
...or, in other words, "we don't really know what we're doing".

[quote]
Password must contain 8-20 characters, at least one upper case letter, one lower case letter, and at least one number. Password must not match the username, contain spaces, 3 or more consecutive letters, characters, or numbers (i.e. aaa) or the following characters: " & / < > [ \ ] { | } ~ ^ !
[/quote]

  • Spaces should be allowed and encouraged (it's easier to remember a secure passphrase than a secure password).
  • No 7-bit visible ASCII characters should be disallowed; they increase security.
  • The maximum length should be more like 127 or 255 characters.

The only reason for limitations like this is if you're worried about injection attacks, and that means you're not properly sanitizing your input.
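A small model of the two policies this post contrasts, as an added example that is not part of the thread: the quoted 8-20 character rule set beside the permissive one the post argues for, the resulting search-space bound for each, and a salted hash showing why banning characters buys nothing once the password never reaches a query. Reading the "3 or more consecutive" rule as "a run of three identical characters" (per the quote's own example, aaa) is an assumption.

```python
import hashlib
import math
import os
import re
from typing import Optional

# Characters the quoted service rejects (transcribed from the quoted error message).
BANNED = set('"&/<>[\\]{|}~^!')

def restrictive_policy(pw: str, username: str) -> bool:
    """Model of the quoted 8-20 character policy; the 'no 3 or more consecutive'
    rule is read as 'no run of three identical characters', per its example (aaa)."""
    if not 8 <= len(pw) <= 20 or pw == username or " " in pw:
        return False
    if not (re.search(r"[A-Z]", pw) and re.search(r"[a-z]", pw)
            and re.search(r"[0-9]", pw)):
        return False
    if re.search(r"(.)\1\1", pw):
        return False
    return not (set(pw) & BANNED)

def permissive_policy(pw: str, username: str, min_len: int = 8,
                      max_len: int = 255) -> bool:
    """The policy argued for in the post: any visible ASCII or space, long maximum."""
    if not min_len <= len(pw) <= max_len or pw == username:
        return False
    return all(32 <= ord(c) <= 126 for c in pw)

def keyspace_bits(alphabet_size: int, length: int) -> float:
    """log2 of the number of strings of one length over an alphabet: an upper
    bound on the search space, which composition rules only shrink further."""
    return length * math.log2(alphabet_size)

def compare_keyspaces() -> dict:
    """Bound at each policy's maximum length: 94 visible ASCII minus 14 banned
    and no space gives 80 symbols; 94 plus space gives 95."""
    return {
        "restrictive_max": keyspace_bits(94 - len(BANNED), 20),
        "permissive_same_length": keyspace_bits(95, 20),
        "permissive_max": keyspace_bits(95, 255),
    }

def store_password(pw: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2: once hashed, no character of the password reaches a query
    or a page, so there is no injection reason to ban characters."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 600_000)
```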


@woozle

«Password must contain 8-20 characters, at least one upper case letter, one lower case letter, and at least one number. Password must not match the username, contain spaces, 3 or more consecutive letters, characters, or numbers (i.e. aaa) or the following characters: " & / < > [ \ ] { | } ~ ^ !»

Hackers: "Thank you for specifying the rules; that certainly speeds up my brute force attacks!"

@woozle I also bet that this service doesn't even set a maximum amount of attempts, or do any other kind of rate-limiting, to prevent brute force attacks.

@woozle No spaces is the one that drives me to flip out and start yelling. I get the whole thing, it's all terrible and wrong and silly and they're Doing It All Wrong. But for some reason that one just pushes my buttons like you wouldn't believe. That and the short length.

I struggle to even talk rationally about it. I just want to start yelling.

Toot.Cat