

Slashdot Asks: Are Password Rules Bullshit? (codinghorror.com)

Here's what Jeff Atwood, a founder of Stack Overflow, thinks: Password rules are bullshit. They don't work.
They heavily penalize your ideal audience, people that use real random password generators. Hey, guess what, that password randomly didn't have a number or symbol in it. I just double checked my math textbook, and yep, it's possible. I'm pretty sure.
They frustrate average users, who then become uncooperative and use "creative" workarounds that make their passwords less secure.
Are often wrong, in the sense that they are grossly incomplete and/or insane.
Seriously, for the love of God, stop with this arbitrary password rule nonsense already. If you won't take my word for it, read this 2016 NIST password rules recommendation. It's right there, "no composition rules". However, I do see one error, it should have said "no bullshit composition rules".
What do you think?


  1. Obligatory XKCD by Anonymous Coward, Score: 5, Informative
    1. Re:Obligatory XKCD by Idarubicin, Score: 4, Informative

      It's worth pointing out that XKCD's pretense that four random words are easy to memorize was based on them choosing four easy to memorize words. If I just have /usr/share/dict/words pull up random words for me, here's the first five passwords it comes up with:

      It's a good thing that XKCD's Munro doesn't choose four random words from /usr/share/dict/words then, isn't it? The cartoon shows 11 bits of entropy associated with each word. That means a dictionary size of 2^11: about 2000 words. (In contrast, a typical /words file might have a hundred thousand entries. That's fifty-fold larger, so you get about 5.5 extra bits per word, but would indeed lead to the utterly useless output you've shown.)

      The General Service List contains the top 2000ish most-often used words in the English language. I used the version compiled in 1995 and found here, mostly because it was the first version I could grab online. Pulling random words from the first 2000 entries, the four words I got (on my first three passes) were:
      competition behave exact toward
      experiment miserable there lord
      spare page circle rabbit

      Right out of the box, it's not what I would call a disaster, though a few of the words are a bit cumbersome, length-wise. (For reference, your /usr/share/dict/words selection only contains one word - "weave" - from the GSL.) If you started from, say, the top 5000 words, you could probably cut it down to a 2000-word list where every entry was non-obscure, had between 4 and 8 letters (the average word in the GSL has a length of 5.8 letters), avoided difficult-to-spell words, and eliminated similar-sounding words.

      --
      ~Idarubicin
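The comment above works through the arithmetic of word-list passphrases: 11 bits per word implies a list of about 2^11 words, a 100,000-word file gives more bits per word but unusable output, and a curated list of 4-to-8-letter words is the practical middle ground. The following is an added example (not code from the commenter or from XKCD) that implements that pipeline: it filters a word list the way the comment describes, computes the entropy figures, and draws words with the OS CSPRNG. The embedded word list and the hard-to-spell exclusion set are constructed stand-ins for a real frequency list such as the GSL.

```python
import math
import secrets

# Constructed sample word list (an assumption standing in for a real frequency
# list such as the GSL). It deliberately contains entries a passphrase filter
# should drop: short function words, long or hard-to-spell words, case duplicates.
SAMPLE_WORDS = """
competition behave exact toward experiment miserable there lord
spare page circle rabbit weave the a of to in it is an
rhythm bureaucracy onomatopoeia colonel queue Behave BEHAVE
""".split()

# Hypothetical exclusion set; a real one would come from reviewing the source list.
HARD_TO_SPELL = frozenset({"rhythm", "colonel", "queue"})


def clean_wordlist(words, min_len=4, max_len=8, exclude=frozenset()):
    """Keep lowercase alphabetic words of min_len..max_len letters, dropping
    excluded words and duplicates, preserving first-seen (frequency) order."""
    seen = set()
    kept = []
    for word in words:
        word = word.lower()
        if not word.isalpha() or not (min_len <= len(word) <= max_len):
            continue
        if word in exclude or word in seen:
            continue
        seen.add(word)
        kept.append(word)
    return kept


def bits_per_word(list_size):
    """Entropy contributed by one uniformly chosen word: log2 of the list size."""
    return math.log2(list_size)


def passphrase_entropy(list_size, n_words):
    """Total entropy of n_words independent uniform picks from the list."""
    return n_words * bits_per_word(list_size)


def average_length(words):
    """Mean word length, the figure the comment quotes as 5.8 for the GSL."""
    return sum(map(len, words)) / len(words)


def generate_passphrase(words, n_words=4, rng=None):
    """Pick n_words uniformly and independently (with replacement).
    rng defaults to the OS CSPRNG; never substitute the default random module."""
    rng = rng or secrets.SystemRandom()
    return " ".join(rng.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    words = clean_wordlist(SAMPLE_WORDS, exclude=HARD_TO_SPELL)
    print(f"{len(words)} words kept, average length {average_length(words):.1f}")
    print(f"2048-word list: {bits_per_word(2048):.1f} bits/word, "
          f"{passphrase_entropy(2048, 4):.0f} bits for four words")
    print(f"100000-word list: {bits_per_word(100000):.1f} bits/word")
    print(generate_passphrase(words))
```

The entropy figures assume the attacker knows the list and the generator is uniform, which is exactly why `secrets.SystemRandom` is used rather than `random`; picking with replacement keeps each word's contribution at a full log2(N) bits. With a real 2,000-word list the four-word output lands at about 44 bits, the figure the comment's 11-bits-per-word reading of the cartoon implies.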
  2. Not just composition rules... by Junta, Score: 3, Informative

    It's right there, "no composition rules". However, I do see one error, it should have said "no bullshit composition rules".

    But you repeat yourself....

    Also in there:

    Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically) and SHOULD only require a change if the subscriber requests a change or there is evidence of compromise of the authenticator.

    Holy crap, sanity!

    Also need to scrap the minimum change interval some things impose (you *can't* change your password, even if you know you exposed it to someone accidentally).

    I'd also want to be very careful about account lockout policies. Yes, they are a tool to rate limit an attacker, but they are *also* a vector to DoS an account by locking it out on purpose.

    --
    XML is like violence. If it doesn't solve the problem, use more.
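The comment above makes the point that account lockout rate-limits an attacker but also lets anyone lock the legitimate owner out on purpose. The following is an added example (not code from the commenter or from NIST) of a throttle that slows repeated failures without ever permanently locking the account: delays grow exponentially per (account, source) pair, cap at a maximum, and expire on their own, so failures arriving from one place do not block the owner logging in from another. The key choice, delay values and window are assumptions for illustration; the `clock` parameter exists so the behaviour can be tested without sleeping.

```python
import time


class LoginThrottle:
    """Exponential-backoff throttle keyed on (account, source).

    There is no lockout state: after `window` seconds without a failure the
    entry is forgotten, and a successful login clears it immediately.
    """

    def __init__(self, base_delay=1.0, max_delay=300.0, window=900.0,
                 clock=time.monotonic):
        self.base_delay = base_delay   # seconds after the first failure
        self.max_delay = max_delay     # cap so the owner is never shut out for long
        self.window = window           # forget failures older than this
        self.clock = clock
        self._state = {}               # (account, source) -> (failures, last_failure_time)

    def check(self, account, source):
        """Seconds the caller must still wait before an attempt is accepted (0.0 = go)."""
        key = (account, source)
        if key not in self._state:
            return 0.0
        failures, last = self._state[key]
        now = self.clock()
        if now - last > self.window:
            del self._state[key]       # stale entry: self-heals without admin action
            return 0.0
        delay = min(self.base_delay * 2 ** (failures - 1), self.max_delay)
        return max(0.0, last + delay - now)

    def record_failure(self, account, source):
        key = (account, source)
        failures, _ = self._state.get(key, (0, 0.0))
        self._state[key] = (failures + 1, self.clock())

    def record_success(self, account, source):
        self._state.pop((account, source), None)


if __name__ == "__main__":
    throttle = LoginThrottle()
    for attempt in range(1, 5):
        throttle.record_failure("alice", "10.0.0.1")
        print(f"after {attempt} failures from 10.0.0.1: "
              f"wait {throttle.check('alice', '10.0.0.1'):.0f}s")
    print(f"same account from 10.0.0.2: wait {throttle.check('alice', '10.0.0.2'):.0f}s")
```

Because the wait is a function of elapsed time rather than a stored "locked" flag, there is nothing for a help desk to reset and no minimum interval the owner has to sit out; the failure counter for the owner's own source still applies, so a real guessing attempt is slowed wherever it comes from.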
  3. Re:In your face Betteridge! by Anonymous Coward, Score: 5, Informative

    you're just letting the world know that you can see my plain text password which is the last thing you should be doing.

    That's not necessarily true.

    When you set your password, they could extract various 4-character permutations, and store a salted hash of those characters along with their positions within the password.

    They're basically making a number of smaller passwords out of the alphabet you supplied via the characters in your password. Then they can salt, hash, and store these small passwords just like would be done for a full password. The plain text password is not stored.

    If they do this for, say, 20 permutations, and select one randomly each time you log in, you likely wouldn't be smart enough to see any pattern in the prompting. You'd wrongly think they're selecting the characters dynamically. Then you'd go off on Slashdot claiming that they're storing plain text passwords when they very well may not be, making yourself look like a silly goose.
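The comment above describes how a site can prompt for a few characters of a password without holding it in plain text: at enrollment it picks several 4-position subsets, stores a salted hash of each subset's characters together with the positions, and at login picks one stored subset at random. The following is an added example (not code from the commenter or from any bank) implementing that scheme end to end with PBKDF2-HMAC-SHA256 and a constant-time comparison. The record layout, the iteration count and the function names are assumptions; the final helper quantifies the offline guessing space a single record protects, which is the design consideration a reviewer would raise about any partial-password scheme.

```python
import hashlib
import hmac
import secrets
from itertools import combinations

PBKDF2_ITERATIONS = 50_000  # assumption for the demo; tune to the deployment


def _derive(chars, salt):
    """Salted, slow hash of the characters a record covers."""
    return hashlib.pbkdf2_hmac("sha256", chars.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def enroll(password, n_challenges=20, k=4, rng=None):
    """Build n_challenges records, each covering k distinct password positions.
    Only the positions, a salt and the hash of those k characters are stored;
    the full password is never written anywhere."""
    rng = rng or secrets.SystemRandom()
    position_sets = list(combinations(range(len(password)), k))
    chosen = rng.sample(position_sets, min(n_challenges, len(position_sets)))
    records = []
    for positions in chosen:
        salt = rng.getrandbits(128).to_bytes(16, "big")
        chars = "".join(password[i] for i in positions)
        records.append({"positions": positions, "salt": salt, "hash": _derive(chars, salt)})
    return records


def challenge(records, rng=None):
    """Pick one stored record at random; return its index and the 1-based
    positions the user is prompted for (the positions are public by design)."""
    rng = rng or secrets.SystemRandom()
    idx = rng.randrange(len(records))
    return idx, [p + 1 for p in records[idx]["positions"]]


def verify(records, idx, response):
    """Re-derive the hash from the typed characters and compare in constant time."""
    rec = records[idx]
    return hmac.compare_digest(_derive(response, rec["salt"]), rec["hash"])


def offline_guess_space(alphabet_size, k):
    """Number of k-character strings over the alphabet: the work to exhaust one
    record if the database leaks, independent of the full password's length."""
    return alphabet_size ** k


if __name__ == "__main__":
    password = "correct horse"                 # constructed sample secret
    db = enroll(password, n_challenges=20, k=4)
    idx, positions = challenge(db)
    print(f"Please enter characters at positions {positions}")
    typed = "".join(password[p - 1] for p in positions)   # what the owner would type
    print("accepted" if verify(db, idx, typed) else "rejected")
    print(f"one record protects {offline_guess_space(95, 4):,} possibilities")
```

Two properties follow directly from the construction. The commenter's claim holds: verification works and the plain text is never stored. But each record guards only four characters, so `offline_guess_space(95, 4)` is about 81 million for a 95-symbol alphabet, far smaller than the space of the whole password; the slow hash, per-record salts and a small number of stored subsets are what keep that manageable, and it is the trade-off to weigh before preferring this over a single hash of the full secret.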

  4. Re:In your face Betteridge! by skids, Score: 4, Informative

    Things you should never use as a password:

    1) Your first pet's name
    2) The street you grew up on
    3) The model of your first car

    Things banks use for "security questions":

    see above.