Timeline for Why did customer services say using symbols in a password is insecure?
Current License: CC BY-SA 3.0
47 events
when | what | action | by | comment / license | |
---|---|---|---|---|---|
Aug 26, 2022 at 19:17 | answer | added | Peter Green | timeline score: 0 | |
Feb 1, 2016 at 17:41 | answer | added | paparazzo | timeline score: 1 | |
Feb 1, 2016 at 17:34 | comment | added | Wayne Werner | Because they're not parametrizing their SQL queries. | |
Feb 1, 2016 at 14:23 | comment | added | OJFord | Just to name and shame because I'm still angry about it - one of Transport for London's public facing Oyster login system requires a password between 8 and 10 characters long, starting with a letter, containing at least one capital, containing at least one number, and containing no symbols. I complained. This is also "for security". | |
Feb 1, 2016 at 14:20 | answer | added | Andrea Corbellini | timeline score: 2 | |
Feb 1, 2016 at 10:13 | comment | added | Ben | Don't fetishize symbols. Length beats character classes - especially when people only throw in a number or symbol to keep the "password strength meter" happy. A 64bit entropy password could be 20 decimal digits. Lowercase letters and numbers still needs 13 characters to equal it and then only if it's random. Adding a choice of 30 symbols to a 10 character password of random upper/lower/digit is equivalent to making it an 11 character password. In reality the tendency to choose common sequences of characters means you really need 20 characters whatever alphabet you are choosing from. | |
Feb 1, 2016 at 10:04 | comment | added | MrWhite | ... and/or write it in a predictable manner. When forced to use a "special character" I have witnessed several people just stick a ! on the end! | |
Jan 31, 2016 at 8:09 | answer | added | Shameerariff | timeline score: 0 | |
Jan 30, 2016 at 17:50 | comment | added | Tony Ennis | One point here - the more onerous the password rules (One uppercase! One lowercase! One number! One 'special'!) the more likely people are to write the password down. There is 'mathematically secure', and there is 'practically secure'. | |
Jan 29, 2016 at 19:34 | comment | added | Michael | @iProgram Praise Javascript, where the semicolon is optional! | |
Jan 29, 2016 at 10:05 | comment | added | iProgram | @John Us programmers always hate the semicolon! | |
Jan 28, 2016 at 23:12 | comment | added | John | Is there really any valid reason to prohibit the semicolon? I know that some of the responses on here say that they may limit responses so that keyboards will have the characters in the password present, but isn't prohibiting a semicolon indicative of not hashing or sanitizing inputs properly? | |
Jan 28, 2016 at 23:10 | answer | added | Denver Coder | timeline score: 0 | |
Jan 28, 2016 at 20:30 | comment | added | corsiKa | Am I the only one who thinks this question sounds like the start of a very lame joke? | |
Jan 28, 2016 at 14:36 | comment | added | Иво Недев | @JohnDeters If I know your site only has letter/number passwords I have to go through so much less combinations to brute force the same length password with characters in it .... So it's not a mistake! | |
Jan 28, 2016 at 1:26 | comment | added | David Richerby | Most likely, the answer is that the customer service person didn't know the real reason. As an aside, I'd recommend against using £ in a password: any time you try to enter that symbol outside the UK, except on your own laptop, you'll find that the key doesn't even exist, so you can't log in. (Of course, if this is the kind of password that you wouldn't dream of typing in except on your own laptop, that's much less of an issue.) | |
Jan 28, 2016 at 0:17 | comment | added | Niet the Dark Absol | What worries me is, why would the password need to go through the database at all? It should be irreversibly hashed well before then. | |
Jan 27, 2016 at 22:30 | comment | added | Christian | Why assume that the customer service person knows why the decision was made? All they know is that the programmers decided to use that policy. | |
Jan 27, 2016 at 18:25 | answer | added | Thanos Tintinidis | timeline score: 5 | |
Jan 27, 2016 at 16:21 | comment | added | n00b | why does every bad password policy question become a hot topic on this site? these are so overdone and the answer is always the same. more entropy, and more randomness = stronger passwords. [Insert XKCD comic here] | |
Jan 27, 2016 at 16:15 | answer | added | borjab | timeline score: 2 | |
Jan 27, 2016 at 14:50 | answer | added | MvG | timeline score: 8 | |
Jan 27, 2016 at 13:11 | answer | added | Ian Ringrose | timeline score: 13 | |
Jan 27, 2016 at 12:35 | answer | added | Pete Kirkham | timeline score: 5 | |
Jan 27, 2016 at 10:11 | comment | added | Matt Wilko | Because one of them is called Little Bobby Tables and they have learnt their lesson: xkcd.com/327 | |
