50

In configuring a new system today (Juniper Space, Linux-based Network Management platform), I came across a bizarre password requirement that I'm curious about. Upon logging into the web UI with the default credentials, I was prompted to change the password, which is good, and I went to do, but my randomly generated password was rejected because the last character was a number. This struck me as all the more strange, given that the password I provided for the command line interface ended in a number, and it was accepted.

change default password screenclip

In my experience, password requirements like this generally have some underlying reasoning behind them, like Q and Z not being present on old telephone keypads, or legacy systems compatibility or just plain poor systems/policies/whatever. I'm having a much more difficult time explaining this particular policy with any of those explanations, though.

Does anyone have any insight into the reasoning behind a password policy that would prohibit a numeric last character?

HopelessN00b
  • 3,385
  • 1
  • 19
  • 27
  • 19
    Because the creator of this password format lacked the foresight to see that they created the same rule in reverse. Instead of password1!, they've created 1password! – Mark Buffalo Oct 14 '16 at 20:53
  • 5
    6 character minimum with at least 1 numeral and 1 lowercase letter. _6 character?_ No uppercase requirement(was list truncated)? As others have noted, "last character is a numeral" is a very common pattern, especially when a numeral requirement is imposed or passwords must be changed regularly, but prohibition for that reason is awfully sophisticated given the password length (only 6) and that no uppercase letters are required. – BillR Oct 15 '16 at 10:43
  • Linux? That looks like ... Java. – Michael Hampton Oct 15 '16 at 23:20
  • 1
    @MichaelHampton Yeah, for the web UI. For some reason, most Linux-based appliances don't use .NET for their web UIs. :) – HopelessN00b Oct 16 '16 at 00:11
  • That's a long list of password rules to follow. – Aloha Oct 16 '16 at 05:05
  • @MichaelHampton There's no reason why it can't be both. – user207421 Oct 17 '16 at 02:46

3 Answers3

54

It's likely an effort to discourage passwords that fit common formats or character masks. If a password policy requires use of a number many people will chose to put their number at the end of a word or words. Here are a couple examples from corporate environments:

Attackers like this user habit because it makes their hybrid password cracking or guessing attacks easier. They can focus on combining word lists with numbers added to the end rather than a more time consuming brute force approach.

So some organizations implement a policy like this in an attempt to improve security by getting users to put their numbers is a less predictable place. It sounds like in your situation they're not combining this with any other complexity checking and instead rejecting all passwords that end in a number, regardless of how random they are otherwise. That's not a very good way to implement this type of checking, but they're not alone in taking this approach.

