Make something idiot-proof…

Security

… and they will build a better idiot.

Honestly, there are days when I feel like people do things with my software just to dick with me. For years we didn’t enforce password complexity on ExchangeDefender, ergo 99.999% of the passwords at ExchangeDefender are “password”, “Password”, “Password1”, “P@55w0rd”, “P@ssw0rd”, “password123”, “1qa2ws” or “2ws3ed” and can be cracked by a three-year-old.

So I set out to write a password complexity procedure the other day, enforcing the standard MCSE complexity rule: at least 7 characters long, with a mix of at least three of the four character classes: lowercase letter, uppercase letter, digit, special character. So today I power on my laptop to see just how complex the passwords being generated are, thinking that people are starting to use passphrases, etc.

What I found made me scream out “Fuuuuuuuuuuuuuuuccckkk me, WHY!?$!@#” out loud. The password?

Abcd1234

Why, for the love of god, would anyone do that? Did they just look at the new password complexity alert and think…

“Screw Vlad. What is the LEAST complex password I can come up with given the current restraints. Let’s see… how do I make this work… something everyone uses…. something sequential… start it at the beginning of that sequence. Oh, and I’ll capitalize the A for take that complexity Vlad, you Asshole.”

Thanks… whoever that was (anonymously logged)… I think my next method will check for password complexity and instead of throwing an alert or UAC or any of that annoying stuff that they can live with I will shoot back a 4096/1024bit key as their new password. “Dear Customer, The password you requested did not meet our password complexity requirements. Here is a 4096 char password to use from now on.”

Or sell them AuthAnvil….

I just don’t get it. Why spend all this money on perimeter security and then protect it with a sequential password that can be guessed by a 3-year-old?
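The complexity rule above is easy to state in code, and doing so shows exactly why “Abcd1234” sails through it. The block below is an added example, not ExchangeDefender’s code: it implements the stated rule (7+ characters, three of four classes) and then adds the two checks that rule lacks, a sequential-run detector and a small denylist built from the passwords the post names. The 16-character passphrase exemption and the run threshold of 3 are my assumptions, not part of the post’s rule.

```python
import string

# Constructed denylist built from the passwords the post names plus the
# one that triggered it. A real deployment would check against a large
# breach corpus rather than a handful of entries.
COMMON_PASSWORDS = frozenset({
    "password", "password1", "p@55w0rd", "p@ssw0rd", "password123",
    "1qa2ws", "2ws3ed", "abcd1234",
})


def meets_mcse_complexity(pw: str) -> bool:
    """The rule from the post: at least 7 characters and at least three of
    the four classes (lowercase, uppercase, digit, special)."""
    if len(pw) < 7:
        return False
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    return sum(classes) >= 3


def longest_sequential_run(pw: str) -> int:
    """Longest run of characters whose code points step by exactly +1 or -1
    (abcd, 1234, dcba). Case-folded first so 'Abcd' counts like 'abcd'."""
    s = pw.lower()
    best = run = 1
    direction = 0
    for a, b in zip(s, s[1:]):
        step = ord(b) - ord(a)
        if step in (1, -1):
            # Continue the run only if the direction is unchanged;
            # otherwise this pair starts a fresh run of length 2.
            run = run + 1 if step == direction else 2
            direction = step
        else:
            run, direction = 1, 0
        best = max(best, run)
    return best


def evaluate(pw: str, max_run: int = 3) -> dict:
    """Combine the composition rule with two checks that catch what it
    misses. Assumed policy: a 16+ character passphrase may skip the
    composition rule, and runs longer than max_run are rejected."""
    complexity_ok = meets_mcse_complexity(pw)
    passphrase_ok = len(pw) >= 16
    run = longest_sequential_run(pw)
    denied = pw.lower() in COMMON_PASSWORDS
    reasons = []
    if not (complexity_ok or passphrase_ok):
        reasons.append("fails complexity and is shorter than 16 characters")
    if run > max_run:
        reasons.append(f"contains a sequential run of {run} characters")
    if denied:
        reasons.append("is on the common-password list")
    return {
        "complexity_ok": complexity_ok,
        "sequential_run": run,
        "in_denylist": denied,
        "accept": not reasons,
        "reasons": reasons,
    }


if __name__ == "__main__":
    for candidate in ("Abcd1234", "P@55w0rd", "Tr0ub4dor&3",
                      "correct horse battery staple"):
        verdict = evaluate(candidate)
        print(f"{candidate!r}: accept={verdict['accept']} {verdict['reasons']}")
```

Running it shows the point of the post: “Abcd1234” passes `meets_mcse_complexity` with all four classes present, and only the sequential-run check rejects it. The composition rule alone measures character variety, not guessability, which is why a denylist and a pattern check belong next to it.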

5 Responses to Make something idiot-proof…

  1. Gregory Lemmon says:

    That is priceless…..and for everything else there is Mastercard!

  2. Nick Adamson says:

    LOL! People will do whatever they can to get away with things. Not very many people seem to realize that passphrases are so easy to remember…

  3. HandyAndy says:

    Remember not everyone who uses ED uses LA and therefore they don’t need complex passwords. There is nothing to crack if you are just using ED.

    Besides, whoever came up with Abcd1234 was actually giving you an extra digit more than you asked for :>)

  4. HandyAndy says:

    Now to go take some typing lessons

  5. --david says:

    HELMET: We have the combination.

    SKROOB: Great. Now we can take every last breath fresh air from planet Druidia. What’s the combination?

    SANDURZ: One, two, three, four, five.

    SKROOB: One, two, three, four, five? That’s amazing. I’ve got the same combination on my luggage.
