<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">So now password guidelines can be part of recon!<br><div><br></div><div> It truly amazes my how blindingly stupid some password requirements are.<div>The other day I had to register on a site that requires a digit intra alpha characters but allowed you to stupidly use your account name with interior characters replaced with digits. And this was a financial institution! Glad the assets are protected by federal insurance.</div><div><br><div apple-content-edited="true">
<span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>Charisse Castagnoli</div><div><a href="mailto:charisse@charissec.com">charisse@charissec.com</a></div><div><br></div><div><br></div><div><br></div></div></span><br class="Apple-interchange-newline"></span><br class="Apple-interchange-newline">
</div>
<br><div><div>On Nov 7, 2013, at 1:01 PM, William Arbaugh wrote:</div><br class="Apple-interchange-newline"><div>According to the Defense Finance and Accounting Service (DFAS), you shouldn't use vowels in your password!<br><br>The DFAS web site myinvoice.csd.disa.mil is instituting new password requirements starting tomorrow. The details can be found at the site (if you're willing to read a PDF hosted by DOD that is).<br><br>DFAS brings us two significant improvements to password/PIN security by forbidding the use of vowels, and requiring that password/PINs be EXACTLY 15 characters long (no more, no less). I'd guess that the first requirement is to prevent people from using dictionary words. The second requirement is probably due to some obscure issue with their use of an Oracle Java front-end.<br><br>This is from a web site that until recently ( and I believe still does) required the use of IE and Java 6. Logging in use to require clicking through no less than 3-4 security warning pop-ups.<br>_______________________________________________<br>Dailydave mailing list<br><a href="mailto:Dailydave@lists.immunityinc.com">Dailydave@lists.immunityinc.com</a><br>https://lists.immunityinc.com/mailman/listinfo/dailydave<br><br></div></div><br></div></div></body></html>