
I used to have those: 8-24 characters, among which 1 uppercase/lowercase character and 1 special character from a whitelist, and renew that every 2 months. At renewal, it must be different from all your previous passwords, and the new password must be at least 3 characters different from the last one. SSH keys can't be used per security policy, and the same rule has been applied to the password manager.

A pain.

And yes, the most annoying thing is that it's never the same rules, and I resort to using KeePass or, worse, my browser's password-remembering system (which stores passwords on Google/Mozilla servers).

Is brute-forcing passwords still a thing nowadays? Once in a while I tend to forget my Wikipedia account password, and after a couple of failed attempts I get shown a captcha.

On another day, I got locked out of my own account because I was trying to log in using another mobile device with another SIM in another country.



> and the new password must be at least 3 character different from last one.

Does this sort of rule imply that they are saving passwords whole (either plaintext or encrypted, as opposed to hashed)? I can understand "can't match your last N passwords" because that's just saving old hash entries. But editdistance(old, new) < 3 implies you know the string value somewhere.


Not necessarily. I forgot to mention that when changing your password through their UI you still have to enter your old password, so it's safe to assume that the string comparison is made at form submission. For the history rule, I don't want to imagine it being implemented otherwise.
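The change-password flow the reply describes, as an added example (not code from the thread or from the employer in question): the old password is verified against its stored hash, the edit-distance rule is checked on the two plaintexts that exist only during that request, and the "not one of your previous passwords" rule is enforced by re-deriving the new password under each stored salt. The work factor, history depth, the Levenshtein metric and the account class are assumptions made for this example; nothing but salted digests is ever kept.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Assumed policy parameters for this example, not the thread's actual policy.
PBKDF2_ITERATIONS = 50_000
HISTORY_DEPTH = 5
MIN_EDIT_DISTANCE = 3

Stored = Tuple[bytes, bytes]  # (salt, PBKDF2-HMAC-SHA256 digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> Stored:
    """Derive a salted digest; this pair is the only thing ever persisted."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify(password: str, stored: Stored) -> bool:
    """Constant-time comparison of a candidate against a stored digest."""
    salt, digest = stored
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; it needs both strings in the clear, which is
    exactly why the check can only run while the form submission is in hand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class Account:
    """Hypothetical account record: current digest plus a bounded history."""

    def __init__(self, password: str) -> None:
        self.current: Stored = hash_password(password)
        self.history: List[Stored] = []

    def change_password(self, old: str, new: str) -> Tuple[bool, str]:
        # 1. Authenticate the old password against its stored digest.
        if not verify(old, self.current):
            return False, "old password incorrect"
        # 2. Both plaintexts are available only now; apply the distance rule
        #    without storing either of them.
        if edit_distance(old, new) < MIN_EDIT_DISTANCE:
            return False, f"new password must differ by at least {MIN_EDIT_DISTANCE} characters"
        # 3. History rule: re-derive the new password under every old salt.
        for stored in [self.current] + self.history:
            if verify(new, stored):
                return False, "new password matches a previous one"
        self.history = ([self.current] + self.history)[:HISTORY_DEPTH]
        self.current = hash_password(new)
        return True, "password changed"
```

Step 3 is what makes the history rule hash-only: each stored entry keeps its own salt, so the new password is hashed once per entry rather than compared as a string. The cost grows with HISTORY_DEPTH, which is one reason to keep that depth small.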


Not many places will try a brute-force attack directly on a login interface, but if your database is leaked, then definitely. Nothing to rate-limit an attacker then.
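What "nothing to rate-limit an attacker" looks like in practice, as an added example that is not part of the thread: an offline dictionary attack over a constructed dump. The wordlist and the user rows are made up here. The first dump is unsalted MD5, where one hash per candidate word covers every user at once; the second is salted PBKDF2 (with a deliberately low iteration count so the example runs quickly), where every user costs a separate pass over the wordlist and nothing can be precomputed. Weak passwords still fall in both cases; what the salt and work factor change is the price per guess.

```python
import hashlib
import os
from typing import Dict, List, Tuple

# Constructed wordlist, standing in for a real cracking dictionary.
WORDLIST: List[str] = ["123456", "password", "qwerty", "letmein", "dragon"]

# Constructed dump in the worst common shape: unsalted MD5 hex digests.
# alice/bob/carol are MD5 of well-known weak passwords; dave's digest is of a
# string absent from the wordlist, computed here only to keep the file offline.
LEAKED_MD5: Dict[str, str] = {
    "alice": "5f4dcc3b5aa765d61d8327deb882cf99",
    "bob":   "e10adc3949ba59abbe56e057f20f883e",
    "carol": "d8578edf8458ce06fbc5bb76a58c5ca4",
    "dave":  hashlib.md5(b"not-in-any-wordlist-7f3a").hexdigest(),
}


def crack_unsalted(rows: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Hash each word once, then look every user up in the result.
    Returns (recovered passwords, number of hash computations)."""
    ops = 0
    table: Dict[str, str] = {}
    for word in wordlist:
        table[hashlib.md5(word.encode("utf-8")).hexdigest()] = word
        ops += 1
    found = {user: table[h] for user, h in rows.items() if h in table}
    return found, ops


# Assumed (and deliberately low) work factor so the example finishes quickly;
# a real deployment uses a far higher count or a memory-hard KDF.
SALTED_ITERATIONS = 1_000


def make_salted_row(password: str) -> Tuple[bytes, bytes]:
    """Build one constructed dump row: per-user random salt plus PBKDF2 digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, SALTED_ITERATIONS)
    return salt, digest


# Same users and passwords as above, stored the salted-and-slow way.
LEAKED_SALTED: Dict[str, Tuple[bytes, bytes]] = {
    "alice": make_salted_row("password"),
    "bob":   make_salted_row("123456"),
    "carol": make_salted_row("qwerty"),
    "dave":  make_salted_row("not-in-any-wordlist-7f3a"),
}


def crack_salted(rows: Dict[str, Tuple[bytes, bytes]], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Per-user salt forces a fresh pass over the wordlist for every row, and
    the KDF charges its full cost on each try. Returns (recovered, ops)."""
    ops = 0
    found: Dict[str, str] = {}
    for user, (salt, digest) in rows.items():
        for word in wordlist:
            ops += 1
            candidate = hashlib.pbkdf2_hmac("sha256", word.encode("utf-8"), salt, SALTED_ITERATIONS)
            if candidate == digest:
                found[user] = word
                break
    return found, ops
```

Counting the hash operations is the point: the unsalted table costs one hash per dictionary word regardless of how many users leaked, while the salted table costs one slow derivation per user per word tried. With no login endpoint in the loop, that per-guess cost is the only thing slowing the attacker down, which is why the strength of the password itself still matters once a database is gone.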




