Comments on: Screens around the web: password restrictions http://floatingsun.net/2007/12/02/screens-around-the-web-password-restrictions/?utm_source=rss&utm_medium=rss&utm_campaign=screens-around-the-web-password-restrictions Sun, 20 May 2012 06:51:44 +0000 hourly 1 http://wordpress.org/?v=3.3.2 By: Erik http://floatingsun.net/2007/12/02/screens-around-the-web-password-restrictions/#comment-40966 Erik Thu, 17 Apr 2008 07:37:23 +0000 http://floatingsun.net/2007/12/02/screens-around-the-web-password-restrictions#comment-40966 I agree completely. American Express's restrictions in particular seem to be designed for ease of brute-forcing. There are a total of 2,684,372,063,360 possible passwords one can use with those restrictions, and I'm sure a dictionary attack program could crack the majority of their customers' passwords in a few minutes each. Makes me want to cancel my account... I agree completely. American Express’s restrictions in particular seem to be designed for ease of brute-forcing. There are a total of 2,684,372,063,360 possible passwords one can use with those restrictions, and I’m sure a dictionary attack program could crack the majority of their customers’ passwords in a few minutes each. Makes me want to cancel my account…

]]> By: Chris X Edwards http://floatingsun.net/2007/12/02/screens-around-the-web-password-restrictions/#comment-30069 Chris X Edwards Thu, 14 Feb 2008 23:25:11 +0000 http://floatingsun.net/2007/12/02/screens-around-the-web-password-restrictions#comment-30069 Reminds me of these 2WIRE routers (i.e. EESID shows up as ###2WIRE all over town) that are set with a default password of exactly 10 numeric bytes. You can do the math... or, this is fun if perhaps somewhat spurious: http://www.hackosis.com/projects/bfcalc/bfcalc.php Reminds me of these 2WIRE routers (i.e. EESID shows up as ###2WIRE all over town) that are set with a default password of exactly 10 numeric bytes. You can do the math… or, this is fun if perhaps somewhat spurious:
http://www.hackosis.com/projects/bfcalc/bfcalc.php

]]> By: Diwaker Gupta http://floatingsun.net/2007/12/02/screens-around-the-web-password-restrictions/#comment-23192 Diwaker Gupta Fri, 14 Dec 2007 05:11:11 +0000 http://floatingsun.net/2007/12/02/screens-around-the-web-password-restrictions#comment-23192 *@odi*: So? Their software should be smart enough to escape problematic characters. In any case, no one who is serious about security would ever use HTTP Basic authentication -- it is just what it says, BASIC. All of the web sites I mentioned go over HTTPS, and authentication is handled at the application layer. *@odi*: So? Their software should be smart enough to escape problematic characters. In any case, no one who is serious about security would ever use HTTP Basic authentication — it is just what it says, BASIC. All of the web sites I mentioned go over HTTPS, and authentication is handled at the application layer.

]]> By: Diwaker Gupta http://floatingsun.net/2007/12/02/screens-around-the-web-password-restrictions/#comment-23191 Diwaker Gupta Fri, 14 Dec 2007 05:09:32 +0000 http://floatingsun.net/2007/12/02/screens-around-the-web-password-restrictions#comment-23191 *@ian*: hmm, thats a good point. But still, I don't think it quite justifies the abysmal rules. Meanwhile, have you see myvidoop.com? Quite an interesting approach to the whole password management problem. *@ian*: hmm, thats a good point. But still, I don’t think it quite justifies the abysmal rules. Meanwhile, have you see myvidoop.com? Quite an interesting approach to the whole password management problem.

]]> By: Ian Holsman http://floatingsun.net/2007/12/02/screens-around-the-web-password-restrictions/#comment-21964 Ian Holsman Wed, 05 Dec 2007 23:17:16 +0000 http://floatingsun.net/2007/12/02/screens-around-the-web-password-restrictions#comment-21964 I'm guessing some systems have a restriction like the above so that you can use the same password on a phone with a IVR? but yeah.. it's kinda silly I’m guessing some systems have a restriction like the above so that you can use the same password on a phone with a IVR?

but yeah.. it’s kinda silly

]]> By: Odi http://floatingsun.net/2007/12/02/screens-around-the-web-password-restrictions/#comment-21703 Odi Mon, 03 Dec 2007 09:02:34 +0000 http://floatingsun.net/2007/12/02/screens-around-the-web-password-restrictions#comment-21703 The HTTP Basic authentication scheme reserves the colon character to separate username from password. Thus a colon must not be used in the username or password. (If you know the implementation of the Basic scheme parser [indexOf(':') or lastIndexOf(':') ?], you MAY allow it in either username or password...) The HTTP Basic authentication scheme reserves the colon character to separate username from password. Thus a colon must not be used in the username or password. (If you know the implementation of the Basic scheme parser [indexOf(':') or lastIndexOf(':') ?], you MAY allow it in either username or password…)

]]>