this post was submitted on 09 Sep 2024
595 points (99.5% liked)

Programmer Humor

19564 readers
1200 users here now

Welcome to Programmer Humor!

This is a place where you can post jokes, memes, humor, etc. related to programming!

For sharing awful code theres also Programming Horror.

Rules

founded 1 year ago
MODERATORS
 

Edit: @Successful_[email protected] solved it. It says "one special character". Not "at least one".

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 9 points 2 months ago (4 children)

Well now. When we've been enforcing password requirements at work, we've had to enforce a bizarre combination of "you must have a certain level of complexity", but also, "you must be slightly vague about what the requirements actually are, because otherwise it lets an attacker tune a dictionary attack against you". Which just strikes me as a way to piss off our users, but security team say it's a requirement, therefore, it's a requirement, no arguing.

"One" special character is crazy; I'd have guessed that was a catch-all for the other strange password requirements:

  • can't have the same character more than twice in a row
  • can't be one of the ten-thousand most popular passwords (which is mostly a big list of swears in russian)
  • all whitespace must be condensed into a single character before checking against the other rules

We've had customers' own security teams asking us if we can enforce "no right click" / "no autocomplete" to stop their users in-house doing such things; I've been trying to push back on that as a security misfeature, but you can't question the cult thinking.

[–] [email protected] 5 points 2 months ago (1 children)

Why do they think no copy paste is safer?

[–] [email protected] 9 points 2 months ago

Because if you disable browser autocomplete, what's obviously going to happen is that everyone will have a text file open with every single one of their passwords in so that they can copy-paste them in. So prevent that. But what happens if you prevent that is that everyone will choose terrible, weak passwords instead. Something like September2025! probably meets the 'complexity' requirement...

load more comments (2 replies)