Slashdot Asks: Are Password Rules Bullshit? (codinghorror.com)
Here's what Jeff Atwood, a founder of Stack Overflow thinks: Password rules are bullshit. They don't work.
They heavily penalize your ideal audience, people that use real random password generators. Hey, guess what, that password randomly didn't have a number or symbol in it. I just double checked my math textbook, and yep, it's possible. I'm pretty sure.
They frustrate average users, who then become uncooperative and use "creative" workarounds that make their passwords less secure.
Are often wrong, in the sense that they are grossly incomplete and/or insane.
Seriously, for the love of God, stop with this arbitrary password rule nonsense already. If you won't take my word for it, read this 2016 NIST password rules recommendation. It's right there, "no composition rules". However, I do see one error, it should have said "no bullshit composition rules". What do you think?
Yes.
"Slashdot Asks: Are Password Rules Bullshit?"
I don't know. But headlines with "Bullshit" and "?" are.
Coder's Stone: The programming language quick ref for iPad
Also, please for god's sake let me see what I type. I have 99% of my passwords in a password manager, but not all of them, and sometimes I'm on a different device where I don't feel like logging into it if I actually know the password. Sometimes it's the login of the machine itself, so unless I'm using a dongle for logging in, I'll have to type the password.
If I can't see it, and god forbid we're on mobile, I'll have to make it significantly simpler to ensure I don't fat finger shit 19 times.
That's especially true with devices. I already mentioned mobile, but game consoles, smart thermostats, and all the IoT bullshit (some are actually useful). They force me to type my password blindfolded on unfamiliar input devices. If my password is 25 characters, I'm going to make mistakes. Let me see them please.
I don't mind too much the simple ones like must have a symbol, one uppercase, and a number and a minimum of x characters. Those are fine because I can click those buttons in Keepass to generate a password with or without those options.
The ones that piss me off are ones that only allow/require a very small set of symbols, so I have to generate it and tweak it.
The other big thing that makes me angry is when their password requirements are hidden. You just have to keep typing in passwords until their validator stops bitching at you. Why are these requirements not up front?!!
The idea of a password rule, as in some set of checks to make sure it meets a certain level of security, is a good one. However it needs to be something complex like entropy calculation. A password can have lots of entropy, and thus be strong (meaning hard to guess/crack) in a number of ways. A truly random set of characters has lots of entropy per character, but a phrase can have plenty, even though it has much less per character and can be easier to remember.
It shouldn't be some hardass thing of "you have to have 3 of 4 groups, no repeating characters, etc, etc". If you want an all numeric password, that's fine, it'll just need to be longer. Test based on actual entropy, not arbitrary bullshit.
Or, if you really care about security, start doing two factor. It always amuses me when some place has ultra-bitchy password rules but has no options to use even weak two factor auth. They care about security, apparently, but not enough to do anything that might be really useful.
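The entropy-based acceptance check this post argues for, written out as an added example (it is not code from the original thread or from any of the posters). It assumes a policy threshold of 50 bits, a small constructed blocklist standing in for a real breached-password list, and a 7776-word dictionary (the Diceware size) for passphrases; all three are assumptions, not values from the page. The point it demonstrates is the one in the post: an all-numeric password is fine if it is long enough, and a four-word passphrase can clear the same bar with far less entropy per character.

```python
import math
import string

MIN_BITS = 50.0  # assumed policy threshold; not from the page

# Constructed stand-in for a real "known breached / common passwords" blocklist.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "Denver17!"}


def char_pool_size(password):
    """Size of the alphabet a random generator would have drawn from, inferred
    from the character classes actually present in the password."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 printable ASCII punctuation marks
    known = set(string.ascii_letters + string.digits + string.punctuation)
    pool += len(set(password) - known)  # spaces, non-ASCII: count distinct symbols
    return pool


def random_string_bits(password):
    """Entropy of a uniformly random string: length * log2(pool).
    Only meaningful if the string really was generated at random."""
    if not password:
        return 0.0
    return len(password) * math.log2(char_pool_size(password))


def passphrase_bits(n_words, dictionary_size=7776):
    """Entropy of n words drawn uniformly from a dictionary: n * log2(size)."""
    return n_words * math.log2(dictionary_size)


def evaluate(password, is_passphrase=False, dictionary_size=7776):
    """Return (accepted, estimated_bits, reason). No composition rules: the only
    checks are the blocklist and the entropy estimate against MIN_BITS."""
    if password in COMMON_PASSWORDS:
        return (False, 0.0, "on blocklist")
    if is_passphrase:
        # Assumes the words were picked at random from the stated dictionary.
        bits = passphrase_bits(len(password.split()), dictionary_size)
    else:
        bits = random_string_bits(password)
    if bits < MIN_BITS:
        return (False, round(bits, 1), f"below {MIN_BITS:.0f} bits")
    return (True, round(bits, 1), "ok")


if __name__ == "__main__":
    for pw, phrase in [("123456", False),
                       ("12345678901234567890", False),   # all digits, but long
                       ("f$nUkw1dfvM(qkI", False),        # the post's generated example
                       ("correct horse battery staple", True)]:
        print(pw, evaluate(pw, is_passphrase=phrase))
```

The estimator only measures how many equally likely candidates a generator could have produced; a human-chosen string such as a run of digits would score well here while being trivially guessable, which is why the blocklist check (a real breached-password list in practice) runs first and the entropy check is only trusted for generated passwords and passphrases.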
I've always thought password rules probably made it easier to crack passwords. Password has to be between 6 and 10 characters? Great, that cuts out a huge range of potential passwords. Password has to have a symbol? That pretty much guarantees 'a' will be '@' and 'i' will be '!'.
How about this reason: I don't care for the account in the first place.
Simple scenario: I want to use a website once, but it requires me to "register an account". Why? No idea. I have absolutely no need for one and don't care if it's "hacked". For all I want, you can throw it away immediately. So I'm going to register the following account.
Username: johndoe123
email: johndoe@mailinator.com
password: 123456
Go ahead, "hack" my password, reuse my account, whatever. I don't care.
Once the site gets breached, I'm another data point for "people still use the world's worst password?!"
I saw the exact opposite in the right situation.
I was using an automobile forum that was apparently part of a much, much larger automobile forums company. The company got hacked and apparently their password database was compromised, so as a reaction they now required their users to have twelve character complex passwords, changed monthly. Because they, not the users, screwed up.
I stopped bothering going to them. I am not going to put up with those kinds of password requirements to talk about skidplates and tires. They are not a bank, I have no financial connection with them, arguably even the password itself is not that important on that site, it's very unlikely that anyone is going to care to impersonate me as there simply is no benefit to doing so.
Do not look into laser with remaining eye.
. . . .that don't tell you their password rules, only that your password doesn't fit them. This is especially irritating for the sites that require complex passwords and have short (i.e. 3 fails) lockouts. . . .
Even aside of the obligatory xkcd comic that will certainly still surface, password rules are at best useless. At worst they lead to behaviour that is detrimental to security.
So how long do they now have to be? 12 characters at least, no words from a dictionary, containing all sorts of numbers, special characters, upper/lower case, no semblance to any passwords used within the last 60 years... resulting in such great passwords as f$nUkw1dfvM(qkI and so on.
How to remember that? Not at all. What do people do? They write it down. If you're a lucky CISO, they put the post-it into their wallet. If you're not, you find it under their keyboard.
Sure, you can demand that they don't write it down. Then be prepared to drown your support in calls from users that have to get their passwords reset twice a day. Once when they come in, once when they return from their lunch break.
And all that because we are lazy. Yes, we. The company security. We brush off our business, i.e. securing access, onto the user. And why the fuck do we get away with that? Please tell me. It's OUR job to make machines secure, not the user's.
Security is best when you achieve total security without the user even noticing you're there. Perfect security means that little, better even no, user interaction is required. The less the user could possibly fuck up, the better for your security. And yes, that is possible. Replace a "what you know" security model with a "what you have" one, i.e. hand key cards to your personnel. If you really feel like it, augment it with a 4 digit pin they can set. That's already enough.
But brushing off security onto your user and putting insane demands on him is unacceptable.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
When my passwords get pwned, at least I can change them. When my biometrics get hacked? I'm SOL.
So, your primary counterpoint is that you did not read the original point and instead of having a tool randomly pick four words from your common vocabulary, you asked a tool to pick four words from a lingual mix of English, Greek, Latin, proper names, and acronyms?
I have a better password for you:
uninspiring straw troll Slashdotter
Ok.. It depends.... Password rules, like anything, when used within reason CAN increase security.
There has been some research that arrives at the conclusion that yes, indeed, password rules are actually bullshit for security.
As mentioned in the summary, enforcing password rules will actually block provably safe passwords:
- a base32 encoded 128bit pure random number. It's mathematically provable to be secure (if done by a cryptography-grade true random number generator, it's a 2^128 security, which is pretty good enough). But it's a 25 character long string of alphanumerics. So it's not mixed case, and doesn't contain punctuation, so it will be rejected by most stupid rules (also some rules have size specified as a range [9 to 16 characters], not a minimum [more than 8]. This will also reject a 25-long password).
As shown in presentations at numerous conferences such as CCC:
- even a complex rule set (Mixed case, must contain numbers and punctuation, at least 9 characters long) will usually give results such as "Denver17!"
Which are a lot less secure because they follow a general pattern (The first letter is the single capitalized one, numbers come at the end, punctuation is the last and 9 out of 10 times it's a '!' ). Most of these "rule abiding passwords" follow one of very few such patterns, and patterns are alarmingly easy to crack.
As such, no matter what, rules are a bad idea.
On the other hand, password managers with a generation function (like the above 128-bits equivalent password) are definitely a good idea.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
You're missing part of the point of the XKCD. It's not just about choosing four random words, it's also about constructing a mnemonic to remember that password. That's what the image with the horse is all about.
And it works.
The day I read the XKCD, I changed my home domain password policy. I pulled out all the annoying requirements like must have upper case, special character, number, etc, and extended the length requirement one to 20 characters. That's it. I then showed my family the xkcd and made sure they understood what I was after. They grumbled. The excuse I heard from every one of them was 'I suck at choosing passwords'. I helped them through that, and after they got used to it, they didn't grumble anymore. Sadly, I've had quite a bit more difficulty getting them to use password managers, though I hope that my dire threats of doom and revoked network access have made it clear that they don't use their home domain password for anything else.
Professionally, I've tried to get my companies to see the light, but they remain stubborn and insist that the special character requirement is good enough, and about the only way I could disprove that would be to launch an attack to prove otherwise. Since that is likely to be a resume generating event, I have so far declined that option.
I think the most irritating work password experience I had was when I started using long passwords, routinely over 20 characters.... until I ran into an internal app that, despite using Active Directory for authentication, restricted the password field to 12 characters. Apparently web developers don't understand the logic of 'if you're going to use AD, and AD accepts longer passwords, your app should too'. That's when I wrote my own damn app to mimic the same functionality.
What study?
I'm kind of lazy to google all the sources by myself.
The general approach is *pattern-based*.
I pointed to a presentation on youtube but there are other independent research all arriving at the same conclusion.
They are mostly done by applying pattern-based cracking either to leaked hashes databases or to hashes databases volunteered by organisations.
So it's not theoretical work; it's mostly noticing what happens in the wild when you try enforcing password rules.
doesn't mean they are totally BS. {...} But OBVIOUSLY password rules force the user to avoid the common pitfalls in password selection and will more likely cause your users to have passwords that are not easily cracked.
The problem, as discovered among other on the presentation in my previous post, is that by trying to avoid common pitfalls in password selection:
- not enough variations if passwords are all lower-case only characters (It's only 26 symbols per position)
you do not actually avoid the pitfalls
- if applied accurately that would give 26 lower + 26 upper + 10 digit + even more punctuation per position
but push the people into a different set of pitfalls.
- people are lazy. most of the time, it was discovered, they'll just upper-case the first letter and slap the required extra digits at the end. And add '!' after that if they can't get around punctuation. That's still 26 possibilities per position, with a few more things (nearly negligible) at the end.
So... what's easier to guess "password" or "Denver17!" ? I know what I'm going to bet gets broken first..
Both are in the "basically worthless" category.
the first one is straight out of a word list.
The second follows one of the most common patterns: "Llllll##?".
In theory, if a user used all possible characters at any position, you'd be getting "26 lower + 26 upper + 10 digit + 10 punctuations" = approx. 74 symbols per position. A 9 character long password would in theory get 74 ^ 9 or approximately 56bits of security. Not much, but still something.
In practice, most passwords abiding by the rule will be one of the few common patterns such as above.
Without taking dictionary into account, only the symbols at each position of the pattern, the above is 26 ^ 6 * 100 * 10 or only 38bits of security.
You lost about 18bits of theoretical security, just because your users are lazy as shit.
There are about a dozen such overwhelmingly common patterns (so you're looking at best at 41bits security. If you only use salted hashes in your password database and it gets leaked, the vast majority of your user passwords will get cracked appallingly fast).
And that's without factoring in dictionaries. (Look at all the 6 letter words that you can fill in the first part of the pattern, first use a few common combinations for the numbers (current year, '13', '69', etc.) and you can basically go for '!' and leave the rest of the punctuation for later). At that point, in case of a database leak, tons of passwords will get insta-cracked and the attackers can already start probing for password reuse even before the end users have had enough time to be alerted about the leak.
You want to stack the deck in your favor where you can, so if that means forcing your users to follow some rules in password selections gets you 50% more secure passwords.... Do it..
In practice, you only get marginally better security, because the users will resort to simple schemes just to get around the rules.
People are lazy and will resort to the simplest pattern possible just to get around the rules.
In this case, I'm not inclined to believe password complexity rules are just bad,
They are bad in that they push non-security-minded end users to do things which are nearly entirely predictable for the password cracker.
i.e.: they are actually not adding any significant amount of security.
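The keyspace arithmetic in the post above (74^9 versus 26^6 * 100 * 10, and a dozen such patterns), carried through as an added example; this is not code from the thread or from any poster. It uses the post's own mask notation (L upper, l lower, # digit, ? punctuation) and its assumption of roughly ten commonly used punctuation marks. Summing those four classes gives 72 symbols rather than the post's rough "~74", which rounds to the same 56 bits for nine positions. The list of common masks and the sample passwords are constructed for illustration; a defender would measure real mask frequencies from an audit of their own user base rather than guess them.

```python
import math
import string
from collections import Counter

# Mask alphabet from the post: L = upper, l = lower, # = digit, ? = punctuation.
# Pool sizes follow the post's assumption of ~10 punctuation marks in common use.
MASK_POOL = {"L": 26, "l": 26, "#": 10, "?": 10}

# Constructed stand-in for the "dozen overwhelmingly common patterns" the post
# refers to; illustrative only, not measured from any real dataset.
COMMON_MASKS = {
    "Llllll##?", "Lllllll##?", "Llllllll##?", "Lllll##?", "Llll##?",
    "Llllll####", "Lllllll####", "Llllll#?", "Lllllll#?", "Llllll###?",
    "llllll##?", "lllllll##?",
}

# Constructed sample of rule-abiding passwords, for the histogram below.
SAMPLE = ["Denver17!", "Summer18!", "London99!", "Boston21!", "Xk3$pQz9"]


def mask_of(password):
    """Classify each character, e.g. 'Denver17!' -> 'Llllll##?'."""
    out = []
    for c in password:
        if c in string.ascii_uppercase:
            out.append("L")
        elif c in string.ascii_lowercase:
            out.append("l")
        elif c in string.digits:
            out.append("#")
        elif c in string.punctuation:
            out.append("?")
        else:
            raise ValueError(f"{c!r} is outside the four classes this example handles")
    return "".join(out)


def mask_bits(mask):
    """Keyspace in bits of one fixed pattern: the product of per-position pools,
    so the bits add. 'Llllll##?' -> 26^6 * 10^2 * 10 -> about 38 bits."""
    return sum(math.log2(MASK_POOL[m]) for m in mask)


def unconstrained_bits(length):
    """Keyspace in bits if every position could hold any of the 72 symbols."""
    return length * math.log2(sum(MASK_POOL.values()))


def combined_bits(masks):
    """Keyspace of a union of patterns: the sizes add, so bits = log2(sum 2^bits_i).
    Twelve equally sized patterns add log2(12), about 3.6 bits."""
    return math.log2(sum(2 ** mask_bits(m) for m in masks))


def mask_histogram(passwords):
    """Audit helper: how many passwords fall into each mask."""
    return Counter(mask_of(p) for p in passwords)


def fraction_in_common_masks(passwords):
    """Share of a password set covered by the common-mask list."""
    hits = sum(1 for p in passwords if mask_of(p) in COMMON_MASKS)
    return hits / len(passwords)


if __name__ == "__main__":
    print("9 positions, any symbol:", round(unconstrained_bits(9), 1), "bits")
    print("pattern Llllll##?:      ", round(mask_bits("Llllll##?"), 1), "bits")
    print("12 such patterns:       ", round(combined_bits(sorted(COMMON_MASKS)), 1), "bits")
    print(mask_histogram(SAMPLE).most_common(3))
    print("covered by common masks:", fraction_in_common_masks(SAMPLE))
```

The histogram is the defender's side of the argument: if most of a user population collapses into a handful of masks, the policy is delivering the 38-to-42-bit figure rather than the 56 bits it was supposed to guarantee, and that is the number to plan hash cost and breach response around.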
Yeah... you need to randomly insert numbers for some rules (as in your last example); it might be hard to remember which "number" rule you applied. Some sites don't allow special characters, so you can't use ",", but some sites require special characters, so your phrase needs to have some memorable punctuation... then, ultimately, it's all well and good for one place, but while you might remember "Yeah, best of luck with that," try remembering a dozen different phrases and, more specifically, which sites they go to and which rules you had to apply to meet their particular requirements.
Stupid sexy Flanders.