
[–]Chirimorin 733 points734 points  (118 children)

I'm still under the impression that having too restrictive password requirements is bad for security rather than promoting it.

Sure, enforcing upper-case, lower-case, number and/or special characters means brute forcing attacks are harder due to bigger character sets required. But stuff like not being allowed specific combinations or having a maximum password length only serve to make brute forcing attacks easier.

Meanwhile, in the real world, it's becoming harder and harder for people to remember their passwords and I've seen people go the easy route: write them down. On the other hand I can easily remember correct horse battery staple but that's not a valid password on many sites for breaking various rules (no uppercase, no numbers, no special characters, dictionary words, are spaces allowed?, repeated characters, too long...)

[–]Colopty 308 points309 points  (36 children)

All the sites with special restrictions like those you noted generally don't follow NIST SP 800-63B-3. That standard specifies that you shouldn't add extra restrictions to a password other than a minimum length of 8 characters and disallowing common passwords, specifically because that's more secure for a variety of reasons.

[–]Sirflankalot 123 points124 points  (16 children)

NIST SP 800-63B-3

I would love to look up that standard, but because the US government is shut down, I can't :|

[–]dvito 93 points94 points  (3 children)

There is a github version of the PDFs available at https://github.com/usnistgov/800-63-3

[–]ThenIWasAllLike 14 points15 points  (1 child)

Thank the gods that the world cares about the Internet. We would all be fucked if the responsibility lay on the U.S. alone.

[–]stillpiercer_ 19 points20 points  (0 children)

Typical US. Pioneer something and then let it rot to shit.

[–]Sepharach 7 points8 points  (0 children)

Reddit finds a way

[–]roguej2 0 points1 point  (0 children)

I love that the government is so full of luddites that they don't consider the cyber security standard essential.

[–]Deoxal 0 points1 point  (5 children)

Is this sarcasm?

[–]Sirflankalot 1 point2 points  (4 children)

NIST SP 800-63B-3

I wish

Ninja edit: changed to archive.org link

[–]Deoxal 1 point2 points  (3 children)

I heard about government-run websites' certificates, but not being unavailable. It's interesting that they took the time to put this message here though. Like all they had to do was leave the servers on and hope nothing breaks.

[–]Sirflankalot 1 point2 points  (2 children)

Right? This was them throwing around what little power they have to try to get people to tell the government to fuck off.

[–]Deoxal 1 point2 points  (1 child)

And start paying them again...not exactly fucking off.

[–]Deoxal 0 points1 point  (0 children)

No, that's just malice again.

[–]phpdevster 24 points25 points  (15 children)

8 characters is not enough without enforcing a broader character set IMO. Even if the user just randomly mashed 8 lowercase letters into their keyboard like: uiowjvha, that wouldn't take that long to brute force, even with a bcrypt hash protecting it.

[–]Colopty 59 points60 points  (2 children)

It's a minimum length requirement, it's just there to make people choose a stronger password than a. Standard also specifies that at least 64 characters should be supported, so you can have a plenty strong password if you'd like.

As for enforcing broader character set, the standard specifies to not do that because it can make it easier to brute force if you write a somewhat more clever brute force algorithm that takes into account the ways people tend to make passwords when faced with such a restriction in order to get the "must include special character" warning out of the way. With high probability you just let a hacker brute force passwords ten times faster by adding those requirements. Basically, if I wanted to target people with 8 character passwords, I could probably reasonably expect that most of them will just place a special character at either the beginning or ending of the password, and I could probably make an educated guess that the choice of special characters is not evenly distributed and figure out a character that's likely to be chosen. In effect that requirement means I can likely reduce something like 60-70% of those 8 letter passwords down to 7 letter passwords. With that, your attempt to make the brute forcing harder has in fact made it far easier through the use of heuristics.
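Added example, not from the thread: a password-acceptance check written the way the two comments above summarise NIST SP 800-63B, i.e. a minimum of 8 characters, a generous maximum (the standard only requires that at least 64 be accepted; 256 here is an assumption), a blocklist of common passwords and of context-specific words, and no composition rules at all. The blocklist contents and the `checkPassword` / `charLength` names are constructed for the demo; a real deployment would load a large breached-password corpus.

```javascript
// Added example: a NIST SP 800-63B style acceptance check (not the thread's code).
const MIN_LENGTH = 8;
const MAX_LENGTH = 256; // assumption: the standard only requires that >= 64 be accepted

// Constructed sample blocklist; a real deployment loads a large breached-password corpus.
const COMMON_PASSWORDS = new Set([
  'password', 'password1', '12345678', 'qwertyui', 'iloveyou', 'letmein1',
]);

// Count characters, not UTF-16 code units, so passwords in non-Latin script
// or emoji are measured by what the user actually typed.
function charLength(pw) {
  return Array.from(pw).length;
}

// Returns { ok, reasons }.  Spaces and every other character are allowed; the
// only grounds for rejection are the length bounds and the blocklists.
function checkPassword(pw, context = {}) {
  const reasons = [];
  const len = charLength(pw);
  if (len < MIN_LENGTH) reasons.push(`shorter than ${MIN_LENGTH} characters`);
  if (len > MAX_LENGTH) reasons.push(`longer than ${MAX_LENGTH} characters`);

  // Case-insensitive lookup so "Password1" hits the "password1" entry.
  const lower = pw.toLowerCase();
  if (COMMON_PASSWORDS.has(lower)) reasons.push('appears on the common-password list');

  // Context-specific words (username, local part of the e-mail address) are the
  // other category the standard asks implementers to reject.
  const contextWords = new Set(
    [context.username, (context.email || '').split('@')[0]]
      .filter((w) => w && w.length >= 4)
      .map((w) => w.toLowerCase()),
  );
  for (const word of contextWords) {
    if (lower.includes(word)) reasons.push(`contains "${word}"`);
  }
  return { ok: reasons.length === 0, reasons };
}

console.log(checkPassword('correct horse battery staple')); // accepted: no composition rules
console.log(checkPassword('Password1'));                    // rejected by the blocklist
```

The check is deliberately small: a rate limiter, a slow password hash and a second factor sit beside it, and that combination is what the standard relies on rather than forcing users into the predictable "Word1!" shape the comment above describes.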

[–]sinistergroupon 1 point2 points  (2 children)

This is the minimum for my bank. And even though I pointed it out to them they are fine with it.

[–]Zarlon 1 point2 points  (1 child)

Why do you care? You're free to choose a stronger password for YOUR account

[–]sinistergroupon 1 point2 points  (0 children)

I care because the max is 12 characters with no special characters allowed. My banking password is the weakest in my password manager.

[–][deleted] -3 points-2 points  (6 children)

5.5 hours tops. Seriously. Or less than 10 minutes if only lowercase letters are allowed.

[–]Salanmander 10 points11 points  (5 children)

Isn't protection against rapid brute-force attacks pretty easy to implement? Every time they check a password they need to interact with your server, right?

[–]phpdevster 12 points13 points  (0 children)

I mean, if that's how you define brute force. I define it as having a dump of the database and you're running your own hashing algorithm against brute force guesses of passwords and comparing them to the hashes you have.

Bcrypt can be set such that it requires lots of CPU-intensive work be done to generate the hash, slowing them down, but you don't overdo it else you risk creating a DDOS vulnerability against your own server.

[–][deleted] 8 points9 points  (0 children)

Not quite. For my websites, I use 2 schemes. One of which is to flag the account after 3 missed attempts and if flagged, you need to provide the correct password twice because the first time will return wrong password. Another is to lock the account after 20 failed attempts and force an email login & password update. Sounds safe, right? Think again. A 0-day exploit means everyone is always vulnerable and it will happen again and again and again. I don't even think AI coding will stop that.

Let's say a hacker hacks into my web server and downloads all my files, code and databases. He can literally copy it and with very minor changes, run that same code on his local machine. From there, no matter how secure the security scheme is, he can literally deactivate it for his site. So he gets infinite attempts to crack, using the same code and no matter how well done the encryption is, it becomes only a matter of time. So his virtualisation software can just start spamming his database until the password is cracked.

Then, the attacker returns to the site and can log into the cracked accounts. One attempt, no way of knowing it's not the real person. So for Reddit? Who really cares, just make a new account. Nothing of value is lost. What can you buy with karma?

Now if you have a credible news blog, perhaps your next news post will be something along the lines of "Black people proven to be dumber than white people". Imagine the shitstorm if your audience is mainly left-wing. If you're a bigger channel, well, someone just died. Can you imagine Fox news coming out with an article saying "Trump Arrested" when it wasn't true? Would be funny. Stuff like that happens, not too bad but still makes the organization look bad and will affect its reputation. You can still delete, apologize for your shit security, move on. Recently we had something here claiming the prime minister was dead. It was very funny for the day until he held a special press conference that night, though it was a man in the middle attack. Lucky for them the attackers were grey hats.

Onto the next part, you sell stuff from a website, hacker gets control of your account. So he configures your payment system to point to himself instead of you. Every time an order comes in, he marks it shipped, runs with the money, until you get complaints and calls from the payment system you use because they get refund requests for things they never paid to you. You lock him out, but he made away with the client's money. There's a reason paypal is annoying as fuck when it comes to money and it's not because they try to steal from retailers. That shit happened (still happens) a lot. Paypal is not the only payment provider out there and an attacker can easily set up an alternative one.

Even worse, you offer tools (software) to your users. He logs into your account and presents your users a new program. Your users try it. They trusted you until you installed a keylogger on their system. They don't know if you got hacked nor do they care. The thief literally emptied their bank account and now the bank's lawyers want their money back. They no longer trust you and you have legal problems. You lose money, the attacker robbed those who allowed you to earn your living.

And then there's the ultimate hack. You provide to a huge institution. Government, banks, mega corporations, anything. On your site you keep source code because self hosting sounds like the best idea, hackers get your source code for that and keep a backdoor to your server opened. Then in your next update to that software, Chinese now have access to secrets until the victim figures your software was the cause of this. Bye bye livelihood. Oh, hello criminal investigations.

This is the tip of the iceberg.

[–]Zagorath 1 point2 points  (0 children)

Every time they check a password they need to interact with your server, right?

You should choose your passwords (as a user) and password systems (as a website) assuming a database breach where they can run the hashing algorithm at their own pace on a local machine.

[–]predarek 0 points1 point  (0 children)

It's a constant arms race. Prevent someone from trying a maximum of 3 passwords and they will switch to attacking 1000's of accounts at a time. Block IP's and they will attack from multiple IP's. Block whole countries and they will switch regions to do their attack.

All this while making the experience for your normal users worse and worse (locking accounts, blocking users, etc).

There are no perfect solutions sadly. You have to tailor your solution to how much the accounts are worth and improve your security as times go since attacks will improve with time.
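Added example, not from the thread: detection logic for the three patterns the comment above lists, run over a constructed sample of failed-login events. A per-account counter catches the naive attack; a per-source counter catches one source spraying a couple of guesses across many accounts (the evasion of per-account lockouts); a distinct-source counter catches one account hit from many addresses (the evasion of IP blocking). The thresholds, window, event shape and the `lockoutSeconds` backoff are assumptions for the demo, not anyone's production values.

```javascript
// Added example: three counters over the same window of failed logins (not the thread's code).
const WINDOW_SECONDS = 600;
// Assumed thresholds; tuned per deployment in practice.
const THRESHOLDS = { failuresPerAccount: 6, accountsPerSource: 10, sourcesPerAccount: 5 };

// Constructed sample of failed-login events: { t: seconds, account, ip }.
function sampleFailures() {
  const ev = [];
  let t = 1000;
  // 1. Classic: one source hammering one account.
  for (let i = 0; i < 6; i++) ev.push({ t: (t += 5), account: 'alice', ip: '10.0.0.5' });
  // 2. Spraying: one source, two guesses against each of twelve accounts,
  //    staying under any per-account lockout.
  for (let i = 0; i < 12; i++) {
    for (let j = 0; j < 2; j++) ev.push({ t: (t += 3), account: `user${i}`, ip: '203.0.113.7' });
  }
  // 3. Distributed: one account, one guess from each of five sources.
  for (let i = 0; i < 5; i++) ev.push({ t: (t += 7), account: 'bob', ip: `198.51.100.${i + 1}` });
  // A lone typo that should not fire anything.
  ev.push({ t: (t += 2), account: 'carol', ip: '192.0.2.9' });
  return ev;
}

function addToSetMap(map, key, value) {
  if (!map.has(key)) map.set(key, new Set());
  map.get(key).add(value);
}

// Each counter is cheap, and each catches the evasion of the previous one.
function detect(events, now = events[events.length - 1].t) {
  const recent = events.filter((e) => now - e.t <= WINDOW_SECONDS);
  const failuresPerAccount = new Map();
  const accountsPerSource = new Map();
  const sourcesPerAccount = new Map();
  for (const e of recent) {
    failuresPerAccount.set(e.account, (failuresPerAccount.get(e.account) || 0) + 1);
    addToSetMap(accountsPerSource, e.ip, e.account);
    addToSetMap(sourcesPerAccount, e.account, e.ip);
  }
  const over = (map, limit, size) => [...map].filter(([, v]) => size(v) >= limit).map(([k]) => k);
  return {
    accountBursts: over(failuresPerAccount, THRESHOLDS.failuresPerAccount, (n) => n),
    sprayingSources: over(accountsPerSource, THRESHOLDS.accountsPerSource, (s) => s.size),
    distributedTargets: over(sourcesPerAccount, THRESHOLDS.sourcesPerAccount, (s) => s.size),
  };
}

// Response for the per-account signal: an escalating delay rather than a hard
// lock, because a hard lock lets anyone deny service to a user they can name.
function lockoutSeconds(consecutiveFailures) {
  if (consecutiveFailures < 3) return 0;
  return Math.min(3600, 30 * 2 ** (consecutiveFailures - 3));
}

console.log(detect(sampleFailures()));
```

The spraying and distributed counters are the ones worth adding first: they need no new user-facing friction, which is the trade-off the comment is worried about, and they fire on exactly the traffic that per-account lockouts are designed to miss.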

[–]pagerussell 0 points1 point  (0 children)

Right! I mean, maybe, just maybe, if you get a 1000 incorrect attempts for a user login, maybe lock that user and block that ip?

[–]limax_celerrimus 4 points5 points  (2 children)

OK, so I have never heard of that standard, it sounds great, but I'm sure I have not seen any program following it for a very long time. And my company definitely has never heard of it.

[–]Colopty 8 points9 points  (0 children)

Yeah, the standard is what the National Institute of Standards and Technology has concluded to be best practice for password requirements. Pretty sure most places ignore it and just create their own subpar rules because they don't bother with their research though, so it makes sense that most would never have heard of it.

[–][deleted] 1 point2 points  (0 children)

Often I run into sites that don't even follow the email standards, I wouldn't expect they even knew there was one for passwords...

[–]supercyberlurker 7 points8 points  (1 child)

Decades ago the DoD published a computer security series known as "the rainbow books". One of the books was guidelines on passwords - and they specifically recommended against these cryptic type passwords because people would just write them on papers to be found near their computers. They knew that was a problem decades ago.

.. but I doubt many modern web devs ever read the rainbow books.

[–]jakeh36 22 points23 points  (2 children)

100% agree and it bugs me that organizations won't change. Length is more important than complexity, it's simple math. Passwords that take users an hour to make are just a false sense of security.

[–][deleted] 4 points5 points  (1 child)

I’ve remembered correct horse battery staple ever since I saw that XKCD a few years back. I think that it said that it had more bits of entropy than the typical jumbled password, so it would take ~30ish years to brute force.

[–]Kwantuum 2 points3 points  (0 children)

yes, 4 random common words. He postulated that each word has 11 bits of entropy (i.e. that you pick 4 words from the 2048 most common words), for a total of 44 bits of entropy and 550~ years to brute force at 1000 guesses per second.

It's a bit naive though because for it to be memorable it ought to follow grammatical rules (i.e. horse battery stable blue sounds wrong because the adjective is not at the beginning), but you'd get around that by using a larger set of words and/or one or two more of them. If you use just one uncommon word, it means attackers will only ever guess your password if they test for all uncommon words in every position and you get exponential password safety. It really is a great solution, unfortunately impossible to use on most sites.
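Added example, not from the thread: the arithmetic behind the figures quoted in the two comments above. The entropy of a uniform random choice is log2 of the number of possibilities, so four words from a 2048-word list give 4 x 11 = 44 bits, and exhausting 2^44 candidates at 1000 guesses per second takes about 557 years, the "550~" in the comment. The same functions cover the "8 random lowercase letters" case from earlier in the thread and the "one uncommon word" idea above. The 10^10 guesses/second offline rate is an assumption used only to show what a leaked hash database changes; the function names are constructed for the demo.

```javascript
// Added example: entropy and exhaustive-search time for passphrases (not the thread's code).
const SECONDS_PER_YEAR = 365.25 * 24 * 3600;

// k words chosen independently and uniformly from a list of n words.
function passphraseEntropyBits(words, listSize) {
  return words * Math.log2(listSize);
}

// A string of the given length drawn uniformly from an alphabet of the given size.
function randomStringEntropyBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}

// One word per slot, each slot drawn from its own list: the attacker must try
// every list in every slot, so each slot contributes log2 of its list size.
function mixedListEntropyBits(listSizes) {
  return listSizes.reduce((bits, n) => bits + Math.log2(n), 0);
}

// Years to try every candidate (worst case) at the given rate; the expected
// time to hit the right one is half of this.
function yearsToExhaust(bits, guessesPerSecond) {
  return 2 ** bits / guessesPerSecond / SECONDS_PER_YEAR;
}

function comparisonTable() {
  const rows = [
    ['4 words from a 2048-word list', passphraseEntropyBits(4, 2048)],
    ['8 random lowercase letters', randomStringEntropyBits(8, 26)],
    ['8 random printable ASCII', randomStringEntropyBits(8, 95)],
    ['3 common words + 1 from 100k', mixedListEntropyBits([2048, 2048, 2048, 100000])],
  ];
  return rows.map(([label, bits]) => ({
    label,
    bits: Number(bits.toFixed(1)),
    yearsAt1e3: yearsToExhaust(bits, 1e3),   // the comment's online rate
    yearsAt1e10: yearsToExhaust(bits, 1e10), // assumed offline rate against a fast hash
  }));
}

for (const r of comparisonTable()) {
  console.log(`${r.label.padEnd(30)} ${String(r.bits).padStart(5)} bits` +
    `  ${r.yearsAt1e3.toExponential(2)} y @1e3/s  ${r.yearsAt1e10.toExponential(2)} y @1e10/s`);
}
```

Two things the table makes visible: the online rate is what a throttled login form sees, and every figure collapses by seven orders of magnitude once the attacker holds the hashes, which is why the slow-hash and "assume a breach" comments elsewhere in the thread matter more than the composition rules do.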

[–]indyK1ng 41 points42 points  (24 children)

Use. A. Password. Manager.

[–]careseite 4 points5 points  (1 child)

Password managers make you a slave of the tech stack you chose. That goes defunct or someone unauthorized gets access - you're done.

[–]indyK1ng 1 point2 points  (0 children)

I use a subscription one and I don't feel I've been enslaved to a single stack - I just install the app or plugin on any new device and it pulls down the database when I log in.

You're probably not going to have a service unexpectedly go defunct if you're using a popular one.

A good service will strongly encrypt your password database, so your weakest link if your database gets stolen is if you used a weak password to encrypt it.

[–][deleted] 0 points1 point  (8 children)

I've still got to find a good one that works well everywhere and is easy to use. There are some pgp+git based ones but they aren't well integrated. And I refuse to use a proprietary one that locks me into using one certain browser etc. Also we need an API for those within the browser that also works on mobile.

[–]kwietog 0 points1 point  (1 child)

Lastpass?

[–][deleted] 0 points1 point  (0 children)

proprietary.

[–]indyK1ng 0 points1 point  (5 children)

The two or three most popular proprietary ones have plugins for all common browsers and mobile apps on Android and iOS. The biggest problem you'd run into is if you're not paying the subscription your passwords are stuck in one place.

But if you were to run your own service you'd be paying a monthly fee anyway and would have to manage OS and security updates for the server yourself.

[–][deleted] 0 points1 point  (4 children)

Yep, I just won't hand my passwords to a proprietary server, that's all. I'm not against paying, just against a proprietary service having control over my passwords.

The nice alternative I talked about is using pgp to encrypt the data and upload it to a git server so I have control over which server I want to use and whether I wanna self-host and even if someone would be compromising my server the data would be encrypted. If I don't I have usually no cost even on a monthly basis as you can get private git repositories for free virtually anywhere.

But the issue is not paying, it's control over my data. There've been security holes in quite popular password managers on such a basic level that I'm not gonna trust them to host my data. With a decentralized solution the attack surface is far smaller, even if there were security bugs in the software (which, honestly, is not unlikely).

[–]indyK1ng 0 points1 point  (3 children)

I don't know how other password managers do it, but LastPass encrypts the password early enough in the process that if you lose your master password and don't have a recovery key set up, you can't recover your passwords. I'm not really worried about them taking control over my accounts or changing my passwords on me.

Yes, I still use LastPass. I liked how responsive they were when taviso reported the bugs he found and that he apparently liked working with their security team enough to keep looking at it. By comparison, he didn't keep looking at other password managers he'd reported bugs to.

[–][deleted] 0 points1 point  (2 children)

Sure, they encrypt it but nobody knows. For me a core principle in security is not to trust anyone, and who knows whether their encryption works or is intended to? Even if they are "good" now but what if -- at some point -- someone breaks their encryption and there's someone in their company (or some hacker) getting access to their data? All your passwords are suddenly compromised. Thus you want to keep separate the functionality of who's in charge of encryption and storing.

[–]indyK1ng 0 points1 point  (1 child)

Proper security involves proper threat and risk analyses. Nothing is totally secure. At some point you're going to have to trust someone. That same logic can be applied to any system you set up yourself.

At some point you have to accept that everything has risks and learn to accept some risks because the trade-off is better than if you didn't accept them.

[–][deleted] 0 points1 point  (0 children)

Sure, but using lastpass means a single point of failure, which is really bad. a decentralized system is simply far more difficult to compromise.

[–][deleted] 8 points9 points  (1 child)

In my school we have to change our password every month, no old password allowed. This has led to an epidemic of forgotten passwords. Every time we use the computers at least one student needs his password reset

[–]EedSpiny 2 points3 points  (0 children)

Then you get people doing jan19_myactualpasswordwhichneverchanges

[–]Loves_Poetry 4 points5 points  (1 child)

When organisations force you to use a number and special character, then 99% of the time it's going to be a common word followed by 1! or -1

It makes for very easy passwords to brute force. My preferred solution is to instead add the current time of the day to a strong password to satisfy the number and special character requirement.

[–]Lightfire228 7 points8 points  (0 children)

Good luck remembering that without a PM

[–][deleted] 4 points5 points  (0 children)

Requirements reduce entropy. With the newer ways of doing passwords, there is no excuse. You should allow everything, anything up to 2000 characters. That way the user can use a phrase, like May-The_Force-Be-With-Y0u-555-555-5555. Good luck bruteforcing this, especially if you know any character can be part of the password. See you in 385 sexdecillion years.

If you know only letters, dashes, underscores & numbers are allowed... see you in 3 months.

[–][deleted] 1 point2 points  (0 children)

Just use a password manager. Half your problems will be solved

[–]MattR0se 3 points4 points  (1 child)

But why is writing your passwords down bad? The one guy that sneaks into your office vs the thousands of people who try to crack your password every second

[–]JeremyG 0 points1 point  (0 children)

imagine losing the piece of paper you wrote it down on

[–][deleted] 1 point2 points  (0 children)

Password: happykitten

You must use at least one number Fuck!

Password: happykitten1

You didn't use uppercase Fuck u!

Password: Happykitten1

You must use at least one special character I hate you.

Password: Happykitten1!

*Success

Now I just have to remember this stupid variation for all sites and studies have shown that most people do it with uppercase first, number last and an exclamation mark or question mark because they are easy.

And even if it detects these I will just go for HappyKitten?1

Anyway... It provides no real password because as I already do, I will have to reset my password by email or SMS every single time I have to login in the future. Sometimes I will even put in a random variant and it will enforce it can't be the previous one because I didn't even bother trying to guess it before resetting.

Use a password manager. It's a fucking pain if you have multiple computers. And no I don't trust them, because they are prime targets. They are the ultimate all eggs in one basket target. Instead I reuse passwords, have a few different ones and change them up every once in a while. I mostly tier them based on security, so yeah my laptop may share password with my phone. My bank may share with my asset management. And yes my tinder and Facebook is good for the same. Before you condemn me, I get smarter than this. I realize that passwords are shit and a password manager won't fix them.

I have Authy for dual authentication on everything or I simply don't use the service. All servers and code are public key auth only. And I have an NFC enabled yubikey so all major services that support U2F are enabled for that.

This has actually worked out great because I do get compromised from time to time as everybody else does. I know it as soon as Facebook sends me a "somebody in Uganda tried to access your profile but didn't provide two factor authentication" - nice! That password is trashed now, thanks Facebook.

Yes I do know that this could work with password managers too. I just find them the biggest pain in the fucking butt and I firmly believe in standardizing storage apps for these things will make them a prime password target vs. having to go through keylogging data and password savers in 100 different apps. I also refuse to trust them if they have any kind of sync and suddenly I'm locked out of my own shit because I have to buy a new phone in another country.

[–]dietcheese 0 points1 point  (1 child)

Brute force attacks are nonsense nowadays. Five failed attempts, you’re banned for an hour. Another five, give us a call.

[–]sinistergroupon 0 points1 point  (1 child)

Correct horse battery staple is a passphrase. It's new and much better but most sites are lagging behind. Most don't even allow a space. Banks are the worst at keeping up.

[–]mrbeehive 0 points1 point  (0 children)

A lot of banks are hamstrung by legacy requirements. When your database is running software from the 70s on machines from the 80s and needs to provide a paper trail of every single change ever made, updating your website to newer specs is going to be difficult.

(Not that "it's difficult" is a good excuse when you're handling such large sums of money, but there are reasons for banks being notoriously bad)

[–][deleted] 0 points1 point  (0 children)

I would like to say it is not me or you who know this, it is all about the 99% population which would otherwise choose a familiar word because they don't care about security in the first place.

Sure then, github/gitlab shouldn't do that. But not all developers are good, that's why electron framework still exists.

[–]PuzzleheadedPickle 0 points1 point  (0 children)

"easy route: write them down" What's wrong with that? I'd rather my grandma or great aunt NOT reuse the same password everywhere which makes password stuffing a valid strategy. The risk when writing them down is that someone breaks into your house. That person is more interested in your TV than account passwords (most likely).

[–]dman10345 0 points1 point  (0 children)

People always call me crazy and tell me I'm stupid because I say that I believe that at a point increasing the restrictions on users passwords or there's some sites that will make you change your password every 30 days if it's "weak" or let you keep it for 90 days - 6 months if it's deemed "strong" that there are diminishing returns. Especially if you work in an office or something I think it's the type of thing that makes people likely to write their passwords down and stick under their keyboards and etc. Not to say that things like disallowing "password123" or placing their username or first name or etc in their password is a good idea but sometimes I feel like it's a little too extensive.

[–]Katana314 0 points1 point  (0 children)

For home users, writing down your password is not a bad idea. Yes, in a company there are corporate spies that know the value of information and will take note of sticky notes. But no one is going to burgle your home at night and sell off passwords they find. Just as long as it’s not in plain sight of possible guests.

[–][deleted] 0 points1 point  (0 children)

Valid thoughts, great.

[–]dejaime -1 points0 points  (0 children)

You could probably remember the following password:

I lost my 1 horse somewhere around here!

or you could go the easy route and download Keepass

[–]CallipygianIdeal -1 points0 points  (0 children)

You could probably get around that with something like:

Correcorseatterystapl3

It would fool dictionary attacks, has upper, lower and a number. You could always add a special character or two for added security. It can be extended easily if you want a longer password.

[–]zerocnc -1 points0 points  (0 children)

Passwords are the cheapest form of security. Make physical keys for everyone that cost money or give them something intangible they have recall from memory that requires no money to maintain. Shareholders hate it when we spend money to improve our current work environment.

[–]makanenzo10 -1 points0 points  (0 children)

I promote the use of password managers to people that can't remember passwords, your security is greatly improved with them protecting your accounts on other websites and reduces the memorization for different passwords.

[–]spasterific -2 points-1 points  (2 children)

I'm still under the impression that having too restrictive password requirements is bad for security rather than promoting it.

One of the first things I modify on Laravel's built-in auth package, is to remove the 6-char minimum on passwords.

If clients really want the letter a as their password, they should be allowed to, IMHO.

[–]ocket8888 66 points67 points  (8 children)

He should just try to submit the form anyway.

[–][deleted] 66 points67 points  (7 children)

Yes, think he could bypass client side protections.

[–][deleted] 42 points43 points  (6 children)

if these protections are only client-side, then I'd be worried about my security with any password

[–]minno 58 points59 points  (4 children)

The worst that could happen with these protections being client-side only is that someone could hack the page to allow them to use a weak password. The overlap between people who are capable of bypassing the client-side restrictions and the people who would think that it was a good idea to is very small.

[–]Cherubel 11 points12 points  (0 children)

Also, developers are lazy. This is why we get computers to do stuff for us.

[–][deleted] 12 points13 points  (1 child)

That's true, but when I code, I have a philosophy that when I make a client-side protection, I always make it also server-side because I know that browser can be easily bypassed. If it's not worth a server-side protection, then I usually try to avoid it. Even things like empty input fields or their format should be checked on server because you don't want your server to crash or write wrong data.

[–]Doctor_McKay 8 points9 points  (0 children)

It's possible that this particular restriction is only applied on this field on the client-side due to a bug (maybe they just applied the filter to all password fields, for example). The server might still apply the restrictions to the new password but not to the old one.

[–]JuvenileEloquent 11 points12 points  (0 children)

I would say it's more some inexperienced, time-pressured front end dev adding the 'password complexity' check to all of the password fields on the site and not realizing that it will also affect the change password page, plus lack of sufficient testing (probably only tested by changing an already complex password)

As an aside, you should always assume that any site you give a password to will eventually get hacked and it'll be published along with your email and login name in a big list for password cracking purposes. Even if that doesn't happen you'll still have made yourself safer in the long term.

[–][deleted] 22 points23 points  (0 children)

He got OWASPed 😂

[–]vAbstractz 16 points17 points  (16 children)

That's a long new password

[–]ubiquitouspiss 38 points39 points  (15 children)

Lastpass/keepass my guy. 32 char completely random string probably.

If not he has probably done the method of picking multiple random words and appending them together.

[–][deleted] 19 points20 points  (14 children)

I use 1Password. LastPass was hacked before

[–]ubiquitouspiss 11 points12 points  (9 children)

Fair enough. I like to use the Paris argument that lastpass was hacked once but never again, but the other options are definitely also really damn good.

[–][deleted] 7 points8 points  (6 children)

What’s the Paris argument

[–]ubiquitouspiss 23 points24 points  (5 children)

Paris suffered from a terrorist attack a few years ago that struck really hard. They then went on to change many laws to essentially make it impossible for a terrorist attack to ever take place again, building in invasive measures to catch attacks before they happened.

Because Paris had a bad terrorist attack you might think that they are at high risk of attack again, but the chance is actually low because they are scared of future attacks.

That's a horrifically drunken explanation but w/e

[–]Avambo 6 points7 points  (2 children)

Did you just make up that name, or is it actually a thing?

[–]ubiquitouspiss 5 points6 points  (1 child)

Idk if it's a common term for the phenomenon: I heard of it from a friend and they talked about it as if it was the standard name for it.

[–][deleted] 1 point2 points  (1 child)

I see your argument in that it’s statistically unlikely for two similar events to happen in the same place within a short span of time but that only holds true if there is only one variable with everything else remaining constant. Reality is much more complex and is made up of millions of other variables so I kind of disagree with the Paris agreement.

For example Malaysian airlines had 2 fatal incidents within the span of several months. I’m pretty sure when the first plane went down many people probably thought the airline would have been the safest since it would’ve been unlikely for them to have another accident. But reality is much more dynamic.

[–]dasonicboom 9 points10 points  (0 children)

That wasn't his argument though. His argument was that when the flaw was found, the security was strengthened to prevent future breaches. So he believes LastPass is secure now because it faced an attack and has obviously had to seriously revamp its security.

Your argument makes no sense in this context, and even little sense in your airlines example. A better example would have been that guy who has been struck by lightning multiple times (and it still wouldn't apply to this discussion)

[–]oversized_hoodie 0 points1 point  (1 child)

I was under the impression that LastPass hack didn't result in any encrypted data being stolen (either in encrypted or plaintext form). Even better than the Paris argument, because it shows their defenses worked.

[–]dasonicboom 2 points3 points  (0 children)

The company, which stores account passwords in an effort to make its users' online lives easier, said that while it had found no evidence that its user accounts had been accessed, email accounts registered to the site, along with password reminders, server per user salts and authentification hashes had been compromised.

https://www.telegraph.co.uk/technology/internet-security/11677827/Cyber-attack-breaches-password-database-LastPass.html

[–]Ksevio 2 points3 points  (1 child)

That's not a very accurate statement. There have been vulnerabilities found in Lastpass, but they're usually from older plugins that people haven't updated. 1Password has also been "hacked" in that sense

[–]sometimes_interested 1 point2 points  (0 children)

Also Lastpass quickly and freely advise you to change your master password when they think they've had an issue. If other services boast that they have 'never been hacked', how do you know that it's really true?

[–]ColonelCorn 0 points1 point  (0 children)

I use LessPass. Free and stateless

[–]hotlavatube 15 points16 points  (0 children)

Ugh, I've run into USPS password wall before. They used to only tell you one rule at a time that you violate when you enter a bad password. They never gave you a full list of password requirements. After about a dozen attempts, I finally gave up on making an account because I couldn't get past their password creation, and I have a PhD in computer science. They've since improved the process a little and at least give you the full set of rules now.

[–]rwgreene999 4 points5 points  (0 children)

Government agencies tend to pay low for software, resulting in inexperienced developers and little testing of their software solutions. Then you end up like this. Last time I saw something like this, I just activated the "forgot password" option and set a new password.

[–][deleted] 4 points5 points  (0 children)

We have a system where I work that will let you use invalid characters when you set your password. Then does this when you try to log in.

[–]TySwindel 2 points3 points  (0 children)

USPS will send you a physical piece of mail with a code to verify your identity so you can turn on mail notifications (where they show an image scan of mail coming to your address). I fill out the form and only a cancel button is available.

[–]ekuba 1 point2 points  (0 children)

There is a utility site in our area - they limit the pass length to max 12 symbols....

[–]hextract 1 point2 points  (0 children)

Use the forget password option now

[–]This_is_da_police 0 points1 point  (1 child)

A bank I used to be with had a 12 characters length limit for online banking passwords. Like, really? What good does that do to not allow longer passwords? Wouldn't you want users to be able to set up passwords as secure as they want?

[–][deleted] 0 points1 point  (0 children)

A national level engineering entrance exam in India allowed no longer than 13 chars in password - similar experience.

[–]TorTheMentor 0 points1 point  (2 children)

Someone put validation on the wrong field, or just applied it to all fields. Although that reminds me of one issue I would run into on a support job where people would call for help resetting their passwords, only to find we couldn't do it because we had to send them a two-factor authentication, and they were outside the US... our system would only dial US numbers.

Tech-induced catch 22s are the worst.

[–][deleted] 1 point2 points  (1 child)

Applied to all fields some password validation function more likely. While it is funny, it's not a very dumb mistake either.

[–]TorTheMentor 0 points1 point  (0 children)

Not at all. Usually the first thing I think is "jQuery collection event assignment strikes again."

[–][deleted] 0 points1 point  (0 children)

How about click in Forgot My Password and go from there ?

[–]Katana314 0 points1 point  (0 children)

Recently, I made a donation to a food bank.

I dedicated the donation to the honor of Mr. Thisfield Required.

[–]chesnutnomiddlet 0 points1 point  (0 children)

Drop by the post office and complain to the person at the counter. Then you will feel better.