![[lang]](/images/eye.png)
Passwords on the web are stupid |
2007-05-24
|
Case in point.
Today I could not remember my password on Digg. I asked to change it, and tried to changed it to "my standard passwords for sites I barely trust". Doing that made it clear why I wasn't able to log in with that password to begin with.
Digg requires passwords to be at least 6 characters long but *only*
contain letters or numbers. So my standard password for this kind of sites was not compatible.
Yesterday I had to create a CERN account to be able to do something on the Europython site. So I tried to use the same password.
CERN wants you to use symbols from at least three groups of the following: small letters, capitals, numbers, and other symbols. So again, my standard password for this kind of site doesn't work.
This happens all the time. How hard would it be for a site to let you see what the password policy is so you can mentally browse through your passwords and pick the one that fits their policy ?
Is it just me being cranky, or do other people suffer web pass rage ?
You need openid :)
Comment by Kris Buytaert — 2007-05-24 @ 11:38
I have openid. These sites don’t.
Comment by Thomas — 2007-05-24 @ 11:52
This saved my web-passwords sanity :
http://passwordmaker.org
(and they have a nice firefox extension :))
Comment by Aurélien Bompard — 2007-05-24 @ 11:58
A corollary for this is that the authentication tools should let you know what the rules are when you have failed an authentication request. “Oh, that’s right, I had to have a symbol for this site!” or “This site wanted 15 or more characters in something like a phrase.”
It’s worse when it’s a site you feel it is important to be able to access, yet you do so infrequently. If you don’t log into the bank website weekly or more frequently, will you remember the password when you need to transfer the money needed to get your son out of trouble?
Comment by Rusty — 2007-05-24 @ 12:06
Don’t use “standard passwords”. Not even for sites you barely trust, just don’t.
Of course, life is never that simple and I too have some passwords in use for more
than a dozen accounts. But it is a bad habbit.
Always try to use new passwords and write them down on a piece of paper stored
somewhere safe. I’m sure you can memoize the 5 or so frequently used passwords and
let the browser on your personal desktop remember the rest.
Comment by Martijn Vermaat — 2007-05-24 @ 12:17
Did you try bugmenot? http://www.bugmenot.com
Comment by anon — 2007-05-24 @ 12:18
Do you know pwdhash?
http://crypto.stanford.edu/PwdHash/
This solved my password problems. Pwdhash calculates via a locally executed JavaScript a has out of the domain and a user submitted password and transmits this hash as password.
This way you can have secure and individual password for each internet site. Take a look. It’s worth the effort. There are also plugins for Firefox and IE.
Comment by Christoph Langner — 2007-05-24 @ 12:22
i totally agree. been saying this for ages. mind you, i really like the sites that have no password until you need one or which just enable more stuff when you add a password. and i like the mugshot approach too – very nice.
Comment by whyohwhyohwhyoh — 2007-05-24 @ 12:35
So how low in the stack can we get the keyring?
Comment by Rob J. Caskey — 2007-05-24 @ 13:31
Let’s wait until all lazy web-masters add OpenID support.
Comment by Peter Lemenkov — 2007-05-24 @ 14:31
I totally agree with you. Almost all of the sites I have accounts on have different password rules. I hate the ones that require only letters and numbers or put a limit of length. IMO, if your password sucks and gets cracked tough cookies. :)
Comment by Jesus Rodriguez — 2007-05-24 @ 14:44
agreed, i HATE how some passwords have lazy rules, and some extreme rules, and it does get quite annoying.. i’m up to about 13 passwords i use (since some sites even make you change ur password every 4 – 6 months)
Comment by sn0n — 2007-05-24 @ 17:14
Yeah, it’s very annoying. And so many sites require accounts at first place without generating any extra value. Like commenting the blogs of some people, even on planet gnome..
Comment by brondie — 2007-05-24 @ 19:00
I use Revelation:
http://oss.codepoet.no/revelation/
and generate a new random password for every site.
I keep the database on a LUKS-encrypted SD card that I carry with me, with a backup on CD in secure storage.
little effort goes a long way :)
Comment by Adam Williamson — 2007-05-24 @ 20:30
Thomas, if you’re coming to EuroPython, you may have the basis of a lightning talk with this kind of material. And it’s not inconceivable that at least some people present will share your views on Web site authentication mechanisms…
Comment by Paul Boddie — 2007-05-25 @ 00:47
Yeah, totally annoying.
People put all sorts of stupid or crazy restrictions so you have to make up a password that you end up not remember when you most need it, and as noted from the previous commentators, for very low return value, usually.
Comment by Stavros Giannouris — 2007-05-25 @ 07:47
I came up with a generic password for sites that I didn’t care about that met all of these criteria. I then discovered that Yahoo claims that a password can be between 8-20 character, but that it couldn’t actually be 20 characters long.
Stupid.
Comment by Jeff Bailey — 2007-05-25 @ 18:18
Revelation is nice, but I use KeePass and KeePassX for my password management. I have the stand-alone Windows, Linux, and Mac versions all on a flash drive along with the encrypted password database, which I back up regularly. That way I only have to remember two or three passwords (login for my computer, key for the password database), but I can have a separate, randomly generated password for whatever I use and can access the passwords where ever I go. Maximum security at each site with minimum effort :)
Comment by John — 2007-05-25 @ 19:48
[…] prompts to share the password management […]
Pingback by mark mazurek » Blog Archive » Web Passwords — 2007-05-26 @ 01:12
IMHO, too many web site authors appear to be under the impression that accounts on their site matter.
Given the choice, would everyone really value their Digg identity as highly as their bank accounts?
Note what I’m *not* saying (that everyone should place more or less value on Digg security).
Comment by Ben — 2007-05-26 @ 11:04