All my passwords are based on a special secret alphabet that I crafted in my voodoo laboratory. Just saying...
Just a few weeks ago a new password was rejected because it contained a - (hex 2D). Using an underscore was OK.
So, yes I noticed it (and thought WTF).
Maybe the password has to be piped between shell commands, then passed as shell command parameters, HTML/XML encoded and decoded, and finally passed to a SQL query. To avoid escaping all the processing-specific reserved characters using processing-specific escaping, it is just simpler to disallow them.
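The post above argues that banning characters is simpler than escaping them at every hop. The Python below is an added example written for this thread (not code from the thread or from any site discussed) showing the alternative a practitioner would want: normalize the password, hash it with a memory-hard KDF the moment it arrives, and hand only the salt and digest to the database through a parameterized query. Nothing downstream ever sees the raw password, so no shell, HTML or SQL metacharacter needs escaping and the `-` that was rejected is just another byte. The scrypt cost parameters and the in-memory SQLite table are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3
import unicodedata

# Added example, not from the thread.  The password is normalized and hashed
# the moment it arrives; only salt and digest reach the database, through a
# parameterized query, so no shell/HTML/SQL metacharacter is ever escaped.

# Assumption: modest scrypt cost so the demo runs quickly (raise N in production).
SCRYPT_N, SCRYPT_R, SCRYPT_P, SCRYPT_MAXMEM = 2 ** 14, 8, 1, 64 * 1024 * 1024

def normalize(password: str) -> bytes:
    # NFKC so an accented letter typed as one code point or as base + combining
    # mark hashes identically; then plain UTF-8, with no character restrictions.
    return unicodedata.normalize("NFKC", password).encode("utf-8")

def hash_password(password: str, salt: bytes = None):
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(normalize(password), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                            maxmem=SCRYPT_MAXMEM, dklen=32)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison

def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")   # assumption: in-memory table for the demo
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, digest BLOB)")
    return conn

def register(conn, name: str, password: str) -> None:
    salt, digest = hash_password(password)
    # Placeholders, never string formatting: the driver binds the bytes as-is.
    conn.execute("INSERT INTO users (name, salt, digest) VALUES (?, ?, ?)",
                 (name, salt, digest))

def login(conn, name: str, password: str) -> bool:
    row = conn.execute("SELECT salt, digest FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    return verify_password(password, row[0], row[1])

if __name__ == "__main__":
    db = open_db()
    # Constructed password: the rejected '-' plus shell, HTML and SQL metacharacters.
    pw = "x-y_z'; DROP TABLE users; --<b>$(rm)ñ"
    register(db, "alice", pw)
    print(login(db, "alice", pw), login(db, "alice", pw + "!"))
```

The only place the password is ever a string is `normalize`; after that it is an opaque byte string going into a KDF, which is why the character set can be left completely open.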
You forgot the "signed in triplicate, sent in, sent back, queried, lost, found, subjected to public inquiry, lost again, and finally buried in soft peat for three months and recycled as firelighters" part. Sadly many sites are "managed" just like that.
DURA LEX, SED LEX
GCS d--- s-/++ a- C++++ U+++ P- L- E-- W++ N++ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t++ 5? X R++ tv-- b+ DI+++ D++ G e++>+++ h--- ++>+++ y+++* Weapons extension: ma- k++ F+2 X
If you think 'goto' is evil, try writing an Assembly program without JMP. -- TNCaver
When I was six, there were no ones and zeroes - only zeroes. And not all of them worked. -- Ravi Bhavnani
+1 for the HHGTTG reference.
- I would love to change the world, but they won’t give me the source code.
If their website cannot handle Unicode passwords, they certainly deserve to have their computer nerd card revoked.
if (Object.DividedByZero == true) { Universe.Implode(); }
Meus ratio ex fortis machina. Simplicitatis de formae ac munus. -Foothill, 2016
It's easier to crack a$&12Gc# than to crack donalduckwasmyfavcharacterasakidinnewyork.
Nish Nishant wrote: It's easier to crack donalduckwasmyfavcharacterasakidinnewyork than to crack donalduckwasmyfavcharacterasakidinnewyork!.
FTFY
There are only 10 types of people in the world, those who understand binary and those who don't.
Yeah but a day's difference won't affect something that'd take weeks or months of computational power
In that case, "It's as easy to crack a$&12Gc# as abd12Gc4", so why prevent special characters?
There are only 10 types of people in the world, those who understand binary and those who don't.
I guess they are trying to encourage people to use passwords that are hard to crack but easy to remember, so they don't write it down on a piece of paper and stick it on their screens.
I am not siding with that idea, and would personally not enforce this rule at my workplace. Just trying to guess what their thinking was.
Possibly.
There are only 10 types of people in the world, those who understand binary and those who don't.
The only secure password is one you can't remember.
Seriously, don't try to remember all your passwords; use a password manager. Then you'll only need to remember one master password, and protect the password manager storage.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
People who are multi-lingual have an advantage - they can create cryptically complex passwords that they can easily remember by mixing languages.
Example : thendralbaarishseason
I've mixed a Tamil word, a Hindi word, and an English word there. What's gibberish to most mono-lingual people is a very easy to remember word for me (I speak 4 languages).
A-Z, lowercase only, no symbols, no digits.
Methinks your password would be easier to crack than you might think.
dandy72 wrote: A-Z, lowercase only, no symbols, no digits.
Methinks your password would be easier to crack than you might think.
Trivial to introduce a few upper case letters. My point was that it's more complex than had I used English only words for the same length. Also even with lower case, a 25 length string is harder to crack than a 10 char password that uses both cases, numbers, and symbols.
Nish Nishant wrote: 25 length string is harder to crack than a 10 char password that uses both cases, numbers, and symbols.
Are you sure about that?
A 25-character password * a pool of (26 possible characters) can be brute-forced in 650 tries.
A 10-character password * a pool of (26 upper + 26 lower + 10 digits + ~20 symbols) requires 820 tries to be guessed correctly.
Having written this...I'm tired and my mind has turned to mush a few hours ago and this looks wrong (I know exponentials have to be introduced in there), but even then I think the basic point of my over-simplification is still correct...is it not?
I'm sure the correct math will come to me after I've made a fool of myself...
dandy72 wrote:
Having written this...I'm tired and my mind has turned to mush a few hours ago and this looks wrong (I know exponentials have to be introduced in there), but even then I think the basic point of my over-simplification is still correct...is it not?
Sorry, your math's not right
A char-set of 26 chars with a length of 25 gives 2.36e+35 permutations.
A char-set of 82 chars with a length of 10 gives 1.37e+19 permutations.
The former is way stronger
Nish Nishant wrote: Sorry, your math's not right
Hence the disclaimer.
I knew I was way off, and somebody would correct me. Was not disappointed.
To get back to my original point, what I am trying to convey here is that a longer, easier-to-remember password is often safer than a shorter, harder-to-remember one. That said, it's not all black and white.
Agreed. Horse-Battery-Staple and all that.
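To put numbers on this exchange (the 26^25 versus 82^10 calculation a few posts up, and the Horse-Battery-Staple point), here is an added Python example, not from the thread: it computes keyspace and bits of entropy for a character-pool model and for a random-word-list model, and the time to exhaust each at an assumed guess rate. The 82-character pool is the thread's own count; the 7776-word list size and the 10^10 guesses per second are assumptions. It also shows the "not all black and white" part: four random dictionary words are weaker than the 10-character mixed password, six are stronger.

```python
import math

# Added example, not from the thread: keyspace and entropy under two attacker
# models.  Pool sizes follow the thread's own counts; the word-list size and
# the guess rate are assumptions marked below.

LOWERCASE = 26
PRINTABLE = 26 + 26 + 10 + 20      # the thread's "upper + lower + digits + ~20 symbols" = 82
DICEWARE = 7776                    # assumption: size of a standard Diceware word list
GUESSES_PER_SECOND = 10 ** 10      # assumption: offline attack against a fast hash

def keyspace(pool: int, length: int) -> int:
    """Candidates an attacker must try to exhaust the space: pool ** length.

    `length` counts characters for a character pool and words for a word list;
    the model assumes every position is chosen uniformly at random."""
    return pool ** length

def entropy_bits(pool: int, length: int) -> float:
    """log2 of the keyspace, i.e. the strength in bits."""
    return length * math.log2(pool)

def seconds_to_exhaust(pool: int, length: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return keyspace(pool, length) / rate

def strength_report():
    """The thread's cases side by side, sorted weakest to strongest."""
    cases = [
        ("10 chars, 82-char pool", PRINTABLE, 10),
        ("25 chars, lowercase only", LOWERCASE, 25),
        ("4 random Diceware words", DICEWARE, 4),
        ("6 random Diceware words", DICEWARE, 6),
    ]
    rows = [
        {"label": label,
         "keyspace": keyspace(pool, n),
         "bits": entropy_bits(pool, n),
         "years": seconds_to_exhaust(pool, n) / (365.25 * 86400)}
        for label, pool, n in cases
    ]
    return sorted(rows, key=lambda r: r["bits"])

if __name__ == "__main__":
    for row in strength_report():
        print(f'{row["label"]:26s} {row["keyspace"]:10.2e} {row["bits"]:6.1f} bits {row["years"]:10.2e} years')
```

The model only holds when each character or word is chosen at random; a 41-letter English sentence is not a 41-character draw from a 26-letter pool, and the attacker who guesses it is word-by-word faces a far smaller space than 26^41.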
No, they still stick them to their screens, those that don't come Monday morning, "I can't remember what I used, maybe it was my dogs name .... no, ...., wait, with or without big letters, umm, I'll call support, they were quite quick last week."
Sin tack ear lol
Pressing the "Any" key may be continuate
When IT policy forces people to change their passwords every 60 days, no wonder they can't remember them
Ah, security taken to the point of absurdity.
I can see it now....
Next week our company is moving to ten-factor authentication.
Upon login, you will need to provide a password (1). Then you will receive an email with a link to a website (2) on which you will provide your telephone number (3). If the telephone number provided is on record, you will receive a passcode (4) via text message. After correctly entering the passcode on the original login splash screen, the system will provide you a unique ten digit key (5) which you will need to complete your authentication process. Do not write down the ten digit key. Go to the bio-metric authentication closet. Enter your ten digit key on the key-pad. The bio-metric closet will open to let you in. Once inside the closet, you will need to use the scanners to provide your fingerprints (6), retina scan (7), plus a blood (8) and stool sample (9). Once you have completed the process and have been successfully authenticated, the system will provide you a unique, one-time-use, 22 character passcode (10) that will allow you to login to your computer. Do not write the passcode down; the passcode will also expire after 120 seconds. If you fail to login to your station before the temporary passcode expires, you will have to repeat the process.
Then the CIO will brag that he has the most secure network in the world.
if (Object.DividedByZero == true) { Universe.Implode(); }
Meus ratio ex fortis machina. Simplicitatis de formae ac munus. -Foothill, 2016
Because their programmer still needs to grasp that newfangled weirdness called "Unicode" and instead of solving that problem, they shift the problem over to you.
Not allowing special characters helps a little bit with all of the rules in the linked article. The article is about XSS only. Then there could be SQL injections, command line injections, etc. on top of this.
For maintainability due to XSS, if one developer encodes something in the context of an HTML attribute, and then another developer refactors it and moves the same information into a hidden HTML element or a javascript code block, the second developer better update all of the different encoding rules! This applies to both server and client side code dealing with the data.
XSS (Cross Site Scripting) Prevention Cheat Sheet - OWASP
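The maintainability problem described above (one encoder per output context, and a refactor that moves the value into a different context silently reopens the hole) is easiest to see in code. The Python helpers below are an added example written for this thread, following the per-context rules the OWASP cheat sheet describes but not taken from OWASP or from any site discussed; the payloads are constructed for the demonstration.

```python
import html
import json
import urllib.parse

# Added example, not from the thread or from OWASP: one encoder per output
# context, and a check that shows why the right encoder for one context is the
# wrong one for another.  Payloads below are constructed for the demonstration.

def encode_html_text(value: str) -> str:
    """Element content, e.g. <p>...</p>: entity-encode & < > \" and '."""
    return html.escape(value, quote=True)

def encode_html_attr(value: str) -> str:
    """Double-quoted attribute value; the caller supplies the quotes."""
    return html.escape(value, quote=True)

def encode_js_string(value: str) -> str:
    """String literal inside <script>: JSON escaping (quotes and backslashes
    get a backslash, non-ASCII becomes \\uXXXX), then the characters JSON
    leaves alone that can still close the script block or inject markup."""
    encoded = json.dumps(value, ensure_ascii=True)[1:-1]   # drop JSON's own quotes
    for raw, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"), ("/", "\\/")):
        encoded = encoded.replace(raw, esc)
    return encoded

def encode_url_param(value: str) -> str:
    """Query-string value: percent-encode everything but unreserved characters."""
    return urllib.parse.quote(value, safe="")

def render(value: str) -> dict:
    """The same untrusted value placed into four contexts, each with its own encoder."""
    return {
        "text": f"<p>{encode_html_text(value)}</p>",
        "attr": f'<input value="{encode_html_attr(value)}">',
        "js":   f'<script>var v = "{encode_js_string(value)}";</script>',
        "url":  f'<a href="/search?q={encode_url_param(value)}">',
    }

def attr_breakout(encoded: str) -> bool:
    """True if an unencoded double quote survives: it would terminate the attribute."""
    return '"' in encoded

ATTR_PAYLOAD = '" onmouseover="alert(1)'                 # constructed
SCRIPT_PAYLOAD = '</script><script>alert(1)</script>'   # constructed

if __name__ == "__main__":
    for ctx, markup in render(ATTR_PAYLOAD).items():
        print(f"{ctx:4s} {markup}")
    # The JS encoder turns " into \" which HTML does not understand, so moving
    # the value from a <script> string into an attribute reopens the injection.
    print("js encoder in attr context breaks out:  ", attr_breakout(encode_js_string(ATTR_PAYLOAD)))
    print("attr encoder in attr context breaks out:", attr_breakout(encode_html_attr(ATTR_PAYLOAD)))
```

The mismatch runs both ways: HTML entities are not decoded inside a script element, so the attribute encoder used in a JS string does not protect anything there, it just corrupts the data. That is the refactoring hazard the post describes, and the reason the encoding call has to live next to the template that defines the context rather than with the code that produced the value.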