PwdRsch
  • 8,361
  • 1
  • 28
  • 35
  • 3
    Then people attacking a Juniper Space system will have an easier job because they know which masks are forbidden... – a25bedc5-3d09-41b8-82fb-ea6c353d75ae Oct 15 '16 at 14:30
  • 3
    @a25bedc5-3d09-41b8-82fb-ea6c353d75ae: It was thirty years ago that I first heard the argument, “Any rule that restricts passwords, shrinks the space of valid passwords, and therefore makes brute-force attack easier.” But that’s wrong; the job of the attacker who is guessing passwords is *not* made easier by knowing that he doesn’t need to check whether my password is “scott”, it is not made easier by knowing that he doesn’t need to check whether anybody is using a dictionary word as a password, etc. … (Cont’d) – Scott - Слава Україні Oct 15 '16 at 21:08
  • 19
    (Cont’d) …  The point is, when a password pattern is *disproportionally* popular (much more popular than it would be if passwords were chosen randomly), then that pattern becomes low-hanging fruit for the attacker.  By banning the users from that comfort zone, you force them to disperse and use more of the space of possible passwords, and thus become a harder target.  That said, I agree that this rule is somewhat silly.  A better rule might be, “Must contain at least one digit *at a position other than the last character*.”  That would allow “corrc3t8” while still prohibiting “crorcet1”. – Scott - Слава Україні Oct 15 '16 at 21:08
  • 4
    @a25bed To make Scott's point in fewer words: when limiting the combinatorial search space also limits the usefulness of a dictionary or pattern attack, the _real_ search space (i.e. the one an attacker would actually bother to check - no smart attacker guesses randomly) increases in size. Obviously there's a limit to point and purpose, though. No comment on the security of OP's specific situation. –  Oct 15 '16 at 22:43
  • I bet that almost all of the cracked passwords matching a four-digit pattern in the NetSPI report (e.g. ULLLDDDD) are actually ULLL19DD or ULLL20DD :) – Hagen von Eitzen Oct 16 '16 at 13:13
  • Inflexible checks are pretty common. I once was changing my password on a popular service and tried to use a 5-word Diceware password with 4 random words and the fifth being the name of the site, and it was automatically rejected because it contained the name of the site (without a description of why except, quote, “that password is too easy to guess”). I removed the word (reducing the entropy!) and it happily accepted it. – Soren Bjornstad Oct 16 '16 at 18:56
  • 4
    @Scott "at least one digit at a position other than the last character" still allows for `Scott1985` (guessing your year of birth here). – SQB Oct 16 '16 at 19:31
  • @SorenBjornstad That is to prevent people from entering `MyDefaultPasswordForSiteName`. Should the site ever have its passwords cracked, the attacker now knows the passwords that user will likely have used for _ThatSite_, _TheOtherSite_, and _ThatSocialNetworkSite_. – SQB Oct 16 '16 at 19:33
  • @SQB: True, but *(string-of-letters)* + *(one digit)* (e.g., `money1` or `password1`) is a disproportionally popular password pattern.  Just getting users to avoid that is a small improvement.  Yes, *(string-of-letters)* + *(string-of-digits)* is a problem, too, especially *(string-of-letters)* + *YYYY*, and prohibiting that (e.g., with a rule like “Must contain at least one digit *followed by a non-digit*”) would be even better.  The point is to force users out of their comfort zone without arbitrarily prohibiting (halfway) decent choices.  … (Cont’d) – Scott - Слава Україні Oct 16 '16 at 21:23
  • (Cont’d) …  (Of course, if the fifth rule were “Must not ***contain*** the Login ID”, as it should be, then `Scott1904` would be disallowed.) – Scott - Слава Україні Oct 16 '16 at 21:24
  • 2
    @SQB: given that Scott "first heard the argument thirty years ago", 1985 would have made him a fearsomely prodigious techno-baby... – JDL Oct 17 '16 at 10:30
  • 2
    @JDL He did say "heard", not "understood". – Dawood ibn Kareem Oct 19 '16 at 02:57
  • @Scott The negligible entropy from dispersion of bad passwords (99% of users will add an 'a' after the number) is negated by also banning good passwords. Here's some better advice: Don't restrict the password format, but do block the most common passwords, or better yet, block all [compromised passwords](https://haveibeenpwned.com/Passwords). – Fax Oct 02 '20 at 14:00
28

From experience, the Must not reuse previous 6 passwords rule may cause users to employ a password rotation scheme in which the current password cycles through something-that-fits-the-other-rules1 through something-that-fits-the-other-rules7, to make it easier on themselves when obeying the Must change password every 90 days rule that is common in corporate use.

Password cracking tools could use knowledge of this habit in devising passwords to guess.

The Must not contain number as the last character rule could be an attempt to circumvent such schemes to force users to choose new passwords that are significantly different from their old ones.

shoover
  • 381
  • 2
  • 5
  • 17
    Makes sense, but then the user will just be creative: Winter2016a -> NoYetSpring2016a -> Spring2016a -> Summer2016a -> NotYetAutumn2016a -> Autumn2016a -> Winter2017a -> ... – grochmal Oct 14 '16 at 22:29
  • 3
    I once worked in a place where people routinely added the month to passwords, as they were forced to change them every month. Eg. swordfish01 (in January), swordfish02 (in February) and so on. Made it easy to remember the password! – Nick Gammon Oct 14 '16 at 22:38
  • 4
    @grochmal, but that's a lot less predictable and thus harder to guess, so it's not really a problem. – jcaron Oct 14 '16 at 23:03
-4

Because programmers think about programming computers and not about how real people operate. They find themselves where they can wield arbitrary power, so they do, while forgetting what the real problem is. In this case the problem is "make the system safe in spite of people's natural behavior".

"Make the rules for passwords really complicated; make them change them every week" -- pretty much guarantees you can find the password on a Post-It note stuck on the monitor.