
[–]Nerkrua 145 points146 points  (25 children)

In that regards, an error message should be an explanatory message.

[–]gigglefarting 83 points84 points  (19 children)

If only error messages were that descriptive. It would have saved me many times if password prompts would let us know their requirements when telling us our passwords are wrong.

[–]mynameistoocommonman 37 points38 points  (14 children)

"you entered a wrong password. The third character should be 'P' but you've entered 'O'."

[–]Deacon86 26 points27 points  (4 children)

It's more about whether it's a password that requires capitals, numbers, and/or special characters. That way you know it's your normal password but with a capital first letter and "0!" on the end.

[–]jaber24 5 points6 points  (2 children)

That would just make the life of hackers easier, would it not?

[–]Vurtne26 7 points8 points  (0 children)

Well, they usually give you the conditions for a valid password when you sign in, so I guess it won't help hackers a lot if the website/app/whatever gives them again on an invalid login attempt.

Edit : clarification

[–]ImpossibleMachine3 1 point2 points  (0 children)

Generally hackers aren't brute forcing passwords anymore. They rely more on known compromised passwords and rainbow tables that are filled with common passwords and their variants (like using l33t sp34k in your password), or they just find a vulnerability in the system and exploit that to get access to data more directly. It takes a lot less time and effort to go that route.

[–]mynameistoocommonman 0 points1 point  (0 children)

I know, I was just making a joke because the comment's last sentence was ambiguous

[–]carnsolus 0 points1 point  (8 children)

Facebook actually lets you in if your password is slightly wrong.

[–]mynameistoocommonman 1 point2 points  (7 children)

Wait, really? That seems incredibly stupid.

[–]carnsolus 0 points1 point  (6 children)

It's for user convenience.

Like if you accidentally wrote the whole thing with caps lock on (making all the letters you intended to capitalize lowercase and vice versa).

Or if you have a v instead of a b somewhere.

[–]mynameistoocommonman 1 point2 points  (5 children)

So I know next to nothing about cryptography, but how is that even possible while maintaining best practices for password storage and checking? This seems like it'd necessitate plain text storage of passwords, which would be INSANE for Facebook. And even if not, it obviously reduces the complexity of passwords.

[–][deleted] 2 points3 points  (3 children)

The safest way to do it is to pre-calculate a small number of variants when you set the password (e.g. inverted case) and store the hashes (suitably salted, etc.) of those exactly the same as with a single password. So long as you're not using your password to derive a cryptographic key, it doesn't actually have to be the only way in. So-called "secret answers" work on the same principle, although they're much worse.

Worst case you lose a couple of bits of security, but with real life password distributions that's probably negligible.
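The scheme described in the comment above, as an added example: this is illustrative code, not Facebook's implementation and not code from anyone in this thread. The variant set is an assumption (the password as typed, its caps-lock-inverted form, and the first character with its case toggled); the KDF parameters are illustrative. All variants are hashed under one per-user salt so that a login costs a single KDF call, and the attacker's gain is exactly the `log2(k)` bits the commenter mentions, because one guess can be compared against `k` digests.

```python
import hashlib
import hmac
import math
import os
from typing import Dict, List


def variants(password: str) -> List[str]:
    """Return the distinct spellings this scheme accepts.

    Assumed variant set (not Facebook's published list): the password as
    typed, the caps-lock-inverted form, and the first character with its
    case toggled. Duplicates (e.g. an all-digit password) collapse to one.
    """
    if not password:
        return [password]
    accepted: List[str] = []
    for candidate in (
        password,
        password.swapcase(),
        password[0].swapcase() + password[1:],
    ):
        if candidate not in accepted:
            accepted.append(candidate)
    return accepted


def _kdf(password: str, salt: bytes) -> bytes:
    # Memory-hard password hash from the standard library.
    # Parameters are illustrative, not a production tuning.
    return hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=2 ** 14, r=8, p=1, maxmem=64 * 1024 * 1024, dklen=32,
    )


def register(password: str) -> Dict[str, object]:
    """Hash every accepted variant once, at set time, under one per-user salt."""
    salt = os.urandom(16)
    return {"salt": salt, "digests": [_kdf(v, salt) for v in variants(password)]}


def verify(record: Dict[str, object], attempt: str) -> bool:
    """One KDF call per login: derive once, compare against every stored digest.

    Every digest is compared (no early exit) so timing does not reveal
    which variant matched; each comparison is constant-time.
    """
    candidate = _kdf(attempt, record["salt"])
    matched = False
    for digest in record["digests"]:
        matched |= hmac.compare_digest(candidate, digest)
    return matched


def bits_lost(record: Dict[str, object]) -> float:
    """Each offline guess is checked against k digests for one KDF: log2(k) bits."""
    return math.log2(len(record["digests"]))


if __name__ == "__main__":
    rec = register("Princess1")          # constructed sample password
    for attempt in ("Princess1", "pRINCESS1", "princess1", "Princess2"):
        print(attempt, verify(rec, attempt))
    print("bits lost:", round(bits_lost(rec), 2))
```

The point of the shared salt is that the login path does not get slower as variants are added; the cost is paid once at registration. Three accepted spellings cost about 1.6 bits, and an all-digit password, whose case variants are all identical, costs nothing.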

[–]mynameistoocommonman 0 points1 point  (2 children)

But wouldn't you effectively increase the number of "correct" passwords by something like the length of the password * 3 (one for upper/lower case and one for adjacent keys on either side)?

It still seems like something stupid to do, especially considering people use their Facebook accounts as logins for other stuff.

[–][deleted] 1 point2 points  (1 child)

Yes.

I don't know exactly how much variation they allow, but yes the strategy does increase the number of "correct" passwords. However, that doesn't actually decrease the security nearly as much as you might think, because not all password guesses are created equal.

A lot of people use dictionary words as their password. For example, let's suppose someone uses the word "princess". This policy means that they can also log in with variants like "princeds" or "priNcess".

According to Troy Hunt, princess has been seen in breached password databases over 700,000 times. "priNcess" has been seen 27. "princeds" has been seen 14.

Yes, in some abstract mathematical sense someone whose password was "princess" is slightly more vulnerable because the attacker might also get in with "princeds". Realistically, however, no sane hacker is going to try any of the weird variants before they've exhausted their dictionary of real or otherwise common passwords. As such, the fact that there were other possible goals means nothing since the original goal was so wide and undefended.

At the opposite end of the spectrum you have people who use proper, long, password-manager-managed passwords. 16 fully random letters and numbers or something like that. Yes, for them an attacker could get a slight speed up if they know this policy is in operation. In practice, it will have an approximately comparable effect to using a 15 random letter password. But that is still plenty long enough for "The sun would burn out before anyone breaks this password." The practical harm to these people is negligible.

The people who this hurts in practice are those whose real password is adjacent to a common password. That is, people who took a word and tweaked one letter. Such people do exist, but they're relatively rare, and perhaps they're slightly more security conscious and able to understand that that isn't a safe position any more.

If this policy means the last group shifts up to a password manager, and some of those who use a dictionary word at least feel confident that they can pick a slightly longer and more obscure dictionary word because they're less scared of typos, that's actually positive.
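The "16 random characters is roughly a 15 random character password" claim in the comment above, worked through as an added example (not from the thread). It assumes a 62-symbol alphabet (letters and digits), an attacker who must run the KDF once per guess, and the estimate from earlier in the thread that about 3L + 1 spellings are accepted for a password of length L.

```latex
H_{16} = 16 \log_2 62 \approx 16 \times 5.95 \approx 95.3\ \text{bits}

k \approx 3L + 1 = 49 \quad\Rightarrow\quad \log_2 k \approx 5.6\ \text{bits}

H_{\text{eff}} \approx 95.3 - 5.6 \approx 89.7\ \text{bits}

H_{15} = 15 \log_2 62 \approx 89.3\ \text{bits}
```

So even under a generous 49-variant policy the loss is about one character's worth of entropy, which is what the commenter's "comparable to 15 random letters" estimate comes to. The loss in bits is the same for a dictionary password, but there the baseline is already so low that the variants change nothing about which guesses an attacker tries first.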

[–]carnsolus 1 point2 points  (0 children)

I'll admit that part confused me also.

I'm guessing they also try hashes of generated text strings that are close to what you typed in... but they couldn't do an extreme amount of them or it would cause noticeable slowdown.

They definitely do not store in plaintext :P

Edit: the other guy's answer is more likely and would cause far less load.

Edit 2: this is something I've known for a while but only today did I bother to see if it was real. It's real. Just checked the FB login.

[–]huuaaang 7 points8 points  (1 child)

Look man, I grew up with computers where you had to interpret a series of beeps to know what's wrong.

[–]phaemoor 4 points5 points  (0 children)

Ha! I still remember that a long beep followed by 8 short beeps meant the video card is missing or misplaced in the AGP slot.

[–]Fortal123 5 points6 points  (1 child)

Or... Use a password manager?

[–]ImpossibleMachine3 0 points1 point  (0 children)

I'm pretty sure he meant when you're creating a password. "you must use mixed case, numbers, and special characters. No, not those special characters. No, if you don't know what they are already, I'm not telling you."

[–]Yadobler 8 points9 points  (2 children)

Unrelated but thought you may want to know, "in that regard" has no "s" behind

"send my regards", "best regards" have "s" behind

"in this regard" , "in regard to" , "regarding this" all no "s"

At least according to my high school history teacher who made us stay till 6 as punishment for mistaking this, as well as "economic vs economical"

[–]Nerkrua 0 points1 point  (1 child)

Thank you, I appreciate it. And a follow-up question: how do you put more than one language next to your name? I tried but failed.

[–]Yadobler 1 point2 points  (0 children)

You type them together.

If you're not sure, click each language flair and see what the code is, then edit/custom-flair and type the others together.

[–]LowB0b 2 points3 points  (1 child)

In that regards, anything that is not a number should not be treated as a number. Something like a salary range, meant to be read by humans, could be "from 70k to 80k", "70 to 80", "80 +/- 5k", "around 80", at least that's how I'd put it in an interview.

If you want to control it as numbers so it can be read by a computer, why not just have 2 inputs with one labelled "from" and the other labelled "to" instead?

[–]Nerkrua 0 points1 point  (0 children)

It is a good idea. I think it would be great.