Comment by OSButler
10 years ago
A client once had an issue where his account got compromised and everything pointed to having his actual login details leaked. His password was something like his username plus an assortment of random characters. It turned out that the system his account was on basically ignored everything after the 8th character, so that you were able to log in with the username as the password.
Also, during the early days of inline password generators, there were cases where the suggested password was incompatible with the associated system.
There's a lot of crap out there: http://www.troyhunt.com/2011/01/whos-who-of-bad-password-pra...
It's common when there's a web interface bridging directly into a legacy mainframe system built in the 70s.
That's how you see things like "your password can't contain Q or Z" (it was originally a rotary phone-dial interface and ancient US phones didn't have Q or Z[0] — to say nothing of special characters, this means the system may also map letters (case-insensitively) to numbers grouped by 3… think your password is "fido"? it's actually encoded as 3436)
> Also, during the early days of inline password generators, there were cases where the suggested password was incompatible with the associated system.
That still happens to this day. There are still a ton of password forms out there which only accept very short alphanumeric-only passwords.
[0] https://upload.wikimedia.org/wikipedia/commons/7/7b/Rotarydi...
I enjoy seeding a random password generator with a bunch of non-ASCII characters [1]. Often it fails, telling me that I'm using unsupported characters; other times the form just doesn't return (or returns with a 5xx error), and even worse, sometimes it lets me create the account but I can't log in because they did something weird with those characters. I'd say less than 70% of sites let me log in with one of these in my password...
At the very least try to use one of them (generally a simple alt-code works, the first smiley face is just alt+1), it's a pretty good indicator of which sites are mucking with your passwords.
[1]•◘○◙►◄↕‼¶§▬↨↑↓
Edit: Turns out HN strips a bunch of them, so my smilies and a bunch of others didn't make the cut!
The first "smiley face" on ALT-1 is actually the ASCII character SOH "start of heading"; many things that might otherwise accept Unicode will properly filter that out because ASCII control codes are illegal in a wide variety of otherwise-accepting contexts.
But it is a great QA check on any text field, which should either cleanly reject it in some manner [1] XOR accept it and process it "correctly" for whatever that means locally, but not something in between.
[1]: A lot of Unicode processing nowadays puts in the Unicode replacement character for unknown characters, but for the ASCII control codes I'd say you've often got a solid security case to say "Someone's just trying to screw with the system, we'll just filter it out entirely" for them. Excepting the ones we still use, basically \r \n \t, there's not much reason to keep them. (Think twice about \v "vertical tab" and think three times about letting \b "backspace"s through. Inconsistent behaviors by various layers of code are scary.)
1 reply →
> Turns out HN strips a bunch of them, so my smilies and a bunch of others didn't make the cut!
Which is exactly why I'd be wary of such clever password schemes on any account I cared about.
Try to create a password at Jet2.com. A password like "SuperSecretPassword!" gives you the error "Your password must be at least six characters or more and is case sensitive." It's idiotic.
Oh yes, I'd almost forgotten about the misleading, unhelpful or downright incorrect error messages. It's also fun when the account creation and login forms don't use the same validation rules, so you can create an account but then you can't log into it.
2 replies →
If you call in to your Fidelity account, they ask you to type in your username and password with the keypad to authenticate yourself. I haven't given it much thought, so perhaps I'm wrong, but this struck me as probably based on some dicey insecure backend implementation.
More likely it is to prevent your having to say your password to the person on the phone. This protects you from a malicious bank employee.
6 replies →
> think your password is "fido"? it's actually encoded as 3436)
A form of hashing... ⸮
VirginMedia (large ISP in the UK) won't accept passwords longer than 10 characters. No spaces or special characters allowed, must contain a number, must start with a letter etc.
What is really frustrating about this is when I asked them why, they replied "we've chosen these limits to make sure your online password is secure".
2 replies →
Additionally, if you contact their customer support via the form they used to provide, they ask for your password, which is then presented back to you in plain text when they reply.
Quoting from a reply I had: "As there's no account password quoted on the form you’ve filled in I'm unable to go in to any account specifics."
"accountPassword: I'm not giving you my password"
Same with the Virgin Atlantic Flying Points site (usernames and passwords). Infuriating thing is the points are worth real money and can be transferred to other users so there is a real incentive to break in.
I guess it's a problem across the entire Virgin group of companies?
That's how Schwab.com implements passwords. 8 characters max. For life savings brokerage accounts.
