[ale] OT: password gripe

Richard Bronosky Richard at Bronosky.com
Thu Dec 31 08:21:26 EST 2009


What you are complaining about is companies not allowing strong
passwords. I agree, that is crazy. The internet standard is to hash a
user's password with their name (unique to the user) and a salt (unique
to the site) and store only the hash, making password recovery
impossible, only password reset. So, the only reason to not accept
punctuation in a password is a) if your hashing algorithm can't handle
it, or b) if your language/framework can't be trusted to protect
against code injection. In most cases I would bet that b is in play
and MSFT is in the application layer.

The other side of the coin is companies who come up with insane
strength requirements. Of all of the best measures they put in place
to force users to create good passwords, they have no power over the
quality of your email password. And pwning someone's email gives you
the power to reset any password.

On 12/31/09, Geoffrey <lists at serioustechnology.com> wrote:
> <rant>
> I do my best to create good passwords.  I'm continuing to find various
> companies that I do business with, restricting the character set for
> passwords and/or length.  This drives me nuts because all my passwords
> contain a combination of alphanumeric and punctuation AND long.  I'm
> continuing to find companies who do not permit punctuation in a
> password.  I just don't get it?  Do they not understand that they are
> reducing the security of a password by restricting the character set?
>
> I called support for one company and they told me it was an 'internet
> standard.'  I told them they were full of crap.
>
> What am I missing here?  Can anyone give me a good reason for such a
> policy????
> </rant>
>
> --
> Until later, Geoffrey
>
> "I predict future happiness for America if they can prevent
> the government from wasting the labors of the people under
> the pretense of taking care of them."
> - Thomas Jefferson

-- 
Sent from my mobile device

.!# RichardBronosky #!.
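
Added example, not part of the original message or the list archive: the storage scheme the message describes (password hashed together with the user name and a site-wide value, only the hash stored), showing that punctuation and non-ASCII characters need no filtering because the hash only ever sees bytes. PBKDF2-HMAC-SHA256, the iteration count, the random per-user salt, and the names `SITE_SALT`, `enroll` and `verify` are assumptions chosen for this example.

```python
import hashlib
import hmac
import os
import unicodedata

SITE_SALT = b"constructed-site-wide-value"  # assumption: per-site value, constructed here
ITERATIONS = 600_000                        # assumption: work factor chosen for this example


def _derive(username: str, password: str, user_salt: bytes) -> bytes:
    # Normalise so the same typed password always yields the same bytes,
    # then encode. The hash operates on bytes, so no character is special.
    pw = unicodedata.normalize("NFKC", password).encode("utf-8")
    salt = SITE_SALT + username.lower().encode("utf-8") + user_salt
    return hashlib.pbkdf2_hmac("sha256", pw, salt, ITERATIONS)


def enroll(username: str, password: str) -> dict:
    """Build the record to store: salt and hash only, never the password."""
    user_salt = os.urandom(16)  # addition beyond the message: random per-user salt
    return {
        "user": username,
        "salt": user_salt.hex(),
        "hash": _derive(username, password, user_salt).hex(),
    }


def verify(record: dict, password: str) -> bool:
    """Recompute the hash from the attempt and compare in constant time."""
    candidate = _derive(record["user"], password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    # Constructed sample passwords: punctuation, quotes, markup, non-ASCII.
    samples = ["p@ss;w0rd!", "'; DROP TABLE users; --", "<b>horse</b> staple", "pässwörd€"]
    for pw in samples:
        rec = enroll("alice", pw)
        print(verify(rec, pw), verify(rec, pw + "x"), rec["hash"][:16])
```

Because the stored value is hex produced by the hash, nothing the user typed reaches the database or a template, which is why the only operation the site can offer is a reset, not a recovery.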

