The worst part of password rules is that every site has its own.
One requires a symbol, another doesn't allow symbols. A third requires 12 characters, a fourth only allows 8.
And they only tell you the rules when you're creating a password. They could at least remind us of the rules so we could remember how we had to mangle the password to match.
Or sites that require at least one symbol, but then mysteriously disallow a handful of common symbols (e.g. I used a site the other day where exclamation points were not allowed). Makes password generators like 1Password's useless about half the time, since 1Password rightly will pick from all (most?) common symbols on a standard US keyboard.
And of course, why would the site tell the user of its obscure symbol requirements before the user tries to enter their brand new password? No, I guess they think it's better to leave it at "a symbol is required" and then reject symbols users use one-by-one.
What's the worst is when they tell you the rules when you try to reset the password, and then you know what your password probably was, but a) they won't cancel the password change process, and b) they won't let you reuse the old password.
I'm not sure this is a bad thing. You should have a different password for each site anyway, so the fact that it disrupts your ability to reuse passwords is an accidental pseudo-feature.
If you include 1 uppercase, 1 lowercase, 1 number and have at least 8 characters, you should meet the password complexity requirements of most servers.
Apple iTunes/Apple ID pwd rules are really annoying.
Microsoft online services (Office365/Outlook.com/etc.), still based on the decades-old 1997 Hotmail login system, which is archaic, have an upper limit of 8 (or so) chars.
Aren't these the correct quotation marks? " means inch or seconds and is only used because most keyboard layouts make it hard to type the correct quotation marks.
I distinctly recall seeing somebody post a comment a few years ago -- I think it was here on HN, though I'm not sure -- to the effect that they had used a line from an obscure poem in Afrikaans as a password, and it was cracked. -- Oh! HN Search comes through for me: here's a recent HN comment [0] by someone who also recalled it, with a link to the original [1].
I referenced this article today at work involving a discussion about password security, 2FA and actual customer experience.
Tonight I was dealing with Wells Fargo for a password reset. They have a max of 14 characters and a generally awful interface. I took screenshots of the process to use as a guide of things to avoid.
I had an idea for a website password system: instead of letting the user set a password, you just give them one. Prevents password reuse, which is the only thing that ever really commonly gets anyone's account hijacked in my opinion.
Doesn't even have to be strong, could be one word from the top 10k English words. Require reset after 5 failed attempts.
Would there be anything wrong with this approach (besides being sort of user-hostile), or have I misunderstood the website account security threat model?
A 1 in 2000 chance of correctly guessing someone's password could lead to lots of attempts which at best would cause lots of password resets and at worst cause lots of compromised accounts.
Yes. Using diceware (with actual dice) is still the most reliable way for a normal person to create a strong password. Use diceware. Ignore this guy's bad advice.
Our university forces us to change the password every 150 days. It is such a pain in the s, because there are too many apps on too many devices that need to update the password. I asked the IT department: can you guys consider stopping this and finding an alternative security policy? The answer is no, because this security policy is in the state law.
If you're really hellbent on it, you can probably tell the IT department they are full of shit and ask for the citation to the state code number - I am no state code scholar, but I have never heard of anything like this. In the NW States I am familiar with I could not find a single code section that even remotely touched on passwords at state schools. It would be an odd thing to legislate. Some states are goofy though.
Duh. Obviously. And not like it's secure either. The worst part is some sites ask you to change your password every month/3 months/etc. That kinda sucks.
Kelvin is not expressed in degrees; it's just "Kelvin". Now to really throw people for a loop, tell them to do it in degrees Rankine (even fewer people know what that is).
Have his rules even been proven to be right? There's that famous xkcd comic about passwords and password strength checkers like https://howsecureismypassword.net that seem to imply otherwise. Short passwords with symbols seem easier to crack than longer ones with words put together a human could remember.
The rules, if used properly, work perfectly. But using them properly is burdensome, which means most people get lazy and the result is insecure passwords.
There are about 95 letters, numbers, and punctuation marks and symbols. If you choose a 12 character random password, it's uncrackable by brute force. The problem is, few people want to choose and remember a 12 character random password, and fewer will do that for each of the dozens of passwords they must use, so they choose insecure, non-random passwords.
Right about what, specifically? Being random is good. Being short wasn't part of the rules. Rotation is pretty bad. And words don't fix the core problem of making a good password because people love picking non-random words.
In general, every two random characters is worth as much as one random word. I personally find it as easy to remember three random characters as a word, so I get better mileage out of random characters.
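To put numbers on the claims made in this thread (one word from the top 10k with a reset after 5 failed attempts, 12 random characters from 95 printable symbols, and two random characters being worth one random word), here is a small entropy and guessing-odds calculator. It is an added example, not code posted in the thread; the 7776-word list size is the standard diceware list, and the 10^12 guesses/second rate is an assumed offline-cracking figure, not a value from the thread.

```python
import math

PRINTABLE_ASCII = 95        # letters, digits, punctuation and symbols (as in the thread)
DICEWARE_WORDS = 7776       # 6^5 entries in the standard diceware list
TOP_ENGLISH_WORDS = 10_000  # the "top 10k English words" proposal
ASSUMED_GUESSES_PER_SEC = 1e12  # assumed offline cracking rate, not from the thread


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random secret of `length` symbols from an alphabet."""
    return length * math.log2(alphabet_size)


def guess_probability(candidates: int, attempts: int) -> float:
    """Chance of hitting a uniformly random secret from `candidates` within
    `attempts` distinct online guesses (i.e. before a lockout/reset triggers)."""
    return min(attempts, candidates) / candidates


def expected_compromises(users: int, candidates: int, attempts: int) -> float:
    """Expected number of accounts an attacker opens by spraying `attempts`
    guesses at each of `users` accounts under the same policy."""
    return users * guess_probability(candidates, attempts)


def years_to_exhaust(bits: float, guesses_per_sec: float = ASSUMED_GUESSES_PER_SEC) -> float:
    """Years to try every secret of the given entropy at a fixed offline rate."""
    return (2.0 ** bits) / guesses_per_sec / (365.25 * 24 * 3600)


def compare_policies() -> dict:
    """Entropy in bits for the password shapes discussed in the thread."""
    return {
        "12 random printable chars": entropy_bits(PRINTABLE_ASCII, 12),
        "2 random printable chars": entropy_bits(PRINTABLE_ASCII, 2),
        "1 diceware word": entropy_bits(DICEWARE_WORDS, 1),
        "6 diceware words": entropy_bits(DICEWARE_WORDS, 6),
        "1 word from top 10k": entropy_bits(TOP_ENGLISH_WORDS, 1),
    }


if __name__ == "__main__":
    for name, bits in compare_policies().items():
        print(f"{name:28s} {bits:6.1f} bits  "
              f"({years_to_exhaust(bits):.3g} years to exhaust at 1e12/s)")
    # The one-word, five-attempt scheme: odds per account and fleet-wide impact.
    print("per-account guess odds:", guess_probability(TOP_ENGLISH_WORDS, 5))
    print("expected compromises across 1M users:",
          expected_compromises(1_000_000, TOP_ENGLISH_WORDS, 5))
```

The two-character figure (about 13.1 bits) lands right next to one diceware word (about 12.9 bits), while the one-word scheme gives each attacker exactly the 1-in-2000 per-account odds quoted above, which scales to hundreds of expected takeovers against a large user base.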
https://github.com/duffn/dumb-password-rules
[0] https://news.ycombinator.com/item?id=14781311
[1] https://www.reddit.com/r/Bitcoin/comments/1ptuf3/brain_walle...
http://world.std.com/~reinhold/diceware.html
edit: for those who down-voted, one of the most famous comedians in the US at the moment is also named Bill Burr.