back to article Either my name, my password or my soul is invalid – but which?

Try as I might, it won't go in. I have entered pretty much everything else so far but this time I'm getting a definitive "no". I respect that, of course, but it leaves me jolly frustrated. Despite all my powers of persuasion, I'm left standing in the cold with one hand on my lock. Yes, lock. The site keeps rejecting my …

Page:

    1. Anonymous Coward
      Anonymous Coward

      Re: But...

      They don't let him sit up there after the LAST time. So now he has to let the pilot do all the flying.

  1. Halcin

    DNA to replace passwords? Has no one seen Gattaca?

    I was also going to say that replicating DNA is "easy" for those that know how. But even easier would be to say "bleed on this will you?"

    1. Teiwaz Silver badge

      DNA to replace passwords? Has no one seen Gattaca?

      I was also going to say that replicating DNA is "easy" for those that know how. But even easier would be to say "bleed on this will you?"

      Gattaca? I thought it was a dreary Corporate training film....

      There's DNA in piss* isn't there? That's always an option

      * there is in faeces, hey, if they want a sample, might as well have something I'll be dumping at some point during the day anyway. I prefer to get lightheaded and trippy in my own time.

      1. Doctor Syntax Silver badge

        "there is in faeces"

        A lot of it is bacterial.

        1. Anonymous C0ward

          Probably some from the various animals I've been eating too.

    2. Doctor Syntax Silver badge

      I was also going to say that replicating DNA is "easy" for those that know how.

      Of course it is. I've been doing it all my life.

  2. PerlyKing
    Facepalm

    Really special characters

    I recently had to do a factory reset on my Android phone. When it came to signing in to my Google account afterwards, I discovered that my randomly-generated password contained a character which is not available in the stock Android keyboard. Now that's secure! ;-)

  3. Doctor Syntax Silver badge

    Let's call out the bollox of using email addresses as login IDs. A user ID and a password taken together are a long string. Doesn't it make it easier to guess the string if you're given half of it? And an email address is one thing that you do tend to give out. It's a mitigation, but no more, if you're able to set up individual addresses for individual sites but the basic rule should be to have email address as a separate field.

    Example 1. PayPal. The ID is the email address. OK, I can set up a unique address for this but I then find that hands out that address to merchants. Evidence? I had to change the PayPal ID (a pain in itself) because a merchant to whom I purposely hadn't given an email address decided it was a good idea to spam me using my PayPal ID. So PayPal, acting as a banker in that it's able to handle my money, is happy to hand out half my login credentials to a 3rd party. I'd like to think that they've stopped that crap under GDPR but I don't expect they have.

    Then there's the assumption that an email address is a guaranteed to be unique and permanent ID personal. It's neither.

    It doesn't necessarily have to be a unique individual address. Companies who adopt this tactic are quite happy to tell you to contact them on something like sales@numptiesrus.crap.

    And it certainly doesn't have to be permanent, especially if it's an ISP provided address.

    Example 2. I have a login at IBM which includes the name of my second (or last but one) ISP who, before I left them, had been taken over at least 3 times and hasn't been a valid, or at least a used, email address for at least 10 years. They won't allow it to be changed but do at least allow a separate, working, address to be provided.

    1. David Nash Silver badge

      Paypal

      Agree - I too had the experience of giving a merchant my preferred email address for them, and receiving email from them to my paypal login instead.

    2. Loud Speaker

      The purpose of using an email address for login is that the average idiot can remember his email address. He probably can't remember a password with more than 4 characters, but he can use the "reset password" button - much easier than typing 32 character passwords.

      1. Anonymous C0ward

        The other reason, is that anything other than randomly generated gibberish, even firstname+lastname+birthdate-of-first-hamster, is usually already taken.

    3. J.G.Harston Silver badge

      But an email address is the only thing that is close to 100% going to be unique to you and nobody else. JohnSmith? Millions of them. InitSurname? Millions of them. XYZyyymmdd? Thousands of them. youremail@yourdomaim? ONE. By definition.

