Comments
@Jifuna,
Well, whoever gets these booklets knows how long the passwords are and what character classes are used, which reduces the effort of creating wordlists for cracking them.
Also, frequent password changes inevitably lead to sticky notes where people write their passwords down, because they can't remember them anymore.
@metamourge knowing just the length won't make anything easier.
If upper and lowercase are forced together with numbers and special characters, that is just the default. The combinations are practically impossible to compose a list for. And they should have a maximum number of failed login attempts anyway, so it doesn't get brute-forced.
cannonau1966y @forkbomber are you sure the length is not valuable information to an attacker? Surely, even if x=20 you would only have to check strings of length 20 or 21 and not everything from 1 to, say, 32? What if x=2?
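The comments above disagree about whether publishing the exact length range and the mandatory character classes helps an attacker. The script below is an added example (not code from the rant or from any commenter) that puts numbers on it: it counts candidate passwords with inclusion-exclusion over the required classes and compares an attacker who knows nothing but an assumed 32-character cap, one who already guesses the true maximum length, and one who has read the booklet. It assumes the 95 printable ASCII characters split into 26 lower, 26 upper, 10 digits and 33 specials, and uses x = 8 as a constructed placeholder because the rant does not state the real value of x.

```python
"""Estimate how much a published password policy shrinks the search space.

Added example, not from the rant or its comments. Assumptions: passwords are
drawn from the 95 printable ASCII characters with the class sizes below, and
x = 8 is a constructed placeholder (the rant does not give the real x).
"""
from itertools import combinations
from math import log2

ALPHABET = 95                 # printable ASCII
CLASSES = (26, 26, 10, 33)    # lower, upper, digit, special; sums to ALPHABET


def keyspace(length, required=()):
    """Number of strings of exactly `length` over ALPHABET that contain at
    least one character from every class in `required`.

    Inclusion-exclusion: start from all strings, subtract those that miss one
    class, add back those that miss two, and so on. With no required classes
    this is simply ALPHABET ** length."""
    if length <= 0:
        return 0
    total = 0
    for k in range(len(required) + 1):
        for missed in combinations(required, k):
            total += (-1) ** k * (ALPHABET - sum(missed)) ** length
    return total


def candidates(lengths, required=()):
    """Total candidates an attacker must try over the given lengths."""
    return sum(keyspace(n, required) for n in lengths)


def bits(n):
    """Search-space size expressed as equivalent bits of entropy."""
    return log2(n) if n > 0 else float("-inf")


def policy_leak(x, assumed_max=32):
    """Compare three attackers:
    blind    - knows only that passwords are at most `assumed_max` long
    bounded  - already guesses the real maximum x + 1, no class rules
    informed - has read the booklet: length is x or x + 1 and all four
               classes are mandatory
    Returns the sizes in bits and the reduction factors the booklet buys."""
    blind = candidates(range(1, assumed_max + 1))
    bounded = candidates(range(1, x + 2))
    informed = candidates((x, x + 1), CLASSES)
    return {
        "blind_bits": bits(blind),
        "bounded_bits": bits(bounded),
        "informed_bits": bits(informed),
        "factor_vs_blind": blind / informed,
        "factor_vs_bounded": bounded / informed,
    }


if __name__ == "__main__":
    for key, value in policy_leak(8).items():
        print(f"{key:>18}: {value:,.1f}")
```

Two things fall out of running it. Against an attacker who does not know the maximum length, the booklet is catastrophic: the sum of all lengths up to 32 is dominated by the longest ones, so pinning the length to x or x+1 drops well over a hundred bits. Against an attacker who has already guessed that the real maximum is x+1 (a common assumption, since most policies cap around 8 to 12), the saving is only about one bit: the length-x+1 strings dominate anyway, and the mandatory-class rule removes roughly half of them at length 8, since a random 8-character string already contains all four classes about 46% of the time. Real crackers also work from wordlists and mangling rules rather than exhaustive search, and what the booklet really hands them is which rules to keep.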
Related Rants
The company that I currently work for has a strict clean-desk policy. So strict, they even have a little booklet that they have about 1000 copies of lying around the office everywhere. In the booklet is a playful description (with cartoons!) of what can go wrong when sensitive information is lying around, or shared with outsiders through careless talk, etcetera. Employees are encouraged to take a copy of the booklet home.
Also in the booklet is a description of the importance of having a good password. It mentions the required minimum (x) and maximum (x+1) length of passwords, mandatory character classes, and how often the passwords have to be changed.
rant
clean desk
security fail
you're doing it wrong