Lol, please fuck off with this shit admins

lol, please fuck off with this shit admins.

I agree this is stupid

Bonus if you have to change it once a month.

l2securepasswords

I remember reading a paper stating that the most effective passwords were composed of several common words you could find in a dictionary, put together although unrelated.

This was considered safe enough if changed regularly and, more importantly, it was easy to remember, so users didn't need to reset their password all the time or, even worse, write it down.

With complicated policies like the one in the OP picture you end up with post-its stuck to every monitor displaying passwords in plain sight.

>you end up with post-its stuck to every monitor displaying passwords in plain sight.

I've worked in so many companies where employees did this.

This is the worst case scenario

>with complicated policies like the one in the OP picture you end up with post-its stuck to every monitor displaying passwords in plain sight.

Yep, or people re-using old passwords, i.e.

Company1
Company2

etc etc

I work in a school so I've come across some horrendous ones - teachers are the worst.

>must
>implying your service is important enough for me to use anything stronger than 12345678

I maintain a school system and I implement this too. You can't deny it's idiot friendly and less work for us.

...

Did that picture need to be so huge? No. You stupid fuck.

This can't be real.

how does one fuck up like this?

>the password is not case sensitive
so they store it in fucking plain text on a database with case-insensitive collation

>The password is not case-sensitive
This is almost as worrying as the 8 chars

>he cannot take screenshots
kys retard

It keeps the paycheck of the support department smaller because normies don't get their accounts stolen as often.

>i remember reading a paper stating that the most effective passwords were comprised of several common words
Ages ago, mind you, the first brute-force cracking software did just that: tried words in different combinations.

Guess what happens to my password every month at my job?
Hint: we don't have a "no identical consecutive characters" rule.

On purpose.

Or they upcase it before applying sha256 and storing the result.

I too remember reading that xkcd.

You add a digit / letter?

Passwords that are not case sensitive are usually converted to phonepad numbers first so users can enter them for automated phone services.

Try swapping A with 2 (or some other applicable letter if you don't have an A in your password) the next time you log into an account with this restriction and it should work.

> admins.
Real admins use LDAP.

Or they normalize case before hashing. Either way it is stupid.

>8 characters
>converted to phonepad numbers
That's... less than 27 bits of entropy.
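A small model of the two normalizations this thread talks about (keypad digits here, uppercase folding in the SAP posts further down), added as an example and not code from any of the services discussed; the keypad layout is assumed to be the standard ITU one and the sample passwords are constructed. It shows why "swap A with 2" logs in under keypad folding, and puts numbers on the entropy loss the post above estimates.

```python
import math

# Standard ITU E.161 phone keypad letter groups (assumed layout).
PHONEPAD = {"2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
            "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ"}
LETTER_TO_DIGIT = {c: d for d, letters in PHONEPAD.items() for c in letters}


def phonepad_normalize(password: str) -> str:
    """Constructed model of the 'convert to keypad digits' step the post describes:
    letters fold to their keypad digit, digits are kept, anything else is dropped."""
    out = []
    for ch in password.upper():
        if ch.isdigit():
            out.append(ch)
        elif ch in LETTER_TO_DIGIT:
            out.append(LETTER_TO_DIGIT[ch])
    return "".join(out)


def uppercase_normalize(password: str) -> str:
    """The older-SAP style normalization described later in the thread: fold case only."""
    return password.upper()


def collide(p1: str, p2: str, normalize) -> bool:
    """True when two different passwords become indistinguishable after normalization,
    i.e. either one logs in where the other was set."""
    return p1 != p2 and normalize(p1) == normalize(p2)


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def policy_comparison(length: int = 8) -> dict:
    """Bits of entropy for the same length under the restrictions discussed in the thread."""
    return {
        "mixed-case letters and digits": round(keyspace_bits(62, length), 2),
        "case-insensitive letters and digits": round(keyspace_bits(36, length), 2),
        "keypad digits only": round(keyspace_bits(10, length), 2),
    }


if __name__ == "__main__":
    # Constructed sample: the 'swap A with 2' trick from the post works under keypad folding.
    print(collide("Acme2017", "2cme2017", phonepad_normalize))   # True
    print(collide("Acme2017", "ACME2017", uppercase_normalize))  # True
    print(policy_comparison(8))
```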

I wrote these numbers down on a sticky note and put it up on my monitor

3255346456456

you'll never guess the logic behind the actual password

I note stuff like PINs down like that:
a bunch of random numbers, followed by the PIN at the very end

This methodology to craft "secure" passwords has been officially deprecated by NIST recently.

>schneier.com/blog/archives/2017/10/changes_in_pass.html

As Bruce hints, we shouldn't fix the users but fix the systems (aka: users are idiots; if you force them to pick non-memorable passwords they'll store it in a .txt on the desktop or they'll use $n1gg3rj3w$ for every other account they create).

Password managers (officially endorsed by NIST) like keepassxc can craft passphrases from your dictionary of choice (you can install as many dictionaries as you want). KeepassHttp-connector works like a charm in Firefox 57.

>3255346456456
>you'll never guess the logic behind the actual password
Don't care. No dubs.

Just use song lyrics. One line of lyrics with 1! at the end per password cycle. One song should be good for a couple of years.

I just recycle the Chamillionaire chorus phrase by phrase

welcome to taleo and the retarded policies they allow employers to set

>oh, let's check every fucking checkbox in the settings just because!

This is the SAP Support Portal. My opinions do not reflect those of my employer.

The Support Portal as a web page appears to be one cohesive web service. It isn't. It's a ton of SAP systems in the backend. Some of these systems are on modern releases, and some of them are on ancient releases. Bear in mind the overall application core is more than 40 years old.

As of SAP BASIS 620, passwords had to be 3-8 characters (eight was the limit), were converted to uppercase, and were hashed via MD5. The next release (640) allowed for support of passwords up to forty characters with much fewer restrictions and hashed via SHA-1, but a backwards compatibility shim was maintained so you could set newer systems to treat passwords the same way (so if the newer system A connected to system B, the user's password would work on the older system).

Some of the Support Portal is on very old releases, although it has mostly been migrated. As of November 4th, users will be able to set passwords up to 40 characters, although a small handful will need to set a separate 8 character password for certain legacy applications (mainly backend shit that connects directly without a browser).

We encourage everyone to log on via X.509 client certificates with 2048 bit keys anyways, both for ease of logon and security.

tl;dr Legacy is a fucking bitch in the enterprise world, and that restriction will be gone in a week.

It's real, but going away. SAP systems before BASIS 620 (BASIS referring to the application server core version) could not handle passwords of more than 8 characters (among other restrictions like the case insensitivity). These systems are finally almost retired and users will be able to set case-sensitive passwords up to 40 characters as of Nov 4th.

When you run ancient software releases that you don't even support customers running for some of your own highly customized software shit and you want the user to have one consistent logon (username/password) for all parts of your support portal.

Ancient software releases from the 90s in some backend systems: the SAP Remote Function Call (RFC) library on older versions normalizes passwords to uppercase before sending. The system itself on those older versions hashes the password with MD5. Newer versions don't normalize the password, which can be up to 40 chars, and hash via SHA-1.

The rate limiting is aggressive. Five consecutive logon attempts from any source will lock the user, until one of the administrators at a company contacts for an unlock. And that's not five attempts in a time period, that's five logon attempts in a row, even if they occur days apart.
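A toy model of that lockout rule as the post states it, added here as an example and not SAP's code: the counter tracks failures in a row and ignores timestamps entirely, a success resets it, and only an explicit admin unlock clears the lock. The event log is constructed.

```python
from dataclasses import dataclass


@dataclass
class AccountState:
    consecutive_failures: int = 0
    locked: bool = False


class ConsecutiveFailureLockout:
    """Lock an account after `max_failures` failed logons in a row. Timestamps are
    carried in the events but never consulted: failures days apart still count,
    exactly as the post describes. Only a successful logon resets the counter, and
    only an explicit admin unlock clears the lock."""

    def __init__(self, max_failures: int = 5):
        self.max_failures = max_failures
        self.accounts: dict[str, AccountState] = {}

    def logon(self, user: str, success: bool) -> str:
        st = self.accounts.setdefault(user, AccountState())
        if st.locked:
            return "locked"          # even a correct password is refused now
        if success:
            st.consecutive_failures = 0
            return "ok"
        st.consecutive_failures += 1
        if st.consecutive_failures >= self.max_failures:
            st.locked = True
            return "locked"
        return "failed"

    def admin_unlock(self, user: str) -> None:
        self.accounts[user] = AccountState()


def replay(events):
    """Feed (timestamp, user, success) events through the policy; returns the decisions."""
    policy = ConsecutiveFailureLockout()
    return [policy.logon(user, ok) for _, user, ok in events]


# Constructed sample: four failures, a success (counter resets), then five failures
# spread over a week, followed by a correct password that is still refused.
SAMPLE = [
    ("2017-10-01", "alice", False), ("2017-10-01", "alice", False),
    ("2017-10-02", "alice", False), ("2017-10-03", "alice", False),
    ("2017-10-03", "alice", True),
    ("2017-10-10", "alice", False), ("2017-10-12", "alice", False),
    ("2017-10-14", "alice", False), ("2017-10-15", "alice", False),
    ("2017-10-17", "alice", False), ("2017-10-17", "alice", True),
]
```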

Nothing to do with phone related services in this instance.

Why do you know the teacher's passwords?

You're replying to someone who said teachers were the worst in reference to picking shitty passwords and writing them on post-its. Plain sight...

Back in HS, our IT guy was an idiot and had the staff wifi locked down with a single password. The nigger chem teacher wrote down the password from the email on a post-it in plain sight. Half the students were on the staff wifi later that day.

When I was in HS all of the wifi was WEP encrypted with a single pre-shared key (not 802.1X). Dumb level of security.

Yep, same here, was pretty stupid. Would've been better to use the user accounts of the students/teachers.

OP1saF4g#ot!

I'm guessing the APs were too old to support it. This was 2007-2008 in a public school (albeit one in a pretty wealthy area).

Went to college later that year and the wifi was WEP Enterprise, which was unsupported on Android and barely worked on iOS 3.x, and only if you made a mobileconfig file in the iPhone configuration utility.

By 2009 they had rolled out a new SSID with WPA2 enterprise.

No, they were newer Cisco ones. Hell, my college has the same looking models atm and verifies with our accounts. I think our IT guy was just retarded or lazy.

Interesting.

>changing bank password
>Must be maximum of 16 characters long
Eat my fucking shit

>impose so many restrictions you actually shrink the search space substantially

>Must be maximum of 16 characters long
Shit like that makes me worry it might be being kept as plaintext in an SQL database.
I don't know any other reason it'd have a limit like that.

>Try swapping A with 2
Why not just hex my shit up senpai?

Please optimize your pictures before uploading them to Sup Forums.

Every thread some shitter comes in here and says this verbatim and then someone posts the xkcd comic. gtfo newfag

The way that libraries in the system process that data before, say, hashing it can be a cause. Even in older SAP versions where passwords were 8 chars max and case insensitive (converted to uppercase at the time they reached the server), they were still hashed via MD5 and stored that way in the database.

Adding even a small, easy-to-remember variation would surely be enough to defeat dictionary attacks.

For instance the password to my Spotify account is:
S@telliteCareer,Revocation

Good luck with that

>a mixed dictionary attack would take 796 seconds to crack your password
I won't be needing luck.

Which service are you using to determine that?

I personally use magic cards and their costs.

Snapcaster.1U
Deceiver.2U
Splinter.2RR
Remand.1U

It's a nice system.

I remember signing up for some Microsoft shit for university and it wouldn't let me choose a password longer than 13 characters.

>teachers are the worst

you can say that again

>implying those aren't good guidelines for a secure password to force dumb fucks to use something other than p1a2s3s4w5o6r7d8 or their kids name or ihatemyboss.

>Implying Sup Forums has any real admin lurkers

>Yep, or people re-using old passwords i.e
>Company1
>Company2
>etc etc
lel, this is exactly what we do at my IT job since we need to change our admin passwords every 30 days. We handle HIGHLY confidential data as well.
Nobody gives a shit

This cannot be real

>BigGuy.4u

thanks user for my new password

That leaves 7.32x10^12 possible combos.
If the restrictions were not applied (except the length) you could have 2.81x10^14.
Congratulations, passwords are now 39 times weaker.

>demand the user create an obnoxious password in the name of "security"
>store password on server as plain text

No one is stealing user data by attacking single accounts. They go for databases and pull everything at once. No matter how much of the burden is pushed onto the user you can't compensate for pajeet network admins.

You mean you read a fucking four-panel internet comic lmao

Dilbert knew this long ago (1998)

>cannot be one of your 5 previous passwords

Heh, my brother worked in military intelligence and said they had policies like that and it resulted in people just appending a number on the end of their password and just incrementing it.

It's a song.

translation:
>We don't bother with proper hashing and use shitty lazy methods like just a plain sha1 sum.

my utilities company requires me to have a password between 6-9 characters, fuck them