by eam 3267 days ago
I also hate ADP's password requirements:

> Your password must be 8 to 20 characters and may include upper or lowercase letters (A-Z and a-z), numbers (0-9), spaces (except at the beginning or end), and special characters. You must use at least one letter and one number. You cannot use the same character in four or more consecutive positions (for example, AAAa is valid, but AAAA is not valid) and you cannot use four or more sequential characters, in ascending or descending order, in a row (for example, ABCD and 4321 are not allowed).

It almost feels like a riddle...

Because I have to choose a complicated password that I can't remember, every single time I go back (maybe twice a month) I pretty much have to use the password reset functionality and make another non-memorable password. Even setting up the password takes some thinking as you can read the requirements that you have to conform with. Ugh. It's pretty annoying.


This brings up one of many interesting paradoxes of browsers. They can save passwords by default, but they won't generate strong passwords for you by default. (If your browser has a password generator, you have to manually enable it.)
Safari on macOS will suggest/generate fairly strong passwords as soon as you're on a password field:

https://i.gyazo.com/92fc8a49323dffbd22ff34c2ccbea0b0.png

Chrome generates strong passwords for you. I only wish there were a simple pass/fail test JS function websites could use to tell Chrome whether or not the auto-generated password fits their ridiculous rules.
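A pass/fail rule function of the kind this comment asks for, written against the ADP rules quoted at the top of the thread, plus the retry loop a generator would wrap around it. This is an added example, not code from the thread or from ADP; it assumes "special characters" means any printable ASCII and that "sequential" is judged by character code.

```javascript
// Added example (not from the thread): encode the quoted ADP rules as a
// single boolean check so a password generator can test candidates.
// Assumption: allowed characters are printable ASCII (0x20-0x7E).
function isAllowedChar(ch) {
  const code = ch.charCodeAt(0);
  return code >= 0x20 && code <= 0x7e;
}

function meetsAdpRules(pw) {
  if (typeof pw !== "string") return false;
  if (pw.length < 8 || pw.length > 20) return false;   // 8 to 20 characters
  if (pw !== pw.trim()) return false;                   // no leading/trailing space
  if (![...pw].every(isAllowedChar)) return false;
  if (!/[A-Za-z]/.test(pw) || !/[0-9]/.test(pw)) return false; // letter + number
  for (let i = 3; i < pw.length; i++) {
    const a = pw.charCodeAt(i - 3), b = pw.charCodeAt(i - 2);
    const c = pw.charCodeAt(i - 1), d = pw.charCodeAt(i);
    // Same character in four consecutive positions: AAAA fails, AAAa passes,
    // so the comparison is case-sensitive as in the quoted example.
    if (a === b && b === c && c === d) return false;
    // Four sequential characters, ascending (ABCD) or descending (4321).
    // Assumption: adjacency is measured by character code.
    const asc = b === a + 1 && c === b + 1 && d === c + 1;
    const desc = b === a - 1 && c === b - 1 && d === c - 1;
    if (asc || desc) return false;
  }
  return true;
}

// Retry loop: draw candidates from any generator (the browser's, pwgen's,
// anything) until one passes the site's rules, or give up after maxTries.
function generateAcceptable(candidateFn, maxTries = 50) {
  for (let i = 0; i < maxTries; i++) {
    const pw = candidateFn();
    if (meetsAdpRules(pw)) return pw;
  }
  return null; // caller decides how to handle a generator that never fits
}
```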
$ pwgen -sy 20

$ pass insert adp

I wonder if someone has done a similar analysis of HSXKPasswd. https://github.com/bbusschots/hsxkpasswd
Note the "pronounceable" caveat in the original message. Still important to note, but the implementation above is not at risk.
Password rules have gone a bit absurd in my environment, where they are considering doubling the twenty-character requirement, which already leads to people doing cut and paste. Another option has been people storing them on their phones.

With cloud computing, a security company recently has shown us that if they can find a hole to get the files where systems store such information, they can reverse most. There is a dearth of knowledge out there on how each platform stores such data, and finding an in is incredibly easy at the majority of companies.