Of the many, many, many bad things about passwords, you know what the worst is? Password rules.
I have like 12 eff'ing passwords at work, and some of them have different rule requirements, and a restriction that they must be changed every 30 days, and you can never reuse the same one. I am not a goddamn savant, people. The only thing that brings my piss to a boil more is spam, and when the f-lock key resets every time I reboot. Edited 2017-03-11 02:13 UTC
Temperature data leads to climate change proof. Climate change proof leads to regulation. Regulation leads to the dark side AKA lower profits. That can not be allowed!
Seriously though, their policy is absurd. It would be hard not to ask if they're joking. At least there's some solace in knowing you aren't the only one, by a long shot, who has had to deal with that kind of nonsense.
Add to that the fun situations where you sometimes need a different keyboard layout, and that causes login failures and account locks because you forgot to switch to your native layout.
Can't agree with this part more!
It's a bit of an implementation detail, but make sure maximum password length is reasonable as well.
I've had several sites that silently truncate my saved password, but don't truncate my entered password, so I kept having to reset my password until I could deduce that they were silently cutting off the end of it. And then there's that QuickBooks database that would randomly corrupt on long admin passwords. Which they still haven't fixed in the 2016 version. At least I was able to get one other developer to fix their problems with long passwords, though that was like pulling teeth to prove it to them.
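The silent-truncation mismatch described above, as an added example (not the commenter's code): the storage limit and the cap are constructed values, and the regression check at the end is what a developer could run to prove the bug rather than having to deduce it from failed logins.

```python
import hashlib
import hmac
import os

# Constructed limits for the demo: the broken site silently cuts stored
# passwords at STORAGE_LIMIT; the consistent version enforces one generous cap.
STORAGE_LIMIT = 16
MAX_PASSWORD_BYTES = 1024

def _digest(password: str, salt: bytes) -> bytes:
    # Illustrative KDF only; production code uses a tuned, memory-hard KDF.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)

# Broken pattern: truncate when storing, but hash the full string at login.
def broken_register(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _digest(password[:STORAGE_LIMIT], salt)  # tail silently dropped

def broken_verify(password: str, record: tuple[bytes, bytes]) -> bool:
    salt, stored = record
    return hmac.compare_digest(_digest(password, salt), stored)  # never matches if long

# Consistent pattern: one explicit bound applied identically on both paths,
# and over-long input is rejected loudly at registration instead of trimmed.
def _too_long(password: str) -> bool:
    return len(password.encode("utf-8")) > MAX_PASSWORD_BYTES

def register(password: str) -> tuple[bytes, bytes]:
    if _too_long(password):
        raise ValueError("password exceeds %d bytes" % MAX_PASSWORD_BYTES)
    salt = os.urandom(16)
    return salt, _digest(password, salt)

def verify(password: str, record: tuple[bytes, bytes]) -> bool:
    if _too_long(password):
        return False  # could not have been registered, so cannot match
    salt, stored = record
    return hmac.compare_digest(_digest(password, salt), stored)

def truncation_bug_present(register_fn, verify_fn, length: int = 40) -> bool:
    # Regression check: a password longer than any plausible column must round-trip.
    probe = "x" * (length - 1) + "y"
    return not verify_fn(probe, register_fn(probe))
```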
Read this, which uses less profanity, and is appropriate for passing along to management:
The biggest passwords related headache is the minimum password age rule. I have never understood how it would increase security. Edited 2017-03-11 07:14 UTC
I think we all agree that passwords are a bit of a pain in the arse with all these rules we're forced to follow. Why not make the actual cracking more difficult by increasing the time between login attempts? After the first attempt you must wait two seconds before your next attempt, then four seconds, 8 seconds ... As we all know the waiting time would become very large, very quickly.
Surely this would be easy to implement and very effective.
Yep, I've always wondered about that too. Trivial to implement, and would effectively stop brute force attacks dead without inconveniencing the average user - most people will only try 4 or 5 passwords at most before they ring support.
Thanks for the response. I'd always wondered why it wasn't implemented widely, but that makes sense. Cheers.
Why would '18atcskd2w' and '3rjs1la7qe' be among the 25 most used passwords? I'm presuming this is for the English-speaking world (as 'qwertyuiop' is among them but, for example, 'azertyuiop' isn't), but I don't get what those are corruptions of or stand for.
Correct title should be:
"Passwords are Bullshit"
They are. Everyone needs to jump on the U2F bandwagon. Screw passwords to hell and back. USB dongle you insert, *boom* secure authent-freaking-cation.
Bill Shooter of Bul,
Yeah, stupidity often blocks the march of superior concepts. If I were a God King of technology, I would decree that it not be terrible and it would not.
Hey, guess what!
U2F is still password based. It's a public-key challenge-response mechanism, but the private key is still a password, and in fact, most password systems are technically almost public-key systems anyway (the hashed password that gets stored is essentially a public key). The only difference is that it's physical hardware remembering it not a person, and user authorization is through a physical hardware button instead of a software button.
U2F by itself is better than traditional passwords, but it's also designed to be part of an authentication system, not an authentication system itself. It has a number of issues, namely that it requires hardware that's pretty easily lost or destroyed, and that it requires the user to functionally trust what amounts to a black box (no good authentication system should require this).
Nice in theory except... do you want to be the one to keep replacing everyone's lost USB key, especially considering how often they lose something so important as their house keys? I can only imagine the nightmare that would be for any IT department. It's bad enough with smart cards already.
So, everyone and his brother agrees that passwords are bad.
Yet - replacements (for passwords) aren't coming anytime soon.
Because everyone has their own (different) idea about a replacement?
Why are we so freaking obsessed with passwords? This isn't the decade of DOS or TOPS-20. There's this magic thing called a space, and with it, we could even have passphrases or sentences. Much, much harder to crack and much easier to remember. Yet no, it has to be one long string of uninterrupted gibberish that no one could possibly remember.
And before anyone suggests it, a password manager is not a solution. Hiding ultra-complex passwords behind one that isn't quite so complex is stupid, especially when one considers that now, the attackers only need to get one password to rule them all. The whole system is out of control, and the solutions are so simple! A phrase, coupled with an escalating lockout timer with a finite limit before the account is hard-locked, would quickly bring this problem under control.
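The escalating per-attempt delay proposed earlier in the thread (2s, 4s, 8s ...), combined with the finite limit before a hard lock from the comment just above, as an added example that is not code from any commenter; the clock is injected so the growth can be checked without sleeping, and the limit values are constructed.

```python
import time

class LoginThrottle:
    """Per-account escalating delay (2s, 4s, 8s, ...) after each failed login,
    with a hard lock after MAX_FAILURES that only an explicit reset clears."""

    BASE_DELAY = 2.0    # seconds imposed after the first failure (constructed)
    MAX_FAILURES = 10   # hard-lock threshold; the 9th delay is already 512s

    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable so tests need no real waiting
        self._state = {}             # user -> (failure_count, not_before)

    def check(self, user: str) -> tuple[bool, float]:
        """Return (allowed, seconds_to_wait); a locked account waits forever."""
        failures, not_before = self._state.get(user, (0, 0.0))
        if failures >= self.MAX_FAILURES:
            return False, float("inf")
        remaining = not_before - self._clock()
        return (True, 0.0) if remaining <= 0 else (False, remaining)

    def failure(self, user: str) -> float:
        """Record a failed attempt; return the delay now imposed on the account."""
        failures, _ = self._state.get(user, (0, 0.0))
        failures += 1
        if failures >= self.MAX_FAILURES:
            self._state[user] = (failures, float("inf"))   # hard lock
            return float("inf")
        delay = self.BASE_DELAY * 2 ** (failures - 1)      # 2, 4, 8, 16, ...
        self._state[user] = (failures, self._clock() + delay)
        return delay

    def success(self, user: str) -> None:
        self._state.pop(user, None)  # a correct login clears the backoff

    def reset(self, user: str) -> None:
        self._state.pop(user, None)  # support-desk / admin unlock path

def guesses_before_lock(throttle, user, guesses, correct, advance_clock) -> int:
    """Simulate a guessing loop that patiently waits out every delay; return
    how many guesses were actually tried before the hard lock (or a hit)."""
    tried = 0
    for guess in guesses:
        allowed, wait = throttle.check(user)
        if wait == float("inf"):
            break                     # account is hard-locked; nothing to try
        if not allowed:
            advance_clock(wait)       # sit out the delay, then try once
        tried += 1
        if guess == correct:
            throttle.success(user)
            return tried
        throttle.failure(user)
    return tried
```

Keying the delay on the account name alone also lets anyone lock a victim out by guessing wrong on purpose, which is why deployments usually pair it with per-source limits and a support path for the reset.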
I actually do use a passphrase for my SSH and GPG keys -- it's a section from a song, and I bookmarked the page where the lyrics were so I could copy and paste them. But at one point those services started using dialog boxes for pin entry (even where SSH was invoked from a command-line utility such as Git) which don't accept copy and paste, and manually typing the lyrics wasn't possible as I couldn't see them, so I couldn't tell where I'd made mistakes. In the end I used ssh-add so I could still copy and paste it into the terminal, but passphrases as opposed to words are more error prone for the user.