It's ironic that only yesterday I posted about the dangers of using passwords for encryption. Well, this morning another "feature" of passwords hit me square in the forehead. I tried to activate Windows Live OneCare (I've decided to give their family safety feature a try to limit where my little ones can surf on the net). Here's what I got when I supplied my Windows Live ID and password (please note I've changed my ID in this picture to protect the innocent, well, me):
As you can see, I have a strong (or at least a long) password. After spending about 15 minutes searching for a solution, I came across this post, which indicates that Windows Live OneCare Activation has problems with complex passwords. The solution? Go reset your password so that it uses only numbers and letters and is 8 characters or less.
One possibility is that the password for your LiveID is complex - meaning longer than 8 characters and composed of characters other than just letters and numbers. The activation system has reportedly had issues with this in the past. If that is the case for your ID, you may want to consider changing the password temporarily to see if it allows you to activate.
I'm sure you've seen this before. Many systems out there that deal with passwords assume that users will supply short, simple passwords, not randomly generated strong passwords created by a tool, or long passphrases. But this case is especially egregious, since it encourages people to reduce the strength of the one password that controls access to many different Microsoft properties.
I didn't have time to try to figure out exactly what this dialog is choking on, but when it chokes it happens so quickly that my guess is that some internal validation on the password is causing it to fail. It doesn't appear to be making a round-trip to Windows Live ID in order to validate the email or password. I temporarily changed my password to a 7-character, alpha-only one, and it worked fine. And yes, I later reset my password to a random strong one that I store in Password Minder.
Take a lesson from this flawed implementation. Always, always assume that your users will supply long, random passwords or long passphrases, and let the system that actually owns the credential decide whether it is valid instead of second-guessing it with a local rule. Or even better, allow the user to supply a stronger form of authentication!