[sf-lug] passwords - trying to pick good ones, difficulties, and users, and vendors/websites

Michael Shiloh michaelshiloh1010 at gmail.com
Sun Jan 24 09:41:54 PST 2010


I would guess it doesn't like certain characters, like perhaps the 
asterisk or the caret.

Michael Paoli wrote:
> So, ... set up a nice secure password - made sure to use HTTPS,
> indicates it has to be 6 to 14 characters, and contain at least
> one letter and one digit, so I used:
> nEc3Twj(ayq<Qq
> 
> Vendor then immediately emails (as part of the registration) the
> password, without using encryption.  Bleh.
> 
> Okay, so let's see if I update the password and the vendor hopefully
> won't also email the updated password.  Being sure to use HTTPS again.
> I try:
> kXvM*T<Pgb^9[W
> but it won't let me use that, it gives me:
> Password is Invalid. Must be 6-14 characters and contain at least one letter and one number.
> Well, ... it is and does, so what aren't they telling me, and how much
> weaker/stupider do I have to make the password for it to be accepted?
> 
> And we wonder why typical users get frustrated and pick weak passwords
> like:
> a00000
> which, by the way, the site tells me for that weak password,
> "Password OK."
> (but no, I didn't click "Submit" on that weak of a password).
> 
> So I try:
> mOr0xb%IR8LTPI
> and I log out and try to log in again to make sure it works.
> The login doesn't work - nor does it work with the prior password I set.
> Buggers - the password change input likely mangles or truncates the
> password in a manner different than the login authentication.
> So, ... I go through the password reset thingy - emails me a weaker
> password in the clear, and I use that and try again ...
> another attempt, I finally get one that's suitably strong to my
> liking, is accepted, and also works when I log out and back in to
> confirm they got it right.
> 
> And we wonder why users often pick weak passwords - even if they might
> be somewhat inclined to pick/use better - potentially much better
> ones.
> 
> And yes, I'm going to check if they have some suitable contact or the
> like to let them know about their password security and validation issues.
> 
> 
> _______________________________________________
> sf-lug mailing list
> sf-lug at linuxmafia.com
> http://linuxmafia.com/mailman/listinfo/sf-lug
> Information about SF-LUG is at http://www.sf-lug.org/
> 

-- 
Sent from my ASR-33
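
The two failures described in this thread, sketched as an added example (not part of either poster's message and not the vendor's code): a validator that reports every rule it enforces, and a set-then-login round-trip check that catches a change form and a login form treating the same password differently. The rejected `*` and `^` characters are the guess made in the reply above, and the `%`-stripping change form is a hypothetical stand-in for whatever mangling the site actually did.

```python
import hashlib
import hmac
import os

MIN_LEN, MAX_LEN = 6, 14  # limits the site stated in its error message


def violations(pw, forbidden=""):
    """Return every rule the password breaks, so no rule stays hidden."""
    out = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        out.append(f"length must be {MIN_LEN}-{MAX_LEN}")
    if not any(c.isalpha() for c in pw):
        out.append("needs a letter")
    if not any(c.isdigit() for c in pw):
        out.append("needs a digit")
    bad = sorted(set(pw) & set(forbidden))
    if bad:
        out.append("characters not accepted: " + " ".join(bad))
    return out


def _hash(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


class Account:
    """Toy account whose change and login paths may filter input differently."""

    def __init__(self, change_filter=lambda s: s, login_filter=lambda s: s):
        self.change_filter = change_filter
        self.login_filter = login_filter

    def set_password(self, pw):
        self.salt = os.urandom(16)
        self.digest = _hash(self.change_filter(pw), self.salt)

    def login(self, pw):
        candidate = _hash(self.login_filter(pw), self.salt)
        return hmac.compare_digest(candidate, self.digest)


def round_trips(account, pw):
    """Regression check: a password that was accepted must also log in."""
    account.set_password(pw)
    return account.login(pw)


def strip_pct(s):
    """Hypothetical bug: the change form silently drops '%'."""
    return s.replace("%", "")
```

Running `round_trips` over passwords containing each printable character exercises both input paths before users hit the mismatch.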