      I had to set up a user list for just 30ish people. I hadn't got past 'A' before getting a clash with almost all naming methodologies.

  4. Anonymous Coward
    Anonymous Coward

    retarded rules on password

    "I should have known he'd come up with a daft suggestion like that. This is the bloke who would casually sabotage his own monthly New Password prompts by changing his password 11 times immediately and, for the twelfth, reset it to his old one again so he could carry on as before. He even kept his 11 non-passwords on a sticky note attached to his display bezel so that he could run through the same routine in the same order every month."

    I have no idea how "pro" security IT don't see incoherent/retarded AND different across multiple systems password rules in the SAME company, with different expiration dates of course, would do anything in favor of security !

    Every single staff I know in mine is doing as follows:

    - get the magic prefix that works on all systems

    - increment the number every change

    End of the day, there is virtually NO change in passwords ! It's not possible nor manageable !

  5. Katy_B

    I've noticed that many government sites which deal with things like your tax and NI record, and also most banks, will not accept special characters in passwords. Some don't even call for a capital letter as long as you have a numeral in there.

    It may be just me but I would have thought that banks and the government might think safer passwords were a good idea?

    1. Robert Carnegie Silver badge

      p!a!s!s!w!o!r!d!

      It's not really safer. And some systems choke on non-alphanumeric symbols in a password - I suspect one of our systems can't take a !

      A password of 8 genuinely random letters is safe. I standardise on Abcdef78 - as format, not as actual password - as concession to stupid system rules (and with all consonants, like I think I said above), and I put ! at the end if I really have to. But a password of a word with $ for S isn't safe because hackers have already got all those combinations in their dictionary.

    2. J.G.Harston Silver badge

      The HMRC site barfs on "special" characters anywhere you use them. "Note: 50% of income in 2015-16 after the first £500..." Barf! Sorry, can't accept that! No reason given, but by experimentation you have to remove : % - and - !!!! - £. When trying to submit your bloody taxes!

      1. AndyFl

        I share your pain

        Yes, you cant even put a <CR> into the box where you add more information which makes it close to impossible to write anything even remotely readable when it is more than a few word in length.

        And as for prohibiting the percent sign! Words fail me - it is a fscking finance site!

        I have several times put a complaint into the feedback link - never got a response either.

        I had a huge problem signing up on the HMRC site in the first place as I was in Qatar. The password mail took 3-4 weeks to arrive but was only valid for 2 weeks. When I called them up to ask what I was supposed to do they suggested I got it sent to someone in the UK who could phone it to me. I think they have completely lost the plot. After all, what is the point of insisting they send out a super secret code then because they fscked up the expiry telling people to send it to someone else!

    3. J.G.Harston Silver badge

      HMRC won't even accept "special" characters in the damn text fields! You have to spell out £ % - & + / in full. Won't even accept newlines, so you have to run everything in one huge paragraph like Infant School.

  6. Marketing Hack Silver badge
    IT Angle

    Obligatory Dilbert reference

    He feels your pain.

    http://dilbert.com/strip/2005-09-10

  7. AndrueC Silver badge
    Facepalm

    I had a similar issue when I tried to sign up with Samsung several years ago (I had a good reason, I wanted a firmware update for my TV so I could get into the engineering console). Anyway it refused to let me create an account so eventually I had to resort to a less legitimate source. I've since found out that it was my DEA system that caused the problem. Samsung will not let you register an email address with 'samsung' anywhere in it. Of course it never actually tells you that :-/

  8. CAPS LOCK Silver badge

    I would have thought that, by now, everyones password would be

    correcthorsebatterystaple. Mine certainly is.

    1. TomPhan

      correcthorsebatterystaple

      Our in-house training still recommends that as an example of a secure password.

  9. allthecoolshortnamesweretaken Silver badge

    Re: "I bet you wish I'd captured all this on my webcam."

    Yes.

  10. Terry 6 Silver badge

    Teachers' passwords

    I used to see a lot of schools. In September everyone's password had either expired because it ran out at the end of the previous month, or been forgotten. If the former there'd be a queue to call IT support for the first day or two. If the latter it'd be post-it search time or a call to IT......

