Re: Stupid password requirements
Way back when I was in HS, the school district came hunting me down.
The idiots used a PHP script to allow students to check their grades.
OK, cool, no problem. They used it in cooperation with SQL commands to pull info from their AS/400 system via a MySQL server. Any guesses what happened? That's right: no input sanitization. Just for the fun of it I set my password to "DROP * FROM stuid;".
Oops, my bad. Anyway, they tried to bring me up on state charges, but it fell through when I brought up their IT policies and guidelines concerning system integration and security procedures. They state: "All system integrations must be thoroughly tested for security flaws such as but not limited to: SQL Injections, JavaScript Injections, and Cookie Injections prior to going live."
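The failure described in the post, reconstructed as an added example (not the school's script, and not code from anyone in this thread). It uses Python and an in-memory SQLite table instead of PHP/MySQL, and the table layout, column names, plaintext passwords and the two payloads are all assumptions for the demo. Stacked statements (the DROP) are modelled with executescript(); the login bypass shows that the same concatenation is exploitable even when the driver refuses stacked queries.

```python
import sqlite3

# Constructed sample data standing in for the student table in the post;
# the column names and plaintext passwords are assumptions for the demo only.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stuid (username TEXT PRIMARY KEY, password TEXT, grade TEXT)")
    conn.executemany("INSERT INTO stuid VALUES (?, ?, ?)",
                     [("alice", "hunter2", "A"), ("bob", "letmein", "C")])
    conn.commit()
    return conn

def table_exists(conn):
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'stuid'").fetchone()
    return row is not None

# VULNERABLE: the password field is spliced straight into the SQL text.
# executescript() runs every statement in the string, standing in for a
# driver with stacked queries enabled; that is what lets the DROP execute.
def change_password_vulnerable(conn, username, new_password):
    sql = f"UPDATE stuid SET password = '{new_password}' WHERE username = '{username}';"
    conn.executescript(sql)

# VULNERABLE: the same concatenation in the login check. A driver that refuses
# stacked statements still lets the attacker rewrite the WHERE clause.
def login_vulnerable(conn, username, password):
    sql = (f"SELECT grade FROM stuid WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()

# FIXED: parameterised queries. The driver sends the values as data, so a quote
# or semicolon in the password can never change the statement's structure.
def change_password_safe(conn, username, new_password):
    conn.execute("UPDATE stuid SET password = ? WHERE username = ?",
                 (new_password, username))
    conn.commit()

def login_safe(conn, username, password):
    return conn.execute(
        "SELECT grade FROM stuid WHERE username = ? AND password = ?",
        (username, password)).fetchone()

# Constructed payloads in the spirit of the post: the first closes the string
# literal and stacks a DROP, the second turns the WHERE clause into a tautology.
DROP_PAYLOAD = "'; DROP TABLE stuid; --"
BYPASS_PAYLOAD = "' OR '1'='1"

def demo():
    results = {}
    conn = make_db()
    results["vuln_login_bypassed"] = login_vulnerable(conn, "alice", BYPASS_PAYLOAD) is not None
    results["safe_login_bypassed"] = login_safe(conn, "alice", BYPASS_PAYLOAD) is not None
    change_password_vulnerable(conn, "alice", DROP_PAYLOAD)
    results["table_survives_vuln"] = table_exists(conn)

    conn = make_db()
    change_password_safe(conn, "alice", DROP_PAYLOAD)
    results["table_survives_safe"] = table_exists(conn)
    results["stored_password"] = conn.execute(
        "SELECT password FROM stuid WHERE username = ?", ("alice",)).fetchone()[0]
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The parameterised version stores the payload as a literal string and the table survives; whether the password field should ever be stored in plaintext is a separate problem the demo does not address.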
Re: Stupid password requirements
For work I have to maintain a couple hundred logins, which expire at differing rates and all follow slightly different guidelines depending on the platform or application.
Some of them are really particular to death, like: "Must include at least two uppercase letters in the first three characters, one symbol in the first four, two lowercase letters in the first six, and two numbers." That, to me, is almost more negligent than 6-8 alphanumerics, because the help screen tells you basically exactly what pattern to set your cracker to.
The bank I used to go with until a buyout and various other idiocy had a question on their FAQ along the lines of "Why can't I use certain words like 'drop' in my password?" I nearly laughed myself to death and then closed my account with them.
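How much the published pattern actually shrinks the search space can be counted exactly. The following is an added example, not code from anyone in this thread. It assumes an 8-character password (the post does not give a length), the 94 printable ASCII characters split into 26 upper, 26 lower, 10 digits and 32 symbols, and the literal reading of the rule as quoted above. Rather than enumerating passwords it enumerates class-per-position patterns and weights each by the product of the class sizes, which gives the exact count.

```python
import math
from itertools import product

# Character classes over printable ASCII (94 characters). The count depends
# only on the class sizes, not on which characters are in each class.
U, L, D, S = range(4)                       # upper, lower, digit, symbol
CLASS_SIZES = (26, 26, 10, 32)
ALPHABET = sum(CLASS_SIZES)                 # 94

def meets_policy(classes):
    """The rule quoted in the post, applied to a tuple of class ids per position."""
    return (classes[:3].count(U) >= 2       # two uppercase in the first three
            and classes[:4].count(S) >= 1   # one symbol in the first four
            and classes[:6].count(L) >= 2   # two lowercase in the first six
            and classes.count(D) >= 2)      # two digits anywhere

def count_matching(length, policy):
    """Exact number of passwords of this length that the policy accepts.

    Enumerates every assignment of a class to each position (4**length of
    them, 65536 for length 8), keeps those the policy allows, and weights
    each by the product of its class sizes.
    """
    total = 0
    for classes in product(range(4), repeat=length):
        if policy(classes):
            n = 1
            for c in classes:
                n *= CLASS_SIZES[c]
            total += n
    return total

def unconstrained(length):
    """Any printable ASCII string of that length (no policy at all)."""
    return ALPHABET ** length

def alnum_range(lo, hi):
    """The '6-8 alphanumerics' the post compares against."""
    return sum(62 ** n for n in range(lo, hi + 1))

def bits(n):
    return math.log2(n) if n else float("-inf")

def compare(length=8):
    """Length 8 is an assumption; the post does not state one."""
    policy_space = count_matching(length, meets_policy)
    return {
        "policy": policy_space,
        "unconstrained": unconstrained(length),
        "alnum_6_8": alnum_range(6, 8),
        "bits_lost_vs_unconstrained": bits(unconstrained(length)) - bits(policy_space),
    }

if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value:,.2f}" if isinstance(value, float) else f"{key}: {value:,}")
```

Two sanity checks fall out of the construction: with a trivial policy the count equals 94**length, and since the rule pins down at least seven positions (2 upper, 1 symbol, 2 lower, 2 digits) no 6-character password can satisfy it at all, so the minimum length the policy admits is 7.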
Re: Stupid password requirements
Originally posted by bascule:
"I prefer using passwords with non-alphanumeric symbols in them, and have been extremely surprised to discover that a number of financial institutions disallow symbols in their passwords. Someone asked Bruce Schneier about this recently and he responds "It's dumb."
WTF is wrong with these people?"
I was changing personal information (I do this every so often), and logged into the bank's web site to change things. Sure, no problem. I then noticed a small note that said that the credit card info had to be changed on a different site. Okayyyyyyy... I click on the link, and it says I can't change anything, because I came to the site from the banking site, and that I need a local login. That's where the scary stuff starts.
It was real easy to set up an account that accessed that card. The password (unlike my nice bank password) was restricted to alphanumeric, and the underscore, and between 6 and 8 characters. After I did, when I got to the place to change information, it had a statement that I wasn't allowed to do so, and to call this number. That seemed good to me (considering I'd just set up the account), so I called. Oh, lord, India. My favorite. They kept offering to just change things for me, and I kept saying I wanted to know why I couldn't, and that I didn't want them to do it for me. The short story is that they had nothing but incorrect answers. The long story is that the online account just had to exist for a week.
Still, the ease of creation was dismaying, and the password limitations make it very likely that I will kill the online account (now that I've made the changes), or perhaps log in and change the password to random characters, at random times.
I'm also composing a lengthy and annoyed letter (yes, paper, not email) to the bank, insisting that the credit card handling web site is insecure, and should instead be folded into their regular banking site, which is not.
Thanks for reminding me.
Re: Stupid password requirements
Originally posted by bascule:
"WTF is wrong with these people?"
I agree with bascule... lift your ban on punctuation and the high-end ASCII set, people!
Stupid password requirements
I prefer using passwords with non-alphanumeric symbols in them, and have been extremely surprised to discover that a number of financial institutions disallow symbols in their passwords. Someone asked Bruce Schneier about this recently and he responds "It's dumb."
WTF is wrong with these people?