Password annoyances.

I am constantly getting locked out of web sites not because I'm forgetful of passwords but because so many of these websites have so many arbitrary password rules that I have to make variations on one of my usual passwords that is just different enough that I can't fucking get in later if my computer has forgotten what the password was.

Goddamn it, there should not be any fucking arbitrary "you can't do a password without [x]" bullshit. Like, your password has to have a capital letter, a special character, but not a period or comma or a dozen other characters, and it has to be at least 6 but no more than 10 characters long, and your password should have a prime number in it and be in the metric system, every other character should be capitalized, and sacrifice your firstborn to us, but only if you give us 10% of everything you own when you die, your mother's maiden name, and your porn name. Oh and we'll only give you three chances to get all that right or the account will lock up for a day or so.

Honestly, I am quite capable of making secure passwords by myself without all these fucking arbitrary rules! This bullshit is making things 10 times harder than they need to be, and it's all false security anyway because you can always reset the password if you can get into the email account.

I tell you, the most sensible password things I've seen to date are Google and TrueCrypt. TrueCrypt will accept whole sentences as a password, without bitching about spaces and periods and question marks and so on. And while Google isn't quite that good, it doesn't have many of these arbitrary rules (just doesn't like spaces and periods and commas, I think), and you can add more security by linking the account to a cell phone and/or requiring verification codes (which I can lock in a text file inside of a TrueCrypt vault).

Honestly, web sites, if you would stop quibbling about pointless details and basically go the TrueCrypt route and allow any fucking characters we want, and whole sentences, then that would be much more secure and a hell of a lot less hassle.

Jan. 27th, 2014 12:14 pm (UTC)
The bits about minimum length and having caps and "special" characters in them really *do* make things more secure.

I recall how shocked I was when my bank's website wouldn't accept anything more than 6 characters, alpha only. (It's now a lot better than that.)

Alas, most folks *aren't* good at picking secure passwords. Even if they think they are.

The limits on maximum length of password are because the site has to *store* them (hopefully encrypted). If you've got a million customers/users then every extra character is a megabyte of data that has to be stored (and yes, they have to allocate space for the maximum length for *all* users, because password is one of those things where using a variable length field is a nightmare).

The usual advice is to go ahead and use a sentence, but just the first letter of each word. Or the last.

Periods and commas are usually forbidden because they make for more typos. And also because it's less likely that "standard" input verification routines will work with them.

Going the other way, you'd be amazed how many idiots set up databases with phone numbers or zip codes stored as *numeric* data. This leads to a lot of errors when the "number" exceeds the size of the numeric type used. If it ain't gonna be used for calculations, always store stuff as *character* data.

Getting back on track, yeah some places go overboard.

I suggest you try something like LastPass to remember most of your passwords. That way you only need to keep the important ones in your head.
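As an added example (not code from the post or from either commenter), here is a Python passphrase validator and storage routine in the spirit of what the post asks for: it accepts whole sentences with spaces, periods and commas, enforces a minimum length instead of character-class rules, and stores a random salt plus a scrypt hash, so the stored record is the same size whatever the passphrase length. The policy limits, the scrypt parameters and the sample phrases are constructed for this illustration.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import List, Optional

# Policy constants, chosen for this example (not taken from any site mentioned on the page).
MIN_LENGTH = 12    # length is the rule; no "must contain a capital / special character" clauses
MAX_LENGTH = 256   # only bounds the work the KDF does; storage size does not depend on this

SALT_LEN = 16      # bytes of random salt stored alongside the hash
DIGEST_LEN = 32    # bytes of scrypt output stored


def validate_passphrase(passphrase: str) -> List[str]:
    """Return the list of policy violations; an empty list means the passphrase is accepted.

    Any printable character is allowed, including spaces and punctuation, so a whole
    sentence works. Only control characters (NUL, newline, tab, ...) are rejected, since
    they are almost always paste accidents rather than something the user meant to type.
    """
    problems = []
    if len(passphrase) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(passphrase) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if any(unicodedata.category(ch).startswith("C") for ch in passphrase):
        problems.append("contains control characters")
    return problems


def hash_passphrase(passphrase: str, salt: Optional[bytes] = None) -> bytes:
    """Derive a fixed-size record (salt || scrypt digest) from a passphrase of any length.

    The record is always SALT_LEN + DIGEST_LEN bytes, so a database column for it has a
    fixed width regardless of how long users' passphrases are.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    # NFKC normalisation so the same phrase typed on different platforms hashes identically.
    pw = unicodedata.normalize("NFKC", passphrase).encode("utf-8")
    # scrypt cost parameters are illustrative; 2**14/8/1 uses about 16 MiB of memory.
    digest = hashlib.scrypt(pw, salt=salt, n=2 ** 14, r=8, p=1, dklen=DIGEST_LEN)
    return salt + digest


def verify_passphrase(passphrase: str, record: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, stored = record[:SALT_LEN], record[SALT_LEN:]
    candidate = hash_passphrase(passphrase, salt)[SALT_LEN:]
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Constructed sample: a full sentence, spaces and punctuation included.
    phrase = "It was the best of times, it was the worst of times."
    print("violations:", validate_passphrase(phrase))
    record = hash_passphrase(phrase)
    print("stored record is", len(record), "bytes")
    print("verify correct phrase:", verify_passphrase(phrase, record))
    print("verify without trailing period:", verify_passphrase(phrase.rstrip("."), record))
```

The design point is that once the server stores a salted hash rather than the password itself, the accepted character set and the maximum length stop being storage questions at all; the only reason to cap length is to bound the cost of one KDF call on an absurdly long input.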

Jan. 27th, 2014 12:16 pm (UTC)
Oh yeah, missed this on the first pass.

Linking to cell phones is a *really* bad idea. Among other things, what if you have multiple IDs with the same site/service? All the reasons for those involve *not* wanting them linked in any way. Using the cell phone eliminates that.

And may be how Google linked names to out all those TG folks.