    Except for the teachers that had a memorable password and stuck a number on the end. They'd be the ones logged in and getting lesson plans and stuff printed before the kids came in. The others would be huddled in a panic waiting for their turn to talk to IT and trying to remember what it was they'd spent hours planning a couple or three weeks earlier.

  11. Anonymous Coward
    Anonymous Coward

    Stupid email address checks are the worst.... Most annoying* is FaceBook, which prevents you from using email addresses whose name is "mail", ... tough luck if your address is "mail@<mydomain>.com".

    * Though in hindsight, maybe it's a good idea to have a "fb@<mydomain>.com" that FaceBook cannot link to any of my online activity...

  12. Anonymous Coward
    Anonymous Coward

    Idiotic Clients

    One of my clients has insisted that users can have the same username, this client also insists that username and password can be the same. They want to make it as simple as possible for the users to login, I might as well throw my security certifications in the bin.

    I still work for them, mostly because they pay lots of cash.

    Anonymous obvs.

    1. Anonymous Coward
      Anonymous Coward

      Re: Idiotic Clients

      My neighbour wants me to remove my fence and the lock on my gate so he can have access to the public highway through my yard - from his yard that is unfenced and open to the highway and the great wild public at his end.

  13. toffer99

    Anyone got advice on password managers? I'm thinking of jumping to one.

    1. Giovani Tapini
      Black Helicopters

      use any one you like but dont be surprised if the NSA discover all your credentials soon after...

    2. Flakk Silver badge
      Trollface

      One that hasn't been hit with security vulnerability disclosures? Oh wait, they all have. Nevermind. ;)

      It's not especially easy to use, and password data replication is a largely manual affair, but I like VeraCrypt (which, of course, also had vulnerability problems a few years ago). For me, it hits the sweet spot between the strong encryption that I like and the PITA factor that I believe is actually called for in some circumstances (the more sensitive the asset, the more difficult it should be to access it).

    3. Doctor Syntax Silver badge

      "Anyone got advice on password managers?"

      Run it locally. KeepassX is what I use but then I use a single laptop most of the time so it's not too much trouble to occasionally copy the file if I need to but I'm planning on using a Nextcloud server at home so that will make synchronisation even easier. I believe Android & iThing versions are also available.

  14. Barry Rueger Silver badge

    Gmail addresses with dots

    For many years my primary email has been :

    firstname.lastname@gmail.com

    The period in the middle does seem to make everything clearer.

    Still, nearly ten years later, and despite Gmail owning 75% of the webmail market, there are sites that reject that dot.

    1. Andy A

      Re: Gmail addresses with dots

      Could be worse.

      One place I worked at used

      <firstname>.<lastname>@<country>.<division>.<companyname>.com

      Luckily, in my case <country> was just uk, but any number of services couldn't cope with the total length of the string, and many more borked at the dots. It's annoying to find there isn't room in the box to type the whole email address.

      Kept the spam down though.

    2. CAPS LOCK Silver badge

      Re: Gmail addresses with dots

      Fear not. Gmail doesn't 'see' the dots so you can use 'firstnamelastname@gmail.com' instead.

      1. Anonymous Coward
        Anonymous Coward

        Re: Gmail addresses with dots

        I regularly get spam emails to my <myemail>@gmail.com - which were actually addressed to <my.email>@gmail.com

        There also appears to be 3 other people somehow with the same <myemail> , 1 in the UK and a couple in the USA, which is deeply disturbing.

        The drawback of having a relatively simple email address.

  15. Anonymous Coward
    Anonymous Coward

    Dvorak typing

    I'm not sure the Dvorak layout increased my speed (it did decrease my RSI) but if you switch back to Qwerty and type "Thisismypassword" you'll actually enter "Kjg;g;mtra;;,soh" or something similar and I've never met a password checker that doesn't think that a "strong" password.

