Either my name, my password or my soul is invalid – but which?

Devising complex new passwords is character-building


Something for the Weekend, Sir? Try as I might, it won't go in.

I have entered pretty much everything else so far but this time I'm getting a definitive "no". I respect that, of course, but it leaves me jolly frustrated. Despite all my powers of persuasion, I'm left standing in the cold with one hand on my lock.

Yes, lock. The site keeps rejecting my password, you see.

Hang on, maybe the password isn't the problem, maybe it's my username. It's difficult to tell because whatever I'm doing wrong is triggering some uppity JavaScript message coloured a demonstratively angry red to tell me my "username and/or password is not recognised".

Growing bored of retyping likely alternative usernames and/or passwords repeatedly in various combinations, I begin typing random characters and/or bollocks into both fields just to see if this produces a different kind of response. Maybe the error message will get angrier and/or redder?

By the way, I haven't forgotten my login credentials: I am registering with a new service as a new user but for some reason it doesn't like what I'm typing. Who knows, perhaps it doesn't like the way I'm typing. I try typing lightly. I try typing forcefully. I try typing while hunched and laughing maniacally. I try typing with big campy flourishes. (I bet you wish I'd captured all this on my webcam.) No luck.

Ah now, I seem to remember something like this happening while working on-site at one of my old newspaper clients. It was one of those places where the CTO would be systematically replaced every year and each fresh-faced, middle-aged jock would insist on heaving his seniority-enhanced paunch into everyone's faces for a few weeks upon arrival before getting everything wrong, messing everything up and eventually being systematically replaced 11 months later.

One of these just-passing-through guys insisted on a hurried rejig of the Active Directory sign-ins to force us all to change our passwords on a monthly basis. Annoying, yes, but I was prepared to go with the flow in the interests of corporate security. Joking aside, this stuff matters when the livelihoods of thousands of staff worldwide are at stake.

For example, despite the valid criticism thrown at British banks for their historic laxity when it comes to personal login credentials, I give credit to Barclays for its recent TV campaign explaining how easy it is for customers to sabotage their own security via social media.

Youtube Video

Unfortunately, the AD changes at my client were rushed through by a harassed IT Support Desk still struggling with the public shame of being rechristened Customer Delight Providers by the latest short-term tenant of the glass office in the corner with the nice view over London. As well as expiring every calendar month, the passwords were now expected to have a minimum 12-character length and include at least two upper-case letters, two numbers, a special character, a Japanese hiragana, a Cyrillic consonant, a typographical thin space and any emoji representing a sexually suggestive root vegetable.

Oh, and the new password system had been set up to automatically reject – again without explaining why – recognisable strings resembling dates, surnames, local streets, Beatles song titles (I kid you not) and, worst of all, the names of all nearby pubs.

Not a problem, I hear you cry. Well, it is if no one got around to adding these rules into the New Password prompt. Again and again we'd type in new but not-quite-right passwords only to be told they were invalid – but not why. The poor sods on the ex-IT Support hotline spent the next 48 hours Providing non-stop Delight to their Customers until someone got around to updating the password prompt.

With this memory still stinging in my mind, I phone a friend for assistance. He tells me it's my own fault because my kind of email address is "wrong".

Er yeah OK bye. Idiot.

I should have known he'd come up with a daft suggestion like that. This is the bloke who would casually sabotage his own monthly New Password prompts by changing his password 11 times immediately and, for the twelfth, reset it to his old one again so he could carry on as before. He even kept his 11 non-passwords on a sticky note attached to his display bezel so that he could run through the same routine in the same order every month.

Why should I be surprised when research suggests that 45 per cent of infosec professionals, who really ought to know better, reuse the same passwords across multiple accounts? It's not a lack of awareness, it's a clear admission from within the security industry itself what a pain in the arse it is to sign in again and again dozens of times a day with different credentials.

And don't get me started on two-factor authentication, as this invariably means little more than two-password authentication: if you can bypass one, you can bypass another. This is especially so if the second factor is merely a detoured PIN sent to your smartphone: all a thief has to do is nick your phone and he sits and waits for the second password to light up in front of him.

Nor am I sure about biometric ID such as those built into EU passports to speed up airport security checks. If I'm facially scarred in a road accident, for example, my biometric passport will no longer work. I'd have to apply for a new one – by submitting a birth certificate, a utility bill and other such conventional, easily faked paperwork.

Perhaps we need to go full-DNA, as nothing short of being bitten by a radioactive spider or being locked in an Intrinsic Field Subtractor is going to alter the arrangement of my chromosomes. Take a swab, darling! Need a specimen to unlock the door? No problem! From where? Ooh missus. Love is the key, I suppose...

Demonstrations of commercial DNA identity products such as Parabon's Snapshot certainly look like they can work magic. Or too much like magic?

Nope, I'm no Doctor Manhattan. I certainly don't fancy standing at passport control after a vacation on Mars sporting an ultra-violet tan, rippling thermodynamic muscles and my knob hanging out.

With a sigh, I turn back to my website sign-up. Hmm. A thought. Why not?

I type in a different email address for my login ID. This works and the registration process is soon completed. It turns out my friend was sort-of correct: there is nothing wrong with my usual email address except that the online service I have been trying to register with has been designed not to recognise strings of fewer than four characters before the '@'. Nor will it accept any kind of ID other than an email address.

