Slashdot Asks: Are Password Rules Bullshit? (codinghorror.com)

Here's what Jeff Atwood, a founder of Stack Overflow, thinks: Password rules are bullshit. They don't work.
They heavily penalize your ideal audience, people that use real random password generators. Hey, guess what, that password randomly didn't have a number or symbol in it. I just double checked my math textbook, and yep, it's possible. I'm pretty sure.
They frustrate average users, who then become uncooperative and use "creative" workarounds that make their passwords less secure.
Are often wrong, in the sense that they are grossly incomplete and/or insane.
Seriously, for the love of God, stop with this arbitrary password rule nonsense already. If you won't take my word for it, read this 2016 NIST password rules recommendation. It's right there, "no composition rules". However, I do see one error, it should have said "no bullshit composition rules".
What do you think?

12 of 498 comments

  1. In your face Betteridge! by Anonymous Coward · · Score: 5, Insightful

    Yes.

    1. Re:In your face Betteridge! by Anonymous Coward · · Score: 5, Informative

      you're just letting the world know that you can see my plain text password which is the last thing you should be doing.

      That's not necessarily true.

      When you set your password, they could extract various 4-character permutations, and store a salted hash of those characters along with their positions within the password.

      They're basically making a number of smaller passwords out of the alphabet you supplied via the characters in your password. Then they can salt, hash, and store these small passwords just like would be done for a full password. The plain text password is not stored.

      If they do this for, say, 20 permutations, and select one randomly each time you log in, you likely wouldn't be smart enough to see any pattern in the prompting. You'd wrongly think they're selecting the characters dynamically. Then you'd go off on Slashdot claiming that they're storing plain text passwords when they very well may not be, making yourself look like a silly goose.

    2. Re:In your face Betteridge! by Oswald+McWeany · · Score: 5, Funny

      Things you should never use as a password:

      1) Your first pet's name
      2) The street you grew up on
      3) The model of your first car

      Things banks use for "security questions":

      see above.

      That's why I always use Password123

      --
      "That's the way to do it" - Punch
  2. Don't know by slapout · · Score: 5, Insightful

    "Slashdot Asks: Are Password Rules Bullshit?"

    I don't know. But headlines with "Bullshit" and "?" are.

    --
    Coder's Stone: The programming language quick ref for iPad
  3. Of course you are right - but how to make it stop by ICantFindADecentNick · · Score: 5, Interesting

    It's "cargo cult" requirements. People are so used to the security theatre of the password rules that when they come to specify what their system should do they put in all of this stupidity. They don't actually read NIST guidelines. Maybe we should lobby for some kind of certification mark - and the people who assess it would have some clues.

  4. Let me see what I type by Shados · · Score: 5, Insightful

    Also, please for god's sake let me see what I type. I have 99% of my passwords in a password manager, but not all of them, and sometimes I'm on a different device where I don't feel like logging into it if I actually know the password. Sometimes it's the login of the machine itself, so unless I'm using a dongle for logging in, I'll have to type the password.

    If I can't see it, and god forbid we're on mobile, I'll have to make it significantly simpler to ensure I don't fat finger shit 19 times.

    That's especially true with devices. I already mentioned mobile, but game consoles, smart thermostats, and all the IoT bullshit (some are actually useful). They force me to type my password blindfolded on unfamiliar input devices. If my password is 25 characters, I'm going to make mistakes. Let me see them please.

    1. Re:Let me see what I type by JustAnotherOldGuy · · Score: 5, Insightful

      Also, please for god's sake let me see what I type.

      ^^^^ This this this.

      I use some long password phrases and I occasionally make a mistake when entering them. If I was able to see the characters I'd be able to correct my typo. This is especially annoying when using the craptastic user-hostile user interfaces on TVs where you have to dick around with the remote, slowly bumping along from letter to letter at a snail's pace.

      --
      Just cruising through this digital world at 33 1/3 rpm...
  5. Obligatory XKCD by Anonymous Coward · · Score: 5, Informative
  6. Mysterious rules are worse by CryptDemon · · Score: 5, Insightful

    I don't mind too much the simple ones like must have a symbol, one uppercase, and a number and a minimum of x characters. Those are fine because I can click those buttons in Keepass to generate a password with or without those options.

    The ones that piss me off are ones that only allow/require a very small set of symbols, so I have to generate it and tweak it.

    The other big thing that makes me angry is when their password requirements are hidden. You just have to keep typing in passwords until their validator stops bitching at you. Why are these requirements not up front?!!

  7. Re:Customer Psychology by Ryanrule · · Score: 5, Funny

    Just use one of those weak/medium/strong meters. Pick a strength at random.

  8. Don't store multiple hashes! by Anonymous Coward · · Score: 5, Interesting
    Posting anonymously for obvious reasons.

    they could extract various 4-character permutations, and store a salted hash of those characters along with their positions within the password.

    The organisation I work for used to do exactly this. Then one day they decided that they would use a hardware password vault, with the ability to verify the password combinations. The problem was that to move to the vault we would either have to get access to the full password or get everyone to re-register. The business said to me "is there any way you can get the original password". My initial reaction was "no - it's hashes, the password isn't stored", but after a little thought I realised that the first 4-character combination was basically a 4-character password. A naive brute force could crack it in about 45 seconds. Optimizing simply so that it would try the most common letter combinations first reduced that to under 20.

    Having obtained the first four characters XXXX---- finding the subsequent ones XXX-X---, XXX--X-- and so on is sub-second; you only have to find one character each time using the appropriate hash. Cracking the whole customer list took just over 2 days.

    The current solution uses multiple passwords, each of which is known to only one role of person: something in the hardware unit, a value put in the database by the DBAs, and a value set in a file by devops. We know that encrypting the password is not the most secure method, but the reason that we use the "4 from n" is we see the risk as asymmetric; there is a much larger chance that the customer's PC will be compromised than our systems. Also, over a certain limit we require two-factor authentication.
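The partial-password scheme sketched in the reply to comment 1 (store salted hashes of several 4-position fragments, prompt for one at random) and the work-factor argument in comment 8 (one fragment, then one character at a time) as an added example, not code from Slashdot or from any poster's organisation. `enroll`, `pick_challenge`, `verify` and `offline_guess_bound` are hypothetical names; the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor per stored fragment hash (assumed)

def enroll(password, n_subsets=20, k=4, rng=None):
    """Store, for n_subsets random k-position subsets of the password, the
    positions plus a salted hash of just those characters. No plaintext is
    kept, which is the point the reply to comment 1 makes."""
    rng = rng or secrets.SystemRandom()
    records = []
    for _ in range(n_subsets):
        positions = sorted(rng.sample(range(len(password)), k))
        salt = os.urandom(16)
        fragment = "".join(password[i] for i in positions).encode()
        digest = hashlib.pbkdf2_hmac("sha256", fragment, salt, ITERATIONS)
        records.append({"positions": positions, "salt": salt, "digest": digest})
    return records

def pick_challenge(records, rng=None):
    """Choose which stored subset the user is prompted for at this login."""
    rng = rng or secrets.SystemRandom()
    return rng.randrange(len(records))

def verify(records, index, typed_chars):
    """Check the characters typed for the challenged positions."""
    rec = records[index]
    digest = hashlib.pbkdf2_hmac("sha256", typed_chars.encode(), rec["salt"], ITERATIONS)
    return hmac.compare_digest(digest, rec["digest"])

def offline_guess_bound(alphabet_size, password_len, k=4):
    """Upper bound on guesses for someone holding the records table, following
    comment 8's argument: exhaust one k-character fragment, then extend one
    character per step using fragments that overlap the known positions
    (assumes such overlapping fragments exist, likely with many subsets).
    Returned next to the guess space of the whole password for comparison."""
    fragment_space = alphabet_size ** k
    extension_guesses = (password_len - k) * alphabet_size
    full_space = alphabet_size ** password_len
    return fragment_space + extension_guesses, full_space
```

For a lowercase 8-character password the bound is about 4.6e5 guesses against 2.1e11 for the full password, which is why comment 8 treats the fragment table as roughly a 4-character secret.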

  9. Proven Yes. by DrYak · · Score: 5, Insightful

    Ok.. It depends.... Password rules, like anything, when used within reason CAN increase security.

    There has been some research which arrives at the conclusion that yes, indeed, password rules are actually bullshit for security.

    As mentioned in the summary, enforcing password rules will actually block provably safe passwords:
    - a base32 encoded 128-bit pure random number. It's mathematically provable to be secure (if done by a cryptography-grade true random number generator, it's 2^128 security, which is pretty good enough). But it's a 25 character long string of alphanumerics. So it's not mixed case, and doesn't contain punctuation, so it will be rejected by most stupid rules (also some rules have size specified as a range [9 to 16 characters], not a minimum [more than 8]. This will also reject a 25-long password).

    As shown in numerous presentations at conferences such as CCC:
    - even a complex rule set (mixed case, must contain numbers and punctuation, at least 9 characters long) will usually give results such as "Denver17!"
    Which are a lot less secure because they follow a general pattern (the first letter is the single capitalized one, numbers come at the end, punctuation is last and 9 out of 10 times it's a '!'). Most of these "rule-abiding passwords" follow one of very few such patterns, and patterns are alarmingly easy to crack.

    As such, no matter what, rules are a bad idea.

    On the other hand, password managers with a generation function (like the above 128-bits equivalent password) are definitely a good idea.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
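Comment 9's two cases side by side, as an added example that is not part of the thread: a base32-encoded 128-bit random password, a typical composition policy of the kind that rejects it, the length-only alternative, and a check for the "Denver17!" shape that the policy happily accepts. Function names and the exact rule set are assumptions.

```python
import base64
import math
import re
import secrets

def random_base32_password(nbits=128):
    """Base32 of a 128-bit CSPRNG value: 26 characters of A-Z and 2-7 once
    the '=' padding is stripped (the generator-style password in comment 9)."""
    raw = secrets.token_bytes(nbits // 8)
    return base64.b32encode(raw).decode().rstrip("=")

def entropy_bits(alphabet_size, length):
    """Guessing entropy of a uniformly random string over the alphabet."""
    return length * math.log2(alphabet_size)

def passes_composition_rules(pw):
    """A typical 'strong password' policy (assumed): 9-16 characters with at
    least one uppercase, one lowercase, one digit and one punctuation char."""
    return (9 <= len(pw) <= 16
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)

def passes_length_only(pw, minimum=8):
    """The 'no composition rules' alternative: only a minimum length."""
    return len(pw) >= minimum

# Shape of the rule-satisfying but predictable passwords comment 9 describes:
# one capitalized word, digits at the end, optional trailing punctuation.
FORMULAIC = re.compile(r"^[A-Z][a-z]+[0-9]{1,4}[!?.]?$")

def looks_formulaic(pw):
    """True when a password follows that pattern despite passing the rules."""
    return FORMULAIC.match(pw) is not None
```

The base32 password never contains lowercase or punctuation, so the composition policy rejects it every time while accepting "Denver17!"; the length-only check accepts both, and the pattern check is what separates them.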