Doctor Four (join:2000-09-05, Dallas, TX) | reply to Daniel, Re: Sites That Don't Allow Special Characters In Passwords !?!
What I can't believe is that there are banking sites out there that won't let you use special characters in passwords. That is just plain dumb and short-sighted.
On the opposite side of the coin are sites that require 1 or more special characters, capital letters and so on in their passwords. Paypal does. -- "The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)

timcuth (join:2000-09-18, Pelham, AL) | reply to Daniel
What I hate is sites that ask you to create a new password, but don't give any hint whatsoever as to what characters you may use or how long the password can be. Lots of them do this.
Tim -- The shortest sentence is, "I am". The longest is, "I do". ~ Project Hope ~

Wildcatboy (Mod, join:2000-10-30, Toronto, ON) | reply to nwrickert (topic move), Sites That Don't Allow Special Characters In Passwords !?!
Moderator Action: The post that was here (and all 12 followups to it) has been moved to a new topic: »Sites That Don't Allow Special Characters In Passwords !?!
Stated reason was: Jailworthy

nwrickert (join:2004-09-04, Geneva, IL) | reply to EGeezer, Re: Sites That Don't Allow Special Characters In Passwords !?!
said by EGeezer: I consider social sites like BBR and others to deserve complex passwords.
You would have to change a lot more than the password characters.
Practically speaking, login to BBR is done by persistent cookie transmitted as clear text. -- AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.10

EGeezer (join:2002-08-04, Country!) | reply to Daniel
Merrill Lynch also limits length as well as limiting to characters and numbers only. That's why I have not authorized any online transactions with them, and change the login frequently. Since the folks there know me personally, that's how I do business. Same with Chase and a few others.
A couple of observations -
***********
I consider social sites like BBR and others to deserve complex passwords. Why?
Because hacking someone's account can provide a miscreant with a "trusted" ID, and can be used to gain trust and possible information of other members, as well as profile information that's marked private. While that may not hurt me a great deal, it could hurt others if my ID is used maliciously to gain trust from other members. A collateral result would be that my name could be damaged in the eyes of my fellow community members.
Also, if the account were used for illegal purposes like uploading CP or sharing copyrighted information, I could become a target of an investigation. I don't need that hassle.
************
Some of the authorization systems used by these institutions were - or are - also used for touch-tone phone logins. They save money by using pieces of the phone system for internet authorization.
************
Very few sites allow changing a user ID, so that in many cases leaves only one changeable factor - the password. If an account is compromised, the hacker will still have the user ID. That should be something to look at when upgrading security.
************
Lastly, my passwords are either memorized or stored offline where a burglar would be unlikely to find them. Although we live in a good neighborhood and have no untrustworthy residents or guests, I consider some information worthy of securing against casual observation or discovery. That's just part of my risk analysis and resulting policies.
************
HTH
EG -- 03:14:07 UTC Tuesday, Jan. 19, 2038 - a date that will live in infamy...

jbob (join:2004-04-26, Little Rock, AR) | reply to Daniel
FWIW I have 2 Chase accounts. I DO use special characters in my password so not sure if it is true about Chase being listed. I will say that both my accounts were initially with other businesses and were bought out/sold/transferred to Chase and my online access simply transferred over. Even with Chase's new security procedures my password (complex) still worked/works.

Maxo (join:2002-11-04, Tallahassee, FL) | reply to Daniel
I agree with you. Sites that don't allow special characters really irk me. I could go ahead and list some internal apps here within my company but that would be pointless. I can't think of any sites off hand that don't allow special characters.

Daniel (join:2000-06-26, Pleasanton, CA) | reply to Mele20, Re: Big Sites That Don't Allow Complex Passwords !?!
said by Mele20: I just took issue with the "sky is falling" attitude of the OP.
You see what you want to see. All I did was bring the issue up; I didn't ever say it was life or death, or use any other language that would indicate I thought there was a need for panic. If that's what you saw then that's on you. All I did was bring it up. I think your interpretation of "sky is falling" comes from you not getting the point of the post in the first place. Meaning, if anyone even mentions something that in your mind "doesn't matter", then by virtue of it even being brought up it's automatically considered overreacting.
said by Mele20: I also disagree with the OP that everyone except myself memorizes all 200-300 passwords that they have and may change (especially banking ones) every three months.
That would have been a much better point had I ever said that. But since I didn't, it's not. -- dmiessler.com -- grep understanding knowledge

Bubba17 (join:2006-09-21) | reply to Daniel
I completely agree with your position for password character-set inclusion. Long ago, I adopted 'program-controlled' management for security vital sites, and more. At this moment, away from my machine, I'm incapable of accessing 95% of the sites of import to me. The 5% committed to memory share a common core, with subtle variations, and character-set allowance punches them to a higher security level. -- HN7000s|H1(127W)-1110mhz|.98m-2w|Pro+|3.0ghz dual-core|3gig-ram|BFG7800GT-OC-256MB|XP-Pro w/SP2 "Fast is fine, but accuracy is everything." -- Wyatt Earp

Just Basics (join:2003-06-08, Painter, VA) | reply to Mele20
This site does allow special characters.
I try to use special characters in all of my passwords first - they are rejected about 50% of the time.

Mele20 (join:2001-06-05, Hilo, HI) | reply to dave
I believe the OP started out complaining that Digg was bad because they don't allow for a special character in their login and the OP said there were a number of big sites like that. Then he sort of switched to banking sites only...kind of two different topics as what banks do with passwords is not at all like regular sites where it doesn't matter that much if your password gets grabbed. We can grab each other's over at bugzilla and have fun confusing the mofo folk...you'd get more embarrassed than I probably because I would likely post not too good bugs under your id and not write them up as well as you would for bugs you posted under mine. Or we could have fun adding each other's email address to a ton of very active bugs and give 10 votes to some dumb bugs, etc. But what real harm would be done by such pranks?
I am not objecting per se to allowing this. I am objecting to the OP's attitude that this is some huge deal and we all need to immediately get behind pushing "derelict" sites to do this as of yesterday. No one has answered my question of whether or not this site, Wilders Security, and Castlecops allow special characters? If they don't are they derelict and have to be pressured immediately? I just took issue with the "sky is falling" attitude of the OP. I also disagree with the OP that everyone except myself memorizes all 200-300 passwords that they have and may change (especially banking ones) every three months. -- "If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"
»www.msfirefox.com/

bluezanetti (join:2003-10-04) | reply to dave
said by dave: If it's optional, some people will not take advantage of the ability. They are no worse off. Meanwhile, some people are better off. Why is it worth arguing against this?
It's not.
Blue

dave (join:2000-05-04, not in ohio) | reply to Mele20 (1 edit)
Hold on, just let me tell our trained IT guy that he's an idiot for requiring at least one non-alphanumeric character in all passwords.
I'll get back to you with his response...
Slightly more seriously, it seems quite easy to understand. Allowing more characters gives a greater range of password possibilities, at close to zero cost. Why is it worth arguing against this?
If it's optional, some people will not take advantage of the ability. They are no worse off. Meanwhile, some people are better off. Why is it worth arguing against this?
-- Microsoft Security MVP, 2005-2007.

Mele20 (join:2001-06-05, Hilo, HI) | reply to Daniel
said by Daniel: How about when the username is bsmith, and the password is bsmith1? We're not talking about major, complex attacks here. And we're also not just talking about banks. Banks are just one type of site that have this issue.
Sure, but then the problem is the user's ignorance/stupidity/laziness. Do you think that the user that fits this profile is going to bother to add a special character to his user name and/or password when he could not be bothered in the first place to use a more difficult user name and password? Who would use their real name in their handle or their password? That doesn't make the slightest bit of sense and even when I was brand new to computers and had no idea this site (security forum) existed and I couldn't understand McAfee 4.2 that came on my computer (bloodhound, heuristics), I certainly knew to never use my real name anywhere on the internet especially not at a banking site when logging in or in Hotmail. The only thing I was taught really before I got a computer was to hide my real identity.
I think what you are really asking for is that computer dummies be forced to get educated about security. -- "If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"
»www.msfirefox.com/

Daniel (join:2000-06-26, Pleasanton, CA) | reply to Mele20
said by Mele20: I still don't get why this is an important issue. Explain to me how these dictionary attacks are going to first figure out my USER NAME and then figure out my PASSWORD AND THEN SUCCESSFULLY COMBINE THE CORRECT USER NAME AND PASSWORD?
How about when the username is bsmith, and the password is bsmith1? We're not talking about major, complex attacks here. And we're also not just talking about banks. Banks are just one type of site that have this issue. -- dmiessler.com -- grep understanding knowledge

Daniel (join:2000-06-26, Pleasanton, CA) | reply to nwrickert, Re: Sites That Don't Allow Special Characters In Passwords !?!
said by nwrickert: I have trouble getting excited that a bank won't allow special characters in a password, when that same bank uses only a 4-digit PIN to protect ATM transactions.
It's not a 4-digit PIN. That's the second factor. The first factor is having your card in the first place. So you have to both have the card and have the PIN. That's not weak security, and even if it were it wouldn't be a reason to accept weak security in another area. -- dmiessler.com -- grep understanding knowledge

nwrickert (join:2004-09-04, Geneva, IL) | reply to Daniel
I have trouble getting excited that a bank won't allow special characters in a password, when that same bank uses only a 4-digit PIN to protect ATM transactions. -- AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.10

sheiny (join:2005-03-13, Turlock, CA) | reply to Blackbird
said by Blackbird: Well... if the "alarm goes off", what does the institution do then - especially if these attacks are a continual real-time phenomenon? If you establish too restrictive a logon policy (eg: 3 failed logons and the account gets blocked), you set everyone's accounts up for the mother of all DOS attacks.
For SSL connections you have an IP address you can block. Not trying to minimise the DOS potential but even failing after a few thousand failed logon attempts would negate the effectiveness of brute force attacks. If an attacker can use offline techniques to attack online sites then a majority of passwords will likely fail (50-60 percent). "Choosing Secure Passwords" »www.schneier.com/blog/archives/2···ure.html

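As an added example (not code from any poster or institution in this thread), here is a small simulation of the two lockout designs Blackbird and sheiny are arguing over: a three-strikes lock keyed only on the account, which lets anyone who knows a user ID lock the real owner out, beside a throttle keyed on the source IP with exponential backoff plus a high per-account ceiling over a sliding window that raises an alarm (step-up authentication, notification) instead of hard-locking. The addresses, account name, timestamps and outcomes are constructed, and the class and function names are mine.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Attempt:
    ts: float       # seconds; constructed timestamps
    src_ip: str     # constructed addresses from documentation ranges
    user: str
    ok: bool        # whether the submitted password was correct


class PerAccountLockout:
    """Three strikes keyed only on the user ID. Anyone who knows the ID can lock
    the real owner out, which is the DOS scenario Blackbird describes."""

    def __init__(self, max_failures: int = 3):
        self.max_failures = max_failures
        self.failures = defaultdict(int)

    def handle(self, a: Attempt) -> str:
        if self.failures[a.user] >= self.max_failures:
            return "locked"          # even the right password is refused now
        if a.ok:
            self.failures[a.user] = 0
            return "ok"
        self.failures[a.user] += 1
        return "denied"


class SourceThrottle:
    """Backoff keyed on the source IP (sheiny's point: with SSL you have an
    address to act on), plus a per-account ceiling over a sliding window that
    raises an alarm for a distributed attack instead of locking the account."""

    def __init__(self, base_delay: float = 1.0,
                 account_window: float = 3600.0, account_limit: int = 100):
        self.base_delay = base_delay
        self.account_window = account_window
        self.account_limit = account_limit
        self.ip_failures = defaultdict(int)
        self.ip_next_allowed = defaultdict(float)
        self.account_fail_times = defaultdict(list)

    def handle(self, a: Attempt) -> str:
        if a.ts < self.ip_next_allowed[a.src_ip]:
            return "throttled"       # not counted as a failure, just slowed down
        recent = [t for t in self.account_fail_times[a.user]
                  if a.ts - t < self.account_window]
        self.account_fail_times[a.user] = recent
        if len(recent) >= self.account_limit:
            return "alarm"           # many sources hitting one account
        if a.ok:
            self.ip_failures[a.src_ip] = 0
            return "ok"
        self.ip_failures[a.src_ip] += 1
        recent.append(a.ts)
        # 1 s, 2 s, 4 s, ... before this address may try again
        delay = self.base_delay * 2 ** (self.ip_failures[a.src_ip] - 1)
        self.ip_next_allowed[a.src_ip] = a.ts + delay
        return "denied"


def simulate(policy, attempts: list) -> list:
    """Feed attempts through a policy in order and collect the decisions."""
    return [policy.handle(a) for a in attempts]


def build_scenario() -> list:
    """Constructed: one address guesses bsmith's password five times, one per
    second, then the real bsmith logs in correctly from a different address."""
    guesses = [Attempt(float(i), "203.0.113.7", "bsmith", False) for i in range(5)]
    owner = Attempt(10.0, "198.51.100.2", "bsmith", True)
    return guesses + [owner]


if __name__ == "__main__":
    scenario = build_scenario()
    print("per-account lockout:", simulate(PerAccountLockout(), scenario))
    print("source throttle:    ", simulate(SourceThrottle(), scenario))
```

Under the per-account policy the attacker's three bad guesses lock the account and the owner's correct login is refused; under the source throttle the guessing address is slowed down and the owner gets in. The IP key is worth less behind carrier NAT (legitimate users share an address, so keep the base delay small) and against a botnet, which is what the per-account ceiling is for; the response to that ceiling should be step-up verification rather than a hard lock, or the DOS is back.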
Mele20 (join:2001-06-05, Hilo, HI) | reply to Daniel, Re: Big Sites That Don't Allow Complex Passwords !?!
I still don't get why this is an important issue. Explain to me how these dictionary attacks are going to first figure out my USER NAME and then figure out my PASSWORD AND THEN SUCCESSFULLY COMBINE THE CORRECT USER NAME AND PASSWORD? Your argument reminds me of the recent thread here yelling the sky was falling in for Linksys router users because the default password is administrator and some folks never bother to change it although Linksys very clearly states that it needs to be changed immediately upon setting up the router. I changed mine but even if I had not, my user name is not easy to figure out by dictionary attack so I thought the whole thread was overblown. There were complaints I think I recall about the length and what is allowed in the Linksys user name and password and I couldn't see what the problem was as no one could demonstrate that it would be easy "low hanging fruit" to use a dictionary attack on a Linksys router to determine first the user name and second the password and then match them up.
So, do you have any evidence of how fast and easily this can be done? Plus, you have continued to side step the fact that banks will lock the account so fast that your head will swirl if you start putting in the wrong user name and/or password. Three simple typos and you, yourself, are locked out. I can't tell you how many times I have gotten locked out of my local bank account because the user name is required to be in all caps and the password must be in mixed case. I got that wrong so many times especially since I can't see what I am typing for the password. I can't call the bank and get reinstated immediately either. There is a three-day waiting period unless that has been changed recently. This bank won many awards back in the late 90's early 2000's as being the most secure, best banking site on the internet.
Besides my home bank that I no longer access on the internet as I have no loans or credit cards or savings account with them so I can't do any banking other than looking at my checking account statement and I write only two checks a month so I have little need to look at it before it comes in the mail, I use only two banking sites both of which have excellent protection already. In fact, Chase drives me nuts as does CapitalOne with logging me out not just within 13 minutes which is done even if you are actively using the site at that moment but which logs you out if there is hesitation, stumbling about, all sorts of things get you logged out. There are many protections that we are not really aware of at banking sites.
Again, this is barking up the wrong tree. The banks and business sites where purchases are made need first of all to ALWAYS use a secure login in page. I don't see you complaining about that problem. What difference will it make if your password has special characters if you aren't really on the site's secure page when you login?
I suppose you already know the answer to the dslreports login? Our site must allow special characters? Wilders and Castlecops also do this? As I said, I have no idea as I have not changed my password at any of these since I joined 6 years ago here and 5 years ago for the other two sites. You have me curious as if this is so important then I'm sure all three sites allow the special characters and somewhere on these three sites there must be a warning that I have missed telling me to change my password to include special characters...right? Where is the warning for this site? -- "If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"
»www.msfirefox.com/

SnowyOne (join:2003-04-05, Kailua, HI) | reply to Daniel, Re: Sites That Don't Allow Special Characters In Passwords !?!
Here's my bank's PW policy (Bank of Hawaii)
"Note: Your Password must be between 6-32 characters in length. It must contain at least 1 alpha and 1 numeric and is case sensitive. Your Password and User ID cannot be the same."
It's a flexible policy that's soon to be backed up with a unique to the account picture & phrase authentication (verification?) scheme. What I think would be a good practice is if these PW protected areas set a minimum PW strength & ran them through an automated password strength checker, rejecting the PWs that don't meet the threshold.

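An added example, written for this page and not any bank's or this forum's code, of the kind of checker SnowyOne proposes. The rules follow the policy quoted above (6-32 characters, at least one letter and one digit, password may not equal the user ID), extended with the user-derived case Daniel raises earlier in the thread (user bsmith, password bsmith1), and with a switch that reproduces the "no special characters" restriction so the cost of that restriction can be measured in bits of keyspace. The function names, the strength estimate and the sample user IDs and passwords are my own assumptions.

```python
import math
import string

ALPHANUMERIC = string.ascii_letters + string.digits     # 62 symbols
PRINTABLE = ALPHANUMERIC + string.punctuation          # 94 symbols


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """log2 of the number of passwords of exactly `length` symbols drawn from
    `alphabet_size` symbols: the work factor of an exhaustive search."""
    return length * math.log2(alphabet_size)


def bits_lost_by_banning_punctuation(length: int) -> float:
    """Search space a site gives up, at a given length, by refusing the 32 ASCII
    punctuation characters: roughly 0.6 bits per character."""
    return keyspace_bits(length, len(PRINTABLE)) - keyspace_bits(length, len(ALPHANUMERIC))


def estimated_bits(password: str) -> float:
    """Crude upper bound on strength: length times log2 of the union of the
    character classes actually present. It overrates patterned passwords such as
    'bsmith1'; a real checker adds dictionary and username rules (see below)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return len(password) * math.log2(size) if size else 0.0


def check_policy(user_id: str, password: str, allow_special: bool = True) -> list:
    """Return the list of rule violations; an empty list means accepted.
    allow_special=False reproduces the restriction the thread complains about."""
    problems = []
    if not 6 <= len(password) <= 32:
        problems.append("length must be 6-32 characters")
    if not any(c.isalpha() for c in password):
        problems.append("needs at least one letter")
    if not any(c.isdigit() for c in password):
        problems.append("needs at least one digit")
    if any(c not in PRINTABLE for c in password):
        problems.append("contains a character outside printable ASCII")
    if not allow_special and any(c in string.punctuation for c in password):
        problems.append("special characters not permitted")
    pw, uid = password.lower(), user_id.lower()
    if pw == uid:
        problems.append("password must not equal the user ID")
    elif uid and uid in pw:
        # Catches user-derived passwords such as bsmith -> bsmith1.
        problems.append("password must not contain the user ID")
    return problems


if __name__ == "__main__":
    print(f"8 chars, alphanumeric only: {keyspace_bits(8, len(ALPHANUMERIC)):.1f} bits; "
          f"with punctuation: {keyspace_bits(8, len(PRINTABLE)):.1f} bits")
    # Constructed sample inputs.
    for uid, pw, allow in [("bsmith", "bsmith1", True),
                           ("jdoe", "Tr0ub4dor&3", False),
                           ("jdoe", "Tr0ub4dor&3", True)]:
        verdict = check_policy(uid, pw, allow) or "accepted"
        print(uid, pw, verdict, f"{estimated_bits(pw):.1f} bits")
```

The keyspace figures make dave's point concrete: banning punctuation costs about 4.8 bits at eight characters, a 28-fold smaller search, for no benefit to the site. The username check makes Daniel's point: bsmith1 passes the quoted policy's three rules and the crude entropy estimate rates it at 36 bits, so a checker that only counts character classes is not enough; the rule that rejects passwords containing the user ID is what actually catches it.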