Slashdot Asks: Are Password Rules Bullshit? (codinghorror.com)

Here's what Jeff Atwood, a founder of Stack Overflow thinks: Password rules are bullshit. They don't work.
- They heavily penalize your ideal audience, people that use real random password generators. Hey, guess what, that password randomly didn't have a number or symbol in it. I just double checked my math textbook, and yep, it's possible. I'm pretty sure.
- They frustrate average users, who then become uncooperative and use "creative" workarounds that make their passwords less secure.
- Are often wrong, in the sense that they are grossly incomplete and/or insane.
Seriously, for the love of God, stop with this arbitrary password rule nonsense already. If you won't take my word for it, read this 2016 NIST password rules recommendation. It's right there, "no composition rules". However, I do see one error, it should have said "no bullshit composition rules".
What do you think?

27 of 498 comments

  1. In your face Betteridge! by Anonymous Coward · · Score: 5, Insightful

    Yes.

    1. Re:In your face Betteridge! by Big+Hairy+Ian · · Score: 4, Interesting

      Just please stop the bank from asking for four letters from random positions in my password. This isn't more secure; you're just letting the world know that you can see my plaintext password, which is the last thing you should be doing.

      --

      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    2. Re:In your face Betteridge! by Anonymous Coward · · Score: 5, Informative

      you're just letting the world know that you can see my plain text password which is the last thing you should be doing.

      That's not necessarily true.

      When you set your password, they could extract various 4-character permutations, and store a salted hash of those characters along with their positions within the password.

      They're basically making a number of smaller passwords out of the alphabet you supplied via the characters in your password. Then they can salt, hash, and store these small passwords just like would be done for a full password. The plain text password is not stored.

      If they do this for, say, 20 permutations, and select one randomly each time you log in, you likely wouldn't be smart enough to see any pattern in the prompting. You'd wrongly think they're selecting the characters dynamically. Then you'd go off on Slashdot claiming that they're storing plain text passwords when they very well may not be, making yourself look like a silly goose.

    3. Re:In your face Betteridge! by skids · · Score: 4, Informative

      Things you should never use as a password:

      1) Your first pet's name
      2) The street you grew up on
      3) The model of your first car

      Things banks use for "security questions":

      see above.

    4. Re:In your face Betteridge! by Hognoxious · · Score: 4, Funny

      Why couldn't they hash & store each character separately - so it's effectively multiple short passwords?

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    5. Re:In your face Betteridge! by Oswald+McWeany · · Score: 5, Funny

      Things you should never use as a password:

      1) Your first pet's name
      2) The street you grew up on
      3) The model of your first car

      Things banks use for "security questions":

      see above.

      That why I always use Password123

      --
      "That's the way to do it" - Punch
    6. Re:In your face Betteridge! by SirSlud · · Score: 4, Interesting

      In the goal of increased security, it's exceedingly unlikely that a larger bank is storing anything password related in plain text. Banks are beyond that stuff these days. Procedures and software are audited, etc etc - nobody but mom and pop sites would be able to fly under the radar of the harm to reputation that would occur if it turned out that your bank passwords were being stored in plaintext.

      --
      "Old man yells at systemd"
  2. Don't know by slapout · · Score: 5, Insightful

    "Slashdot Asks: Are Password Rules Bullshit?"

    I don't know. But headlines with "Bullshit" and "?" are.

    --
    Coder's Stone: The programming language quick ref for iPad
    1. Re: Don't know by Maritz · · Score: 4, Insightful

      I bet you blame "indo-chimps" for your toast falling butter side down. Clearly an epic thinker here.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
  3. Customer Psychology by Nuitari+The+Wiz · · Score: 4, Interesting

    The problem now is that the bullshit rules are expected by customers. When we did our last major UX review, we didn't have those rules in place. Adding them made our customers overall feel more confident in our platform.

    1. Re:Customer Psychology by Ryanrule · · Score: 5, Funny

      Just use one of those weak/medium/strong meters. Pick a strength at random.

    2. Re:Customer Psychology by TWX · · Score: 4, Insightful

      I saw the exact opposite in the right situation.

      I was using an automobile forum that was apparently part of a much, much larger automobile forums company. The company got hacked and apparently their password database was compromised, so as a reaction they now required their users to have twelve character complex passwords, changed monthly. Because they, not the users, screwed up.

      I stopped bothering going to them. I am not going to put up with those kinds of password requirements to talk about skidplates and tires. They are not a bank, I have no financial connection with them, arguably even the password itself is not that important on that site, it's very unlikely that anyone is going to care to impersonate me as there simply is no benefit to doing so.

      --
      Do not look into laser with remaining eye.
  4. Of course you are right - but how to make it stop by ICantFindADecentNick · · Score: 5, Interesting

    It's "cargo cult" requirements. People are so used to the security theatre of the password rules that when they come to specify what their system should do they put in all of this stupidity. They don't actually read NIST guidelines. Maybe we should lobby for some kind of certification mark, and the people who assess it would have some clues.

  5. Let me see what I type by Shados · · Score: 5, Insightful

    Also, please for god's sake let me see what I type. I have 99% of my passwords in a password manager, but not all of them, and sometimes I'm on a different device where I don't feel like logging into it if I actually know the password. Sometimes it's the login of the machine itself, so unless I'm using a dongle for logging in, I'll have to type the password.

    If I can't see it, and god forbid we're on mobile, I'll have to make it significantly simpler to ensure I don't fat finger shit 19 times.

    That's especially true with devices. I already mentioned mobile, but game consoles, smart thermostats, and all the IoT bullshit (some are actually useful). They force me to type my password blindfolded on unfamiliar input devices. If my password is 25 characters, I'm going to make mistakes. Let me see them please.

    1. Re:Let me see what I type by JustAnotherOldGuy · · Score: 5, Insightful

      Also, please for god's sake let me see what I type.

      ^^^^ This this this.

      I use some long password phrases and I occasionally make a mistake when entering them. If I was able to see the characters I'd be able to correct my typo. This is especially annoying when using the craptastic user-hostile user interfaces on TVs where you have to dick around with the remote, slowly bumping along from letter to letter at a snail's pace.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    2. Re:Let me see what I type by freeze128 · · Score: 4, Funny

      Yes! I agree. Let him see his password as he types it. I'm standing over his shoulder....

  6. Obligatory XKCD by Anonymous Coward · · Score: 5, Informative
    1. Re:Obligatory XKCD by Rei · · Score: 4, Interesting

      I remain in disagreement that that is the best approach. It gives you needlessly large amounts of typing for little entropy. Acronym passwords are better - think of a sentence and a rule for turning it into a password (the simplest just being using the first letter or two letters of each word).

      Sentences are easier to remember than four random words, the resultant passwords are shorter, and while the search space can certainly be reduced by statistical means, it's not nearly as much as with four random words. I.e., if the last letters the person typed in were "stapl", what do you think the next letter is going to be?

      It's worth pointing out that XKCD's pretense that four random words are easy to memorize was based on them choosing four easy to memorize words. If I just have /usr/share/dict/words pull up random words for me, here's the first five passwords it comes up with:

      cytopharynx Gasperoni gastroplasty revolutionising
      reacidifying bosom-breathing sipers down-in-the-mouth
      text-writer clubbed midfields Shuqualak
      Malkite phthisiology BLM improbabilize
      weaves Whiggamore unspirally Exod

      Yeah, best of luck with that. By contrast, if I convert the previous sentence into an acronym password, I may get something like (depending on what rules I use):

      Y,bolwt.
      Yebeofluwith
      yEbE0FlUw1tH .... etc. Choose your own rules. But you won't forget "Yeah, best of luck with that"

      --
      The big brain am winning again! I am the greetist! Now I am leaving for no particular raisin!
    2. Re:Obligatory XKCD by Idarubicin · · Score: 4, Informative

      It's worth pointing out that XKCD's pretense that four random words are easy to memorize was based on them choosing four easy to memorize words. If I just have /usr/share/dict/words pull up random words for me, here's the first five passwords it comes up with:

      It's a good thing that XKCD's Munroe doesn't choose four random words from /usr/share/dict/words then, isn't it? The cartoon shows 11 bits of entropy associated with each word. That means a dictionary size of 2^11: about 2000 words. (In contrast, a typical /words file might have a hundred thousand entries. That's fifty-fold larger, so you get about 5.5 extra bits per word, but would indeed lead to the utterly useless output you've shown.)

      The General Service List contains the top 2000ish most-often used words in the English language. I used the version compiled in 1995 and found here, mostly because it was the first version I could grab online. Pulling random words from the first 2000 entries, the four words I got (on my first three passes) were:
      competition behave exact toward
      experiment miserable there lord
      spare page circle rabbit

      Right out of the box, it's not what I would call a disaster, though a few of the words are a bit cumbersome, length-wise. (For reference, your /usr/share/dict/words selection only contains one word - "weave" - from the GSL.) If you started from, say, the top 5000 words, you could probably cut it down to a 2000-word list where every entry was non-obscure, had between 4 and 8 letters (the average word in the GSL has a length of 5.8 letters), avoided difficult-to-spell words, and eliminated similar-sounding words.

      --
      ~Idarubicin
    3. Re:Obligatory XKCD by Drakonblayde · · Score: 4, Insightful

      You're missing part of the point of the XKCD. It's not just about choosing four random words, it's also about constructing a mnemonic to remember that password. That's what the image with the horse is all about.

      And it works.

      The day I read the XKCD, I changed my home domain password policy. I pulled out all the annoying requirements like must have upper case, special character, number, etc., and extended the length requirement to 20 characters. That's it. I then showed my family the xkcd and made sure they understood what I was after. They grumbled. The excuse I heard from every one of them was 'I suck at choosing passwords'. I helped them through that, and after they got used to it, they didn't grumble anymore. Sadly, I've had quite a bit more difficulty getting them to use password managers, though I hope that my dire threats of doom and revoked network access have made it clear that they don't use their home domain password for anything else.

      Professionally, I've tried to get my companies to see the light, but they remain stubborn and insist that the special character requirement is good enough, and about the only way I could disprove that would be to launch an attack to prove otherwise. Since that is likely to be a resume generating event, I have so far declined that option.

      I think the most irritating work password experience I had was when I started using long passwords, routinely over 20 characters.... until I ran into an internal app that, despite using Active Directory for authentication, restricted the password field to 12 characters. Apparently web developers don't understand the logic of 'if you're going to use AD, and AD accepts longer passwords, your app should too'. That's when I wrote my own damn app to mimic the same functionality.
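The disagreement above between acronym passwords and four random words is hard to settle for the acronym scheme, because its entropy depends on the sentence the user picks. For a word list it is just arithmetic: log2(list size) bits per word, so 2048 words give 44 bits for four words, and a 100,000-word list adds about 5.6 bits per word but produces the unusable output quoted earlier. The block below is an added example, not code from the thread; the word list in it is constructed for the demo and only its size matters (a real deployment would use a curated list such as the EFF long list). The length filter is Idarubicin's 4-to-8-letter suggestion, applied to that sample list.

```python
"""Added example (not from the thread): entropy of word-list passphrases,
and how list size and word filtering trade off against each other."""
import math
import secrets

# Constructed sample list for the demo. A real generator needs ~2000+ words;
# the arithmetic below depends only on len(list), so the small list is fine here.
SAMPLE_WORDS = [
    "competition", "behave", "exact", "toward", "experiment", "miserable",
    "there", "lord", "spare", "page", "circle", "rabbit", "weave", "horse",
    "battery", "staple", "correct", "window", "garden", "silver",
]


def entropy_bits(list_size, n_words):
    """Bits of entropy in n_words drawn uniformly, with replacement, from list_size.
    2048 words x 4 = 44 bits, which is the figure in the xkcd panel."""
    return n_words * math.log2(list_size)


def filter_wordlist(words, min_len=4, max_len=8):
    """Drop words that are painful to type or spell. The price is
    log2(len(kept) / len(words)) bits per word, which is small for a mild filter."""
    return [w for w in words if min_len <= len(w) <= max_len]


def passphrase(words, n_words=4, rng=secrets.SystemRandom()):
    """Uniform draw from the OS CSPRNG. random.choice() would be seeded from
    a small state and must not be used for this."""
    return " ".join(rng.choice(words) for _ in range(n_words))


def guesses_seconds(bits, guesses_per_second):
    """Expected seconds to find the passphrase offline: half the keyspace
    at the attacker's hash rate (the rate depends on the site's KDF)."""
    return (2 ** bits / 2) / guesses_per_second


if __name__ == "__main__":
    print(entropy_bits(2048, 4), "bits from a 2048-word list")
    print(entropy_bits(100000, 4) - entropy_bits(2048, 4), "extra bits from 100k words")
    print(passphrase(filter_wordlist(SAMPLE_WORDS)))
```

The numbers put the two comments on the same scale: moving from 2048 to 100,000 words buys roughly 22 bits over four words, which is less than adding two more words from the small list (22 bits) and costs far more in memorability.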

  7. Mysterious rules are worse by CryptDemon · · Score: 5, Insightful

    I don't mind too much the simple ones like must have a symbol, one uppercase, and a number and a minimum of x characters. Those are fine because I can click those buttons in KeePass to generate a password with or without those options.

    The ones that piss me off are ones that only allow/require a very small set of symbols, so I have to generate it and tweak it.

    The other big thing that makes me angry is when their password requirements are hidden. You just have to keep typing in passwords until their validator stops bitching at you. Why are these requirements not up front?!!

  8. 3 Tries? by jlf278 · · Score: 4, Interesting

    What confuses me the most about common practices is the small number of attempts many platforms allow before they lock your account. How did three tries become standard? I could understand if the password was an atm code, with 10k possibilities, but many of these platforms require fairly strong password to begin with. I often enter one or two incorrect passwords if I am not paying attention - caps lock, typo, num lock, etc. Is allowing 10 attempts really that much more of a vulnerability?
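On the "three tries" question: what limits online guessing is the total number of guesses an attacker gets per account, not a hard lockout after a tiny number, and a hard lockout is itself a denial-of-service lever against any username the attacker knows. NIST SP 800-63B caps consecutive failed attempts on one account at 100. The block below is an added example, not code from the thread or from any product: a per-account throttle that allows a larger budget but makes each failure progressively more expensive, plus the arithmetic for what the attacker actually gains from a few extra attempts. The in-memory state, the default numbers and the constant-rate assumption are all choices made for the demo.

```python
"""Added example (not from the thread): progressive backoff instead of a
3-strike lockout, and the arithmetic behind "is 10 attempts much worse".
State is kept in-process for the demo; a real service keeps it in a shared
store keyed by account, with a separate budget keyed by source address."""
import time


class LoginThrottle:
    def __init__(self, max_attempts=10, base_delay=1.0, lockout=900.0,
                 clock=time.monotonic):
        self.max_attempts = max_attempts   # failures before a full lockout
        self.base_delay = base_delay       # seconds after the first failure
        self.lockout = lockout             # seconds the final lockout lasts
        self.clock = clock                 # injectable for tests
        self._state = {}                   # account -> (failures, not_before)

    def allowed(self, account):
        """May a login attempt for this account be processed right now?"""
        failures, not_before = self._state.get(account, (0, 0.0))
        now = self.clock()
        if now < not_before:
            return False
        if failures >= self.max_attempts:
            # The lockout has expired: give the account a fresh budget.
            self._state.pop(account, None)
        return True

    def record(self, account, success):
        """Call after each password check. Delay doubles per failure
        (1s, 2s, 4s, ...) and the last permitted failure triggers the lockout."""
        if success:
            self._state.pop(account, None)
            return
        failures = self._state.get(account, (0, 0.0))[0] + 1
        if failures >= self.max_attempts:
            delay = self.lockout
        else:
            delay = min(self.base_delay * 2 ** (failures - 1), self.lockout)
        self._state[account] = (failures, self.clock() + delay)


def online_success_probability(attempts, keyspace_bits):
    """Chance that `attempts` uniformly random online guesses hit a password
    drawn from a keyspace of 2**keyspace_bits. For a 44-bit passphrase,
    3 vs 10 attempts is the difference between 2e-13 and 6e-13: both noise."""
    return attempts / 2 ** keyspace_bits


def attempts_per_year(max_attempts, lockout_seconds):
    """Upper bound on guesses an attacker gets against one account per year
    if every lockout is waited out (assumes a constant-rate attacker)."""
    return max_attempts * (365 * 86400 / lockout_seconds)


if __name__ == "__main__":
    t = LoginThrottle()
    t.record("alice", False)
    print(t.allowed("alice"))        # False: 1-second backoff in force
    print(online_success_probability(10, 44))
    print(attempts_per_year(10, 900))
```

The thing the budget does not protect against is an attacker spraying one common password across many accounts, which stays under every per-account limit; that is why the breach-corpus blocklist in the NIST guidance matters more than the lockout threshold.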

  9. Re:Think... by Cro+Magnon · · Score: 4, Insightful

    When my passwords get pwned, at least I can change them. When my biometrics get hacked? I'm SOL.

    --
    Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
  10. Re:Of course you are right - but how to make it st by MightyYar · · Score: 4, Funny

    Make sure the creases in your aluminum hat are sharp and at a 60 degree angle.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  11. Don't store multiple hashes! by Anonymous Coward · · Score: 5, Interesting
    Posting anonymously for obvious reasons.

    they could extract various 4-character permutations, and store a salted hash of those characters along with their positions within the password.

    The organisation I work for used to do exactly this. Then one day they decided that they would use a hardware password vault, with the ability to verify the password combinations. The problem was that to move to the vault we would either have to get access to the full password or get everyone to re-register. The business said to me "is there any way you can get the original password". My initial reaction was "no - it's hashes, the password isn't stored", but after a little thought I realised that the first 4 character combination was basically a 4-character password. A naive brute force could crack it in about 45 seconds. Optimizing simply so that it would try the most common letter combinations first reduced that to under 20.

    Having obtained the first four characters XXXX---- finding the subsequent ones XXX-X---, XXX--X-- and so on is sub-second, you only have to find one character each time using the appropriate hash. Cracking the whole customer list took just over 2 days.

    The current solution uses multiple passwords each of which is known to only one role of person, something in the hardware unit, a value put in the database by the DBAs, and a value set in a file by devops. We know that encrypting the password is not the most secure method but the reason that we use the "4 from n" is we see the risk as asymmetric; there is a much larger chance that the customer's PC will be compromised than our systems. Also over a certain limit we require two-factor authentication.
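The two comments together (the per-subset hashing scheme proposed in reply 1.2 and the crack described just above) are worth seeing end to end. The block below is an added example, not code from either poster or from any bank: it stores a salted hash per 4-position subset exactly as reply 1.2 describes, verifies a challenge the way a login page would, and then runs the attack from a copied database. The attack always picks the stored record with the fewest still-unknown positions, so only the first record costs a full 4-character search and every later one costs a single-character search. The password, the subset layout, the lowercase-only alphabet and the use of plain SHA-256 are all constructed for the demo.

```python
"""Added example (not from the thread): "4 characters from your password"
served from per-subset salted hashes, and why a copy of those hashes still
yields the full password. Everything below is constructed for the demo."""
import hashlib
import itertools
import os
import string

# Demo assumption: the site only accepts lowercase letters (26**4 = 456,976
# candidates for the first record). 62**4 is only 14.8M, still trivial.
ALPHABET = string.ascii_lowercase


def subset_hash(salt, positions, chars):
    """Salted hash of the characters at `positions`; the positions are part of
    the input so the same letters at other offsets hash differently."""
    return hashlib.sha256(salt + bytes(positions) + chars.encode()).hexdigest()


def register(password, subsets, salt=None):
    """What the server stores: one hash per 4-position subset, no password."""
    salt = salt if salt is not None else os.urandom(16)
    records = [(pos, subset_hash(salt, pos, "".join(password[p] for p in pos)))
               for pos in subsets]
    return salt, records


def verify(salt, records, positions, answer):
    """Login check for one challenge: hash the answer and compare."""
    return subset_hash(salt, positions, answer) == dict(records)[positions]


def crack(salt, records, length, alphabet=ALPHABET):
    """Offline attack on a copied table. Returns (password, hashes_computed)."""
    known, remaining, tried = {}, list(records), 0
    while remaining:
        # Greedy choice: the record with the fewest unknown positions.
        positions, digest = min(remaining, key=lambda r: sum(p not in known for p in r[0]))
        remaining.remove((positions, digest))
        slots = [i for i, p in enumerate(positions) if p not in known]
        if not slots:
            continue                       # nothing new to learn here
        unknown = [positions[i] for i in slots]
        template = [known.get(p) for p in positions]
        for guess in itertools.product(alphabet, repeat=len(slots)):
            tried += 1
            for i, c in zip(slots, guess):
                template[i] = c
            if subset_hash(salt, positions, "".join(template)) == digest:
                known.update(zip(unknown, guess))
                break
        else:
            return None, tried             # alphabet assumption was wrong
    if len(known) < length:
        return None, tried                 # subsets never covered some position
    return "".join(known[i] for i in range(length)), tried


# Constructed sample: a 9-letter password and overlapping subsets a bank might store.
PASSWORD = "ravenclaw"
SUBSETS = [(0, 1, 2, 3), (0, 1, 2, 4), (0, 1, 2, 5), (1, 3, 5, 6), (2, 4, 6, 7), (3, 5, 7, 8)]


def demo():
    salt, records = register(PASSWORD, SUBSETS)
    assert verify(salt, records, (0, 1, 2, 5), "ravc")      # the challenge works
    return crack(salt, records, len(PASSWORD))               # ... and so does the attack


if __name__ == "__main__":
    print(demo())
```

Switching the hash to bcrypt or Argon2 changes the constant, not the exponent: the first record is still 26^4 = 456,976 slow calls, which at 100 ms each is about half a day on one core, and every further character is 26 calls. The subset layout also matters: once any record's positions are all known, it contributes nothing, and a record that shares three positions with a known one leaks its fourth for 26 hashes, which is exactly the XXXX----, XXX-X--- progression described above.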

  12. Proven Yes. by DrYak · · Score: 5, Insightful

    Ok.. It depends.... Password rules, like anything, when used within reason CAN increase security.

    There has been some research which arrives at the conclusion that yes, indeed, password rules are actually bullshit for security.

    As mentioned in the summary, enforcing password rules will actually block provably safe passwords:
    - a base32 encoded 128-bit pure random number. It's mathematically provable to be secure (if done by a cryptography-grade true random number generator, it's 2^128 security, which is pretty good enough). But it's a 25 character long string of alphanumerics. So it's not mixed case, and doesn't contain punctuation, so it will be rejected by most stupid rules (also some rules have size specified as a range [9 to 16 characters], not a minimum [more than 8]. This will also reject a 25-long password).

    As shown in numerous presentations at conferences such as CCC:
    - even a complex rule set (mixed case, must contain numbers and punctuation, at least 9 characters long) will usually give results such as "Denver17!"
    which are a lot less secure because they follow a general pattern (the first letter is the single capital, numbers come at the end, punctuation is last and 9 out of 10 times it's a '!'). Most of these "rule abiding passwords" follow one of very few such patterns, and patterns are alarmingly easy to crack.

    As such, no matter what, rules are a bad idea.

    On the other hand, password managers with a generation function (like the above 128-bits equivalent password) are definitely a good idea.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
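The comment above makes the case in words; the block below is an added example (not code from the thread or from NIST) that runs both policies side by side. It generates the random token the comment describes, a 128-bit value from the OS CSPRNG in RFC 4648 base32 (5 bits per character, so 26 characters without padding, one more than the comment's 25), and checks it against a typical composition rule set and against an SP 800-63B-style policy that has length limits and a breach blocklist but no composition rules. The legacy rule set, the 64-character cap, the tiny blocklist and the search-space estimate for the "Denver17!" shape are all assumptions constructed for the demo.

```python
"""Added example (not from the thread): composition rules reject a 128-bit
random token and accept a 21-bit pattern; a NIST-style policy does the reverse."""
import base64
import math
import secrets
import string

SYMBOLS = set(string.punctuation)


def random_base32_password(nbytes=16):
    """128 bits from the OS CSPRNG as unpadded base32: 26 characters of A-Z and 2-7."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=")


def legacy_rules(pw):
    """Constructed "typical" rule set. Returns the violated rules (empty = accepted)."""
    violations = []
    if not 9 <= len(pw) <= 16:
        violations.append("length must be 9-16")
    if not any(c.isupper() for c in pw):
        violations.append("needs an uppercase letter")
    if not any(c.islower() for c in pw):
        violations.append("needs a lowercase letter")
    if not any(c.isdigit() for c in pw):
        violations.append("needs a digit")
    if not any(c in SYMBOLS for c in pw):
        violations.append("needs a symbol")
    return violations


# Constructed blocklist; a real one is a breach corpus of hundreds of millions of entries.
BREACHED = {"password", "password123", "qwerty", "letmein", "123456"}


def nist_rules(pw, blocklist=BREACHED):
    """SP 800-63B style: minimum 8, allow at least 64, any printable character,
    reject values known from breaches, and nothing else. The 64 cap is the demo's choice."""
    violations = []
    if len(pw) < 8:
        violations.append("shorter than 8 characters")
    if len(pw) > 64:
        violations.append("longer than 64 characters")
    if pw.lower() in blocklist:
        violations.append("appears in breach corpus")
    return violations


def pattern_guess_bits(words=20000, numbers=100, symbols=1):
    """Rough constructed estimate of the search space for the "Denver17!" shape:
    one capitalised dictionary word, two digits, one trailing '!'."""
    return math.log2(words * numbers * symbols)


if __name__ == "__main__":
    token = random_base32_password()
    print(token, legacy_rules(token), nist_rules(token))
    print("Denver17!", legacy_rules("Denver17!"), nist_rules("Denver17!"))
    print("pattern keyspace ~", round(pattern_guess_bits()), "bits vs 128 for the token")
```

The legacy checker rejects the token on length alone and again for having no lowercase letter or symbol, while "Denver17!" sails through with a search space of roughly 2^21 under the demo's estimate. The NIST-style policy accepts both; its defence against the pattern is the blocklist, which only works if it is fed a real breach corpus rather than the five entries here.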
  13. Re:Think... by rilister · · Score: 4, Interesting

    Ditto those stupid 'KBA' (knowledge-based authentication) questions, which are even worse:
    1. Who on God's earth thinks asking "What was the make of your first car?" is remotely secure? Ford, Honda and Toyota together make up over 30% of all the cars on the roads!
    2. Once a database on these is cracked/leaked/left-in-a-public-restroom I can never change "the first concert I went to", making that answer insecure for the rest of my life, but I'll probably never know that.
    3. I find myself looking down the options going: well, none of these apply. I don't have a favorite baseball team. I didn't have a nickname when I was a kid. I don't want to give you gobs of biographical information. I guess I'll have to make something up, and then forget it.

    None of the security of biometrics, with all the irrevocability. I can't figure out why these were ever thought to be a good idea.

    --
    'This writing business. Pencils and what-not. Over-rated if you ask me. Silly stuff. Nothing in it' - Eeyore