Funky password rules

Skip to first unread message

Alan Karp

Mar 17, 2023, 7:52:59 PM3/17/23
to <>
I finished going through the 292 sites included at  SitePassword can generate a legal password for all but 5 of them if you try a few nicknames.  One of the 5 gives you a password that you can't change, but SitePassword can handle that case thanks to Crock.

The appendix I wrote is below.

Alan Karp

Appendix 2: Computing a Valid Password

Many sites forbid using your name, user name, “common” words, keyboard sequences (qwerty, asdf) as part of your password, or a repeat of a previously used or similar password.  The chances of SitePassword generating such a password is vanishingly small.  The main requirement SitePassword doesn’t consider is rules that disallow sequences and repeats.  In these cases changing the site’s nickname will generate an acceptable password with high probability.

There is a list of 292 sites that have particularly dubious password rules.  Given the ability to generate a new password by trying a different nickname, SitePassword can generate a legal password in a few tries for all but 5 sites.  

  • Easybank passwords must start with 5 numbers, which SitePassword is unlikely to generate.  
  • Intellink disallows passwords that have any three characters or three numbers in a row, e.g., axqSalKd3239x is not acceptable.  SitePassword is unlikely to generate an acceptable password.
  • ME Bank passwords consist of all numbers, but a given digit can appear no more than 5 times.  There is only a modest probability that SitePassword will compute an acceptable 20-digit password.
  • Onleihe: Your password is your birthday, and you can’t change it.  SitePassword can store that password but clearly isn’t going to calculate it. 
  • Vancity Credit Union: Your password is all digits and must start with a 0.  SitePassword will calculate a valid password for 10% of the nicknames you try.

Rob Meijer

Mar 18, 2023, 4:09:39 AM3/18/23
to Design
For three of these, ZeroVault could have generated these passwords.

Have a look how a ZeroVault config would fix these three.

Basically it maps a domain to a mapping for generated passwords and generated account names. A mapping links a structure to a collection of alphabets.

Basically the 'structure' defines for every character in the account name or password from what alphabet it should be picked.

So for example this config defined that for the domain '' passwords have the same length as default passwords but should start with an uppercase character.  

In this example the mappings for username generation are more relevant to allowing to generate passwords for three of your problem points.  The user001 for example tries to use a structure of vowels and consonants that comes close to looking like a non-random blob of alphanumerics, and then closes with three numbers.

"user001" : {
"alphabets" : ["lc","lv","nm"],
"structure" : "01001010010222"

The alphabets used are lower case consonants (0), lower case vowels (1) and numbers (2).

So a generated username using the structure '01001010010222" might look something like:
dyfanokpir749 or kirtulerkaz294

If you add something similar, you should ba able to fix it for three of your use cases.

You received this message because you are subscribed to the Google Groups "friam" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
To view this discussion on the web visit

Alan Karp

Mar 18, 2023, 9:00:28 PM3/18/23
An interesting approach, but I don't know how to incorporate it without creating special cases for those websites.

Alan Karp

Douglas Crockford

Mar 19, 2023, 9:39:56 AM3/19/23
to friam
Is there a set of special characters that are accepted by (nearly) every site?

Alan Karp

Mar 19, 2023, 1:01:18 PM3/19/23
On Sun, Mar 19, 2023 at 6:39 AM Douglas Crockford <> wrote:
Is there a set of special characters that are accepted by (nearly) every site?

No.  In fact, many sites don't accept any special characters.

Alan Karp
Reply all
Reply to author
0 new messages