I have at least 13 distinct user ids based on "Andrew John Petersen" (that I recall... which is to say nothing about my spam accounts or systems where ids are generated for you using an iterative approach). They generally involve some combination of the following (any of which could be skipped and between any of which there might be periods, dashes, or underscores):
- Prefix (single character, site code, title, iterative number, etc.)
- First name (either full, nickname, substring, or initial)
- Middle name (either full, nickname, substring, or initial)
- Last name (either full, nickname, substring, or initial)
- Suffix (single character, site code, title, iterative number, etc.)
So, when I try to access a site or system for which I know I have an id, the first challenge is figuring out which combination I use in this specific case.
Once I've determined that, I must figure out which password is used.
Assume, as an example, that my desired password is "football". Here are some restrictions I've actually encountered, and an example of the password I might use instead:
a) must contain an uppercase and lowercase letter. --> Football
b) must contain a number. --> f00tball
c) must contain a special character. --> footb@ll
d) must be between 6 and 8 characters. --> football
e) must not contain consecutive digits. --> football
f) must not contain more than 2 sets of repeated characters. --> futbol
And, of course, these rules can be combined.
F00tb@ll would comply with a, b, c, d, and e -- but fails f.
Futb0l would meet a, b, d, e, and f -- but fails c.
I could throw an exclamation point on the end, assuming the site allows them, but the point is that I very quickly have multiple sites/services where I know my password is "football"... but I just don't know how I spelled it.
Some of the rules make sense. I can see wanting to enforce mixed case (a) and alpha-numeric (b) as that brings the character set up to 62 (26 + 26 + 10). Special characters (c) are a mixed bag, as some characters are fine in some systems and disallowed in others.
But requiring a specific length of password (d)? That provides a smaller field of options.
Must not contain consecutive digits (e)? I can see not wanting to allow 12345 (this isn't some idiot's luggage), but I once had a password that contained a twelve, which I expressed as "12". Unfortunately, one and two are consecutive digits, so I couldn't use twelve. That's just lame.
Not more than one set of repeated characters (f)? Again, this limits the options, which is the opposite of heightened security. Yeah, you don't want someone to have a string of 8 qs (or qqqq if they're being witty), but "bookkeeper" shouldn't be out of the running... well, unless it's obvious that you like words with lots of double letters, or you happen to be a bookkeeper, but that's not really the point.
All of these different rules eventually result in many people writing down their user ids and passwords, which is the number 1 no-no in terms of security. That brings me to the topic of security questions... but that's a topic for another post.