Password Power Rankings: a Look At the Practices of 40+ Popular Websites (helpnetsecurity.com) 127
Orome1 shares a report from Help Net Security: Nothing should be more important for these sites and apps than the security of the users who keep them in business. Unfortunately, Dashlane found that 46% of consumer sites, including Dropbox, Netflix, and Pandora, and 36% of enterprise sites, including DocuSign and Amazon Web Services, failed to implement the most basic password security requirements. The most popular sites provide the least guidance when it comes to secure password policies. Of the 17 consumer sites that failed Dashlane's tests, eight are entertainment/social media sites, and five are e-commerce. Most troubling? Researchers created passwords using nothing but the lowercase letter "a" on Amazon, Google, Instagram, LinkedIn, Venmo, and Dropbox, among others. GoDaddy emerged as the only consumer website with a perfect score, while enterprise sites Stripe and QuickBooks also garnered a perfect score of 5/5. Here's a screenshot of how each consumer/enterprise website performed.
Uh (Score:5, Interesting)
Didn't we just have a (absolutely stupid) story about how password complexity rules are bad?
Which is it?
(Hint: Password complexity rules are a good way to prevent the dumbest of passwords from being used.)
Re: (Score:3)
more2rival+Relish
Re: (Score:2)
They don't even prevent the dumbest of passwords from being used. password becomes Password1!
And worse, it becomes more difficult to use those highly random generated passwords available from password managers.
Re: (Score:3)
This! I'm getting tired of being told that / isn't a special character, or that my truly random password only had 1 uppercase and 2 numbers, but needs 2 uppercase and 3 numbers, or that my random password can't have the same character twice in a row, etc.
Re:Uh (Score:5, Funny)
minimum length
What would be cool is minimum keystrokes instead. That way one could have a couple of backspaces in the password. Try to rainbow table that!
Re: (Score:1)
Long time ago on some kinds of Unix (not Linux) systems it was possible to embed control characters or backspaces in your local account password. You could, in fact, do what you say!
I've never seen any kind of web site that would accept such a thing though.
Re: (Score:3)
It would require probably less than 5 lines of JS to actually allow tabs, backspace and other special characters in a password (or otherwise text) field. And the transmission to the backend has been figured out for decades now. You can actually encode those the way you want, even left, up, down and right arrows and other special keys that do not have an ASCII counterpart (think Caps Lock, Scroll Lock and such, and even mouse events!)
The biggest issue here is that you're diverging from a perfectly universal
Re: (Score:3)
Yes, you could do it on a PR1ME... could also embed backspaces in messages to other users which would then crawl backwards across the screen deleting themselves...ah...the 1980s
https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:3)
Re: (Score:3)
It's not a problem to rainbow table that. What kills rainbow tables is strong salting.
Re: (Score:3)
brute force is mitigated by account lockout. If someone has a local copy of your password hashes, restricting the available passwords is only going to help a brute force attack.
Re: (Score:2)
brute force is mitigated by account lockout.
What mitigates the denial of service caused by account lockout?
Re: (Score:2)
Send the user an email with an unlock link in it.
Passwordless login, except to your e-mail (Score:2)
That's fine for passwords that don't affect the path to e-mail. In fact, some sites embrace passwordless login through one-time tokens sent through e-mail [sitepoint.com]. But it wouldn't work for the password to the user's Internet connection (PPPoE, RADIUS, subscription hotspot with a captive portal, etc.) or to the user's e-mail itself.
Nor does it work if your site has a lot of users such as jondeanmack [slashdot.org], who expects to be able to register without providing a means of password recovery.
Re: (Score:2)
whitelist real IPs from logs or when they call in to complain.
That's still a DoS against the department that responds to "call in to complain."
Usernames aren't supposed to be secret (Score:2)
That'd be difficult on sites that use a username as part of a user's public identity. For example, someone who reads the comments of all stories on the front page of Slashdot can see the usernames of all logged-in users who have commented on those stories.
Re:Uh (Score:5, Insightful)
Didn't we just have a (absolutely stupid) story about how password complexity rules are bad? Which is it?
(Hint: Password complexity rules are a good way to prevent the dumbest of passwords from being used.)
To clarify, the author of complex password policies that have lasted 15+ years had regret for one reason; the rules were too complex for users. In other words, he underestimated just how stupid and ignorant the masses are.
Force complex passwords? Users write them down. Every time. And "hide" them in the same stupid place.
Don't force complex passwords? Users create shitty passwords, and the Top 10 Shitty Passwords in 2017 are the same Top 10 Shitty Passwords used in 1987.
Force password changes? Users change from Password1 to Password2. You'll be able to guess their password 5 years from now.
Don't force password changes? Users never change them. Ever. Even if they are a victim of hacking or identity theft, they insist on keeping the same shitty password they used in high school. If you forced them to change it, they would have to write it down.
Sorry, but it doesn't matter what NIST or any other standard recommends; all the password rules in the world won't prevent the masses from building a better idiot.
TL; DR - The problem isn't password policies; it's stupid users.
Re: (Score:1)
> Force password changes? Users change from Password1 to Password2. You'll be able to guess their password 5 years from now.
That is why I append 4 digits to the passphrase, in the format MMYY, of when the password expires, as a mnemonic for when it expires.
Your crappy "password1" becomes "password0817"
Good luck guessing the first part -- the pass phrase, along with the second part -- when it expires.
> The problem isn't password policies;
Incorrect. I've seen sites where they had a maximum password length, usually like 8 characters. Seriously, WTF. You are _intentionally_ making your passwords insecure???
My internet banking site makes you have an 8 character password, using numbers and uppercase letters. You can't have 7 characters, you can't have 9. It has to be 8. Furthermore, your "username" is 6 digits, no more, no less.
Re: (Score:1)
Have you considered changing banks?
Re: (Score:2)
Re: (Score:1)
Guess that depends on how much you value your money. Personally, especially considering how much so many here harp on personal responsibility, I'd rather not take the chance. After all, if you know your bank's practices are weak, doesn't the onus fall on you?
ATM fees, postage, and money order fees (Score:3)
Have you considered changing banks?
Yes. But when only one bank has ATMs within cycling distance, that makes every other bank much more expensive: withdrawing cash costs ATM fees, depositing checks costs postage, and depositing cash costs postage plus money order fees. In the city where and years when I attended college, there was only one bank.
Re: (Score:3)
I've seen sites where they had a maximum password length, usually like 8 characters. Seriously, WTF. You are _intentionally_ making your passwords insecure???
I know a specific bank that has the following password rules for their online banking:
- must be all numeric
- must be between 4 and 6 digits long
And this is a BANK!!!!
Even better was when they sent out a newsletter which included a section on "staying safe online" which specified that you should always use a strong password of greater than 8 characters mixed upper and lowercase with numbers and symbols. I found that pretty ironic from a bank that won't let you use those very passwords on their own site.
Stupid Admins (Score:5, Insightful)
You can rant about stupid users all you want, they are the users you have. If you have rules that are not reasonably executable by the average user, then your rule is stupid.
Re: (Score:2)
You can rant about stupid users all you want, they are the users you have. If you have rules that are not reasonably executable by the average user, then your rule is stupid.
Cars have seat belts, and yet there are drivers that fail to use them. If drivers are too fucking stupid to protect themselves and understand the value of a seat belt, then they get what they deserve.
Computers have passwords, and yet there are users who fail to protect them. If users are too fucking stupid to protect themselves and understand the value of protecting their identity online, then they get what they deserve.
Re: (Score:1)
One thing to keep in mind is that password database breaches give you password hashes (most of the time). So, the attacker still has to (1) figure out the salt for the hash, (2) salt and hash the potential password and (3) compare the hash to the hash in their breach list. Only when the two hashes match do they have a good idea (after all, the hashes can match because of a hash collision, theoretically) of what the password is.
Re: (Score:1)
...So, the attacker still has to (1) figure out the salt for the hash...
You don't need to figure out the salt for the hash. In most password storage methods the salt is stored as a base64 encoded value along with the hashed password. If it isn't stored with the password then you are using 1 common salt for all passwords.
Re: (Score:2)
If it isn't stored with the password then you are using 1 common salt for all passwords.
Or the salt and hash are stored in separate tables on physically separate machines.
Re: (Score:2)
What pompous horseshit. Most passwords are discovered by leaks or hacks into hosting companies, not by watching over a user's shoulder or listening in on transmissions.
Most password databases that are hacked are full of weak passwords that are easily cracked. Those passwords are weak because users are too fucking stupid to remember strong passwords. Systems have to be purposely weakened because of stupid users.
I stand by my original statement.
THE solution: expiry depends on complexity (Score:5, Interesting)
Hi
you choose a password, there is a calculation performed of how long a brute force/dictionary attack will take.
Your password will expire after this time.
Calculate the time using this calculator (take the botnet time): https://password.kaspersky.com... [kaspersky.com]
thisisanicepassword => 3 days
this is a nice password => 40 years (maybe maximize on a top limit)
12345678 => 1 second
one two three four => 3 years
correcthorsebatterystaple => 5 years (hmm, maybe they should add that to an exception list)
h4Z7p8d0 => 51 seconds
h4Z7p8d0x3 => 2 hours
h4Z7p8d0x3w1 => 6 days
h4Z7p8d0x3w1bd => 2 years
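A sketch of the proposal above as an added example, not the commenter's or Kaspersky's code: it estimates the search effort of a password (as a choice of dictionary words when the password is a run of such words, otherwise as a choice of characters), turns that into an expected crack time at an assumed offline guessing rate, and clamps the result to an expiry window with the top limit the comment mentions. The guessing rate, the word list, the class sizes and the caps are all assumptions, so the resulting days differ from the calculator's figures.

```python
import math

# Assumptions (not from the comment or from Kaspersky's calculator):
GUESSES_PER_SECOND = 1e11   # offline guessing rate the expiry is sized against
DICT_SIZE = 7776            # diceware-sized word list an attacker would enumerate
MIN_EXPIRY_DAYS = 1
MAX_EXPIRY_DAYS = 365       # the "top limit" the comment suggests

# Constructed word list standing in for a real dictionary; it only needs to
# cover the sample passwords used in this example.
WORDS = {"this", "is", "a", "nice", "password", "one", "two", "three", "four",
         "correct", "horse", "battery", "staple"}

# Character classes and the alphabet size each one contributes.
CLASS_SIZES = (
    (str.islower, 26),
    (str.isupper, 26),
    (str.isdigit, 10),
    (lambda c: not c.isalnum(), 33),
)


def segment(text, words=WORDS):
    """Split `text` into the fewest dictionary words, or None if impossible."""
    best = [None] * (len(text) + 1)
    best[0] = []
    for end in range(1, len(text) + 1):
        for start in range(end):
            if best[start] is not None and text[start:end] in words:
                candidate = best[start] + [text[start:end]]
                if best[end] is None or len(candidate) < len(best[end]):
                    best[end] = candidate
    return best[-1]


def estimate_bits(password):
    """Search effort in bits. A run of dictionary words is scored as a word
    choice rather than a character choice; spaces and case are ignored for
    the word model only."""
    if not password:
        return 0.0
    words = segment(password.replace(" ", "").lower())
    if words:
        return len(words) * math.log2(DICT_SIZE)
    alphabet = sum(size for test, size in CLASS_SIZES
                   if any(test(c) for c in password))
    return len(password) * math.log2(alphabet)


def crack_seconds(password):
    """Time to exhaust the estimated search space at the assumed rate."""
    return 2 ** estimate_bits(password) / GUESSES_PER_SECOND


def expiry_days(password):
    """Expiry derived from the crack time, clamped to [MIN, MAX] days."""
    days = math.ceil(crack_seconds(password) / 86400)
    return max(MIN_EXPIRY_DAYS, min(MAX_EXPIRY_DAYS, days))


def main():
    for pw in ("thisisanicepassword", "this is a nice password", "12345678",
               "correcthorsebatterystaple", "h4Z7p8d0", "h4Z7p8d0x3w1bd"):
        print(f"{pw!r:32} {estimate_bits(pw):6.1f} bits -> expires in {expiry_days(pw)} days")


if __name__ == "__main__":
    main()
```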
Re: (Score:3, Informative)
To clarify, the author of complex password policies that have lasted 15+ years had regret for one reason; the rules were too complex for users. In other words, he underestimated just how stupid and ignorant the masses are.
Force complex passwords? Users write them down. Every time. And "hide" them in the same stupid place.
I'm registered at more than 50 sites (including work). How do you expect a sane person to remember that number of reasonably strong passwords? And change them at regular intervals?
My point is that the strong password system may work well if you have a small number of passwords, but once the number of passwords increases beyond maybe a handful, the password system breaks. The problem is not stupid users; the problem is the notion of requiring users to remember many passwords. Something better is sorely needed.
Re: (Score:2)
A password stored in a password manager's file is only as strong as the file's master password. And don't password managers that synchronize new or changed passwords between machines cost money?
Re: (Score:2)
Yes, but remembering one secure password is a lot easier than remembering fifty.
As far as I know, yes, though using a sync solution like Dropbox shouldn't be a problem if your password table is properly encrypted. (Especially if there's a separate keyfile that you don't include on shared storage and instead copy to
Merge conflicts; keyfiles on mobile (Score:2)
using a sync solution like Dropbox shouldn't be a problem
What I fear is that I would add two passwords on separate machines, and then the ownCloud or Dropbox client gets a merge conflict when it sees that both versions of the password vault file have changed.
Especially if there's a separate keyfile that you don't include on shared storage and instead copy to every client device manually.
How is that done on mobile, especially when iOS didn't have a user-accessible file system last I checked?
Re: (Score:2)
Corollary: a halfway decent password kept in a secure place is one that the same idiot will lose. I run into this with my IT customers all the time.
Re: (Score:2)
Re: (Score:2)
And of course there's the sheer stupidity of storing all your passwords in one place, especially one accessible by multiple devices over the internet....
Re:Uh (Score:5, Insightful)
Tell me oh massive brained one, how many passwords do you hold in your head? And how many will you still know in a year's time when you haven't used some of them for a while? Also, how many do you think you'll be able to hold in your head when you're 60? 70?
Passwords are a terrible solution for security, and a solution that we've never as a species had to deal with before. Remembering something that has absolutely no margin for error is hard for squishy brained organisms to do. Password managers are a solution but not exactly a widely spread well-known one, and they have their own issues.
Also, in your better-than-thou rant you haven't taking into account that worldwide security measures have to *work with stupid people too*. Someone who isn't too clever deserves decent security too, not just you and your Mensa brethren.
Re: (Score:2)
There was one website that I only needed to visit once a year to download my annual tax form. Their passwords expired in some time less than one year, so every time I visited my password was expired and needed to be reset.
So... you need to choose a hard password, that you will use exactly once, a year from when you choose it. ha!
Re: (Score:3)
I remember reading an article once that was talking about how important your email password (and security of whatever email provider you have) is. It's basically the easy backdoor to almost everything we have online because pretty much everything uses email as a forgot password - so if someone gets into your email they can reset absolutely everything. Scary as fuck... and yet that's one of the ones that many probably don't usually use the crazy-complex passwords for because 'it's just email'.
Re: (Score:2)
Yup, I have a lot of sites where my password is simply to hit the "forgot password" link. There's no point in even trying to remember the password on any site where the password expiry is more frequent than my visits to the site, or where I visit the site less frequently than once every 6 months or so. I'll use a strong password, that I can re-type once when entering it, after that it's gone from my memory.
Re: (Score:2)
so every time I visited my password was expired and needed to be reset.
Some sites are in fact using passwordless login [auth0.com], which is equivalent to resetting the password on every login.
Re: (Score:2)
Tell me oh massive brained one, how many passwords do you hold in your head? And how many will you still know in a year's time when you haven't used some of them for a while? Also, how many do you think you'll be able to hold in your head when you're 60? 70?
I only know one insanely long passphrase. The rest of my passwords are unknown to me. Yes, that's correct, I don't know them. They are randomly generated and I max out the system limit every time I generate one. I use a password manager. Before they came along, I regularly managed a dozen different systems, so I got used to remembering several usernames and passwords.
Passwords are a terrible solution for security, and a solution that we've never as a species had to deal with before. Remembering something that has absolutely no margin for error is hard for squishy brained organisms to do.
OK, let's just stop with the species bullshit as if comparing our challenges to caveman ancestors is relevant. The concept of a password
Re: (Score:2)
If your password policies fail to account for reality, then they're the problem. Thus, password policies are the problem, because clearly they don't account for reality.
Re: (Score:2)
If your password policies fail to account for reality, then they're the problem. Thus, password policies are the problem, because clearly they don't account for reality.
The reality is privacy and security is often compromised because of shitty passwords. This fact is broadcast almost every single day when we hear of everything from stolen celebrity pictures to theft of IP.
The average user takes the time and effort to lock doors and set alarms to prevent their house or car from being broken into, but then uses the same shitty password across all banks and social media, and ignores all advice to the contrary.
I'd say the problem is stupidly obvious, and was summarized in my
That requires JavaScript (Score:2)
There are two kinds of web-based random string generators: those that generate the password on the server and therefore allow the operator of the site to see every string that is generated, and those that generate the password on the client and therefore require the user to add the site to the browser's whitelist for running JavaScript.
Re: (Score:2)
(Hint: Password complexity rules are a good way to prevent the dumbest of passwords from being used.)
No they are not. Checking over a list of common passwords is.
Half of the time the rule abiding password just has an uppercase first letter and a number or symbol at the end. Yeah, it adds a bit or two of entropy but it isn't worth the annoyance.
Re: (Score:2)
(Hint: Password complexity rules are a good way to prevent the dumbest of passwords from being used.)
(Hint: Two-factor authentication is so dramatically more secure that you're far better off implementing it and letting people choose the passwords they want.)
Twitter's 2FA is expensive (Score:2)
Hint: Two-factor authentication is so dramatically more secure that you're far better off implementing it
Unless it's Twitter, which allows only the login method that's most expensive per use for many U.S. users.
Re: (Score:2)
Didn't we just have a (absolutely stupid) story about how password complexity rules are bad?
No, we didn't. We got a story about how one particular guide to making strong passwords wasn't good advice after all, according to the author. That advice guided people to making short passwords that included a capital, a lowercase letter, a digit and a special character, or variations thereof, and the author conceded that allowing long multi-word passwords is actually stronger than the short obfuscated ones that he recommended many years ago.
This story is that some sites allow you to give yourself a ridicu
Re: (Score:2)
Traditional Complexity rules ARE bad. Dashlane has a product to sell, and I'm beginning to think Dashlane themselves are a bad actor, because of the PR promoting whatever they think websites should enforce upon their users to encourage them to use Dashlane's password manager product.
Re: (Score:2)
Traditional Complexity rules ARE bad.
Would it be bad to retain the "must contain a letter" rule if the password is long enough? This RC car shop [philshobbyshop.com] has these rules: 8-15 characters with at least 1 letter and 1 digit, or 16+ characters with at least 1 letter.
Re: (Score:2)
Would it be bad to retain the "must contain a letter" rule if the password is long enough?
Yes, because strong passwords don't need to use a letter. And if you estimate entropy PROPERLY, then there's no reason for the restriction --- it's just spurious.
Computing entropy "properly" (Score:2)
And if you estimate entropy PROPERLY
What's "properly"? Kolmogorov complexity isn't tractable to compute.
Re: (Score:2)
Does Kolmogorov complexity adequately describe what users actually choose as passwords when "complex" password rules are imposed? Most people will do something easy to remember involving pet and kid names mixed with birth dates and a few obvious special character substitutions, or variations on that theme. This should be your expectation when attempting to estimate the entropy in your passwords.
Re: (Score:2)
Heh, thank you for posting exactly what I intended to when I read this article, even including the "Uh." These people are quite clueless.
Re: (Score:2)
Why is this idiot at +5?
I wonder which one [github.com] he is responsible for.
Re: (Score:2)
Comparing against a blacklist of common passwords, and having a few modest length requirements (and maybe an entropy counter), are good rules. I'm not convinced that complexity rules are.
I used to work at GoDaddy. The security tutorial I had to pass on my first day actually recommended satisfying the "mixed-case/symbol" requirement by starting with an initial capital letter and ending with an exclamation p
Password character requirements are a bad thing (Score:1)
Re: (Score:1)
U2F to the rescue! (Score:5, Informative)
Re: (Score:2)
Now I'm wondering why Github didn't offer 2FA when I created my account.
Probably because you still need to generate a password in order to push [github.com].
Re: (Score:3)
U2F really does whip the proverbial llama's ass. I wouldn't say, though, that your password is 'not very important'.... your password is still your second factor for a lost/stolen U2F key.
It is slowly gaining market share. One major financial firm (Vanguard mutual funds/brokerage) has enabled U2F logins, hopefully more to follow.
Passwords not usually the only way in (Score:2, Informative)
Many websites have good password policies - however, too many of them have entirely vulnerable account/password recovery systems.
I am reminded of this story about a clever attacker who convinced GoDaddy to let them into the victim's account by means of the last four digits of a credit card number provided over the phone by PayPal's recovery process: https://medium.com/@N/how-i-lost-my-50-000-twitter-username-24eb09e026dd
Securing a site against password-based attacks is a solved problem. Figuring out what to
Don't make Netflix mess with my pants (Score:2)
Sure, the data has to be breeched first
Why does the data need to start wearing pants [wikipedia.org]?
Worst that can happen (Score:3)
If said someone reuses their password across sites, it can be really bad, but password formation rules are useless against that type of bad password management. You can have the strongest password ever created by man; if you use the same one across all your accounts and one dumb webmaster decides to save passwords as plain text and gets invaded, you are fucked the same way!
So children, use password managers, you can use the most simple of the passwords for your logins (albeit with a manager that would be dumb), as long as you use a different one for each.
It's the end of the world! (Score:2)
How could I ever avoid using 'a' as a password without a dozen BS rules that are different on every fucking site?
dashlane who (Score:2)
Sites "failed Dashlane's tests." Good for them. Recent analysis by real cryptographers shows that password rules are worse than no rules.
And now we have "Dashlane", a nobody who wants to "grade" sites on their "password creation policies."
https://xkcd.com/936/ [xkcd.com]
Bye Dashlane and stop it with your self-serving PR memos. You are a disservice to oxygen-breathing password-users.
E
Why is requiring alphanumeric important? (Score:4, Insightful)
Requiring UPPERCASE doubles the space while 0-9 only adds 10 digits. It would be better to require mixed CASE than to require digits.
Also, requiring a symbol and then allowing ANY symbol would expand the space beyond the typical symbols people use... probably only about 8 symbols cover 90% of passwords. A full brute force would expand to nearly all of Unicode! Emoji included.
Requiring a SPACE might only add 1 digit but it would hint to people to add a whole WORD and I bet you get more in practice than requiring digits.
Strength tests should include the domain name because I've seen some lists where the domain name was used. My own investigating found people will use dates, names, initials, their PIN #, phone, even part of their email address. That kind of easily guessed stuff does not show up in these checkers OR in the stats gathered from break ins. Sites really should not create an account password UNTIL you enter all your account information. The session ID is good enough for tracking logins it surely is good enough to setup an account before creating a password and account name. Everybody does it backwards.
Re: (Score:2)
I have no trouble pressing shift. What I have trouble doing along with all other humans is having a perfect memory for tons of strong passwords. (I use a keychain so I rarely deal with passwords other than a few.)
My exploration of user patterns from years of looking at people I was admin for, is that capitalization is how they mostly handle the caps requirement or they go full capslock. Programmers love camel case.
In terms of brute force space, it makes sense to force a larger character set while it also
buck the trend (Score:3)
I have a two character password for one important account. It wasn't important 15 years ago when I created it, but grew in value. Perhaps I should change it, but then I'd be among the millions of others using this service with 8+ character passwords. I'm pretty sure that if a hacker looked at my 2 character password, she would just assume that it was a fragment of some code.
"GoDaddy emerged as the only consumer website with a perfect score" - I hope they've improved; for years they consistently locked me out of my account, requiring calls to tech support. There is a practical limit to the number of obscure requirements for account access. Other companies require phone confirmation (I won't give them my phone #), email or text confirmation, etc. Is it necessary or simply a means to gather more marketable information about users?
Then there are companies who insist that your username or password is incorrect. Yes, the one you've been using all along. You have to go and create a new one (again, wait for a code via email). Then, when you use the same password, the system says you are not allowed to use the same password (it knew you had the correct password all along!). Somewhere behind the scenes is an Eichmann who delights in torturing users.
Re: (Score:2)
It's quick enough to try, but does anyone? Human nature being what it is, I assume the people designing brute force attacks design for the common password requirements prevalent in the area that they're trying to force. I know that if I was designing a brute force attack, I'd probably start with 6 characters, because almost nobody allows less than that now.
Re: Usernames and e-mail addresses. (Score:2)
We tried that with our website, and it was a nightmare. Our customers are some of the most technologically illiterate people I've come across (and proudly so), yet they still want to use our website to find trade vehicles to buy.
We had some people who tried clicking the "what is my username link" and then getting confused about what email address to your in (hint, it's probably your work email address). Plus, they then would have had to reset their password too...
In the end we removed usernames and required
Re: (Score:2)
The other problem is reading comprehension. They still don't click on the activation link that contains the UUID
That could be due to following security guidance in articles like this one [omniquadsecurityblog.com]:
"Never follow links in e-mails because that confirms to spammers that you read their message."
"Never follow links in e-mails because they could lead to phishing sites on typosquatted domains instead of the real thing."
Re: (Score:2)
How about websites adjust their software such that e-mail addresses are not required for registration nor use!
Are you recommending use of a mobile phone number capable of receiving SMS as a substitute for an e-mail address? If not, then through what other mechanism would a user recover a forgotten password?
Don't care about your site you precious snowflake (Score:4, Insightful)
Re:Don't care about your site you precious snowfla (Score:4, Interesting)
Exactly.
Your website may not be important to me, so I won't give it a very important password. It may be important to you, but not to me. Especially if you insist on a username and password to do the most basic things.
You want me to log in to download your free software? Sure, I'll create an account - with a wimpy password. I don't care if that software is your heart and soul and you missed your mother's funeral to release it on time. I just want the file.
You want me to log in to comment on your article? Well, ditto. Same for forums as well.
Hell, I fully expect those sites to be hacked, so why use a strong password? Might as well just make it "password" and be done with it - if someone's downloaded the password file then they have all the time in the world to crack it. I might as well assume your site has vulnerabilities that make it easy to steal the password file.
Oh yeah, my Paypal, Amazon and bank passwords? They're nice and secure.
Re: (Score:2)
This is the biggest thing about security of websites. If your site doesn't handle my money, or my real life reputation, then it doesn't need a secure password.
Imagine if every single store you ever visited required you to sign up with all your personal details and carry around a user card before you could walk in the door? Sure you'd put up with it for your favourite grocery store, the local hardware store, and maybe 1-2 others, but you'd quickly say enough is enough and just avoid the mall. The web is incr
Re: (Score:2)
Re: (Score:2)
Maybe his usage of 'entropy' is not correct, but there are easy ways to have long and rememberable passwords.
See diceware.
5 words from a dictionary of 7776 is 7776^5
That's quite a lot.
Equivalent to a 14 lowercase letter password. But instead of memorizing 14 items, you only need to memorize 5
Needless complexity reduces security (Score:3)
I've lost track of how many passwords I have on various sites. Each site has its own rules, that conflict with each other. There's no way I can remember them all. So what do I do? I send myself emails with password hints for each site, or save a list in a password-protected document, or let Chrome remember it, or write them on a sticky note. If somebody figures out a way to hack Chrome's password vault, a LOT of people are in trouble! Somebody DID hack LastPass.
When building security is very tight, and there's a need for a plumber to come and go, what do they do...somebody props open a door, of course! Passwords are no different. If you make them too hard, people take measures to remember them--measures that make them less secure than if the rules weren't there in the first place!
Re: (Score:2)
I've got a password protected file with login and password hints for a couple dozen sites in it. Not the frequent ones like amazon or my banking, the infrequent ones that I need like once every year or so. Car insurance website with the bizarrely shitty requirements where only some subset of the symbols are allowed, and some other crazy requirements. Student loan login so I can get my interest statement for taxes. I find that it's invaluable when I go to log in each year, as if I can at least remember the l
gratuitous Spaceballs clip (Score:2)
In other news... (Score:2)
Comment removed (Score:3)
More important to ALLOW strong passwords (Score:3)
It's more important that a site allow strong passwords, by having long or no length limit, and no character restrictions. Amazon, Google, and LinkedIn, for example, may allow weak passwords, but unlike many sites, they also allow very strong passwords (no length or character restrictions AFAIK). If someone doesn't want a strong password (for example if they insist on trying to remember dozens of different passwords instead of using a password manager) forcing one will just make them write it on a sticky pad. Which may or may not be OK, depending on whether it's a secure environment.
using nothing but the lowercase letter "a" (Score:2)
The testing criteria are flawed.
If websites did their security right, there is no issue with it just being "a".
Once you salt, pepper, and hash that letter it becomes just as tricky to hack as "h&t3)__ner!1" -- 64 digits of random looking hex.
A real indicator of a website's bad password storage is if there is a character limit. If they only allow password that are 12 characters or fewer, then you know they are saving the password in a recoverable format. You should also try doing a "Forgot Password"; if t
Bullshit (Score:2)
8+ - Good
Alphanumeric required - Bad, you allow the attacker to skip testing all alpha-only / numeric-only passwords.
Password strength meter - We all know they don't work
Logins cannot be brute forced - OK
2-FA auth - doesn't have much to do with passwords
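An added example, not code from any commenter, that puts numbers on two points made in this thread: the earlier "Why is requiring alphanumeric important?" comment that adding uppercase grows the keyspace more than adding digits, and the "Alphanumeric required - Bad" item above, since a public "must contain" rule lets an attacker skip every candidate that lacks the required class. It counts the surviving candidates by inclusion-exclusion; the 8-symbol class size is an assumption taken from that earlier comment's rough estimate of the symbols people actually use.

```python
from itertools import combinations
from math import log2

# Character-class sizes. The symbol count is an assumption: an earlier comment
# estimates that about 8 symbols cover 90% of real passwords, so those are the
# ones an attacker would enumerate first.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 8}


def keyspace(length, allowed):
    """Number of strings of `length` over the union of the allowed classes."""
    alphabet = sum(CLASS_SIZES[c] for c in allowed)
    return alphabet ** length


def keyspace_requiring(length, allowed, required):
    """Number of strings over `allowed` that contain at least one character
    from every class in `required`. Inclusion-exclusion: subtract the strings
    missing one required class, add back those missing two, and so on."""
    required = tuple(required)
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            alphabet = sum(CLASS_SIZES[c] for c in allowed if c not in missing)
            total += (-1) ** k * alphabet ** length
    return total


def skipped_fraction(length, allowed, required):
    """Share of the allowed keyspace an attacker never has to try once the
    'must contain' rule is public (every candidate lacking a required class)."""
    return 1 - keyspace_requiring(length, allowed, required) / keyspace(length, allowed)


def bits(count):
    """Keyspace size expressed as bits of search effort."""
    return log2(count)


def main():
    n = 8
    # Point 1: which extra class buys more at a fixed length?
    for extra in ("upper", "digit", "symbol"):
        print(f"len {n}, lower+{extra:6}: {bits(keyspace(n, {'lower', extra})):.1f} bits")
    # Point 2: a mandatory class shrinks the space the attacker must cover.
    allowed = {"lower", "upper", "digit", "symbol"}
    print(f"len {n}, all classes allowed, nothing required: {bits(keyspace(n, allowed)):.1f} bits")
    for required in ({"digit"}, {"upper", "digit"}, allowed):
        frac = skipped_fraction(n, allowed, required)
        left = bits(keyspace_requiring(n, allowed, required))
        print(f"  require {sorted(required)}: attacker skips {frac:.1%}, {left:.1f} bits left")


if __name__ == "__main__":
    main()
```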
Re: (Score:2)
for example AWS allows the account owner to set the password policy strength:
Options are:
Minimum password length: [8]
[X] Require at least one uppercase letter
[X] Require at least one lowercase letter
[X] Require at least one number
[X] Require at least one non-alphanumeric character
[ ] Allow users to change their own password
[X] Enable password expiration
Password expiration period (in days): [1]
[X] Prevent password reuse
Number of passwords to remember: [32000]
[X] Password expiration requires administrator reset
*sigh* if only sites didn't choose options like this so I can read their useless blog...