Sunday, April 06, 2008

[New York]: Technology Thinks You Are Dumb

The Urban Caballero is tonight grappling with the following (from a real university website):

Your password or pass phrase must conform to the following rules:

* It must be 7-40 characters long. It is recommended that passwords be a minimum of nine characters.
* It must not be a word that appears in any dictionary of English or non-English words or names.
* It must be composed only of characters in the Roman alphabet or symbols on the U.S. keyboard.
Note: no Chinese, Korean, Cyrillic, or Japanese characters are allowed.

What the System Looks For

Dictionary Words
The password-checking system screens all passwords against its own large dictionary of 2.7 million English and non-English common words. The words in most major languages are represented, spelled forward and backward. This dictionary is regularly updated to cover all words peculiar to the University community (such as "stanford"). Any words found in this dictionary are rejected as passwords.

Random Suffixes and Prefixes
Many people attempt to disguise a dictionary word by adding random characters at the beginning or end of the word. The system automatically screens for this technique. For example, the passwords below would not be allowed:






(No matter what X or XX is.)

Non-Letters As Letters
Many people try to use certain non-letters as letters within their passwords. The system automatically translates all of the following non-letters into letters before looking up words in its dictionary:

* $ = s
* 4 = h
* 2 = a
* 3 = e
* 0 = o
* 1 = l
* 1 = i

Passwords like $tanford would therefore be rejected.

SUNet ID passwords are case-sensitive: uppercase and lowercase letters are considered to be separate letters (except at the beginning of a word). Capitalizing random letters in a dictionary word (caRpoRTS) will not, however, fool the screening program. The point is to capitalize letters in a non-word password, in order to provide another layer of complexity against other password-cracking programs.

Obvious Tricks
The system automatically screens out passwords set in the following manner:

* Passwords based on a dictionary word spelled backward (drofnats).
* Passwords based on two dictionary words in a row (dogdog).
* Passwords based on the person's login name.
* Passwords that are all white space.
* Passwords that contain control characters.
* Passwords that are all numbers.
* Passwords followed and/or preceded by 1 or 2 characters (9cheval, cheval9, 99cheval, cheval99, 99cheval99 etc.)
* Passwords with several repeating characters (aaaaaaaa or aaaabbbb or abababab).
* Passwords that do not have more than four characters that differ from the previous character by one (1234abcd).
* Passwords with license plate patterns (daaaddd).
* Passwords with social security patterns (dddssdddd).
* Passwords with phone number patterns (dddsdddd or dddsdddsdddd).

Obviously, I won't tell you what password the Urban Caballero finally managed to choose (I'd have to kill you, and besides, I don't know it) - but the real problem is, by tomorrow, I don't think even he will remember!
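
The screening procedure quoted above, worked through as a runnable Python sketch. This is an added example, not the university's actual checker. It stands a constructed six-word list in for the 2.7-million-word dictionary, reads "characters that differ from the previous character by one" as a count of such characters (the reading under which the page's own 1234abcd example fails), and treats the "s" in the license-plate, social-security and phone shapes as any single non-alphanumeric character. Those interpretations, the login name, and every candidate password in the demo are my assumptions.

```python
import re

# Constructed toy word list standing in for the 2.7-million-entry dictionary
# the page describes (assumption: any set of lowercase words works the same way).
WORDLIST = {"stanford", "carports", "cheval", "dog", "horse", "password"}
# The page says words are kept forward and backward, so store both spellings.
DICTIONARY = WORDLIST | {w[::-1] for w in WORDLIST}

# Non-letter -> letter table exactly as listed on the page. "1" maps to two
# letters, so both spellings of a password are tried.
LEET = {"$": "s", "4": "h", "2": "a", "3": "e", "0": "o", "1": "li"}

# Shape patterns from the page: d = digit, a = letter, s = separator.
# Assumption: a separator is any single non-alphanumeric character.
SHAPES = {
    "license plate pattern": ["daaaddd"],
    "social security pattern": ["dddssdddd"],
    "phone number pattern": ["dddsdddd", "dddsdddsdddd"],
}
_CLASS = {"d": "[0-9]", "a": "[A-Za-z]", "s": "[^A-Za-z0-9]"}
SHAPE_RES = {
    name: [re.compile("^" + "".join(_CLASS[c] for c in p) + "$") for p in pats]
    for name, pats in SHAPES.items()
}


def deleet_variants(pw):
    """Every spelling obtained by turning non-letters back into letters."""
    variants = [""]
    for ch in pw:
        variants = [v + s for v in variants for s in LEET.get(ch, ch)]
    return variants


def stems(pw):
    """Lowercase + de-leet, then drop 0-2 characters from either end; this is
    what defeats the 9cheval / cheval99 / 99cheval99 trick."""
    out = set()
    for v in deleet_variants(pw.lower()):
        for pre in range(3):
            for suf in range(3):
                if len(v) - pre - suf >= 3:
                    out.add(v[pre:len(v) - suf])
    return out


def is_two_words(s):
    """dogdog: some split point leaves a dictionary word on both sides."""
    return any(s[:i] in DICTIONARY and s[i:] in DICTIONARY for i in range(1, len(s)))


def is_repeating(s):
    """aaaaaaaa / abababab (a 1- or 2-char unit repeated throughout) or any
    character appearing four or more times in a row (aaaabbbb)."""
    for unit in (1, 2):
        rep = s[:unit] * (len(s) // unit) + s[: len(s) % unit]
        if len(s) >= 2 * unit and s == rep:
            return True
    return re.search(r"(.)\1{3}", s) is not None


def sequential_count(s):
    """Number of characters that differ from the previous one by exactly 1.
    Read this way the page's example 1234abcd scores 6, i.e. more than four."""
    return sum(1 for a, b in zip(s, s[1:]) if abs(ord(a) - ord(b)) == 1)


def screen(pw, login=""):
    """Return every reason the password fails; an empty list means accepted."""
    reasons = []
    if not 7 <= len(pw) <= 40:
        reasons.append("length must be 7-40")
    if any(ord(c) < 32 or ord(c) == 127 for c in pw):
        reasons.append("control character")
    if any(ord(c) > 126 for c in pw):
        reasons.append("non-Roman character")
    if pw.isspace():
        reasons.append("all white space")
    if pw.isdigit():
        reasons.append("all numbers")
    low = pw.lower()
    if login and any(login.lower() in v for v in deleet_variants(low)):
        reasons.append("based on login name")
    cands = stems(pw)
    if cands & DICTIONARY:
        reasons.append("dictionary word (forward or backward, de-leeted, affixes stripped)")
    if any(is_two_words(s) for s in cands):
        reasons.append("two dictionary words in a row")
    if is_repeating(low):
        reasons.append("repeating characters")
    if sequential_count(pw) > 4:
        reasons.append("sequential characters")
    for name, regexes in SHAPE_RES.items():
        if any(r.match(pw) for r in regexes):
            reasons.append(name)
    return reasons


if __name__ == "__main__":
    # Constructed candidates; the login name is assumed.
    for cand in ["$tanford", "caRpoRTS", "99cheval99", "drofnats", "horsedog1",
                 "1234abcd", "abababab", "555-1234", "ucaballero08", "Tr!ll-mirth9Gale"]:
        print(f"{cand!r:20} -> {screen(cand, login='ucaballero') or 'accepted'}")
```

screen() collects every failing rule rather than stopping at the first, so a user can be told exactly why a candidate was thrown out instead of guessing. Note that the whole design is a blacklist: it only ever rejects patterns someone thought of in advance, which is why current guidance (NIST SP 800-63B) leans on length and checks against known-breached passwords rather than composition rules like these.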


At 2:39 PM, Blogger Jean said...

I wonder if the computer could figure out and reject pig latin: anfordstay.

The most common result of these kinds of rules is that the person writes the password on a sticky note and puts it right on their computer!!

At 5:54 PM, Anonymous susanlynn said...

I'm nostalgic for those good old days when you either picked up the phone or put a stamp on a letter and mailed it. Insert big sigh right here.

