this post was submitted on 09 Sep 2024
590 points (99.5% liked)

Programmer Humor

19813 readers
220 users here now

Welcome to Programmer Humor!

This is a place where you can post jokes, memes, humor, etc. related to programming!

For sharing awful code theres also Programming Horror.

Rules

founded 2 years ago
MODERATORS
 

Edit: @Successful_[email protected] solved it. It says "one special character". Not "at least one".

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 8 points 3 months ago (2 children)

Well now. When we've been enforcing password requirements at work, we've had to enforce a bizarre combination of "you must have a certain level of complexity", but also, "you must be slightly vague about what the requirements actually are, because otherwise it lets an attacker tune a dictionary attack against you". Which just strikes me as a way to piss off our users, but security team say it's a requirement, therefore, it's a requirement, no arguing.

"One" special character is crazy; I'd have guessed that was a catch-all for the other strange password requirements:

  • can't have the same character more than twice in a row
  • can't be one of the ten-thousand most popular passwords (which is mostly a big list of swears in russian)
  • all whitespace must be condensed into a single character before checking against the other rules

We've had customers' own security teams asking us if we can enforce "no right click" / "no autocomplete" to stop their users in-house doing such things; I've been trying to push back on that as a security misfeature, but you can't question the cult thinking.

[–] [email protected] 5 points 3 months ago (1 children)

Why do they think no copy paste is safer?

[–] [email protected] 8 points 3 months ago

Because if you disable browser autocomplete, what's obviously going to happen is that everyone will have a text file open with every single one of their passwords in so that they can copy-paste them in. So prevent that. But what happens if you prevent that is that everyone will choose terrible, weak passwords instead. Something like September2025! probably meets the 'complexity' requirement...