Either my name, my password or my soul is invalid – but which?

Try as I might, it won't go in. I have entered pretty much everything else so far but this time I'm getting a definitive "no". I respect that, of course, but it leaves me jolly frustrated. Despite all my powers of persuasion, I'm left standing in the cold with one hand on my lock. Yes, lock. The site keeps rejecting my …

Anonymous Coward

Why block Beatles songs as passwords? Is it because we can work it out?

67
0
Reply
Silver badge

Hey Jude

Don't get hacked.

Pick a bad password, and make it better.

37
0
Reply
Anonymous Coward

Re: Hey Jude

It's easier to pick one with a little help from my friend.

26
0
Reply

This post has been deleted by its author

Silver badge

Re: Hey Jude

Nothing to get hung about

15
0
Reply
Silver badge
Flame

minimum password reset time

...casually sabotage his own monthly New Password prompts by changing his password 11 times immediately.

Which is why you should set a minimum time between changes - just don't be monumentally stupid about it.

I worked at a place (I.T. provider) where they had set the minimum time to longer than the maximum time on one of the customers' systems.

Result - impossible to change password. Do the server team give a shit? No! They aren't the ones dealing with outraged and frustrated customers and setting everyone's password for them manually - no small task on top of my extremely overworked day. This went on for months. I attempted to ease the situation by asking questions like "Hey guys, what are the actual password rules, as people seem to be struggling?". I was met with vague shit like "oh, it's gotta be 8 and have a number in it, I think".

It took me digging out the GPO editor, digging into the AD and finding the policy - and the problem - and waving it in their faces.

I said that like they then did something about it, didn't I? No such luck, no shits were given, they couldn't see the issue?!? It took more weeks of cajoling and bitching upstream.

First job I ever resigned from without having a new job ready.

My girlfriend worked there a few months longer, doing the accounts, and suddenly had a load of extra work when their accounts server died with no known backups, all data lost, and they had to re-enter what data they could find from whatever paperwork they had filed!

This is an I.T. company! That sells backup solutions!

25
0
Reply
Silver badge

Re: minimum password reset time

> Which is why you should set a minimum time between changes - just don't be monumentally stupid about it.

Ugh, even that brings its own problems. Being told you can't change a password that's been compromised because the minimum time hasn't elapsed. On one of our systems, a privileged generic* account password is retrieved several times a day by different people, but can only be changed once a day. So a bunch of people can re-use the password all day, with no accountability for who did what.

A long password history usually means you don't need a minimum time. Until you meet That Guy who ruins it for everyone:

>>...casually sabotage his own monthly New Password prompts by changing his password 11 times immediately.

* Yes, they should have individual logins. But the ancient application doesn't support that, OR auditing.

5
0
Reply
Silver badge

Re: minimum password reset time

"accounts server died with no known backups, all data lost, and they had to re-enter what data they could find from whatever paperwork they had filed!

This is an I.T. company! That sells backup solutions!"

Reminds me of the company that sold a lot of word processing solutions in the early 80s.

Their invoices were done on a typewriter.

2
0
Reply
Silver badge

University

A certain university somewhere in mid-Wales has password rules that forbid anything like a dictionary word in just about any known language, and checks it. They must have a Cray handling the password validation.

Contain both upper and lower case characters (e.g., a-z, A-Z)

Have digits and punctuation characters as well as letters (e.g., 0-9, !@#$%^&*()_+|~-=`{}[]:";'<>?,./)

Are at least six alphanumeric characters long.

Are not a word in any language, slang, dialect, jargon, etc.

Are not based on personal information, names of family, etc.

If I remember rightly, you can't reuse the last 30. But at least it only forces a change every year.

25
0
Reply
Silver badge

Re: University

in just about any known language

Does that include Welsh?

(Thanks for that one, Red Dwarf.)

31
0
Reply
Silver badge

2 factor

if the second factor is merely a detoured PIN sent to your smartphone: all a thief has to do is nick your phone and he sits and waits for the second password to light up in front of him.

But, but, 99% of people hacking your password have no idea who or where you are and probably aren't in the same country! So it's not that easy for them to whack you over the head in the study with the metal pipe and nick your phone!

16
0
Reply

Re: University

What a monumentally stupid university! They are just absolutely ensuring that their users will write it down, almost certainly somewhere stupid.

Whenever the subject of password strength arises here, I refer them to this:

https://xkcd.com/936/

Don't get me started on bloody stupid biometrics - they should never be used for anything but identification, never authentication. I haven't made any friends pissing on the parade of breathless tech junkies extolling the virtue of their super-secure fingerprint enabled phones. "But it HAS to be super secure, it's NEW and BIOMETRIC!"

18
3
Reply
Silver badge

Re: University

A!a?0@

B!b?1@

etc.

6
0
Reply
Anonymous Coward

Re: University

What a monumentally stupid university! They are just absolutely ensuring that their users will write it down, almost certainly somewhere stupid.

Which is why the "interview" social engineering attack works well.

Go for an interview, wear video recording glasses, and take a GOOD look around the cubicles when you're shown around. Match up name plates to the sticky notes on the monitors, and, using the email address the interviewer gave you as the guide, you now have lots of usernames and passwords.

10
0
Reply
tfb
Silver badge

Re: University

One argument for biometrics is that they are harder to shoulder-surf, especially compared with something you're likely to be able to reliably type on a phone. I'm not sure how good an argument that is, but it's not obviously silly.

8
1
Reply

Re: University

And that is precisely why they get written on post-its and left around.

6
0
Reply
Anonymous Coward

Re: University

Don't get me started. I've seen password policies by committee where the various factions couldn't be appeased, and now it's a four-branch combination of alphabet size and minimum length. I'll try to push for "min length 12, must contain 16 distinct letters" next time just to see if they twitch.

12
0
Reply

Re: University

Someone has actually generated a website to provide such passwords:

http://correcthorsebatterystaple.net/

6
0
Reply
Silver badge

Re: Biometric Login...

If you want your login bad enough, I take your finger with me to the computer/bank machine, etc.

1
0
Reply
tfb
Silver badge
Big Brother

Re: University

You really, really do not want to use a website to generate passwords unless you are extremely confident in the code it runs, the hardware it runs on and the security of the connection between you and it.

10
1
Reply
Anonymous Coward

Re: University

*koff* That's almost certainly where I work. In the, *ahem* same department that makes these policies. It is a royal PITA changing passwords. Although, last time having rejected every complex definitely-not-a-word-in-any-language password I tried, the system suggested a much simpler, less complex alternative that was more acceptable to it.

*shrug* Go figure.

And yes, words in Welsh are also banned ;-)

9
0
Reply
Silver badge

Re: University

"unless you are extremely confident etc."

And the people running the site.

4
0
Reply
Silver badge
Trollface

Re: 2 factor

whack you over the head in the study with the metal pipe

Er, no. I think it was in the kitchen with a knife.

4
0
Reply
Silver badge

Re: University

Make sure to include one special char and 2 Cyrillic numerals

2
0
Reply
Silver badge

Re: University

Is Welsh a language?

2
2
Reply
Silver badge
Trollface

Re: University

a dictionary word in just about any known language

SQL?

1
0
Reply
Joke

Re: University

That's like five words (dunno, SELECT, WHERE, FROM, DELETE, ADD?)!

1
0
Reply

Re: University

What I always do is generate half a dozen or so, and pick portions from each, so they have no way of knowing what I used, even if they can work out who I am, etc.

0
0
Reply
Anonymous Coward

"Wrong" email addresses

I do remember some years ago that some sites were a bit "snobby" and not excepting users that had email accounts from the likes of Hotmail and Yahoo.

23
0
Reply

Re: "Wrong" email addresses

And those idiot web interfaces (faeces?) that insist a domain name cannot contain a hyphen (well, a -).

Most of my addresses have that. My domain names have them, my last two or three workplaces have that...

Idiots.

32
0
Reply
Silver badge

Re: "Wrong" email addresses

I'd say not excepting those users would have been the preferable approach...

8
2
Reply
Silver badge

Re: "Wrong" email addresses

I still encounter sites that don't accept email addresses with 3 character domain names, fortunately all, so far, have accepted gmail.com instead...

But as Alistair alludes to, unless you have kept good notes (ie. little black book or used a password manager), it can be a bit of a nightmare when you revisit such a site and simply automatically enter your normal username...

18
1
Reply
Silver badge

Re: "Wrong" email addresses

"I do remember some years ago that some sites were a bit "snobby" and not excepting users that had email accounts from the likes of Hotmail and Yahoo."

That used to be a good way of avoiding spammers signing up for the sole purpose of posting a load of links.

17
1
Reply
Silver badge

Re: "Wrong" email addresses

Apostrophes in email addresses fall foul of some sites.

If you look it up, they are perfectly valid. According to an Irish acquaintance with a name starting with O' it's quite good at minimising the spam he gets.

20
0
Reply
LDS
Silver badge

Re: "Wrong" email addresses

It's still happening today, some don't accept email addresses from free email services - probably they believe you've just created one to give 'em to hinder them harassing you for the next several years...

9
0
Reply
Silver badge

Re: "Wrong" email addresses

Shirley not!

And no one ever uses them for FB accounts, either.

7
0
Reply
Silver badge
Facepalm

Re: "Wrong" email addresses

I seem to remember also that some sites only accepted email addresses from what they considered to be proper email, i.e. Hotmail, etc. Anything else wasn't a "known" email so was rejected.

5
0
Reply
Meh

Re: "Wrong" email addresses

I know someone with an apostrophe in their email address, due to their Irish O'whatever name. Despite the fact it's 50/50 whether the receiving email server will accept it or not, the admin has never enforced a policy that removes it when creating accounts.

What annoys me is when you have to log in somewhere else and it's not obvious they have a different country keyboard layout. Those special characters are not where they are supposed to be. So do I devise new passwords which only use the characters that don't move, say, between US and UK layouts, thus weakening the password due to less entropy, or use them and struggle to log in some places?

Decisions!

7
1
Reply

Re: "Wrong" email addresses

Plenty of systems won't accept emails where the TLD is more than 3 characters, because they used some half-baked regex copied off Stack Overflow. It was wrong long before the recent TLD proliferation, too: .museum has been around since 2001.

15
0
Reply
Anonymous Coward

Re: "Wrong" email addresses

A + in an email address is valid, and a very useful way to track who is leaking your email address, as you can use unique Gmail addresses when you sign up for crap stuff which all go into your single mailbox. But I've found plenty of places will not accept it as a valid email even though it complies with RFC 2822.

21
0
Reply
MOH

Re: "Wrong" email addresses

Yep, they're perfectly valid. Didn't stop Aer Lingus refusing to accept them for the first few years of online booking.

5
0
Reply
Anonymous Coward

Re: "Wrong" email addresses

"an Irish acquaintance with a name starting with O' "

Oh, you know Robert O'Tables?

26
0
Reply
Bronze badge

Re: "Wrong" email addresses

Once had a friend with an email address that was similar to (but not) a.b.c@d-e-f.co.uk

It was a useful one for testing email validation; the number of times some web app would refuse to accept it showed that the devs were using some useless regex from the first search result, which was Stack Overflow.

9
1
Reply
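As an added illustration (not any commenter's code, nor that of any site named in the thread) of the validation failures this thread describes: a constructed over-strict pattern of the kind copied from a search result, beside a check built on the RFC 5322 local-part and hostname grammar, run over addresses shaped like the ones above. The sample addresses are constructed for the example.

```python
import re

# Over-strict pattern of the kind the comments describe (constructed here to show the
# failure mode, not taken from any real site). It rejects '+', apostrophes, hyphens in
# the domain and any TLD longer than three letters.
STRICT_RE = re.compile(r"^[A-Za-z0-9._]+@[A-Za-z0-9]+(\.[A-Za-z0-9]+)*\.[A-Za-z]{2,3}$")

# RFC 5322 "atext" characters for the local part: letters, digits and these symbols.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
# A DNS hostname label: alphanumeric at both ends, hyphens allowed inside, max 63 chars.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
# Dot-separated atoms, '@', one or more labels, then an alphabetic TLD of 2 to 63 letters.
RFC_RE = re.compile(rf"^{ATEXT}(?:\.{ATEXT})*@(?:{LABEL}\.)+[A-Za-z]{{2,63}}$")


def strict_accepts(addr: str) -> bool:
    """The over-strict check: syntactically valid addresses get refused."""
    return STRICT_RE.match(addr) is not None


def rfc_accepts(addr: str) -> bool:
    """Syntax check following RFC 5322 atoms plus RFC 1034 hostname labels and
    the SMTP length limits (64 for the local part, 254 for the whole address)."""
    if len(addr) > 254:
        return False
    local, _, _domain = addr.rpartition("@")
    if len(local) > 64:
        return False
    return RFC_RE.match(addr) is not None


# Constructed sample addresses echoing the shapes the thread complains about.
SAMPLES = [
    "plain.user@example.com",            # both checks accept
    "a.b.c@d-e-f.co.uk",                 # hyphens in the domain
    "wall.meerkat+ourcompany@gmail.com", # plus-addressing
    "o'brien@example.ie",                # apostrophe in the local part
    "curator@example.museum",            # TLD longer than three letters
    "a@b",                               # no dot in the domain: both reject
    "a..b@example.com",                  # empty atom: both reject
]


def compare(addrs):
    """Map each address to (strict_result, rfc_result) so the gap is visible."""
    return {a: (strict_accepts(a), rfc_accepts(a)) for a in addrs}


if __name__ == "__main__":
    for addr, (strict, rfc) in compare(SAMPLES).items():
        print(f"{addr:36} strict={strict!s:5} rfc={rfc}")
```

Either check only establishes syntax; whether the mailbox exists and is reachable is settled by sending a confirmation message, not by a tighter regex.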
Bronze badge

Re: "Wrong" email addresses

Though there was that one time I actually *won* a competition.

Found out by phone though.

"Congratulations you won!

... we usually notify by email but we think something went wrong with our system as your email address is coming up as wall.meerkat+ourcompany@gmail.com"...

9
0
Reply
Silver badge

Re: "Wrong" email addresses

"I do remember some years ago that some sites were a bit "snobby" and not excepting users that had email accounts from the likes of Hotmail and Yahoo."

In my recent experience I found the exact opposite. I tried signing up to The Times website so I could read news articles and it utterly refused to accept my email address (I have my own domain). Seeing as it wasn't for anything particularly important I used a throwaway Gmail address and sign-up worked first time.

3
0
Reply
Anonymous Coward

Robert O'Tables

"Robert O'Tables", love it!

One of the people at my workplace not only has an Irish family name, but whose personal name is from another European language and contains an accented letter. I perhaps use this person's record on my dev server rather more than some others, as it's a really great name to test many corner cases or potential input/output data validation/security risks.

8
0
Reply
Silver badge

Re: "Wrong" email addresses

"some don't accept email addresses from free email services - probably they believe you've just created one to give 'em to hinder them harassing you for the next several years."

No problem. I use a paid email service and create addresses to stop them harassing me for several years. What's more, if I think I might need to use the service in the future I can keep the address in place but just set it to bounce until the occasion arises.

1
0
Reply
Silver badge

Re: Robert O'Tables

"an Irish family name ...I perhaps use this person's record on my dev server rather more than some others"

A certain large systems house on whom we all like to pour scorn were repeat offenders in sending badly formed XML with Irish names. After we'd explained it all to the developer doing the work they got it right. A few months later the developer we'd trained had had his visa run out and been replaced by another import, all ready to screw it up again.

2
0
Reply
Bronze badge

Re: "Wrong" email addresses

I take it your friend's name is O'DROP DATABASE';

6
0
Reply
Silver badge
Holmes

Re: "Wrong" email addresses

... we usually notify by email but we think something went wrong with our system as your email address is coming up as wall.meerkat+ourcompany@gmail.com"...

Couple of years ago I ordered some stuff from a webshop, using my standard pattern of "myname.webshop@surname.net". This resulted in them calling me to acknowledge the order, as their confirmation mail kept not getting sent (apparently they did pay attention to such things, good on them) and with it them expressing surprise at me having an account on their mailserver.

Their software apparently had some hitherto unknown knicker-twisting properties.

1
0
Reply


Biting the hand that feeds IT © 1998–2018