r/mildlyinfuriating Mar 08 '16

[Overdone] Fuck it, hackers win.

14.6k Upvotes

992 comments

2.0k

u/buttonstoyou Mar 08 '16

How about I just go to a new website, how about that.

1.6k

u/King_Baboon Mar 08 '16

That's what makes it even more infuriating. This is a government site where I have to take mandatory training.

494

u/[deleted] Mar 08 '16 edited Mar 09 '16

Well there it is. It's a government website. It needs to be secure. Password restrictions have always annoyed me on websites where it's just my shit that's going to get fucked. Yes, all of these restrictions will make my shit more secure, but if I want my password to be hunter12 then that should be my prerogative. But on a government website it makes sense.

Edit: politeness

Edit 2: Jesus fucking Christ I get it. These types of passwords are more susceptible to brute force passwords. I don't need 20 of you motherfuckers to tell me the same damn thing.

155

u/Toribor Mar 08 '16 edited Mar 08 '16

Password strength should be measured by bits of entropy, not arbitrary limitations. These forced limitations actually reduce the amount of possible combinations making brute forcing easier. Also, people are likely to compensate for the difficult restrictions by just writing it down. Maybe not a big deal for a one-off government website, but forcing password restrictions like this for a bank account means someone is just going to write it down on a piece of paper or save it in their phone which makes it that much easier for someone to get access to it.
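Added example, not from the thread or any of the posters: this script puts numbers on the two claims above (composition rules shrink the search space; a short length cap or silent truncation shrinks it much more) and ends with the check you would run against a site you suspect of truncating. The character-class sizes, the 8-character limit and the simulated backend are all assumptions made for the example.

```python
import hashlib
import math
from itertools import combinations

# Character classes of printable ASCII as a composition policy sees them.
# Assumed for the example: 26 + 26 + 10 + 33 = 95 printable characters.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def count_with_required_classes(length, class_sizes, required):
    """Number of strings of `length` over the union of all classes that contain
    at least one character from every class in `required`.
    Inclusion-exclusion: subtract strings missing one required class, add back
    those missing two, subtract those missing three, and so on."""
    alphabet = sum(class_sizes.values())
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            remaining = alphabet - sum(class_sizes[c] for c in missing)
            total += (-1) ** k * remaining ** length
    return total


def policy_bits(length, class_sizes=CLASSES, required=()):
    """Search space under a composition rule, as bits of entropy for a
    uniformly random choice (log2 of the number of allowed passwords)."""
    return math.log2(count_with_required_classes(length, class_sizes, required))


def truncated_bits(typed_length, stored_length, alphabet_size):
    """Bits an attacker actually faces when the backend keeps only the first
    `stored_length` characters: everything typed beyond that is never checked."""
    return min(typed_length, stored_length) * math.log2(alphabet_size)


def compare_policies():
    """Side-by-side keyspaces for the situations mentioned in the thread."""
    return {
        "8 chars, any printable": policy_bits(8),
        "8 chars, must use all 4 classes": policy_bits(8, required=tuple(CLASSES)),
        "8 chars max, lowercase+digits only": policy_bits(8, {"lower": 26, "digit": 10}),
        "12 chars typed, silently truncated to 8 (36-char alphabet)": truncated_bits(12, 8, 36),
        "4 random words from a 7776-word list": 4 * math.log2(7776),
    }


class TruncatingBackend:
    """Simulated login backend that silently keeps only the first 8 characters,
    i.e. the behaviour complained about below. Constructed for the example;
    the unsalted SHA-256 is a stand-in, not a recommendation."""
    LIMIT = 8

    def __init__(self):
        self._users = {}

    def _digest(self, password):
        return hashlib.sha256(password[: self.LIMIT].encode()).hexdigest()

    def register(self, user, password):
        self._users[user] = self._digest(password)

    def login(self, user, password):
        return self._users.get(user) == self._digest(password)


def detects_silent_truncation(backend, user="alice", password="correcthorsebattery"):
    """Practitioner's check: register a long password, then log in with an
    8-character prefix and with the prefix plus junk. If both succeed, the
    site is discarding everything after character 8 without telling you."""
    backend.register(user, password)
    prefix = password[:8]
    return backend.login(user, prefix) and backend.login(user, prefix + "ZZZZ")


if __name__ == "__main__":
    for name, b in compare_policies().items():
        print(f"{b:6.2f} bits  {name}")
    print("silent truncation detected:", detects_silent_truncation(TruncatingBackend()))
```

The "must use all 4 classes" row comes out roughly a bit lower than the unrestricted row (the rule throws away about half of all 8-character strings), while the bank's 8-character lowercase-plus-digits cap costs over eleven bits, and a 12-character password truncated to 8 is worth exactly as much as an 8-character one.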

15

u/Lifeguard2012 Mar 08 '16

My bank requires a "passphrase" instead of a password. Pretty awesome IMO.

11

u/Foef_Yet_Flalf Mar 08 '16

Something like "I fucked OP's mom while majoring in Environmental Science"? With words and such?

17

u/[deleted] Mar 08 '16

Which is why I said it annoys me when it's just my shit. I should get to pick exactly what password I want for my bank account. I agree with that point.

14

u/SaffellBot Mar 08 '16

I was pretty upset at work that a shit-ass government website we used to document unclassified training had requirements like that, but my fucking bank was letters and numbers only, 8 characters max, no upper case.

11

u/evoblade Mar 08 '16

At least they told you instead of silently truncating at 8 characters.

Maybe that's not a good thing. I'm not sure.

1

u/[deleted] Mar 09 '16

TD Bank truncates at 8 characters for their online crap. I left about 6 months ago, so maybe they fixed it.

12

u/[deleted] Mar 08 '16

That's reason enough to switch banks.

1

u/shelchang Mar 08 '16

You're not with Schwab, are you?

9

u/littlecat84 Mar 08 '16

My bank makes you use your account number as your login name. I have to have a written copy of the number every time I want to access my online account. So secure!

17

u/diamond Mar 08 '16

Well, it's not like your account number is some huge secret. You give it out any time you write a check.

2

u/zanotam Mar 08 '16

All of Europe and a decent amount of the younger adults in North America don't exactly write checks often.....

6

u/diamond Mar 08 '16

But they can. And if they do, their account number is written on the check. Therefore, an account number should never be treated as confidential or secret information.

1

u/zanotam Mar 08 '16

Doesn't make it fun to remember though which I believe is the problem with using it as a username :p

4

u/TokyoJokeyo Mar 08 '16

Substitute "make an electronic funds transfer" for "write a check" if you like, but it's still true.

1

u/arbivark Mar 09 '16

I have a checking account, but no checks. I found checks were too easily stolen and forged. They were pieces of paper stored in a drawer. These password systems make it far more likely people will write it on a piece of paper and store it in a drawer where a thief will look for it.

2

u/Cobra_McJingleballs Mar 08 '16

I'm not even that old and remember memorizing friends' phone numbers in case you were calling away from home (where your phone book was).

Seems like memorizing something as important as a bank account # wouldn't be too demanding. And if you're worried about having to have a written version of it every time you login, it's already on every personal check in your checkbook.

2

u/[deleted] Mar 08 '16

You should easily be able to remember your bank account number if you log in with any kind of regularity. I know my bank account number, the login number, and credit card number.

1

u/Fillyfiddler69 Mar 08 '16

Yeah but that's just the login name. That's not what needs to be secure. Your PIN/password needs to be secure and not written down anywhere. (And weird regulations make people write down passwords.)

1

u/seal_eggs Mar 09 '16

Memorize your SSN, bank account number, and similar. It's not even very difficult and saves loads of time. Imagine if you had to look up your phone number every time you wanted to give it to someone.

1

u/dontknowmeatall OBAMA DID NOTHING WRONG Mar 09 '16

Mine uses that but as password you need both your PIN number (shout-out to all haters of the term "PIN number") and a randomised code that they send to your phone every time you log in.

3

u/[deleted] Mar 08 '16

Bits of entropy is a great way of measuring potential security, but a horrible way of measuring actual security.

This all goes without saying, but people won't use a difficult password out of generosity to your system. If you say "make a password" and you make no restrictions, you maximize entropy mathematically - my password could be '$A&FruitBalloon*<F12>@R{Sunglasses Emoji}<pageUp>', or it could be 'password'. And most people are not going to use the first when the second is so much simpler.

If you think of the search space as a one-dimensional graph in arbitrary units of complexity, then a graph going from 0 to infinity but having most of the passwords in the first ten 'units', vs a graph going from one to one hundred and having none in the first ten and most in the 50s: the second is a more secure system.

You shouldn't measure password strength by how secure it could be, but by their worst and average cases, because a hacker doesn't succeed when they find every single password, they succeed when they find just one.
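Added example, not from the thread or any of the posters: the comment above is the distinction between entropy of the possible passwords and the distribution of the passwords people actually pick. The script below builds a constructed toy population (not real breach data) where a few popular choices carry 14% of users and the rest are spread over a million-entry tail, then compares Shannon entropy against the measures an attacker cares about: the single most likely password (min-entropy), the chance of success within k guesses, and the average number of guesses. All population numbers are assumptions for the example.

```python
import math

# A population is a list of (probability_per_password, number_of_passwords) groups,
# ordered from most to least likely. Grouping keeps a million-entry tail cheap.


def toy_population(tail_items=1_000_000):
    """Constructed toy distribution: four very popular passwords carrying 14% of
    users, the remaining 86% spread uniformly over `tail_items` rarer choices."""
    head = [(0.05, 1), (0.04, 1), (0.03, 1), (0.02, 1)]
    tail_mass = 1.0 - sum(p * n for p, n in head)
    return head + [(tail_mass / tail_items, tail_items)]


def uniform_population(n):
    """Every one of n passwords equally likely: what 'bits of entropy' assumes."""
    return [(1.0 / n, n)]


def shannon_bits(groups):
    """Shannon entropy of the population in bits (the 'potential' measure)."""
    return -sum(n * p * math.log2(p) for p, n in groups)


def min_entropy_bits(groups):
    """Worst case: -log2 of the single most likely password."""
    return -math.log2(max(p for p, _ in groups))


def success_within(groups, k):
    """Probability that an attacker guessing in order of popularity succeeds
    within k guesses (the attacker only needs one hit per account)."""
    mass, used = 0.0, 0
    for p, n in groups:
        take = min(n, k - used)
        mass += p * take
        used += take
        if used >= k:
            break
    return mass


def expected_guesses(groups):
    """Average number of guesses for that attacker (guesswork). Ranks start at 1;
    a group of n passwords starting at rank r occupies ranks r .. r+n-1."""
    total, rank = 0.0, 1
    for p, n in groups:
        total += p * (n * rank + n * (n - 1) / 2)
        rank += n
    return total


def compare():
    """Same number of possible passwords, two different choice distributions."""
    skewed = toy_population()
    flat = uniform_population(sum(n for _, n in skewed))
    out = {}
    for name, g in (("skewed", skewed), ("uniform", flat)):
        out[name] = {
            "shannon_bits": shannon_bits(g),
            "min_entropy_bits": min_entropy_bits(g),
            "p_success_1_guess": success_within(g, 1),
            "p_success_10_guesses": success_within(g, 10),
            "expected_guesses": expected_guesses(g),
        }
    return out


if __name__ == "__main__":
    for name, stats in compare().items():
        print(name)
        for k, v in stats.items():
            print(f"  {k:22s} {v:.6g}")
```

The skewed population still scores about 18 bits of Shannon entropy against 19.9 for the uniform one, and its average guess count is within 15% of uniform, yet one guess breaks 5% of its accounts and four guesses break 14%, versus one in a million for the uniform population. The min-entropy figure (about 4.3 bits) is the number that describes that exposure.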

1

u/zikronix Mar 08 '16

Relevant xkcd https://xkcd.com/936/

1

u/xkcd_transcriber Mar 08 '16

Title: Password Strength

Title-text: To anyone who understands information theory and security and is in an infuriating argument with someone who does not (possibly involving mixed case), I sincerely apologize.

1

u/Jkranick Mar 09 '16


1

u/mebob85 Mar 09 '16

"entropy" of a password is meaningless. Entropy only has meaning in the context of a source of randomness.

1

u/thepioneeringlemming infuriated Mar 09 '16

Yes, that's partly how they cracked the Enigma code: they knew that, whatever the settings, a letter never represented itself. It greatly reduced the number of possibilities.