Swedbank in Sweden has a feature where you can access an account's entire balance by generating random CC#s for online shopping, and this service is protected by your social security number and a 6-character password, a-z, 0-9, no special characters allowed.
They've had this for at least 6 years now, maybe longer. Early on when I e-mailed them about it they simply stated that it's not their service, in other words; out-sourced.
Swedbank also requires two-factor authentication. You can bypass this by calling them - they only ask for 1 thing to authenticate you. Two-factor authentication is rather useless if you can just bypass it like that.
2 replies →
Swedish social security numbers are public information btw, just to clarify the insanity - I can call in to the government register and ask for anyone's number, there isn't even any obfuscation or semi-privacy about it like US SSNs.
2 replies →
The Swedish personal numbers are not a secret, so that is not a protection of any kind. You can get the number for anyone by asking the tax agency.
reminds me of this story http://www.windytan.com/2015/04/trackers-and-bank-accounts.h...
One of my neighbors when I was growing up worked in the FBI's cybercrime division. His wife always complained about how he never let her do any of their banking or serious financial transactions online. When I hear stuff like this, I get why.
> 8 characters max
Ha. Even better, they're also CASE INSENSITIVE!!!
We discussed this here a year ago: https://news.ycombinator.com/item?id=8783790
Which makes you think - Schwab is keeping probably billions of dollars safe. I've never heard of a theft from them, including via online account compromise. Meanwhile, many other sites doing better jobs of following security best practices can't keep even email addresses secure.
Maybe we're the ones doing it wrong, and it's us that should be learning from them?
If you also can choose your account name, use it as sort-of additional password space.
I have accounts with several instances where I could give you my password without running much risk of you logging in; even if their phone support would give out my account name, chances are they or you would misspell the line noise that it looks like.
Yes, Schwab does let you choose your account name. I'm not sure how many chars it can have.
My bank (German "Sparkasse") only allows passwords with exactly 5 letters or numbers for their online banking. I asked why they're doing this, but didn't get a good response.
When I asked, I got the answer that I could choose an arbitrary 16-character-long user name, that the password may contain special characters, that the number of allowed failures for logging in is limited, and that any actual money transfers are protected by a TAN. So it may not be that bad, given that the PIN for my EC card has only four numbers.
Still, I agree that this scheme is somewhat odd and no limitation on the password length would be preferable.
That used to be true, but Schwab has since removed their character limit. I just updated my password to one having more than sixty characters.
They fixed that recently. Change your password.
*Handled
They now support 200+ character passwords.
Would love it if there were some kind of markup standard that password managers could read to determine the site's password rules when generating strong passwords.
I have the problem now with sites that don't tell you their password policy - I'll try several times to generate a password in LastPass and then end up with several entries for the same site, which I now need to inspect to determine which one is the one I don't want to delete. Hugely annoying.
I would love it if there were FCC-mandated password handling standards, like a (long) minimum max length, a (wide) minimum permissible charset, and forbidden plaintext storage. It's arguably an issue of national security.
(Or some other appropriate regulatory agency).
Jurisdiction over which agency gets to do "cyber" stuff has been an open question for the last thirty years. You can make good arguments that it should be covered by the FBI, NSA, DHS, ATF, the secret service, etc etc.
(Yes, the Secret Service! The famous raid on Steve Jackson Games back in 1990 was actually carried out by Secret Service agents, who thought that GURPS Cyberpunk was an actual hacking manual.)
There sort of is. In HTML5, text-based form elements have a new "pattern" attribute which takes a regular expression that matches valid input, so the browser can do client-side validation without using JavaScript to intercept the form before it's posted and such. Assuming the site developers have bothered to implement it on their site, then theoretically a password manager could use that to determine valid characters for generated passwords (or, at least, invalid ones). I don't know if any of them actually do this, though.
http://www.w3.org/wiki/HTML/Elements/input/password
The thing is, how many sites are going to have developers clued-up enough to incorporate this markup, but not clued-up enough to avoid stupid password policies that break password managers?
We only run into trouble because sites incorporate silly requirements like "you must have at least one symbol, even if your password is 48 characters long." Fixing that really seems like the better and more attainable goal.
Solaris, an otherwise good quality enterprise operating system, had an 8-character limit just like that for decades. They only fixed it in the default configuration maybe five years ago. You can read about it here: http://blog.mc-thias.org/?title=solaris-10-password-length-l...