Slashdot Asks: Are Password Rules Bullshit? (codinghorror.com)
Here's what Jeff Atwood, a founder of Stack Overflow thinks: Password rules are bullshit. They don't work.
They heavily penalize your ideal audience, people that use real random password generators. Hey, guess what, that password randomly didn't have a number or symbol in it. I just double checked my math textbook, and yep, it's possible. I'm pretty sure.
They frustrate average users, who then become uncooperative and use "creative" workarounds that make their passwords less secure.
Are often wrong, in the sense that they are grossly incomplete and/or insane.
Seriously, for the love of God, stop with this arbitrary password rule nonsense already. If you won't take my word for it, read this 2016 NIST password rules recommendation. It's right there, "no composition rules". However, I do see one error, it should have said "no bullshit composition rules". What do you think?
The problem is now that the bullshit rules are now expected by customers. When we did our last major UX review, we didn't have those rules in place. Adding them made our customers overall feel more confident in our platform.
It's "cargo cult" requirements. People are so used to the security theatre of the password rules that when they come to specify what their system should do they put in all of this stupidity. They don't actually read NIST guidelines. Maybe we should lobby for some kind of certification mark - and the people who assess it would have some clues.
Just say no to most of the things that require a password. Most of them are worthless anyway.
Only post anonymously to /..
Quit forums and registration-only websites. You'll find you're getting more free time and less Internet-induced anxiety.
Scuttle your StackOverflow account. It's taken over by H1Bs.
For professional work, use other means of authentication such as crypto keys. Manage professional accounts with a password manager and 2fa.
Use long passphrases and 2fa for local logins. Scrap stuff like "cloud" storage because they're there to TRACK YOU.
Get a dumb phone and set up Sim card PIN lock and screen PIN lock.
The password rules wouldn't be quite so annoying if they could agree on a common set of rules. Website A wants caps, numbers and no special characters. Website B wants special characters, caps and numbers. This means more passwords, more permutations of passwords and the end result is worse security because of all the problems with forgetting passwords. I don't know that there is an easy solution but a start would be to have the same password rules everywhere whenever possible and they should follow whatever the currently acknowledged evidence based best practices are. (balancing usability with security of course)
Making the problem worse is every f***ing website wanting you to make an account with them even when doing so is of no benefit to me. Guest checkout should ALWAYS be an option. I'm not going to become a repeat customer because you make me create an account. I'll become a repeat customer because your service and prices rock and you provide something I need.
Just please stop the bank from asking for four letters from random positions in my password. This isn't more secure; you're just letting the world know that you can see my plain text password, which is the last thing you should be doing.
Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.
What confuses me the most about common practices is the small number of attempts many platforms allow before they lock your account. How did three tries become standard? I could understand if the password was an atm code, with 10k possibilities, but many of these platforms require fairly strong password to begin with. I often enter one or two incorrect passwords if I am not paying attention - caps lock, typo, num lock, etc. Is allowing 10 attempts really that much more of a vulnerability?
In the goal of increased security, it's exceedingly unlikely that a larger bank is storing anything password related in plain text. Banks are beyond that stuff these days. Procedures and software are audited, etc etc - nobody but mom and pop sites would be able to fly under the radar of the harm to reputation that would occur if it turned out that your bank passwords were being stored in plaintext.
"Old man yells at systemd"
I remain in disagreement that that is the best approach. It gives you needlessly large amounts of typing for little entropy. Acronym passwords are better - think of a sentence and a rule for turning it into a password (the simplest just being using the first letter or two letters of each word).
Sentences are easier to remember than four random words, the resultant passwords are shorter, and while the search space can certainly be reduced by statistical means, it's not nearly as much as with four random words. Aka, if the last letters the person typed in were "stapl", what do you think the next letter is going to be?
It's worth pointing out that XKCD's pretense that four random words are easy to memorize was based on them choosing four easy to memorize words. If I just have /usr/share/dict/words pull up random words for me, here's the first five passwords it comes up with:
cytopharynx Gasperoni gastroplasty revolutionising
reacidifying bosom-breathing sipers down-in-the-mouth
text-writer clubbed midfields Shuqualak
Malkite phthisiology BLM improbabilize
weaves Whiggamore unspirally Exod
Yeah, best of luck with that. By contrast, if I convert the previous sentence into an acronym password, I may get something like (depending on what rules I use):
Y,bolwt. .... etc. Choose your own rules. But you won't forget "Yeah, best of luck with that"
Yebeofluwith
yEbE0FlUw1tH
The big brain am winning again! I am the greetist! Now I am leaving for no particular raisin!
My first act upon entering my last workplace:
- Remove enforced 30-day password resets that could only be done via IT (500+ users means two tickets a day, at least, were just password resets - and imagine what that does to remote workers who then can't get into remote desktop or email to request a password change anyway!)
- Remove "password history" requirements that were onerous and made people invent - and therefore forget/lose - passwords all the damn time or just use numbers tacked on the end.
- Remove all complexity requirements from passwords, except minimum length.
- Encourage people to choose a small set of GOOD passwords, which I promise I will not invalidate every month, and use them well (e.g. if one system requires another to work but gives NO MORE access to data than the first, they may as well use the same password!).
- Stand up once or twice a year in all-staff meetings and gently remind them to change their password, oh and by the way, I was the guy who stopped you having to change it every single month so you might want to pay me the courtesy of actually doing so.
- Demonstrate, as a mathematician, the thing that the XKCD cartoon does - LENGTH MATTERS, ALPHABET COMPLEXITY DOES NOT (*).
The staff loved me for it, it's totally compliant (passed through security audits, DPA audits, etc.), backed up by official NIST, GCHQ, etc. advice and all kinds of computer security experts and it works.
Number of account compromises: 0 in 3 years.
Number of account password resets required - ONE THOUSANDTH of what it used to be.
(*):
Adding a single character to the alphabet available increases brute force times by a factor of 1/(size of previous alphabet), e.g. one-twenty-sixth more.
Adding another character - using the same alphabet - to the length of a password increases brute force times by a factor of (size of previous alphabet), e.g. TWENTY SIX TIMES MORE.
A 10-character, only A-Z, a-z password takes TWICE AS LONG to brute-force as an 8-character, every-ASCII-character password.
they could extract various 4-character permutations, and store a salted hash of those characters along with their positions within the password.
The organisation I work for used to do exactly this. Then one day they decided that they would use a hardware password vault, with the ability to verify the password combinations. The problem was that to move to the vault we would either have to get access to the full password or get everyone to re-register. The business said to me "is there any way you can get the original password". My initial reaction was "no - it's hashed, the password isn't stored", but after a little thought I realised that the first 4-character combination was basically a 4-character password. A naive brute force could crack it in about 45 seconds. Optimizing simply so that it would try the most common letter combinations first reduced that to under 20.
Having obtained the first four characters XXXX----, finding the subsequent ones XXX-X---, XXX--X-- and so on is sub-second; you only have to find one character each time using the appropriate hash. Cracking the whole customer list took just over 2 days.
The current solution uses multiple passwords, each of which is known to only one role of person: something in the hardware unit, a value put in the database by the DBAs, and a value set in a file by devops. We know that encrypting the password is not the most secure method, but the reason that we use the "4 from n" is we see the risk as asymmetric; there is a much larger chance that the customer's PC will be compromised than our systems. Also over a certain limit we require two-factor authentication.
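Putting numbers on two of the comments above: the footnote's alphabet-versus-length comparisons (and the four-random-words baseline from the XKCD discussion), and the work factor of the "4 from n" hash-per-subset scheme just described. This is an added example, not code from any commenter or from the organisations mentioned; the 2048-word list (XKCD's 11 bits per word) and the 100,000-word list standing in for /usr/share/dict/words are assumed sizes, and the 62-symbol alphabet is a constructed choice.

```python
import math


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random string: log2(alphabet^length)."""
    return length * math.log2(alphabet_size)


def brute_force_ratio(alphabet_a: int, length_a: int,
                      alphabet_b: int, length_b: int) -> float:
    """How many times more guesses exhausting space A costs than space B."""
    return alphabet_a ** length_a / alphabet_b ** length_b


def length_vs_alphabet(alphabet_size: int, length: int) -> tuple[float, int]:
    """Multiplier on the search space from adding one symbol to the alphabet
    versus adding one character to the length (the footnote's comparison)."""
    alphabet_gain = ((alphabet_size + 1) / alphabet_size) ** length
    length_gain = alphabet_size
    return alphabet_gain, length_gain


def partial_password_guesses(alphabet_size: int, length: int,
                             window: int = 4) -> int:
    """Worst-case guesses to recover a whole password when the verifier keeps a
    hash of each `window`-character positional subset ('4 from n'): the first
    subset is effectively a standalone short password, and each further
    position is then found by varying one character against a subset that
    includes it, so the cost is alphabet^window + (length-window)*alphabet."""
    return alphabet_size ** window + (length - window) * alphabet_size


if __name__ == "__main__":
    # Footnote claim: 10 chars of [A-Za-z] (52) vs 8 chars of printable ASCII (95)
    print("52^10 / 95^8 =", round(brute_force_ratio(52, 10, 95, 8), 1))
    a_gain, l_gain = length_vs_alphabet(26, 8)
    print("8-char [a-z]: +1 symbol x%.2f, +1 char x%d" % (a_gain, l_gain))
    # Random-word passphrases: assumed list sizes, 2048 words = 11 bits/word
    for words in (2048, 100_000):
        print(f"4 words from {words}: {search_space_bits(words, 4):.1f} bits")
    # '4 from n' scheme vs one hash of the whole 10-char password (62 symbols)
    print("partial:", partial_password_guesses(62, 10), "full:", 62 ** 10)
```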
Ditto those stupid 'KBA' (knowledge-based authentication) questions, which are even worse:
1. Who on God's earth thinks asking "What was the make of your first car?" is remotely secure? Ford, Honda and Toyota together make up over 30% of all the cars on the roads!
2. Once a database on these is cracked/leaked/left-in-a-public-restroom I can never change "the first concert I went to", making that answer insecure for the rest of my life, but I'll probably never know that.
3. I find myself looking down the options going: well, none of these apply. I don't have a favorite baseball team. I didn't have a nickname when I was a kid. I don't want to give you gobs of biographical information. I guess I'll have to make something up, and then forget it.
None of the security of biometrics, with all the irrevocability. I can't figure out why these were ever thought to be a good idea.
'This writing business. Pencils and what-not. Over-rated if you ask me. Silly stuff. Nothing in it' - Eeyore
Just to add insult to injury, those fuckers started adding third party web sites for services like project planning and some employee incentives. And those third party web sites also had their unique password requirements. I eventually arrived at the conclusion that most of their employees were so busy maintaining their passwords that no other work was getting done inside the company.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?