Monday, 17 October 2011

Special password rules

Well, some people make some very silly password rules. We have to log in to a banking-related system, and it has rules on passwords. What is silly is that it is a machine, not a person, that has to log in every day to pick up some reports. As a person I have no reason to log in at all, well, except one!

They insist you change your password every few months. This is just crazy, and I have yet to script it, so every three months or so I have to log in, change the password, and then change it again on the system that does the logging in. I really must automate that!

Now, I would be quite happy if we just used a client cert on the SSL connection or some such, but no, they use a simple username and password. But why change it? Why not have them allocate a really long, complicated password and say that if we use the one they generate then we don't have to change it?

Basically, if anyone did find the password on my systems then, as with anyone else forced to change a password periodically, they will almost certainly be able to guess the next password, so forcing a change periodically is pointless. In this instance all I can do with it is download the reports anyway, so not exactly massively high security needed. Heck, why the hell do they not email the reports PGP encrypted? It would be a lot easier!

Anyway, as if that were not special enough, they decided to change the rules for passwords over a weekend, not tell anyone, invalidate passwords that don't meet the new format, and give no clue why you can no longer log in.

It has literally taken me all day to get this sorted, have my account reinstated, and set a new password.

But, for your amusement, the new rules are :-
  • Must not be the same as your login
  • Must not be the same as any of the past 12 passwords used
  • Must be at least 7 characters
  • Must contain at least 2 numbers which must not be at the start or the end
  • Must not contain 2 consecutive characters the same

It looks like they use upper-case letters and numbers only, but thankfully they don't restrict you to that, as with these rules added that would have more than halved the time needed to brute-force a password.

Why on earth do people do this?

I have emailed them but they won't get it!


  1. You need to stop thinking of these things as being about security, and start thinking of them as being about diverting blame.

  2. Also note that they're by inference storing those passwords in clear.

  3. Mike, I nearly accused them of that. But actually they can check it is not the same as the last 12 passwords without doing that, and they could have invalidated the current password on first correct use of it after the policy change rather than by storing it. I suspect you are right though.

  4. I agree with mstevens - but try getting them to admit it!

  5. Aren't they all dictionary words though? Therefore would be easy to guess by a computer program?

  6. In the xkcd example he is assuming a 2048 word list, and in fact assuming the attacker knows the word list (i.e. worst-case scenario). Being dictionary words or not is not relevant if the attacker knows the word list. In practice he won't and so it will be harder to guess. The reason for such a small word list is to make them common words that are easy to remember. The comic is accurate.
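As an added example (not code from the original post, its comments, or the bank's system), here is a checker for the five rules listed in the post, with the "past 12 passwords" rule implemented against salted hashes rather than stored cleartext, which is the point comment 3 makes. The login name, history depth handling, and the reading of rule 4 as "at least two digits, none in first or last place" are assumptions.

```python
import hashlib
import os

# Added example, not the bank's code: a checker for the five rules quoted
# in the post. Where the wording is ambiguous, the interpretation taken
# here is noted next to the rule.
HISTORY_DEPTH = 12        # "any of the past 12 passwords used"
KDF_ITERATIONS = 50_000   # PBKDF2 cost; raise this for production use


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256 of a password, so the history holds no cleartext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)


def add_to_history(history: list, password: str) -> list:
    """Return a new history with this password appended as (salt, hash),
    truncated to the last HISTORY_DEPTH entries."""
    salt = os.urandom(16)
    return (list(history) + [(salt, _hash(password, salt))])[-HISTORY_DEPTH:]


def in_history(history: list, password: str) -> bool:
    """True if the candidate matches any stored (salt, hash) entry."""
    return any(_hash(password, salt) == digest for salt, digest in history)


def violations(login: str, password: str, history: list = ()) -> list:
    """Return the numbers (1-5, in the post's order) of the rules broken."""
    broken = []
    if password == login:                       # rule 1 (exact match assumed)
        broken.append(1)
    if in_history(history, password):           # rule 2, via hashes only
        broken.append(2)
    if len(password) < 7:                       # rule 3
        broken.append(3)
    # rule 4, read as: at least two digits, and no digit in first or last place
    inner_digits = sum(c.isdigit() for c in password[1:-1])
    if inner_digits < 2 or password[:1].isdigit() or password[-1:].isdigit():
        broken.append(4)
    if any(a == b for a, b in zip(password, password[1:])):  # rule 5
        broken.append(5)
    return broken


if __name__ == "__main__":
    hist = add_to_history([], "A1B2CDE")   # constructed sample history
    for pw in ("A1B2CDE", "1ABCDE2", "AAB1C2D", "X9Y8ZQW"):
        print(pw, violations("REPORTBOT", pw, hist))
```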