venta ([personal profile] venta) wrote 2015-10-06 09:07 am

The joy of repetition really is in you

The other day, I was trying to sign into my Subway loyalty app. That's Subway the sandwich shop. They've changed their security model, and please would I pick a new password.

I have a generic password that I use for everything I don't really care about. It's a decent enough password (the sort of sites that tell you how strong your choice is usually put it at medium).

Subway rejected it: it had no capital letters. I tried a different one, which was rejected due to having no numbers. OK, fine. I'll stick a capital in my generic password, and I'll doubtless forget I've done that and have to reset it in the future, but really, who cares.

Subway rejected it because it had consecutive repeated characters. Wait, what? Does that rule actually achieve anything other than massively reducing the search space a potential hacker needs to hit?

To be honest, this is my feeling about all the "must have a capital", "must have a numerical digit" rules. It's quite possible to produce a strong password with neither. By enforcing these, you're just making my password very slightly easier to brute force.

Of course, given the general approach to passwords (see Ashley Madison's list of cracked passwords) I appreciate that the rules are there for a reason.

But "no repeated letters"? I don't get it.
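As an added worked example (not from the original post), the Python below counts how much of the search space each of the three rules described above actually removes for an attacker who knows the policy and only tries compliant strings. It also encodes the three rejections as a checker. The alphabet (26 lowercase, 26 uppercase, 10 digits, no symbols) and the fixed length are assumptions for the sake of the arithmetic; the post says nothing about which characters Subway accepts.

```python
from collections import defaultdict
from math import log2

# Assumed alphabet: the post never says which characters Subway accepts.
CLASSES = {"lower": 26, "upper": 26, "digit": 10}
REQUIRED = ("upper", "digit")   # the "must have a capital" / "must have a digit" rules

# The three rejections described in the post, as predicates on a candidate.
RULES = {
    "no uppercase letter": lambda pw: not any(ch.isupper() for ch in pw),
    "no digit": lambda pw: not any(ch.isdigit() for ch in pw),
    "consecutive repeated characters": lambda pw: any(a == b for a, b in zip(pw, pw[1:])),
}


def policy_violations(pw):
    """Return the names of the rules that would reject `pw`."""
    return [name for name, broken in RULES.items() if broken(pw)]


def count_compliant(length, classes=CLASSES, required=REQUIRED,
                    forbid_consecutive_repeat=True):
    """Count strings of exactly `length` characters that contain at least one
    character from every class in `required` and, if asked, never place the
    same character in two adjacent positions.

    Dynamic programme keyed on (class of previous character, required classes
    seen so far).  Only the previous character's *class* matters: a successor
    from the same class has size-1 legal choices (anything but the previous
    character), a successor from another class has the whole class.
    """
    req = frozenset(required)
    state = defaultdict(int)
    for cls, size in classes.items():
        state[(cls, frozenset([cls]) & req)] += size
    for _ in range(length - 1):
        nxt = defaultdict(int)
        for (last, seen), ways in state.items():
            for cls, size in classes.items():
                choices = size - 1 if (forbid_consecutive_repeat and cls == last) else size
                if choices > 0:
                    nxt[(cls, seen | (frozenset([cls]) & req))] += ways * choices
        state = nxt
    return sum(ways for (_, seen), ways in state.items() if seen == req)


def keyspace_report(length):
    """Compare the unconstrained keyspace with what survives each rule."""
    full = sum(CLASSES.values()) ** length
    rows = {
        "no rules": full,
        "no consecutive repeat only": count_compliant(length, required=()),
        "capital + digit only": count_compliant(length, forbid_consecutive_repeat=False),
        "all three rules": count_compliant(length),
    }
    return {name: {"count": n, "fraction": n / full, "bits_lost": log2(full / n)}
            for name, n in rows.items()}


if __name__ == "__main__":
    # Constructed sample passwords, not anything from the post.
    for pw in ("correcthorse", "Password1", "Pa5sword"):
        print(f"{pw!r}: rejected for {policy_violations(pw) or 'nothing'}")
    for name, r in keyspace_report(8).items():
        print(f"{name:28s} {r['count']:>18d}  {r['fraction']:.3f} of keyspace, "
              f"{r['bits_lost']:.2f} bits lost")
```

For length 8 the "no consecutive repeat" rule alone keeps 62 × 61^7 of the 62^8 strings (about 89%), and all three rules together still cost the attacker well under one bit. The shrinkage the post worries about is real but small; the larger effect, which the post itself illustrates, is that users answer such rules with predictable edits like capitalising one letter of a password they already reuse.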

[identity profile] venta.livejournal.com 2015-10-06 10:28 am (UTC)

I use a password manager at work (it's a shared one, as we have hundreds and hundreds of passwords that multiple of us need to know). It's a massive pain in the arse to use. Although in fairness some of that is because my colleagues store nonsense in it.

I have a terrible fear of password managers... What if it breaks? What if I need to sign into something somewhere it isn't available? But I concede they probably are the way forward.


[personal profile] shermarama 2015-10-06 11:14 am (UTC)
I can't reconcile myself to password managers either - and every so often, while out and about with my ex who used one, there would be situations where he couldn't log in to something and I could, and I'm afraid I'd be terribly smug about it.

[identity profile] venta.livejournal.com 2015-10-06 12:47 pm (UTC)
I'm usually smug, but of late I've had a few serious forgetting incidents.

Including this morning, when I inexplicably couldn't remember the password for the server I've been happily logging into most work days for 18 months.

(Or, rather, I could remember it but was for some reason persistently transposing two characters when I typed it.)

[identity profile] damerell.livejournal.com 2015-10-08 04:39 pm (UTC)
Plus presumably we are just waiting for the first widespread compromises of password managers. (Indeed, I'm amazed it hasn't already happened, except presumably the NSA, GCHQ, etc have done it and aren't letting us know about it).

I have a simple site-name-based permutation of my standard password for things I don't really care about too much.

[identity profile] hirez.livejournal.com 2015-10-06 12:12 pm (UTC)
Ha. We were restarting some Important Kit the other week, which needed a p/w that I did not have.

'It's in the password manager!'

'Yes, it is. Starred out. Which is fine. However, that's not going to work when I plug in a screen & keyboard to the machine in the server room, is it?'

'Ah.'