The joy of repetition really is in you
The other day, I was trying to sign into my Subway loyalty app. That's Subway the sandwich shop. They've changed their security model, and please would I pick a new password.
I have a generic password that I use for everything I don't really care about. It's a decent enough password (the sort of sites that tell you how strong your choice is usually put it at medium).
Subway rejected it: it had no capital letters. I tried a different one, which was rejected due to having no numbers. Ok, fine. I'll stick a capital in my generic password, and I'll doubtless forget I've done that and have to reset it in the future, but really who cares.
Subway rejected it because it had consecutive repeated characters. Wait, what? Does that rule actually achieve anything other than massively reducing the search space a potential hacker needs to hit?
To be honest, this is my feeling about all the "must have a capital" and "must have a numerical digit" rules. It's quite possible to produce a strong password with neither. By enforcing these, you're just making my password very slightly easier to brute-force.
Of course, given the general approach to passwords (see Ashley Madison's list of cracked passwords) I appreciate that the rules are there for a reason.
But "no repeated letters"? I don't get it.
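To put numbers on the search-space point above, here is an added example (not part of the original post) that counts how many candidate passwords survive each composition rule and how many bits of search space are lost. "No consecutive repeated characters" has the closed form k·(k−1)^(n−1) for alphabet size k and length n; "must contain at least one character of a class" is counted by subtracting the strings that avoid the class. The alphabet size 62 (a–z, A–Z, 0–9) and length 10 are assumed for illustration, and a brute-force enumeration on a tiny alphabet cross-checks the formulas.

```python
import math
from itertools import product


def count_no_adjacent_repeats(alphabet_size: int, length: int) -> int:
    """Strings of `length` over `alphabet_size` symbols with no two equal neighbours."""
    if length == 0:
        return 1
    # first position is free; each later position must differ from its predecessor
    return alphabet_size * (alphabet_size - 1) ** (length - 1)


def count_with_required_class(alphabet_size: int, class_size: int, length: int) -> int:
    """Strings that contain at least one symbol from a required class (e.g. a capital)."""
    # all strings minus the strings built only from symbols outside the class
    return alphabet_size ** length - (alphabet_size - class_size) ** length


def bits_lost(unconstrained: int, constrained: int) -> float:
    """How many bits of brute-force search space the rule removes."""
    return math.log2(unconstrained) - math.log2(constrained)


def report(alphabet_size: int = 62, capitals: int = 26, digits: int = 10, length: int = 10) -> dict:
    """Bits lost under each rule, for an assumed alphabet of 62 symbols and length 10."""
    total = alphabet_size ** length
    return {
        "no_adjacent_repeats": bits_lost(total, count_no_adjacent_repeats(alphabet_size, length)),
        "must_have_capital": bits_lost(total, count_with_required_class(alphabet_size, capitals, length)),
        "must_have_digit": bits_lost(total, count_with_required_class(alphabet_size, digits, length)),
    }


def exhaustive_no_adjacent_repeats(alphabet: str, length: int) -> int:
    """Cross-check of the closed form by enumerating every string over a small alphabet."""
    return sum(1 for s in product(alphabet, repeat=length)
               if all(a != b for a, b in zip(s, s[1:])))


def exhaustive_with_required_class(alphabet: str, required: str, length: int) -> int:
    """Cross-check of the class-count formula by enumeration."""
    return sum(1 for s in product(alphabet, repeat=length) if any(c in required for c in s))


if __name__ == "__main__":
    for rule, bits in report().items():
        print(f"{rule}: {bits:.3f} bits of search space removed")
```

Running it shows each rule removes well under a quarter of a bit at length 10, i.e. each one makes exhaustive guessing only marginally cheaper.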
no subject
It's the Sparks one with the monkey, over and over and over and over.
no subject
They also asked me to type in my "phoning up" password (I was on the phone with them at the time and did check, this was correct!) and it kept rejecting. Because the guy on the phone repeatedly neglected to mention that their system had recorded it in ALLCAPS and run all the components of it together so instead of Word NUMBER Word I had to enter WORDNUMBERWORD. Which makes sense - except that when I set it up originally they said the spaces were fine, and it would strike me as the kind of thing that is rather important to tell the customer if you're trying to fix a major problem by getting them to do this.
no subject
I have a petty password (with variants for annoying companies) which I put in a wiki page (protected by a stronger password). Most of it is 32 years old, the end bit only 25 years old.
I have a stronger password which is a decade old.
I have individual passwords for the real money, written with gaps on a piece of paper on my desk.
no subject
There's also the fun problem when passwords are required to have or not have non-alphanumeric characters. And of course which characters fall into which of the three groups (must not use, may use, must use at least N of) is massively variable.
And don't get me started on password recovery questions.
This sort of malarkey is why I gave up my old password system for a password manager. It's great. So much better for practical convenience, and also (probably) more secure. It turns out I was using my old system for ~200 passwords. Now I have >300, but it's waaaay less bother and mental effort. I don't need to worry about signing up for a new account somewhere - it's easy.