Strong passwords.... Or not

I absolutely hate password "strength" plugins - they're almost always terrible. I use a password manager so all my passwords are generated according to the rules of the website I'm on to be as strong as the site will allow (within reason).

So I was on NPower trying to register, it told me up to 20 chars, mixed case and at least one number. I got my password manager to generate me a 20 character mixed case password with numbers. I forgot to tick the box for special characters.

The results for strength of password were alarming: 

So 20 random chars is the same strength as "Orange1"? Add a space to the end (or any special character) and it's suddenly stronger?

Who writes these things anyway? Validating the strength of a password is really bloody hard and it's not going to be done well by 15 lines of JavaScript in a browser. I wish we could all agree to leave those heaps of shit behind us.

Comments

Post a Comment

Popular posts from this blog

Full text search in Entity Framework 6 using command interception

Image
Background One of the main problems we encountered using Entity Framework was its lack of support for full text search. Our search function is based around a series of processors that attempt to match the incoming phrase against a set of patterns that we're expecting (10+). For example, there's one for dates and times, recent financial quarters as well as more domain specific ones. Everything is cached and so is really fast, except when it isn't: Here's the monitoring chart for our SQL DB in Azure That's a spike to 100% resource utilisation because we fall through to a phrase search as a last resort (which cannot be cached) - it's exceedingly rare but it still hurts. Before EF, the app used full text search and it was one of the casualties when the app was migrated to EF4 several years ago. The lack of full text search has been getting more and more painful as the amount of data has grown. We really needed full text search back... Command intercept...
Read more

Trimming strings in action parameters in ASP.Net Web API

In standard MVC it's very easy to create a model binder to trim all of the strings passed into action methods. The approach I used for that was from here:  http://blogs.taiga.nl/martijn/2011/09/29/custom-model-binders-and-request-validation/ . It works well and it trims the properties of models too. The problem came when I tried to do the same thing for Web API. I added a similar StringTrimmingBinder and registered it as a service using the very non-discoverable API: var provider = new SimpleModelBinderProvider( typeof ( string ),  new StringTrimmingModelBinder()); GlobalConfiguration.Configuration.Services.Insert( typeof (ModelBinderProvider),  0,  provider); As a side note, I have no idea how you're supposed to find out how to register a model binder without opening up Bing and Googling it. Anyway, this worked great when the parameters to the action were actually strings but doesn't work with complex types as parameters. Now, I'v...
Read more

Importing shape files into SQL Server 2012

In a project we needed a set of boundaries in order to answer domain questions such as:   Which services that we know about can provide activity a at point p? The services we were interested in happened to coincide with the administrative boundaries of a country. For example, states and towns. I might blog about how we linked the services in our database to their boundaries later but the first challenge was getting some spatial data into a database to start messing around with. The first tool I discovered was  http://www.sharpgis.net/page/SQL-Server-2008-Spatial-Tools.aspx . It looked like it would do everything I needed... However Australia and the UK provide their data in different coordinate systems. Data for the UK is available through the Ordinance Survey and uses the British Grid System funnily enough, Australia doesn't use the  British  grid! I decided to use the excellent  dotspatial  to spin up my own quick and dirty importer that wo...
Read more