You ever see those ads back in the day where they’d have a little master combo lock, and someone would fire a handgun right at it? The bullet would ricochet off the lock, sending the lock flapping around all over the place, and when everything settled – there was the lock, still all locked up.

I’m not saying those were faked or anything… but they sure were misleading.

To bust apart your master lock, you’ll need a hammer, a flathead screwdriver, a strong pair of pliers, a good pounding surface, and 15 minutes.

Assuming your lock looks like mine, on the back you’ll find a nice little steel lip. Pound the flathead down under that.

Pound forward so that you can get the flathead under the front dial. It’ll pop right off.

Under the dial there’s a thicker piece of protective steel. Choose a good spot and pound through it using the flathead. Pry up a lip and pull it back with your pliers. The insides of the lock will kinda just dissolve and fall out. Give the lock a tug and bam! Your lock is open.

This is straight off GoDaddy’s FTP user password requirements for their shared Linux hosting plans:

You must create a password for your account. This means that your password:

  • Must contain 7 to 14 characters.
  • Must contain at least one lowercase letter.
  • Must contain at least one uppercase letter.
  • Must contain at least one number.
  • Must begin with a letter.
  • Cannot contain the user name.
  • Cannot contain the following characters: question mark, space, caret, single quote, double quote, colon, backslash, dollar sign, ampersand, greater than, less than, tilde, semi-colon, or accent.

The result of this kind of password requirement is that your user has to come up with a new password, or a new variation on one of their existing passwords, just for your site. Now in the perfect world, users would have a unique password for everywhere on the internet they have a login. There are programs out there to help users do that. But guess what. People don’t use them. For some good reasons too – like now a copy of your passwords, one way or another, is being stored somewhere that isn’t your brain. Which is the whole idea – your password is something that only you can produce, and you can do so anywhere, anytime you need to.

So in reality, your users likely have somewhere between 10 and 100 logins across the internet. If they’re forced to try to remember a special username/password combo for your site – they won’t. They’ll write it down and stick it in their wallet. Or in the drawer next to their desk. Or in a plaintext file on their desktop. Which is about as secure as, well, putting something yummy in the snack room with a sign that says ‘yummy’.

When a hosting provider like GoDaddy does this kind of bad practice, it isn’t that big a deal. It just makes their FTP user base more likely to be compromised. Now when your bank does it (I believe all my banks do it at one level or another) it’s serious. This isn’t helping the security problem – it’s just passing the buck. Even though this makes the average user more vulnerable to attack, that’s no longer your bank’s fault. It was you who didn’t safely guard your 7 different usernames, 3 levels of passwords, and up to 5 variations on those different passwords for your various logins across the internet.  That’s what I’m up to: 7, 3 and 5. Now soon to be 6.

As a user, what do you guys use to manage all your usernames/passwords?  As a developer, what kind of restrictions do you apply for your users’ passwords and/or usernames?  Do you know of any standard set of password restrictions, or any standard algorithm for computing what constitutes a ‘good’ or a ‘weak’ password?
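As an added illustration of the closing question (this is example code written for this page, not anything from the original post or from GoDaddy): a small Python checker that encodes the quoted FTP rule set and puts a crude brute-force entropy estimate beside it. Two assumptions: the "accent" in the rule list is taken to mean the grave accent (backtick), and the strength estimate is the usual log2(alphabet size ^ length) figure, which ignores dictionary words and password reuse and so is only a rough gauge of ‘good’ versus ‘weak’. The last function shows what the rules cost: a 14-character cap over the allowed alphabet tops out below 90 bits, while a longer all-lowercase passphrase the rules would reject can exceed it.

```python
import math
import string

# Rule set transcribed from the quoted GoDaddy requirements (constructed for this example).
# "accent" is assumed to mean the grave accent / backtick.
FORBIDDEN = set('? ^\'":\\$&><~;`')
MIN_LEN, MAX_LEN = 7, 14


def godaddy_violations(password: str, username: str) -> list[str]:
    """Return the list of quoted rules the password breaks; an empty list means it passes."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN}, got {len(password)}")
    if not any(c.islower() for c in password):
        problems.append("needs a lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("needs an uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("needs a digit")
    if not password[:1].isalpha():
        problems.append("must begin with a letter")
    if username and username.lower() in password.lower():
        problems.append("must not contain the user name")
    bad = sorted(set(password) & FORBIDDEN)
    if bad:
        problems.append("forbidden characters: " + "".join(bad))
    return problems


def charset_size(password: str) -> int:
    """Alphabet an exhaustive search would have to cover, judged from the classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size


def entropy_bits(password: str) -> float:
    """Crude brute-force entropy: log2(charset ** length). Ignores dictionary structure."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def max_entropy_under_rules() -> float:
    """Upper bound for any password that passes the quoted rules: MAX_LEN characters
    drawn from letters, digits and the punctuation the rules still allow."""
    allowed = set(string.ascii_letters + string.digits + string.punctuation) - FORBIDDEN
    return MAX_LEN * math.log2(len(allowed))


if __name__ == "__main__":
    # Constructed sample passwords for a hypothetical user "alice".
    for pw in ["Abcdefg1", "alice2024X", "Pass word1", "correct horse battery staple"]:
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits, violations={godaddy_violations(pw, 'alice')}")
    print(f"best case under the rules: {max_entropy_under_rules():.1f} bits")
```

Note that the 28-character all-lowercase passphrase in the sample fails the rules on four counts yet scores higher on the brute-force estimate than anything the rules permit; that is the gap between "complexity rules" and actual guessability that the post is complaining about.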