Texas Attorney General Password Rules (opens in new tab)

(portal.cs.oag.state.tx.us)

13 pointsvaluegram11y ago14 comments

14 comments

They're not necessarily storing passwords in the clear (though the Texas Secretary of State does[1], so it wouldn't surprise me).

For example, when updating a password on Facebook, they check to see if your new password is similar to your previous one by creating several variants of the new password, hashing them, and seeing if the hash matches any of your old password hashes.

[1] http://plaintextoffenders.com/post/68152196480/sos-state-tx-...

Brandon011y ago

Do you have a source on the Facebook statement? I would be interested in hearing how they create the variants.

88e282102ae2e5b11y ago

Ostensibly this is from a FB engineer, in retrospect I realize I don't know how to verify that: http://security.stackexchange.com/questions/53481/does-faceb...

cpncrunch11y ago

Unfortunately these asinine password requirements occur quite often. It's basically an indication that the site itself has poor security, and they're requiring a strong password to mitigate that risk. Also, if they are storing the password in plain-text, then it doesn't really matter how many fucking special characters your users have in their passwords :)

Also, users will just write down the password.

StefanKarpinski11y ago

Writing down passwords isn't necessarily bad [1].

[1] https://www.schneier.com/blog/archives/2005/06/write_down_yo...

cheald11y ago

It's kind of a fun working out how many passwords that is.

So letters + numbers + 3 special characters. Our first and last positions can't be special characters, and we can't have the same letters concurrently, so we're in the ballpark of:

62^2 * 64^6 = 264,157,668,573,184 passwords

However, passwords must contain a letter, number, and special character. This means that we can eliminate the entire letters + numbers set, the numbers + specials set, and the letters + specials set:

(62^2 * 64^6) - (62 * 61^7) - (10^2 * 12^6) - (52^2 * 54^6) = 2,261,873,997,098 - Did I get that math right?

That's still a decently large space, but it's small enough to be attackable even if the passwords are hashed.

namlem11y ago

Two trillion? That's pitiful. That could be cracked even if it's hashed with a slow algorithm.

Shivetya11y ago

assuming you have unrestricted access to the user information, which to me usually means I already have unfettered access to your system, why would I need passwords?

Do many systems allow nearly unlimited attempts? Is this common on some platforms? For all except the most locked down users; single task; it pretty much is three strikes your out, call to fix your access.

thyrsus11y ago

They're storing passwords in the clear, otherwise they wouldn't be able to enforce the "cannot be too similar" rule.

waqf11y ago

Not necessarily — if you require the user to type in "old password" and "new password" when they change their password then you have both passwords in cleartext at once and can check for similarity.

You wouldn't be able to enforce "cannot be similar to the previous 8 passwords" like that, but they don't.

byoung211y ago

The EXACTLY 8 characters worries me, because it suggests that they are storing the password in plaintext in an 8 character column.

titusjohnson11y ago

Probably stored in 9, 8-character columns, labeled "last_password_1", "last_password_2", etc, given #10.

steve_g11y ago

One 72 character column. Why make it complicated!

IvyMike11y ago

> If you have user ID or password problems, use the following address (place in the “To” field) to send an e-mail requesting assistance: websec.adminp@cs.oag.state.tx.us

This poor guy.

j / k navigate · click thread line to collapse

14 comments

88e282102ae2e5b11y ago

They're not necessarily storing passwords in the clear (though the Texas Secretary of State does[1], so it wouldn't surprise me).

[1] http://plaintextoffenders.com/post/68152196480/sos-state-tx-...

Brandon011y ago

Do you have a source on the Facebook statement? I would be interested in hearing how they create the variants.

88e282102ae2e5b11y ago

Ostensibly this is from a FB engineer, in retrospect I realize I don't know how to verify that: http://security.stackexchange.com/questions/53481/does-faceb...

cpncrunch11y ago

Also, users will just write down the password.

StefanKarpinski11y ago

Writing down passwords isn't necessarily bad [1].

[1] https://www.schneier.com/blog/archives/2005/06/write_down_yo...

cheald11y ago

It's kind of a fun working out how many passwords that is.

So letters + numbers + 3 special characters. Our first and last positions can't be special characters, and we can't have the same letters concurrently, so we're in the ballpark of:

62^2 * 64^6 = 264,157,668,573,184 passwords

(62^2 * 64^6) - (62 * 61^7) - (10^2 * 12^6) - (52^2 * 54^6) = 2,261,873,997,098 - Did I get that math right?

That's still a decently large space, but it's small enough to be attackable even if the passwords are hashed.

namlem11y ago

Two trillion? That's pitiful. That could be cracked even if it's hashed with a slow algorithm.

Shivetya11y ago

assuming you have unrestricted access to the user information, which to me usually means I already have unfettered access to your system, why would I need passwords?

thyrsus11y ago

They're storing passwords in the clear, otherwise they wouldn't be able to enforce the "cannot be too similar" rule.

waqf11y ago

You wouldn't be able to enforce "cannot be similar to the previous 8 passwords" like that, but they don't.

byoung211y ago

The EXACTLY 8 characters worries me, because it suggests that they are storing the password in plaintext in an 8 character column.

titusjohnson11y ago

Probably stored in 9, 8-character columns, labeled "last_password_1", "last_password_2", etc, given #10.

steve_g11y ago

One 72 character column. Why make it complicated!

IvyMike11y ago

> If you have user ID or password problems, use the following address (place in the “To” field) to send an e-mail requesting assistance: websec.adminp@cs.oag.state.tx.us

This poor guy.

j / k navigate · click thread line to collapse