[sf-lug] passwords - trying to pick good ones, difficulties, and users, and vendors/websites
Michael Paoli
Michael.Paoli at cal.berkeley.edu
Sat Jan 23 21:03:00 PST 2010
So, ... set up a nice secure password - made sure to use HTTPS,
indicates it has to be 6 to 14 characters, and contain at least
one letter and one digit, so I used:

nEc3Twj(ayq<Qq

Vendor then immediately emails (as part of the registration) the
password, without using encryption. Bleh.

Okay, so let's see if I update the password and the vendor hopefully
won't also email the updated password. Being sure to use HTTPS again.
I try:

kXvM*T<Pgb^9[W

but it won't let me use that, it gives me:

Password is Invalid. Must be 6-14 characters and contain at least one
letter and one number.

Well, ... it is and does, so what aren't they telling me, and how much
weaker/stupider do I have to make the password for it to be accepted?

And we wonder why typical users get frustrated and pick weak passwords
like:

a00000

which, by the way, the site tells me for that weak password,
"Password OK."
(but no, I didn't click "Submit" on that weak of a password).

So I try:

mOr0xb%IR8LTPI

and I log out and try to log in again to make sure it works.
The login doesn't work - nor does it work with the prior password I set.
Buggers - the password change input likely mangles or truncates the
password in a manner different than the login authentication.

So, ... I go through the password reset thingy - emails me a weaker password
in the clear, and I use that and try again ... after another attempt,
I finally get one that's suitably strong to my liking, is accepted, and
also works when I log out and back in to confirm they got it right.

And we wonder why users often pick weak passwords - even if they might
be somewhat inclined to pick/use better - potentially much better
ones.

And yes, I'm going to check if they have some suitable contact or the
like to let them know about their password security and validation issues.
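The two failure modes described in the post, a validator whose error message hides the rule that actually fired, and a change form that mangles the password differently from the login path, as an added illustration (not the poster's code, and the vendor's real rules are unknown): the hidden punctuation whitelist and the 12-character truncation are constructed assumptions standing in for whatever the site really does.

```python
import hashlib
import hmac
import re

# Stated rule from the site's error text: 6-14 characters, one letter, one digit.
STATED_MIN, STATED_MAX = 6, 14
# Constructed assumption: an undisclosed whitelist of punctuation the site accepts.
HIDDEN_ALLOWED_PUNCT = set("(<%")


def stated_rule_ok(pw: str) -> bool:
    return (STATED_MIN <= len(pw) <= STATED_MAX
            and re.search(r"[A-Za-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None)


def disallowed_chars(pw: str) -> list:
    return sorted({c for c in pw if not c.isalnum() and c not in HIDDEN_ALLOWED_PUNCT})


def vendor_style_check(pw: str) -> str:
    """Opaque check: enforces the hidden charset but only ever reports the stated rule."""
    if not stated_rule_ok(pw) or disallowed_chars(pw):
        return ("Password is Invalid. Must be 6-14 characters and contain "
                "at least one letter and one number.")
    return "Password OK."


def transparent_check(pw: str) -> str:
    """Same rules, but the message names the rule that actually failed."""
    if not STATED_MIN <= len(pw) <= STATED_MAX:
        return f"Password must be {STATED_MIN}-{STATED_MAX} characters."
    if not re.search(r"[A-Za-z]", pw):
        return "Password must contain at least one letter."
    if not re.search(r"[0-9]", pw):
        return "Password must contain at least one number."
    if disallowed_chars(pw):
        return "Password contains disallowed characters: " + " ".join(disallowed_chars(pw))
    return "Password OK."


def store_from_change_form(pw: str, field_limit: int = 12) -> str:
    """Constructed bug: the change form silently truncates before hashing.
    (A real store would use a salted, slow KDF; sha256 here keeps the mismatch visible.)"""
    return hashlib.sha256(pw[:field_limit].encode()).hexdigest()


def login(pw: str, stored: str) -> bool:
    """The login path hashes the full input, so long passwords never match what was stored."""
    return hmac.compare_digest(hashlib.sha256(pw.encode()).hexdigest(), stored)
```

Running the post's own candidates through both checks shows the difference: the opaque check gives the same misleading message for `kXvM*T<Pgb^9[W` as it would for a too-short password, while the transparent one names `* [ ^`, and the stored hash of `mOr0xb%IR8LTPI` only matches a login attempt with the truncated value.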