The FreeScan user registration is a joke!
In the form it states:
Create Password (8-12 characters)
I'm using a password vault software to store my passwords. It generates random ones on a button click. I clicked and got a nice 15 character password. The form gave me an error, which is obvious. There were too many characters. WHAT #1?! Yeah, sure. According to this security company it is not ok to have proper passwords.
The fix for that is easy, just remove the last 3 characters and it should comply with the length limitation. New try and:
Password must be more than 8 characters and must contain at least one number or special character.
WHAT #2?! My password has more than 8 characters. It has at least one number and special character.
Without compromising my security, I can reveal that the 15 character password I attempted to use was: l0olo;8^h!WGQQB
It should easily be acceptable in any policy. Funnily enough, a similar random password is ok for this forum. WHAT #3?! Consistency?
A little bit of de-obfuscating their minified JS code reveals that the real password policy is checked with the following regexp:
The cryptic string translates as:
- The password length is from 8 to 200 characters.
- There must be characters from two groups:
  - alphabet: a-z A-Z
  - numbers: 0-9 any of the following special characters: !@#$%^&*
It was the semicolon in my password. It is not in the group of allowed special chars. WHAT #4?! If you require special chars, why does your error message not state that?
Qualys: fix that, please.
Computer security enthusiast
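
An added example, not part of the original post and not the site's own code: a validator for the policy as the bullet list above describes it, reporting which rule a password actually breaks instead of one generic message. The function name, the messages and the reading that any character outside the listed groups is rejected are assumptions of this example; the site's real regexp is not reproduced here.

```javascript
// Added example: policy reconstructed from the post's bullet list (assumption),
// not the regexp used by the site.
const MIN_LEN = 8;
const MAX_LEN = 200;
const ALLOWED_SPECIALS = "!@#$%^&*";

// Returns { ok, problems, rejected } so the form can tell the user exactly
// which rule failed and which characters are not accepted.
function checkPassword(pw) {
  const problems = [];
  const rejected = new Set();
  let hasLetter = false;
  let hasDigitOrSpecial = false;

  if (pw.length < MIN_LEN) problems.push(`must be at least ${MIN_LEN} characters`);
  if (pw.length > MAX_LEN) problems.push(`must be at most ${MAX_LEN} characters`);

  for (const ch of pw) {
    if (/[a-zA-Z]/.test(ch)) {
      hasLetter = true;
    } else if (/[0-9]/.test(ch) || ALLOWED_SPECIALS.includes(ch)) {
      hasDigitOrSpecial = true;
    } else {
      rejected.add(ch); // e.g. ';' is outside both groups
    }
  }

  if (!hasLetter) problems.push("must contain a letter (a-z, A-Z)");
  if (!hasDigitOrSpecial) {
    problems.push(`must contain a digit or one of ${ALLOWED_SPECIALS}`);
  }
  if (rejected.size > 0) {
    problems.push(
      `contains characters that are not allowed: ${[...rejected].join(" ")} ` +
      `(allowed specials: ${ALLOWED_SPECIALS})`
    );
  }
  return { ok: problems.length === 0, problems, rejected: [...rejected] };
}

// The post's password, cut to 12 characters as described, and the full 15.
for (const pw of ["l0olo;8^h!WG", "l0olo;8^h!WGQQB", "l0olo8^h!WG"]) {
  const r = checkPassword(pw);
  console.log(pw, r.ok ? "accepted" : "rejected: " + r.problems.join("; "));
}
```
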