    1. Dave559 Bronze badge

      Re: Dvorak typing

      That sounds a risky endeavour. Possibly typing "Kjg;g;mtra;;,soh" won't actually summon an elder god, but some of the passwords that you might come up with would do...!

      (Hmm, working in the IT department at Miskatonic University must be an "interesting" experience...)

  16. J.G.Harston Silver badge

    I once worked at an organisation that rolled out logon ids that were First Initial, Last Initial, Payroll Number (eg lh891234). Except for our small department who had started before this roll-out. Whenever we contacted the HelpDesk we had to go through the rigmarol of "your ID is your payroll number..." No it isn't! "Yes it is, your ID is your payroll number..." No! Listen to me!

    It was a struggle, but we eventually forced them to migrate us to the "standard" logon ID scheme.

    1. Wensleydale Cheese Silver badge

      " your ID is your payroll number..." No! Listen to me!"

      The company running a course I was taking couldn't make up their minds what my real name was. Their correspondence had me down as firstname lastname middle name and lastname middlename firstname.

      Start the course and the lecturer says he's set accounts up in the form of firstname.lastname.

      No combination of the above variations worked. I had to ask the lecturer what the system thought my login was, and he couldn't understand the question, simply repeating "Firstname dot lastname".

      We set up a completely new id in the end.

  17. TomPhan

    My standard password anecdote

    A place I briefly worked at was very big on security and automatically generated random passwords for everyone at the end of every month. Which were printed and left in an envelope on your desk to start using the next day.

  18. earl grey Silver badge
    Facepalm

    1-2-3-4-5

    That's the kind of combination an idiot would put on his luggage!

    Sorry, couldn't resist.

    1. Sureo

      Re: 1-2-3-4-5

      "That's the kind of combination an idiot would put on his luggage!"

      Might as well, the TSA and all the crooks know how to open it anyway.

  19. Terje

    I just don't understand why so many sites try to force you to weaken your passwords by specifying you must have at least one upper case character one number and one non alphanumeric character. there are ten numbers, there are in reality something like 16 special characters that is ever likely to get used...

    Just enforce a decent length password. and for the love of god don't ...ing limit the password length at say 32 characters, if the function you use to hash the password can't handle arbitrary long input (within reason) then fix your hash function don't force the user to limit the password.

  20. Kevin McMurtrie Silver badge
    Trollface

    New password: Z?+>&d-*OT[,AwIHLuiM

    And simply click "Forgot password" if I come back.

  21. Flexdream

    "..all a thief has to do is nick your phone and he sits and waits for the second password to light up in front of him."

    And your better alternative to this is?

    1. EnviableOne Bronze badge

      Doesnt even have to knick your phone, can re-route using SS7, NIST, NCSC et al. have recommended against SMS second factor for an age.

      IMHO, the best second factor available at the minute is the OAuth2.0 TOTP.

      However why people are still dreaming up passwords i dont know, just plug the rules into your pwd manager hit generate, et voila ... PLus it evades the 5$ wrench method. I dont even know what most of my passwords are!

      password size limit is redundant, a hash comes out the same length no matter the input.

      forcing types is useless, length trumps complexity. even if its all lower case a 14 char pwd takes longer to brute force than an 8 char alpha num with specials and uppers.

      force a minimum of 12 chars, tie this to the pwnedpassword database, and dissalow anything that was breached, or in a sector/site specific common words list, and roberts your parents male sibling

      1. Robert Carnegie Silver badge

        @EnviableOne

        I'm not quite sure I like this. Is it saying that I can't have password = 5000358745115 because someone else on planet Earth once had that password?

        It's not actually my password, it is the bar code of Tesco Omega 3 linseed oil tablets - which may not do you any good, it turns out.

  22. Anonymous Coward
    Anonymous Coward

    My password would be

    Drop_Table <password.h>;

  23. J.G.Harston Silver badge

    Why am I commenting on a thread that is eight months old? How did I not notice this thread was eight months old? How did this thread bubble up to the top of Reg's news page making me think it wasn't eight months old?

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019