[personal profile] venta

The other day, I was trying to sign into my Subway loyalty app. That's Subway the sandwich shop. They've changed their security model, and please would I pick a new password.

I have a generic password that I use for everything I don't really care about. It's a decent enough password (the sort of sites that tell you how strong your choice is usually put it at medium).

Subway rejected it: it had no capital letters. I tried a different one, which was rejected due to having no numbers. Ok, fine. I'll stick a capital in my generic password, and I'll doubtless forget I've done that and have to reset it in the future, but really who cares.

Subway rejected it because it had consecutive repeated characters. Wait, what? Does that rule actually achieve anything other than massively reducing the search space a potential hacker needs to hit?

To be honest, this is my feeling about all the "must have a capital" and "must have a numerical digit" rules. It's quite possible to produce a strong password with neither. By enforcing these, you're just making my password very slightly easier to brute force.

Of course, given the general approach to passwords (see Ashley Madison's list of cracked passwords) I appreciate that the rules are there for a reason.

But "no repeated letters"? I don't get it.
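To put a number on the search-space objection, here is an added example (not from the post): a counter for how many length-n passwords each composition rule leaves, assuming a constructed printable-ASCII alphabet (26 lower, 26 upper, 10 digits, 32 symbols). It handles any combination of "must contain class X" rules together with the "no consecutive repeated characters" rule, so it covers more cases than the post mentions; `count_passwords` and `bits_lost` are names chosen here.

```python
import math

# Constructed character-class sizes for a printable-ASCII password alphabet.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}


def count_passwords(length, classes=CLASSES, required=(), no_consecutive_repeat=False):
    """Count passwords of `length` built from `classes` that contain at least one
    character from every class in `required` and, if `no_consecutive_repeat`,
    never use the same character in two adjacent positions.

    Every character within a class is interchangeable, so the dynamic
    programme only needs to track (class of the last character, which
    required classes have appeared so far)."""
    names = list(classes)
    req = frozenset(required)
    states = {}
    for c in names:  # first position: any character of any class
        key = (c, frozenset({c}) & req)
        states[key] = states.get(key, 0) + classes[c]
    for _ in range(length - 1):
        nxt = {}
        for (last, seen), cnt in states.items():
            for c in names:
                # Staying in the same class loses exactly one choice (the
                # character just used) when adjacent repeats are banned.
                choices = classes[c] - (1 if no_consecutive_repeat and c == last else 0)
                if choices <= 0:
                    continue
                key = (c, seen | (frozenset({c}) & req))
                nxt[key] = nxt.get(key, 0) + cnt * choices
        states = nxt
    return sum(cnt for (_, seen), cnt in states.items() if seen == req)


def bits_lost(unconstrained, constrained):
    """Entropy (bits) a rule removes from a uniformly chosen password."""
    return math.log2(unconstrained / constrained)


if __name__ == "__main__":
    n = 8
    alnum = {k: CLASSES[k] for k in ("lower", "upper", "digit")}
    base = count_passwords(n, alnum)
    for label, kwargs in [
        ("no consecutive repeats", {"no_consecutive_repeat": True}),
        ("needs upper + digit", {"required": ("upper", "digit")}),
        ("both rules", {"required": ("upper", "digit"), "no_consecutive_repeat": True}),
    ]:
        c = count_passwords(n, alnum, **kwargs)
        print(f"{label:24s} {c:>20,d}  ({bits_lost(base, c):.3f} bits lost)")
```

For 8-character alphanumerics the no-repeat rule removes about 0.16 bits and the upper-plus-digit requirement about 0.43 bits, which is the "very slightly easier to brute force" of the post. The same function answers the question for any other rule set or alphabet by changing `classes` and `required`.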

Date: 2015-10-06 08:14 am (UTC)
From: [personal profile] lnr
Oh dear oh dear. To be honest nearly everything is in a password app for me these days, but I do have a completely rubbish password for random things I want to remember when not online to use the app (like wifi logins).

It's the Sparks one with the monkey, over and over and over and over.

Date: 2015-10-06 08:17 am (UTC)
From: [identity profile] venta.livejournal.com
Half a kudo for the monkey, but it ain't Sparks :) (Though I can see why you'd think it was.)

Date: 2015-10-06 08:24 am (UTC)
From: [personal profile] lnr
D'oh - I looked it up, of course. Brain not awake yet obviously :)

Date: 2015-10-06 08:41 am (UTC)
From: [identity profile] bopeepsheep.livejournal.com
I suspect this is why I keep having to retrieve/reset the password for certain sites: their requirements are incompatible with my general approach to passwords and the requirements of most other sites. Virgin Media are one offender: you should/must(?) have a number in it but it *cannot* be at the beginning of the password, which scuppers my usual "not that important" passwords - all start with a number (and some sites require you to start with a number). I suspect that when I set it up I used one of these and simply moved the number to the end ... but I've forgotten that so many times now that I end up just resetting it whenever I have to actually type it in.

They also asked me to type in my "phoning up" password (I was on the phone with them at the time and did check, this was correct!) and it kept rejecting. Because the guy on the phone repeatedly neglected to mention that their system had recorded it in ALLCAPS and run all the components of it together so instead of Word NUMBER Word I had to enter WORDNUMBERWORD. Which makes sense - except that when I set it up originally they said the spaces were fine, and it would strike me as the kind of thing that is rather important to tell the customer if you're trying to fix a major problem by getting them to do this.
Edited Date: 2015-10-06 08:42 am (UTC)

Date: 2015-10-06 09:00 am (UTC)
From: [identity profile] vicarage.livejournal.com
I never understand why companies with such petty financial reward systems like Subway think their password systems need to be complex. Surely they realise the difference between defrauding me of £1000s, or a sandwich.

I have a petty password (with variants for annoying companies) which I put in a wiki page (protected by stronger password). Most of it is 32 years old, the end bit only 25 years old.

I have a stronger password which is a decade old.

I have individual passwords for the real money, written with gaps on a piece of paper on my desk.

Date: 2015-10-06 09:08 am (UTC)
From: [identity profile] venta.livejournal.com
If you had my Subway password (and the email address I gave them, which is not my regular address) and could sign into my account you'd get my name, full address and birthday. As well as my free sandwich. So I should be pleased they are taking security seriously.

Back in the days when I used to dash through Reading station on the way to dance practice, I ate at Subway sufficiently frequently that the rewards were actually pretty good value. Nowadays I do it so infrequently it probably isn't worth bothering.

Date: 2015-10-06 10:52 am (UTC)
From: [identity profile] venta.livejournal.com

Of course, the strength of my password is borderline irrelevant if (for example) they store it themselves in plaintext.

Date: 2015-10-06 09:51 am (UTC)
From: [identity profile] drdoug.livejournal.com
I've also seen requirements for passwords not to have repeated numbers, or consecutive numbers, or numbers that it deems to be dates or parts thereof (!) and, of course, for them not to have rude words or parts of rude words in them.

There's also the fun problem when passwords are required to have or not have non-alphanumeric characters. And of course which characters fall into which of the three groups (must not use, may use, must use at least N of) is massively variable.

And don't get me started on password recovery questions.

This sort of malarkey is why I gave up my old password system for a password manager. It's great. So much better for practical convenience, and also (probably) more secure. It turns out I was using my old system for ~200 passwords. Now I have >300, but it's waaaay less bother and mental effort. I don't need to worry about signing up for a new account somewhere - it's easy.

Date: 2015-10-06 10:28 am (UTC)
From: [identity profile] venta.livejournal.com

I use a password manager at work (it's a shared one as we have hundreds and hundreds of passwords that multiple of us need to know). It's a massive pain in the arse to use. Although in fairness some of that is because my colleagues store nonsense in it.

I have a terrible fear of password managers... What if it breaks? What if I need to sign into something somewhere it isn't available? But I concede they probably are the way forward.

Date: 2015-10-06 11:14 am (UTC)
From: [personal profile] shermarama
I can't reconcile myself to password managers either - and every so often, while out and about with my ex who used one, there would be situations where he couldn't log in to something and I could, and I'm afraid I'd be terribly smug about it.

Date: 2015-10-06 12:47 pm (UTC)
From: [identity profile] venta.livejournal.com
I'm usually smug, but of late I've had a few serious forgetting incidents.

Including this morning, when I inexplicably couldn't remember the password for the server I've been happily logging into most work days for 18 months.

(Or, rather, I could remember it but was for some reason persistently transposing two characters when I typed it.)

Date: 2015-10-08 04:39 pm (UTC)
From: [identity profile] damerell.livejournal.com
Plus presumably we are just waiting for the first widespread compromises of password managers. (Indeed, I'm amazed it hasn't already happened, except presumably the NSA, GCHQ, etc have done it and aren't letting us know about it).

I have a simple site-name-based permutation of my standard password for things I don't really care about too much.

Date: 2015-10-06 12:12 pm (UTC)
From: [identity profile] hirez.livejournal.com
Ha. We were restarting some Important Kit the other week, which needed a p/w that I did not have.

'It's in the password manager!'

'Yes, it is. Starred out. Which is fine. However, that's not going to work when I plug in a screen & keyboard to the machine in the server room, is it?'

'Ah.'

Date: 2015-10-06 10:40 am (UTC)
From: [identity profile] divergentcodex.livejournal.com
Please excuse me while I set up a farm of machines in the cloud, devoted to cracking your Subway password, because I could really do with a sandwich, and that's far easier than walking in the shop and buying a damn sandwich. Passwords are stupid.

Date: 2015-10-06 12:58 pm (UTC)
From: [identity profile] venta.livejournal.com
Ha! After all that effort, you will discover that I currently have a balance of zero points and am not even due a freebie :)

Date: 2015-10-06 10:58 am (UTC)
From: [identity profile] zhuhell.livejournal.com
Übergeek

Date: 2015-10-06 12:51 pm (UTC)
From: [identity profile] venta.livejournal.com
Nice (though I had to Google 'STATOY' :)

I recently had to talk to an incidence of telephone banking. I had no memory of having ever set up a password, or answers to any security questions.

Quite surprisingly, once I'd jumped through some extra security hoops, the lady on the other end told me what my answers to a "memorable word" and "memorable place" had been. They weren't the defaults of Mother's-maiden-name and place-of-birth, which she'd suggested.

However, they were clearly mine. I do remember the place, and the word made me laugh out loud at my own joke. So well done, past-me. I now imagine it will be another five years or so before I need to phone them again, and we can do this whole thing again.

Date: 2015-10-06 04:55 pm (UTC)
From: [identity profile] ringbark.livejournal.com
So why didn't you tell us that STATOY is "saw this and thought of you"? That way, I wouldn't have needed to Google it too.

Date: 2015-10-06 07:11 pm (UTC)
From: [identity profile] exspelunca.livejournal.com
Following an appalling breach of security on their part (it could have caused a divorce if Sir hadn't been aware of what I was doing) I won't talk to my bank on the phone so, when they did ring me, I wasn't sure it was the bank and asked them security questions. Did it ever freak them!

Page generated Jul. 3rd, 2025 10:20 am
Powered by Dreamwidth Studios