Edit: @Successful_Try543@feddit.org solved it. It says “one special character”. Not “at least one”.

  • addie@feddit.uk
    link
    fedilink
    arrow-up
    6
    ·
    2 months ago

    Well now. When we’ve been enforcing password requirements at work, we’ve had to enforce a bizarre combination of “you must have a certain level of complexity”, but also, “you must be slightly vague about what the requirements actually are, because otherwise it lets an attacker tune a dictionary attack against you”. Which just strikes me as a way to piss off our users, but security team say it’s a requirement, therefore, it’s a requirement, no arguing.

    “One” special character is crazy; I’d have guessed that was a catch-all for the other strange password requirements:

    • can’t have the same character more than twice in a row
    • can’t be one of the ten-thousand most popular passwords (which is mostly a big list of swears in russian)
    • all whitespace must be condensed into a single character before checking against the other rules

    We’ve had customers’ own security teams asking us if we can enforce “no right click” / “no autocomplete” to stop their users in-house doing such things; I’ve been trying to push back on that as a security misfeature, but you can’t question the cult thinking.

      • addie@feddit.uk
        link
        fedilink
        arrow-up
        5
        ·
        2 months ago

        Because if you disable browser autocomplete, what’s obviously going to happen is that everyone will have a text file open with every single one of their passwords in so that they can copy-paste them in. So prevent that. But what happens if you prevent that is that everyone will choose terrible, weak passwords instead. Something like September2025! probably meets the ‘complexity’ requirement…