Comments on: Most Password Policies Are Bad http://blog.damianbrady.com.au/2008/07/02/most-password-policies-are-bad/ ramblings of a late 20s IT nerd / volleyball junkie / semi-professional drinker Mon, 26 Apr 2010 01:56:16 +0000 hourly 1 http://wordpress.org/?v=3.0 By: nickf http://blog.damianbrady.com.au/2008/07/02/most-password-policies-are-bad/comment-page-1/#comment-379 nickf Thu, 03 Jul 2008 04:18:03 +0000 http://blog.damianbrady.com.au/?p=68#comment-379 In my own personal experience, and corroborated by some other things I've read about common passwords (http://www.modernlifeisrubbish.co.uk/article/top-10-most-common-passwords), there's a few places to start if you want to try to guess someone's password: a) the name of their favourite football team. at a job I once worked at where virtually the entire userbase was situated in Adelaide, just out of interest I queried the database: SELECT * FROM users WHERE password LIKE MD5('crows') OR password LIKE MD5('power')... unbelievable how many people had this. b) their own first name. c) their pet's name. (obviously, you'll need to know them personally for this one) If none of these three work, add a "1" to the end. If that doesn't work, add "123". On a personal level, I've been really frustrated by some sites which enforce a minimum length, as well as a MAXIMUM length (sometimes only 8 characters)!! It's shockingly poor form on at least three counts: a) I need to create an entirely new password just for this site, so I need to make it even easier to remember or guess if I forget it b) It means that any potential hackers only have to run brute force attacks for strings of a defined length. c) It tends to suggest that my password is now sitting somewhere unencrypted. scary. In my own personal experience, and corroborated by some other things I’ve read about common passwords (http://www.modernlifeisrubbish.co.uk/article/top-10-most-common-passwords), there’s a few places to start if you want to try to guess someone’s password:
a) the name of their favourite football team. at a job I once worked at where virtually the entire userbase was situated in Adelaide, just out of interest I queried the database: SELECT * FROM users WHERE password LIKE MD5(‘crows’) OR password LIKE MD5(‘power’)… unbelievable how many people had this.
b) their own first name.
c) their pet’s name. (obviously, you’ll need to know them personally for this one)

If none of these three work, add a “1″ to the end. If that doesn’t work, add “123″.

On a personal level, I’ve been really frustrated by some sites which enforce a minimum length, as well as a MAXIMUM length (sometimes only 8 characters)!! It’s shockingly poor form on at least three counts:
a) I need to create an entirely new password just for this site, so I need to make it even easier to remember or guess if I forget it
b) It means that any potential hackers only have to run brute force attacks for strings of a defined length.
c) It tends to suggest that my password is now sitting somewhere unencrypted. scary.

]]>