September 20, 2004
UT ITS is Evil
By Karl-Thomas Musselman
UT thinks that passwords are not good enough as they are now. So the Information Technology Wizards have thought up a new scheme in order to keep anyone from figuring out your password. This apparently includes the owner of the password as well. Their newly printed guidelines are the most asinine set of rules I have ever encountered for a password. Soon we will all be forced to have some god-awful combo like "jek45:@blg%7"...
What are the new password requirements?
- It must be between 8 and 20 characters in length.
- It cannot contain blanks.
- It must contain letters, numbers, and special characters. Special characters which are permitted are ! @ # $ % & * ( ) - + = , < > : " ' .
- It cannot contain any words found in our dictionary or common proper nouns of four letters or longer. In addition, common letter transpositions are not allowed (such as @ for a, ! for i, or zero for O).
- It cannot contain your UT EID.
- It cannot contain your first or last name.
- It cannot contain your birthday in any form.
- It cannot contain your Social Security Number.
- You may not reuse any of your last 10 passwords.
I can almost guarantee you that this is not going to create more difficult passwords but simply some combination that is easy to type (since almost any word longer than 4 letters will NOT work) meaning that passwords will be patterns on the keyboard. Think ASDF7890.
Please add your creative ideas for additional restrictions in the comments. Mine?
- It cannot be possible to type your password in under 10 seconds.
Update: Thanks to this idiotic new system, I have already locked myself out of my UT accounts due to the password changing shit.
Update 2: Being the crafty student I am, I found a way to get around needing to contact the Main offices in the Tower. Take that, security bitches.
Posted by Karl-Thomas Musselman at September 20, 2004 05:18 AM
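The quoted rules written out as a checker, plus one extra test for keyboard-row runs that the rules do not include (an added example, not UT's code and not part of the original post). The word list, the four birthday layouts and the plain-text password history are constructed assumptions.

```python
import re

SPECIALS = set("!@#$%&*()-+=,<>:\"'.")      # characters the quoted policy permits
UNLEET = str.maketrans("@!0", "aio")         # transpositions the policy names
# Constructed stand-in for the site's dictionary, which the page does not show.
SAMPLE_WORDS = {"pass", "word", "horse", "staple", "battery", "texas"}
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def policy_violations(pw, eid, first, last, birthday, ssn, history=(), words=SAMPLE_WORDS):
    """Return the quoted rules that pw breaks; an empty list means accepted.

    Identity fields must be non-empty; birthday is "YYYY-MM-DD". history holds
    earlier passwords, newest last (plain strings for the demo only; a real
    system would compare against stored hashes).
    """
    low, digits, broken = pw.lower(), re.sub(r"\D", "", pw), []
    if not 8 <= len(pw) <= 20:
        broken.append("length")
    if " " in pw:
        broken.append("blank")
    if any(not (c.isascii() and c.isalnum()) and c not in SPECIALS and c != " " for c in pw):
        broken.append("charset")
    if not (re.search(r"[a-z]", low) and digits and SPECIALS & set(pw)):
        broken.append("classes")
    # Dictionary rule: words of four letters or longer, also after undoing transpositions.
    if any(len(w) >= 4 and (w in low or w in low.translate(UNLEET)) for w in words):
        broken.append("dictionary")
    if eid.lower() in low:
        broken.append("eid")
    if first.lower() in low or last.lower() in low:
        broken.append("name")
    # "In any form" is approximated by four common digit layouts of the date.
    y, m, d = birthday.split("-")
    if any(form in digits for form in (m + d + y, m + d + y[2:], y + m + d, d + m + y)):
        broken.append("birthday")
    if re.sub(r"\D", "", ssn) in digits:
        broken.append("ssn")
    if pw in list(history)[-10:]:
        broken.append("reuse")
    return broken


def keyboard_runs(pw, min_len=4):
    """Extra check, not in the quoted policy: runs along one keyboard row."""
    low, lanes = pw.lower(), ROWS + [r[::-1] for r in ROWS]
    return sorted({low[i:i + min_len] for i in range(len(low) - min_len + 1)
                   if any(low[i:i + min_len] in lane for lane in lanes)})
```

For a constructed user, `asdf7890!` breaks none of the quoted rules while `staple-horse-42` is rejected for dictionary words; only `keyboard_runs` flags the first one.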
Karl,
I have been having to create and use passwords with those same requirements for about eight years. In fact, I was one of those "IT Wizards" that enforced such rules. You wouldn't believe how easy it is to crack passwords with the user's name, SSN, dictionary words, etc. It may seem asinine, but they do have a reason behind their madness.
use your IF account password
oh yeah, cause i use that one about once a year.
Yeah I found that really annoying too. My password was already a 16 character string of random letters and numbers, it just didn't have a "special" character.
Real cute.
Make a password difficult enough that people like me, who memorize passwords generally, are forced to write them down.
Generally, I rot-1 each number when I have to do this though.
I concur with Sal here.
I still remember my ITS number. It was ISDF980.
I also still remember my lunch ticket number from high school though. But I can't tell you that for security reasons. ;-)
Ex-IBM, I've seen this sort of policy result in post-it notes stuck under keyboards, passwords written down all over, variations on a pair of passwords using rot-1 or rot-2, and as someone already noted, easy to type forms like "asdf1234."
I find foreign words fun to use as passwords, especially slang and obscenities. If you add a number or special character they almost always work.
Besides I like knowing the Hungarian word for a$$hole or the Dutch word for rump ranger. Source for slang
How about, you must change your password every day?
Seriously, these rules are a pain, but they are a great idea... a good fraction of successful account hacks are just brute force or intelligent guessing of weak passwords.
My trick? Pick an easy English phrase and then just spell it like a 12-yr-old "l33t_H4x0r" would.