{"id":8361,"date":"2016-07-01T20:05:49","date_gmt":"2016-07-02T04:05:49","guid":{"rendered":"http:\/\/www.oeconomist.com\/blogs\/daniel\/?p=8361"},"modified":"2021-05-31T05:37:47","modified_gmt":"2021-05-31T12:37:47","slug":"passcodes-redux","status":"publish","type":"post","link":"https:\/\/www.oeconomist.com\/blogs\/daniel\/?p=8361","title":{"rendered":"Passcodes Redux"},"content":{"rendered":"<p>To-day, I found myself unable to log-in to this &#39;blog.  I got a diagnostic that I were entering the wrong password.  I don't want to burden my readers with a detailed retelling, but what had <em>actually<\/em> happened was that an up-date of <a href=\"http:\/\/wordpress.org\/\">WordPress<\/a> rejected my password &mdash; it wasn't that I were entering the wrong password; it was that the password that I was entering was now prohibitted.<\/p> <p>On top of the login code misreporting the problem, the code for resetting the password wouldn't tell me <em>why<\/em> my password was being rejected.  But it was rejected for containing a particular <em>sub<\/em>-string; and when I removed that sub-string, the password was then accepted.<\/p> <p>If you understand passcodes (perhaps in part from reading <a href=\"?p=8197\">my previous entry in which they were discussed<\/a>), then you should see that there is something literally <em>stupid<\/em> in the <a href=\"https:\/\/wordpress.org\/download\/\">WordPress software<\/a>.  Let's say that the forbidden sub-string were <q><code>8675309<\/code><\/q> and that my password were <q><code>X.52341-hunao-8675309.Y<\/code><\/q>.  If I drop the <q><code>8675309<\/code><\/q>, the password becomes <q><code>X.52341-hunao-.Y<\/code><\/q>.  That is now accepted, though it is <em>less<\/em> secure!<\/p> <p>If a would-be intruder knew <em>where<\/em> in the original password  <q><code>8675309<\/code><\/q> appeared, <em>and<\/em> knew the length of the password, then the password would effectively be <span style=\"display: block ; margin-top: 0.5em ; margin-bottom: 0.5em ; text-align: center ;\"><var style=\"font-variant: small-caps ;\">p<\/var><sub>1<\/sub><var style=\"font-variant: small-caps ;\">p<\/var><sub>2<\/sub>&#8230;<var style=\"font-variant: small-caps ;\">p<\/var><sub>14<\/sub><code>8675309<\/code><var style=\"font-variant: small-caps ;\">p<\/var><sub>22<\/sub><var style=\"font-variant: small-caps ;\">p<\/var><sub>23<\/sub><\/span> where each <q><var style=\"font-variant: small-caps ;\">p<\/var><sub><var>i<\/var><\/sub><\/q> were an unknown character, and the <em>new<\/em> password would be <span style=\"display: block ; margin-top: 0.5em ; margin-bottom: 0.5em ; text-align: center ;\"><var style=\"font-variant: small-caps ;\">p<\/var><sub>1<\/sub><var style=\"font-variant: small-caps ;\">p<\/var><sub>2<\/sub>&#8230;<var style=\"font-variant: small-caps ;\">p<\/var><sub>14<\/sub><var style=\"font-variant: small-caps ;\">p<\/var><sub>22<\/sub><var style=\"font-variant: small-caps ;\">p<\/var><sub>23<\/sub><\/span> so that the two passwords would be <em>equally secure!<\/em> (Either way, an intruder must find a sequence of sixteen unknown characters.) But, as it is, would-be intruders wouldn't be sure <em>that<\/em> the sub-string appeared, let alone <em>where<\/em> in the code it would appear, nor how long the password were.  One could, in fact, conceptualize the sub-string <q><code>8675309<\/code><\/q> as if it were a single character of extraordinary length (a <em>macro<\/em>-character) and of great popularity which character <em>might<\/em> appear within a string of equal or greater length, in which case prohibiting the sub-string would be rather like prohibiting the use of <q>E<\/q>.<\/p> <p>That's <em>not<\/em> to say that common sub-strings should <em>simply<\/em> be accepted as passwords or within passwords.  A great many systems have been hacked because someone foolishly used passwords such as <q><code>password<\/code><\/q>, <q><code>root<\/code><\/q>, or <q><code>batman<\/code><\/q>.  But, instead of rejecting a password because it <em>contained<\/em> a popular sub-string, the software could, for example, test to see whether the password would be secure if the sub-string were excised, in which case it should be at least slightly <em>more<\/em> secure if the sub-string were retained.<\/p> <p>(Note that this approach works with popular sub-strings of any length, including those of just one character!  In fact, when there is no upper-limit on the length of passcodes, they may be securely constructed of nothing <em>but<\/em> popular sub-strings each of which has multiple characters; a secure password could be made by concatenating ten or more of the one hundred most popular passcodes.  Mathematically, the problem of using just one <em>popular<\/em> passcode is fundamentally the same as that of using a <em>short<\/em> passcode!)<\/p> <p><em>Sometimes<\/em>, it's smart programming to write stupid programs, because the costs of designing, implementing, and maintaining more sophisticated software out-weigh the benefits.  But, here, the <a href=\"http:\/\/wordpress.org\/\">WordPress<\/a> programmers have opted for <em>cheap<\/em>ness in a way that needlessly thwarts and insults some users, and can actually make systems <em>less secure<\/em> in those cases. (And the poor diagnostics are simply inexcusable.)<\/p> ","protected":false},"excerpt":{"rendered":"To-day, I found myself unable to log-in to this &#39;blog. I got a diagnostic that I were entering the wrong password. I don't want to burden my readers with a detailed retelling, but what had actually happened was that an up-date of WordPress rejected my password &mdash; it wasn't that I were entering the wrong [&hellip;]","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_bbp_topic_count":0,"_bbp_reply_count":0,"_bbp_total_topic_count":0,"_bbp_total_reply_count":0,"_bbp_voice_count":0,"_bbp_anonymous_reply_count":0,"_bbp_topic_count_hidden":0,"_bbp_reply_count_hidden":0,"_bbp_forum_subforum_count":0,"footnotes":""},"categories":[7,6,69,4],"tags":[1078,1080,325,744,1396,13],"class_list":["post-8361","post","type-post","status-publish","format-standard","hentry","category-blog-meta","category-commentary","category-information-technology","category-public","tag-cracking","tag-hacking","tag-passwords","tag-security","tag-user-identification","tag-wordpress"],"_links":{"self":[{"href":"https:\/\/www.oeconomist.com\/blogs\/daniel\/index.php?rest_route=\/wp\/v2\/posts\/8361","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.oeconomist.com\/blogs\/daniel\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.oeconomist.com\/blogs\/daniel\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.oeconomist.com\/blogs\/daniel\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.oeconomist.com\/blogs\/daniel\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8361"}],"version-history":[{"count":1,"href":"https:\/\/www.oeconomist.com\/blogs\/daniel\/index.php?rest_route=\/wp\/v2\/posts\/8361\/revisions"}],"predecessor-version":[{"id":11744,"href":"https:\/\/www.oeconomist.com\/blogs\/daniel\/index.php?rest_route=\/wp\/v2\/posts\/8361\/revisions\/11744"}],"wp:attachment":[{"href":"https:\/\/www.oeconomist.com\/blogs\/daniel\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8361"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.oeconomist.com\/blogs\/daniel\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8361"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.oeconomist.com\/blogs\/daniel\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8361"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}