Frustrating Password-Checkers

My corporate password-checker:

"Magellan1492" - Rejected! Weak password. Reason: repeated characters.
"Mike1234" - Accepted. Strong password.

::bonks head on desk::

(I then created a sticky-note with my password, because I refuse to memorize more than three.)

Whomever writes these password-checkers needs to inject some common sense. The second password was four characters longer with non-sequential digits.

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

networker050184

Then they all expire at different times too! Check out keypass if you haven't. A little better than a sticky note!

NetworkVeteran

networker050184 wrote: »

Then they all expire at different times too! Check out keypass if you haven't. A little better than a sticky note!

I should. I have an encrypted USB dongle with all my personal passwords, but never bothered setting one up with all my corporate passwords (I don't like to mix personal w/ business).

Roguetadhg

I change all my passwords at the same time to avoid the confusion. My work passwords (that I have control over) is different than personals. My personal passwords are just a magellan cluster-....

Sticky Note? Do you at least hide it under your keyboard? You should encrypt you sticky note passwords with:

http://www.thinkgeek.com/product/e7b3/

A Decoder ring! Whoo!

As far as 1492. It's a popular year. One that stands out from the history books. Why not use a passphrase?

Like: Dr1nkM0r3Oval7!n3 I]In the spirit of the decoder ring[/I

Tackle

Roguetadhg

Sad face!

NetworkVeteran

Lmao @ Rogue & Tackle.

I have some passphrases in my repertoire of three corporate passwords, too, which failed for repeated letters as "Correct Horse Battery Staple" would.

Let's take a couple passphrases--

IlbcmTwtcmTota

This is "weaker" according to many password-checkers because the alphabet it's chosen from only has 52 characters to choose from [a-zA-Z].

Mike1234

This is "stronger" according to many password-checkers because the alphabet it's chosen from has 62 characters to choose from [a-zA-z0-9].

However, 52^14 =~ 2^80 while 62^8 =~ 2^48.

I wish password checkers would realize this! Especially since they direct you towards passwords that are harder to remember and more likely to end up on a post-it note.

(I will grant an exception for password databases that only store 8-bit passwords.)

(And no, I wouldn't normally pick either of those as passwords!)

DevilWAH

I use keypass, I also use the method of first letter from a short string of text like

"the best dog i have ever had was called moses 1998" = tbdihehwcM1((8

for personal non secure passwords as easy to remember and plenty strong enough to protect a log in to a site such as this.

For work I use random generated passwords along with some thing like Keypass to store and recall them. I don't really think about the pass word checker on the applications, I generaly keep in mind how you crack passwords and insure I chose passwords that are hard to break.

NetworkVeteran

DevilWAH wrote: »

I use keypass

Thanks for the tip! I installed a copy earlier this evening for my corporate passwords.

jibbajabba

I should really stop using the same password everywhere *rolls eyes*

DevilWAH

jibbajabba wrote: »

I should really stop using the same password everywhere *rolls eyes*

I disagree, it has been shown it can be better to use one single complex password that you can remember across multiply systems, than multiply shorted passwords, that are frequently changes and end up getting jotted down or when changed the same formate is reused.

A lot of companies are starting to relax the 30 / 90 day pass word renewal process, in favour of just increasing the password length and complexity.

Ahriakin

For web stuff I use LastPass with a Yubikey.
On the mathematical complexity comments above that's only part of the picture. Most credential attacks will not start with absolute brute-force but with predefined tables that (depending on the skill and resources of the attacker) may have been customised for the target. A theoretically more calculationally complex password can in reality be weaker because it was easier to derive from external information about the target. But that in it itself illustrates that there will never be a perfect password checker, they are just there to enforce some very basic minimums and yup will often get it wrong.

cyberguypr

I hear you on password length. The other day I was watching this SANS webcast where John Strand presents the case for long passwords. He sums it up with "length is the only thing that matters" and provides examples of how complexity and randomness defeat the purpose.

One of our vendors requires us to change passwords every 30 days. They have implemented every single obstacle you can imagine: complexity, history, no email/name/account/user permutations, no dictionary, and most likely a few other things I can't remember. We always end up documenting the password somewhere or resetting it every time we need to use their service. Ridiculous.

demonfurbie

all the password checkers need to be reworked with a simple if then else statement like
if the password is greater than 26 letters yes if not then use the rules that they already have

tpatt100

jibbajabba wrote: »

I should really stop using the same password everywhere *rolls eyes*

That Apple-Amazon-Wired story made me realize this. I always knew it but dang I kept putting it off.