In other words, it wasn't that my username and/or password was invalid. It's that the site is mistaken and/or fucked. ®

Youtube Video

Alistair Dabbs
Alistair Dabbs is a freelance technology tart, juggling tech journalism, training and digital publishing. He apologises to new and recently conscripted readers for not uploading any more photos of himself holding things against his face for your amusement, as he did last week. But if you're really patient, he might concoct a complete My Guy-style photostory from the dungeons of El Reg after the August break. It depends on various factors (at least two). @alidabbs

Other stories you might like

  • Florida's content-moderation law kept on ice, likely unconstitutional, court says
    So cool you're into free speech because that includes taking down misinformation

    While the US Supreme Court considers an emergency petition to reinstate a preliminary injunction against Texas' social media law HB 20, the US Eleventh Circuit Court of Appeals on Monday partially upheld a similar injunction against Florida's social media law, SB 7072.

    Both Florida and Texas last year passed laws that impose content moderation restrictions, editorial disclosure obligations, and user-data access requirements on large online social networks. The Republican governors of both states justified the laws by claiming that social media sites have been trying to censor conservative voices, an allegation that has not been supported by evidence.

    Multiple studies addressing this issue say right-wing folk aren't being censored. They have found that social media sites try to take down or block misinformation, which researchers say is more common from right-leaning sources.

    Continue reading
  • US-APAC trade deal leaves out Taiwan, military defense not ruled out
    All fun and games until the chip factories are in the crosshairs

    US President Joe Biden has heralded an Indo-Pacific trade deal signed by several nations that do not include Taiwan. At the same time, Biden warned China that America would help defend Taiwan from attack; it is home to a critical slice of the global chip industry, after all. 

    The agreement, known as the Indo-Pacific Economic Framework (IPEF), is still in its infancy, with today's announcement enabling the United States and the other 12 participating countries to begin negotiating "rules of the road that ensure [US businesses] can compete in the Indo-Pacific," the White House said. 

    Along with America, other IPEF signatories are Australia, Brunei, India, Indonesia, Japan, South Korea, Malaysia, New Zealand, the Philippines, Singapore, Thailand and Vietnam. Combined, the White House said, the 13 countries participating in the IPEF make up 40 percent of the global economy. 

    Continue reading
  • 381,000-plus Kubernetes API servers 'exposed to internet'
    Firewall isn't a made-up word from the Hackers movie, people

    A large number of servers running the Kubernetes API have been left exposed to the internet, which is not great: they're potentially vulnerable to abuse.

    Nonprofit security organization The Shadowserver Foundation recently scanned 454,729 systems hosting the popular open-source platform for managing and orchestrating containers, finding that more than 381,645 – or about 84 percent – are accessible via the internet to varying degrees thus providing a cracked door into a corporate network.

    "While this does not mean that these instances are fully open or vulnerable to an attack, it is likely that this level of access was not intended and these instances are an unnecessarily exposed attack surface," Shadowserver's team stressed in a write-up. "They also allow for information leakage on version and build."

    Continue reading
  • A peek into Gigabyte's GPU Arm for AI, HPC shops
    High-performance platform choices are going beyond the ubiquitous x86 standard

    Arm-based servers continue to gain momentum with Gigabyte Technology introducing a system based on Ampere's Altra processors paired with Nvidia A100 GPUs, aimed at demanding workloads such as AI training and high-performance compute (HPC) applications.

    The G492-PD0 runs either an Ampere Altra or Altra Max processor, the latter delivering 128 64-bit cores that are compatible with the Armv8.2 architecture.

    It supports 16 DDR4 DIMM slots, which would be enough space for up to 4TB of memory if all slots were filled with 256GB memory modules. The chassis also has space for no fewer than eight Nvidia A100 GPUs, which would make for a costly but very powerful system for those workloads that benefit from GPU acceleration.

    Continue reading
  • GitLab version 15 goes big on visibility and observability
    GitOps fans can take a spin on the free tier for pull-based deployment

    One-stop DevOps shop GitLab has announced version 15 of its platform, hot on the heels of pull-based GitOps turning up on the platform's free tier.

    Version 15.0 marks the arrival of GitLab's next major iteration and attention this time around has turned to visibility and observability – hardly surprising considering the acquisition of OpsTrace as 2021 drew to a close, as well as workflow automation, security and compliance.

    GitLab puts out monthly releases –  hitting 15.1 on June 22 –  and we spoke to the company's senior director of Product, Kenny Johnston, at the recent Kubecon EU event, about what will be added to version 15 as time goes by. During a chat with the company's senior director of Product, Kenny Johnston, at the recent Kubecon EU event, The Register was told that this was more where dollars were being invested into the product.

    Continue reading
  • To multicloud, or not: Former PayPal head of engineering weighs in
    Not everyone needs it, but those who do need to consider 3 things, says Asim Razzaq

    The push is on to get every enterprise thinking they're missing out on the next big thing if they don't adopt a multicloud strategy.

    That shove in the multicloud direction appears to be working. More than 75 percent of businesses are now using multiple cloud providers, according to Gartner. That includes some big companies, like Boeing, which recently chose to spread its bets across AWS, Google Cloud and Azure as it continues to eliminate old legacy systems. 

    There are plenty of reasons to choose to go with multiple cloud providers, but Asim Razzaq, CEO and founder at cloud cost management company Yotascale, told The Register that choosing whether or not to invest in a multicloud architecture all comes down to three things: How many different compute needs a business has, budget, and the need for redundancy. 

    Continue reading

Biting the hand that feeds IT © 1998–2022