For the Stupid Password Rules at Iowa State | /en/2012/08/stupid-iastate-password-rules/

[yihui]

For the Stupid Password Rules at Iowa State

https://yihui.org/en/2012/08/stupid-iastate-password-rules/

[giscus-bot]

Guest *Ahmadou Dicko* @ 2012-08-07 10:09:33 originally posted:

You forgot to set the seed :)

[yihui]

Oh yes, thanks for the reminder. The seed was rpois(1, 1e8).

Originally posted on 2012-08-07 13:39:30

[giscus-bot]

Guest *Tal Galili* @ 2012-08-07 20:57:30 originally posted:

LOL

[giscus-bot]

Guest *Stephanie* @ 2012-08-07 11:21:24 originally posted:

So Yihui, this is Stephanie. I came in at the same time as you and yet have never been prompted to reset my password. I think I have figured out why - only people with teaching or TA responsibilities must reset it. So, stop teaching and the problem will be solved!

[yihui]

I see. Thank you so much for being in the control group!

Originally posted on 2012-08-07 13:41:21

[giscus-bot]

Guest *Phillip Kent* @ 2012-08-07 11:32:47 originally posted:

Have you tried 'apg' (Automated Password Generator) in Linux? (Don't know if it has a windows port.) It generates strong, memorable passwords instantly, with loads of options. Easily satisfies the obscure requirements of password security systems.

[yihui]

Thanks for letting me know. I use Linux exclusively, but I did not try apg. I'm too frustrated to remember this 8-char password now :)

Originally posted on 2012-08-07 13:47:20

[giscus-bot]

Guest *Susan Vander Plas* @ 2012-08-07 13:16:35 originally posted:

The worst part is that the 8 character limit means that they probably aren't even hashing the passwords to store them, so somewhere, that password is lying around just waiting to be stolen...

Stupid ISU!

[yihui]

I can imagine there is a field in their database which was created as CHAR(8).

Originally posted on 2012-08-07 13:50:51

[giscus-bot]

Guest *No* @ 2012-08-07 15:12:42 originally posted:

Just use a password manager like PasswordSafeSWT and put the encrypted password file in your Dropbox folder. Why re-invent the wheel?

[yihui]

The problem is I have to guarantee Dropbox has been installed everywhere, or I'll have to login the Dropbox website to get that encrypted file, then I have to download the software to decrypt it. I'm totally fine on my own machine, but I do not have access to it all the time.  The only "portable" solution is to memorize the password, but for our system, the password expires again and again...

Originally posted on 2012-08-07 15:51:12

[giscus-bot]

Guest *DavidC* @ 2012-08-08 06:06:00 originally posted:

I started using Lastpass earlier this year. If you have access to a browser you have access to your passwords. No need to download anything if you are using someone else's computer etc. Great smart phone app for it too.

[giscus-bot]

Guest *baptiste auguie* @ 2012-08-07 19:49:32 originally posted:

funny that, we have the same stupid rules, and I too came up with an R solution. Essentially, I only remember have to choose a random seed. 
I chose to sample the characters according to their frequency in the english language, so that you don't have to type too many

xZxWzy.password <- function(
  n = 9, capitals = TRUE, numbers = TRUE, special = c("@", "!", "$", "&"),
  seed = 123, ramanisfun = FALSE, replace = TRUE, frequencies = c("french", "english")
) {
  if (ramanisfun) return("ramanisfun")
  frequencies <- match.arg(frequencies)
  frequencies <- switch(
    frequencies,
    french = c(
      8.13, 0.93, 3.15, 3.55, 15.1, 0.96, 0.97, 1.08, 6.94, 0.71, 0.16, 5.68,
      3.23, 6.42, 5.27, 3.03, 0.89, 6.43, 7.91, 7.11, 6.05, 1.83, 0.04, 0.42,
      0.19, 0.21
    ),
    english = c(
      8.167, 1.492, 2.782, 4.253, 12.7, 2.228, 2.015, 6.094, 6.966, 0.153,
      0.772, 4.025, 2.406, 6.749, 7.507, 1.929, 0.095, 5.987, 6.327, 9.056,
      2.758, 0.978, 2.36, 0.15, 1.974, 0.074
    )
  )
  set.seed(seed)  # reproducible randomness
  pool <- c(letters, special)
  prob <- c(frequencies, runif(length(special), min(frequencies), max(frequencies)))
  if (capitals) {
    pool <- c(pool, LETTERS)
    prob <- c(prob, frequencies)
  }
  if (numbers) {
    pool <- c(pool, seq(0, 9))
    prob <- c(prob, runif(10, min(frequencies), max(frequencies)))
  }
  paste(sample(pool, size = n, replace = replace, prob = prob), collapse = "")
}
password()

[yihui]

Long live the statisticians!

Originally posted on 2012-08-08 02:24:34

[giscus-bot]

Guest *Tystan* @ 2012-08-08 04:07:58 originally posted:

I know someone who agrees with you

http://xkcd.com/936/

[giscus-bot]

Guest *Luis Apiolaza* @ 2012-08-08 05:00:28 originally posted:

Add to your list 'you can't have the same letter more than twice' and, of course, 'it can't be a dictionary word' and you get the policy at Canterbury's supercomputer.

[giscus-bot]

Guest *Minzhao* @ 2012-08-10 13:56:26 originally posted:

lastpass helps  to remember the password

[giscus-bot]

Guest *Yue Shentu* @ 2012-08-10 14:09:22 originally posted:

I just use KeePass, and save both the portable executable, a randomly selected key file(buried in other folders with thousands of others), and the password database in Dropbox.  If I have access to a browser on a windows computer, it's easy.  For linux it's a bit harder as you do have to install keepass, and without admin right I don't know if it's possible. There is also an iPhone app that does keepass but it doesn't support using both password and key file. Then again to use R to generate passwords you really have to have R installed. So I would call it a draw. 

For the silly password rule, I don't know if permutation of the previous password is allowed. If your previous password hasn't been guessed, there is no reason to not just recycle it with a different order just to get around the stupid rule. 

[yihui]

They have yet another mysterious rule which is your new password must not be similar to the old ones. I did shuffle my password for a couple of times, but failed for a few times due to the unknown "similarity measure".

Originally posted on 2012-08-10 17:23:55

[giscus-bot]

Guest *Jarad Niemi* @ 2012-10-04 17:04:44 originally posted:

I also complained to no avail:

Please change the 3 month password change policy on AccessPlus. Here

are a number of articles describing why this policy makes little

sense.

http://www.schneier.com/blog/archives/2010/11/changing_passwo.html

http://www.pcmag.com/article2/0,2817,2362692,00.asp#fbid=Tca5jISAKsj

http://docs.google.com/viewer?url=http://research.microsoft.com/en-us/um/people/cormac/papers/2009/SoLongAndNoThanks.pdf&pli=1

[name-temp]

I know this post is well over 10 years old, but stumbled upon it while looking for something else, and wanted to shed some light on the weird requirements. The password requirements basically 100% match the IBM RACF requirements for their ALPHANUM symbol set (the default setting for many years), so more likely than not this password limitation was from ISU using a mainframe somewhere, that you had an account on, potentially indirectly.
https://www.newera.com/INFO/RACF_PW_Symbols.pdf

[yihui]

Good to know. Thank you for pointing out the possible source!