14

Today, on an official government website, I came across the following password rules:

"Your password has to be at least 8 characters long. It can't have any blank spaces. It has to use characters from at least three of the following sets:"

  • Upper case letters A-Z
  • Lower case letters a-z
  • Numerals 0-9
  • Special characters #?!@$%^&*-
  • Your password can't start with #.

Perhaps I'm massively overthinking this, but what's the rationale behind not allowing passwords to start with a '#'? This screams improper handling of passwords to me. Assuming the passwords are actually properly stored, why would it matter? Why specifically '#' and not any other of the permitted special characters?

Hazsi
  • 141
  • 1
  • 3
  • 8
    There is no security reason for such a restriction. It may be caused by the opinion of the person who decided that. It may be caused by some tradition in a specific region like the USA. And so on. You should ask on that site about this requirement. Here you will get only opinion-based answers. That's why I suggest closing the question. – mentallurg Apr 23 '23 at 11:18
  • 8
    Only rule I know is you're not allowed to end your password with "; drop table PASSWORD :) – Harper - Reinstate Monica Apr 23 '23 at 23:35
  • It's possible the passwords like #this were all generating the same hash and thus caused the admin to notice (hence the restriction). However, a password like#this, while generating a different hash than an empty string, might have the same hash as like or like#th. Might be worth testing ... and reporting to the admin if you find something. – CaffeineAddiction Apr 24 '23 at 00:51
  • 5
    #hashtags #are #everywhere #nowadays #so #they #are #as #insecure #as #words #in #a #dictionary - #safepasswords – Thomas Weller Apr 24 '23 at 07:08
  • 2
    @ThomasWeller while preventing hashtags is an interesting thought, how is that any different from, you know, just using dictionary words? And how much of a "problem" is there for using a hashtag format in a password? – schroeder Apr 24 '23 at 08:16
  • 1
    @ThomasWeller - I'd also argue the common mypassword! with exclamation mark at the end should be banned for this reason. - I'd argue this is a poor encoding practice – lupe Apr 24 '23 at 11:15
  • 5
    Speaking as someone who spent 7 years working for government... the answer is almost certainly "because the system was written 10-20 years ago by Ted the office guy cosplaying as an IT pro because they couldn't afford a real one back then and they can't now either". Government salaries are rigidly controlled and difficult to update to react to changing market conditions; even if they have multi-million dollar budgets in that department they quite likely aren't allowed to spend it on personnel. – Jared Smith Apr 24 '23 at 13:53
  • 1
    Shell scripts treat lines that start with # as comments. Possibly related? – Mooing Duck Apr 24 '23 at 16:01
  • @MooingDuck interesting thought – schroeder Apr 24 '23 at 16:42

2 Answers

31

Perhaps I'm massively overthinking this, but what's the rationale behind not allowing passwords to start with a '#'? This screams improper handling of passwords to me.

There is no other reason than bad handling. This may of course be due to some legacy system that doesn't handle this, but there's no security reason to disallow that character as the first character.

vidarlo
  • 16,078
  • 2
  • 46
  • 59
  • 3
    Note the other completely banned special character: '+'. I'll bet there is or was a mainframe in that system somewhere. – Skrrp Apr 23 '23 at 22:36
  • 13
    Or the rule was legacy and was simply copied because nobody actually documents why the rule was made in the first place. – Nelson Apr 24 '23 at 03:50
  • @Skrrp it's not clear it is banned, just that it's not a member of a required set - along with "_='/~\£µ€ and many more, plenty of which can be entered easily from many keyboard layouts. – Chris H Apr 24 '23 at 12:45
  • 1
    @user253751 Skrrp was referring to +, which doesn't appear in the question thus we have nothing clear either way. The requirement reads "has to use characters from at least three of the following sets"; characters not in those sets are neither required nor banned by the text. And if + was banned, my other examples would be too, while Skrrp wrote "the other completely banned..." – Chris H Apr 24 '23 at 15:06
20

Password rules are notorious for often containing all kinds of bizarre restrictions, as this site shows. The rule might exist for any of the following reasons.

  • It could be a historical artifact. Maybe at some point in the past, there was an issue with the hash character, or somebody thought there was a problem, so the rule was added as a workaround and never reconsidered since.
  • It could be an arbitrary decision. I've seen people in various communities ask, for example, how to reject passwords which start with a digit. They didn't do this to solve any actual problem. They just somehow decided that passwords should follow a certain pattern.
  • In the worst case, there is in fact a problem with handling passwords. This would indicate a fundamentally broken system, because the only legitimate thing to do with a password is hash it with a specialized algorithm like bcrypt, scrypt or Argon2, none of which has any issues with the hash character. Plaintext passwords absolutely do not belong in a file, a database, a shell command or any other context where special characters might matter.
Ja1024
  • 5,769
  • 14
  • 21
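As an added example (not code from the site or from any of the answerers), the following Python shows what correct handling looks like for both points raised on this page: the quoted policy from the question (8+ characters, no whitespace, three of the four character sets, and deliberately no rule about a leading '#'), and Ja1024's point that a password only ever goes into a purpose-built hash. It uses `hashlib.scrypt` from the standard library; the cost parameters (`n=2**14, r=8, p=1`) and the `scrypt$salt$hash` storage format are assumptions for illustration, not a recommendation for any particular deployment. `hash_prefix_is_preserved` is a self-check for the failure mode CaffeineAddiction speculated about: with a fixed salt, a password with a leading or embedded '#' must hash differently from its '#'-truncated form, and the '#'-prefixed password must verify only against its own hash.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import re
from typing import Callable, Optional

# The four character sets from the quoted policy. The "can't start with #" rule is
# intentionally absent: a properly hashed password has no reason to care about it.
_CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[#?!@$%^&*\-]"),
}

# Assumed scrypt cost parameters (illustrative; tune for your own hardware).
_SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def check_policy(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems: list[str] = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if any(ch.isspace() for ch in password):
        problems.append("contains whitespace")
    matched = sum(1 for rx in _CLASSES.values() if rx.search(password))
    if matched < 3:
        problems.append(f"uses only {matched} of the 4 character sets (need 3)")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hash with scrypt and return the assumed 'scrypt$<salt hex>$<digest hex>' record."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **_SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    scheme, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        raise ValueError(f"unsupported scheme: {scheme}")
    candidate = hashlib.scrypt(
        password.encode("utf-8"), salt=bytes.fromhex(salt_hex), **_SCRYPT_PARAMS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def hash_prefix_is_preserved(
    hasher: Callable[[str, bytes], str] = hash_password,
    verifier: Callable[[str, str], bool] = verify_password,
) -> bool:
    """Self-test: nothing in the pipeline may treat '#' as a comment marker.

    Uses a fixed salt so that only the password text drives the digest. Every pair
    below differs only by a '#' and whatever follows it; if any pair collides, or if
    the truncated form verifies against the full password's hash, something between
    the login form and the hash function is stripping '#...' and the check fails.
    """
    salt = b"\x00" * 16  # constructed fixed salt, for the comparison only
    pairs = [("#Correct1", "Correct1"), ("like#This1", "like"), ("like#This1", "like#th")]
    for with_hash, truncated in pairs:
        if hasher(with_hash, salt) == hasher(truncated, salt):
            return False
    stored = hasher("#Correct1", salt)
    return verifier("#Correct1", stored) and not verifier("Correct1", stored)


if __name__ == "__main__":
    for pw in ("#Secure9x", "#secure", "Correct Horse1"):
        print(repr(pw), "->", check_policy(pw) or "ok")
    record = hash_password("#Secure9x")
    print(record)
    print("verify:", verify_password("#Secure9x", record))
    print("'#' survives the pipeline:", hash_prefix_is_preserved())
```

The policy check and the hash step are kept separate on purpose: the policy is a string check that runs once at enrolment, while the hash is the only thing that is ever stored or compared. If a real system needed the `hash_prefix_is_preserved` check to pass, that is a useful regression test to keep; if it ever fails, the defect is in whatever transports or normalizes the password before hashing, not in scrypt, bcrypt or Argon2.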