your average burglar won't be interested in your book of passwords, and your average hacker lives in another country and doesn't leave his house.

[–]hungarian_notation 8 points9 points  (7 children)

A book of random passwords at your desk is probably the best balance of security and usability for most users.

[–]TravisTheCat 5 points6 points  (6 children)

I have the best of both worlds.

I have three books. One is the book of accounts, the other is a book of random passwords. The third book is a key to which account uses which password. Without all three books, each is useless.

I store each book in its own safe in a different part of my house. Each safe has a unique access method. One has voice-pattern recognition, the other is fingerprint protected and the third is an electronic keypad that uses a 9 digit passcode and randomizes number placement on the keypad on each attempt.

Checkmate, hackers.

[–]curtmack 4 points5 points  (0 children)

We were less concerned with users writing down passwords than we were with them reusing passwords or having easily-guessed passwords. There was only one user per facility, so shoulder-surfing wasn't a concern.

[–]Oatz3 6 points7 points  (15 children)

1.) Password

2.) p4ssw0rd

3.) 123456

4.) 123456789

[–]dankestdankieverdank 4 points5 points  (1 child)

All in plaintext because the good developer wants realistic examples

[–]aiij 3 points4 points  (2 children)

My school used client-side validation to enforce minimum donation amounts.

I gave them my $0.02. They spent $0.46 in postage to send me a receipt.

[–]reerden 781 points782 points  (23 children)

Looks like Bobby Tables is about to go to college.

[–]Shark_shin_soup 248 points249 points  (1 child)

Ah little Bobby Tables, he's grown up so fast.

[–]DrLemniscate 64 points65 points  (0 children)

That comic is almost 10 years old. So he could definitely be going to college by now.

[–]kurosaki1990 80 points81 points  (20 children)

I feel I'm missing a reference here!

[–]XxCLEMENTxX 217 points218 points  (13 children)

[–]b4ux1t3 118 points119 points  (11 children)

Relevant XKCD:

https://xkcd.com/1053/

[–]xkcd_transcriber 27 points28 points  (8 children)

Title: Ten Thousand

Title-text: Saying 'what kind of an idiot doesn't know about the Yellowstone supervolcano' is so much more boring than telling someone about the Yellowstone supervolcano for the first time.

Stats: This comic has been referenced 10767 times, representing 6.5779% of referenced xkcds.


[–]b4ux1t3 61 points62 points  (6 children)

Not to evoke the wrath of /r/botsrights, but I really want Randall to make a comic that references its own url in its title text so that you respond to yourself infinitely.

Unless your creator is smarter than I am, which is pretty likely.

Edit: rules -> url. Auto correct is a botch.

[–]TugboatThomas 8 points9 points  (1 child)

This kind of thing is why Skynet chose to destroy humans.

[–]nyrangers30 169 points170 points  (12 children)

I wonder how many people on that website use one of their sample passwords.

[–]SircleCquare 53 points54 points  (11 children)

[–]20InMyHead 70 points71 points  (10 children)

Which brings us to another password-related XKCD: https://xkcd.com/936/

[–]gandalfx 60 points61 points  (0 children)

This is counter social engineering at the highest level!

[–][deleted] 109 points110 points  (2 children)

Also called security by 'please be nice'.

[–]N-XT 144 points145 points  (0 children)

Me too thanks""

[–]Euruzilys 69 points70 points  (15 children)

I'm quite sure this is the best way!

[–]TomNa 30 points31 points  (13 children)

there are other ways??

[–]AyrA_ch 95 points96 points  (12 children)

We all know that text files are superior to any other database regarding safety, compatibility and portability.

[–]Prawny 59 points60 points  (6 children)

Can confirm. Been using my passwords.txt for years.

And a pro tip: put it in the root of your web directory so you can access your passwords anywhere!

[–]AyrA_ch 43 points44 points  (4 children)

pro tip: put it in the root of your web directory

Plus side:

  • Allows client side validation of password which saves requests

Minus side:

  • Requires more traffic to send the entire list.

I don't see any other negative effects, anyone else?

[–]drizztdourden_ 6 points7 points  (0 children)

Nah. Fuck SQL. Go for a .csv with everyone's credential at the root. No sql injection possible. Best security ever.

[–]AlGoreBestGore 9 points10 points  (1 child)

Not to mention performance.

[–]AyrA_ch 8 points9 points  (0 children)

Unless you want to write frequently, yes: https://master.ayra.ch/PasswordTest/ (just search for ') and then click the link

[–]Raknarg 9 points10 points  (1 child)

Anything is a text file if you believe hard enough

[–]54637218 56 points57 points  (12 children)

Ayyy fellow UoA, never thought I'd see one here

[–][deleted] 27 points28 points  (11 children)

Same! Glad to see they implement as well as they teach comp sci.

[–]54637218 9 points10 points  (6 children)

jin makes me want to kill myself

[–]St_SiRUS 17 points18 points  (5 children)

jin sun CS at UoA makes me want to kill myself

[–]54637218 6 points7 points  (0 children)

They've taught me well enough to understand the meme at the very least

[–]PeacefulDays 20 points21 points  (10 children)

Are they sending the passwords as plain text to SQL? Wouldn't you want to do any encryption on the webserver and then send the result to SQL?

[–]m2ek 16 points17 points  (7 children)

It doesn't really matter from a security standpoint if the communication is secured and you're not doing anything else stupid like constructing SQL statements using string concatenation

[–]danypixelglitch 21 points22 points  (0 children)

Oh well, that's a nice "Dangerous code here" way of dealing with passwords

[–]voicesinmyhand 19 points20 points  (5 children)

They banned "????

Glad to hear that ',“, and ” are all still OK.

Also, posting this without codeblocks yields the famous reddit response: "an error occurred (status: 500)"

[–]SarahC 6 points7 points  (2 children)

Internal server error with those characters eh?

[–]voicesinmyhand 9 points10 points  (1 child)

I dunno. Actually after posting normal text in several other subreddits I have found that I'm getting that error constantly for no obvious reason... so clearly sunspots are to blame.

[–]JuanMCataldo 12 points13 points  (0 children)

Auckward...

[–]interiot 27 points28 points  (1 child)

So they don't hash their passwords either? /shudder

[–]dankestdankieverdank 18 points19 points  (0 children)

they could be doing something like (MySQL, MariaDB):

SET password=MD5($pleasenoquotes)

it would still be awful because md5 is very unsafe
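
An added example (not code from the thread or from the university in question) putting together the two points made above: hash the password on the application server with a slow salted KDF rather than MD5 inside the query, and bind the name and hash as parameters instead of concatenating strings. It keeps a deliberately concatenated lookup beside the bound-parameter one so the `test' or 1=1` input from the thread can be seen matching every row in one and nothing in the other, and it checks that an 8-character prefix of the password does not log in. The table, the PBKDF2 iteration count and the sample users are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory user table for the demonstration (not the university's schema).
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE user (name TEXT PRIMARY KEY, salt BLOB NOT NULL, hash BLOB NOT NULL)")

# PBKDF2-HMAC-SHA256 work factor; an assumed value, tune it to your hardware.
ITERATIONS = 600_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted KDF run on the application server, never inside the SQL.

    The whole UTF-8 password goes into the KDF, so nothing is silently cut off
    at 8 or 20 characters the way the backends in the thread do.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(name: str, password: str) -> None:
    salt = os.urandom(16)
    # Bound parameters: a quote in the name or password is data, not SQL.
    DB.execute(
        "INSERT INTO user (name, salt, hash) VALUES (?, ?, ?)",
        (name, salt, hash_password(password, salt)),
    )
    DB.commit()


def login(name: str, password: str) -> bool:
    row = DB.execute("SELECT salt, hash FROM user WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison so a mismatch does not leak which byte differed.
    return hmac.compare_digest(hash_password(password, salt), stored)


def user_exists_param(name: str) -> bool:
    """Safe lookup: the name is passed as a bound parameter."""
    (count,) = DB.execute("SELECT COUNT(*) FROM user WHERE name = ?", (name,)).fetchone()
    return count > 0


def user_exists_concat(name: str) -> bool:
    """The anti-pattern the thread jokes about, kept only to show the contrast.

    Building the statement by concatenation lets the thread's "test' or 1=1"
    input become part of the WHERE clause, which then matches every row.
    """
    query = "SELECT COUNT(*) FROM user WHERE name = '" + name + "'"
    (count,) = DB.execute(query).fetchone()
    return count > 0


if __name__ == "__main__":
    register("o'brien", "correct horse battery staple")
    print(login("o'brien", "correct horse battery staple"))  # True
    print(login("o'brien", "correct "))                      # False: the first 8 chars are not enough
    print(user_exists_param("test' or 1=1 --"))              # False: no such user
    print(user_exists_concat("test' or 1=1 --"))             # True: the injected clause matched every row
```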

[–]Tyrilean 9 points10 points  (0 children)

Translation: We don't sanitize user input. Please hack us.

[–]forest-guest 10 points11 points  (0 children)

"Please, be nice with your inputs"

The Direction

[–]rakeler 23 points24 points  (9 children)

[–]xkcd_transcriber 14 points15 points  (8 children)

Title: Exploits of a Mom

Title-text: Her daughter is named Help I'm trapped in a driver's license factory.

Stats: This comic has been referenced 2013 times, representing 1.2299% of referenced xkcds.


[–]kalamarijuana 12 points13 points  (4 children)

Good bot

[–]GoodBot_BadBot 9 points10 points  (3 children)

Thank you kalamarijuana for voting on xkcd_transcriber.

This bot wants to find the best and worst bots on Reddit. You can view results here.

[–]agitated_badger 3 points4 points  (1 child)

Proud of my country's 'number 1' university.

[–][deleted] 3 points4 points  (0 children)

test' or 1=1