Comments on: Screens around the web: password restrictions
http://floatingsun.net/2007/12/02/screens-around-the-web-password-restrictions/
Feed last updated: Sat, 11 May 2013 19:51:19 +0000

By: Chris X Edwards (Wed, 05 Sep 2012 18:36:50 +0000)
http://floatingsun.net/2007/12/02/screens-around-the-web-password-restrictions/#comment-292924

http://wondermark.com/866/

By: Erik (Thu, 17 Apr 2008 07:37:23 +0000)
http://floatingsun.net/2007/12/02/screens-around-the-web-password-restrictions/#comment-40966

I agree completely. American Express’s restrictions in particular seem to be designed for ease of brute-forcing. There are a total of 2,684,372,063,360 possible passwords one can use with those restrictions, and I’m sure a dictionary attack program could crack the majority of their customers’ passwords in a few minutes each. Makes me want to cancel my account…

By: Chris X Edwards (Thu, 14 Feb 2008 23:25:11 +0000)
http://floatingsun.net/2007/12/02/screens-around-the-web-password-restrictions/#comment-30069

Reminds me of these 2WIRE routers (i.e. the ESSID shows up as ###2WIRE all over town) that are set with a default password of exactly 10 numeric bytes. You can do the math… or, this is fun if perhaps somewhat spurious:
http://www.hackosis.com/projects/bfcalc/bfcalc.php

By: Diwaker Gupta (Fri, 14 Dec 2007 05:11:11 +0000)
http://floatingsun.net/2007/12/02/screens-around-the-web-password-restrictions/#comment-23192

*@odi*: So? Their software should be smart enough to escape problematic characters. In any case, no one who is serious about security would ever use HTTP Basic authentication — it is just what it says, BASIC. All of the web sites I mentioned go over HTTPS, and authentication is handled at the application layer.

By: Diwaker Gupta (Fri, 14 Dec 2007 05:09:32 +0000)
http://floatingsun.net/2007/12/02/screens-around-the-web-password-restrictions/#comment-23191

*@ian*: hmm, that’s a good point. But still, I don’t think it quite justifies the abysmal rules. Meanwhile, have you seen myvidoop.com? Quite an interesting approach to the whole password management problem.

By: Ian Holsman (Wed, 05 Dec 2007 23:17:16 +0000)
http://floatingsun.net/2007/12/02/screens-around-the-web-password-restrictions/#comment-21964

I’m guessing some systems have a restriction like the above so that you can use the same password on a phone with an IVR?

but yeah.. it’s kinda silly

By: Odi (Mon, 03 Dec 2007 09:02:34 +0000)
http://floatingsun.net/2007/12/02/screens-around-the-web-password-restrictions/#comment-21703

The HTTP Basic authentication scheme reserves the colon character to separate username from password. Thus a colon must not be used in the username or password. (If you know the implementation of the Basic scheme parser [indexOf(':') or lastIndexOf(':') ?], you MAY allow it in either username or password…)
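To make Odi's indexOf-versus-lastIndexOf point concrete, here is an added example (not from any commenter or from the blog) that decodes a constructed Basic Authorization header both ways; the user-id `alice` and the colon-containing password are invented test values.

```python
import base64
import binascii
from typing import Optional, Tuple

# Constructed header value: user-id "alice", password "pa:ss:word" (contains colons).
CONSTRUCTED_HEADER = "Basic " + base64.b64encode(b"alice:pa:ss:word").decode("ascii")


def _decode_basic(header: str) -> Optional[bytes]:
    """Return the raw user-id:password bytes from a Basic header, or None if malformed."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet.
        return base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None


def parse_basic_first_colon(header: str) -> Optional[Tuple[str, str]]:
    """indexOf(':') behaviour, matching RFC 7617: the user-id may not contain ':',
    so everything after the FIRST colon (colons included) is the password."""
    raw = _decode_basic(header)
    if raw is None or b":" not in raw:
        return None
    user, _, password = raw.partition(b":")
    return user.decode("utf-8", "replace"), password.decode("utf-8", "replace")


def parse_basic_last_colon(header: str) -> Optional[Tuple[str, str]]:
    """lastIndexOf(':') behaviour: a colon inside the password silently moves
    part of the password into the user-id, so the login fails for a valid secret."""
    raw = _decode_basic(header)
    if raw is None or b":" not in raw:
        return None
    user, _, password = raw.rpartition(b":")
    return user.decode("utf-8", "replace"), password.decode("utf-8", "replace")


if __name__ == "__main__":
    print("first colon:", parse_basic_first_colon(CONSTRUCTED_HEADER))
    print("last colon: ", parse_basic_last_colon(CONSTRUCTED_HEADER))
```

A server that splits on the first colon can safely allow colons in passwords; only the last-colon variant needs the restriction Odi describes.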