
How does bad password policy like this even happen?

Just when you think you've seen the worst case of bad authentication policy you'll ever see, you'll stumble across something even more surprising and unfathomable.

Nelnet, for those who aren't aware, is the "National Education Loan Network". These are the guys who manage student loans, which means they manage information about people's educational history and loan status. The website takes credit card numbers for automated payments, to give one example of the sort of sensitive information Nelnet handles online.

Imagine my surprise when I saw this on a page at the Nelnet Website:

Nelnet Password Requirements (cropped)

In case you can't view the image, cropped from a screenshot, the following is a quote of the above list of the requirements for passwords at Nelnet:

  • It is case sensitive
  • It can't contain special characters (?&%$#@+=!'~, etc.)
  • It can't contain your user name
  • It can't contain two separated numbers (i.e., Abc12ef34 would be invalid)
  • It can't contain "Nelnet" or "Password"

I mentioned some choice parts of that list of restrictions on passwords to fellow TechRepublic Weblogger Sterling Camden (who writes for the IT Consultant Weblog). In the ensuing discussion, he said "I've seen some sites that don't allow more than 6 characters for a password, no numbers or special characters." As he put it, some Web developers are "too paranoid of SQL-injection to even know how it works". The easy lesson to take from this is that knowing something about a particular threat in a vague sense, without actually understanding it, can lead a developer to limit users to very weak passwords, reducing effective security overall. A password should never be spliced into a query as text in the first place: it should be hashed, and whatever does reach the database should go through a parameterized query. Done that way, there is no character a user could put in a password that would do the database any harm, so banning quotes and ampersands buys nothing and costs keyspace.
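To make that concrete, here is an added example (my code, not anything from the original post or from Nelnet) of the login routine the "too paranoid of SQL injection" developer seems to fear, next to one that salts and hashes the password and binds parameters. The users, the table layout, and the PBKDF2 work factor are constructed for the demo; it uses only the standard library and an in-memory SQLite database.

```python
"""
Constructed demo: a string-built login query (injectable through the password
field no matter what characters the registration policy forbids) beside a
hashed, parameterized one that can take any character at all.
"""
import hashlib
import hmac
import os
import sqlite3

# Assumption for the demo: a current PBKDF2-HMAC-SHA256 work factor; tune for your hardware.
PBKDF2_ITERATIONS = 600_000


def setup_db() -> sqlite3.Connection:
    """In-memory database with one table per approach (constructed for the demo)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_plain (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("CREATE TABLE users_hashed (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return conn


# --- the vulnerable pattern: plaintext storage and SQL assembled from user input ---

def register_unsafe(conn: sqlite3.Connection, username: str, password: str) -> None:
    conn.execute(f"INSERT INTO users_plain VALUES ('{username}', '{password}')")


def login_unsafe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Both fields are spliced into the query text, so the *login form* is
    # injectable regardless of what the password policy banned at sign-up.
    query = (f"SELECT 1 FROM users_plain WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


# --- the safe pattern: salted PBKDF2 hash and bound parameters ---------------------

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register_safe(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt = os.urandom(16)
    conn.execute("INSERT INTO users_hashed VALUES (?, ?, ?)",
                 (username, salt, hash_password(password, salt)))


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute("SELECT salt, pw_hash FROM users_hashed WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison: the password never touches SQL, only the hash is compared.
    return hmac.compare_digest(stored, hash_password(password, salt))


def demo() -> dict[str, bool]:
    """Run both logins against a real password and a classic injection string."""
    conn = setup_db()
    register_unsafe(conn, "alice", "Abc12ef")                    # a password Nelnet would accept
    register_safe(conn, "alice", "correct horse' OR 1=1; --")     # one it would reject
    injection = "' OR '1'='1"
    return {
        "unsafe_real_password": login_unsafe(conn, "alice", "Abc12ef"),
        "unsafe_injection": login_unsafe(conn, "alice", injection),   # True: bypassed
        "safe_real_password": login_safe(conn, "alice", "correct horse' OR 1=1; --"),
        "safe_injection": login_safe(conn, "alice", injection),       # False
        "safe_wrong_password": login_safe(conn, "alice", "Abc12ef"),  # False
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} -> {ok}")
```

The injection string logs in against the first table and is just another wrong password against the second, while the quote-laden real password works fine there. Banning characters at registration would not have protected `login_unsafe` anyway, since nothing stops an attacker typing them into the login form.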

As I observed in that same discussion, I can almost understand how some sites end up restricting passwords to short alphanumeric strings, or possibly even just alphabetic characters, and possibly without case sensitivity. A very poor developer may just not know how to write code that handles case-sensitive passwords containing more than alphanumeric characters in a given development environment. I'm not saying there's anything good about it, but at least I can understand how it might happen.

What I don't understand is how that fourth restriction on passwords at Nelnet, "It can't contain two separated numbers", happened. What kind of bizarre kludge of code on the back end would make someone decide it's too difficult or dangerous to parse numbers separated by letters in a password? Is there some code in there that actually attaches numbers to the edges of a password string? Is that restriction a very simpleminded (and failure-prone) attempt to "force" people to do something cleverer than 1337speak? I'm really having a difficult time coming up with an explanation for how this happened that is even remotely believable. Am I overlooking something obvious?
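Whatever the reason for the rule, its cost can be measured. The following is an added example (my code, not Nelnet's, and not from the original post) that implements the five quoted rules as a server-side check and then counts how many eight-character passwords survive them. Reading "two separated numbers" as "two runs of digits with letters in between" is my assumption, taken from the page's own example (Abc12ef34), and the username check is assumed to be case-insensitive. Standard library only.

```python
"""
Constructed demo: the quoted Nelnet rules as a validator, plus a count of the
keyspace they leave. The "two separated numbers" reading is an assumption.
"""
import itertools
import re
import string

LETTERS = string.ascii_letters              # case sensitive, so 52 choices
DIGITS = string.digits                      # 10 choices
ALLOWED = set(LETTERS + DIGITS)             # rule 2: no special characters
FORBIDDEN_WORDS = ("nelnet", "password")    # rule 5
SEPARATED_DIGITS = re.compile(r"\d+[A-Za-z]+\d+")  # rule 4, as read above


def nelnet_rule_violations(password: str, username: str) -> list[str]:
    """Return the quoted rules the password breaks (empty list means accepted)."""
    problems = []
    if any(ch not in ALLOWED for ch in password):
        problems.append("contains special characters")
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    if SEPARATED_DIGITS.search(password):
        problems.append("contains two separated numbers")
    if any(word in password.lower() for word in FORBIDDEN_WORDS):
        problems.append('contains "Nelnet" or "Password"')
    return problems


def count_accepted(n: int) -> int:
    """Number of n-character alphanumeric strings with at most one run of digits.

    Rule 4 only depends on the letter/digit *pattern* of a string, so walk the
    2**n patterns, keep those whose digit positions form a single block, and
    multiply out the choices per position. Rules 3 and 5 shave off a further
    negligible sliver and are ignored here.
    """
    total = 0
    for pattern in itertools.product("LD", repeat=n):
        digit_runs = [run for run in "".join(pattern).split("L") if run]
        if len(digit_runs) <= 1:
            total += (52 ** pattern.count("L")) * (10 ** pattern.count("D"))
    return total


def brute_force_accepted(n: int) -> int:
    """Cross-check for small n: run the validator over every alphanumeric string."""
    return sum(
        1 for chars in itertools.product(LETTERS + DIGITS, repeat=n)
        if not nelnet_rule_violations("".join(chars), username="no-such-user")
    )


def keyspace_report(n: int = 8) -> dict[str, int]:
    """Compare the Nelnet keyspace with plain alphanumerics and printable ASCII."""
    printable_ascii = 95  # 0x20..0x7E, what a policy with no character ban allows
    return {
        "printable_ascii": printable_ascii ** n,
        "alphanumeric_only": 62 ** n,
        "nelnet_rules": count_accepted(n),
    }


if __name__ == "__main__":
    for pw in ("Abc12ef34", "Abc12ef", "Abc1234", "MyNelnet1", "p@ssw0rd"):
        print(f"{pw:12s} {nelnet_rule_violations(pw, 'jdoe') or 'accepted'}")
    for label, size in keyspace_report().items():
        print(f"{label:18s} {size:,}")
```

The pattern count is checked against a brute-force run of the validator for three-character strings, which is small enough to enumerate. For eight characters the rules leave a fraction of the alphanumeric space, which is itself a small fraction of what a policy that simply allowed every printable character would give.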

After I ranted briefly at him about how bizarre the back-end code for password validation at Nelnet must be, Sterling said "I bet the validation code for that one is a candidate for the DailyWTF." I'd bet he's right.

Oh, but wait -- it gets better. See, this absurd state of affairs is an improvement over previous conditions at Nelnet. Not long ago, users didn't choose usernames at Nelnet. No, they had to use their Social Security Numbers as user IDs. For those of you who are not entirely clear on the concept, a user ID ends up in URLs, logs, and e-mails, so it should never be sensitive information -- and, though banks, schools, and every other large institution in the world seem to want to demand your SSN every few minutes, the SSN really should be treated as sensitive information. It can be used to commit identity fraud very easily.

Think about the fact that all these places demanding your SSN for identity validation make it trivial for someone to impersonate you. The kind of people who would commit identity fraud can target one place where it's easy to acquire your SSN, then use it somewhere else to get access to something they shouldn't be able to access.

Productivity is not about speed. It's about velocity. You can be fast, but if you're going in the wrong direction, you're not helping anyone.

Those are the words of Phillip J. Haack, and they seem relevant. I guess the fact Nelnet no longer uses SSNs as login IDs means things are moving in the right direction. They just aren't moving fast enough. That's at least better than moving very quickly in the wrong direction.

I just hope Nelnet doesn't do all its password validation with JavaScript on the client. A check that runs only in the browser can be skipped by anyone who submits the form by hand, so whatever rules a site settles on have to be enforced again on the server.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

58 comments
fdcampbell

What right does anyone have to dictate the format of my password? It's strictly for my use and protection. If I want to use a single letter (or my first name) as my password, why should anyone care? More "nanny state" protection.............

KenOB

I've seen a parameter for "adjacent digits" on an iSeries (AS/400). The parameter is called QPWDLMTAJC (Limit adjacent digits in password). As you said, it's designed to prevent users from entering a birthday or ssn as their password. BTW, the default value on an iSeries is off (allow adjacent digits).

mdiaz

nice article. My gripe is when you create a password and then get a popup: it's too short (but they don't tell how long it's supposed to be in the first place, OR A CHARACTER MAX!) or do a password that's numeric and get a popup - you have to have at least 1 letter but again, they don't tell ya up front. WTF??? is it SO HARD to give a web user a simple clue? It just seems like sloppy programming. I cancelled a credit card because logging into their site to pay the bill was such a pain... (take note Citi)

crapper

How many other companies are in exactly the same boat, having used SSN as a User ID until just recently- there are state laws that allow the use of SSN as long as the connection is SSL and there is another piece of data to go along with the validation. What is wrong with those stupid state officials who are so unhip as to allow this? Snark Snark.

seanferd

I'm no code monkey, but I don't get that at all. Could it be a transcription error? I especially like sites that suggest a strong pwd, but give you no indication as to what characters are valid, or even what a valid number of characters might be. On one site, I weakened the pwd five or six times until it was accepted. No indication in the (non-obvious) error messages as to what was invalid, or what might work, either.

Ed Woychowsky

It started out relatively normal:
  • Greater than 6 characters
  • At least 1 uppercase character
  • At least 1 digit
  • At least 1 special character
  • No password could be a valid word
From that point on it entered the Twilight Zone:
  • No two characters could be repeated in a password
  • No character could ever be used in the same position in subsequent passwords
Needless to say that people wrote passwords down.

w2ktechman

Discover card's website (for their secure online transaction) will not allow a greater than 6 character password, and special characters are not allowed either. All this from a company that has all over the place 'shop securely online'!!!

apotheon

My surprise at the Nelnet Website's password policy isn't so much at its poor security characteristics. I've seen worse, in that regard. No -- I'm more flabbergasted by how weird it is. Have you seen anything weirder for password policy?

jsaubert

The password is NOT in place for your protection. In fact the password is in place to protect your company. As much as I hate nanny rules, they are there because people act like temperamental 3-year-olds. It only takes one person's password to disable layers and layers of protection.

Sterling chip Camden

is when you jump through all the hoops and do everything they want, and then the password doesn't work so you end up calling someone to sort things out.

Tony Hopkinson

You'll be pleased to know you have not beaten at least two people to my dumbest post of the year nomination. Congratulations on both the achievement and the effort. SSN as data. SSN as ID. The clue is in the bit after as......

sleepin'dawg

with security consciousness, or perhaps I should say unconsciousness, such as yours, you and your system are truly headed for trouble. Maybe not right away but definitely soon, if it isn't already happening and you're just too dumb and stunned to recognize it. We just love to see a twit, like you, tripping over his own dick. Smarten up a$$wipe!!! You obviously have no idea of what you're talking about. Dawg ]:)

seanferd

In the earlier days of SS, the numbers weren't supposed to be used for anything else. Now we know what happens when no one sticks to rules like that, but very few even care.

Sterling chip Camden

But your handle gives a good indication of the quality of your comment. Since when has the law or the practice of government agencies ever provided a good model for security?

apotheon

Being allowed by law to do something doesn't mean it's something that should be done. You, apparently, don't have anything even approaching a security mindset.

w2ktechman

I have run into users in the past that use the 'example' password for their password :^0

n4aof

Two of my pet peeves are: 1. Totally trivial systems (such as reading a public news website) that force users to pick a good password and 2. Government systems that all use the same regulation about how complex a password must be, and then each come up with different and totally incompatible rules to implement that regulation. One Observation: As password rules increase in complexity beyond a reasonable point, the actual security provided by the passwords quickly begins to diminish. This is especially true in office environments that force users to "remember" multiple complex passwords. The ridiculous level of paranoia about the possibility of a 'dictionary attack' yields some interesting password rules, such as one system that had all usual ones: case sensitive, minimum 8 characters, at least two upper case, at least two lower case, at least two numbers, at least two special characters -- then added NO VOWELS.

KenOB

Each year our policies and procedures are audited by an outside firm. Each year they "tighten" the password policy to the point where we could walk up to almost any desk and locate a post-it note in the top drawer, under the keyboard or attached to the side of the monitor. We revised our password policies immediately!

Sterling chip Camden

in subsequent passwords, then pretty soon you run out of possibilities. If you can only use the ANSI characters 32-127, then you can have at most 96 passwords before you've run out of options for the first character. This promotes useless strategies like the following series of passwords: abcdefA1# bcdefA1#g cdefA1#gh ...

shardeth-15902278

how much easier they are making a brute force attack by implementing all those restrictions for 'forcing people to use "strong" passwords'. Just what you described there takes the possible combinations on an 8 character password from roughly 722 Trillion to a little less than 4 trillion. They've saved the guy trying to break in a great deal of work.

jpowers

with special characters, numbers, and case.

mamies

had their REMOTE DESKTOP LOGINS as the person's username such as mine is mamies and the password was also mamies. Then for more insecurity the website actually told you how to access the site. It had all the details involved to connect to the server and then it also told you that the password was the same as the username and how they got the username. If you knew an employee you could access their network. The scary thing is after I recommended changing it they ignored me and I believe it's still like it is. I can not say where the website is located as it may threaten the company

Ron_007

so where did the 4 digit ATM PIN come from. I found the answer in this article: http://www.matasano.com/log/892/why-are-atm-pins-4-digits-long/ The answer is because the inventor of the ATM asked his wife how many characters she could remember ... 4. Just last week I got a notice from my credit card company (V??A). They proudly announced the rollout of their new "Chip" enabled card that would no longer require that I sign my name. I could use my sooper secure, 4 numeric digit PIN! Oh, goody ... how about generating 1 time card validation numbers.

SObaldrick

.. that I have worked with, is logging in to the network to receive a message saying that your password will expire in X days. Exactly why does one need to know this? Les.

rscholz

I had a brief stint of consulting to these guys out of their (newly acquired) Princeton (NJ) office (they had acquired a company called Peterson's who I was contracted with). In my few dealings with their admin and development staff it was quickly apparent they were parallelized by micro management and short on sr. developers, it was quite remarkable they managed to maintain a production website at all, their poor server implementation and coding choices were incredibly outdated. I also had the pleasure of meeting the Nelnet management, they left the impression they had just come off their last jobs as sr Enron executives. lol

AlexNagy

You think that is weird, XDrive, apparently owned and operated by AOL, allows you to use your AOL username to sign up for an account, but only if your password isn't longer than six characters (AIM allows up to 10, IIRC).

sleepin'dawg

can be found in most governmental organizations. Mind you, some private enterprises don't lag far behind in the idiocy sweepstakes. Now that's funny; why did TR suddenly come to mind? Nah, surely that's gotta be purely coincidental. :^0 http://tinyurl.com/6nemk5 Dawg ]:)

Tony Hopkinson

They have two (or more presumably numeric check in there, to stop some subsequent piece of code blowing chunks with index out of bounds or an AV.... Some poor arse had to add a quick check and invent the constraint instead of fixing it.

TonytheTiger

but we have 4 different systems with 4 different sets of requirements Windows -- the usual... 3 of the 4 character types, length at least 8. Can't contain user or company name. Expires in 90 days. Lotus notes -- same as Windows, except no expiration (most users change it at the same time they change Windows though, so they can synchronize). Mainframe -- Must be exactly 8 characters. Must begin and end with a letter. Must contain at least 2 letters, 1 number, and 1 of 2 special characters. No double characters (AA11@@BB). Upper and lower case treated the same. User ID format is different than Windows too (xxxyy# xxx is department, yy is initials, and # is a digit). Expires in 30 days. Two internal apps use the Mainframe User ID but different password rules. Exactly 6 OR exactly 8 unique characters, 3 of the 4 types. Expires 90 days. One internal app uses Windows user name, but is wide open on the password except it will accept numbers and letters only. Never expires (at least it hasn't in the last 10 years). Windows remembers 4 previous passwords, the others remember 1. I didn't make it up, I just have to live with it. [Added:] Oh, and a little over a quarter of our users will call with a password problem in any given week :(

jsaubert

We've had some fairly funky password rules (and even funkier code to back it up) over the years. Most of those have gone by the wayside as updates have come along. My favorite was "no dictionary words spelled backwards" ... forwards was ok though, it caused havoc on words like dog/god and level. Bad passwords and people sharing password is a big issue for us. We've wanted to go biometric for about two years now. But being in the public sector we barely have enough scraped together to replace the last of the 9 year old CRT monitors this coming year.

fdcampbell

"It only takes one person's password to disable layers and layers of protection." This statement is not credible. Safe to say that 1000's of passwords a day are cracked by hackers. Any system this vulnerable to a cracked user password would have long since been trashed. A skilled cryptographer can crack virtually any password, if motivated. If my passwords get out it may cause me a brief problem but, in the grand scale, it affects few others. Now, if I can just stop the Russians from distributing spam using my email address......

apotheon

The name "crapper", the tenor and content of the comment, and the "member since" date all add up to a reasonable suspicion that "crapper" is a ( troll + sock puppet ) account.

Sterling chip Camden

Anything the system suggests by way of example username followed by the number 1 'password'

Neon Samurai

There are a few sites I keep ending up on through internet searches that basically go along the lines of "here's what you want, but you don't get to see it until you say the magic word." If it's a website that allows members to post, that's nothing trivial. Part of the magic is how trivial posting anything to a website appears though it's anything but. I think the issue with passwords is really a matter of user practices more than anything. Users should have complex and barely memorable passwords but they should also use an encrypted password manager to store those. No two systems with the same password and no password under 20 characters (I'm living it so I know it can be a pain at first). These same users who write down all their passwords on a post-it beside their monitor would never dream of leaving the car key in the car door or house key in the front door. It seems like utter madness to even consider a cheap four dropper key lock from the budget end of the spectrum; there's stereos to be protected after all. Why then is it ok for these users to choose four dropper passwords or leave their computer keys taped to the side of the monitor? It takes very little effort to use a password manager and if I forget my workstation password, there is always another staffer around that knows me (authentication) and will let me pop open my password manager on their machine to remind myself. There are cases where the software has a hard coded limitation to character length which pretty much sets your maximum but where a strong password can be used, there isn't a reason not to use one. Dictionary attack is pretty ugly on its own. Dictionary all you like. It's the more intelligent attacks I have issue with such as rainbow tables. With that, you're looking at ten character passwords in under five minutes.

Dumphrey

or just the next 2 or 3?

Dumphrey

successful frequency analysis of the hash which can be sniffed. While a weak password will always be weak, a weak implementation of an encryption scheme will let you go around instead of through in spite of a good password. And 4 trillion is still a lot. At 2000 passwords a second, that's a max of 23,148 days of brute force, roughly 63 years. So in reality ~32 years to break the key.

w2ktechman

but allowed a long PW. Hmmm, now which one was it that only allowed 6 characters and no specials??

GSG

We worked with several vendors (healthcare systems) that had a standard password that they preloaded that had full admin rights. This user id and password was used for every single customer. I was on a site visit to another healthcare system where the vendor was showing us the new product and was bragging to us and about 10 other customers about how secure it was. I told the guy that I bet I could hack it. He bet me I couldn't. Of course, being a salesman, he didn't know about the userid and password. I had full admin access to their system in under a minute, and had created a user account for me with full rights, etc... That was a good day. We also specify in our contracts now that we control all user ids and passwords including the vendor ones used for support so that we don't have this problem.

w2ktechman

WOW, what morons are running that?

seanferd

That sounds just about right. Never heard that particular origin, but generically that it was what people could remember.

The Scummy One

It is notifying you when you need to change your PW. That way, if you are taking lots of time off, you were warned. Also, for those that like to schedule it out, its good to know! Personally, I schedule it out for the Monday before it expires, that way I have a week of typing it, and remembering it.

Sterling chip Camden

I assume you meant "paralyzed", but your malapropism gave me an insight: micro-management, like parallel processing, can be very wasteful because you spend so much time synching. It can even lead to deadlock.

jsaubert

Cryptographers are a very minor issue compared with disgruntled or dishonest employees. Sabotage from within is the big problem with password security. If they got your password the worst they could do is still fairly bad; everything from just rearranging or deleting your files which is easily restored with a good backup to surfing pornographic web sites that could get you fired. However, imagine it was the head of payroll, they now have enough information to get access to your bank account if you have direct deposit (which lots of companies require now) and in most cases your social security number or the password of someone in human resources, they can find out where your wife works, where your kids go to school and any other bit of personal information you might have there. Unfortunately most people use their fairly generic network password for everything that requires a logon. If you worked where I do and you got the password of one of the records clerks, 911 dispatchers or booking officers? You could have access into the FBI's NCIC and modify records; run criminal histories on any one you want; see the drivers license of everyone in the state of Florida and have access to the personal information of hundreds of thousands of people in our own database. Granted, we've got a good bunch of people working here and we've never had any issues with passwords being misused like that, but lots of other agencies have and it's a real nightmare to sort out. ... thankfully the really skilled crackers and hackers are sticking to helping the Russians distribute spam! (^_^)

apotheon

I wasn't aware of all that. Thanks for the information.

seanferd

But they ran a massive and outright goofy campaign against some college kid who mocked Overstock and its CEO P. Byrne, as well as promoting the "stock market conspiracy" ideas. I believe that was last year. Much of it ran through Overstock's antisocialmedia.net site, but it went rampaging through other fora as well.

apotheon

I haven't seen Overstock.com shills' sock puppets, as far as I recall. Are they terribly common on the Web these days?

apotheon

It's possible this is a Nelnet shill, I suppose, but I think it's more likely that "crapper" is a sock puppet for someone who just really dislikes me or a lot of what I have to say in general here at TR. . . . but it's not all about me. It could be a Nelnet sock puppet, or something else entirely. I think the most likely possibility is that it's just some web developer who may or may not have another account here at TR, but doesn't want it to be associated with such vapid and rancorous troll-worthy behavior, whose major beef with my article is that (s)he has created authentication systems that use the SSN as a user name. Truth hurts, y'know -- and if you're so security-unconscious as to use the SSN as a username for site authentication on the Web, you might be inclined to lash out at anyone that points out what a bad idea it is. Notice that the entire brief rant was in response to my comments on the SSN, and ignored the rest of the article, after all. Maybe it's just the fifth user account for someone who has been banned for trolling four times already.

seanferd

Overstock.com sock puppets.

Sterling chip Camden

... an effective sock puppet would don a more reasoned approach. But then, if Nelnet produces password rules with this sort of logic, maybe they're not up to the task of a logical defense, either.

Ed Woychowsky

It was all subsequent passwords, which made job hunting a viable option after five to ten years.

shardeth-15902278

Many Brute force crackers were running close to 1 Million/sec on P4's in '05. That puts your mean crack time at roughly 23 days (vs ~4,000 days @ 700 trillion). edit: oops, I meant 700 trillion, not 7 trillion

mamies

but they swore to date that they had never had a person hack their system. Although now they have changed their policy. As I see, they don't have that information readily available to the public

rahouseholder

Phrases are easier to remember than words. If they would allow us to use a phrase like "Ihave1redcar!" it would be so much easier for people to remember. Some places do allow short phrases but in my example, it is 13 characters long. A lot of places don't allow that many characters.

shermp

Those rules are strange and wrong. Just a guess, based on my experience as a Business Analyst - I bet the restrictions are based on a desire to limit helpdesk calls from people who have forgotten their passwords or need them reset due to too many mis-entries. The difficulty with managing passwords is that a really good, strong, hard to break password is also one that's difficult to remember. Add that to the fact that most of us are dealing with multiple passwords for a variety of online accounts and the whole system's a mess. I have passwords for my bank account, my mortgage payment, an online check paying service, several e-tailers, not to mention work PC and home PC. I look forward to the adoption of biometrics.
