What is your favourite password rule?

  • Dem Bosain@midwest.social
    link
    fedilink
    English
    arrow-up
    45
    ·
    4 months ago

    I just had to make a password for a hotel.

    8 to 20 characters Uppercase Lowercase Digits OR special characters.

    The capitalized OR is important. You can have either numbers in the password, or special characters, BUT NOT BOTH.

    Took me 8 tries.

    • First one was too long.
    • Second and third used both numbers and characters, but I thought the characters were TOO special.
    • 4 through 6 used both numbers and special characters.
    • Seventh password used just letters and numbers, and it was accepted.
    • Eighth try I used just letters and keyboard characters, and that was accepted too.
    • Sewer_King@lemmy.world
      link
      fedilink
      English
      arrow-up
      21
      ·
      4 months ago

      The best part to me is that they include all of these rules to increase the security, but then set a maximum length of the password, which from my understanding is the easiest way to add complexity/security to a password.

      • RecluseRamble@lemmy.dbzer0.com
        link
        fedilink
        arrow-up
        19
        ·
        4 months ago

        The actual funny (or sad) thing about this: even without a length limit all they do is make the password less secure because every constraint just reduces the possible password space.

        As someone who generates every password with a password manager those sites are a pain in the ass because you have to somehow get these constraints into the generator.

        • subtext@lemmy.world
          link
          fedilink
          arrow-up
          2
          ·
          4 months ago

          It’s sad that this project from Apple has gotten literally zero traction with any password manager that I know of.

          Free, open source repository of password requirements that are just an API call away, and you wouldn’t have to worry about tweaking your password generator at all, but no one is using it. Except maybe Apple and I refuse to use their password manager.

          https://github.com/apple/password-manager-resources

      • felbane@lemmy.world
        link
        fedilink
        arrow-up
        10
        ·
        4 months ago

        Maximum length is the biggest red flag to me and was the catalyst for me making the effort to switch to unique passwords per-account years ago. There’s just so, so many shitty homerolled security systems out there… and data breaches seem to be a perennial problem these days.

        There’s just no excuse for limiting the length if you’re doing security correctly (other than perhaps a large upper limit just to protect against someone DOSing the backend with a bunch of 100MB strings; 512 characters seems reasonable).

        By setting an upper limit, you’re basically saying one or more of these things:

        • We store your password in plaintext
        • We store a hash but our hashing function has an unnecessarily arbitrarily limited input size
        • The person/team implementing the backend has no idea what they’re doing and/or just copy pasted login code from stack overflow
        • We tried to get away with minimal password requirements but some middle manager wouldn’t rubber stamp it without arbitrary_list_of_bs
        • pixeltree@lemmy.blahaj.zone
          link
          fedilink
          arrow-up
          4
          ·
          4 months ago

          My senior project for uni was replacing the professor’s friend’s website. We had a meeting to gather requirements, have him demo the site as different kinds of users, etc. Dude said “Hold on a sec” and went to a page with all accounts and their passwords listed. Was like, dude, the hell