get more than 3 of the same type of character in a row from EN Bilgi.
What passwords can I use?
The following list contains the password rules for the Claims Online System:
Use unusual passwords. Never use familiar names such as the names of your children or the name of your company as passwords. WCB's Web Security Policy makes the following points about password properties:
Your initial password will be a randomly generated, 6-character password.
You must change this initial password the first time you log on to the system.
The following table describes the rules for subsequent passwords:
Must be between 6 and 16 characters in length and must be different from the previous 4 passwords you have used for this system.
Can be of mixed case (e.g., A and a) and can contain special characters (not including spaces).
Must contain a combination of at least two alphabetic, numeric, or special characters (e.g. 12345a, pswd#r, etc.).
Your password cannot...
Be equal to patterns consisting of 6 keys in a row on the keyboard (e.g., qwerty, asdfgh, etc.) or their capitalizations or shift representations.
Contain more than 3 identical consecutive characters in any position from the previous password.
Contain more than 2 consecutive identical characters.
Be of license plate number or postal code format.
San Diego State University
Early Start at San Diego State University
Your permanent password must fit these specific guidelines that help keep your password secure:
Passwords must be at least eight (8) and not more than twenty (20) characters long.
Passwords must contain at least three (3) of the following four (4) types of characters:
uppercase letters (A-Z)
lowercase letters (a-z)
punctuation characters (!,@,#,etc.)
Passwords must not contain a sequence of one (1) type of character that is more than three (3) characters long. For example: abcd, ABCD, 1234, and [email protected]#$ are all invalid sequences.
Passwords must not contain spaces or non-printable characters.
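The guidelines above written out as a checker, as an added example that is not SDSU's own code. It reports every rule a password breaks and measures runs by character type rather than by identical character. Assumptions: digits are the fourth character type (the list above names only three), and anything outside printable ASCII is treated like a space or non-printable character.

```python
import string
from itertools import groupby

def char_type(ch):
    """Map a character to one of the guideline's character types."""
    if ch in string.ascii_uppercase:
        return "upper"
    if ch in string.ascii_lowercase:
        return "lower"
    if ch in string.digits:
        return "digit"   # assumed fourth type, not named in the list above
    if ch in string.punctuation:
        return "punct"
    return "other"       # space, control characters, anything non-ASCII (assumption)

def longest_type_run(password):
    """Length of the longest stretch of consecutive same-type characters."""
    return max((len(list(g)) for _, g in groupby(password, key=char_type)), default=0)

def check_sdsu(password):
    """Return the violated guidelines; an empty list means accepted."""
    problems = []
    types = {char_type(c) for c in password}
    if not 8 <= len(password) <= 20:
        problems.append("length must be 8 to 20 characters")
    if len(types - {"other"}) < 3:
        problems.append("needs at least 3 of the 4 character types")
    if longest_type_run(password) > 3:
        problems.append("more than 3 characters of one type in a row")
    if "other" in types:
        problems.append("contains a space or non-printable character")
    return problems

if __name__ == "__main__":
    # Constructed samples, plus the 20-character password quoted in the thread below.
    for pw in ["Tr4!xK9#mQ2$", "abcd12!XY", "Summer2024!", "aB3 dE5!x",
               "(uJgP6h9=8Uc6x?}#B6Q"]:
        print(f"{pw!r:26} {check_sdsu(pw) or 'accepted'}")
```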
*"not more than 2 identical characters in a row"? WTF? Stop with this nonsense.*...
kitd on Feb 2, 2015 | parent | context | favorite | on: Authentication Cheat Sheet
This is OT, but there's an interesting snippet in "The Secret Life of Bletchley Park" about decoding Enigma messages used by the Italian Navy in the Med.
One of the female operators had a set of messages from one Italian operator who sent a message once a week on a regular basis. They had determined that the first letter was an 'L'. She looked at the keyboard, saw that 'L' was neatly placed under the right hand and guessed that he was sending a test message consisting of nothing but 'L's tapped out in quick succession. Voila! She hit the jackpot.
From this insight, all dial wirings and movements of the Italian machines could be quickly deduced.
So, repetitive plain text can be a security issue.
Zikes on Feb 2, 2015 | next [–]
That's a vulnerability for cyphers and has no application to modern password systems. If a password were all Ls up to the minimum then certainly that would be a bad idea, but having two Ls in a row because your password happens to contain or be a derivative of a word that has two Ls has no bearing on how secure the password is.
sha256(LLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL+mysalt) = 57c70b4fddd06c94c9a7b41d9884591bb1d487fb78df723b11bc4892e879f46e
sha256(LRpSdU$EnD1ZrJJ2QyVHPycN*DZtrHm&YdH%%28f4ih+mysalt) = 29cd0708db0fb7350e17349012a6e728b357ef733e85f401fc757e6565ef5e80
Neither of those hashes would give an attacker the slightest bit of insight into the user's password even if the attacker suspected the first letter of each were an L.
hackuser on Feb 2, 2015 | parent | next [–]
> having two Ls in a row ... has no bearing on how secure the password is.
At least some password cracking programs are built to anticipate human tendencies, which I would guess includes repeating characters. If I were designing a password cracker, I would target human-created passwords and not random passwords. For example, I would have the program guess 123456 before it guesses R%Vg9~\
Zikes on Feb 2, 2015 | root | parent | next [–]
The other complexity rules rule that out, though.
If I have a password 10 characters long with at least one uppercase, one lowercase, 1 digit, and 1 special character then having one of those repeated won't make it any less secure. Rigidly enforcing that rule doesn't make sense, it's saying that "R%Vg9~\LL" is less secure than "R%Vg9~\".
nkozyra on Feb 2, 2015 | prev | next [–]
Sure, but in analyzing a password for acceptable entropy, one should be smart enough to delineate between:
LLLLLLLLLL and 8x~3uLLx&#@_o
But most people who write password analysis are doing some really quick and dirty checks like [name/email not in password], [password exceeds X chars], [password contains at least 1 of these chars], etc. If you're going to introduce some other check, it should have the nuance to provide some allowances. I've had my auto-generated, 20-char digit/char/symbol PW from keepass get rejected for such things.
muaddirac on Feb 2, 2015 | parent | next [–]
> I've had my auto-generated, 20-char digit/char/symbol PW from keepass get rejected for such things.
Huge pet peeve of mine. Really? "(uJgP6h9=8Uc6x?}#B6Q" isn't enough for you?
curun1r on Feb 2, 2015 | root | parent | next [–]
> Really? "(uJgP6h9=8Uc6x?}#B6Q" isn't enough for you?
Not after you've posted it on HN. That's only half joking...the biggest vulnerability in any password system is the humans involved. Security advisors should design around the natural behavior of their users, not try to force users into acting unnaturally. Otherwise, users will figure out how to introduce vulnerabilities that get around the constraints imposed upon them (the oft-cited writing passwords down).
pluma on Feb 2, 2015 | root | parent | next [–]
Memo: ATTN All Employees
The password "(uJgP6h9=8Uc6x?}#B6Q" (no quotation marks) has been scientifically determined to be the most complex password. Please make sure to change every password to this new password within 24 hours.
Signed, The Mgt.
yk on Feb 3, 2015 | root | parent | prev | next [–]
Obviously not, there is no e that could be replaced with a 3.
frandroid on Feb 2, 2015 | prev | next [–]
> One of the female operators had a set of messages from one Italian operator who sent a message once a week on a regular basis.
That was the most important mistake from the Italian operator.
> So, repetitive plain text can be a security issue.
The only thing that should be discouraged is that a password should contain only one repeated character, which is probably part of many dictionaries. Any variant (LLLLLLLLLLM) would be pretty secure, the longer the better.
JshWright on Feb 2, 2015 | prev [–]
That doesn't mean constraints like 'no repeated characters' are a good idea. It gives the attacker significantly more information about the plaintext if they know they can rule out all strings with duplicated characters.
jpravetz on Feb 2, 2015 | parent [–]
And isn't mmmdG0tKtN#mmmmmmmmmmmmm more secure than dG0tKtN#mm?
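To put numbers on the keyspace and false-rejection points raised in the thread, this added example (not from any commenter or quoted policy) counts exactly how many uniformly random passwords each run rule rejects: "no more than 2 identical characters in a row" versus "no more than 3 characters of one type in a row". Assumptions: a 94-character printable ASCII alphabet without the space, split 26/26/10/32 into uppercase, lowercase, digits and punctuation.

```python
from fractions import Fraction

# Assumed alphabet: 94 printable ASCII characters without the space.
TYPE_SIZES = [26, 26, 10, 32]   # upper, lower, digits, punctuation
EACH_CHAR = [1] * 94            # every character is its own group

def count_allowed(group_sizes, length, max_run):
    """Count strings of `length` (>= 1) in which no more than `max_run`
    consecutive characters come from the same group."""
    # runs[g][r-1] = number of prefixes ending in a run of exactly r
    # characters from group g
    runs = [[size] + [0] * (max_run - 1) for size in group_sizes]
    for _ in range(length - 1):
        total = sum(map(sum, runs))
        runs = [
            # start a new run after another group, or extend a run by one
            [size * (total - sum(row))] + [size * n for n in row[:-1]]
            for size, row in zip(group_sizes, runs)
        ]
    return sum(map(sum, runs))

def rejected_fraction(group_sizes, length, max_run):
    """Exact share of all strings of `length` that the run rule rejects."""
    total = sum(group_sizes) ** length
    return Fraction(total - count_allowed(group_sizes, length, max_run), total)

if __name__ == "__main__":
    for n in (8, 12, 20):
        ident = float(rejected_fraction(EACH_CHAR, n, 2))
        types = float(rejected_fraction(TYPE_SIZES, n, 3))
        print(f"{n:2d} chars: identical-run rule rejects {ident:.4%}, "
              f"type-run rule rejects {types:.2%}")
```

Under these assumptions the identical-character rule rejects under 0.1% of random 8-character passwords, while the character-type rule rejects roughly 9% at 8 characters and about a quarter at 20 characters.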