
Worst password requirements you've seen

 1 year ago
source link: https://lobste.rs/s/voevrr/worst_password_requirements_you_ve_seen

Just came across this abomination from Chase Payments that borders on a (computationally difficult) SAT instance.

Must be 8-32 characters long
Must include at least one UPPERCASE, one lowercase and one number
Must not have special characters or punctuation
Must be different than your previous 24 passwords
Must not include your Email ID partly or fully
Must not include your First Name or Last Name
Must not include more than 2 identical characters
Must not include more than 2 consecutive characters
Must not use the name of the financial institution (JPM, MORGAN, JPMORGAN, CHASE, JPMORGANCHASE, JPMC)

I used a Python REPL to tweak my password only to discover eventually that the 32 character length limit was a lie and they needed a 24 character password (or I missed a requirement).

Surely there isn’t anything worse?
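The Chase rule set above, turned into a checker plus a rejection-sampling generator, and used to measure how much of the keyspace the rules throw away. This is an added example, not code from the original post or from Chase; the identity data (e-mail, names, previous passwords) is constructed, and three readings the thread itself flags as ambiguous are assumptions: "more than 2 identical characters" is taken as more than two of the same character back-to-back, "more than 2 consecutive characters" as a run such as "abc" or "321" longer than two, and "partly" for the e-mail ID as any alphanumeric token of the address of three or more characters. All substring checks are case-insensitive.

```python
import math
import random
import re
import string

# Rule "no special characters or punctuation": the alphabet is letters and digits only.
ALPHABET = string.ascii_letters + string.digits

# Identity data for the checks. Constructed for this example; not a real account.
USER = {
    "email": "jane.doe@example.com",
    "first": "Jane",
    "last": "Doe",
    "history": ["Xk9pQ2mZ", "Rt4vLw8Y"],  # previous passwords, most recent last
}
BANK_NAMES = ("JPM", "MORGAN", "JPMORGAN", "CHASE", "JPMORGANCHASE", "JPMC")


def longest_run(pw):
    """Longest back-to-back repeat of one character: 'aab' -> 2, 'xxx1' -> 3."""
    best = cur = 1
    for a, b in zip(pw, pw[1:]):
        cur = cur + 1 if a == b else 1
        best = max(best, cur)
    return best


def longest_sequence(pw):
    """Longest run stepping by exactly +1 or -1 in code point, in one direction:
    'abc' -> 3, '321' -> 3, 'aba' -> 2 (a direction flip resets the run)."""
    best = cur = 1
    prev_step = 0
    for a, b in zip(pw, pw[1:]):
        step = ord(b) - ord(a)
        if step in (1, -1) and (cur == 1 or step == prev_step):
            cur += 1
        elif step in (1, -1):
            cur = 2
        else:
            cur = 1
        prev_step = step
        best = max(best, cur)
    return best


def email_tokens(email, min_len=3):
    """Assumed reading of 'partly': alphanumeric tokens of the address (>= min_len chars)."""
    return [t.lower() for t in re.split(r"[^A-Za-z0-9]+", email) if len(t) >= min_len]


def check_policy(pw, user=USER):
    """Return the rules the candidate violates; an empty list means it is accepted."""
    low = pw.lower()
    errors = []
    if not 8 <= len(pw) <= 32:
        errors.append("length must be 8-32")
    if not (re.search(r"[A-Z]", pw) and re.search(r"[a-z]", pw) and re.search(r"[0-9]", pw)):
        errors.append("need one uppercase, one lowercase and one digit")
    if any(c not in ALPHABET for c in pw):
        errors.append("special characters not allowed")
    if pw in user["history"][-24:]:
        errors.append("matches one of the previous 24 passwords")
    if any(tok in low for tok in email_tokens(user["email"])):
        errors.append("contains part of the e-mail ID")
    if user["first"].lower() in low or user["last"].lower() in low:
        errors.append("contains first or last name")
    if longest_run(pw) > 2:
        errors.append("more than 2 identical characters in a row")
    if longest_sequence(pw) > 2:
        errors.append("more than 2 consecutive characters (e.g. 'abc', '321')")
    if any(name.lower() in low for name in BANK_NAMES):
        errors.append("contains the institution name")
    return errors


def generate(length=12, seed=None):
    """Rejection-sample uniformly from the alphabet until check_policy accepts the candidate."""
    rng = random.Random(seed)
    while True:
        pw = "".join(rng.choice(ALPHABET) for _ in range(length))
        if not check_policy(pw):
            return pw


def acceptance_rate(length, trials=20000, seed=1):
    """Fraction of uniformly random strings of this length the policy accepts (Monte Carlo)."""
    rng = random.Random(seed)
    accepted = 0
    for _ in range(trials):
        if not check_policy("".join(rng.choice(ALPHABET) for _ in range(length))):
            accepted += 1
    return accepted / trials


def effective_entropy_bits(length, rate):
    """Bits of a uniform length-N password over the alphabet, minus what the rules discard."""
    return length * math.log2(len(ALPHABET)) + math.log2(rate)


if __name__ == "__main__":
    for cand in ["Correct9Horse", "chaseJane1", "Abc12345", generate(12, seed=7)]:
        print(f"{cand:16} {check_policy(cand) or 'accepted'}")
    for n in (8, 12, 20):
        r = acceptance_rate(n)
        print(f"len {n}: accepted {r:.1%}, effective entropy ~{effective_entropy_bits(n, r):.1f} bits")
```

Because the generator draws uniformly and only rejects, every accepted password is equally likely, so the entropy figure is exact for that process up to the sampling error in the rate. The point worth noticing is which rules do the damage: the class requirements and the run/sequence bans cost only a fraction of a bit at 8 characters, while the 8-32 length cap and the exclusion of punctuation cost far more than any of the "clever" rules buy back.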

  1. Some of the comments here reminded me of a popular Stack Exchange post.

    Strong cryptography only means the passwords must be encrypted while the user is inputting them but then they should be moved to a recoverable format for later use.

    https://serverfault.com/questions/293217/our-security-auditor-is-an-idiot-how-do-i-give-him-the-information-he-wants

    1. Thanks for the laugh!

  2. jhl

    13 hours ago

    One of my banks does this - with just numbers!

    Numbers only
    Minimum 7 numbers
    Maximum 20 numbers
    Can’t have same number three times in a row (e.g. 111)
    Can’t have four ascending or descending numbers (e.g. 1234 or 4321)
    Can’t have the same number appear more than five times.
    Can’t have pairs next to each other if the second pair is one number higher (e.g. 1122)
    Can’t be the same as your previous eight access codes
    
    1. cole-k

      12 hours ago

      Wow! How long do you think it will be before they start adding requirements like

      The resulting number must contain at least three distinct odd prime factors
      
      Must not contain your phone number partly or fully
      
      1. Hodei

        2 hours ago

        Or contain your birthday, or any dates at all. In fact, it shouldn’t be divisible by 2 because most numbers are, and we want to make your password secure.

  3. jhl

    12 hours ago

    While we’re being puzzled by financial institutions’ behaviour, I was ?delighted? to peek at the JS on my (Australian big 4) bank’s login page and learn that it was encrypting the first eight characters and leaving the rest plain… then submitting it over HTTPS 🤷

  4. Recently I had to set up a password for a bank and the password had to have at least one “special character”. The front end and backend disagreed on what special characters were allowed, however, and so I’d get a green check mark in the UI and then an error upon submission.

    Had to trial-and-error my way through that one.

  5. hwayne

    13 hours ago

    Citibank’s password isn’t case sensitive. They do not tell you this.

    1. Banks, from what I have seen (at least where I live), follow password practices that seem archaic. I guess it is because they had to sink their knees in the realm of online security early on and haven’t moved on from that. My bank, for example, does not allow pasting the username or password, making the usage of a password manager a bit tricky. rofi-pass uses xdotool, which helps me work around this.

  6. My bank doesn’t allow copy/paste on inputs. I guess I better make sure my password is short and easy to type!

    Digging through their code, there’s hacks to support IE4 and NN4. But a userscript was all that was needed to strip their event handlers to bring back paste functionality.

  7. loup

    15 hours ago

    My bank’s password requirements for their “internet password” is laughable; 8 characters max., only lowercase alphanumeric characters. It gave me so many headaches to figure out which characters they actually accepted because they didn’t have any hints on what are the actual requirements…

    1. cole-k

      edited 14 hours ago

      It’s always the financial institutions*. An 8 character max is truly incredible. I don’t know much about storing passwords, but that kind of maximum makes me rather suspicious that they might be storing plaintext passwords…

      That reminds me that I’ve had to enter my password for Fidelity over the phone using T9 codes (i.e. the chars “abcABC” all map to 2) and mapping all special characters to *. I know that they could be hashing the “simplified form” and storing it alongside my regular password when they receive it, but it certainly made me suspicious that they, too, were storing my password in plaintext. Of course they also have some archaic 16 character limit.

      * which ironically are the ones for which I want the strongest password!

        1. cole-k

          edited 12 hours ago

          Thank you for putting my mind at ease over their strange password policies. I can feel justified in being upset and still reasonably confident in the security of my financial accounts :)

        2. I feel like given how common “identity theft” is (people successfully tricking banks into thinking they’re you so the bank will authorize sending them money, which through linguistic judo turns a theft from the bank into a theft from you personally) this blog post isn’t really that strong of an argument. Especially the part about how the bank will pay for any “unauthorized transfers”. Good luck with that. Doubt the bank has ever paid out, and not because their security is that good.

      1. loup

        12 hours ago

        it’s horrible! the other bank i use (which is the one i get my salary deposited onto) luckily has (slightly) better limits.. only 10 characters, but requires you to have at least 2 special characters and allows for uppercase.. but still leaves to desire

    2. BBVA’s maximum is 6. Whenever you need to do something on the phone with them, they’ll ask for a couple of characters in random positions, but because the operators erred once, I know they can see the whole password the whole time.

  8. owl

    11 hours ago

    I couldn’t use the letter a in my password on a website, because the email address I entered was a@...

    I think it was the playstation account.

  9. l0b0

    10 hours ago

    What does “Must not include more than 2 consecutive characters” even mean? Taken literally it would mean your password must be at most 2 characters. Presumably they mean “abc” and the like.

    1. You know, I had assumed it meant “2 consecutive identical characters,” but I’m not sure.

      I also wasn’t sure of the restrictions enforced by “Must not include your Email ID partly or fully,” but it did allow me to register an account with the characters contained in my email so I would guess their “partly” means a consecutive substring of nontrivial length (say, greater than 3).

  10. At one point in time Paypal seemed to have a password length of max 20 chars, but if you went over it when changing your password it wouldn’t tell you about it, it would just silently not change your password. Fortunately they seem to have fixed it now.

    1. PayPal still circularly requires you to be authenticated to get support about authentication. I didn’t log in for years because I dislike their service, and they pulled the rug on Google Voice as 2FA so I couldn’t get into my account without providing my real phone number. Needless to say, I DM’d the band and we got them set up on Stripe as an alternative payment option (though Stripe has requirements for a physical address, so I guess it sucks to be homeless).

  11. The dumbest rules are usually not on the passwords, they’re on the reset path. Some places give you security questions that you can’t change and all of which ask about things that a large subset of users post the answers to on Facebook. I had an astonishing experience with PNC bank doing a password reset for Internet banking:

    They first started asking for the current balance. That was what I was trying to look up with Internet banking, so I couldn’t tell them. Having identified that this is what I wanted to know, they told me that this is a low security thing and so I could just do basic verification. They asked me my full name and address (possibly date of birth?) and then told me the current balance. I then cheekily said that now I knew the current balance, so I’d like to do the password reset. The person on the phone seriously told me that I couldn’t tell them things that they had told me and so transferred me to another helpdesk operative, who started again. 10 minutes after the start of the process, I had full control over the bank account, without needing to know anything that wasn’t either public or easy to steal. If someone leaked their mailing list then an attacker could easily take control of most of their accounts. If you have an account with them, make sure you shred your statements before throwing them away: they contain more than enough information for an account takeover.

    1. owl

      1 hour ago

      I had a credit union membership in the USA, and I wanted to transfer any remaining funds and close it, since I hadn’t been there in years and have no plans to return.

      They don’t use hardware 2fa/digital ID as here, but they use a third-party website that somehow digs up a lot of info about you, and asks you questions about it.

      Some questions, like “which of these cars have you owned?”, were easy for me (never owned a car). Other questions were about addresses and zip codes, which I had forgotten, and I had to find every place I lived on google maps to get them (luckily I remember the rough city shapes and how to find my way around).

      I’m glad they do it like that so I didn’t have to go there in person or anything, but I felt like I was hacking myself.

  12. Just found this website in case you want to suffer a bit more :)
    https://dumbpasswordrules.com/

  13. x64k

    1 hour ago

    Anyone care for something that’s simpler and worse? :-D

    I do not know how it got to this, I know it was related to someone misunderstanding rainbow tables at some point in the past but it had been so long ago that I couldn’t get to anyone who remembered.

    One of the managers figured that those unwashed employee masses kept abusing the password rules – like, Sarah couldn’t set her password to ‘mittens’ so it was just set to ‘M1ttens_’ instead, which was just as weak. So they decided to enforce a strong password scheme.

    Said password scheme was NNNN#AAAA where the A part was a series of alphanumeric characters and the N part was a number, and the # was a literal “#”. Everyone got one when they were hired and it changed every 90 days. However, the validation hook was buggy: you couldn’t ever change the AAAA part, it rejected anything you provided. If it ran out of reasons (“at least one lowerspace character”, “no duplicate characters”) it just said “error”. Everyone just incremented the NNNN.

    What validation hook, you ask. Does 1234#KYaD look like a strong password by modern standards? Right. You changed the password via some web application thing that included an ActiveX control. That’s how old it was (and amazingly enough it continued to work on Windows 10, albeit only with Internet Explorer).

  14. Having to change it every 3 months for my work domain account, while not allowed to set a PIN on my laptop. So now my work pass everywhere is the easiest thing I can remember and I just increment a digit every time.

