grr blocked. Tried Googling some and I definitely agree with this:

Financial or medical site full of private information? Only 12 characters and limit which special characters are allowed!

My one online banking was 8 MAX and no symbols. That's being cracked in no time. And the one where they said it doesn't give you rules but keeps declining the new PW.
 
My dad's bank used to allow long passwords, then at one point changed the password rules to limit them to eight (!) characters. Dad's existing (long, non-reused) password continued to be accepted when logging in. About five years later they redesigned the login page and put an 8-character limit on the input field. Suddenly he couldn't log in any more.

Of course, when he contacted them, they told him that he was mistaken and that his password could never have been more than eight characters long...
 
Of course, when he contacted them, they told him that he was mistaken and that his password could never have been more than eight characters long...
It was probably that the limit was 8, and anything beyond 8 was truncated by the system, so if your father typed in MyPasswordisGREAT, it may have only seen MyPasswo. Then a system update started a more involved password verification and enforced a maximum.
 
Websites: "We require an impossible-to-remember 72-character password that must contain 16 capital letters, 4 punctuation marks, a hieroglyph, and the last 5 digits of Pi"

Also websites: "Passwords are so insecure you must now enter this 5-digit number we texted your phone."
 
Too many people had like variations of "Appppp1e" as their password probably.

Yup. In the case of Apple being on the site, consecutive characters does lower password entropy. And seem to recall that that could be exploited (read: instead of 4 billion years to crack random, now only takes 3 billion; will need to dig up the old study and no time right now). This has been a recommendation for a while now, but not sure how helpful/valid it is seen in this day and age (In Jessica’s example, easily exploitable with a decent password cracker).

My dad's bank used to allow long passwords, then at one point changed the password rules to limit them to eight (!) characters. D

It was probably that the limit was 8, and anything beyond 8 was truncated by the system, so if your father typed in MyPasswordisGREAT, it may have only seen MyPasswo then a system update started a more involved password verification and enforced a maxium

Also yup. Ran into this years ago on a Microsoft site iirc. Entered a 20 character passcode but only took 15 and never reported that it was too long.
 
Websites: "We require an impossible-to-remember 72-character password that must contain 16 capital letters, 4 punctuation marks, a hieroglyph, and the last 5 digits of Pi"

Also websites: "Passwords are so insecure you must now enter this 5-digit number we texted your phone."
It seems to be really common these days for sites to conflate an Internet connection with a phone connection. So-called "naked" broadband has been available for well over a decade, yet the number of sites that just blindly assume you have phone service (whether to text a verification number or whether to demand one for some other reason) seems to actually be growing.

The other day I tried to do something with a Google account. "You need to give us your phone number so we can text you". Fortunately there was an "other options" section... which yielded "install this app on your phone". That doesn't help when I don't have a phone!
 
Re: Apple getting a bum rap on the cited website: per current NIST recommendations, the TLDR (there is A LOT to read) portion:


When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include, but is not limited to:

  • Passwords obtained from previous breach corpuses.
  • Dictionary words.
  • Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
  • Context-specific words, such as the name of the service, the username, and derivatives thereof.

So, basically, a Kanye rule (i.e. his "1111" or "4444" [can't recall what it was exactly] iPhone passcode that was captured on film), that makes things easier to guess. So Apple is not being "dumb" imo.

EDIT: this also covers "pattern" PINs: 1397, 0853, etc. which appear on semi-regular "worst PINs" lists.

Wikipedia's summary article pretty much covers NIST recommendations, minus some (appears to me) subtle for end-users recent (2021) changes.

 
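The SP 800-63B blocklist rules quoted above, as an added example of what a verifier does with them at password-set time. This is not code from the thread, from NIST, or from Apple: the breach and dictionary lists are constructed stand-ins for a real corpus, and undoing common leetspeak substitutions before comparing (so "!Pa55w0rd" screens as "password", and "Appppp1e" is caught by the repetition rule the post mentions) is my reading of "derivatives thereof", not something the standard spells out.

```python
"""Screen a candidate password against SP 800-63B blocklist rules.

Added example; the word lists below are constructed for illustration.
A real deployment loads a breach corpus of hundreds of millions of
entries (e.g. via a k-anonymity API) and a proper dictionary."""
import re

# Constructed sample lists, not a real breach corpus or dictionary.
BREACHED = {"password", "123456", "qwerty", "letmein", "iloveyou", "welcome"}
DICTIONARY = {"donkey", "barbecue", "sunshine", "monkey", "dragon"}

# Leetspeak substitutions to undo before comparing against the lists.
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def _variants(pw: str) -> set[str]:
    """Forms of the password a blocklist comparison should try: the
    lowercase original, its leetspeak-undone form, and both with leading
    punctuation and trailing digits/punctuation stripped, so that
    '!Pa55w0rd' -> 'password' and 'Dragon123' -> 'dragon'."""
    low = pw.lower()
    core = re.sub(r"^[^a-z0-9]+|[^a-z]+$", "", low)
    return {low, low.translate(_LEET), core, core.translate(_LEET)}


def has_repetition(pw: str, run: int = 4) -> bool:
    """True if one character repeats `run` or more times in a row ('aaaaaa',
    'Appppp1e'). Three in a row is left alone so random passwords that
    happen to contain '000' are not rejected."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if `run` or more characters step up or down by one code point
    within one class (all digits or all letters): '1234', 'abcd', 'dcba'."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        if not (window.isdigit() or window.isalpha()):
            continue
        deltas = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if deltas == {1} or deltas == {-1}:
            return True
    return False


def context_words(service: str, username: str) -> set[str]:
    """Service name, username, and simple derivatives: the local part of
    an e-mail style username and the leetspeak-undone spellings."""
    words = set()
    for w in (service, username, username.split("@")[0]):
        w = w.lower()
        if len(w) >= 4:  # very short names would match too many passwords
            words.add(w)
            words.add(w.translate(_LEET))
    return words


def screen(pw: str, service: str, username: str) -> list[str]:
    """Return the blocklist rules the candidate hits, in the order the
    standard lists them; an empty list means the password passes."""
    hits = []
    variants = _variants(pw)
    if variants & BREACHED:
        hits.append("breach-corpus")
    if variants & DICTIONARY:
        hits.append("dictionary-word")
    if has_repetition(pw):
        hits.append("repetitive")
    if has_sequence(pw):
        hits.append("sequential")
    ctx = context_words(service, username)
    if any(c in v for v in variants for c in ctx):
        hits.append("context-specific")
    return hits


if __name__ == "__main__":
    for cand in ("!Pa55w0rd", "Appppp1e", "1234abcd", "MacRumors2024!",
                 "donkeyfronthatstandbarbecuetree", "%%$gpojadf*@q(ytRC)/00013tz"):
        print(f"{cand!r}: {screen(cand, 'MacRumors', 'jessica@example.com') or 'ok'}")
```

Note what the screen does not do: it imposes no composition rules and no maximum length, which is the other half of the same NIST guidance. The long passphrase and the password-manager string from later in the thread both pass, while the variants of "password" and the service name are rejected.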
Also websites: "Passwords are so insecure you must now enter this 5-digit number we texted your phone."

The other day I tried to do something with a Google account.
I don't buy the idea that they're wanting our phone numbers due to security. They just want more info, and more ways to contact us and sell our number to others.
 
Yeah, I remember that study. People forgetting and having to reset their passwords all the time is better than having to deal with people breaking into accounts with weak passwords, especially with all the data now stored in them.
Trouble is, you then have to provide users with an easy mechanism for resetting passwords (without turning up in person with 2 forms of physical ID and a blood sample) which probably involves assuming that email is secure, training users to click on links in emails or, worse, relying on stupid easily-researched security questions (If I ever get a cat I'm naming it "#Fel1x463!" just to be safe).

The other day I tried to do something with a Google account. "You need to give us your phone number so we can text you". Fortunately there was an "other options" section... which yielded "install this app on your phone". That doesn't help when I don't have a phone!
We're sleep-walking into a situation where a mobile phone is not an optional item. At some stage this is going to cause problems for a minority who can't get mobile phones. However, I guess they're already more common than bank accounts or driving licenses, so given that we desperately need some sort of personal authentication system it's probably the best place to start... Even better with apps that can do proper challenge/response rather than relying on SMS.

I don't buy the idea that they're wanting our phone numbers due to security. They just want more info, and more ways to contact us and sell out number to others.

You're worried about that sort of thing but you want to log in to Google? :)

Seriously, while I'm sure that Google are delighted for an excuse to gather more data, using mobile phones for 2-factor authentication and password reset is probably the least worst solution that works for most people. Especially with services like Google where your account is likely the same one you use for email, so you need an independent system...

There's a catch here: we desperately need a common system for identity verification because the various ad-hoc work arounds that we're resorting to are both intrusive and ineffective. Problem is, who has the resources to actually establish such a system? The candidates seem to be Google or some unholy alliance of the other big-name tech firms (SFX: peal of thunder), The Government (SFX: scare chord!!!) or the credit reference agencies (SFX: cracked bell tolling dissonantly against a background of howling wind).

Websites: "We require an impossible-to-remember 72-character password that must contain 16 capital letters, 4 punctuation marks, a hieroglyph, and the last 5 digits of Pi"
...and if they could agree on that (well, not the Pi bit, but, for example, the length and which punctuation marks were available) then we could all just use password managers to generate strong random passwords and remember them for us. The problem with "dumb password rules" is when they reject perfectly cromulent passwords like "donkeyfronthatstandbarbecuetree" (if you want to remember & manually type it) or "%%$gpojadf*@q(ytRC)/00013tz" (if you have a password manager) because they're too long or use the wrong punctuation, but still accept "!Pa55w0rd" and have the unintended consequence of encouraging users to use "!Pa55w0rd" for every site.

...then there's the 'enter characters 3, 7 and 9 from your password' variety which probably do guard against phishing (but not, dear <insert name of my bank*> when you're asking for 3 digits from a 4 digit PIN), but are just plain annoying, tedious to fill in, pretty much force you to write the password down and also mean that the bank has your password stored as plaintext.

(* who care so much about phishing that they periodically call me up out of the blue and expect me to confirm name/address/whatever before trying to sell me stuff, and regularly send out emails with big friendly 'click me' buttons with hidden URLs... must be some sort of solipsist disorder whereby because they know they're not scammers so I must also know they're not scammers - if the real phishers ever learn spelling and grammar, the banks will be in real trouble... ).
 
It seems to be really common these days for sites to conflate an Internet connection with a phone connection. So-called "naked" broadband has been available for well over a decade, yet the number of sites that just blindly assume you have phone service (whether to text a verification number or whether to demand one for some other reason) seems to actually be growing.

The other day I tried to do something with a Google account. "You need to give us your phone number so we can text you". Fortunately there was an "other options" section... which yielded "install this app on your phone". That doesn't help when I don't have a phone!
I have a couple Google accounts that I created for work about 8 years ago. At the time I had to enter a phone number as an alternate contact. Now they keep trying to “authenticate” that number with a text. Except that is a landline number for our company. The expectation that EVERY number entered into a form is a smartphone is annoying.
 
I don't buy the idea that they're wanting our phone numbers due to security. They just want more info, and more ways to contact us and sell out number to others.

For example (reason #85,429 why I'm one of the seven people in the world not to use anything made by Meta):

...and reason #200,873:

----------
We're sleep-walking into a situation where a mobile phone is not an optional item. At some stage this is going to cause problems for a minority who can't get mobile phones

This isn't really so different from landlines up to fifteen years ago or so. Some people, either due to finances or circumstances, were unable to have a landline of their own. This meant a lot of tasks were difficult or impossible, as with the lack of a mobile phone today.

In the US, this led to a number of government-led programs, such as the requirement for phone companies to provide a basic, ultra-low cost service to people meeting an income test and the imposition of surcharges on most phone plans for subsidizing rural phone services, and to many private sector offerings, such as standalone voice mail and cheap pagers.

So as copper wire-based landlines become less and less used–in my area, the phone company doesn't even offer non-VOIP wired phone service to new lines–it is very likely the bulk of federal and local government requirements on telephony providers and users will shift from landlines to mobile service. And who knows, maybe Motorola will be resurrected with a "smart" pager as its flagship product!
 
It was probably that the limit was 8, and anything beyond 8 was truncated by the system, so if your father typed in MyPasswordisGREAT, it may have only seen MyPasswo then a system update started a more involved password verification and enforced a maxium
Yes, it was like this at work at one point. I think at the time it may have been 8 or 12, but you could make it more, but it would work with just the first however many chars.

EDIT: Now that I think about it, I think it was worse. I think it didn't tell you the char limit and would let you make it longer, but it would only take the first X chars. If you put in the whole thing, it would be invalid. Just happened by trial and error we figured it out.
 
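The three length-limit behaviours described in this thread (the bank that truncated at set and verify, the login page that later refused anything over eight characters, and the work system that stored only the first X characters but rejected the full entry) are easy to confuse from the outside. The following is an added example, not any bank's or employer's real code: four constructed verifier models behind one interface, plus the trial-and-error probe the poster describes, written so that the three login attempts it makes give each behaviour a distinct signature. The eight-character limit and the PBKDF2 parameters are assumptions for the demo.

```python
"""Simulated password verifiers with different length-limit bugs, and a
probe that tells them apart from three login attempts.

Added example: the verifier modes are constructed models of the
behaviours described in the thread, not any real system."""
import hashlib
import hmac
import os

LIMIT = 8  # assumed legacy limit, as in the bank story


def _hash(pw: str, salt: bytes) -> bytes:
    # Any slow hash works for the demo; iteration count kept low for speed.
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 50_000)


class Account:
    """One stored credential whose set/login paths behave per `mode`:

    honest            full password stored and compared, no limit
    truncate_both     classic crypt(3)-style: first LIMIT chars at set and login
    truncate_set_only first LIMIT chars stored, but login compares the full entry
    ui_limit          full password stored, but a newer login form rejects
                      any input longer than LIMIT
    """

    def __init__(self, mode: str):
        self.mode = mode
        self.salt = os.urandom(16)
        self.stored = b""

    def set_password(self, pw: str) -> None:
        if self.mode in ("truncate_both", "truncate_set_only"):
            pw = pw[:LIMIT]  # silently dropped, no error reported to the user
        self.stored = _hash(pw, self.salt)

    def login(self, pw: str) -> bool:
        if self.mode == "ui_limit" and len(pw) > LIMIT:
            return False  # the redesigned form refuses the input outright
        if self.mode == "truncate_both":
            pw = pw[:LIMIT]
        return hmac.compare_digest(self.stored, _hash(pw, self.salt))


# (full password accepted?, LIMIT-char prefix accepted?, same prefix + wrong tail accepted?)
DIAGNOSIS = {
    (True, False, False): "full length honoured",
    (True, True, True): "silently truncated at set and verify",
    (False, True, False): "truncated at set only: full password rejected, prefix accepted",
    (False, False, False): "login refuses input over limit: stored long password unusable",
}


def probe(account: Account, secret: str = "MyPasswordisGREAT") -> str:
    """Register a password longer than LIMIT, then try the full secret,
    its LIMIT-char prefix, and the prefix with a different tail."""
    if len(secret) <= LIMIT:
        raise ValueError("probe needs a secret longer than LIMIT")
    account.set_password(secret)
    full = account.login(secret)
    prefix = account.login(secret[:LIMIT])
    wrong_tail = account.login(secret[:LIMIT] + "x" * (len(secret) - LIMIT))
    return DIAGNOSIS.get((full, prefix, wrong_tail), "unexpected combination")


if __name__ == "__main__":
    for mode in ("honest", "truncate_both", "truncate_set_only", "ui_limit"):
        print(f"{mode:18s} -> {probe(Account(mode))}")
```

The signature that matters for the dad's bank is the last row: the old long password still hashes correctly on the server, so nothing in the database has to change for the account to become unusable; only the input field did. The probe is worth running against any system you are responsible for before a front-end redesign, since the truncate-both case is invisible to normal use and only shows up when the prefix alone logs in.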
In the US, this led to a number of government-led programs, such as the requirement for phone companies to provide a basic, ultra-low cost service to people meeting an income test and the imposition of surcharges on most phone plans for subsidizing rural phone services, and to many private sector offerings, such as standalone voice mail and cheap pagers.

When I was in elementary school, I was considered "rich" because we had our own phone line and not a party line.:eek:
 
When I was in elementary school, I was considered "rich" because we had our own phone line and not a party line.:eek:
Not old enough to have had a party line. I think two things "rich" were having a hard drive and a second phone line for Internet.
 
Not old enough to have had a party line. I think two things "rich" were having a hard drive and a second phone line for Internet.
Never had a party line here, although I'm old enough to remember the switchover to 7-digit phone numbers (probably late 80s). By the late 90s we had two phone lines at home with two numbers, one for voice and one for fax/modem.

When ADSL1 came along, the local provider had a winning pricing strategy: An ADSL connection was the same price as dialup plus a second line. I know a lot of Internet users switched over... and forked over an extra $4/month or whatever it was to keep their fax number with a different ringtone.

Then we ran into the debacle of ADSL being much more popular than the phone company expected, and running into "port waiter" lists and lack of availability...
 
Never had a party line here, although I'm old enough to remember the switchover to 7-digit phone numbers (probably late 80s). By the late 90s we had two phone lines at home with two numbers, one for voice and one for fax/modem.

When ADSL1 came along, the local provider had a winning pricing strategy: An ADSL connection was the same price as dialup plus a second line. I know a lot of Internet users switched over... and forked over an extra $4/month or whatever it was to keep their fax number with a different ringtone.

Then we ran into the debacle of ADSL being much more popular than the phone company expected, and running into "port waiter" lists and lack of availability...
We had seven for my whole life that I remember. I forget when we had to go to ten. I know it happened in other areas before us.
 