Slashdot Asks: Are Password Rules Bullshit? (codinghorror.com)
Here's what Jeff Atwood, a founder of Stack Overflow thinks: Password rules are bullshit. They don't work.
They heavily penalize your ideal audience, people that use real random password generators. Hey, guess what, that password randomly didn't have a number or symbol in it. I just double checked my math textbook, and yep, it's possible. I'm pretty sure.
They frustrate average users, who then become uncooperative and use "creative" workarounds that make their passwords less secure.
Are often wrong, in the sense that they are grossly incomplete and/or insane.
Seriously, for the love of God, stop with this arbitrary password rule nonsense already. If you won't take my word for it, read this 2016 NIST password rules recommendation. It's right there, "no composition rules". However, I do see one error, it should have said "no bullshit composition rules". What do you think?
Yes.
That's not necessarily true.
When you set your password, they could extract various 4-character permutations, and store a salted hash of those characters along with their positions within the password.
They're basically making a number of smaller passwords out of the alphabet you supplied via the characters in your password. Then they can salt, hash, and store these small passwords just like
Possible? Yes.
Likely? No.
In the goal of increased security, it's exceedingly unlikely that a larger bank is storing anything password related in plain text. Banks are beyond that stuff these days. Procedures and software are audited, etc etc - nobody but mom and pop sites would be able to fly under the radar of the harm to reputation that would occur if it turned out that your bank passwords were being stored in plaintext.
This could provide a new attack vector, reducing the brute force surface area. Each of those 4-character permutations has a much smaller permutation set (each about 4.5 million for 20 special characters). So it would take about 90 million guesses to crack all 20 subpasswords, as opposed to 9 x 10^22 guesses to crack a 12-character password.
But we don't even need to try 20 subpasswords, using an even distribution of characters to create the subpasswords, then for a 12 character password it would only need
Things you should never use as a password:
1) Your first pet's name
2) The street you grew up on
3) The model of your first car
Things banks use for "security questions":
see above.
That's why I always use Password123
Why couldn't they hash & store each character separately - so it's effectively multiple short passwords?
Yes, except for length requirements.
Yes.
You are wrong. The correct answer is NO.... Well maybe that's not the right answer either...
Ok.. It depends.... Password rules, like anything, when used within reason CAN increase security. The question is what constitutes "within reason". Keeping folks from choosing common and easily guessed passwords on a system you need to be somewhat secure is a good thing... Making passwords so complex users need to write them down is not a good thing. So it depends. Depends on the security needs of the system and
Don't know (Score:5, Insightful)
"Slashdot Asks: Are Password Rules Bullshit?"
I don't know. But headlines with "Bullshit" and "?" are.
title ought to have been "Password rules are bullshit"
"Slashdot asks: Password rules are bullshit"
?
Betteridge be damned - This doesn't fit "Any headline that ends in a question mark can be answered by the word no." Phrasing the headline as a question in this case was entirely appropriate, since it was an invitation for input on a contested issue rather than a simple news announcement. "Jeff Atwood says password rules are bullshit" would have been just fine but would have set a different tone. Simply titling TFA "Password rules are bullshit" would be presenting
Customer Psychology (Score:4, Interesting)
The problem is now that the bullshit rules are now expected by customers. When we did our last major UX review, we didn't have those rules in place. Adding them made our customers overall feel more confident in our platform.
Re:Customer Psychology (Score:5, Funny)
Pick a strength at random.
That must be how they work. There's one site I use where I paste generated passwords in when creating new accounts. Sometimes a really strong password shows up as really weak. If I remove it and paste it again, sometimes it's strong. Sometimes I have to paste it into the "Repeat password" box first to clear out the "weak" designation.
I saw the exact opposite in the right situation.
I was using an automobile forum that was apparently part of a much, much larger automobile forums company. The company got hacked and apparently their password database was compromised, so as a reaction they now required their users to have twelve character complex passwords, changed monthly. Because they, not the users, screwed up.
I stopped bothering going to them. I am not going to put up with those kinds of password requirements to talk about skidplates
Of course you are right - but how to make it stop (Score:2)
Just say no to most of the things that require a password. Most of them are worthless anyway.
Only post anonymously to /..
Quit forums and registration-only websites. You'll find you're getting more free time and less Internet-induced anxiety.
Scuttle your StackOverflow account. It's taken over by H1Bs.
For professional work, use other means of authentication such as crypto keys. Manage professional accounts with password manager and 2fa.
Use long passphrases and 2fa for local logins. Scrap stuff like "clou
Make sure the creases in your aluminum hat are sharp and at a 60 degree angle.
Let me see what I type (Score:5, Insightful)
Also, please for god's sake let me see what I type. I have 99% of my passwords in a password manager, but not all of them, and sometimes I'm on a different device where I don't feel like logging into it if I actually know the password. Sometimes it's the login of the machine itself, so unless I'm using a dongle for logging in, I'll have to type the password.
if I can't see it, and god forbid we're on mobile, I'll have to make it significantly simpler to ensure I don't fat finger shit 19 times.
That's especially true with devices. I already mentioned mobile, but game consoles, smart thermostat, and all the IoT bullshit (some are actually useful). They force me to type my password blindfolded on unfamiliar input devices. If my password is 25 characters, I'm going to make mistakes. Let me see them please.
Also, please for god's sake let me see what I type.
^^^^ This this this.
I use some long password phrases and I occasionally make a mistake when entering them. If I was able to see the characters I'd be able to correct my typo. This is especially annoying when using the craptastic user-hostile user interfaces on TVs where you have to dick around with the remote, slowly bumping along from letter to letter at a snail's pace.
So does Android.
Obligatory XKCD (Score:3, Informative)
https://www.xkcd.com/936/ [xkcd.com]
I remain in disagreement that that is the best approach. It gives you needlessly large amounts of typing for little entropy. Acronym passwords are better - think of a sentence and a rule for turning it into a password (the simplest just being using the first letter or two letters of each word).
Sentences are easier to remember than four random words, the resultant passwords are shorter, and while the search space can certainly be reduced by statistical means, it's not nearly as much as with four random words. Aka, if the last letters the person typed in were "stapl", what do you think the next letter is going to be?
It's worth pointing out that XKCD's pretense that four random words are easy to memorize was based on them choosing four easy to memorize words. If I just have /usr/share/dict/words pull up random words for me, here's the first five passwords it comes up with:
cytopharynx Gasperoni gastroplasty revolutionising
reacidifying bosom-breathing sipers down-in-the-mouth
text-writer clubbed midfields Shuqualak
Malkite phthisiology BLM improbabilize
weaves Whiggamore unspirally Exod
Yeah, best of luck with that. By contrast, if I convert the previous sentence into an acronym password, I may get something like (depending on what rules I use):
Y,bolwt.
.... etc. Choose your own rules. But you won't forget "Yeah, best of luck with that"
Yebeofluwith
yEbE0FlUw1tH
Most of them are (Score:1)
Arbitrary constraints on passwords, with no math justification, actually reduce password complexity.
Most people reuse passwords, which is a weakness beyond the control of silly "password rules".
No matter how complex^W annoying the rules are, incompetent implementations store the passwords in plaintext.
Your typical web service security is next to non-existent and you dare impose "password rules" on me?
it results in people rotating between the same 3 or 4 passwords for everything
And when I was required to change my password every 60 days, only one character changed (rotating across the keyboard's home row) so it was not much more entropy. Still, it beats writing it on a post-it.
Mysterious rules are worse (Score:2)
I don't mind too much the simple ones like must have a symbol, one uppercase, and a number and a minimum of x characters. Those are fine because I can click those buttons in Keepass to generate a password with or without those options.
The ones that piss me off are ones that only allow/require a very small set of symbols, so I have to generate it and tweak it.
The other big thing that makes me angry is when their password requirements are hidden. You just have to keep typing in passwords until their validat
Set the appropriate options in KeePass that include a minimal superset of the permitted symbols, then click on the "Preview" button. You'll get thirty sample passwords, at least one of which should fit the requirements - copy and paste it. If not, switch out of the Preview tab and back to get another set until you do get one that works with whatever subset of special characters
What is truly bullshit... (Score:2)
...is the fact that we supposedly have all these methods of forcing users to create more secure passwords, and yet those "top 10 worst passwords" lists that come out every year haven't really changed in fucking decades.
Obviously neither has the mentality towards online security.
Why you ask? I don't know. Ignorance? Stupidity? Don't give a shit? Doesn't even matter why anymore. Rather obvious nothing will change.
How about this reason: I don't care for the account in the first place.
Simple scenario: I want to use a website once, but it requires me to "register an account". Why? No idea. I have absolutely no need for one and don't care if it's "hacked". For all I want, you can throw it away immediately. So I'm going to register the following account.
Username: johndoe123
email: johndoe@mailinator.com
password: 123456
Go ahead, "hack" my password, reuse my account, whatever. I don't care.
Once the site gets breached, I'm a
Indeed. I have a password that I use for all of the diverse sites that I don't give a rat's arse about. What's someone going to do if they compromise it, make fake posts as me? Ooh, shudder.
Think... (Score:2)
When my passwords get pwned, at least I can change them. When my biometrics get hacked? I'm SOL.
Why do I even NEED a password? (Score:1)
Two factor authentication is a thing.
If they require a special character and uppercase in their passwords, I usually add something like ";DROP TABLE users;" to the end of my password -- that'll show 'em.
I still haven't figured out why somebody's blog needs 16-character passwords with a dozen rules and the IRS settles for a five-digit PIN code....
They are as implemented (Score:3)
The idea of a password rule, as in some set of checks to make sure it meets a certain level of security, is a good one. However it needs to be something complex like entropy calculation. A password can have lots of entropy, and thus be strong (meaning hard to guess/crack) in a number of ways. A truly random set of characters has lots of entropy per character, but a phrase can have plenty, even though it has much less per character and can be easier to remember.
It shouldn't be some hardass thing of "you have to have 3 of 4 groups, no repeating characters, etc, etc". If you want an all numeric password, that's fine, it'll just need to be longer. Test based on actual entropy, not arbitrary bullshit.
Or, if you really care about security, start doing two factor. It always amuses me when some place has ultra-bitchy password rules but has no options to use even weak two factor auth. They care about security, apparently, but not enough to do anything that might be really useful.
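The entropy-based check described in the post above, written out as an added example (my code, not the commenter's or anyone's product): it estimates bits from the character classes actually used, derives the minimum length a given alphabet needs to reach a target, rejects anything on a common-password list after undoing the usual substitutions, and has a generator re-roll until the check passes. The blocklist, the 60-bit target and the substitution table are constructed assumptions, and the per-character estimate is an upper bound that only holds for randomly chosen characters; for word-based passphrases the word-count estimate is the honest one.

```python
import math
import secrets
import string

# Constructed stand-in for a real breached/common-password list (assumption).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou"}

# Undo the usual letter-for-symbol substitutions before the blocklist lookup (assumed table).
LEET = str.maketrans("@$0345", "asoeas")


def normalize(pw: str) -> str:
    """Lowercase, map leet substitutions back, and drop trailing digits/punctuation."""
    return pw.lower().translate(LEET).rstrip(string.digits + string.punctuation)


def charset_size(pw: str) -> int:
    """Size of the alphabet implied by the character classes present in pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII punctuation plus space
    return size


def estimated_entropy_bits(pw: str) -> float:
    """Upper bound: every character drawn uniformly from the alphabet used."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0


def passphrase_entropy_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy of word_count words drawn uniformly from a dictionary."""
    return word_count * math.log2(dictionary_size)


def min_length_for(charset: int, min_bits: float = 60) -> int:
    """Shortest length at which a uniformly random string over charset reaches min_bits."""
    return math.ceil(min_bits / math.log2(charset))


def check_password(pw: str, min_bits: float = 60):
    """Return (accepted, reason). No composition rules: only a blocklist and an entropy floor."""
    if normalize(pw) in COMMON_PASSWORDS:
        return False, "on common-password list"
    bits = estimated_entropy_bits(pw)
    if bits < min_bits:
        return False, f"estimated {bits:.1f} bits < {min_bits}"
    return True, f"estimated {bits:.1f} bits"


def generate_password(length: int, alphabet: str = string.ascii_letters + string.digits) -> str:
    """Random password that is re-rolled until it passes the same check users face."""
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if check_password(candidate)[0]:
            return candidate


if __name__ == "__main__":
    for pw in ["Pa$$w0rd1", "Password1", "3141592653589793238", "correct horse battery staple"]:
        print(pw, check_password(pw))
    print("digits need", min_length_for(10), "chars; lowercase", min_length_for(26), "; ASCII", min_length_for(95))
```

The digits-only case is the point of the post: a 19-digit PIN clears the same 60-bit bar as a 10-character mixed-ASCII string, so the policy can say "longer" instead of "add a symbol". The check is also what a hidden strength meter would run, which is why the blocklist lookup comes first: "Pa$$w0rd1" scores 53 bits by character class but is a dictionary entry in disguise.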
My Personal Rule (Score:2)
Password rules insanity (Score:1)
Where I work at we have both password rules AND mandatory password change every month... MONTH! Who the hell comes up with these stupid arbitrary ideas about security?
Who? Probably someone who doesn't use a computer.
Arrgh, what a system. Now you probably have people writing down their passwords, and storing them in their wallet or purse, or worse, the traditional "under the keyboard". Then the IT department is probably spending a lot of time resetting passwords when the people who do it correctly forget their password. Over and over
ITSM checkbox auditors. "Having a password policy" is a checkbox they can tick off, "having a password rotation policy" is another one.
Nobody asks if that makes sense. What matters is that you implement it. And these are quick wins, because it's trivial to implement.
On another note, there is one site I never seem to access when I have the ability to save it into a password manager. Meaning, every single time I use the site (finance related to boot), I must reset my password. I expect this to raise alarm, but so far nothing.
You forgot your special character and 8 digits
Jan!2017! Feb!2017! Mar!2017!
Re: (Score:2)
Mixed upper and lower case
Includes Numbers
Only one month of the year includes a dictionary word
But only 7 characters....REJECTED
Password rules aren't consistent (Score:2)
The password rules wouldn't be quite so annoying if they could agree on a common set of rules. Website A wants caps, numbers and no special characters. Website B wants special characters, caps and numbers. This means more passwords, more permutations of passwords and the end result is worse security because of all the problems with forgetting passwords. I don't know that there is an easy solution but a start would be to have the same password rules everywhere whenever possible and they should follow wha
Yes (Score:2)
Length is good but complexity doesn't really help if you have a good lockout policy and good monitoring.
Complexity rules just mean that a) people write it on a sticky note and stick it to their monitor or b) constant password resets / helpdesk calls.
No, They are Not Bullshit (Score:1)
Do we have to continue having this bullshit debate?
"password" has an entropy of 28.7 bits and will be cracked more or less instantly
Now, let's require one capital and one number:
"Password1" has an entropy of 40.4 bits and is 3326 times stronger.
Now, let's required at least 12 characters:
"Password1dogs" has an entropy of 61.9 bits and is 9,867,243,735 stronger than "password."
Now, let's require one special character and forbid using repeating characters:
"Pa%sword1dogs" has an entropy of 63.4 bits and is 27,9
First, system designers tend to be clueless about security needs of their own system. I want my bank to require strong passwords. I don't need some discussion forum about, I don't know, aquarium cleaning or salt shaker collecting to need a 10 digit password with numbers, letters, and punctuation marks. It's annoying.
Second, human beings aren't digital storage units. The harder the password to unlock, the more likely we are to either use the same password everywhere, significantly reducing
The bullshit is not in the passwords, the bullshit is in the people. Or rather, demanding that people remember that character salad.
Yes, those passwords are great. Especially "&2lkjf(82ld0*@#jmG73". Awesome, strong and secure. And now have a person remember this. No chance. None. Zero. Zip. Maybe there's some dedicated aspies that can, but most of the people you have in your office will look at you like you asked them to do a multidimensional integral in their head. Or they'll question your sanity.
What
Already posted in this thread, but worth repeating given the above:
correcthorsebatterystaple [xkcd.com]
Wrong metric (Score:2)
Do we have to continue having this bullshit debate?
"password" has an entropy of 28.7 bits and will be cracked more or less instantly
entropy is the wrong metric here
hsorgsrx has the same entropy (8 lower case letters), but won't be cracked BEFORE the actual brute force attack (where entropy matters) is launched. Your 10 year old kid would probably try typing "password" manually before even thinking of which automated tool to use....
Dana Carvey's son, is that you? (Score:2)
Are you really Dana Carney's son?
https://youtu.be/tN-LJ7w5pwQ?t=51s
Provides Info to Crackers (Score:4, Insightful)
Not just composition rules... (Score:3)
It's right there, "no composition rules". However, I do see one error, it should have said "no bullshit composition rules".
But you repeat yourself....
Also in there:
Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically) and SHOULD only require a change if the subscriber requests a change or there is evidence of compromise of the authenticator.
Holy crap, sanity!
Also need to scrap the minimum change interval some things impose (you *can't* change your password, even if you know you exposed it to someone accidentally).
I'd also want to be very careful about account lockout policies. Yes, they are a tool to rate limit an attacker, but they are *also* a vector to DoS an account by locking it out on purpose.
That last problem can easily be thwarted. Take your average user and let him enter his username and password. How long does it take him? 2 seconds if he's fast. 5 seconds if his name is long and he's a slow typist. So simply implement it in such a way that between two tries you have, from the start, a 2 second delay. That means at best 30 attempts a minute, 180 attempts an hour, 43.200 attempts a day.
Even if you know that the password is four letters long and only lowercase, you'd need about a week to brute
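The per-account delay proposed above, as an added example (my code, not the commenter's): instead of locking the account after N failures, the verifier refuses any attempt that arrives less than a fixed gap after the previous one for that username, so a flood of bad guesses cannot lock the real user out, while the attempt rate is still bounded. The credential store, the PBKDF2 parameters and the injectable clock are my assumptions; the two helper functions give the attempt budget and exhaustion time for a given gap.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ROUNDS = 100_000  # assumed work factor for the toy store


def make_record(password: str) -> tuple[bytes, bytes]:
    """Constructed credential record: (salt, PBKDF2-HMAC-SHA256 hash)."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class ThrottledVerifier:
    """Rate limit by enforcing a minimum gap between attempts per account; never locks the account."""

    def __init__(self, records, min_gap_seconds: float = 2.0, clock=time.monotonic):
        self._records = records          # {username: (salt, hash)}
        self.min_gap = min_gap_seconds
        self.clock = clock               # injectable so the behaviour can be tested without sleeping
        self._last_attempt = {}          # username -> timestamp of last counted attempt

    def attempt(self, username: str, password: str) -> str:
        now = self.clock()
        last = self._last_attempt.get(username)
        if last is not None and now - last < self.min_gap:
            return "throttled"           # not counted: a throttled call does not extend the window
        self._last_attempt[username] = now
        record = self._records.get(username)
        if record is None:
            # Unknown user: still do the hash work so timing does not leak whether the account exists.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, PBKDF2_ROUNDS)
            return "rejected"
        salt, expected = record
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return "ok" if hmac.compare_digest(expected, digest) else "rejected"


def max_attempts(seconds: float, min_gap: float = 2.0) -> int:
    """Upper bound on attempts against one account in a time window."""
    return int(seconds // min_gap)


def days_to_exhaust(space_size: int, min_gap: float = 2.0) -> float:
    """Days needed to try every candidate in a search space at one attempt per gap."""
    return space_size * min_gap / 86400


if __name__ == "__main__":
    store = {"alice": make_record("hunter2")}   # constructed sample account
    v = ThrottledVerifier(store)
    print(v.attempt("alice", "wrong"), v.attempt("alice", "hunter2"))   # second call is throttled
    print("per day:", max_attempts(86400), "days for 26^4:", round(days_to_exhaust(26 ** 4), 1))
```

The caveat a practitioner should keep in mind: a per-account gap bounds the guess rate but an attacker hammering the account still delays the legitimate user's own attempt by up to one gap, which is the trade-off for never locking the account outright; per-source throttling and monitoring belong alongside it, as the post's thread already notes.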
The Only Rules (Score:2)
I might accept is that if the language the app is written in has certain key delimiters (% sign, period for PHP, # for ColdFusion) I could see blocking those in passwords to reduce the risk of an injection attack.
Rules ==(people)== insecurity (Score:1)
I fully support Jeff's opinion there. All of the systems I have seen that implement strict rules have people invent easy-to-remember, yet extremely easy to guess passwords that pass the rules. It is my firm belief that password rules make passwords way more insecure.
These rules helped me (Score:1)
And then there are the sites. . . . (Score:3)
...that don't tell you their password rules, only that your password doesn't fit them. This is especially irritating for the sites that require complex passwords and have short (i.e. 3 fails) lockouts. . . .
It's a fair concern, but I'm going to revolt it (Score:2)
It's a valid argument that holds weight, and I'd even take it a step further than the how involved with general users going around the rules to keep making new passwords is really... scary, predictable and in the exploding age of AI, machine learning and modeling, these rules, are indeed, a joke. For instance...
Just what I observe and know to be true: I can't tell you how many people who don't even know what 5cr1p7 k1dd13 language blatantly substitute all the letters of S, E, A, I, T and B for 5, 3, 4, 1
Rainbow tables (Score:2)
I keep thinking about. . . (Score:2)
...the original Facebook technique of using "Chuck Norris" as a password [gizmodo.com].
Because NOTHING can defeat Chuck Norris (grin)
Most password rules are bullshit (Score:3)
Even aside of the obligatory xkcd comic that will certainly still surface, password rules are at best useless. At worst they lead to behaviour that is detrimental to security.
So how long do they now have to be? 12 characters at least, no words from a dictionary, containing all sorts of numbers, special characters, upper/lower case, no semblance to any passwords used within the last 60 years... resulting in such great passwords as f$nUkw1dfvM(qkI and so on.
How to remember that? Not at all. What do people do? They write it down. If you're a lucky CISO, they put the post-it into their wallet. If you're not, you find it under their keyboard.
Sure, you can demand that they don't write it down. Then be prepared to drown your support in calls from users that have to get their passwords reset twice a day. Once when they come in, once when they return from their lunch break.
And all that because we are lazy. Yes, we. The company security. We brush off our business, i.e. securing access, onto the user. And why the fuck do we get away with that? Please tell me. It's OUR job to make machines secure, not the user's.
Security is best when you achieve total security without the user even noticing you're there. Perfect security means that little, better even no, user interaction is required. The less the user could possibly fuck up, the better for your security. And yes, that is possible. Replace a "what you know" security model with a "what you have" one, i.e. hand key cards to your personnel. If you really feel like it, augment it with a 4 digit pin they can set. That's already enough.
But brushing off security onto your user and putting insane demands on him is unacceptable.
3 Tries? (Score:2)
For God's Sake, it DEPENDS (Score:2)
I'm furious when certain newspapers or other non-important or non-financial websites force me to use combinations of letters, symbols, capitals and numbers. They are actually trying to make sure I don't give my password to other people to read their content, they aren't protecting ME from anything. That forces me to either a) disclose my important password techniques, or b) create an even more difficult to remember password for a site that's considerably less important than my bank, etc. Worst case are (a
The standard rules are stupid but... (Score:2)
A minimum length, a maximum age, and a requirement to include upper, lower, and a special character are good things.
Length, case, and special characters all massively increase the search space and help to defeat brute forcing and rainbow tables.
People who insist on stupid passwords like, "OM#*&!N!lkjasdf_###7" are the problem. Such passwords are difficult to remember (or type!) and easy to crack. Use a normal sentence (or two short ones) with a proper noun somewhere in it and use normal punctuation.
Random Password (Score:2)
"123" is also a legitimate result of a random character generator. It is a bad password no matter how you come up with it.
Password Strength is Meaningless (Score:2)
Either the site restricts the number of incorrect guesses, in which case "123abc" is a safe password, or no password is really safe. If the site allows a botnet to hammer the site with trillions upon trillions of password guesses a second, no password is safe.
They are "follow-the-ritual" without understanding (Score:2)
I have been annoyed by this for a long, long time. Put in a 100bit+ entropy password and the moron that implemented this has his software claim that your password is "insecure". Seriously, all lowercase letters and digits at random is about 5.2 bit/character in entropy. Lowercase letters, digits and a special symbol (and who does not just append a "!") and an uppercase letter (and who does not simply make that the first) is, *ta-da* 5.2bit/character entropy! Of course, making random places uppercase or a ra
Security levels (Score:2)
The problem isn't password rules. The problem is the idea of security levels.
For a site like /. or soylentnews.org, just about any password should be allowable. This is a password you will likely use on lots of different sites. Also, the password should never expire. Account should be locked if a thousand bad passwords in a row are tried. The password reset should go to your email, and you should not have the ability to change your email address (but you can add a secondary email address) for a month a
I remember CompuServe (Score:1)
On Macs, the default passwords generated by the macOS PW generator in the KeyChain app are two words with some numbers or symbols between and around them. This is close to ideal, because it is unpredictable enough to help fight off brute forcing, but memorable enough so the password can be typed in without a PW manager.
Rules are good (Score:1)
2 and 3 are among the possible random 512-bit prime numbers, but any good "random 512-bit prime number" rule for crypto should reject these outright. Likewise, a random password generator that purports to create "reasonably secure" passwords should filter out anything known to be in password-cracking dictionaries or anything that is easy to derive from them (p@ssword1, passw0rd2, etc.).
Like any access-control system, a password should be "hard to compromise, but easy for you to use when you need it"
I'd enforce a phrase (Score:2)
Password Guessing hasn't been the problem! (Score:2)
Think of the big breaches, which I tracked until about five years ago... In the Zappos [zappos.com] breach, hackers broke into their system and stole their database. They didn't guess passwords, just stole them.
In May 2005, GMail was hacked... via JavaScr [darknet.org.uk]
Utter bullshit (Score:2)
Reset passwords, doubly so.
Indicators instead of rules (Score:2)
Yes, password rules are BS. My bank requires me to have a password that contains uppercase, lowercase, numbers and at least two symbols. All of which is rendered pointless by limiting the password length to 8 chars. Luckily I have 2 factor auth, but still.
Weak/strong password strength indicators, on the other hand, can be useful if done properly (and harmful when done by people with no grasp of combinatorics). Many people have no idea what counts as a strong enough password nowadays, so even a simple indica
Passwords (Score:2)
My first act upon entering my last workplace:
- Remove enforced 30-day password resets that could only be done via IT (500+ users means two tickets a day, at least, were just password resets - and imagine what that does to remote workers who then can't get into remote desktop or email to request a password change anyway!)
- Remove "password history" requirements that were onerous and made people invent - and therefore forget/lose - passwords all the damn time or just use numbers tacked on the end.
- Remove all
Password should expire after a reasonable time. (Score:1)
If a poorly-salted password database is compromised today but the breach isn't discovered until this time next year, a 1-year-expiration would mean everyone's password would have expired or been changed already by the time the breach is announced.
Personally, I would tie expiration to complexity: I would allow trivial passwords like "password" with a 1-hour expiration, slightly-less-trivial passwords with an expiration between an hour and a week, moderately-strong passwords with longer expiration times, str
No, but improvements are still possible (Score:2)
The #1 rule, about password length, is supported by the article. If you randomly generated a low-complexity password, you should re-roll, and the article supports this with a new rule based on an entropy calculation hidden to the user. The complaint that the rules frustrate those who pick weak passwords is not fixed by the new proposed replacement rules in the article (hidden entropy calculations and checks against common passwords).
Agree and disagree with NISTs "rules". (Score:2)
Completely agree random letter/number/symbol requirements and periodic expiration are extraordinarily lame.
Requiring people to change their passwords often for no reason just encourages them to cheat by necessity of being human in some way.
Stupid complexity requirements that don't understand objective function is maximizing entropy at the least expense to human people actively makes outcomes worse for everyone. The real world outcome of most of these systems is symbols and numbers are typically placed at t
When you think about it... (Score:2)
by enforcing one of those stupid "passwords must contain..." rules, you're actually mathematically reducing the number of possible variations for a given password length, and also making it far MORE predictable, not less.
ASCII (Score:2)
All my passwords have at least one ASCII character which needs the Alt-### to generate. Such as ôA]£ï
It is near impossible to create a sensible password strategy that satisfies the three core demands: Easy to remember, hard to guess, hard to brute force.
Go ahead and define one. And then sell it, good money will certainly be paid for something like this.
That depends on the situation. In most circumstances, you're right. If you have no control over the servers (read: If you're dependent on a supplier) you might want to implement a changing policy, especially if you can't rely on them reporting a data breach reliably and in a timely manner.
Not true. Password rotation generally ensures that the passwords that clever-but-unwise people put into scripts cannot simply be picked off filesystems and used to access systems. And while many people tack on an extra date-or-number to an unchanging root password (your "poor passwords") to work around the rotation, people tend not to document their little pattern, but remember both the root password and their pr
There is nothing theoretically wrong with using patterns that will help you remember.... there are no constraints on the kinds of experiences a person may have had that might help them generate a password that only they might see the significance of.
Obviously if you know the ruleset that a person used in their pattern, then you can restrict your search and the password becomes easier to crack, because while the number of rules that person used to generate their password is probably relatively tiny so th