Can we get rid of the silly requirements for passwords?

[Reynard-Miri]

Yes they do.

[Archaic Sage]

I actually work in IT Security they do add additional security, by a very long stretch. Not only that but there's not only the risk of a brute force computer attack but also a brute force human attack. We also have other security in place to attempt to prevent computer brute force.

Additionally adding a special character in the first 6 characters dramatically increases the strength from a computerised attack.

[Maxine MagicFox]

Sorry, garrett. But those of us "in our field" do know more about this. We are not just protecting against one form of attack. The "human element" is just as important as the computer element. Protecting against multiple forms of attacks is extremely vital.

Oh and by the way, there's a wikipedia article for this ^_^
http://en.wikipedia.org/wiki/Password_s ... _passwords

[Reynard-Miri]

Dictionary attack.

[Reynard-Miri]

Hey Garrett, maybe you should .

[zamisk]

And that was the last time a webcomic was viewed as a credible source on ItL.

[warcraff]

Kudos on the better security for passwords.
This will the third time I've asked to have a new password sent to my email account. Awesome.

[Archaic Sage]

Perhaps you should try remembering your passwords. We don't ask for anything that's not standard in many industries or that difficult. We don't block dictionary words, we don't block specific phrases and we don't ask for 1.5 or 2 factor authentication as part of the login process and to be fair.

If you ever work for a big company, they will have password policies that meet the following:

1 upper case character
1 lower case character
1 special character (e.g. ? @ ;
1 number

In fact, some companies also block their own names and seasons from being used, so your password can't be Autumn2013.

They will also enforce a change every 90 days.

In fact, I actually have one account I use (for work) whereby I have a username, a password, a security question and a password that's part memory and part one time password from a separate device that changes every 20 seconds - so if you get a slow connection you've got to reauthenticate as it can sometimes be wrong by the time the page has loaded.

[Kimiko]

I worked at a company that password change set to every 30 days. Most people had one password and just incremented the number at the end each time. If you knew their password once, you'd know it three months later.

[Archaic Sage]

Yep, which is too frequent in my opinion. That said the latest technology can actually prevent that from happening.

[Reynard-Miri]

At my company it's 90 days and I'm pretty sure you can't reuse the same password again ever.

[Archaic Sage]

There's certain password requirements for PCI DSS, which is a standard that all companies that process credit cards have to follow in order for banks to do business with them. For the most part these mirror security standards, so things like changes no less than every 90 days, at least 8 characters in length, a mix of cases, numbers and special characters, off of the top of my head, I think it states you can't reuse any of your past 12 passwords and that's all I can remember without looking at the standard.

Some technology allows us to prevent sequential numbers (2, 4, 6, 7, 8 etc) and others allows the system to know that your last password was Autumn100, so will ban Autumn101 or 200 and if you had Autumn200 then 400, that'd be banned as it's a sequential.

It's a difficult line for corporations to tread as you need to be compliant and safe (and in the EU if you have a breach of personal data is a much bigger issue than in the states as we have 24 hour notification laws and other problems) and ensuring people don't write their passwords on a post-it and put it under their monitor, or on it.

[Windywalk]

Password change error is
The password does not contain the required characters.
Mixed cases (both of capital and smaller) and numbers don't make sense.
alphabet and number are enough.

[Archaic Sage]