Earlier today, fellow Naked Security writer Graham Cluley pointed me at a fantastic April Fool’s story.
AT&T, the tall tale told, had introduced a policy that prohibited passwords that “contain obscene language.”
There was even a handy screenshot to add some vernal veracity (or autumnal authenticity in the Southern Hemisphere):
“Very droll,” I thought.
After all, it surely wasn’t true, since:
- How would they tell? (Computers aren’t yet that smart at understanding the nuances of human language.)
- Why would they care? (Passwords aren’t for other people to know.)
- Who would ever see it? (Passwords aren’t stored in plaintext. They’re salted and hashed.)
In short, unless a human, fluent in dozens of languages, were to review your choice, there wouldn’t be much hope of reliably and usefully detecting a password couched in obscene terms.
Anyway, no human except you is ever going to see your password in cleartext, and even you will probably only ever see it as a series of **** characters in a password entry dialog.
But it looks as though this is a true-but-wacky story rather than an April Fool.
Some of AT&T’s other limitations make sense, such as preventing your username and password from being the same, and checking against a list of commonly-used bad choices to urge you in the right direction when picking a new password.
For web-based logins, much of that sort of validation can be done in client-side JavaScript, so that poorly-chosen passwords never leave your browser but are rejected (presumably with some helpful explanation) straight off the bat.
But how, and for that matter why, would you go about weeding out every password that might contain obscene language?
Would you back yourself to write computer software that could sensibly detect text that “offends against moral principles” or is “repugnant”, in the no-nonsense terminology of the New Oxford American Dictionary?
Or would place names like Scunth0rp3 and M1dd13s3x fall feebly foul of the regulations, as they used to in the early days of naive obscenity filters?
Those are poor choices for passwords, if only because they’re words from a dictionary, or at least from a gazetteer. But they should fail on those grounds, not because they fall foul of some kind of substring or regular expression match against swear-words.
The problem is, of course, that a “no obscene language” rule introduces more concerns than it will ever solve, including the following:
- The more extensive the server-side obscenity checking, the more likely it is that the plaintext of your password will needlessly be written to disk or sent off to other run-time verification scripts.
- The desire to have visually inoffensive passwords raises the concern that the intention is to store them reversibly, accessible to support staff for password recovery purposes, rather than salted and hashed for safety.
- Many strong and randomly generated passwords will be rejected because they contain some sort of potential “obscenity”, thus needlessly reducing the available password entropy and assisting password crackers to skip over known-prohibited combinations.
In fact, a Twitter network engineer claims to have spotted this AT&T limitation when a randomly-generated password was rejected:
In short, it’s good to prevent your users from choosing obviously-risky passwords such as letmein and pa$$word.
But rules that illogically reject a potentially large swathe of letter and number combinations serve only to reduce the range of otherwise-excellent passwords available for use, and to simplify the task of password crackers in pre-filtering their own lists of password candidates.
And there’s that nagging suspicion that the requirement for “obscenity-free” passwords implies that someone else might see them some day and be outraged, or that they might end up mailed to you in plaintext and blocked by a naive spam filter somewhere on the way.
And that shouldn’t be possible, since your password shouldn’t be stored reversibly in the first place.
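As an added example (not AT&T's code, nor code from the article), the client-side checks the article calls sensible sit next to the kind of naive substring and subsequence filter it criticises, with a count of how much of the password space the substring rule discards. The common-password set is a constructed sample and the forbidden-token list uses benign stand-ins ("hash", "pants", "swim") in place of real obscenities.

```javascript
// Added example: sensible checks versus a naive "obscenity" filter, and the
// entropy cost of the latter. All lists are constructed for illustration.

// Constructed sample of a "commonly used" blocklist (a real one has thousands).
const COMMON_PASSWORDS = new Set(["password", "letmein", "123456", "qwerty"]);
const LEET = { "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a" };

// Undo symbol-for-letter substitutions so pa$$w0rd is caught as "password".
function normalize(pw) {
  return pw.toLowerCase().replace(/[$013457@]/g, (ch) => LEET[ch]);
}

// Checks the article calls sensible: username == password, and an exact match
// (after normalisation) against the common list. Returns a reason or null.
function sensibleCheck(username, pw) {
  if (pw.toLowerCase() === username.toLowerCase()) return "same as username";
  if (COMMON_PASSWORDS.has(normalize(pw))) return "too common";
  return null;
}

// Benign stand-ins for "obscene" tokens, borrowed from the comment thread.
const FORBIDDEN = ["hash", "pants", "swim"];
// The Scunthorpe-style rule: any token appearing as a substring rejects the
// whole password, however random the rest of it is.
function naiveSubstringCheck(pw) {
  const low = pw.toLowerCase();
  for (const t of FORBIDDEN) if (low.includes(t)) return `contains "${t}"`;
  return null;
}

// Looser still: the token's letters merely appearing in order, which is how
// the text adventure found "SWIM" in "CONFESS TO WAR CRIMES".
function containsSubsequence(text, token) {
  let i = 0;
  for (const ch of text.toLowerCase()) if (ch === token[i] && ++i === token.length) return true;
  return false;
}

// Entropy cost of the substring rule: enumerate every lowercase string of
// length n, count the rejections, and express the shrinkage in bits.
function entropyLoss(n, tokens) {
  const total = 26 ** n;
  let rejected = 0;
  for (let k = 0; k < total; k++) {
    const chars = [];
    for (let j = 0, x = k; j < n; j++, x = Math.floor(x / 26)) chars.push(String.fromCharCode(97 + x % 26));
    if (tokens.some((t) => chars.join("").includes(t))) rejected++;
  }
  return { total, rejected, bits: Math.log2(total / (total - rejected)) };
}
```

For short tokens the loss is small per token, but it grows with every token on the list and is exactly what a cracker can exploit by pre-filtering the same combinations.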
Hopefully their system for checking it's an actual rude word and not a string of characters somewhere is better than years ago. I remember looking for information about the movie Elvira – Mistress Of The Dark in Google where it also suggested looking up Cassandra Peterson. I searched that and got news stories and websites about rape which was disturbing. I realised what it had done when I looked at the letters as strings and noticed where some letters fall in order in the name cassandRA PEterson. Google has been around for years and is pretty refined but it still loves asking me "do you mean..", suggesting things when I haven't misspelt what I'm searching for.
Unless someone at AT&T is screening the passwords I can't see it working. The bigger worry there isn't rude passwords, but someone seeing them to screen everyone's password. Let's hope they don't start doing it to place names being offensive too, as Twatt or Ramsbottom will get denied too.
Way back in the day, a bunch of us were playing a war themed text-based adventure game together. One of its challenges was to get across a river, and nothing we could think of was working, usually because the game wasn't recognizing the ideas we were typing in.
Finally, one of us, for lack of anything better to try, typed in "CONFESS TO WAR CRIMES."
And rather than the game saying "I don't understand" — our protagonist promptly died.
We were baffled. There was *no way* the game designers would anticipate that phrase… was there?
I don't know how we figured it out, but we finally realized that in that phrase appeared the letters S, W, I and M in order. And swimming across the river was indeed one of the reliable ways to get yourself killed.
Imagine if AT&T's prudish password parser was that restrictive!
I’m amazed that any text adventure with a parser that unsophisticated was playable at all!
An obscene password is no bad thing. At least you're not going to divulge it in exchange for a chocolate bar to someone doing a survey on Paddington Station. How about if we change the rule to say that passwords are banned which, when salted and hashed, yield an obscene word? 😉
So did anyone ask AT&T what's up with this?
AT&T didn't comment to Nak Sec, but did send a comment to Ars Technica (who wrote this story up, too) saying:
—cut here—
To protect our customers, AT&T maintains a list of words that cannot be used as passwords because they are too commonly used, and therefore too easily guessed by third parties. That list includes, among thousands of other words, several that are obscene. They are therefore excluded from use in passwords not because they are obscene, but because they are commonly used. That said, the password instructions indicating that we don't allow obscene words to be used in passwords are unclear, so we are working to clarify them. Obscene or not, we recommend customers avoid common words when creating passwords.
—cut here—
It certainly *isn't* clear what AT&T means, since the instructions in the image above clearly say that passwords "can't contain obscene language."
That's not at all the same thing as the remark to Ars Technica saying "several [words] that are obscene" are disallowed "not because they are obscene, but because they are commonly used."
We shall have to wait to see what comes of AT&T "working to clarify" this – in particular, whether the ban on obscenity was ever related to plaintext storage of the passwords and the issue of repeating potentially offensive or embarrassing stuff over the phone.
If AT&T *doesn't* store the passwords and thus has no fear of obscenities being exposed, it would do well to say something like:
"We don't store the actual text of your password. We store what's known as a cryptographic hash instead. So we don't really care what your password looks like. But passwords that include many common words, including obscenities, or variants (e.g. pa$$w0rd), will be rejected because they're just too easy to guess."
There are probably times when you have to call AT&T on the phone and give them your password for some reason, and they don't want you spouting obscenities at their reps. (Or at least you won't have an excuse.)
Good luck calling ATT on the phone. Unless you have at least 15 minutes you want to burn and don't mind the wait, then go ahead and call ATT.
You'll love going in circles, talking with an electronic secretary before finally getting someone on the line who might speak English in a passing manner.
Under no circumstance should someone in a call centre EVER ask for your password.
If you suspect that might be the case, the best choice of password would be "what is your password", so that when the operator asks "what is your password" you can correctly respond "what is your password" – let hilarity commence!
(Less subtle readers may wish to suggest more obtuse options.)
"I'm sorry, could you repeat that?"
"My password is obscene"
Perhaps all passwords should contain obscene words; that would make it harder to social engineer passwords out of employees over the phone. It also might make people start to use longer passphrases to take advantage of the possible therapeutic benefit of venting through aptly describing a personal peeve when logging in. The most common password might finally change to something different, like "putthef$&|<inglidonthetoothpaste".
AT&T is clearly sticking its nose in where it shouldn't on this one, for all the reasons you've noted. It's ridiculous, silly, stupid and … worrisome.
I think AT&T will have you verbally verify your password when you phone in for help. I know Sprint does (or did last time I called them, which admittedly was more than two years ago). This does of course mean they have to keep a cleartext copy of the password around to show the person answering your call.
Then they're doing it wrong. Verbal passwords don't need high password entropy as you can't brute-force them the same way you can with online passwords. Worse, in selecting a password for speaking, you're going to try to avoid many of the rules of best practice for typed passwords, because how do you read out "IP4%88&m4k0" down the phone line?
Horses for courses, as they say.
You read that out as "Capital i as in ink, capital p as in Paul, the number 4, the percent symbol, the number 8, etc, etc." Customer service professionals should be trained to use either police or military codes such as "Adam, Boy, Charles…" or "Alpha, Bravo, Charlie…", for both customer service and to communicate uncommon names to each other. How else could they ask someone in another department to look up something on "Mr. Brian Moczygemba's payment information, please." So any commonly used word you give them to indicate the letter should, I repeat SHOULD, work across international boundaries. So even if a password might be offensive to another person, you should not be speaking the word anyway, you should be spelling it as I indicated above. Delta October Game is not the same as speaking the word "DOG".
However, I still agree with cassandratoday about "Did anyone ask AT&T what's up with this?"
See my reply to @cassandratoday above…
For some reason I am reminded of the story of the British bank who rejected a customer's "pants" password:
http://nakedsecurity.sophos.com/2008/08/29/lloyds…
Excellent post! Next time you cover this sort of thing please be sure to knock web sites that reject passwords greater than 10 characters as "too long", or don't accept every common symbol. The non-techie community hates passwords enough; don't reject a password for reasons having nothing to do with security…
I recall I spent many minutes figuring out why I couldn't register on a site (ironically, a software dev site), and only a phone call revealed it was my surname that was being objected to.
Ever had to ask a user their password over the phone for whatever reason? Or give yours? I wouldn't be surprised if that's the reasoning. (The debate on whether anyone *should* ever need that is another story.)
USPS filters their passwords. Try to create an account or change your password to a choice four-letter word and see what happens.
https://www.usps.com
If AT&T's excuse for excluding "obscene" passwords is that the user might have to speak it over the phone to a service rep, then the entire system is a FAIL. That's what multiple security questions are for, and those questions (and their answers) should be stored separate from the passwords. No one (except the user) should ever know or see a password.
Why the heck is anyone (even AI software) reading any passwords anyway? Testing to meet requirements such as length and mix of case, numbers, letters, symbols, I can get, but reading the words? These are not status license plates for cars, they're freaking PASSWORDS! Though anyone stupid enough to use guessable expletives, such as one might think up when they can't remember their password, gets what they deserve anyway.
So, Paul / Graham, as per cassandratoday; has anyone (tried) to do a follow up with AT&T??
If they were able to tell us whether the obscenity checking is done server- or client-side, that would be a big step forward.
I'm not going to hold my breath though.
As for the 15 minutes mentioned by gregbacon, that's peanuts. You don't know how well off you are.
See my reply to @cassandratoday above…
It would be nice if AT&T were to clarify that the passwords aren't stored, which is what they seem to have suggested so far.
That list of passwords that they can’t have would be huge, as every country has its own set and even different areas will have different obscene language.
You are also allowing passwords to be 2 out of the 4 character sets, not 3, and a min of 6. Why not up these before controlling what words in the password people can have?
Yep. There's a big difference between "obscene language" and "contains an embedded swear word" 🙂
Presumably they don't hash passwords because of the drug reference …