[ale] OT: password gripe
Björn Gustafsson
bg-ale at bjorng.net
Thu Dec 31 09:07:11 EST 2009
There are also arbitrary system limits. Notably AS/400 requires a
password with 7 or 8 characters and only accepts digits and letters
(and maybe underscore), *and* it can't start or end with a number.
You can tell if someone is using that as a back-end by their password
restrictions.
On Thu, Dec 31, 2009 at 8:21 AM, Richard Bronosky <Richard at bronosky.com> wrote:
> What you are complaining about is companies not allowing strong
> passwords. I agree, that is crazy. The internet standard is to hash a
> users password with their name (unique to the user) and a salt (unique
> to the site) and store only the hash making password recovery
> impossible, only password reset. So, the only reason to not accept
> punctuation in a password is a) if your hashing algorythm can't handle
> it, or b) if your language/framework can't be trusted to protect
> against code injection. In most cases I would bet that b is in play
> and MSFT is in the application layer.
>
> The other side of the coin is companies who come up with insane
> strength requirements. Of all of the best measures they put in place
> to force users to create good passwords, they have no power over the
> quality of your email password. And pwning someones email gives you
> the power to reset any password.
>
> On 12/31/09, Geoffrey <lists at serioustechnology.com> wrote:
>> <rant>
>> I do my best to create good passwords. I'm continuing to find various
>> companies that I do business with, restricting the character set for
>> passwords and/or length. This drives me nuts because all my passwords
>> contain a combination of alphanumeric and punctuation AND long. I'm
>> continuing to find companies who do not permit punctuation in a
>> password. I just don't get it? Do they not understand that they are
>> reducing the security of a password by restricting the character set?
>>
>> I called support for one company and they told me it was an 'internet
>> standard.' I told them they were full of crap.
>>
>> What am I missing here? Can anyone give me a good reason for such a
>> policy????
>> </rant>
>>
>> --
>> Until later, Geoffrey
--
Björn Gustafsson
More information about the Ale
mailing list