• We have gone insane


    Your password must:

    • be 15 to 30 characters long
    • contain at least two uppercase letters (A-Z)
    • contain at least two lowercase letters (a-z)
    • contain at least two numbers (0-9)
    • contain at least two of the following special characters: #@$%^!*+=_
    • change at least four characters from your previous password

    Your password cannot:

    • contain spaces
    • be one of your last ten previous passwords


    • Ah. At Ohio State, the change-password robot can also spot actual words (e.g., “dog_owner_42”) and rejects those as well.

      • That’s unfortunate. According to security experts I know, when you take into account the memorability-guessability tradeoff, you are actually considerably more secure if your password is a randomized string of whole words rather than a jumble of characters following these kinds of rules.

        • I don’t see why using words, randomly ordered or not, is
          more secure than a jumble of characters, assuming they are equal
          length strings. Maybe easier to remember, but anything containing
          whole words is vulnerable to dictionary attacks. If a hacker is
          able to steal password hash values from a system, they can rapidly
          test strings containing whole words using a program to generate
          millions of possibilities. The fact that passwords, chosen for
          memorability, are commonly combinations of whole words is the key
          to success for such attacks. Longer passwords are safer than short
          ones. Randomly ordered words are safer than well known phrases.
          Expanding the alphabet with upper and lower case, digits,
          punctuation, and special symbols increases safety. But most safe is
          a long string with no words appearing in a dictionary, a jumble of
          characters as you put it.

    • First class absurdity, all right.

      But the requirement of at least 4 characters being changed suggests that whatever system is being described has to store the original password.

      So…??? That means that any hacker who finds the password file immediately has all users’ credentials, plus any patterns each user favors in setting them (i.e., if the password must change monthly, putting the month name at the end of some shorter password root).

      Normally, password systems store not the password itself, but a “hash” made through a specific scrambling process. By checking a hash of what the user types in each time against the stored hash, the user can be verified easily and quickly. But the file of hashes (if the scrambling process is robust) cannot be tortured to reveal what the original password was. Any given hash might have been constructed from any one of millions of inputs.

      Specifically, it’s not possible to distinguish whether the password differs in at least 4 characters from a previous password, merely by comparing their hashes.

      So either this set of rules is apocryphal or else reflects a sadistic intent to make passwords as difficult as possible, while actually (presumably, stupidly) lowering security. Absent knowing the provenance of these rules, I’ll guess the former—entertaining fiction, the product of frustrated creativity.

      • No, the system only needs to know the old password at the time it is changed to validate the new password.

        • Thanks for the point. I still wonder what system demands
          such excruciatingly-difficult-to-follow rules, yet is not protected
          by a more robust setup such as requiring
          three-factor-authentication, access only from within a VPN, etc.
          Assuming that these passwords are required to be reset fairly
          frequently (why worry about the last ten if they’re years old),
          then the password will be written down or stored in a password
          vault, which raise new vulnerabilities. So where do these rules
          come from?

    • Get a password manager, such as lastpass. It will generate passwords, remember usernames and passwords and automatically fill them in on web sites. It makes the whole process much easier.

      The good password managers are protected by high end encryption. They improve security and usability.

      Consider two-factor authentication for important sites (if they support it).

      And yes, this is insane.

      • Agreed. Firefox’s password manager does the trick, at least for web applications.

        It is not absurd to require secure passwords. Of course, using all those character classes isn’t sufficient to make it secure. Nonsensical passphrases are best, like DumplingRaw4Straw.

    • Ours is no longer a password.

      Passphrase requirements:
      – Contain at least 15 and no more than 127 characters.
      – Use at least four unique characters (letters, numbers, or symbols).
      – Use at least four words. “Word” is defined here as two or more distinct letters; words must be separated by one or more spaces or other non-letters, not including numbers or the underscore character ( _ )

    • This is where the Oxford Book of English Verse (or having memorized a lot of poetry) can come in handy. For example, the first letter of each word from Sir John Suckling’s “A Doubt of Martyrdom,” three lines at a time, will give you all the letters you need; you can use the line numbers to supply the numbers, and then you just have to rotate the damn special characters. If you have to change your password every month, this poem, 35 lines long, will last you almost a year.

      Ofshlg1Skup2Sftsb3@# is pretty cryptic and should satisfy the IT folks. At the end of the year, you will have meomrized the poem. Then you can start over and use it again, since ten passwords will have gone by.

      The Yale Book of American Verse will work too. Fitz-Greene Halleck’s “Marco Bozzaris” is not likely to be easy for anyone but you to guess; it is over 110 lines and will last you a good long while.

      If you know other languages, Rilke or Baudelaire or Goethe will generate similarly cryptic passwords.

      Insanity can be overcome with poetry.

    • Send this to your IT admin: http://xkcd.com/936/

    • Someone at work helped me out by mentioning that when you type upper case characters you should hold the shift-key down measurably before you hit the character because if you type too fast it won’t register the shift-key and will reject your string.

    • Now you know why healthcare.gov is having so many problems.

    • Here is some help:

      How to choose secure passwords:


      Program to store multiple passwords in encrypted form so only you can access them with a single master password:


    • The main reason that password restrictions are growing is due to the ease which which shorter passwords can be cracked, somewhat regardless of hashing and/or encryption methods, using widely available password hash dictionaries–which allow hackers/crackers to identify passwords based on hash results of thousands of commonly used passwords and password variations.

      Believe me when I say that the increasing password requirements seem daunting, but they are not there for we IT geeks to haze you.

      I recommend using the caps-lock key to group lower and upper case letters together into like-cased words to generate the bulk of your password (as a pass phrase) and mix in your numbers and special characters to take care of the rest.

      You might find it interesting to know that a 3 to 5 word long pass phrase, totaling 20 characters, is more difficult to crack than the standard “15+ characters, 2 upper, 2 lower, 2 number, 2 special character” requirement.

    • Complex passwords with numbers and upper and lower case letters may reduce hacking from outsiders, but they greatly increase the risk of inside jobs.

      Because if someone can’t remember their password, they write it down, usually next to the computer, making it easy for relatives or others with access to the house to get into accounts. One of my relatives does this. Right next to the computer is a nice list: Account, Username, Password.

      And sure, those passwords are long, have upper and lower case, numbers and no words. They’ll pass any filter a company can devise. But if I wanted to steal my relative’s money, I just have to get my phone out of my pocket, take a snapshot. 3 seconds and I have access to all bank and shopping accounts.

      • This is why a secure encrypted password storage program is
        so important. This free open source program, Password Safe, by
        Bruce Schneier is excellent: https://www.schneier.com/passsafe.html
        It will store passwords encrypted, together with associated user
        and website info, can generate new secure ones, and makes it easy
        to use complex passwords by providing a button that transfers them
        temporarily to the clipboard for pasting into a password field. It
        then clears the clipboard automatically after a few seconds for
        security. There are free Windows and Linux versions, and also for a
        variety if other systems, and a Mac and iOS app are available
        (these have a small cost. I’m not the developer).

    • Not directly related to the discussion, but one suggestion
      I heard and found useful is to have two standard strings, and for
      each site, insert a unique code. For example, if you have a Wells
      Fargo checking account password would be WFCA. Then you only have
      to remember the two strings, and don’t have to write anything down.
      And when someone, say Adobe, messes up and all their users
      passwords become public, you won’t be in immediate

    • Oops. My BNF angle brackets were taken to be HTLM. That’s:

    • Simpler solution:use simple passwords, or none, and never use anything that could be damaging if someone got your password.

      realisticlly though, users will always be on the losing side of the battle between them and crackers.