Either my name, my password or my soul is invalid – but which?

Try as I might, it won't go in. I have entered pretty much everything else so far but this time I'm getting a definitive "no". I respect that, of course, but it leaves me jolly frustrated. Despite all my powers of persuasion, I'm left standing in the cold with one hand on my lock. Yes, lock. The site keeps rejecting my …

    1. LDS Silver badge

      Re: "Wrong" email addresses

      It's still happening today, some don't accept email addresses from free email services - probably they believe you've just created one to give 'em to hinder them harassing you for the next several years...

      1. Elmer Phud Silver badge

        Re: "Wrong" email addresses

        Shirley not!

        And no one ever uses them for FB accounts, either.

      2. Doctor Syntax Silver badge

        Re: "Wrong" email addresses

        "some don't accept email addresses from free email services - probably they believe you've just created one to give 'em to hinder them harassing you for the next several years."

        No problem. I use a paid email service and create addresses to stop them harassing me for several years. What's more, if I think I might need to use the service in the future I can keep the address in place but just set it to bounce until the occasion arises.

    2. David Nash Silver badge
      Facepalm

      Re: "Wrong" email addresses

      I seem to remember also that some sites only accepted email addresses from what they considered to be proper email, ie. hotmail, etc. Anything else wasn't a "known" email so was rejected.

    3. Hans Neeson-Bumpsadese Silver badge

      Re: "Wrong" email addresses

      "I do remember some years ago, that some sites were a bit "snobby" and not accepting users that had email accounts from the likes of Hotmail and Yahoo."

      In my recent experience I found the exact opposite. I tried signing up to The Times website so I could read news articles and it utterly refused to accept my email address (I have my own domain). Seeing as it wasn't for anything particularly important I used a throwaway Gmail address and sign-up worked first time.

  1. tfb Silver badge

    Idiot password checkers

    I use random (and I mean random: generated from proper randomness) strings of dictionary (/usr/share/dict/words / /usr/dict/words) words as passwords (well, passphrases). It's easy to show that these, if they are long enough, are harder to guess than normal line-noise passwords (the alphabet the symbols are chosen from is much bigger, the symbols are randomly chosen). But I still have to add a little bit of line-noise to the end of them to keep the stupid 'must be line noise' checker happy.

    1. Robert Carnegie Silver badge

      Re: Idiot password checkers

      For a password to remember, and easy to type: 6 random distinct consonants, then 2 numerals. I usually grab 20 letters https://www.random.org/strings/?num=1&len=20&upperalpha=on&unique=off&format=html&rnd=new - shuffle at random and pick out letters that fit e.g. Robert Carnegie -> Rbtcng95 (I don't actually use my name for this). That's the password, but to remember it, pick words that represent 5 or 6 of the letters. I find that after a few days, remembering the words e.g. "Robot carnage" (possibly my name spell checked) brings up the letters and the numbers as well.

      An online password checker spotted that "Fiqbly45" contains a given name (Bly) and a dictionary word (Fiq with a Q, evidently), it must be a fiend at Scrabble.

    2. veti Silver badge

      Re: Idiot password checkers

      That's fine, but is it any more memorable than just a random string of gibberish?

      I've tried lots of approaches over the years. This is my current favourite.

      1. tfb Silver badge

        Re: Idiot password checkers

        Based on my experience (so, OK, sample of one, self-selected), passphrases made from random words are much easier to remember, yes. I think this is because we have specialised machinery in our heads for dealing with natural language, and while we don't have specialised machinery in our heads for dealing with written language (too recent, evolutionarily) the more general-purpose machinery we've trained to deal with it turns out to work really well. So if you see a string of words in a natural language you speak then you're remarkably good at remembering them even if they are randomly chosen.

        This works, surprisingly, even if you have never seen the words before: I just ran my generator for a three-word passphrase and it came up with 'cinephotomicrography franchisal lineation': I don't think I've ever used any of those words, or probably even seen them before, but I typed all but the first without looking back at the window I'd covered.

        1. Spamfast Bronze badge

          Re: Idiot password checkers

          XKCD again as mentioned earlier.

          But the problem is that many systems won't let you use passphrases. Either they won't accept passwords that long or they insist on 'at least one upper, lower, digit, rune' etc as in Dabbsie's original article.

          Every place I go I email the IT admins the link to the XKCD cartoon but unfortunately your average Microsoft-only IT bod doesn't understand what 'entropy' means - or anything else about real, effective security.

          Also, Windows only supports the 'enforce password complexity' (runes!) option so that's what the IT twonks enforce.
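An added example (not code from any commenter) that puts numbers to tfb's claim above about random dictionary-word passphrases, and to the 'at least one upper, lower, digit, rune' checker Spamfast describes: the same four-word passphrase clears an entropy-based rule comfortably yet fails the character-class rule. It assumes a system word list of about 100,000 entries and uses a small constructed list for the generator.

```python
import math
import secrets
import string

# Constructed miniature stand-in for /usr/share/dict/words; the generator draws from it.
WORDS = ["cinephotomicrography", "franchisal", "lineation", "correct", "horse",
         "battery", "staple", "robot", "carnage", "elder", "rune", "lock"]
# Assumption: a real system word list has roughly 100,000 entries.
ASSUMED_DICT_SIZE = 100_000
PRINTABLE_ASCII = 95  # size of the 'line noise' alphabet


def random_passphrase(n_words=4):
    """Words chosen with the CSPRNG-backed secrets module, joined by spaces."""
    return " ".join(secrets.choice(WORDS) for _ in range(n_words))


def words_entropy_bits(n_words, dict_size=ASSUMED_DICT_SIZE):
    """Guessing work for n uniformly random dictionary words: n * log2(dictionary size)."""
    return n_words * math.log2(dict_size)


def chars_entropy_bits(n_chars, alphabet_size=PRINTABLE_ASCII):
    """Guessing work for n uniformly random characters from an alphabet."""
    return n_chars * math.log2(alphabet_size)


def words_needed(target_bits, dict_size=ASSUMED_DICT_SIZE):
    """Smallest passphrase length that reaches a target number of bits."""
    return math.ceil(target_bits / math.log2(dict_size))


def estimate_bits(pw):
    """Entropy estimate: a space-separated all-letter string is scored as random
    dictionary words, anything else as random characters from the classes present.
    Both branches assume the choices were random, so a structured string such as
    'Correcthorse&battery3staple' is overestimated."""
    tokens = pw.split(" ")
    if len(tokens) > 1 and all(t.isalpha() for t in tokens):
        return words_entropy_bits(len(tokens))
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(c in string.punctuation for c in pw):
        alphabet += len(string.punctuation)
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def complexity_rule_ok(pw, min_len=8):
    """The 'at least one upper, lower, digit, rune' checker the thread complains about."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def entropy_rule_ok(pw, min_bits=60):
    """Randomness-based rule that lets a plain passphrase through without line noise."""
    return estimate_bits(pw) >= min_bits
```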

          1. John Miles

            Re: Idiot password checkers

            Different cases are easy to deal with - you naturally put a capital for a name or the first word of a phrase or sentence and the rest lower case. You can include a number in the phrase or a word that sounds like a number, and there are some symbols that can be substituted for words - so you could take "correct horse battery staple" and turn it into "correct horse and battery free staple" which becomes "Correcthorse&battery3staple" which I find easy to remember and type and still meets the stupid password rules (unless they limit length too short)

            1. veti Silver badge

              Re: Idiot password checkers

              (unless they limit length too short)

              Which they normally do. Honestly, what percentage of sites even allow you to have a password of more than 16 characters?

              Worst of all, those that allow you to enter such a password, but silently truncate it without telling you. Then reject the full password when you enter it later.

              I've learned to limit myself to 10 characters. Most places accept that. OK, it's not as secure as it could be, but like the old joke says: "I don't have to run faster than the bear, I just have to run faster than you". There are plenty of people way easier to hack than me, and that's what matters.

    3. Shadow Systems Silver badge

      Re: Idiot password checkers

      I like to use Elder Runes. It means my password is unique & anyone attempting to say them aloud winds up summoning an Elder God. It's a self-Darwinian method of password security. =-)p

      1. tfb Silver badge

        Re: Idiot password checkers

        Well, yes, of course. I didn't specify what /usr/share/dict/words on my machine contains, or exactly what LANG is set to, and perhaps I should not do that.

        I have found an interesting thing regarding this: encryption is not enough. Even looking too closely at the encrypted contents of the disk is enough to cause quite nasty things to happen to potential eavesdroppers. The results are usually fatal, and I imagine the eavesdroppers are glad of that, at least until their minds go.

    4. Spamfast Bronze badge

      Re: Idiot password checkers

      #!/usr/bin/python3
      # Four random words from the system word list, XKCD style,
      # drawn with the CSPRNG-backed secrets module.

      import secrets

      with open('/usr/share/dict/words') as f:
          words = [l.strip().lower() for l in f.readlines()]

      xkcd = ' '.join([secrets.choice(words) for i in range(4)])

      print(xkcd)

    5. Anonymous Coward
      Anonymous Coward

      Re: "proper randomness"

      You should bottle that up! I hear it is very sought-after.

  2. krivine

    Plus sign in email addresses is often fun

    When registering with some sites I add '+${siteName}' between my username and @. This makes for easier classification using Gmail labels. Many sites reject the plus sign, although it's a valid character in email addresses. Morrisons supermarket took it one step further, by letting me register username+morrison@gmail.com, but then refusing to let me log in with it. I gave up on them.

    1. Andraž 'ruskie' Levstik

      Re: Plus sign in email addresses is often fun

      Yeah - I ran into that one way too many times. At least the register lets me do it.

    2. Pen-y-gors Silver badge

      Re: Plus sign in email addresses is often fun

      I find it's easier to have an extra domain e.g. getstuffed.org.uk and then use different names for every site - tesco@getstuffed.org.uk, ukgov@ etc.

      Forward everything to another a/c but it's handy for throw-away things.

      1. Doctor Syntax Silver badge

        Re: Plus sign in email addresses is often fun

        "Forward everything to another a/c"

        Why? Just use that domain as your email domain. All the aliases come into a single mailbox (you can check the alias name in the To: field if you need to see who spammed) and set up, tear down or set to bounce as you please.

    3. 's water music Silver badge
      Trollface

      Re: bait and switch sign up

      Morrisons supermarket took it one step further, by letting me register username+morrison@gmail.com, but then refusing to let me log in with it. I gave up on them.

      A rarer favourite of web coders who have grown bored of "you failed my validation but if I tell you how I'll have to kill you" is to accept an overlong password value and simply truncate it to the length they were anticipating before creating your account. Similar fun can be had with the username. Those super secure password/unique email wonks don't like it up 'em.

    4. tfb Silver badge

      Re: Plus sign in email addresses is often fun

      I had an account on photo.net which (a) changed at some point so it would not let me use my account-with-+-in-it and (b) kept on sending me junk mail to that address and ignored my requests to delete it or make it work again. If I had more than one suitcase nuke I think I would have used one of them to deal with this cretinism.

      There are, I believe, RFC-822 parsers out there (as in: there are hundreds): why can't these fuckwits just use one to tell if email addresses are valid rather than use some half-baked regexp of their own devising which doesn't actually work.

      1. Richard 12 Silver badge

        Re: Plus sign in email addresses is often fun

        No. Just no.

        You should never, ever attempt to "validate" an email address.

        Ok, it's worth checking that it's got at least one "@" followed by at least one printable character, but beyond that?

        Not worth the cycles.

        Just send an email to it - after all, you don't actually care whether it's RFC compliant, you care whether there's a mailbox at the end of it.
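An added example (not code from any commenter) contrasting the minimal check Richard 12 describes with a constructed home-grown pattern of the kind that rejects '+', and a regression check for the register-with-it-but-can't-log-in failure krivine hit: run the registration and login checks over the same sample addresses and list any that one accepts and the other rejects. The sample addresses are constructed.

```python
import re

# Constructed example of a home-grown pattern: it looks plausible but never
# allows '+', so username+site@gmail.com is rejected.
HOME_GROWN = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

# Constructed sample inputs.
SAMPLE = [
    "username+morrison@gmail.com",
    "tesco@getstuffed.org.uk",
    "plain@example.org",
    "no-at-sign",
    "bad@",
    "@nolocal",
    "has space@example.org",
]


def home_grown_ok(addr):
    return HOME_GROWN.fullmatch(addr) is not None


def minimal_ok(addr):
    """Richard 12's rule: something before an '@', at least one printable,
    non-blank character after it, and no other guessing about RFC syntax.
    (Quoted local parts with spaces are ignored as a practical simplification.)
    Whether a mailbox exists is settled by sending a message to it."""
    if not addr or not all(ch.isprintable() and not ch.isspace() for ch in addr):
        return False
    local, at, domain = addr.rpartition("@")
    return bool(at) and bool(local) and bool(domain)


def orphaned_registrations(addresses, register_check, login_check):
    """Addresses the site would let you register with but then refuse at login:
    accepted by one check path, rejected by the other. Run over a fixed sample
    in CI, this catches the two paths drifting apart."""
    return [a for a in addresses if register_check(a) and not login_check(a)]
```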

    5. Flexdream

      Re: Plus sign in email addresses is often fun

      The + label is a great tip. Seems to work with @hotmail.com too.

  3. Vagnerr

    Got to watch those password lengths

    I have had many experiences where there was an upper limit on the password length (usually a red flag that they may just be saving passwords in plaintext). No big problem usually as I generate random passwords anyway but it's a bit of a shame if it has to be a shorter one.

    However...

    On one occasion the max password length was 20 characters. Not bad. ... Except that was the limit for creating the password. The limit for entering your password to login was only 18 characters! </slowhandclap>

    1. Justicesays

      Re: Got to watch those password lengths

      Similar very recently.

      Set a password (randomly generated).

      Copy and paste same password into login box - doesn't work?

      Read login FAQ :

      Passwords cannot contain quotes (")

      Then WTF did you

      a) let me set one with a "

      b) put "must contain a special character such as a symbol" in the listed rules , but not point out that excludes "

      Not to mention it implies your back-end is vulnerable to injection, and you're covering it up with sticking plasters.

      In another case, putting "#!/bin/bash" as part of a long password worked for the game login, not so good on the website as it was eventually blocked by the website's IPS as a potential injection attack... The password change tool was on the website...

      1. Spamfast Bronze badge

        Re: Got to watch those password lengths

        SQL injection is ridiculous. They take some random HTTP POST value and concatenate it onto a SQL statement and run it? Duh!

        Even if they run it through a sanitiser it's a risk and moreover it's ridiculously inefficient.

        Every program (web service or otherwise) I've ever written that takes user input (or input from a comms channel) for an SQL (or "a Sequel" if you prefer) query binds the input variables to placeholders in the query string. Usually the statements are pre-prepared since that avoids a layer of parsing for frequently executed statements.

        This is trivially easy to do in PHP, Python, Perl, Ruby etc. and not much more complicated in C/C++ with most client libraries.

        To paraphrase Holly, "The highest form of life in the universe is Man and the lowest is a man who works as a web developer."
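An added example (not code from any commenter) showing the concatenation anti-pattern Spamfast describes beside the bound-placeholder form, on an in-memory sqlite3 table with constructed rows: a legitimate apostrophe in a name breaks the concatenated statement, which is the real reason behind the "passwords cannot contain quotes" rule Justicesays ran into, while bound parameters carry any character, including a password with a " and "#!/bin/bash" in it.

```python
import hashlib
import hmac
import secrets
import sqlite3


def make_db():
    """In-memory users table seeded with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT, "
                 "salt BLOB, pw_hash BLOB)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                     [("alice", "alice@example.org"), ("o'brien", "ob@example.org")])
    return conn


def find_email_concat(conn, name):
    """The anti-pattern: the request value is spliced into the SQL text, so an
    apostrophe in a perfectly valid name breaks the statement. Banning quotes at
    the form papers over this instead of fixing it."""
    row = conn.execute("SELECT email FROM users WHERE name = '" + name + "'").fetchone()
    return row[0] if row else None


def concat_breaks_on(conn, name):
    """True when the concatenated form raises a SQL syntax error for this input."""
    try:
        find_email_concat(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


def find_email_bound(conn, name):
    """Placeholder binding: the value reaches the engine separately from the
    statement text and can never change the query's structure."""
    row = conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def set_password(conn, name, password):
    """Any character is fine in the password: it is salted and hashed, and both
    values travel as bound parameters, never as SQL text."""
    salt = secrets.token_bytes(16)
    conn.execute("UPDATE users SET salt = ?, pw_hash = ? WHERE name = ?",
                 (salt, _hash(password, salt), name))
    conn.commit()


def check_password(conn, name, password):
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None or row[0] is None:
        return False
    return hmac.compare_digest(_hash(password, row[0]), row[1])
```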

        1. Loud Speaker

          Re: Got to watch those password lengths

          SQL (or "a Sequel" if you prefer)

          No

          Sequel was something entirely different - an IBM product predating SQL. MS don't want you to know this. Sequel was NOT GOOD.

          Emojis of sexually explicit vegetables should only be used for passwords on porn sites. Think of the children!

        2. Dave559 Bronze badge

          Re: Got to watch those password lengths

          > To paraphrase Holly, "The highest form of life in the universe is Man and the lowest is a man who works as a web developer."

          I agree very emphatically with everything else in your comment, apart from that sentence. Yes, there are a lot of numpty so-called web developers out there, but not all of us!

    2. Flexdream

      Re: Got to watch those password lengths

      I most enjoyed the system which rejected three different new passwords for being non-compliant without saying why, then locked me out for three failed password change attempts.

  4. Wensleydale Cheese Silver badge

    "It's not a lack of awareness, it's a clear admission from within the security industry itself what a pain in the arse it is to sign in again and again dozens of times a day with different credentials."

    BTDT. Back when I was managing a fleet of servers I had to log in to over 20 different systems after a network outage. These were systems which would lock you out after too many password failures. A single password per group of logically related systems was the sanest choice.

    Fortunately there was a smartcard system for the PC, so at least I didn't need to remember all the separate passwords for mail, timesheets, project management systems et al that ran on that.

  5. imanidiot Silver badge

    Nothing wrong with reusing passwords

    I reuse the same password or a variation thereof on multiple sites. None of them critical of course. Things like my spam email, fora like El Reg, etc, that don't contain payment info and the like all use the same password. Banking and work accounts of course get their own passwords

    1. paulf Silver badge
      Thumb Up

      Re: Nothing wrong with reusing passwords

      About 8 years ago a system I use regularly started enforcing password changing via AD. There was much grumbling as the change timer is about 3 months and the old password cannot be a prefix of the new password which immediately rules out changing totalBollocks to totalBollocks1. Then someone pointed out to me that adding numbers into the password means it's treated as a completely different password. Thus:

      totalBollocks

      total1Bollocks

      total2Bollocks

      are all unique passwords.

      This has served me well for the last 20 odd password changes.

      1. tfb Silver badge

        Re: Nothing wrong with reusing passwords

        Well, the system is (you hope) storing only hashes of the passwords, so when changing password it can know, at most, the current and new plain texts and the hashes of the previous n passwords. So the very best it can do is ensure that the new password is sufficiently different to the current one and that it is different in some way (but not how different) from the previous n.
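An added example (not code from any commenter) of the two checks tfb describes: an exact-match test against salted hashes of the previous n passwords, and a similarity test that is only possible against the current plaintext supplied with the change request. A prefix rule on its own waves through paulf's total1Bollocks trick; an edit-distance floor does not. Hash parameters and the sample passwords are constructed.

```python
import hashlib
import hmac
import secrets


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def levenshtein(a, b):
    """Edit distance; a small value means the strings differ by a few keystrokes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class PasswordHistory:
    """Salted hashes of the last `keep` passwords; plaintexts are never retained."""

    def __init__(self, keep=5):
        self.keep = keep
        self.entries = []  # (salt, hash), newest first

    def record(self, password):
        salt = secrets.token_bytes(16)
        self.entries.insert(0, (salt, _hash(password, salt)))
        del self.entries[self.keep:]

    def seen_before(self, candidate):
        """Only an exact reuse is detectable against history: each stored hash
        has to be recomputed with its own salt, and nothing about 'how close'
        can be learned from a hash."""
        return any(hmac.compare_digest(_hash(candidate, s), h) for s, h in self.entries)


def too_similar(current, new, min_distance=3):
    """Possible only because the change request carries the current plaintext.
    The prefix rule alone lets 'total1Bollocks' replace 'totalBollocks'; the
    edit-distance floor rejects it."""
    if new.startswith(current) or current.startswith(new):
        return True
    return levenshtein(current, new) < min_distance


def accept_change(history, current, new):
    return not too_similar(current, new) and not history.seen_before(new)
```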

  6. bondyboy

    Barclays for security?

    I always smile at the irony of all the Barclays "we care about security" messages after having to deal with one of their bank accounts that was being used to funnel scam money through having its address changed to mine.

    Nine separate contacts to Barclays informing them of this error and scam, yet the account was still open 3 months after I first reported it to them. On average each month saw around £40,000 coming in and being transferred out. Who says crime doesn't pay?

    1. Pen-y-gors Silver badge

      Re: Barclays for security?

      If you can document it, that sounds like some sort of offence has been committed by Barclays.

      1. Justicesays

        Re: Barclays for security?

        From

        https://www.gov.uk/government/organisations/hm-revenue-customs/contact/money-laundering

        Report suspicious activity

        Call HMRC if you’re an individual who needs to report suspicious activity in relation to money laundering.

        Telephone:

        0800 595 000

        Opening times:

        24 hours a day, 7 days a week

      2. Anonymous Coward
        Anonymous Coward

        Re: Barclays for security?

        You have to understand: Barclays has a special "scandal deployment department" whose job it is to regularly involve the company in high profile scandals - allowing the in-crowd to short the stock, and then buy it back on the cheap, just after the fine is paid.

    2. Roland6 Silver badge

      Re: Barclays for security?

      Barclays used to be good about security, they initially provided Prevx (now integrated into Webroot) to their customers and then swapped this for Kaspersky. But since the US campaign against Kaspersky they haven't offered a free security tool to their customers...

      But hats off to them for their scamming awareness campaign.

    3. Tromos

      Re: Barclays for security?

      Their current TV campaign is actually badly flawed as far as security is concerned. The message it puts over is to never reveal your full PIN. What it should be saying is to never reveal ANY part of your PIN as no genuine bank will ever ask for it. Your bank might ask for a couple of characters from a security code, but this is completely different from a PIN.

  7. Elmer Phud Silver badge

    Customer Delight Providers

    The Seamstresses of the IT world.

    1. paulf Silver badge
      Mushroom

      Re: Customer Delight Providers

      If some jumped up MBA type PHB (or shyster HR skank, for that matter) changed my job title from something meaningful to "Customer Delight Providers" the dying embers of their lifeless corpse would be in the bottom of a skip by the end of the day; their only company being the charred remains of the piss stained mattress, which every skip seems to contain, that was cremated with them.

      Sorry, it's been a long week and I think we ran out of coffee by Wednesday afternoon.

      1. Teiwaz Silver badge

        Re: Customer Delight Providers

        Sorry, it's been a long week and I think we ran out of coffee by Wednesday afternoon.

        Priceless....

        I'm in the same mood, but all I've had to drink all week is coffee (although, might be a fair amount of whisky in it).

    2. Lyndon Hills 1

      Re: Customer Delight Providers

      better than deskside support, which often got auto-corrected to the strangely appropriate despised support..

    3. Teiwaz Silver badge

      Re: Customer Delight Providers

      Customer Delight Providers

      The Seamstresses of the IT world.

      hem, hem. Oh, and two needles.

  8. Nila

    Gave up on stupidity a while ago

    It would not be too bad if all sites' password complexity rules were the same, letting me use the same password for all irrelevant sites. Anyway - the only reason you need to register and log on to most of them is so they can send you spam.

    Now I just use the "forgot my password" link and enter a new password of the required gibberishness every time I need to log on. Even with extra hops it is much easier and even quicker than to come up with and remember unique passwords for each site. I do have a proper password for my email...

    I wish login prompts for all sites would contain their password policy upfront - so I can enter the required additional symbols in the required quantity after my normal password. As it is now I have to go through the password reset procedure every time to find that out...

    So that's security for you.

    1. Nick Ryan Silver badge

      Re: Gave up on stupidity a while ago

      I'm speccing a new website service and am semi-seriously contemplating not bothering with passwords at all and just emailing the user a one-shot login code. It's not the kind of website service that a user is going to use very often, I suspect once ever or maybe once every year or so, and forcing a user to deploy yet another password just for this seems a bit silly when I suspect that the most commonly used function on the site will be "reset password".

      1. DanielsLateToTheParty

        Re: Gave up on stupidity a while ago

        "contemplating not bothering with passwords at all and just emailing the user a one-shot login code"

        I too have a pending website due and this sounds ideal. Will pitch it to the client right away! Thanks for the suggestion.

  9. This post has been deleted by its author

  10. Dr_N Silver badge
    Black Helicopters

    " If I'm facially scarred in a road accident, for example...

    ...my biometric passport will no longer work."

    They aren't that clever. You'd still be able to fly.

Biting the hand that feeds IT © 1998–2019