Slashdot Mirror
Slashdot Asks: Are Password Rules Bullshit? (codinghorror.com)
Here's what Jeff Atwood, a founder of Stack Overflow thinks: Password rules are bullshit. They don't work.
They heavily penalize your ideal audience, people that use real random password generators. Hey, guess what, that password randomly didn't have a number or symbol in it. I just double checked my math textbook, and yep, it's possible. I'm pretty sure.
They frustrate average users, who then become uncooperative and use "creative" workarounds that make their passwords less secure.
Are often wrong, in the sense that they are grossly incomplete and/or insane.
Seriously, for the love of God, stop with this arbitrary password rule nonsense already. If you won't take my word for it, read this 2016 NIST password rules recommendation. It's right there, "no composition rules". However, I do see one error, it should have said "no bullshit composition rules". What do you think?
They heavily penalize your ideal audience, people that use real random password generators. Hey, guess what, that password randomly didn't have a number or symbol in it. I just double checked my math textbook, and yep, it's possible. I'm pretty sure.
They frustrate average users, who then become uncooperative and use "creative" workarounds that make their passwords less secure.
Are often wrong, in the sense that they are grossly incomplete and/or insane.
Seriously, for the love of God, stop with this arbitrary password rule nonsense already. If you won't take my word for it, read this 2016 NIST password rules recommendation. It's right there, "no composition rules". However, I do see one error, it should have said "no bullshit composition rules". What do you think?
Yes.
"Slashdot Asks: Are Password Rules Bullshit?"
I don't know. But headlines with "Bullshit" and "?" are.
Coder's Stone: The programming language quick ref for iPad
Also, please for god's sake let me see what I type. I have 99% of my passwords in a password manager, but not all of them, and sometimes i'm on a different device where I don't feel like logging into it if i actually know the password. Sometimes its the login of the machine itself, so unless I'm using a dongle for loging in, I'll have to type the password.
if I can't see it, and god forbid we're on mobile, I'll have to make it significantly simpler to ensure I don't fat finger shit 19 times.
That's especially true with devices. I already mentionned mobile, but game consoles, smart thermostat, and all the IoT bullshit (some are actually useful). They force me to type my password blindfolded on unfamiliar input devices. If my password is 25 characters, I'm going to make mistakes. Let me see them please.
I don't mind too much the simple ones like must have a symbol, one uppercase, and a number and a minimum of x characters. Those are fine because I can click those buttons in Keepass to generate a password with or without those options.
The ones that piss me off are ones that only allow/require a very small set of symbols, so I have to generate it and tweak it.
The other big thing that makes me angry is when their password requirements are hidden. You just have to keep typing in passwords until their validator stops bitching at you. Why are these requirements not up front?!!
I saw the exact opposite in the right situation.
I was using an automobile forum that was apparently part of a much, much larger automobile forums company. The company got hacked and apparently their password database was compromised, so as a reaction they now required their users to have twelve character complex passwords, changed monthly. Because they, not the users, screwed up.
I stopped bothering going to them. I am not going to put up with those kinds of password requirements to talk about skidplates and tires. They are not a bank, I have no financial connection with them, arguably even the password itself is not that important on that site, it's very unlikely that anyone is going to care to impersonate me as there simply is no benefit to doing so.
Do not look into laser with remaining eye.
When my passwords get pwned, at least I can change them. When my biometrics get hacked? I'm SOL.
Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
Ok.. It depends.... Password rules, like anything, when used within reason CAN increase security.
There has been some research which arrive at the conclusion that yes, indeed, password rules are actually bullshit for security.
As mentioned in the summary, enforcing password rules will actually block provably safe passwords :
- a base32 encoded 128bit pure random number. It's mathematically provable to be secure (if done by a cryptography-grade true random number generated, it's a 2^128 security, which is pretty good enough). But it's a 25 character long string of alaphanumeric. So it's not mixed case, and doesn't contain punctuation so it will be rejected by most stupid rules (also some rules have size specified as a range [9 to 16 characters], not a minimum [more than 8]. This will also reject a 25-long password).
As shown in presentations at numerous presentation in conferences such as CCC :
- even a complex rule set (Mixed case, must contain numbers and punctiation, at least 9 characters long) will usually give results such as "Denver17!"
Which are a lot less secure because they follow a general pattern (The first letter is the single capitalized, number come at the end, punctuation is the last and 9 out 10 times it's a '!' ). Most of these "rule abiding password" follow one of very few such patterns, and patterns are alarmingly easy to crack.
As such, no matter what, rules are a bad idea.
On the other hand, password managers with a generation function (like the above 128-bits equivalent password) are definitely a good idea.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
You're missing part of the point of the XKCD. It's not just about choosing four random words, it's also about constructing a mnemonic to remember that password. That's what the image with the horse is all about.
And it works.
The day I read the XKCD, I changed my home domain password policy. I pulled out all the annoying requirements like must have upper case, special character, number, etc, and extended the length requirement one to 20 characters. That's it. I then showed my family the xkcd and made sure they understood what I was after. They grumbled. The excuse I heard from every one of them was 'I suck at choosing passwords'. I helped them through that, and after they got used to it, they didn't grumble anymore. Sadly, I've had quite a bit more difficulty getting them to use password managers, though I hope that my dire threats of doom and revoked network access have made it clear that they don't use their home domain password for anything else.
Professionally, I've tried to get my companies to see the light, but they remain stubborn and insist that the special character requirement is good enough, and about the only way I could disprove that would be to launch an attack to prove otherwise. Since that is likely to be a resume generating event, I have so far declined that option.
I think the most irritating work password experience I had was when I started using long passwords, routinely over 20 characters.... until I ran into an internal app that, despite using Active Directory for authentication, restricted the password field to 12 characters. Apparently web developers don't understand the logic of 'if you're going to use AD, and AD accepts longer passwords, your app should to'. That's when I wrote my own damn app to mimic the same functionality.