Erebus the Black (Ineffable Wingbolt), posted July 15, 2012: Monday, April 02, 2007 by Jake Vinson (not me). Originally Posted By: Jake Vinson We all know the rules for good passwords. They should be at least 90 characters long, have no recognizable words or phrases, consist of 30% lowercase characters, 30% uppercase characters, and 40% special characters, and they should be changed daily, if not hourly. Where I work, if you forget your password, you're fired on the spot and recommended for execution. OK, maybe I'm exaggerating a little, but let's quit jerking each other around and get serious. Password security is a big deal. Enrique knows this as well as the rest of us. Sadly, two developers he worked with missed the message. Enrique was doing maintenance work on an application that allows users to register to buy and sell antiques. The registration process was simple. Enter a username, address, phone number, email address, and password, and you're in. Of course, if the username is taken, you're asked to enter a different username. And of course, if the password you've chosen is in use by another user, your registration fails. No, I'm not kidding. Passwords had to be unique throughout the system. And judging by lists of user passwords I've seen, many users probably encountered this issue when trying to use a password of "password." The password field of the user table was also the primary key field, making it impossible to have duplicate passwords, and they were stored unencrypted to make the verification process easier. On the bright side, the original developers hadn't forgotten to set a unique constraint on the username, but Enrique was intrigued enough to email them and ask them about the architecture. They sent back a database diagram, and what Enrique saw next chilled him to the bone. The password field was used as the foreign key throughout the system.
To reiterate, every table that recorded a bit of user information used an unencrypted password to identify the user. A lot of words ran through Enrique's head, most of which can't be printed here. His biggest concern, though, was "what if the user wants to change their password?" See, most users have grown accustomed to luxuries like the ability to change their password. He fired back another email asking this very question. "Well, we'd first check that no one else was using that password. Then we run sp_change_password." sp_change_password consisted of a long list of UPDATE statements; one for each table that had any user related information in it. Any time new tables were added, they'd have to remember to update sp_change_password. None of these updates were done within a transaction. Enrique asked about referential integrity — if a field was updated, other tables would point to data that didn't exist anymore. "Oh, we had that problem the first time, so we removed all of the foreign key constraints in the database and it works now." Since referential integrity wasn't preserved, cascading updates were impossible, requiring sp_change_password to be built, but then referential integrity couldn't be preserved, and now the circle is complete. Enrique knew he'd have to push the other developers and let them know how bad of a design this was, so he pointed out possible system exploits. "Say someone made a script that'd create accounts like crazy, guessing different passwords each time. If a password error came back, they'd have a user's password. If a username error came back, they'd have a user's username. Eventually a matrix of usernames and passwords would be compiled, then it'd be a simple matter of attempting to log in." "Ohhh... umm... I guess you're right," was all the developer could muster. 
"But then we'd have to change every table to use a username as the foreign key, maybe even apply constraints on the server, and change the token each user carries throughout the application to be their username!" It was a major change, but Enrique insisted they do the work. The next day, the boss summoned Enrique to his office. "I hear there might be some major delays in our project, and I heard a funny rumor that you have something to do with it." ... if anyone is looking for employees, Enrique is looking for a job.
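The schema the story's developers should have had, as an added example (not code from the story or from the application it describes): a hypothetical surrogate-key design in which the username is UNIQUE, the password is stored as a salted hash, other tables reference user_id, a password change is a single transactional UPDATE, and registration only ever reports a username collision, so there is no password oracle to enumerate.

```python
import hashlib
import hmac
import os
import sqlite3

# Added example (not the story's code): a hypothetical replacement for the
# schema Enrique found. A surrogate key identifies the user, the username is
# UNIQUE, the password is stored as a salted hash, and other tables reference
# user_id, so a password change is one UPDATE and needs no sp_change_password.
SCHEMA = """
CREATE TABLE users (
    user_id       INTEGER PRIMARY KEY,
    username      TEXT NOT NULL UNIQUE,
    salt          BLOB NOT NULL,
    password_hash BLOB NOT NULL
);
CREATE TABLE listings (
    listing_id INTEGER PRIMARY KEY,
    user_id    INTEGER NOT NULL REFERENCES users(user_id),
    title      TEXT NOT NULL
);
"""
PBKDF2_ROUNDS = 100_000  # constructed value for the demo


def open_db():
    """In-memory SQLite database with foreign key enforcement switched on."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def register(conn, username, password):
    """Return the new user_id, or None if the username is taken. Passwords are
    never compared across accounts, so two users may both choose "password"."""
    salt = os.urandom(16)
    try:
        with conn:  # transaction: commits on success, rolls back on error
            cur = conn.execute(
                "INSERT INTO users (username, salt, password_hash) VALUES (?, ?, ?)",
                (username, salt, hash_password(password, salt)))
    except sqlite3.IntegrityError:
        return None  # only the username collides; nothing leaks about passwords
    return cur.lastrowid


def verify(conn, username, password):
    row = conn.execute("SELECT salt, password_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


def change_password(conn, username, old_password, new_password):
    """One UPDATE on one table inside a transaction; rows in listings still
    point at user_id, so no cascade and no per-table update list is needed."""
    if not verify(conn, username, old_password):
        return False
    salt = os.urandom(16)
    with conn:
        conn.execute("UPDATE users SET salt = ?, password_hash = ? WHERE username = ?",
                     (salt, hash_password(new_password, salt), username))
    return True


def add_listing(conn, user_id, title):
    with conn:
        conn.execute("INSERT INTO listings (user_id, title) VALUES (?, ?)",
                     (user_id, title))


def listings_for(conn, username):
    """Titles still join back to the user after a password change."""
    rows = conn.execute(
        "SELECT l.title FROM listings l JOIN users u ON u.user_id = l.user_id "
        "WHERE u.username = ? ORDER BY l.listing_id", (username,)).fetchall()
    return [title for (title,) in rows]


def demo():
    """The story's scenario replayed on the corrected schema (constructed data)."""
    conn = open_db()
    alice = register(conn, "alice", "password")
    assert register(conn, "bob", "password") is not None   # same password: fine
    assert register(conn, "alice", "other") is None        # username is unique
    add_listing(conn, alice, "Victorian writing desk")
    assert change_password(conn, "alice", "password", "correct horse battery staple")
    assert not verify(conn, "alice", "password")
    return listings_for(conn, "alice")  # ['Victorian writing desk']
```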
Student of Trinity (Magnificent Ornk), posted July 15, 2012: There was an XKCD strip a while ago that implied that longish pass-phrases that don't make any sense are the best way to go. The idea is that a string of six random words is like a sequence of six characters, but each drawn from a set of around 100,000 possible characters (i.e. words). Whereas if you use special characters and upper and lower case and numbers and so on, you're getting a set of maybe only 100 possible characters. So six random words should be about as good as 15 random characters. They'd take longer to type, since after all your string of random words amounts to a string of correlated letters without special characters, so you're ultimately just getting a secure password by having a very long password. But it's a very long password that is much easier to remember than a much shorter string of random characters, because it's easy to make up a crazy but memorable little story in which the random string of words somehow makes sense.
Randomizer (Hatchling Cockatrice), posted July 15, 2012: For a while I used six letter names created by Tolkien. Then one day I forgot my password and found out how many names fit that requirement. You are looking for a string that is long enough so a program can't get it by trying everything or running a table look up of all the words in a dictionary within a reasonable amount of time. However, limiting the number of tries works just as well.
Jerakeen (Easygoing Eyebeast), posted July 15, 2012: Here is a different perspective. Does anyone here use one of those applications?
Student of Trinity (Magnificent Ornk), posted July 15, 2012: No, but I'm thinking about it. It's essentially the strategy of putting all your eggs in one basket — and making sure it's a really good basket. You pick one master password, and you make it a real humdinger, probably by the XKCD method. Then this dedicated company generates tons of wacky gibberish passwords for you, and somehow keeps track of them all so that you don't have to. If that company ever gets cracked, you are toast, but as long as they stay secure, you're pretty much okay. Frankly, the other option is to decide it doesn't matter too much, anyway. Watch your credit card bills, and report any mysterious expenses as fraud right away. Don't post anything online that you don't want the world to see. I'm not sure what a hacker could really do with my online identities, anyway. Post embarrassingly foolish things here, I suppose; but I doubt anyone would be able to tell if they did.
BMA (Ineffable Wingbolt), posted July 15, 2012: That looks interesting; I'll try LastPass. UBB's random password generator had given me "iQrCFg" when I had forgotten mine. Not very creative, but I suppose with all those upper and lowercase letters it must be hard to get at. I had read somewhere that websites and software have become so secure that they can no longer be dictionary-attacked or trial-and-errored, and that the only sure-fire way of getting a person's password is through logging the person's keystrokes.
Actaeon (Well-Actually War Trall), posted July 15, 2012: This is all an underhanded plot to guess our passwords, isn't it BMA?
Aran (Magnificent Ornk), posted July 15, 2012: I know this story; I think it was on the Daily WTF some time back. Quote: The password field of the user table was also the primary key field making it impossible to have duplicate passwords, and they were stored unencrypted to make the verification process easier. This is... awesome. The only way to improve on it would be to tell users which other account has the password they tried to enter.
keira (Easygoing Eyebeast), posted July 15, 2012: http://howsecureismypassword.net/ Personally, I have one to two passwords that I use regularly. Then, for stuff like my domain registrar and some financial [censored], I use a more complex and absurdly long password. I just adore how my online banking password is less secure than my SW password, due to lameass password limits (Only up to 12 chars? Are you [censored] kidding me?). I use public-key authentication for all the important stuff, though. I actually started using the idea for more than email signing because it was more convenient. No passwords to dick with, just open ssh and it does the hoofwork.
Erebus the Black (Ineffable Wingbolt, thread author), posted July 15, 2012: Originally Posted By: Aʀᴀɴ I know this story; I think it was on the Daily WTF some time back. Quote: The password field of the user table was also the primary key field making it impossible to have duplicate passwords, and they were stored unencrypted to make the verification process easier. This is... awesome. The only way to improve on it would be to tell users which other account has the password they tried to enter. Finally someone bothered reading beyond the first two paragraphs.
Alorael at Large (Hatchling Cockatrice), posted July 15, 2012: I am required to have passwords with a company that has poor IT. So poor, in fact, that its online systems are fragmented and there are three separate accounts and passwords required. The account names all have different requirements. One is a string of numbers, one must be a full name, and one is a combination of initials and random number. The password requirements range from 8 characters with no restrictions to the usual draconian "must have a number, a capital letter, a symbol, and at least 8 characters, no words." Fine; I set all my passwords to the same exacting string. But then I learned the horrible truth: required password changes. One every month, one every three months, and one doesn't. Oh, and one of the things rejects new passwords if they match any previous password, but another rejects passwords for being similar to any of the last 50, by some arbitrary metric. Needless to say, this requires the password to be stored in plaintext somewhere. This is obviously the case, though, because the "I lost my password!" button just emails it back to you, again in plaintext. —Alorael, who can now never log into any of these places on the first try. He'd accept this if there were decent security, but security is neither necessary (there is no private information or payment involved) nor present (passwords in plaintext!). He'd like to brain all those responsible.
Dintiradan (Easygoing Eyebeast), posted July 15, 2012: These are my favourite kind of DailyWTF stories. Most of them have just one simple facepalm moment, but ones like these are a cavalcade of catastrophe. I also use public-key authentication when possible, but a problem I've had is trying to remember the login password when public key authentication is turned off (we had a hacking attempt in our department a while back). Remembering multiple passwords is easy when you use them on a regular basis, but if you haven't had to type in your password to log in for months, it's easy to forget. Which brings me to a related point: what do people think about writing passwords down? People like Bruce Schneier seem to be okay with it. I keep my list at home, not in my wallet, and only write down my less vital passwords (no banking passwords, for example). If someone breaks into my house, I've got more important things to worry about than someone getting my WebDip login information.
keira (Easygoing Eyebeast), posted July 15, 2012: I have all my passwords I could forget stored in an encrypted file on my machine. I never write anything down. And I absolutely never tell anyone my passwords either.
Trenton. (Easygoing Eyebeast), posted July 15, 2012: How did you know that my password is password? Nah. It's not. It would be too easy to have it like that. Nobody EVER gets my passwords. Giving them out is like, just asking for trouble.
The Mystic (Easygoing Eyebeast), posted July 15, 2012: I have about a dozen different passwords on various sites ranging from [sorry, I'm not telling] to [my lips are sealed] to [you've got to be kidding me] to here. Good luck figuring out any of my passwords without software, or even what most of them are for. Despite being written down, everything's been coded using a somewhat complex set of rules only I know and understand. Originally Posted By: !Pinkie Pie How did you know that my password is password? Nah. It's not. It would be too easy to have it like that. Of course it's not. Everyone knows your username is "password," and your password is "username."
nikki. (Magnificent Ornk), posted July 15, 2012: My password is usually "incorrect", so that if I forget it and guess wrong, my computer will just tell me the answer. (And, on the off-chance I stole this joke from here, pre-emptive apology postcards have been sent off.)
Dantius (Easygoing Eyebeast), posted July 15, 2012: Originally Posted By: Ephee My password is usually "incorrect", so that if I forget it and guess wrong, my computer will just tell me the answer. (And, on the off-chance I stole this joke from here, pre-emptive apology postcards have been sent off.) Did you know that UBB has a feature where it recognizes your password and, if you try to type it out on the boards, it blanks it out and replaces it with asterisks when you post it? It's true! Look, my password is ************. It shows up just fine in the "reply" box and the "Preview" window, but now it's been censored once I post. Clever. Who would have thought UBB had it in it?
nikki. (Magnificent Ornk), posted July 15, 2012: Originally Posted By: Dantius Did you know that UBB has a feature where it recognizes your password and, if you try to type it out on the boards, it blanks it out and replaces it with asterisks when you post it? It's true! Look, my password is ************. It shows up just fine in the "reply" box and the "Preview" window, but now it's been censored once I post. Clever. Who would have thought UBB had it in it? I've heard Facebook has a similar feature. Of course, typing in passwords is for chumps. I tend to just have my browser remember as many of mine as possible; the only one I ever have to manually type in is for my bank, but Firefox does remember my username for that.
Mea Tulpa (Hatchling Cockatrice), posted July 15, 2012: *puts on moderator hat* Please don't post your passwords, folks. That will lead to people abusing your account. People are making this story up to get you to make a fool of yourself. *takes off moderator hat*
Sullust (Easygoing Eyebeast), posted July 16, 2012: hunter2
keira (Easygoing Eyebeast), posted July 16, 2012: SexygoblinTimes_123$
The Ratt (Well-Actually War Trall), posted July 16, 2012: supercalifragilisticantspellthislongword........,
The Mystic (Easygoing Eyebeast), posted July 16, 2012: I believe the word you're trying to spell is supercalifragilisticexpialidocious. Which, by the way, is a helpful hint when remembering a password like "Super-Hyper_Narcoleptic.with.Extra-Halitosis."
Cairo Jim (Well-Actually War Trall), posted July 16, 2012: Pneumonoultramicroscopicsilicovolcanoconiosis.
Alorael at Large (Hatchling Cockatrice), posted July 16, 2012: My password is the same as my login name. You just have to guess both! —Alorael, who once used the same password on Desperance and Spiderweb. Alec gleefully then used his Spiderweb account. That particular password has long been retired.
Lilith (Hatchling Cockatrice), posted July 16, 2012: Originally Posted By: Dintiradan Which brings me to a related point: what do people think about writing passwords down? People like Bruce Schneier seem to be okay with it. I keep my list at home, not in my wallet, and only write down my less vital passwords (no banking passwords, for example). If someone breaks into my house, I've got more important things to worry about than someone getting my WebDip login information. If you're worried about having written passwords stolen but still want a reminder, you can always use steganography. My PIN for my old Visa card was stored in my desk drawer in the form of a short poem: the number of words in each line corresponded to a digit of the PIN. Originally Posted By: Archives of the Annals of Review —Alorael, who once used the same password on Desperance and Spiderweb. Alec gleefully then used his Spiderweb account. That particular password has long been retired. are you sure it was alec because he doesn't remember doing this
Dantius (Easygoing Eyebeast), posted July 16, 2012: Originally Posted By: Lilith Originally Posted By: Dintiradan Which brings me to a related point: what do people think about writing passwords down? People like Bruce Schneier seem to be okay with it. I keep my list at home, not in my wallet, and only write down my less vital passwords (no banking passwords, for example). If someone breaks into my house, I've got more important things to worry about than someone getting my WebDip login information. If you're worried about having written passwords stolen but still want a reminder, you can always use steganography. My PIN for my old Visa card was stored in my desk drawer in the form of a short poem: the number of words in each line corresponded to a digit of the PIN. That's kind of similar to how I store my passwords at work: I write them in Chinese numerals on a slip of paper, write an English version of some famous Chinese quote by Confucius or somebody, source it in English, and tack it up on my bulletin board. Then I just stick a post-it note with a phone number over half of it, and nobody's the wiser. Hidden in plain sight.
Randomizer (Hatchling Cockatrice), posted July 16, 2012: I wrote down my locker combination in a non-standard base number system. The numbers still looked like base 10, but it wouldn't work.
Rowen (Well-Actually War Trall), posted July 16, 2012: In high school I was able to get the lock on my locker set so that it would open anytime for anyone. I never even bothered knowing my combo past day 1. Everyone I knew did the same things to their lockers too.
Tyranicus (Understated Ur-Drakon), posted July 16, 2012: Originally Posted By: Rowen is off to the coast In high school I was able to get the lock on my locker set so that it would open anytime for anyone. I never even bothered knowing my combo past day 1. Everyone I knew did the same things to their lockers too. You could do this at my high school too, but people would walk down the hall turning the locks just to mess with everyone.
Cairo Jim (Well-Actually War Trall), posted July 16, 2012: I thought having lockers in high school was just a myth.
Tyranicus (Understated Ur-Drakon), posted July 16, 2012: Originally Posted By: Cairo Jim I thought having lockers in high school was just a myth. They may not be common in Australia, but they are a staple of high school in the US.
Erebus the Black (Ineffable Wingbolt, thread author), posted July 16, 2012: Originally Posted By: Rowen is off to the coast In high school I was able to get the lock on my locker set so that it would open anytime for anyone. I never even bothered knowing my combo past day 1. Everyone I knew did the same things to their lockers too. In high school I didn't have a locker.
Student of Trinity (Magnificent Ornk), posted July 16, 2012: I could tell you how I conceal my passwords. But then I'd have to kill you.
BMA (Ineffable Wingbolt), posted July 16, 2012: Originally Posted By: Cairo Jim I thought having lockers in high school was just a myth. I've seen lockers in English movies. Must be nice.
adc. (Unflappable Drayk), posted July 16, 2012: I've never had a locker. I carry every book in my bag. It is an excellent way to carry stuff. ----------- Most unique password: ... ----------- -Nightwatcher
JamesMighty (Garrulous Glaahk), posted July 16, 2012: My locker was broken in high school, so it looked like a lock was on it, but really you could open it with the lock on or not.
JamesMighty (Garrulous Glaahk), posted July 16, 2012: Originally Posted By: Rehctawthgin's Hoovy I've never had a locker. I carry every book in my bag. It is an excellent way to carry stuff. ----------- Most unique password: ... ----------- -Nightwatcher And how exactly do you type this in?!?
Alorael at Large (Hatchling Cockatrice), posted July 16, 2012: Originally Posted By: Lilith Originally Posted By: Archives of the Annals of Review —Alorael, who once used the same password on Desperance and Spiderweb. Alec gleefully then used his Spiderweb account. That particular password has long been retired. are you sure it was alec because he doesn't remember doing this I'm pretty sure it was Alec. I may have overstated a bit: his gleeful use was, if I remember right, one odd but not awful post before he let me know over AIM that I'd failed password security 101. It wasn't a particularly big incident. —Alorael, who used a strategy similar to Lilith's, except he made his passwords the first two or three words of lines of a poem he kept above his desk. He wasn't sure what he would do when he ran out of lines, but he stopped needing access to that particular system before he hit the last line.
Harehunter (Well-Actually War Trall), posted July 16, 2012: I have found that the acronyms I used in the army are quite cryptic-appearing, yet easy for me to remember. Changing case and adding numbers satisfies most security auditing algorithms. Then I would set up a repeating series of 5 or 6 variations. The trick is remembering which version of which acronym went with which application.
VCH (Easygoing Eyebeast), posted July 16, 2012: I don't worry about password security. You want to use my Spidweb account or read my email, go ahead, idk. (And by that I mean if you guess my password, good for you.)
JamesMighty (Garrulous Glaahk), posted July 17, 2012: Originally Posted By: Harehunter Changing case and adding numbers satisfies most security auditing algorithms. Then I would set up a repeating series of 5 or 6 variations. The trick is remembering which version went with which application. That's the same problem I have. My password is *(Capital if required)*******(and if it requires 1 number)*(if more)** Et cetera. But usually I enter random versions until it accepts.
The Mystic (Easygoing Eyebeast), posted July 17, 2012: Originally Posted By: Lilith If you're worried about having written passwords stolen but still want a reminder, you can always use steganography. My PIN for my old Visa card was stored in my desk drawer in the form of a short poem: the number of words in each line corresponded to a digit of the PIN. You know, that sounds pretty cool. I'm curious as to how you'd handle zero, though. Originally Posted By: Rowen is off to the coast In high school I was able to get the lock on my locker set so that it would open anytime for anyone. I never even bothered knowing my combo past day 1. Everyone I knew did the same things to their lockers too. I couldn't do this with my locker; I had to buy a combination lock. However, I found that if I slammed my locker door a certain way, I could just pull the lock open. I didn't do this too often, because one of the teachers hated loud noises, and my locker was near his classroom.
keira (Easygoing Eyebeast), posted July 18, 2012: People in my school would jam bits of paper into the lock mechanism to prevent it from closing. I did not partake, being a lucrative target for messing-with.
VCH (Easygoing Eyebeast), posted July 18, 2012: Are you guys talking half lockers or full lockers? My high school had half lockers that were I'd guess 3 feet in height. It was really awkward when someone tried to get to their locker which just so happens to be at about your crotch height. What's worse though is that nothing much fits in a half locker.
Randomizer (Hatchling Cockatrice), posted July 18, 2012: Originally Posted By: VCH What's worse though is that nothing much fits in a half locker. Try hanging up a full length coat in one. I think I left mine empty, which made it easier at the end of the year to clean it out.
A less presumptuous name. (Well-Actually War Trall), posted July 18, 2012: My high school had really narrow full lockers, for the most part. Of course, you got a locker close to (or almost close to) your homeroom class in freshman year and kept it for all four years. I knew which hallway mine was in, but since I was only in that part of the building for my freshman homeroom class and never again, it was never useful. I carried everything with me. Only a few people I knew used lockers.
The Mystic (Easygoing Eyebeast), posted July 19, 2012: My high school had full lockers about a foot wide/deep, and mine saw constant use. The textbooks alone weighed a total of about 40-50 pounds on average, and wheeled backpacks (or any bag with wheels, really) weren't allowed. Therefore, there was absolutely no way I'd carry all my stuff around.