[It's time for my Bi-Annual Password rant... you know the one where I
yell at us programmers for building systems that don't allow someone to
enter a unicode or ascii character in a password. This is also
the rant where others tell me that I shouldn't use weird characters in
my password because it's easier to type an extra character...]

I have a piece of software that I'm trying to install on my box at
home... I will leave the company's name out of it but they sell a
product that tracks bug defects (which works) and this is a new 2005
version that includes a few more things that should help me ship on
schedule (there I have avoided using any of their product's
name). I'm using their free personal edition cause... well, I'm
just 1 guy... no need to buy one of their team editions (when they offer a single user for free).

Anyway, I have their
vs.net add-in installed and the next step is to get their
database creation tool to do its magic so I can start using the
tool... The problem is that I can't get the database to install
(which is not the point of this post). In the process of trying
to do so I decided to create a specific SQL User (SA type) to try the
install.... since it's a temporary user I like to add a special unicode
character (I've adopted unicode since we last ranted on this
subject)... the way you do this (or at least that I do it) is that I
hold down alt and type 4 digits on my number pad plus some normal
password I use... is this really, really secure... maybe (if you can
find a password cracker to look for it... you won't be dictionarying me
anytime soon that is for sure). I especially like to do this with
temporary users because I usually give them elevated privileges and
then kill them later... if the password is ridiculous I can let the user
exist for a little bit (either on purpose or accidentally).

So I create a really ugly looking password with unicode char(s) [ok,
you got me it's one unicode char]... I go to type this password in and
it refuses to accept the unicode character... come on! I should
be able to type in any character I want for a password... it's better
for everyone's overall security! And don't ask for the SA
password of my SQL Server and then tell me that I should probably
delete the account after you use it (this is in their troubleshooting
doc)!!!!

While I'm on the subject, I like to use phrases sometimes for my
passwords. That means spaces, numbers, and any kind of punctuation (I
can't tell you how many web sites I've been on that won't allow spaces
in passwords).  In fact I think I'm going to start embarrassing
people on this one. I need to be able to type any character in a
password... it makes it harder for someone to break in. I know
that the argument is going to be that they (the company with the web
site/service) have a really good security system that monitors failed
logins... the problem is that I don't trust you (and I don't really
know how secure your web site is). Please let me choose a secure
enough password that no one is going to take a dictionary cracker to
it...

[End rant for another 6 months or until I start embarrassing people and I will... you have been warned]