Random Acts of Senseless Fuckery
Published on October 5, 2004 By evilPidge In Gadgets & Electronics
So I'm a student here at the University of Texas at Austin, and we have a pretty spiffy computer network running here called UTDirect. It's pretty helpful for finding out information and taking care of business. You can register and add/drop classes, you can check your grades, you can figure out what books you need to buy for your classes. You can find out the email address for a professor and the web page, if any, for a particular class. All in all it's a pretty nifty class.

To get into this system you have to type in an EID, an electronic identification (read: user name), and your password. Pretty simple, huh? I used to be one of those stupid people that had a pretty simple password. I used to use "pidge" as my password; boy, that'd be a simple one for someone to figure out. I finally wised up and changed it to something more difficult. I changed my password to the license plate number of the first car that I bought with the last two digits reversed. I was pretty pleased with that. How the hell would someone figure that out, huh?

Well recently the ITS department instituted new rules for passwords here at the university, and I thought I'd pass those along to let everyone else know how stupid they were. These are the actual requirements for the new passwords:

1) UT EID password is case-sensitive
2) It must be between 8 and 20 characters long.
3) You may not re-use any of your last 10 passwords
4) It cannot contain blanks
5) It must consist of letters, numbers, and special characters. The special characters that are permitted are: ! @ # $ % & * ( ) . + = : ; " '
6) Your password cannot contain any words found in the dictionary or common proper nouns of four letters or longer. In addition, common letter transpositions are not allowed (for example @ for a, ! for i, or zero for O).
7) It cannot contain your UT EID
8) It cannot contain your first or last name
9) It cannot contain your birthday in any form
10) It cannot contain your Social Security number
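A checker for the ten rules above, written here as an added example (it is not UT's own code); the word list, identity values and the set of birthday spellings it tries are constructed assumptions, since the policy only says "in any form":

```python
import re
from datetime import date

# Special characters the policy (rule 5) permits. Rule 1 (case sensitivity)
# needs no check: the password is compared exactly as typed.
SPECIALS = set('!@#$%&*().+=:;"\'')
# Constructed mini word list standing in for the dictionary of rule 6; a real
# checker would load a full dictionary and proper-noun list from disk.
WORDLIST = {"pidge", "texas", "austin", "password", "longhorn", "orange"}
# The letter transpositions named in rule 6, undone before the dictionary check.
LEET = str.maketrans({"@": "a", "!": "i", "0": "o"})
# Constructed sample identity (assumption: none of these values are real).
SAMPLE_ID = dict(eid="jd1234", first="Jane", last="Doe",
                 bday=date(1984, 3, 15), ssn="123-45-6789")


def birthday_forms(bday: date) -> set:
    """Spellings of a birthday that this checker treats as 'any form' (rule 9)."""
    y, m, d = bday.year, bday.month, bday.day
    return {f"{m:02d}{d:02d}{y}", f"{m:02d}{d:02d}{y % 100:02d}", f"{y}{m:02d}{d:02d}",
            f"{m}{d}{y % 100:02d}", f"{d:02d}{m:02d}{y}", f"{m:02d}{d:02d}", str(y)}


def check_password(pw, eid, first, last, bday, ssn, history=()):
    """Return the numbers of the rules the candidate violates ([] means accepted)."""
    violations = []
    if not 8 <= len(pw) <= 20:                                    # rule 2
        violations.append(2)
    if pw in list(history)[-10:]:                                 # rule 3
        violations.append(3)
    if any(c.isspace() for c in pw):                              # rule 4
        violations.append(4)
    classes = (any(c.isalpha() for c in pw), any(c.isdigit() for c in pw),
               any(c in SPECIALS for c in pw))
    if not (all(classes) and all(c.isalnum() or c in SPECIALS for c in pw)):  # rule 5
        violations.append(5)
    folded = pw.lower().translate(LEET)                           # rule 6
    if any(w in folded for w in WORDLIST if len(w) >= 4):
        violations.append(6)
    if eid.lower() in pw.lower():                                 # rule 7
        violations.append(7)
    if first.lower() in pw.lower() or last.lower() in pw.lower():  # rule 8
        violations.append(8)
    if any(form in pw for form in birthday_forms(bday)):          # rule 9
        violations.append(9)
    if ssn in pw or ssn.replace("-", "") in re.sub(r"\D", "", pw):  # rule 10
        violations.append(10)
    return violations


if __name__ == "__main__":
    for candidate in ["pidge", "P@ssw0rd!9", "Xy!03151984", "@W2w@W2w@W2w"]:
        print(candidate, "->", check_password(candidate, **SAMPLE_ID) or "accepted")
```

Note that a purely repetitive string such as `@W2w@W2w@W2w` satisfies every rule, which is the gap a pattern-based policy like this leaves open.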

Easy, huh? I thought I was set: my old licence plate number had seven digits and the last digit was a 7, so me being the smart guy I am, I just added an & after the last digit of my licence plate. I did this and everything worked great, until I went into one of the computer labs to work on some homework. It would seem that this computer lab uses an additional login program that has a problem with &'s. Now this wouldn't be a problem if it came back and told me that there was a problem with my password. So the first time it doesn't work, I figure I typed my password in wrong. The second time, I thought perhaps this login system was different from UTDirect and that I had to use my old password to log on to the computer and then my new one to log onto UTDirect. Well, that didn't work either. So I decided to ask one of the guys that worked at the computer lab. He asked me to try to log in so he could see what happened. It didn't work. He then asked me to try to log on to one of the Macs. Well, that didn't work either, and for those of you that haven't been keeping count, that would be 5 incorrect logons. My password was now locked. It turns out I would have to physically go into the Registrar's office to get my password reset. WHEE, cause I got plenty of time for that. When I walked into the Registrar's office, they reset my password easily enough, almost as if they have had plenty of practice doing it. They then gave me a sheet of paper that tells me how to go unlock my password so I can go and reset it. This sheet came from a stack of literally a thousand sitting on the desk.

Almost as if they thought they might need a few.

Comments
on Oct 05, 2004
HAHAHAHAHA!!! I feel your pain. I've taken to using SKATS for passwords. If you remember any of that, you could just SKAT something and add a number and an occasional . to make a password. For example -

1JEF.lhl

That gives you upper and lower cases, numbers, and special characters!
on Oct 05, 2004
lol, I literally haven't thought of SKATs in years. I'd probably be hard pressed to translate it anymore.
on Oct 05, 2004
The actual policy is somewhat stricter than normal, but not really unreasonable. Each rule is there to negate a specific, common type of password-guessing action. ( Although, with all the other rules, I think they could have done fine with a 6-character minimum.)

Where they obviously blew it was in not choosing a policy that actually works with all their systems.

(Disclaimer: I am an IT manager with a particular interest in security.)
on Oct 05, 2004

lol the harder they make these policies the more inventive people get at circumventing them....

try something repetitive like @W2w@W2w@W2w

fits all the criteria and only 2 keys plus some shifting....

on Oct 05, 2004
The actual policy is somewhat stricter than normal, but not really unreasonable. Each rule is there to negate a specific, common type of password-guessing action. ( Although, with all the other rules, I think they could have done fine with a 6-character minimum.)

Where they obviously blew it was in not choosing a policy that actually works with all their systems.

(Disclaimer: I am an IT manager with a particular interest in security.)


The thing that makes me wonder is, with all these extra rules, how many people will now write down their passwords instead of just memorizing them. iirc that is still the #1 way systems are compromised.
on Oct 05, 2004
Oh yes Pidge,
between my three PWs at work, three for E-mail accounts, 5 or 6 on-line merchants, I am often lost and need to reset them. The Army's new policy is pretty similar to UT's now.
on Oct 06, 2004
Well, Pidge, that's one reason I think 6 characters would have been more reasonable; it falls on the happy side of the old "7, plus or minus 2" rule of how many bits of information people can remember fairly easily.

On the other hand, the fact that people write their passwords down isn't necessarily the problem. The fact that people leave their written-down passwords SITTING OUT FOR ALL TO SEE is the real problem. Print them clearly on a small piece of posterboard and stick it into your wallet, and you won't have a problem unless you get mugged.

Or better yet, apply a simple transformation rule to the passwords (e.g. reverse the case of the letters, or add 1 to all the numbers, or remove the first and last printed characters, or insert your first and last initials at the beginning and end of the password) when they're written down, then un-transform them yourself when you type them in. All you have to remember then is the transformation rule, which will stymie just about anyone else.
on Oct 06, 2004
Or better yet, apply a simple transformation rule to the passwords (e.g. reverse the case of the letters, or add 1 to all the numbers, or remove the first and last printed characters, or insert your first and last initials at the beginning and end of the password) when they're written down, then un-transform them yourself when you type them in.


oh, yeah. THAT'S easy
on Oct 06, 2004
I said "OR", not "AND". Any one of those simple transformations will do, you don't have to do all of them.

Puts me in mind of a tale I read about a Japanese shogun who wanted to share the secret of gunpowder with an ally. He wrote up the instructions in fine detail and dispatched a messenger to deliver the paper.
Along the way, as feared, a rival shogun killed the messenger and took the instructions.
The rival shogun then blew himself and his castle up attempting to follow the instructions.
Why? Because the messenger had been told to relay one extra bit of information upon delivering the message to its rightful recipient: "When you get to the last step [where it says something like 'Finally, bake the entire batch in the highest heat you can manage for 12 hours'], skip it."
on Oct 08, 2004
That's pretty clever indeed. Keep a bit of verbal information in your messenger.
on Oct 08, 2004
When confronted with password woes, I have a tendency to forget all my passwords, mainly because I have 24 that I have to remember with my bank account, school, and internet accounts. I have a tendency to use 4 variations of the same one. My school ID number is 1086076, so I have passwords like 1080607060, or a1607g6h, (my initials) etc.
on Oct 17, 2004
Hey, what about talking to the school about image-based passwords? They might not listen, but it never hurts. They've been shown to be more secure and people have a higher rate of remembering them.

I forget the school that did tests, but they seem to be catching on and a few new variations are available. Microsoft is even thinking about implying them [Still Microsoft shall still be the #1 deadly virus.]

Anyway. It might warrant a letter to the office.

People forgetting passwords is an expensive thing and they might save a few bucks with it, be the envy of surrounding schools, and thank you...

Or just throw it away...

anyway.

~abeeda.com
on Oct 17, 2004
Puts me in mind of a tale I read about a japanese shogun who wanted to share the secret of gunpowder with an ally.


Heh, good story.

on Oct 17, 2004
Off the top of my head I have to manage passwords for 14 accounts. Now this doesn't count any forums or game services I use (i.e. MMOs, Steam etc). I have a set of 4, maybe 5 passwords I use across all of them, and most of them are just slight transformations on 2 or 3 base passwords. As I gather more and more critical accounts it's getting harder and harder to remember which passwords I use where, and most systems have a three strikes and you're out rule preventing me from guessing through my set.

Now, I've done the IT manager thing, I've run servers and networks, but even I'm to the point now where I have to start writing them down. Kinda makes you wish there was some sort of master centralized logon system. Imagine a global Kerberos server.