95
byogdc
6y

Password is not case sensitive, but requires at least two uppercase and two lowercase letters

Comments
  • 21
    Why would you have so many rules for a password? Doesn't it make brute forcing it very easy?
  • 11
    @Kirito-kun
    The rules are fine except ONE specific: "must no be longer than 8 characters". That's just fucking idiotic!
    I know some sites where it's set to max 128, max 50, max 75... whatever.
    In those ranges it's OKAY but these specific limitations (max 8, max 15...) are shitty.
  • 5
    Case insensitive password?
    Did that mean they stock their password as clear text ??
  • 7
    @Irithyll There are more problems:

    "Not case sensitive" clashes with "must include 2 each of uppercase and lowercase characters."

    "Can not include more than 7 numbers and 6 special characters" clash with "at least 4 alphabetic characters" (see above character requirements) and "max length of 8 characters."

    "Must not include a common word or commonly used sequence of characters" provides a convenient mechanism to reject a lot of otherwise viable passwords without explanation. The system would need to explain the reason the password was rejected to prevent user confusion, but that would make a custom attack easier to build, as you can programmatically build a list of things not to try in the password cracking attempt by using your dictionary to find what the system rejects, simplifying the effort involved in cracking a password.
  • 2
    @powerfulparadox on that comment about rejecting just about anything, half the time the passwords I came up with wouldn't work, so I used the auto password generator on the site and even half of those didn't even work. It was just broken all around
  • 0
    @byogdc Is the place using this system necessary for you or can you use an alternative with a sane password system?
  • 1
    @powerfulparadox this password system was at my old job, so I don't have to use it anymore ;P
  • 6
    They in a couple of years:
    "Password must be exactly hunter2"
  • 0
    hmmmm...
  • 4
    For all the security you lose by having that many password restrictions they might as well just tell you what your password is and use the same one for everybody. Save hackers the five minutes it would take to brute force.
  • 1
    @powerfulparadox
    Dafuq. Was wondering where y'all get the "case sensitive" thing. The first rule 😂

    And didn't saw the restrictions for symbols and so on.

    @majortom327
    Well... plain text would be more secure than hashes as long as noone is able to access the database (except admins~) ... but that's impossible 😂
Add Comment