Jan 27, 2016 at 9:43 | comment | added | Rory Alsop♦ | Important to note - "Sorry, the guidelines we put in is place is for security measures" does not mean using symbols is less secure! It means the guidelines they have put in place are for the security measures they have decided are appropriate. You may want them to use stronger security measures, but their risk assessment has given them a position they feel is fine. | |
Jan 27, 2016 at 7:30 | answer | added | zakius | timeline score: 2 | |
Jan 27, 2016 at 1:59 | comment | added | DJMcMayhem | Because they're wrong. | |
Jan 26, 2016 at 23:55 | comment | added | Joshua | Name and shame. I would not choose to do business with anyone who does this. This screams to all engineers "WE STORE PASSWORDS PLAINTEXT". | |
Jan 26, 2016 at 22:29 | comment | added | iProgram | @loneboat This was an online chat. They also said they will forward it on. Wouldn't surprise me if they don't. Mind you, they did call me a genius so they may do. | |
Jan 26, 2016 at 22:26 | comment | added | loneboat | @iProgram: "To make sure they have better security in the future I did educate them and said that..." Call me cynical, but I doubt your comments were remembered for more than three seconds after the phone call ended. :-) | |
Jan 26, 2016 at 21:09 | comment | added | NotMe | Simple: their programmers actually don't understand what secure coding means and just applied what they saw on a web site somewhere. They then feed a line of BS to the customer support team (who honestly doesn't know anything either). Regarding preventing "sql injection" you'll likely find other text fields on that site that you can absolutely enter those characters in. | |
Jan 26, 2016 at 20:56 | answer | added | dr jimbob | timeline score: 15 | |
Jan 26, 2016 at 20:50 | comment | added | John Deters | It's a mistake to think leaving symbols in the character set magically adds security. If you want to increase defenses against brute force password cracking, you are much better off by increasing the minimum password length to 12 or more characters, and by requiring increased complexity including requiring all three types of upper and lower case characters and digits. | |
Jan 26, 2016 at 20:44 | history | tweeted | twitter.com/StackSecurity/status/692085738037444608 | ||
Jan 26, 2016 at 19:59 | comment | added | TTT | Nitpicking your math: typically passwords are case sensitive, so only allowing letters and numbers would have 62^8 combinations instead of 36^8. | |
Jan 26, 2016 at 19:57 | comment | added | jao | Troy Hunt has some info on it here and here which I think is interesting to read. | |
Jan 26, 2016 at 19:56 | comment | added | dakre18 | @iProgram Wouldn't hurt, however, if it isn't scripted the rep worded it poorly. That can happen if the rep isn't familiar with password security, but worst case it's scripted to avoid reps saying the wrong thing (normally). | |
Jan 26, 2016 at 19:39 | comment | added | iProgram | @dakre18 Think I should try again another time so I know if it is scripted or there is another problem like sanitising data? | |
Jan 26, 2016 at 19:37 | comment | added | dakre18 | @iProgram just wanted to clarify that, but if you hear the same thing from more than 1 customer service rep, it's scripted (obviously at that point), but they won't ever tell you that's how their developers designed it. If they did, it would just cause more problems. | |
Jan 26, 2016 at 19:31 | answer | added | Mark Buffalo | timeline score: 38 | |
Jan 26, 2016 at 19:15 | comment | added | iProgram | @dakre18 As I said, I assumed that is what they were saying, I gave the quote that they said to me in quotation marks. This was from an online chat. | |
Jan 26, 2016 at 19:03 | comment | added | sethmlarson | Allowing symbols in passwords does increase the search space for passwords and makes them more secure, there's really no reason to disallow them. They may be using the passwords internally and thus need to sanitize them of symbols? But that would indicate other things that you should be worried about such as storing your password in its plaintext form in a database. | |
Jan 26, 2016 at 19:02 | comment | added | dakre18 | Just to give a clear answer, did their response literally say passwords are more insecure with a symbol, or is that the way you interpreted their message? And was the message written (email) or verbal? I would assume they have to say it because of a policy, or give a similar answer and they just worded it poorly. The answer is most likely going to be "because that's how it was designed," but there's no way to find that out. The only way to be more secure than their passwords is to make sure your password is unique to that website. | |
Jan 26, 2016 at 18:59 | answer | added | John Deters | timeline score: 208 | |
Jan 26, 2016 at 18:59 | answer | added | Eddie Studer | timeline score: 82 | |
Jan 26, 2016 at 18:44 | history | asked | iProgram | CC BY-SA 3.0 |