Slashdot Asks: Are Password Rules Bullshit? (codinghorror.com)
date 2017-03-10
Here's what Jeff Atwood, a founder of Stack Overflow, thinks: Password rules are bullshit. They don't work.
They heavily penalize your ideal audience, people that use real random password generators. Hey, guess what, that password randomly didn't have a number or symbol in it. I just double checked my math textbook, and yep, it's possible. I'm pretty sure.
They frustrate average users, who then become uncooperative and use "creative" workarounds that make their passwords less secure.
Are often wrong, in the sense that they are grossly incomplete and/or insane.
Seriously, for the love of God, stop with this arbitrary password rule nonsense already. If you won't take my word for it, read this 2016 NIST password rules recommendation. It's right there, "no composition rules". However, I do see one error, it should have said "no bullshit composition rules". What do you think?
In your face Betteridge! (Score:4, Insightful)
Yes.
Don't know (Score:2, Insightful)
"Slashdot Asks: Are Password Rules Bullshit?"
I don't know. But headlines with "Bullshit" and "?" are.
Re: (Score:2)
title ought to have been "Password rules are bullshit"
Customer Psychology (Score:4, Interesting)
The problem is now that the bullshit rules are now expected by customers. When we did our last major UX review, we didn't have those rules in place. Adding them made our customers overall feel more confident in our platform.
Re: (Score:3)
Of course you are right - but how to make it stop (Score:2)
Let me see what I type (Score:5, Insightful)
Also, please for god's sake let me see what I type. I have 99% of my passwords in a password manager, but not all of them, and sometimes I'm on a different device where I don't feel like logging into it if I actually know the password. Sometimes it's the login of the machine itself, so unless I'm using a dongle for logging in, I'll have to type the password.
If I can't see it, and god forbid we're on mobile, I'll have to make it significantly simpler to ensure I don't fat finger shit 19 times.
That's especially true with devices. I already mentioned mobile, but game consoles, smart thermostats, and all the IoT bullshit (some are actually useful). They force me to type my password blindfolded on unfamiliar input devices. If my password is 25 characters, I'm going to make mistakes. Let me see them please.
Re: (Score:2)
Also, please for god's sake let me see what I type.
^^^^ This this this.
I use some long password phrases and I occasionally make a mistake when entering them. If I was able to see the characters I'd be able to correct my typo. This is especially annoying when using the craptastic user-hostile user interfaces on TVs where you have to dick around with the remote, slowly bumping along from letter to letter at a snail's pace.
Most of them are (Score:1)
Arbitrary constraints on passwords, with no math justification, actually reduce password complexity.
Most people reuse passwords, which is a weakness beyond the control of silly "password rules".
No matter how complex^W annoying the rules are, incompetent implementations store the passwords in plaintext.
Your typical web service security is next to non-existent and you dare impose "password rules" on me?
Mysterious rules are worse (Score:1)
I don't mind too much the simple ones like must have a symbol, one uppercase, and a number, and a minimum of x characters. Those are fine because I can click those buttons in KeePass to generate a password with or without those options.
The ones that piss me off are ones that only allow/require a very small set of symbols, so I have to generate it and tweak it.
The other big thing that makes me angry is when their password requirements are hidden. You just have to keep typing in passwords until their validat
What is truly bullshit... (Score:2)
...is the fact that we supposedly have all these methods of forcing users to create more secure passwords, and yet those "top 10 worst passwords" lists that come out every year haven't really changed in fucking decades.
Obviously neither has the mentality towards online security.
Why you ask? I don't know. Ignorance? Stupidity? Don't give a shit? Doesn't even matter why anymore. Rather obvious nothing will change.
Think... (Score:2)
Why do I even NEED a password? (Score:1)
They are as implemented (Score:2)
The idea of a password rule, as in some set of checks to make sure it meets a certain level of security, is a good one. However, it needs to be something complex like entropy calculation. A password can have lots of entropy, and thus be strong (meaning hard to guess/crack) in a number of ways. A truly random set of characters has lots of entropy per character, but a phrase can have plenty, even though it has much less per character and can be easier to remember.
It shouldn't be some hardass thing of "you have
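The two points raised in this thread, that composition rules shrink the space of allowed passwords (the "reduces password complexity" comment above) and that an entropy calculation is a better basis for a rule than "must contain a digit" (the comment directly above), can both be checked with a few lines of arithmetic. The following is an added example, not code from the thread or from the codinghorror.com post it discusses; the character-class sizes (26 lowercase, 26 uppercase, 10 digits, 33 symbols, 95 printable ASCII in total) and the 7776-word list size are assumptions chosen for illustration.

```python
import math

# Character classes on a US keyboard; assumed for this example.
CLASS_SIZES = [26, 26, 10, 33]          # lower, upper, digits, symbols
ALPHABET = sum(CLASS_SIZES)             # 95 printable ASCII characters


def random_password_entropy_bits(alphabet_size, length):
    """Entropy of a password drawn uniformly from alphabet_size ** length strings.

    Entropy is a property of the *generator*, not of the string it produced:
    this figure is only valid for a real random password generator.
    """
    return length * math.log2(alphabet_size)


def count_meeting_rule(class_sizes, length):
    """Number of length-character strings containing at least one character
    from *every* class, computed by inclusion-exclusion over the classes
    that are excluded. This is the keyspace left after a composition rule
    such as "must contain lower, upper, digit and symbol".
    """
    total = sum(class_sizes)
    m = len(class_sizes)
    count = 0
    for mask in range(1 << m):
        excluded = sum(class_sizes[i] for i in range(m) if (mask >> i) & 1)
        sign = -1 if bin(mask).count("1") % 2 else 1
        count += sign * (total - excluded) ** length
    return count


def rule_entropy_bits(class_sizes, length):
    """Entropy of a uniformly random password that also satisfies the rule."""
    return math.log2(count_meeting_rule(class_sizes, length))


def bits_lost_to_rule(class_sizes, length):
    """How much the composition rule shrinks the keyspace, in bits."""
    return random_password_entropy_bits(sum(class_sizes), length) - rule_entropy_bits(
        class_sizes, length
    )


def passphrase_entropy_bits(wordlist_size, word_count):
    """Entropy of a passphrase built from word_count words picked uniformly
    from a list of wordlist_size words (e.g. diceware-style lists)."""
    return word_count * math.log2(wordlist_size)


def naive_entropy_estimate(password):
    """What a typical strength meter computes: infer the character pool from
    the classes that appear, then assume every position was uniform over it.

    This is an upper bound. For a human-chosen password it overestimates,
    because people do not pick characters uniformly.
    """
    pool = 0
    if any(c.islower() for c in password):
        pool += CLASS_SIZES[0]
    if any(c.isupper() for c in password):
        pool += CLASS_SIZES[1]
    if any(c.isdigit() for c in password):
        pool += CLASS_SIZES[2]
    if any(not c.isalnum() for c in password):
        pool += CLASS_SIZES[3]
    return len(password) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    # Constructed comparison: an 8-character random password versus the same
    # generator with a four-class composition rule bolted on, versus a
    # six-word passphrase. Lengths and list size are illustrative only.
    print("random 8 chars, 95-char alphabet:", round(random_password_entropy_bits(ALPHABET, 8), 2), "bits")
    print("same, but rule requires all 4 classes:", round(rule_entropy_bits(CLASS_SIZES, 8), 2), "bits")
    print("bits thrown away by the rule:", round(bits_lost_to_rule(CLASS_SIZES, 8), 2))
    print("6 words from a 7776-word list:", round(passphrase_entropy_bits(7776, 6), 2), "bits")
    print("per character, 6 words x ~5 letters:", round(passphrase_entropy_bits(7776, 6) / 30, 2), "bits/char")
    print("strength-meter guess for a human password:", round(naive_entropy_estimate("Tr0ub4dor&3"), 2), "bits")
```

Two things fall out of running it. First, the composition rule removes every random password that happens to lack a class, so it costs the random-generator user roughly a bit of entropy while gaining nothing against a uniformly random attacker model. Second, the six-word passphrase lands in the same range as the random character string despite having far fewer bits per character, which is the "a phrase can have plenty" point above; a rule based on total estimated entropy would accept both, a rule based on "contains a symbol" accepts neither.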
Password rules insanity (Score:1)
Password rules aren't consistent (Score:2)
The password rules wouldn't be quite so annoying if they could agree on a common set of rules. Website A wants caps, numbers and no special characters. Website B wants special characters, caps and numbers. This means more passwords, more permutations of passwords and the end result is worse security because of all the problems with forgetting passwords. I don't know that there is an easy solution but a start would be to have the same password rules everywhere whenever possible and they should follow wha
Yes (Score:2)
Length is good but complexity doesn't really help if you have a good lockout policy and good monitoring.
Complexity rules just mean that a) people write it on a sticky note and stick it to their monitor or b) constant password resets / helpdesk calls.
Dana Carvey's son, is that you? (Score:2)
Are you really Dana Carney's son?
https://youtu.be/tN-LJ7w5pwQ?t=51s
Provides Info to Crackers (Score:2)