Password Strength Meters on Websites Are Doing a Terrible Job (theregister.co.uk) 148
An anonymous reader shares a report on The Register: Password strength meters used during web sites' signup process remain incapable of doing their job, says Compound Eye developer Mark Stockley. Indeed, a majority of security experts consider the tools a useless control that grant little more than an illusion of protection. Stockley revisited his examination of five popular password meters and found they failed to prevent users from entering the world's worst passwords. "You can't trust password strength meters on websites," Stockley says. "The passwords I used in the test are all, deliberately, absolutely dreadful ... they're chosen from a list of the 10,000 most common passwords and have characteristics I thought the password strength meters might overrate." The basis for his argument is that the meters rate character complexity but fail to identify those combinations that can be guessed outright such as popular passwords or those based on cliches.
well... (Score:2)
Re:well... (Score:5, Informative)
It depends on what you call technically strong. As https://www.xkcd.com/936/ [xkcd.com] indicates, it is not intuitively clear which passwords are strong. Humans have a terrible instinct when it comes to entropy in data and therefore need to be guided in choosing a password. This often results in a check for length (which is a good thing), but also requirements for capitals, numbers and special characters (which is often used poorly). The result is that people will use passwords like Welcome0! which can be figured out by many people simultaneously and therefore is a weak password.
The 'technical' strength of a password is connected to its entropy. Using a password that satisfies some byzantine requirement, but does not contain enough entropy, is also weak in the technical sense. "Correct horse battery staple"-like passwords are strong, "Correct horse battery staple" itself is incredibly weak, thanks to Mr. Munroe.
Re: (Score:3)
The result is that people will use passwords like Welcome0! which can be figured out by many people simultaneously and therefore is a weak password.
/me changes all his passwords to Welcome1@
Re: (Score:2)
Humans have a terrible instinct when it comes to entropy in data and therefore need to be guided in choosing a password. This often results in a check for length(which is a good thing), but also requirements for capitals, numbers and special characters(which is often used poorly).
The humans who are poor at math are terrible anyway however most password strength meters are just as bad if not worse.
I use a random number generator to create hexadecimal passwords assuming that each character is worth 4 bits of entropy. So with 128 bits or more of entropy in my password, guess how many password strength meters say it is too weak - all of them.
Re: (Score:2)
Using a dictionary and 2-3-4-5 word phrases is much more useful.
If you really must, use "Correct%Horse$Battery#Staple" and just put "%$#" on the post-it stuck to your keyboard - but XKCD is basically correct - we're telling people to use Pa55w0rdZ that are easy for machines to crack and difficult for humans to remember (and generate).
Can't passwords just die? When you only had a couple of passwords and "fludbunk37" was sufficiently strong they were fine, but now I've got dozens of passwords like "UoFytNd7vB9qqK". Now- since I'm completely reliant on my computer to rem
My code is called (Score:4, Funny)
populate_mah_rainbow_tables.js
Humor aside, people should never, ever, ever never type their real password into a site "checking strength". My humor has a whole lot of reality involved.
Re: (Score:2)
Many web sites have a built-in "strength verifier" tool as you create your account. For instance, I saw one inside cPanel the other day while creating a new user for a database. Yeah, going to a third party is a terrible idea, but I think this is about the built-in tool on the site you're genuinely using.
Re:well... (Score:4, Insightful)
The problem is one of usability.
Imagine a good password checker, which actually does some proper calculation of entropy.
User types in password "Password1".
Checker reports "password not strong enough".
The user says "Welll... it contains 8 chars, a capital and a number, that's usually enough" and tries "Password_1".
Checker reports "password not strong enough".
"Uhm... what more do I need to do?" the user thinks, "It doesn't tell me what's missing" and tries "ThisIsMyPassword_1!"
Checker reports "password not strong enough".
User gives up and signs up for a competitor's service.
The problem isn't that improving password checkers is hard (it's not), the problem is that it's nearly impossible to give the user feedback that actually helps them.
I made a password generator which tries to do some sort of entropy calculation: http://random.toyls.com/ [toyls.com].
When I tried to implement the same calculation for a password checker on a website, I ran into exactly these kind of usability problems.
Explaining you need 8 characters, at least 1 capital and 1 digit is easy. Explaining a more involved algorithm is not.
Re: (Score:2)
The problem isn't that improving password checkers is hard
It actually is kind of hard. There is no way to "calculate entropy" when you don't know how the password was generated in the first place. I could be using a completely random ASCII generator and there is some chance that I will get the password "password", which regardless is not a good password. There were some papers at USENIX this year about password strength meters where they use machine learning to judge the strength of a password but, no, it is not exactly easy.
Re: (Score:2)
Making a "perfect" version of anything is hard. Making a password strength checker that is (far!) better than the common "at least 8 chars, 1 caps, 1 digit" isn't.
Re: (Score:2)
User types in password "1518af791aace80b4b06f6cde0d4a12a"
Checker reports "password not strong enough"
Re: (Score:2)
I remember my old college Vax system would throw an error if your password was in the dictionary. The strength meter does not have to exclusively say "weak" and leave it at that, it could say "do not, under any circumstances, allow 'password' to be in your password, you idiot" and then there's no confusion at all.
The Vax system failed in that respect, in that the error it returned was pretty confusing. I do not remember the details after this long, but it was missing some helpful words and came out like: "P
Re: (Score:2)
True, but sometimes the result is hilarious. I started using base64(random(32 bytes)) as password for some sites, and it seems 256 bits of entropy give me only a 'medium' level of security.
The JavaScript probably figured out that your RNG wasn't properly seeded.
What if... (Score:1)
... a password is technically strong, yet popular?
Re: (Score:2)
Once it is popular the technical strength becomes irrelevant.
Re: (Score:2)
The strength of a password is its difficulty to guess. A popular password cannot be strong.
What is misleading is that for the last 15 years now, stupid security has been around and promoting passwords with special characters, numbers, uppercase, ... touting those as "Strong" passwords. Well, that would be true if they were random. But they are not.
If your brute force cracker is as stupid as those meters, yes, it will be hard to find Password1!. But if you're running a list of common password or using stat
Re: (Score:2)
Oblig (Score:2, Insightful)
Yeah (Score:1)
Tr0ub4d0r&3 passed with flying colors at http://www.passwordmeter.com/ [passwordmeter.com]. That (and its close variants) really should be in the "common passwords/automatic fail" bin for all password checkers.
On the other hand, the same site gave correct-horse-battery-staple a score of only 25%, which means "this is a weak password."
Re: (Score:2)
That one has always bothered me. The logic is all fucky
The first example, Tr0ub4dor, assumes that the attacker can guess random words, and get a "warmer ... colder" reading, until they guess Troubador (which a dictionary attack probably wouldn't, cuz it's spelled Troubadour, but I digress) and then just make common substitutions from there
In the second example, why do all 4 random words have the same amount of entropy? Sure, in a dictionary attack, each word is equally difficult to guess, but now we assume
Re: (Score:1)
>"... the attack knows to randomly mix 4 dictionary words?"
Munroe did it that way to minimize his estimate of strength to make his point more resistant to quibbling. He grants that if his method is commonly used, the crackers will include attacks that guess four common words. He also underestimates the number of words in the pool at 2048 - it is easy to double or quadruple that. Many people misunderstand his point, and think that the strength of four random words is based on its length in characters (whi
Re: (Score:2)
Except that reducing the scope by such a drastic and arbitrary amount makes it less resistant to quibbling.
Sure, his point is valid if you only know ~2000 words. There are more than 2000 unique words in this comments section
To further invite more quibbling: was Troubador in the list? I don't think so... it was worth 5 more points of entropy by qualifying as "uncommon." Apparently there exists a separate arbitrarily small dictionary of uncommon words in addition to the arbitrarily small dictionary of comm
Re: (Score:1)
The 4 random words are random, i.e. taken randomly from a dictionary of 2048 common words.
Re: (Score:2)
The Second Edition of the 20-volume Oxford English Dictionary contains full entries for 171,476 words in current use, and 47,156 obsolete words. To this may be added around 9,500 derivative words included as subentries.
You're right, it's easy to double or triple his pool. Or centuple. He's off by a factor of roughly 110 (or 84 if you only count full entries, but let's not split hairs).
Not sure if that changes the outcome or not.
Re: Oblig (Score:1)
The Diceware.com word list has 7776 entries, all short for easier entry. Chosen randomly with dice that's 12.9 bits of entropy per word.
Hashes can't protect WEAK passwords from offline (Score:2)
> properly encrypt/salt the database to protect against offline attacks
Strong hashes, properly salted, ARE important*. However protection from offline attacks requires BOTH a strong salted hash (~encryption) AND a strong password.
A good hash means that given the hash, you can't get the password BY REVERSING THE HASH. However, if you can GUESS the password, there's no need to reverse the hash; you just guessed the password correctly.
* On Linux, you can get a strong salted sha256 hash by using crypt()
Re: (Score:2)
I love Randall Munroe as much as the next guy, but that comic is no longer correct [schneier.com]. Please don't take it seriously
Re: (Score:2)
While he might be correct, he loses point here:
There's still one scheme that works. Back in 2008, I described the "Schneier scheme":
"Try my method, that's named after my name, I promise it's the only method that works. And it's on the website that's myname.com."
That's one step shy of a buzzfeed headline: "Fool hackers with this one neat trick"
Re: (Score:1)
You always assume that the cracker knows your trick. It seems that Schneier doesn't grasp the concept of entropy. 44 bits are 44 bits.
Re: (Score:1)
Re: (Score:2)
Re:Oblig... for the AC (Score:1)
https://xkcd.com/1053/ [xkcd.com]
Re: (Score:2)
Diet coke and Mentos? :)
Water is wet, fire is a chemical reaction... (Score:2)
What sucks is this obviously lulls people into thinking they've got a great password when a password like "1PaR0fSt1nkYS0cks!" while it'll get a strong rating... isn't strong...
Re: (Score:1)
Was that in a TV show or something? It seems reasonably secure against naive brute force.
Re: (Score:2)
... when a password like "1PaR0fSt1nkYS0cks!" while it'll get a strong rating... isn't strong...
Actually that seems like a fairly decent password. 18 chars long, with numbers, upper- and lower-case letters and a punctuation character.
Yes, it could be better, but it won't be guessed by a brute-force dictionary attack and the length alone is going to defeat a lot of password cracking scripts.
Re: (Score:1)
Numbers and upper- and lowercase letters and punctuation are not needed. Just add another word: "onepairofbluestinkysocks" has as much entropy (or more) as "1PaR0fSt1nkYS0cks!"
Anyway, grammatical sentences need to be much longer to have 44 bits of entropy.
Re: (Score:2)
Darnit, now I need to change my passwords... thanks a lot for publishing my awesome password.
The problem with these meters (Score:1)
Re: (Score:2)
If the password is long and uses a lot of characters, it will be harder to remember, which leads to it being written down.
Not really. Think of a phrase and use an algorithm.
(leaving spaces for clarity)
Mets Rule Yankees Drool are 20 characters - that's pretty strong in and of itself
substitute $ for s, 3 for e, and 0 for o and you have
met$rul3yank33$dr00l is easy to remember, easy to type and is pretty damn safe.
Re: (Score:2)
This is basically what I do, but with a theme: my phrase is always a line that I would have delivered in a movie, had I been a character in that movie. I can leave myself hints like "Heat" or "12 Monkeys" and because the line doesn't appear in the movie, even feeding the whole damn screenplay into a brute-force program won't work.
Re: (Score:1)
I contest that it is easy to remember, easy to type, and safe.
* Your proposed password is not safe because it is vulnerable to a dictionary attack. Modern dictionary attacks use common substitutions like these.
* It is not easy to remember because you need to remember the substitution pattern you used
* It is not easy to type because no one ever types those words except in this password.
'mets rule yankees drool because I grew up watching the mets with my dad and we had a lot of fun' would be safer, easy to ty
Re: (Score:2)
The issue here is knowing who your attacker is. If the attackers are random (albeit professional) thieves then what you need to do is make your password too difficult to bother with.
They will run the passwords through a bunch of attempts. After a while they will get to a point of diminishing returns and give up. I'm pretty damn sure that 20 characters (even if they are in a dictionary) will do just fine. (To
Re: (Score:2)
If there's some minimum threshold of complexity, which is often tied to the meters, that reduces entropy.
Ding.
Limiting the space of possibilities reduces the entropy every time.
Re: (Score:2)
The opposite can be true too: my intranet systems at work are firewalled off from the general internet, so nobody cares how well a rainbow table in East Asia can work on our passwords, but coworkers or customers seeing our passwords is a serious matter.
Except for the one that doesn't (Score:5, Informative)
At first I was all like, so the security expert can tell me that some of these password meters rate things like "p@ssword" as secure when they're obviously not, but they're not /quite/ expert enough to come up with a better tool that can more accurately gauge password strength?!@
Then I read the article; lo and behold, the author actually points out an open source tool called zxcvbn [github.com] by Dropbox that is actually good at it (or at least, doesn't suck on the harsh battery of tests that these products were subject to (basically just running five passwords through six different meters)).
tldr: use zxcvbn
Re: (Score:1)
Re: (Score:1)
not to mention that now everyone knows it!
Re: (Score:2)
When I last evaluated zxcvbn (2 years ago) it was, however, a denial of service waiting to happen: it tries to estimate entropy by brute forcing its way through a bunch of different strategies for predicting structures in passwords. At the time it was possible to let a single (server-side) check take minutes of CPU time by carefully constructing your password. It may have improved, but I'd be careful if you really want to deploy it. Preferably use some client-side port; at least that way you just chase awa
Re: (Score:2)
What do you mean, "use some client-side port"? The original zxcvbn is written in JavaScript. It's already usable client-side without porting.
Managed Risk (Score:2)
A lock only keeps an honest man honest. Same goes for a password. While a more complex password will do the job much better, as does a better lock, neither will keep out someone who wants to get in. Rather than meaningless password strength meters next to the password box, there should be some graphic that helps create or suggests stronger passwords. It may not prevent them from using more common passwords or phrases but it might better get their attention. On the other hand, some people just don't care eno
Enforced Weakness (Score:2)
Some of these "password requirements" actively force weaker passwords, in that they enforce a maximum length! I've seen some that force a 12 character maximum, making the xkcd 4 common word technique unusable, especially since they often stupidly require mixed case and a numeric and a special char.
Re: (Score:3)
Some of these "password requirements" actively force weaker passwords, in that they enforce a maximum length! I've seen some that force a 12 character maximum, making the xkcd 4 common word technique unusable, especially since they often stupidly require mixed case and a numeric and a special char.
My personal favorite was the bank that required my password to have exactly one number, at least one upper case character and exactly one special character. With a maximum length of 8 characters.
Chuck Norris. . . (Score:1)
. . . .uses his name as a password. Because NOTHING can break Chuck Norris. . . .
Length damn it! (Score:5, Interesting)
I spent 15 years developing and writing password / pass phrase security tools used on a huge number of web sites. I analyzed millions of brute force and dictionary attempts, as well as the offline tools.
In my professional opinion, where strength meters and password policies most often fail is that they greatly underestimate the importance of length. I recently encountered a site which required:
8-12 characters
Must include upper and lower case
Must include digits
Must include punctuation
Well we've all been taught since 1st grade or so that punctuation goes at the end of a sentence, and the first letter is capitalized, so most passwords on the system are of the form:
Capital lower lower lower lower lower lower digit punctuation.
Since the whole password is 8-12 characters, to get the digit and punctuation at the end you need a word that is 6-10 letters. Passwords are pretty predictable on that system. According to their policies, these are good passwords:
Password1!
Passw0rd!
But this is a horrible password that anybody can guess:
YRNKBV JSYZCXPRM ZOXADEKO JARQYTLY
OFOFBQ VKGDOSUE XFEUJQOHG TZBVHQIA WSBQHKVD SPIODPL
Allow and encourage long pass phrases. (Also encourage the term "pass phrase", not "password".) Making your pass phrase a tiny bit longer adds much more security than switching the number 0 for the letter O.
Ever heard of 2048 bit security? Or 1024 bit keys? That's how security professionals talk about strength - X number of bits. Those numbers refer to the LENGTH of the keys (passwords). That's what's most important above all.
See also:
http://imgs.xkcd.com/comics/pa... [xkcd.com]
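An added example, written for this thread and not taken from any commenter or from zxcvbn, of the kind of checker several posts above argue is not hard to build: it undoes common substitutions before looking the result up in a common-password list, flags the "capital word + digit + punctuation" shape this post describes with an effective rather than nominal bit count, treats hex output of an RNG as 4 bits per character, and only then falls back to the length-times-alphabet estimate naive meters use. The common-password set, the 100,000-word attacker dictionary, the 42-symbol tail alphabet and the 60-bit threshold are constructed assumptions, not measured figures.

```python
import math
import re

# Constructed stand-in for the "10,000 most common passwords" list the summary
# mentions; a real check would load the full list (and ideally breach corpora).
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "welcome", "letmein", "monkey",
    "trustno1", "troubador", "correcthorsebatterystaple",
}

# Substitutions that cracking rule sets undo as a matter of course
# (Welcome0!, Passw0rd! and met$rul3yank33$dr00l all depend on them).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "$": "s", "@": "a", "!": "i"})
# Characters stripped from both ends before the lookup (digits, space, ASCII symbols).
PUNCT = "0123456789" + r""" !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~"""

DICT_WORDS = 100_000   # assumed size of an attacker's wordlist (an assumption)
TAIL_ALPHABET = 42     # 10 digits + 32 printable ASCII symbols a tail char can be
MIN_BITS = 60          # assumed acceptance threshold for the nominal estimate

# The shape the thread's "Capital lower lower ... digit punctuation" policy yields:
# a single word, capitalised or not, plus one to three trailing digits/symbols.
WORD_PLUS_TAIL = re.compile(r"^(?:[A-Z][a-z]+|[a-z]+)([\d\W_]{1,3})$")


def normalize(password):
    """Reduce a password to the word a cracker's rules would recover from it."""
    core = password.lower().strip(PUNCT)   # drop the Password1! style decorations
    core = core.translate(LEET)             # undo 0->o, 4->a, $->s ...
    return re.sub(r"[^a-z]", "", core)      # keep just the letters


def nominal_bits(password):
    """Upper bound: length x log2(alphabet size), i.e. what naive meters rate."""
    if re.fullmatch(r"[0-9a-f]+", password):   # hex output of an RNG: 4 bits/char
        return 4.0 * len(password)
    classes = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 32)]
    alphabet = sum(size for pat, size in classes if re.search(pat, password))
    return len(password) * math.log2(alphabet)


def check_password(password):
    """Return a verdict, an entropy estimate in bits and a hint the user can act on."""
    if normalize(password) in COMMON_PASSWORDS:
        return {"verdict": "common", "bits": 0.0,
                "hint": "this is a well-known password with decorations crackers "
                        "strip first; pick different words"}
    m = WORD_PLUS_TAIL.match(password)
    if m:
        tail = len(m.group(1))
        # Effective keyspace: one dictionary word times the tail alphabet per tail char.
        bits = math.log2(DICT_WORDS * TAIL_ALPHABET ** tail)
        return {"verdict": "predictable", "bits": bits,
                "hint": "one word plus %d trailing digits/symbols is a shape cracking "
                        "tools try early; add two or three more words" % tail}
    bits = nominal_bits(password)
    if bits < MIN_BITS:
        return {"verdict": "short", "bits": bits,
                "hint": "make it longer: each extra character helps more than "
                        "swapping letters for symbols"}
    return {"verdict": "ok", "bits": bits,
            "hint": "no obvious weakness found (the estimate is an upper bound)"}


if __name__ == "__main__":
    for pw in ["Passw0rd!", "Tr0ub4d0r&3", "Giraffe7!", "NCC-1701",
               "1518af791aace80b4b06f6cde0d4a12a", "ThisIsMyPassword_1!"]:
        r = check_password(pw)
        print("%-34s %-11s %6.1f bits  %s" % (pw, r["verdict"], r["bits"], r["hint"]))
```

Note that "NCC-1701", which the meters further down rate as strong, comes out as "short" here, while the 32-character hex string another commenter complains about is credited with its real 128 bits.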
Re: (Score:3)
Human factors and industrial engineering turns out to be important when working on systems used by humans.
This is the biggest argument for open source software. Security software is important software. It should work, do so correctly and be able to survive audit or exposure. Do you re-implement printf(3) to write a web page? (Usually no, but I've seen some interesting stuff. Ask a veteran C pro
Re:Length damn it! (Score:4, Insightful)
What's worse are the "hint" questions, like "What elementary school did you go to?" or "What city did you live in when you were 10?"
The answers can often be uncovered with a little detective work.
So when they ask me shit like "What elementary school did you go to?", I put something like, "Jm36*gdt22(ILD$".
No amount of detective work is going to "uncover" that.
Re: (Score:2)
I can't tell you the number of problems I run into trying to fill in the answers to those question when dealing with login security.
I went to two elementary schools, had 3 pets as a kid, etc. Even when I know the right one, I forget exactly how I might have filled it in, capitalized it, etc.
Re: (Score:2)
Always use the first for anything that you had multiple items. Only use proper capital case and the long form of a word. You live in Fort Worth, not Ft. Worth. Or Fon du Lac not fon du lac or Fon Du Lac. Your first pet was Mister Pickles.
Just always think, what's the most proper way of doing it. It's not hard here people.
Re: (Score:2)
So when they ask me shit like "What elementary school did you go to?", I put something like, "Jm36*gdt22(ILD$".
No amount of detective work is going to "uncover" that.
Well, that USED to be the case....
Re: (Score:3)
So when they ask me shit like "What elementary school did you go to?", I put something like, "Jm36*gdt22(ILD$".
No amount of detective work is going to "uncover" that.
Well, that USED to be the case....
It's true, I'm a proud graduate of Jm36*gdt22(ILD$ Elementary school.
Re: (Score:2)
And then there are the merchants who not only suddenly require security questions, but demand you change the questions every few months.
My usual answers rotate between obscenities. . . Because no matter what bits of my history you find. . . you can't predict the swear-word I'll use ( and considering I swear in a number of languages. . . .)
Re: (Score:2)
I don't know if you've noticed but a lot more online merchants are saving credit card details for repeat purchases. The rotating passwords are simply part of their security theater to meet the requirements of their insurance. They certainly do not give a shit about your account security.
That's a giant hole. Solution: Be Chelsea Clinton (Score:3)
Most of the celebrity hacks use exactly that vulnerability. How hard is it to find out what school Britney Spears went to, or what city she lived in?
A solution which still preserves the usefulness of the password reset questions is to answer them as if you were someone else. When it says "what high school did you go to?", pretend it says "what high school did Chelsea Clinton go to?"
For example, if you wanted to password reset my account, you could easily find that that I went to a certain school. But that w
Re: (Score:2)
So when they ask me shit like "What elementary school did you go to?", I put something like, "Jm36*gdt22(ILD$".
That school sounds pretty impressive. I went to "6ca96b6a8aff8fc36ae0ad65cf');DROP TABLE Passwords;--".
Re: (Score:2)
I feel like that's judgmental to people that prefer girthier passwords so I just make the font size bigger.
I lean the other way. (Score:2)
In general (not talking about actual crypto here), the whole password/passcode policy thing is nothing more than a CYA and comfort food for the paper pushers.
You make a password more complex than 8 characters and a cap (or number or special)... you got the easiest password to break. The monitor post-it. Even if you have physical audits checking this, you end up with unlocked drawer post-its. Curtail that and so on, you eventually end up with fake tech support calls.
The human side basically cares less and
Re: (Score:2)
In general (not talking about actual crypto here), the whole password/passcode policy thing is nothing more than a CYA and comfort food for the paper pushers.
You make a password more complex than 8 characters and a cap (or number or special)... you got the easiest password to break. The monitor post-it.
But if you ignore the enforced artificial complexity and suggest pass phrases, you get easily remembered, but very strong passwords. For example, even assuming a brute force attacker limits their search space to 26 characters plus punctuation - and further limits it to common English words - if you have a pass phrase like "every day for breakfast, my cat, muffin, enjoys eating tuna dipped in milk", the resulting Shannon entropy is 365 bits. By comparison, a keyboard-mashed password of "a8gh!#hZ0-" only has
Re: (Score:2)
True, pass phrases are easy to remember. But for most people, they are pretty hard to type out. Especially if they can't see the letters. Worse if on a mobile device.
My question is... what exactly are we protecting? We are using these over-complex password systems that in the end achieve little in terms of security and protect the history of someone's water usage and payments. A pass phrase may have its uses, but I still think simple passwords for low value information and two factor for high value i
Re: (Score:2)
[...] most passwords on the system are of the form: Capital lower lower lower lower lower lower digit punctuation.
How do you know that? Do you store the passwords as plain text?
Re: (Score:2)
> How do you know that?
>> I spent 15 years developing and writing password / pass phrase security tools used on a huge number of web sites. I analyzed millions
Fifteen years of forty hours a week (and sometimes sixty) analyzing passwords stored in plain text, cracking passwords, creating tools to reduce bad passwords, etc. That's 38,000 hours studying password use.
> Do you store the passwords as plain text?
Once *I* show up, passwords normally end up as salted SHA2 before long. It was salted MD5
Your article explains why XKCD was right (Score:3)
The article you linked to strongly supports the opposite conclusion: that four unrelated words is quite unlikely to be cracked.
First, it explains that most of the 15,000 passwords were 6-9 characters, so the cracker was able to break 7,000 of them in just a few minutes. It starts getting much harder (slower) after that. In most cases, 7,000 passwords is plenty for a single site. When a bad guy wants more passwords, typically they quickly crack 7,000 more easy ones from another site. They don't waste hou
Solve the damn problem already! (Score:2)
I really want to understand why tech companies are so incredibly inept when it comes to things of actual importance. This password problem should have been solved years ago. It's not that hard, for Pete's sake.
universal id number
pin code
biometric id (finger, hand, eye)
cell phone nfc
key fob
Industry consortium needs to get together to standardize on each of these and
Re: (Score:2)
Believe me they try.
- Universal id number : you have one on your passport... so what
- PIN code : aka very weak password
- Biometry : mostly useless online, useful for physical access checking only
- Cell phone : SMS second factor is very common with banks
- NFC : see key fob
- key fob : used a lot, including its mechanical counterpart called a key, can be stolen
None of these techs can replace passwords, but they can complement them.
Re: (Score:2)
You misunderstand. It's not about using one of them. It's about using them in combinations. So let's say I want to log into Slashdot. Well that's low security, so an id code or biometric scan plus a pin is probably sufficient. On the other hand, my bank login will require id AND pin AND bio scan AND an NFC or fob.
Re:Solve the damn problem already- go passwordless (Score:1)
Re: (Score:2)
Your idea is valid as an alternative for the last option. I don't understand why no one ever seems to understand that this is not a one or none contest. The idea is to use more than one or all of these in combinations as suits the security level.
- The mark of the beast shit is utter nonsense. You use it all the time anyway on your driver license.
- A PIN is a four to six digit code. It's not meant to be used alone.
- biometrics is one of the best components of authentication when establishing identity is important
- n
password production (Score:2)
You need to be stronger... but not that strong. (Score:2)
For me, the annoyance is worst when you are forbidden from making a truly secure password. I've seen sites which forbid more than 12 (or even 8) characters, forbid spaces (or all non-alphanumerics).
Back when I did IT support in the 80's, our minicomputer-based servers required six digits, and must be changed every 90 days (didn't check for repeats). I knew I could go to any admin's desk and have a good chance of logging in with SPRING, SUMMER, AUTUMN or WINTER. Later they changed it to 8 characters, so I
Best Password (Score:2)
2Password5Me
You have to understand the viral ecosystem here.. (Score:2)
People don't all independently come up with a plan of making up terrible password rules - it's just a difficult to extinguish meme propagated by clueless deal makers.
Many systems I've worked on have terrible password rules. Symbols and numbers, and requirements to change them all the time (thus guaranteeing they'll be written down)... but it was never really our decision. We had to follow the security document, and the security document had to have those rules, because we'd agreed to follow those rules in
Strength vs. suitability (Score:1)
It's fine to use a relatively-weak password for an "I don't care if this gets compromised" task.
An example would be a web site that let you upload a file but it would automatically be deleted an hour later, BUT you could delete it sooner if you created a password. Does it really matter if your password is relatively weak (but not something trivial, like "password")? As long as it's a one-off password that you don't use elsewhere, it's still "suitable" for the task.
What drives me insane: (Score:5, Insightful)
It's not the password strength meters that bother me. I generally just ignore those. What drives me utterly insane are the restrictions on my password. And these are far too common. The two biggies are:
1) Restricting what characters I may use in my password (no / or % or & or whatever) == Oh hai, We're not bothering to sanitize my inputs. We are a bunch of morons and you shouldn't use our site or service.
2) Restrictions on the maximum length of my password. == Oh hai, we're not bothering to hash your password but are, instead, just storing it in a fixed-length field somewhere. We're a bunch of morons and you shouldn't use our site or service.
What really Really REALLY drives me up the wall is that these sorts of restrictions seem to most often be present in places where security is most important and where I don't have the *choice* not to use their service. (My current employer's medical and 401k providers, for example.)
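An added example (not from this commenter or any site mentioned in the thread) of why neither restriction above is needed once passwords are handled properly: the password's UTF-8 bytes go straight into a salted PBKDF2-HMAC-SHA256, so any character and any length are accepted and the stored record is always the same size. It also shows the point made earlier in the thread that a good hash does nothing for a password an attacker can simply guess. The iteration count and salt size are constructed choices for the example, not a recommendation for any particular deployment.

```python
import hashlib
import hmac
import os
import unicodedata

ITERATIONS = 100_000   # constructed for the example; tune to your hardware and policy
SALT_BYTES = 16
HASH_BYTES = 32        # SHA-256 output


def _password_bytes(password):
    # NFKC so the same visible string always hashes the same; no character is
    # filtered or escaped because the bytes never reach SQL, HTML or a shell.
    return unicodedata.normalize("NFKC", password).encode("utf-8")


def make_record(password):
    """Return salt || PBKDF2-HMAC-SHA256(password), always SALT_BYTES + HASH_BYTES long.

    No maximum length is needed: a 1,000-character pass phrase and a 1-character
    password produce records of identical size, so a fixed-width column still fits.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", _password_bytes(password), salt, ITERATIONS)
    return salt + digest


def verify(record, candidate):
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = record[:SALT_BYTES], record[SALT_BYTES:]
    test = hashlib.pbkdf2_hmac("sha256", _password_bytes(candidate), salt, ITERATIONS)
    return hmac.compare_digest(test, digest)


def record_lengths(passwords):
    """Stored sizes for a batch of passwords; every entry is SALT_BYTES + HASH_BYTES."""
    return [len(make_record(p)) for p in passwords]


if __name__ == "__main__":
    # Constructed sample inputs: SQL/HTML-hostile characters and a very long phrase.
    samples = ["/%&\"'<>;--", "pässwörd", "correct horse battery staple " * 30]
    print(record_lengths(samples))          # [48, 48, 48]
    rec = make_record(samples[0])
    print(verify(rec, samples[0]), verify(rec, samples[0] + "x"))   # True False
    # The hash cannot protect a guessable password: the attacker never reverses
    # anything, they just try the guess the same way the login form would.
    weak = make_record("Password1!")
    print(verify(weak, "Password1!"))       # True
```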
Re: (Score:2, Funny)
> 1) Restricting what characters I may use in my password (no / or % or & or whatever)
I recently signed up for a website where it said "special characters are ok". But no matter what I put I couldn't get the password to be accepted. Until I actually took OUT the special character &, and then it worked. (facepalm)
Re: (Score:1)
And companies should stop having people constantly change their passwords. The first time an employee will try and pick a good password, the second time they will say fu#k it and just use Commonword1! and then increment the number every 3 months.
Re: (Score:2)
The security community is finally warming up to that concept. E.g.,
https://www.wired.com/2016/03/want-safer-passwords-dont-change-often/
Re: (Score:1)
Re: (Score:2)
Usually what happens is raw input is passed through some kind of OWASP filter or something similar which turns any naughty characters (SQL injection or whatever) into something safe. The only problem with that is that if you feed that into your hashing algorithm it ain't gonna match...
So whatcha do then smart guy? You encode it before it ever leaves the client, and then decode it back to the naughty characters for purposes of hash comparison...
Or..
Re: (Score:2)
Tell me about it. My (now ex) medical insurance provider actually printed my online account password on each invoice -- for my convenience.
The really stupid thing is that they automatically signed me up for online billing, despite the fact I sent in my application via mail, so I couldn't even send my first payment. Naturally this meant I had no password set for my account, so I had to call them over the phone to activate it. Then I got my first invoice on paper through the mail and nearly hit the roof.
The most stupid web site feature (Score:1)
that I can think of is the so-called "security questions" that will "help you recover if you forget your password"! Questions like mother's maiden name, town where you were born, your first school, your first car, etc. etc.
How bloody stupid can these idiots possibly get? If I wanted to hack somebody's account I'd head straight for the genealogy sites!
I DO NOT lose passcodes, nor can I remember them, because I use an encrypted passcode wallet and every passcode in there is long and completely random. When
Re: (Score:2)
or Facebook.
For example: (Score:2)
For giggles I just tried the top two hits in Google for "password strength meter".
http://www.passwordmeter.com/ [passwordmeter.com]
https://www.my1login.com/resou... [my1login.com]
I typed in "NCC-1701".
The first said it's a strong password with a score of 69%. The second said it was a medium password that would take 30 hours to crack. Making it "NCC-1701-d" upgraded it to very strong and 100% on the first and very strong at 112 years to crack on the second.
So yeah. Those meters are garbage. Don't trust them. Much better to generate rando
Use string manipulation and hashes (Score:2)
I wrote a toy demonstration at http://pgen.chalisque.org/ [chalisque.org] and explained at http://pgen.chalisque.org/abou... [chalisque.org]
Obviously you can use something slightly more elaborate, and given either bash and standard hashes (e.g. sha256), or JavaScript and CryptoJS, you can roll your own string manipulation.
You basically have a secret phrase or two, something obvious related to the website in question (e.g. pw://domain.name/user.name/index), combine it to produce e.g. 'mypwmachine(SuperSecretPhrase-pw://domain.name/user.name
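As an added illustration of the derivation scheme sketched above (my example code, not the pgen.chalisque.org implementation, which I have not reproduced): the public part is the obvious `pw://domain.name/user.name/index` tag, the private part is the secret phrase, and the two are combined and hashed into a printable string. One change from a bare sha256 is an assumption of mine: using PBKDF2 with the tag as salt, so that someone holding one leaked site password has to pay real work per guess of the secret phrase.

```python
import base64
import hashlib


def site_tag(domain: str, user: str, index: int = 0) -> str:
    """The public, per-site part: obvious and safe to write down.
    Bumping the index is the only way to 'rotate' a site's password."""
    return f"pw://{domain}/{user}/{index}"


def derive_password(secret_phrase: str, domain: str, user: str,
                    index: int = 0, length: int = 20) -> str:
    """Combine the secret phrase with the site tag and hash the result.

    PBKDF2 (rather than one SHA-256 pass) is an assumption beyond the post:
    it makes guessing the secret phrase from one leaked site password costly.
    """
    tag = site_tag(domain, user, index)
    key = hashlib.pbkdf2_hmac("sha256", secret_phrase.encode("utf-8"),
                              tag.encode("utf-8"), 200_000, dklen=32)
    # Base64 yields letters, digits, '+' and '/': printable, and 20 characters
    # carry 120 bits of the 256-bit key.
    return base64.b64encode(key).decode("ascii")[:length]


if __name__ == "__main__":
    # Constructed inputs; the secret phrase is a placeholder, not a real one.
    for domain in ("example.com", "example.org"):
        print(site_tag(domain, "alice"), derive_password("SuperSecretPhrase", domain, "alice"))
```

Two caveats a practitioner would add: a site that bans `+` or `/` (the very restriction complained about earlier in the thread) forces a different output alphabet for that site, which has to be remembered; and the secret phrase is a single point of failure for every account, which is why a wallet of independently random passwords remains the safer default.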
If I care enough (Score:2)
If I care enough about my password being hacked (if it affects me financially) I'll create a super impossible password to crack. ... of course, I never remember them and so have to get my password reset every time I visit that page.
Just ban common passwords (Score:3)
The solution is to just ban common passwords. Start with a list of dictionary words and leaked credentials from other sites, and simply ban the use of said passwords for accounts on your site. That's what Arenanet does for Guild Wars 2. You also ban new passwords as too many people try using them. As for messaging, you just straight up tell the user "That password is too well-known. Try something more creative."
You don't even need to store the password to implement popularity-based bans. When a user enters a new password, hash it and store the hash in a table (just the password hash, not the associated account). Each time someone else uses that password, increment the count. When it hits N, just ban new uses of that password, and optionally force current users of that password to change it on login (by checking the plaintext they just entered against the banned hashes). (Meanwhile, store a salted hash associated with the account id for login purposes, to make it harder to crack passwords if your hashes get leaked.)
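The two-table design in the post above, as an added example written by me rather than taken from Guild Wars 2 or any poster: a static blocklist, a popularity counter keyed by password but not linked to accounts, and a separate salted PBKDF2 record per account for login. One assumption beyond the post: the popularity table is keyed with HMAC under a server-side secret (a "pepper") instead of a bare hash, so that a leaked copy of it is not simply an unsalted hash list ready for offline cracking. The threshold of 3 and the sample passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor, kept low so the example runs quickly


class PasswordPolicy:
    """Popularity-based password bans plus a static blocklist.

    Two separate stores, as the post describes:
      * popularity: keyed password -> how many accounts chose it (no account link)
      * accounts:   account id -> (salt, PBKDF2 digest) used for login
    Assumption beyond the post: the popularity table is keyed by HMAC under a
    server-side secret so a leaked copy is not a bare unsalted hash list.
    """

    REJECTION = "That password is too well-known. Try something more creative."

    def __init__(self, ban_threshold: int = 3, blocklist=()):
        self.ban_threshold = ban_threshold
        self.pepper = os.urandom(32)                      # server-side secret
        self.popularity: dict[bytes, int] = {}
        self.blocklist = {self._key(p) for p in blocklist}
        self.accounts: dict[str, tuple[bytes, bytes]] = {}

    def _key(self, password: str) -> bytes:
        return hmac.new(self.pepper, password.encode("utf-8"), "sha256").digest()

    def is_banned(self, password: str) -> bool:
        k = self._key(password)
        return k in self.blocklist or self.popularity.get(k, 0) >= self.ban_threshold

    def set_password(self, account: str, password: str) -> bool:
        """Reject banned passwords; otherwise count the choice and store a salted hash."""
        if self.is_banned(password):
            return False                                  # show REJECTION to the user
        k = self._key(password)
        self.popularity[k] = self.popularity.get(k, 0) + 1
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
        self.accounts[account] = (salt, digest)
        return True

    def login(self, account: str, password: str) -> str:
        """Returns 'ok', 'bad_password', 'no_account' or 'must_change'.

        'must_change' is the post's optional step: the plaintext just typed is
        checked against the banned set only after the salted hash verified."""
        record = self.accounts.get(account)
        if record is None:
            return "no_account"
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
        if not hmac.compare_digest(candidate, digest):
            return "bad_password"
        if self.is_banned(password):
            return "must_change"
        return "ok"


if __name__ == "__main__":
    policy = PasswordPolicy(ban_threshold=3, blocklist=["password", "123456"])
    print(policy.set_password("alice", "password"))   # False: on the blocklist
    for who in ("alice", "bob", "carol"):
        print(who, policy.set_password(who, "hunter2"))  # True three times
    print(policy.set_password("dave", "hunter2"))     # False: count reached 3
    print(policy.login("alice", "hunter2"))           # must_change
```

Note the ordering in `login`: the popularity check runs only after a successful verification, so an attacker cannot use the "must change" response as an oracle for which passwords are popular without first knowing the account's password. The counter is never decremented when a user moves off a password, which matches the post's intent (a password that was ever popular stays banned).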
Kaspersky's checker is quite intelligent (Score:2)
Way better than what you currently find on normal websites.
They should just make it easier to integrate the thing on your own webpage.
https://password.kaspersky.com... [kaspersky.com]
Re: (Score:2)
I think you got it wrong. The point here is that password meters are just enforcing stupid rules; they don't do any good and they provide a false sense of security. The password strength they show is based on the utterly stupid idea that humans choose random passwords.
But humans are humans, not machines. Our brains are not designed to retain random passwords. So what happens? People try to find a good password. But the meter says "no, not 32 characters long". So they just say "fuck, I'm not a machine", an