LastPass feature request

Ghost in the Shell Laughing Man shirt

There is no enforced standard for web site passwords, so the requirements are all over the place. Nor do sites typically explain the exact rules before you fail them. When they do, most state the minimum length and the types of characters required, but too many leave out the maximum number of characters allowed, so I end up experimenting to figure out the strongest password I can get. One of my favorite blogs is Password Requirements Shaming.

Web sites almost certainly record the password to a variable. Hopefully they then hash it and store only the hash instead of recording the password as plain text. I use LastPass’ password generator to create something typically 40 characters long [1] and try it. Almost always that results in an error that my password is too long and the limit is actually something shorter. There are some frustrations with how sites handle these cases:

  1. It would be nice if more sites would check the password with JavaScript and report whether it is too long or too short, contains disallowed characters, or does not match in both fields. Very rarely do they check that it is too long; most just check that the two entries match. Letting me know before I submit keeps me from wasting my time.
  2. In HTML, maxlength defines how many characters the input element will accept. I sometimes look at the HTML to decide what password length to generate, but there is no guarantee that the maxlength reflects what will actually work. It fails to help so often that I have gotten out of the habit.

Arbitrariness in password policies probably pushes people toward less secure practices through simplification. This is The Paradox of Choice.

It occurred to me that LastPass developers could solve this problem for me. If LastPass knew the password requirements for a site, then it could preset the generator to the maximum length that will fit. When I go to create a password for a site, it could then work the first time instead of taking 2-5 tries to find something that finally works. Most users are lazy and would not change the preset, so passwords would tend to be stronger. [2]

Admittedly, it usually works on the second try once I’ve nailed down the maximum number of characters allowed.

[1] Originally I would try 50 characters, but I eventually relaxed that a bit. Occasionally, I go through brief periods where I just try 30 or 32.

[2] See Nudge: Improving Decisions About Health, Wealth, and Happiness for its discussion of organ donation rates, which shows how this would work.

Scary Password Policy

Doing a training thing for work next week. The training coordinator sent an email to 25 of us about how to access the learning portal. The username is your email and the password is a single word with an exclamation point. My first instinct was to get in ASAP and change the password, since so many other people have access to it.

Only.

There is no link. I click and click and click. I cannot find it.

Finally, I looked at the source code and noticed features in it that reveal this portal is running on WordPress. So, I appended “wp-admin/profile.php” to the URL and got a 404. I appended it to the domain instead and bingo, I was at my own profile. So, I used the WordPress password feature to generate a strong password and changed it.

I wonder how many people have taken training from these people and bothered to change the password?

Posting To Your WP From Foreign Sites

(This assumes a WordPress.org site, not one on WordPress.com hosting.)

Placing your username and password in the database of a third party site is not a good idea. If the account provided is the WordPress administrator account, then credentials for the most important account are potentially exposed. The password is going to be kept in the clear, or in a form that is easy to decrypt, so that it can be used to post to WordPress.

Better instead is to create a limited user with the Author role for this purpose. These accounts are so easy to create that I make one for every site I use to post to this blog. If any of these sites are hacked or the credentials otherwise given to others, then the potential damage is just the posts belonging to that user.

One stumbling block is that WordPress.org installs want a unique email address for each account. A workaround I use is either generating email accounts via my hosting provider or using Gmail’s +anything addressing.

Also, it makes it easy to identify the posts which came from the foreign source. My Goodreads posts are an example: that site is set up to post under an account I created specially for that purpose.

Protected Post Password

I imported all my LiveJournal posts here. Other than posting pictures there from Flickr, I don’t really use LJ anymore. I rarely even read my friends’ blogs there. Too bad. I still have the T-shirt.

Most of my LJ posts are protected. For this site, I’d rather have them set to private. So this section of the WordPress importer (Tools > Import > LiveJournal) seemed relevant:

If you have any entries on LiveJournal which are marked as private, they will be password-protected when they are imported so that only people who know the password can see them.

If you don’t enter a password, ALL ENTRIES from your LiveJournal will be imported as public posts in WordPress.

Password protected seemed better than not, so I set a 30-character password, and the form accepted all 30. When the password didn’t work, I logged in as the administrator user and looked at Publish > Visibility >

In my opinion, web forms in general should prevent the user from entering more characters than the application or database will take. Passwords are very exact, so forms for creating them definitely should not allow extraneous characters.