[HN Gopher] I hate password rules
___________________________________________________________________
I hate password rules
Author : CapitalistCartr
Score : 343 points
Date : 2021-11-16 12:03 UTC (10 hours ago)
(HTM) web link (www.schneier.com)
(TXT) w3m dump (www.schneier.com)
| bsuvc wrote:
| A few years back, not too long ago, I started working on a new
| contract assignment at a medium size aerospace manufacturer.
|
| I show up and check in with IT department. The system
| administrator shows me to my desk, and hands me a post it note
| with my password. Well pass phrase is more like it. It was
| something like "sliding down the tall building".
|
| I was quite impressed that they encouraged the use of long pass
| phrases instead of short cryptic passwords that are hard to
| remember (think "correct horse battery staple"). This place
| really is serious about security, I thought.
|
| I thanked the system admin and casually said "I'll be sure to
| change this to an equally secure pass phrase".
|
| "Oh no," he said, "we don't allow people to change their
| passwords here. You see, we need to be able to log into anyone's
| computer if they go on vacation or are out of the office, so we
| keep an Excel worksheet with everyone's username and password. So
| please don't change your password."
|
| He turns and walks away, and I just sit there stunned, wondering
| if this was some kind of practical joke.
|
| Sadly he was completely serious. I kept the password they gave me
| for the 3 months I was there, as I was asked to do, knowing that
| at any time someone could log in as me and do something illegal
| or unethical. It really did give me a bit of anxiety.
| tenebrisalietum wrote:
| Well, was the Excel spreadsheet accessible to everyone? If not,
| this model could work in some strange way - if someone needs
| access to your computer, they are provided the password, then
| it is changed and you and password custodian now have a
| password not known by everyone else.
|
| One side effect of this is that if you know someone else has
| the password, you're probably very unlikely to do any personal
| business on that machine.
| er4hn wrote:
| On the plus side, it also gave you plausible deniability it
| really was you if you wanted to do something illegal or
| unethical.
| lmilcin wrote:
| A few years back, on day 1 of my new job I was given root
| access to one of the development boxes.
|
| So I ask: "Okay, how do I log in?"
|
| The IT guy: "What do you mean, you just log in using your
| personal domain account and then sudo su -. You know what sudo
| is?" (followed by loud sigh)
|
| Me: "You mean like production domain, same that we use for our
| desktop?"
|
| IT guy: "Of course! What do you mean, what other domain would
| you like?"
|
| Me: "Can I at least change my password to something else just
| for the dev environment? Can I log in with SSH key?"
|
| IT guy: "No, no, no. Per our _SECURITY_ policy, SSH keys are
| disabled and you have to use our domain login and password ".
| (another sigh... of course)
|
| Me: "Are you aware that when somebody has root access to the
| box they can do whatever they want including intercepting
| passwords of all users that log in to that box? In this case,
| every single developer that ever needs access to dev
| environment?"
|
| IT guy: "That's not true. SSH is encrypted protocol and it is
| not possible to access passwords".
|
| Me: after many tries to explain this to various people from IT,
| I gave up and set out to intercept all passwords of all IT
| employees. After I had passwords of almost everybody, I put
| them all in an excel and sent to IT for "verification".
|
| There were a lot of angry people that day wanting me fired...
| fortunately they came to their senses.
|
| Unfortunately, my development box access privileges were
| revoked.
| 8ytecoder wrote:
| I once decided to show the vulnerability of SMTP protocol by
| sending an email as a higher-up. (Too young, too naive, don't
| ask why I did that.) Created a massive firestorm. I did
| successfully convert them to use SPF and DKIM and showed
| everyone the need to never trust an email. Some even adopted
| PGP signatures after that.
| duped wrote:
| > There you go, giving a fuck when it wasn't your turn to
| > give a fuck.
| >
| > - Bunk
| lmilcin wrote:
| "The standard you walk past is the standard you accept."
| jaywalk wrote:
| This level of negligence should be criminal.
| throwawaygh wrote:
| The software industry is full of should-be-criminal forms of
| negligence.
|
| Things are already horrendously bad. Basically every
| American's identity could be stolen at this point. If any nation
| state or other actor decided to operationalize any of the big
| leaks -- eg OPM or EquiFax -- the ramifications would be
| catastrophic. Imagine millions of people losing their
| retirement accounts and all their savings. Even if you could
| correct everything -- and that's a big if -- the process
| might take years and the intervening panic would be
| deafening. The amount of anger might even elicit a hot
| response.
|
| To say nothing of more serious vulnerabilities. We really
| dodged a bullet on the pipeline ransomware.
|
| I'm morbidly curious how bad of a "Cyber 9/11" we'll need
| before software starts being taken seriously as an
| engineering field in which practitioners have professional
| responsibility.
| ixacto wrote:
| So you're saying that is a gigantic target for China and
| Russia to go after lol. It would mean some change for the
| which might not be bad but that's kinda like arguing for
| terrorism, which would be illegal and actually have
| enforcement behind it.
| rudian wrote:
| My internet-first bank's passwords are limited to 8 characters.
| I'd take password rules over this idiocy any day. I reported it
| maybe 5 years ago and of course radio silence. I bet they
| plaintext it.
|
| Oh and of course I also have literally 4 different digit-based
| pins to do operations.
| thecodrr wrote:
| Disclosure: I am the co-founder (https://notesnook.com)
|
| We used to ask our users 90% of the standard password
| requirements (min length 8, 1 special character, 1 digit, 1
| capital etc). The result was a lot of people forgetting their
| password and having a really bad first impression. We were
| following "best practices" but the user didn't care.
|
| In the end, we took out all the requirements except one: password
| must be 8 characters long. While we knew this wasn't recommended,
| especially for a private note taking app, it was a necessary
| choice because a lot of people either just modified their old
| passwords or used new ones which they forgot and got locked out.
| Good security but...if you also get locked out, what's the point?
| As for people who used password managers, it doesn't matter
| either way.
|
| A lot of people sign up just to try out the app. Nothing serious.
| Nothing too critical. If they get locked out after their first
| usage, it's goodbye from them. I think there are a few things
| apps can do to improve security without annoying the user too
| much:
|
| 1. Show user a notice inside the app if the password is below a
| certain strength threshold, recommending them to change it.
|
| 2. If the password is reused or compromised, show a permanent
| warning either on startup or somewhere noticeable inside the app.
|
| 3. Promote use of password managers during sign up (and other
| places)
|
| Ultimately, it should be up to the user to decide if they really
| want to change their password or risk having their account
| compromised.
|
| None of these are tested though so I am not sure what the UX
| would be...
| bsid wrote:
| you really need a way for people to get in if they forgot their
| password...
| beardyw wrote:
| Well I suppose this is trying to avoid people using obvious
| passwords but I'm not even sure it works. At least password
| rotation ( = xxx1, xxx2 etc) has gone out of favour.
|
| Ideally we need AI to say "No! Not your wife's birthday!".
| falcolas wrote:
| > At least password rotation ( = xxx1, xxx2 etc) has gone out
| of favour.
|
| Not everywhere. Some contracts our org is engaged with
| specify yearly password rotations for our single sign on
| system. Now guess how many folks rotate their passwords.
| GoblinSlayer wrote:
| And what 16 characters limit is trying to do?
| inetknght wrote:
| A hashed (and for correctness, salted) password will always
| have the same number of characters output from the hash
| whether the input password has one, ten, sixteen, hundred, or
| million characters.
|
| Character limits are a symptom that the company wants to
| store some form of the password that hasn't been correctly
| and securely hashed.
| handrous wrote:
| They can be a defense against DOS vectors, too. Though if
| that's the only reason, you can usually make the limit high
| enough that almost no actual person will ever hit it.
| Tagbert wrote:
| If your company accepts credit card transactions you have to
| comply with certification rules that require frequent password
| resets. That comes with a volume discount on post-its
| globular-toast wrote:
| The worst one I've experienced recently is HSBC's online banking.
| It requires you to set up a 6-10 digit PIN number on the phone
| and tells you that you must memorise it, not write it down. Yeah
| right. Like I'm going to commit a 6 digit number to memory while
| on the phone. This is one where I bet at least half of logins are
| the "forgot my password" type (the other half probably wrote it
| down).
| latchkey wrote:
| Instead of requiring people to have special password rules, we
| should require people to use a password manager.
|
| Then, if you have special password rules, the manager could
| generate a strong password that fits into the defined rules.
|
| Of course, getting rid of passwords entirely, is the best option
| (ie: using a decentralized sso solution).
| postalrat wrote:
| Why require a password manager when you could require a
| hardware token instead.
| latchkey wrote:
| I'll let you explain that to my 90 year old grandma.
|
| (not that a password manager is really any better in this
| case)
| Symbiote wrote:
| Would it be that difficult?
|
| Leave a small one connected to her computer (I assume she
| always uses the same one). The web browser prompts "Now
| touch your security key", and the light is flashing.
|
| It's also a good defence against phishing, as the key won't
| authenticate against a phishing site.
| tzs wrote:
| Personally, because I do not want a repeat of the great
| toilet paper escalation of 1984.
|
| I used to buy toilet paper in individual rolls. I'd buy a
| couple rolls, and when I was on the last roll I'd make a
| mental note to myself to buy a couple more rolls next time I
| went grocery shopping.
|
| One day, when I was on my last roll, I ate some bad fast food
| which left my digestive system in a state that one roll was
| not sufficient to handle. With much effort I was able to
| regain sufficient control for a very hasty trip to the
| convenience store.
|
| From then on, I bought my TP in four packs, and put "get more
| TP" on my list whenever I had finished two rolls from the
| current pack.
|
| Alas, another bad fast food experience managed to defeat even
| that, although I was again able to barely make an emergency
| trip to the store safely.
|
| So I upped it to buying two 4 packs--but it was too late. I
| felt nervous even with 8 rolls on hand, so I started making
| sure I had 12 rolls all the time. Then as soon as I opened a
| pack I'd get an urge to buy more TP.
|
| Every trip to the store I'd buy some TP.
|
| It took some effort but I managed to realize I had gone off
| the deep end and bring myself back to more normal TP
| acquisition habits.
|
| I'm afraid that if I get a hardware token and a backup
| token, the first time something happens to the main token
| I'll end up going down that same path I did with TP and end
| up with a couple dozen tokens.
| wruza wrote:
| Well, that was quite a story. Have you considered water-
| washing? Not that it seemed possible to draw an analogy
| with hw tokens, but still.
|
| Another way to handle these rare events is to have an
| emergency-only 12-pack and then go with your regular
| couple-of-rolls mode.
| Tagbert wrote:
| How do I use that on my phone?
| lxgr wrote:
| If it's running a reasonably modern version of iOS or
| Android, it has one built in.
| Someone1234 wrote:
| One costs money and requires a physical item, the other is
| commonly free, and you can sign in from multiple
| locations/devices.
|
| Hardware tokens have only managed to prove that hardware
| tokens won't ever take off due to their inherent limitations
| and liabilities.
| postalrat wrote:
| Make them required, they will take off. Most phones made in
| the past few years can operate as one.
| fsflover wrote:
| > Most phones
|
| Are you going to force people to use specific
| smartphones?
| lxgr wrote:
| How many smartphones these days are not running iOS or
| Android?
|
| Even then, nothing keeps the vendors of alternative
| smartphone OSes from implementing a FIDO platform
| authenticator.
| fsflover wrote:
| > How many smartphones these days are not running iOS or
| Android?
|
| Those that fight the duopoly and allow user freedom:
| Librem 5 and Pinephone.
|
| I really hope that it could use an open standard. Then,
| it's probably fine.
| lxgr wrote:
| FIDO is an open standard!
|
| https://fidoalliance.org/fido2/
|
| Nothing is preventing either OS from implementing it,
| either as a platform authenticator or via NFC, USB or
| Bluetooth support for external authenticators.
| wruza wrote:
| Do you mean like via NFC? That would be great, are there
| viable solutions for windows/etc?
| pdonis wrote:
| _> we should require people to use a password manager._
|
| And how could this possibly be checked except by allowing any
| random website that wants to use passwords to pwn my computer?
| fsflover wrote:
| > we should require people to use a password manager.
|
| What if I am storing my passwords in clear text in a Qubes OS
| [0] virtual machine with no network?
|
| [0] https://qubes-os.org
| latchkey wrote:
| I'm curious how you get your password from there and into a
| form on a website.
| fsflover wrote:
| With secure inter-vm copy-pasting:
| https://www.qubes-os.org/doc/how-to-copy-and-paste-text/
| brumm wrote:
| not a password rule but: i use a password length of > 40
| characters because why not? signing up for paypal worked with
| that no problemo until i had to sign in again and the login input
| ignored everything north of 20 characters or so. It worked after
| removing the maxlength attribute :(
| mojuba wrote:
| An HTML input field can give your password generator a hint,
| right? Never looked at it closely but had the impression e.g.
| Safari's generator could adapt to certain rules and that they
| were somehow described in the HTML.
| tikkabhuna wrote:
| Apple have "Password Rules"[1]. No idea how many password
| generators respect it though.
|
| I've created a CodeSandbox example of it being used.[2]
| 1Password does honour it.
|
| [1] https://developer.apple.com/password-rules/
| [2] https://codesandbox.io/s/password-rules-demo-029h5
| up6w6 wrote:
| Bitwarden is on the way to support it.
|
| https://github.com/bitwarden/browser/pull/2047
| bobbylarrybobby wrote:
| Yep, https://developer.mozilla.org/en-US/docs/Web/HTML/Element/in...
| there's even an option for a regex pattern that the password must
| match.
| mojuba wrote:
| Interesting, that's different from what Safari supports (see
| sibling comment).
|
| I wonder what the algorithm is to generate a good password
| that matches a given regex. Also there's a potential problem
| with patterns that are wrong or contain errors, that may
| result in simple and insecure passwords. I don't see how
| Mozilla's approach is better than Safari's.
| prepend wrote:
| Every time I run into this, I remember meetings where a dumbass
| engineer would convince a clueless PM that something was
| necessary. It seems too specific to be thought up by a non-
| engineer.
|
| I have no way of knowing this, but I do think companies with dumb
| password rules have poor talent.
|
| I need to start a list of companies with dumb password rules, but
| I rarely create new accounts so by the time I get annoyed, I'm
| distracted onto something else.
| GoblinSlayer wrote:
| >I need to start a list of companies with dumb password rules
|
| You were heard: https://github.com/duffn/dumb-password-rules
| gxqoz wrote:
| I hate a lot of the new paradigms with passwords. This includes
| things like letting you sign up for an account and placing you in
| an in-between state until your email is verified (with no
| indication this is the case until you check your email). Or
| moving login password entry to a separate screen from entering
| the username.
| teekert wrote:
| I have seen sites where I can happily enter a 25 char long random
| string but then you can't log in. A lot of trial and error and it
| turns out they simply truncate at 16 chars :s
| alexdumitru wrote:
| I signed up on coinmarkercap and used bitwarden to set a 16 words
| passphrase as my password. Every time I log in I'm asked to
| change it because it's unsafe.
| dankwizard wrote:
| It's like with Runescape, Jagex put a .lower on your password.
| Capitals don't matter!
| clement_b wrote:
| Worse than password rules, are when sites disable the ability to
| paste in the password in the 'confirm your password' field.
| Forces users to reduce the 50 chars crazy password they wanted to
| set using their preferred password manager with a less secure
| version.
| slownews45 wrote:
| No kidding. Govt websites seem to think this is a positive. Of
| course, these same folks do the 90 day rotation. Result -
| everyone writing down passwords on post-it notes next to
| screens.
| JTbane wrote:
| The TreasuryDirect website requires login with a case-
| insensitive on-screen keyboard in the page itself. I have no
| idea why such an idiotic approach would be taken.
| slownews45 wrote:
| I've used that site - got me to get rid of their inflation
| protected investments unfortunately! And no cut and paste.
| antsar wrote:
| Thankfully, Firefox has an easy way to stop that.
|
| about:config
| dom.event.clipboardevents.enabled = false
| clement_b wrote:
| Nice! Will try that one.
| phist_mcgee wrote:
| Beware that this may break certain applications that read
| from your clipboard
|
| https://utcc.utoronto.ca/~cks/space/blog/web/FirefoxClipboar...
| enobrev wrote:
| Far too many sites seem to do this with bank account numbers,
| where you can't paste into the account number OR the
| confirmation field.
|
| Now I need to drag my tab to another window and type it out
| (twice) and then read and confirm it. If I'm on mobile - forget
| it.
|
| I'm far more likely to get my account number _and_ confirmation
| wrong if I type them rather than copy/pasting them in from my
| bank's site.
| banana_giraffe wrote:
| I've had this in my AutoHotkey file for a long time now:
|     ; Type in the clipboard
|     ^!v::
|     MyClip = %clipboard%
|     StringReplace, MyClip, MyClip, `r, , All
|     SendRaw %MyClip%
|     return
|
| So I can hit Ctrl-Alt-V and have it type in whatever's in my
| clipboard. I use it to scrub the text and deal with stupid
| sites and forms that don't allow paste. I also have a variant
| that adds a Sleep so I can do the same thing when something
| like RDP takes control.
| wruza wrote:
| Argh, if only AHK used some mainstream scripting language, at
| least in addition to its leetspeak. I will never learn it by
| practicing once in a year.
| banana_giraffe wrote:
| Agreed. The little snippets in my AHK file are mostly magic
| incantations to me by now.
|
| AHK has a v2 that attempts to clean up its scripting
| language, but it's been in beta for a long time.
| Hamuko wrote:
| I once had to open up my developer console and manually set the
| field with JavaScript because they didn't want me pasting into
| the password field. Although the site was also all kinds of
| broken so it might have actually been an accident that pasting
| into the field didn't work.
| WorldMaker wrote:
| I do this on quite a few sites. Most of the easy ones have an
| easy to find onpaste event wired in the DOM and it's a simple
| delete. I feel like there are so few legitimate uses of
| onpaste and the browser should have an easy override that if
| I ctrl+v three times in quick succession or something like
| that it ignores or disables onpaste events.
|
| Alternatively, my password manager does have a decent
| "autotype" tool when all else fails.
| Hamuko wrote:
| I find it easier just to select the DOM element for the
| field and do $0.value = "asd";
|
| instead of finding the onpaste event.
| rav wrote:
| I use the following bookmarklet to fix issues like this. It's
| similar to the browser addon discussed in sibling comments, but
| without installing a browser addon. Simply create a bookmark
| named e.g. "Don't mess with paste" with the following URL:
|
| javascript:void(document.documentElement.addEventListener('keydown',e=>e.keyCode==9&&e.stopPropagation(),true),document.documentElement.addEventListener('copy',e=>e.stopPropagation(),true),document.documentElement.addEventListener('paste',e=>e.stopPropagation(),true))
| tzs wrote:
| Note: keyCode is deprecated (but still works in most
| browsers). Supposed to use key nowadays.
| enobrev wrote:
| I read this comment earlier and just now had to come back and
| use it so I could paste an account number during a signup
| process.
|
| You just improved my day.
|
| Thanks!
| pavon wrote:
| Or the site lets your password manager fill the fields, but for
| some reason their javascript doesn't recognize it and refuses
| to let you submit because it hasn't verified your password as
| matching, meeting strength rules, etc. At least in that case
| deleting and typing just the last character usually fixes it.
| spookthesunset wrote:
| Probably some developer who isn't fully up to speed with what
| event hooks to use in order to trigger their JavaScript
| validation rules. And yes it is super annoying.
|
| ...though not as annoying as sites that don't let you copy /
| paste into their login fields.
| ryandrake wrote:
| Funny, since the problem of "typing stuff into a text field
| and submitting it to a web site" was solved over 20 years
| ago, and without JavaScript. Yet web developers today still
| manage to try and fail to solve it using code. I guess when
| your only tool is a hammer...
| CurrentB wrote:
| https://chrome.google.com/webstore/detail/dont-fuck-with-pas...
|
| This has been a greatly appreciated plugin for these scenarios
| (it's on Firefox as well)
| selfhoster11 wrote:
| I was going to mention that plugin as well. Its name is
| explicit with good reason.
| GoblinSlayer wrote:
| Drag and drop works for me in those cases.
| Andrew_nenakhov wrote:
| I also hate when they force you to change passwords from time to
| time and forbid you to set one of your previous passwords. One
| particular offender is russian website HeadHunter [1].
|
| I hope such people will go to very special hell after they die.
|
| [1]: https://hh.ru
| NathanielK wrote:
| Extra fun with organizations that use single sign on. Change
| your pc login and now your phone has the wrong wifi
| credentials. Let it attempt to connect too many times and your
| account is disabled.
| gregmac wrote:
| I've asked IT people that set these policies to tell me their
| previous password -- after all, they changed it to something
| completely different, as per policy, right??
|
| No one has ever agreed to this.
| helmsb wrote:
| It also doesn't help that the complexity rules are inversely
| proportional to the importance of the application.
|
| My former mortgage company's password requirements were 8
| characters max, no special characters.
|
| The app for scheduling appointments at my barber (no payment
| info) requires a minimum 12 character password with 2 or more
| special characters, 2 or more uppercase characters and 2 or more
| numbers.
| enriquto wrote:
| > I Hate Password Rules
|
| I hate passwords altogether.
|
| In this day and age, nearly all instances of password usage can
| be replaced by public key cryptography for a vastly improved user
| experience. And, of course, for a net gain in security.
| Zamicol wrote:
| Do you have any examples of this in the wild?
| enriquto wrote:
| ssh?
|
| Why can I connect to a remote server without using any
| password, but still need one to read the mail?
| PaulHoule wrote:
| I had a talk with the head of security at my credit union and
| told him I was within this much distance of ending my
| relationship with them over the fact that their password rules
| were so tough.
|
| I pointed out that there were some banks that had let me keep the
| same (securely generated) password for 15 years.
|
| American Express tried to sell me on a deposit account to go with
| my card but they told me I'd need to make a new account to log
| in. I told them that one reason I kept my AmEx was that they
| didn't make me change my password every time I wanted to log in
| and if I had to add a second login it wasn't worth it to me.
| oehpr wrote:
| To verify, you're using a password manager? Because it's hard
| to imagine someone getting upset over having to just update an
| entry, and obviously the bank can't tell you not to use a
| password to unlock your own vault.
|
| And I can't imagine someone memorizing a password for a bank
| login only, and never using that in other locations. The
| internet requires so many accounts to manage... If you did
| reuse your password then your bank login would be very
| vulnerable to credential stuffing.
| shadowgovt wrote:
| I use a password scrambler that generates a unique N-character
| string for every page. It's close to as much entropy as a one-
| time pad (technically, there is an underlying algorithm, so it
| could be reverse-engineered... But it'd require stealing my pass
| from several sites to start attacking it).
|
| ... except the sites that require a capital letter and an
| exclamation point. Those I sign into with "A<some random
| N-digits>!".
|
| Good job, site designers. You've done nothing to improve
| security, but you have annoyed the hell out of me.
| gorgoiler wrote:
| Having an @ in my password has been a royal pain in the ass over
| the years. Some keyboards switch @ and ". Oof.
|
| Anyway, enjoy my bank account xx
| jjcm wrote:
| Here's how I do passwords - require a certain amount of entropy,
| and compare vs common passwords on the backend. That's it.
|
| Here's a gif of it in action: http://files.jjcm.org/password.gif
|
| And an example webcomponent that implements this:
| https://github.com/jjcm/soci-frontend/blob/master/components...
|
| The ENTROPY_REQUIREMENT variable means you need a password that
| has at least 2^n possible combinations, given the character set
| and the length used. There's no restrictions other than that. If
| you want to only use lowercase letters, that's fine, as long as
| the length is long enough. If you include special characters, the
| length requirement drops.
|
| I use a simple message to tell the user whether or not a password
| is acceptable, along with a radial progress bar to demonstrate
| success: "Not strong enough. Add complexity until the circle
| fills."
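An added example of the entropy-plus-blocklist rule jjcm describes; it is not jjcm's web component and not Nextcloud's list check. ENTROPY_REQUIREMENT is set to 40 bits and the common-password list is a constructed stand-in, both assumptions. The alphabet model is the naive one (length times log2 of the character set the password draws from), which is exactly why it shows a lowercase-only password needing more characters than a mixed one, and also why a patterned password like "Password1!" scores as strong; the blocklist catches the worst of those, and dictionary-and-pattern estimators such as zxcvbn catch more.

```javascript
// Added example, written for this page; it is not jjcm's component and not
// Nextcloud's check. Two rules: reject anything on a common-password list, and
// otherwise require that the search space implied by length and character
// classes be at least 2^ENTROPY_REQUIREMENT. The threshold and the list are
// assumptions.

const ENTROPY_REQUIREMENT = 40; // bits

// Constructed stand-in for a "top N most common passwords" list.
const COMMON_PASSWORDS = new Set([
  'password', '123456', '12345678', 'qwerty', 'letmein', 'iloveyou',
]);

// Each class the password draws from adds its size to the alphabet an attacker
// must brute-force. "symbol" is the 33 printable ASCII characters that are not
// letters or digits (punctuation plus space).
const CLASSES = [
  { size: 26, re: /[a-z]/ },
  { size: 26, re: /[A-Z]/ },
  { size: 10, re: /[0-9]/ },
  { size: 33, re: /[^a-zA-Z0-9]/ },
];

function alphabetSize(password) {
  return CLASSES.reduce((n, c) => (c.re.test(password) ? n + c.size : n), 0);
}

// Bits of entropy under the "attacker knows alphabet and length" model:
// log2(alphabet ^ length) = length * log2(alphabet).
function entropyBits(password) {
  const a = alphabetSize(password);
  return a === 0 ? 0 : password.length * Math.log2(a);
}

// Shortest password that meets the requirement for a given alphabet size. This
// is the "length requirement drops when you add character classes" effect.
function minLengthFor(alphabet) {
  return Math.ceil(ENTROPY_REQUIREMENT / Math.log2(alphabet));
}

function checkPassword(password) {
  const bits = entropyBits(password);
  // Compare case-insensitively so "Password" does not slip past the list even
  // though its alphabet-based score would pass.
  if (COMMON_PASSWORDS.has(password.toLowerCase())) {
    return { ok: false, bits, message: 'That password is on the common-password list.' };
  }
  if (bits < ENTROPY_REQUIREMENT) {
    return { ok: false, bits, message: 'Not strong enough. Add complexity until the circle fills.' };
  }
  return { ok: true, bits, message: 'Strong enough.' };
}
```

With these numbers, ten lowercase letters (about 47 bits) pass while eight (about 37.6 bits) do not, and the full printable-ASCII alphabet gets there at seven characters; the list check is what rejects "Password" despite its 45-bit score.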
| oehpr wrote:
| So... what's all this about XKCD's password scheme not being ok?
| I found the argument pretty compelling, in that even if you
| presumed the attacker knew how you generated your password, there
| would be too much entropy to work out what it was.
|
| I'm going to do some quick googling about this.
|
| edit: oh goodness, this appears to be a holy war,
| https://security.stackexchange.com/questions/62832/is-the-of...
|
| I'll just plant my flag and wish the rest of you luck, use a
| password manager.
| aeternum wrote:
| In practice people do not use random words. Instead they use a
| song lyric or sentence from a popular book.
|
| Many users used this strategy to secure their cryptocurrency
| 'brain' wallets only to have the funds quickly stolen.
| elischleifer wrote:
| Having spent the last weekend trying to explain the arcane rules
| of 1Password to my mother, I can completely relate to this post.
| When things are overly complicated people start to work around
| them ... store master passwords and other codes in local files
| because it is a giant pain to enter them.
|
| Corporate level password security should not be enforced on
| individual users who don't have IT support to keep their systems
| working cleanly.
| qwertox wrote:
| I had a 16 character password which I used in a PC online-
| banking application.
|
| After an update the password was unable to unlock the database.
|
| So I started creating new databases with different passwords to
| see what was going on, and it turned out that all passwords
| longer than 10 characters were failing.
|
| So I _truncated_ my old password to 10 characters and then it
| worked. No hint, no nothing in the release notes.
| infogulch wrote:
| I guess that means that it was silently truncating before the
| update.
| alliao wrote:
| yikes? that means they knew your password therefore able to
| truncate it to 10 characters?!
| qwertox wrote:
| I assume it was like iso1631 commented, that before the
| upgrade they truncated it before hashing it. In any case,
| using a password (=encrypting database) was optional, so my
| reaction to this experience was to remove the password and
| move the entire application into a VeraCrypt container.
| iso1631 wrote:
| Not necessarily, if the previous version truncated the
| passed password to 10 characters, hashed, then stored, but
| the new version no longer truncated, the hash wouldn't match
| unless you used 10 characters
|
| if your password was qwerty123456, it might have allowed you
| in with qwerty1234999
| mooreds wrote:
| Is it password rules he hates or the UX around the password
| rules?
|
| I just read the post and if the system response had been "You
| must have 2 numbers in your password", well then, okay, easy
| enough to do. An annoyance rather than a hatred.
|
| Not that I think password rules are great. They can, if used
| poorly, unnecessarily constrain the space of passwords. But they
| are often required by certain compliance situations.
|
| I love my password manager and think everyone should use one,
| myself.
|
| Another alternative is the FIDO passwordless technologies that
| are being rolled out more and more. Though I saw a tweet the
| other day that said "Biometric identification is a username not a
| password" that made me think about that.
| iudqnolq wrote:
| The problem with that is I then have to open my password
| manager, append "11" to my perfectly secure password, and save
| it. Just use zxcvbn.
| andylynch wrote:
| This is why current standards say password complexity rules
| are a terrible idea (or officially a SHOULD NOT), and have
| for a while. I'm baffled as to why these rules endure.
| josephcsible wrote:
| I like the rule that Nextcloud uses by default: rather than
| requiring character class minimums or anything like that, it
| makes sure that the password you picked isn't one of the top
| 1,000,000 most commonly used passwords.
| robotears wrote:
| My frustration isn't just the sites that make the password rules
| clear after I submit the form. The worst sites are the ones that
| truncate my generated password to fit their maximum password
| length and then don't tell me (which seems to happen in more
| places than it should).
| jbarberu wrote:
| And then their sign-in page doesn't truncate it and it just
| fails to login... Absolutely love it!
|
| One of my favorites was Nintendo's user account. The web allows
| decent passwords when created, but then the actual game console
| only has room for inputting 15 characters or so for the
| password :@
| kevincox wrote:
| I've even seen it backwards (I assume) where creating the
| account with the longer password worked but then I couldn't
| sign in with it or any prefix of it.
| [deleted]
| thamer wrote:
| Worse: I once set my E*Trade password to something it accepted
| but wouldn't recognize when I tried to log in... because it was
| too long.
|
| After changing it I got locked out of my account and had to
| call support to resolve the issue. The worst part was that
| after verifying my identity over the phone they kept sending me
| reset links and I kept using long passwords generated by
| 1Password (30 characters IIRC) and it always accepted them when
| resetting but still would never let me log in.
|
| It took many attempts and new reset links until they suggested
| trying a shorter password, which was eventually accepted both
| during reset AND login. Of course the reset page didn't mention
| a maximum length.
| davchana wrote:
| Exactly. Indian Retirement Fund, PF, National Pension System,
| has a rule of max 16 chars in password. They don't tell this at
| password reset or set. They simply accept anything 16+ length
| & silently truncate & use the first 16 chars. But the user is
| never told. When I try to log in later, it says password wrong. I had
| to reset it multiple times, because my password manager was
| generating longer ones.
| reaperducer wrote:
| _The worst sites are the ones that truncate my generated
| password to fit their maximum password length and then don't
| tell me_
|
| Or worse, they truncate your password after you've already used
| it for years and years.
|
| I had a 30-character password with Bank of America. Somewhere
| along the line, it changed its password requirements to only
| allow a maximum of 20 or 25 characters (I forget), which
| automatically invalidated my password.
|
| The password was stored in my password manager, so I knew I
| wasn't entering it wrong.
|
| BoA support said I should use the "change password" feature to
| update my password, but I couldn't because it requires me to
| enter the old password, which it would not accept. For some
| reason I can't remember, I couldn't use the "forgot password"
| feature. Maybe it also didn't work right.
|
| I spent an entire day on the phone getting bounced from person
| to person before finally someone was able to take a new
| password over the phone.
|
| Since Bank of America can't figure out how to build a web site
| login, I no longer trust it with my money. I emptied that
| savings account and paid off the credit card as quickly as I
| could. I no longer use BoA.
| pbhjpbhj wrote:
| So, for a bank the maximum is to allow NSA to crack it if
| they wish, right?
| reaperducer wrote:
| They kept insisting that a 20-character password is safer
| than one with 30 characters. I couldn't get them to
| understand otherwise.
| nzach wrote:
| >Or worse, they truncate your password after you've already
| used it for years and years.
|
| Worse than that must be the sudden realization that your bank
| probably saves your password in plain text somewhere.
| bananasbandanas wrote:
| More likely they just updated the password during a
| successful login.
| iso1631 wrote:
| As it's a bank that's probably the case, but you could have
| a change on the server side from
|
| hash($password) == $storedhash
|
| to
|
| hash(substr($password,0,20)) == $storedhash
|
| and you wouldn't get in, with any password (including just
| putting in the first 20 characters).
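The two truncation failure modes discussed in this sub-thread, as an added Python example that is not part of the HN thread: a hash of the full password checked against a truncated one after a server-side change, and a password truncated when set but not at login. The 20-character limit, the 30-character sample password and PBKDF2 as the hash are assumptions for the demo.

```python
"""Simulates silent password truncation on only one side of set/verify,
then shows a consistent version that refuses over-long input instead.
Sample password, salt handling and the 20-character limit are constructed."""
import hashlib
import secrets
from typing import Dict, Tuple

MAX_LEN = 20             # the site's undocumented limit (constructed)
SANE_MAX_LEN = 128       # explicit, documented limit for the fixed version
ITERATIONS = 100_000     # PBKDF2 work factor for the demo

SAMPLE_PASSWORD = "zxcvbn-is-better-than-rules-30"   # 30 chars, constructed


def derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 over exactly the bytes it is handed."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def store(password: str, truncate: bool) -> Tuple[bytes, bytes]:
    """Enrol a password, optionally with the silent-truncation bug."""
    if truncate:
        password = password[:MAX_LEN]
    salt = secrets.token_bytes(16)
    return salt, derive(password, salt)


def verify(password: str, salt: bytes, stored: bytes, truncate: bool) -> bool:
    """Check a login attempt, optionally with the silent-truncation bug."""
    if truncate:
        password = password[:MAX_LEN]
    return secrets.compare_digest(derive(password, salt), stored)


def lockout_after_policy_change(password: str) -> Dict[str, bool]:
    """Mode 1: hash(full password) was stored years ago, then the server
    starts hashing substr(password, 0, 20) at login. Neither the full
    password nor its first 20 characters gets you in."""
    salt, stored = store(password, truncate=False)
    return {
        "full": verify(password, salt, stored, truncate=True),
        "first_20": verify(password[:MAX_LEN], salt, stored, truncate=True),
    }


def truncated_on_set_only(password: str) -> Dict[str, bool]:
    """Mode 2: truncated when set, but login hashes everything typed.
    Only the 20-character prefix works, and nobody told the user."""
    salt, stored = store(password, truncate=True)
    return {
        "full": verify(password, salt, stored, truncate=False),
        "first_20": verify(password[:MAX_LEN], salt, stored, truncate=False),
    }


class PasswordTooLong(ValueError):
    """Raised at set time so the user learns about the limit immediately."""


def store_strict(password: str) -> Tuple[bytes, bytes]:
    """Fixed version: one generous, documented limit enforced with an error,
    and no transformation of the bytes that get hashed."""
    if len(password) > SANE_MAX_LEN:
        raise PasswordTooLong(f"passwords are limited to {SANE_MAX_LEN} characters")
    return store(password, truncate=False)


def verify_strict(password: str, salt: bytes, stored: bytes) -> bool:
    """Login path applies exactly the same (non-)normalisation as set."""
    return verify(password, salt, stored, truncate=False)


if __name__ == "__main__":
    print("policy change after enrolment:", lockout_after_policy_change(SAMPLE_PASSWORD))
    print("truncated on set only:        ", truncated_on_set_only(SAMPLE_PASSWORD))
```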
| fossuser wrote:
| I'm not sure why anyone uses banks like BoA, Wells Fargo,
| First Niagara, etc.
|
| Fidelity is a superior experience in nearly every way - just
| categorically. I'm not sure if people just don't know that
| you can use Fidelity this way?
|
| The only downsides are no local branches, but that's hardly
| an issue unless you need a cashier's check. In those rare
| cases you can spin up an account at shitty bank, get the
| check, then close the account. I've had to do that maybe once
| ever.
| ysavir wrote:
| In what way? I'd be curious to understand what it is you
| value about them, but your post reads more like marketing
| than a satisfied customer story.
| fossuser wrote:
| No fees, also a brokerage, free checks, free atm, free
| wires, can trivially spin up IRA, move money between
| accounts, etc.
|
| Phone call support has been surprisingly good whenever
| I've needed it.
|
| When I used standard banks they often forced me to go in
| at difficult hours to do basic things and it took
| forever. They also had lots of fees (and as suggested in
| the parent comment, bad software).
| reaperducer wrote:
| You state that you don't understand why people use large,
| complex banks. Then state that you have a very simple,
| financially uninteresting life.
|
| You answered your own question.
| fossuser wrote:
| I have a pretty complex financial situation, but Fidelity
| can just do all of it more easily than retail banks.
|
| Is there something banks like BoA do better that I'm
| missing? When I've asked people I know this I haven't
| gotten any good answers. I'm genuinely asking.
|
| My impression is that BoA, Wells Fargo, etc. mostly take
| advantage of customers that don't know better options
| exist.
| reaperducer wrote:
| Your impression may come from the fact that many people
| don't talk openly about their finances to random people
| on the internet.
|
| For me, Fidelity is a non-starter, for reasons that are
| none of your business.
|
| It's nice that you like Fidelity. But it's a good idea to
| recognize that your finances and life situation are
| unique to you.
| fossuser wrote:
| Cool - so a non-answer and condescending dismissal of
| genuine questions.
|
| Lots of people talk about finances online. See
| r/personalfinance or r/financialindependence. It's a good
| way to learn.
| reaperducer wrote:
| I am not "lots of people." I have no interest in being
| "lots of people," or in proving myself to strangers on
| the internet.
|
| I cannot convey 50 years of my financial life,
| experience, and history into what fits in an internet
| post. Anyone who can probably has a very narrow view of
| finance. I can say that I know how to manage my finances,
| and my accountant agrees with my methods and track
| record.
|
| But if you think Reddit is the route to financial
| literacy, I can understand why you don't understand.
| recursive wrote:
| I don't necessarily think Reddit is a good route to
| financial literacy. Nor do I know of a better route.
| Despite (or because of?) all that, I still think the
| question was reasonable. If you don't want to answer the
| question, that's fine. But you don't have to be so
| antagonistic about it.
| vangelis wrote:
| That response is awfully unconstructive and dismissive.
| Perhaps you're able to articulate why you believe Reddit,
| specifically r/personalfinance and other reasonable
| boards, are bad, no?
| randomluck040 wrote:
| Wait, what? That never happened to me. How do you go and find
| out your password then? Trial and error?
| teawrecks wrote:
| T-Mobile did this to me a few years ago. Don't know if they
| still do, but I couldn't believe anyone thought that was ok.
| mooreds wrote:
| > Trial and error?
|
| Bingo. Super frustrating.
|
| See also this comment:
| https://news.ycombinator.com/item?id=24827031
| Macha wrote:
| I once had a bank that used substr(tolower(input_password),
| 0, 8) as the actual password.
| bell-cot wrote:
| Heh. Late 1990's, I was an admin on a >1,000 user system -
| which was rooted because it had that feature, and another
| admin figured that 'meatball2&balloons' was a secure-enough
| password.
| ylere wrote:
| I had it happen a few times. Usually I would reset it a few
| times until realizing that it's obviously not saving the
| password I'm entering, at which point I would try setting a
| shorter one.
| [deleted]
| phepranto wrote:
| They might just truncate the password during login as well. I
| was able to login to my online banking using only the first
| five digits of my password not more than 3 years ago.. They
| fixed it in the meantime but I'm still worried.
| robocat wrote:
| You should still be worried, since any bank storing an
| unhashed password clearly has security fail.
| Maultasche wrote:
| That happened to me many years ago with Microsoft logins.
| They were truncating passwords to 12 characters and my
| generated 16-character passwords never worked. I kept
| resetting them over and over until I did a Google search for
| Microsoft password requirements and found out that they were
| being truncated.
|
| That was likely fixed a long time ago, but I'm still wary of
| increasing my Microsoft passwords past 12 characters.
| GoblinSlayer wrote:
| FWIW I use 30 character password with recently created
| skype account, and relogins work.
| memco wrote:
| I've also had fun experiences where the "special characters"
| differ between the description and the implementation in a few
| ways.
|
| Once I had a password accepted with non-alpha numeric
| characters which were considered invalid as input on the login
| screen and so even though my password was correct it would not
| let me log in because it was validated with different logic
| after creation.
|
| Another issue I've seen is that the password was required to
| have only a certain subset of non-alphanumeric characters, but
| it did not explain or validate this client side so I had a
| password for which all the boxes turned green, but was still
| invalid.
|
| In both cases only trial and error worked to find a valid
| password.
| NathanielK wrote:
| For a while, Discord had few password restrictions so 5
| characters were fine. Then they changed their app to only
| allow 6+ character passwords.
| Causality1 wrote:
| I spent half a year being charged monthly by Microsoft
| because Google considers my email address the same whether or
| not it has a period in it but Microsoft had somehow split my
| account into two based on that difference.
| stormbrew wrote:
| that's.. really on you I think, and not at all similar to
| one site having differing validation rules in different
| places for the same data. What gmail does there isn't some
| kind of standard, it's a unique special feature google
| does. You don't _want_ other sites getting clever about
| this sort of thing, because if the rules change much worse
| things will happen.
|
| Now, sites that treat email addresses as case sensitive -
| those are evil.
| NackerHughes wrote:
| I'm missing something, why would they charge you monthly
| for that?
| hansvm wrote:
| Extra user fee on some kind of SAAS?
| dataflow wrote:
| Can I ask what length your passwords are (roughly)? I don't
| understand the motivation for anything long in the context of
| randomly generated passwords for websites. 8-10 characters
| should be plenty.
|
| (This isn't to excuse silent truncation.)
| loa_in_ wrote:
| My passwords are all 20+ characters long
| dataflow wrote:
| For websites, you're just making your own life harder for
| no real gain. Even with purely alphanumeric 10 chars, it's
| not like anyone can exhaust the 36^10 password space over a
| network with no one noticing. Yet whenever you run into
| issues with the website or the password manager (or some
| other non-routine thing... like you're on your phone and
| need to enter this on a different computer) and have to
| enter it manually, it'll be much more painful than it has
| to be.
| singlow wrote:
| I guess you assume that everyone protects their stored
| hashes.
| dataflow wrote:
| Not really. Even if you're worried about that, (36
| alphanumeric + 10 symbols)^10 is roughly 4E16. Even at 2B
| checks/second/CPU (which is incredibly generous if the
| web developer has any competence) that's around 10M CPU-
| seconds, i.e. 115 CPU-days. For cracking _one single
| password_. An ASIC will speed it up, but again, remember
| this is one single password, and it can be an
| overestimate by like a factor of > 1 million if the
| developer actually used a KDF (and I'm not sure why they
| wouldn't, if they're already hashing). How paranoid do
| you have to be (and how big of a target do you have to
| have made of yourself? and exactly how valuable are your
| credentials?) to worry about a threat like this for most
| websites? Maybe it makes sense for your primary email,
| but do average accounts really benefit? Compared to the
| inconvenience of when something goes wrong and you have
| to type a long password manually.
| GoblinSlayer wrote:
| If you don't let users use their preferred password
| structure, they'll have to use a shitty password like
| hunter2, letmein or dragon. Those can be recovered with a
| few attempts, even online. If you really want a 10
| character password, you can hash the user's password,
| then imagine the first 10 bytes of the hash are the
| user's password, then do whatever you want with them.
| [deleted]
| teawrecks wrote:
| It's trivial to choose a smaller pw for sites that are
| difficult, but for the ones where I'm only ever using a
| pw manager to access, there's no reason not to use a 20
| char unique random string.
| GoblinSlayer wrote:
| Websites are not the only system that can enjoy a
| password, and there's no excuse for their egocentrism.
| BenjiWiebe wrote:
| For me I have long 20+ character passwords because my
| password manager remembers them for me, and I can
| copy/paste or autotype or copy them into the in-browser
| password manager.
|
| I _very rarely_ have to manually type in a password.
| loa_in_ wrote:
| My passwords are long because I don't actually use a password
| manager. I generate my passwords with a help of my algorithm
| that makes them easier to type in wherever I might need them
| (resemble real words) like in a terminal.
| gregmac wrote:
| I usually generate passwords in the ~32 character range,
| using A-Za-z0-9, specifically to catch sites with dumb
| security policies (maximum number of characters, or
| considering `aceg1234!` a stronger password than
| `MgHm7MC8kEuXWKEzD7CvDgxCtWssz964`).
|
| In most cases I just comply with their dumb policy and put a
| snarky comment for my future self in the Notes field of my
| password manager and it makes me feel better.
| SAI_Peregrinus wrote:
| All my passwords are passphrases, randomly generated and
| stored in my password manager. Usually 10 words, for about
| 130 bits of entropy. EG PledgeRoutineSuitableBunkhouseExcepti
| onCremeReassureChildishPhrasingNuclear, which is 76 ASCII
| characters but only 10 symbols.
|
| They're stored in a password manager, but they're typeable if
| needed. My "security question" answers (mother's maiden name,
| etc) are generated the same way, unique per use, and also
| stored in my password manager.
|
| Most sites don't need 128 bits of entropy. But things like
| banking or subscriptions should have at least 112 bits of
| entropy. And it's easy to just set the generator to 10 words
| by default.
| Larrikin wrote:
| Outside of things that need to be extremely secure like my
| AWS account password I usually prefer readable random words
| passwords over random text. Even random 2 word passwords
| usually surpass 20 characters especially after adding in
| numbers and special characters most sites require.
|
| It's a lot nicer being able to check if I typed in my Peacock
| login at my parents home at a glance versus a string of
| random characters.
| iso1631 wrote:
| If you're using a random password,
| c29b90b0e25ece3f2dabcef496d22103 is fine for a password,
| 2^128 bits. It's a right pain to type in on a console though.
|
| On the other hand, "rundown skyline pluck shawl pastrami
| radar refueling poach prankster durable" is far easier to
| type and is about the same entropy.
| hannasanarion wrote:
| The entropy is far greater than 2^128. Pastrami, refueling,
| and shawl don't appear in the top 30,000 English words
| list, so even knowing your password generation strategy,
| every word adds at least 15 bits of entropy, you're up to
| 150 bits, probably more.
| NoGravitas wrote:
| "correct horse battery staple" is 28 characters. And it
| really should be two words longer than that these days.
| hannasanarion wrote:
| 20 characters is fine. Even using only lowercase letters,
| in a worst-case scenario it'll take millions of years to
| guess by choosing characters, and a dictionary attack won't
| fare any better if you use four words that are moderately
| rare. Even if they're only in the top 1000, four words
| means the search space is 1 trillion guesses. Increase the
| search space to 10,000, by including such obscure words as
| "villager" and "conserve" and "missionary" (9950, 9973, and
| 9991, respectively) the search space increases to the
| quadrillions, equivalent of a 12-character random password
| with symbols, 53 bits.
|
| Is correct-horse-battery-staple guaranteed secure to the
| heat death of the universe? No, but good enough that it'll
| take a targeted attack several months to guess.
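The entropy and crack-time arithmetic from the dataflow, iso1631 and hannasanarion comments above, put on one scale as an added Python example that is not part of the HN thread. The guess rates are assumptions: 2e9 guesses/s per core for a fast hash (the figure quoted above) and 1e4 guesses/s per core behind a slow KDF; word-list sizes are the ones quoted in the comments.

```python
"""Entropy and exhaustive-search estimates for the password shapes argued
about above. Guess rates are constructed assumptions: 2e9/s per core for a
fast hash (the figure quoted above) and 1e4/s per core behind a slow KDF."""
import math
from dataclasses import dataclass
from typing import List

FAST_HASH_RATE = 2e9   # guesses/s/core against an unsalted fast hash
KDF_RATE = 1e4         # guesses/s/core against a deliberately slow KDF
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY


def charset_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def passphrase_bits(wordlist_size: int, words: int) -> float:
    """Same formula with words as the symbols: once the list is known,
    the letters inside each word contribute nothing extra."""
    return words * math.log2(wordlist_size)


def keyspace(bits: float) -> float:
    """Number of candidates an exhaustive search has to cover."""
    return 2.0 ** bits


def worst_case_seconds(bits: float, rate: float) -> float:
    """Time to try every candidate at `rate` guesses/s (halve for average)."""
    return keyspace(bits) / rate


def words_for_bits(target_bits: float, wordlist_size: int) -> int:
    """Smallest passphrase length reaching `target_bits` from that list."""
    return math.ceil(target_bits / math.log2(wordlist_size))


@dataclass
class Estimate:
    label: str
    bits: float
    fast_hash_days: float   # one core, fast hash
    kdf_years: float        # one core, slow KDF


def estimate(label: str, bits: float) -> Estimate:
    return Estimate(
        label,
        round(bits, 1),
        worst_case_seconds(bits, FAST_HASH_RATE) / SECONDS_PER_DAY,
        worst_case_seconds(bits, KDF_RATE) / SECONDS_PER_YEAR,
    )


def thread_cases() -> List[Estimate]:
    """The concrete shapes discussed in the comments above."""
    return [
        estimate("10 chars, 36 alphanumerics", charset_bits(36, 10)),
        estimate("10 chars, 36 alphanumerics + 10 symbols", charset_bits(46, 10)),
        estimate("4 words, 1,000-word list", passphrase_bits(1_000, 4)),
        estimate("4 words, 10,000-word list", passphrase_bits(10_000, 4)),
        estimate("32 hex chars (128-bit random)", charset_bits(16, 32)),
        estimate("10 diceware words, 7,776-word list", passphrase_bits(7_776, 10)),
        estimate("10 words, 30,000-word list", passphrase_bits(30_000, 10)),
    ]


if __name__ == "__main__":
    for e in thread_cases():
        print(f"{e.label:42} {e.bits:6.1f} bits "
              f"{e.fast_hash_days:12.3g} core-days fast hash "
              f"{e.kdf_years:12.3g} core-years KDF")
    print("words from a 7,776-word list to reach 128 bits:", words_for_bits(128, 7_776))
```

The KDF column is the point of the "factor of a million" remark above: the same password that falls in core-days to a fast hash costs core-years behind a slow KDF.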
| throwawayboise wrote:
| Supermicro BMC passwords do that. Recently (i.e. this year) I
| set up a bunch of servers and was setting the BMC password to a
| known value.
|
| Apparently there is a limit of 20 characters for the password.
| The password I set was 21 characters (which was accepted
| without error).
|
| When I tried to log in with this password, the login was
| rejected.
|
| However if I log in with just the first 20 characters of the
| password, it works.
| sleavey wrote:
| They should at least make their sign-up and login password
| fields have the same max length attributes...
| zamadatix wrote:
| It's even worse than that: the BMC is a preconfigured part
| of the server, not something you go to a sign-up page for.
| It's literally the _change password functionality_ that
| does not warn/error on the password being too long!
| hnlmorg wrote:
| EE does this on their website but not on their mobile app. Took
| me ages of debugging to figure out why my password manager
| worked on one platform but not the other. I was so annoyed when
| I realised what it was.
| teawrecks wrote:
| This has happened to me on one site. As far as I'm concerned,
| this is just a bug.
| Zircom wrote:
| Yeah you'd be surprised where it happens. I used to work on the
| help desk for a company that operated nuclear power plants, and
| their password system would only accept 8 character passwords,
| alphanumeric only. However, the length checking would randomly
| fail and users would be able to set a longer password and the
| system would silently truncate it without throwing an error or
| alerting the user in any way.
| Pxtl wrote:
| If they truncate on password set but don't truncate on password
| validation, that's the worst.
| [deleted]
| tdrdt wrote:
| Since I believe a password is the user's responsibility I use the
| UI to inform the user what a safe password is because most people
| have no clue.
|
| For example:
|
| Choose your password: _A safe password contains many different
| characters, for example a sentence._
| _wldu wrote:
| It would have been really nice if there had been an RFC or ISO
| standard for password composition. NIST 800-63B is probably the
| best advice available, but few people follow it and industry
| regulations (PCI) typically violate it.
| kube-system wrote:
| NIST's regs are really good but I think they'd be more widely
| adopted if they had a cliffnotes version.
|
| Something like: https://auth0.com/blog/dont-pass-on-the-new-
| nist-password-gu...
| dpifke wrote:
| Most attacks on passwords these days are credential stuffing, not
| brute force.
|
| This means that password rules REDUCE the amount of work an
| attacker has to do, as they can omit previously breached
| usernames/passwords which don't meet the password rules for the
| site being attacked. This means they can try more logins before
| getting rate-limited.
| codingclaws wrote:
| At PNS [0], I believe our only rule is 9-100 characters.
|
| [0] https://www.peachesnstink.com
| jjice wrote:
| I hate seeing websites that have odd restrictions like "you can
| use !, ?, #, and @, but not % or ^". I can't think of a
| reasonable reason.
| reaperducer wrote:
| Sometimes banks don't even adhere to their own rules. I have no
| idea what the rules are for CitizensOne (which does financing for
| Apple). I enter a password that turns all of the checks green,
| but it's still not good enough.
|
| https://twitter.com/Reaperducer/status/1459585393175769092
| kemotep wrote:
| There does need to be some rules or else people would set their
| password to be blank or a few characters.
|
| I would be happy with consistent password rules.
|
| 1. No password that was included in a breach a la the
| "haveibeenpwned" hash check system[0].
|
| 2. No password reuse.
|
| 3. A minimum length. Something like 14-20 characters. And no
| maximum (or at least something set to at least 127 characters as
| the max allowed).
|
| 4. Reset no more than once a year.
|
| And that's it. All valid UTF-8 characters accepted. No
| requirements for special characters or not, just long well
| randomized passwords, or more aptly, passphrases.
|
| Teaching everyone about password managers and diceware[1]
| passwords would go a long way too.
|
| [0]:https://haveibeenpwned.com/API/v3
| [1]:https://en.wikipedia.org/wiki/Diceware?wprov=sfti1
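Rules 1 to 3 above as an acceptance check, written as an added Python example that is not part of the HN thread. The breach lookup follows the shape of the haveibeenpwned Pwned Passwords range API (SHA-1 the candidate, send only the first 5 hex characters, compare the remaining 35 locally against "SUFFIX:COUNT" lines); no network call is made, and FAKE_RANGES, the counts, the per-user salt and the password history are constructed for the demo.

```python
"""Acceptance check for the proposed rules: not in a breach corpus, not
reused, 14..127 characters, any valid UTF-8, no character-class rules.
The breach lookup mimics the Pwned Passwords range API (k-anonymity): only
a 5-hex-char SHA-1 prefix would leave the machine. Everything here is
offline and all sample data is constructed."""
import hashlib
from typing import Callable, Dict, List, Set, Tuple

MIN_LEN = 14    # proposed minimum
MAX_LEN = 127   # proposed "at least 127" cap
HISTORY_ITERATIONS = 100_000

# Constructed stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
# The second suffix under 5BAA6 is the real SHA-1 remainder of "password";
# the first suffix and both counts are made up for the example.
FAKE_RANGES: Dict[str, str] = {
    "5BAA6": "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\r\n",
}


def fake_fetch_range(prefix: str) -> str:
    """Pretend network call: returns the body for a 5-hex-char prefix."""
    return FAKE_RANGES.get(prefix, "")


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char query prefix
    and the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity lookup: returns how often the password was seen, 0 if not."""
    _prefix, suffix = sha1_prefix_suffix(password)
    for line in fetch_range(_prefix).splitlines():
        line_suffix, _, count = line.strip().partition(":")
        if line_suffix == suffix:
            return int(count or 0)
    return 0


def history_hash(password: str, user_salt: bytes) -> bytes:
    """The reuse check compares salted, slow hashes of earlier passwords,
    so the history store is not a list of old plaintexts."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               user_salt, HISTORY_ITERATIONS)


def check_password(candidate: str, user_salt: bytes, history: Set[bytes],
                   fetch_range: Callable[[str], str] = fake_fetch_range) -> List[str]:
    """Return rule violations; an empty list means the password is accepted.
    Length is counted in code points, so any valid UTF-8 is fine and there
    are no character-class requirements."""
    problems: List[str] = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append(f"must be {MIN_LEN} to {MAX_LEN} characters long")
    seen = breach_count(candidate, fetch_range)
    if seen:
        problems.append(f"appears in known breaches ({seen} times)")
    if history_hash(candidate, user_salt) in history:
        problems.append("was used before on this account")
    return problems


if __name__ == "__main__":
    salt = b"constructed-per-user-salt"
    history = {history_hash("rundown skyline pluck shawl", salt)}
    for pw in ("password", "rundown skyline pluck shawl", "pastrami café radar refueling"):
        print(repr(pw), "->", check_password(pw, salt, history) or "accepted")
```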
| andylynch wrote:
| This is very close to part of current NIST* / NCSC guidelines.
| I assume you mean no frequent /forced/ reset?
|
| * https://pages.nist.gov/800-63-3/sp800-63b.html#memsecret
| waltbosz wrote:
| Max password lengths make no sense to me.
|
| > just long well randomized passwords, or more aptly,
| passphrases.
|
| Interesting idea. I could imagine a new password prompt with an
| algorithm to reject passwords that were not random enough. How
| infuriating would that be? What would the hint message look
| like: "your password must contain a statistically random
| arrangement of characters"
| kemotep wrote:
| Using a password manager password generation tool or a
| diceware word list would be sufficiently random in my eyes
| but I get what you mean.
| iudqnolq wrote:
| Just use zxcvbn
| kemotep wrote:
| Never heard of this before. Thanks for sharing.
| toto444 wrote:
| > 4. Reset no more than once a year.
|
| That would make a lot of people's life terrible. I reset my
| passwords very frequently (almost every time I log out of a
| website)
| Arrath wrote:
| That seems..excessive. What is your motivation for that?
| rstupek wrote:
| I think they're implying the site doesn't force you to reset
| your password more than once a year.
| kemotep wrote:
| I mean do not require passwords to be reset every 30, 60, 90
| days etc. Ideally you would only force a password reset if
| they fell for a phishing attack or there was a breach of the
| hashed password database/auth system.
| pixl97 wrote:
| I'm pretty sure the user means "required reset", rather than
| ones ability to reset at will.
| vimy wrote:
| For the vast majority of websites password rules are unnecessary.
| I only care about icloud and gmail, amazon and paypal. I don't
| care if my reddit account is "hacked". Or HN. Or random webshops
| or whatever. I hate being forced to use strong passwords for
| accounts I don't care about.
| KronisLV wrote:
| What cannot be ignored is the fact that many people will
| attempt to use the same password for multiple sites if given
| the chance.
|
| Furthermore, some of those shops may contain identifiable
| information which could be problematic.
|
| Personally, I take a slightly different approach: I don't care
| about almost any of my passwords... because they're randomly
| generated!
|
| KeePass gives you very nice choices in regards to this: when I
| write down a new account into the password protected DB for a
| site that I'm about to use, it allows me to both generate a
| random password for it, as well as specify additional
| generation rules if needed (e.g. longer or shorter).
|
| That way every password is unique and reasonably secure. In
| combination with Nextcloud and regular backups to another HDD
| (and manual ones to SD cards) the password safe is also
| persisted across my own devices and other mediums, whilst
| having an even longer password of its own, the only one that I
| need to memorize (and write down on a piece of paper that I
| could optionally give to someone I trust, since I once forgot
| my phone's lock screen pattern years ago).
|
| Here's more info about KeePass: https://keepass.info/
|
| This, when coupled with separate e-mail accounts (e.g. one for
| professional matters, a few for increasingly more spammy or
| throwaway purposes) and something like uBlock Origin and a VPN
| does make my online browsing experience a bit more tolerable
| and secure.
| vimy wrote:
| Well yes, that's exactly my point. I _want_ to be able to
| reuse crappy passwords because just typing a password is
| still simpler than dealing with password managers.
| PascLeRasc wrote:
| A few weeks ago I signed up for a local credit union and received
| a membership packet in my email including a reminder of what my
| password is. I called them to tell them about this security flaw
| and received a single dollar as a bug bounty, but they still
| haven't changed it.
| Igelau wrote:
| 100 Call them again
|
| 200 Get another dollar
|
| 300 Goto 100
| kspacewalk2 wrote:
| Due to the nature of my job and the age of some of my coworkers,
| I am sometimes casually given passwords on a piece of paper. Out
| of a sample size of conservatively 20, I have never even once (!)
| seen a special character other than !. It just doesn't happen.
| Password rules and a requirement to change your password every X
| months are pure security mirage and just create frustration in
| people who often struggle to generate even one secure password in
| their entire lifetime.
|
| (Yes I evangelize password managers around here. So far I've
| converted 2-3 people. They are the important people with shit
| people might want to steal on their computers/accounts, so I'm
| happy with this.)
| handrous wrote:
| > Password rules and a requirement to change your password
| every X months are pure security mirage and just create
| frustration in people who often struggle to generate even one
| secure password in their entire lifetime.
|
| Every place I've ever seen _or heard about_ with a "change
| every X months" system, everyone just uses a (often shared!)
| formula to come up with variations that satisfy the is-this-
| too-close-to-your-last-X-passwords checker, based on the date
| or whatever.
| kayodelycaon wrote:
| I got up to P@ssW0rd12 at one job.
| Arrath wrote:
| I was working my way to it, when IT rolled out a new policy
| of "cannot share more than 2 consecutive characters with a
| previous password" or something like it, included in an
| email along the lines of "an audit has found this new
| policy applies to you".
|
| Dicks.
| godshatter wrote:
| Doesn't that imply that they are saving your previous
| passwords in plain text somewhere instead of saving
| hashes of them? How is this more secure?
| GuB-42 wrote:
| Usually, when you change your password, you have to enter
| your old password. With both plaintexts, the check is
| trivial.
|
| It also means it should be possible to bypass that by
| changing the password twice or by "forgetting" your old
| password.
|
| Another possibility is that they simply lie to you and
| the rule that is actually checked is much more
| permissive. I've often seen requirements that are not
| actually checked.
| [deleted]
| dr_kiszonka wrote:
| This would be my guess too. Alternatively, maybe they
| save hashes of all substrings of length > 2 and check all
| hashed substrings of the new password against them.
|
| (Which - in my limited understanding of infosec - would
| be only marginally better than plaintext, but I can be
| wrong.)
| teawrecks wrote:
| Yeah, having hashes of substrings of a password would
| help a LOT when brute forcing. If I have a 10 char pass,
| and I'm storing 1 hash of the full pass + 9 hashes of the
| 2-char substrings, I can now brute force all those 2-char
| hashes and then fit them together in the few valid ways
| they could go together (assuming there is more than 1)
| until I find the final hash. Salts wouldn't matter.
| handrous wrote:
| And that's how you ensure everyone writes their password
| on a sticky note.
| Spivak wrote:
| Eh, a sticky note is pretty darn secure for the kinds of
| attacks you care about. If your attack vector is someone
| breaking into your office the security game changes
| completely.
| Arrath wrote:
| Yeah they either need a keycard or some tailgating to get
| to the bottom of my keyboard at which point they could
| just take the damn laptop and shuck the drive into an
| external enclosure and get everything that way, so nbd in
| my opinion.
| Sohcahtoa82 wrote:
| > shuck the drive into an external enclosure and get
| everything that way
|
| Disk encryption (ie, BitLocker) is supposed to prevent
| that from working.
| cesarb wrote:
| > If your attack vector is someone breaking into your
| office the security game changes completely.
|
| There are at least two other important attack vectors
| against "sticky notes": accidental sharing through
| photographs and/or online meeting cameras, and visitors
| memorizing visible passwords. Both are defeated by hiding
| the sticky note below the keyboard, but my guess is that
| most people leave it visible on the monitor bezel.
| logfromblammo wrote:
| If that policy is enforceable, someone would have to be
| storing passwords in plaintext, or the hashing algorithm
| is too weak.
|
| IT shouldn't be able to tell anything about plaintext
| password similarity beyond equals or not-equals.
| Arrath wrote:
| I had a similar concern. Or maybe it was a company wide
| email and that language was in there just because.
|
| Of course, our company-wide email was down for 2-3 months
| a couple years ago due to a ransomware infection, so our
| IT isn't stellar. So who knows!
| Sohcahtoa82 wrote:
| Ad-hoc, this is correct.
|
| But at the time of the password change, no, assuming
| password changing requires you to enter your current
| password as well.
| Vendan wrote:
| If just with previous password, then yeah, that's fine,
| but more than likely they are saying with the previous N
| passwords, which would require storing the previous N
| passwords in some kind of plain text or easily reversible
| form. Even if those old passwords are useless at that
| point (which might not be the case for something like a
| laptop that hasn't talked to the domain controller and
| learned that the password has been updated or something),
| it's still dangerous (what if they used that password on
| a vendor's site, or on their own banking login...)
| scrooched_moose wrote:
| Sounds like we have similar roles. I've never gotten them on
| paper, but multiple times a month I get emails along the lines
| of "My account doesn't work. My password is Banana1. Please
| fix". Every time I reset every single password they have (at
| least 4 hours of work for them) and inform them not to share
| passwords. Still, I've had users do it multiple times.
|
| I finally got all of our admin/root passwords into a password
| manager with sharing among job functions and our CTO as backup
| to ensure some level of continuity. After losing passwords to
| multiple production systems after someone leaving the company
| it was still a battle.
| rudian wrote:
| Congrats on getting them to use a password manager, now
| everyone can see _all_ of their passwords by typing in the
| master password they stuck to the side of the screen.
|
| I'm only half-joking sadly, people just don't understand why
| passwords exist in the first place, so they comply
| maliciously.
| vlunkr wrote:
| I'm sure people do that, but the fact that they only have
| one password to remember, and (hopefully) don't have to
| rotate it would hopefully deter them
| frosted-flakes wrote:
| Requirements for uppercase letters, numbers, and special
| characters mean I stick an "A1!" at the end of my otherwise
| strong and memorable password. I'm sure I'm not the only one.
| Ajedi32 wrote:
| Yeah, at least there's a good work-around for the
| numbers/symbols requirement. What's more annoying is when
| sites have a low maximum length so you _have_ to use special
| characters to get good entropy, or when they have other
| bizarre requirements like "can't contain more than 3 of the
| same character".
| bluGill wrote:
| Today's computers can brute force passwords of their maximum
| length in a few hours.
|
| I suppose someone somewhere has a maximum length that is
| hard to brute force, but I've never seen it.
| tmountain wrote:
| What max length? Once a password reaches 128 bits of
| entropy the key space is unfathomably large. You could
| have a password of length 1 with 10^100 possible values,
| and it could take a VERY long time to crack. In short, it
| has nothing to do with length, it has to do with bits of
| entropy, and there are still very real limits to what
| even the most powerful computers can brute force. Several
| years back, it was stated by Peerio that an 81-bit
| password would cost a billion dollars to crack. It
| becomes less feasible and more expensive from there.
| BeFlatXIII wrote:
| Frequent password rotation causes increases of passwords on
| post-its stuck to the monitor.
| kevincox wrote:
| In most cases I would take a strong password stuck to the
| monitor than a dictionary password on an internet exposed
| system.
|
| But yeah, frequent password rotation is still bad.
| lanecwagner wrote:
| I wrote a Go package because I have similar feelings.
| https://GitHub.com/wagslane/go-password-validator
| tpoacher wrote:
| I hate MFA. I get the "need", but it's a) generally shittily
| implemented, and c) frequently manipulated/enforced not for the
| right reasons (notably to force you to surrender your phone
| number)
| NoGravitas wrote:
| I actually kind of like TOTP, since I can choose the
| implementation I want to use, and make backups, and so on. I
| _loathe_ having to use any kind of bespoke MFA app, and I just
| resent the use of SMS for MFA.
| phist_mcgee wrote:
| Add to that, that SMS 2FA is becoming rapidly more insecure
| these days.
| ufo wrote:
| In another blog post, linked from this one, Bruce says that the
| XKCD scheme of stringing together a series of words is no longer
| safe:
|
| > Modern password crackers combine different words from their
| dictionaries. This is why the oft-cited XKCD scheme for
| generating passwords -- string together individual words like
| "correcthorsebatterystaple" -- is no longer good advice. The
| password crackers are on to this trick.
|
| Is that true? Or does it just mean we need more words in the
| password?
| grantmwilson wrote:
| Yes, more words is ideal. The ideal authentication scheme is
| that the attacker knows absolutely the system you use but it is
| still secure within realistic time constraints. So using
| randomly generated words from a sufficiently long list (such as
| this one
| https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt )
| and as long as the hashing algorithm is sufficiently complex,
| then you are mathematically protected with a minimum number of
| words.
|
| For example using a 6 word pass phrase from the above 10000
| word list would on average require 5e23 attempts to correctly
| guess it. For credential stuffing this is absolutely
| impractical. For cracking a leaked password hash we can figure
| out how secure it is.
|
| We assume that the service properly salts the passwords, so a
| rainbow table can't be used. If salted bcrypt hashes are used,
| a benchmarked 4-gpu rig did ~160 hashes/s, so even assuming a
| nation-state with 1E9 times as much computing power, we get
| 1.6e11 hashes/s, so this gives us on average 3.1e12 seconds to
| crack, which is about 100,000 years. Which means that no-one
| (pre-quantum) can crack that password.
| ufo wrote:
| If I understand it correctly, a 4-word password like in XKCD
| would require about 100,000 rig-years to crack. Do you think
| that is too low of a safety margin? Or is the problem that
| most people's word list may be less than 10K words?
| zahma wrote:
| The worst is when some forms set rules but prevent the user from
| pasting a string into the duplicate field for verification. If
| this is meant to prevent user error in case of a typo in the
| first field, then it also thwarts many of us using password
| managers. Somehow my browser can auto-generate and enter a
| password, but I can't. That's a work-around, but it's irksome
| anyway.
|
| On another note, a more constructive metric for password security
| on a basic website account would be to set a complexity standard
| that allows multiple ways to get there. A haiku of approximately
| 60 plain characters, for example, should be as secure as a 30
| character alphanumeric string, at least when it comes to brute
| forcing. It seems to me like plenty of weak passwords could be
| created to eke out the minimum requirements for a lot of sites,
| so this standard lends a false sense of security, especially when
| any password is recycled.
| core-utility wrote:
| Can anyone explain to me why even new products have a _maximum_
| character limit? I frequently see 16 or 20 maximum characters. If
| you're hashing the password, why does it matter?
| amelius wrote:
| Perhaps to prevent buffer overflow problems. Simplifies
| development and testing.
| wruza wrote:
| Wait, what? Even if they write their auth backends in C or
| assembly, nothing stops them from "#define MAXPWLEN 100".
| amelius wrote:
| That's still a limit.
| makecheck wrote:
| Complex password rules haven't been shown to improve security in
| any way. They _have_ been proven to torpedo security, e.g. they
| make people forget so they do blatantly-insecure things like
| writing passwords down or relying more frequently on things that
| reduce account security like having to reset the password
| entirely through simple E-mails or codes, etc.
|
| And speaking of banks, I am livid that so many of my financial
| accounts essentially _require_ absolutely terrible passwords. A
| lot of them don't support E-mail for log-in either.
|
| Meanwhile, your basic "correct horse battery staple" [1] works
| pretty well.
|
| [1] https://xkcd.com/936/
| dwighttk wrote:
| My fav is when it says "your password is too short" when it
| actually means "we didn't think anyone would try a password
| longer than 12 characters and your 48 character password messed
| up our code."
| throwawayboise wrote:
| I've simplified the rules I enforce because it was just getting
| out of hand. I enforce a reasonably long minimum length, and
| enforce a limit on number of repeated characters in a row (so
| someone can't set a password of "aaaaaaaaaaaaaaaa")
|
| That's it.
| teeray wrote:
| I'd really love the W3C to come out with some elements that
| provide:
|
| 1) Communication of complexity requirements
|
| 2) Explicit password manager fill targets
|
| 3) An endpoint for a password manager to rotate passwords
| automatically. (and the validity period)
|
| All of these would be backwards compatible with grandmas that
| write passwords on post-its and mouldering IT policies that snub
| NIST recommendations. Sure, webauthn is wonderful and all, but
| it's a whole lot easier to ask for some simple HTML changes
| rather than implementing a whole API.
| whymarrh wrote:
| This is something that folks are working on via the
| `passwordrules` attribute
| https://github.com/whatwg/html/issues/3518
|
| With that and a well-known endpoint for changing passwords (not
| quite the same thing as what you're describing;
| https://w3c.github.io/webappsec-change-password-url/) we are
| moving in that direction.
| amelius wrote:
| W3C can come up with all the elements they like but websites
| won't use them because they don't match with company style and
| the latest trends in graphic design.
| eckesicle wrote:
| NIST best practice recommendations state:
|
| * Require more than 8 characters
|
| * Don't require special characters
|
| * Don't force the user to reset their password
|
| * Do check for compromised passwords
|
| * Require MFA
|
| * ...
|
| All very sensible.
|
| https://auth0.com/blog/dont-pass-on-the-new-nist-password-gu...
| ben0x539 wrote:
| > * Require more than 8 characters
|
| If I'm reading this right, it's more than 7 characters. And
| more than 5 if you don't let users pick the password, which
| seems surprising.
|
| > Memorized secrets SHALL be at least 8 characters in length if
| chosen by the subscriber. Memorized secrets chosen randomly by
| the CSP or verifier SHALL be at least 6 characters in length
| and MAY be entirely numeric.
| beermonster wrote:
| You've read it correctly.
|
| The idea is to mitigate against brute force by account
| lockout/disable following N failed attempts rather than
| enforcing greater password length or complexity requirements.
| starwind wrote:
| Ironically, most of the government doesn't adhere to these
| recommendations
| yread wrote:
| How to practically check for common passwords? Ideal would be
| to have like the most common 1/1000th of the hibp so that it's
| not too big for deployment in some clever structure (compressed
| trie? bloom filter?). I don't trust 3rd party services.
| quickthrower2 wrote:
| Have you heard about https://haveibeenpwned.com/Passwords ?
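An added example (not code from either comment above) of the two checks being discussed: a local Bloom filter over a constructed common-password list, and a lookup against the Pwned Passwords k-anonymity range API with the server's reply replaced by constructed sample data.

```python
"""Checking a candidate password against a breach corpus, two ways.

Added example, not code from any comment in the thread. The common-password
list and the HIBP range response are constructed sample data; only the
Pwned Passwords protocol shape (SHA-1, 5-hex-char prefix, 'SUFFIX:COUNT'
lines) is real.
"""
import hashlib
import math
from typing import Iterator


class BloomFilter:
    """Bit array with k hash positions per item: no false negatives, a
    tunable false-positive rate, and far less space than the raw list."""

    def __init__(self, expected_items: int, false_positive_rate: float) -> None:
        # Standard sizing: m bits and k hash functions for the target rate.
        ln2 = math.log(2)
        self.m = max(8, int(-expected_items * math.log(false_positive_rate) / ln2 ** 2))
        self.k = max(1, round(self.m / expected_items * ln2))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: bytes) -> Iterator[int]:
        # Double hashing: two 64-bit values from one SHA-256 yield k positions.
        digest = hashlib.sha256(item).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        return ((h1 + i * h2) % self.m for i in range(self.k))

    def add(self, item: bytes) -> None:
        for pos in self._positions(item):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def __contains__(self, item: bytes) -> bool:
        return all(self.bits[pos // 8] & (1 << (pos % 8)) for pos in self._positions(item))


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form Pwned Passwords is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# 1. Local check. Constructed stand-in for the most common slice of a breach
# corpus; a real deployment would load the top N of the Pwned Passwords dump.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "Banana1", "letmein", "Password1"]

# A tiny list can afford a very low false-positive rate; at HIBP scale the
# rate is a size/accuracy trade-off (a hit only means "choose another").
BREACHED = BloomFilter(expected_items=len(COMMON_PASSWORDS), false_positive_rate=1e-6)
for _pw in COMMON_PASSWORDS:
    BREACHED.add(sha1_hex(_pw).encode())


def is_common_locally(password: str) -> bool:
    """True if the password is (almost certainly) in the local breach list."""
    return sha1_hex(password).encode() in BREACHED


# 2. Remote check with k-anonymity. The client sends only the first 5 hex
# chars of the SHA-1 (GET /range/{prefix}); the server answers with every
# suffix sharing that prefix and its breach count, one 'SUFFIX:COUNT' per
# line. The full hash, let alone the password, never leaves the client.
def hibp_range_parts(password: str) -> tuple:
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def breach_count_from_range(password: str, range_response: str) -> int:
    """How often the password appeared, given the API's range response."""
    _, suffix = hibp_range_parts(password)
    for line in range_response.splitlines():
        if ":" not in line:
            continue
        candidate_suffix, count = line.strip().split(":", 1)
        if candidate_suffix.upper() == suffix:
            return int(count)
    return 0


def constructed_range_response(password: str, count: int) -> str:
    """Fake range response (test data): the real suffix for `password`
    between two made-up suffixes, in the API's line format."""
    _, suffix = hibp_range_parts(password)
    return "\r\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:3",
        f"{suffix}:{count}",
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",
    ])


if __name__ == "__main__":
    response = constructed_range_response("Banana1", 1234)
    print("local:", is_common_locally("Banana1"), is_common_locally("sliding down the tall building"))
    print("hibp count:", breach_count_from_range("Banana1", response))
```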
| [deleted]
| cactus2093 wrote:
| Why do basically zero companies seem to follow this?
|
| Banks and airlines are of course some of the most egregious
| offenders, but even tech companies like Apple and FB have
| complexity requirements on capital letters and numbers. Surely
| the login security teams at these companies are aware of the
| NIST recommendations.
|
| Yet a tiny 3 person startup launching a simple crud app is more
| likely to google the NIST requirements and follow them than any
| of the biggest billion and trillion dollar market cap companies
| in the world. Are these companies acting irrationally here? Or
| is NIST not taking into account the factors that big companies
| actually care about, like support costs of dealing with account
| takeovers, etc.?
| jaywalk wrote:
| Big companies have big bureaucracies and third-party auditors
| that define stuff like this. Getting them to change their
| requirements is a herculean task.
| Galxeagle wrote:
| I've actually raised this with a security executive in my large
| consulting firm - the biggest blocker is apparently that
| requirements like frequent forced password changes are
| written in to many contracts signed with clients as
| boilerplate 'we promise to do x/y/z practices to keep your
| data secure'. Newer contracts have much better language and
| there have been some improvements that way (our reset period
| duration tripled recently), but it takes time to trickle
| through.
| skeaker wrote:
| I'd imagine that for at least some of them it has to do with
| appearance. "Facebook is so secure! It's got ten whole
| password requirements!"
| er4hn wrote:
| Inertia and other standards are a big force here.
|
| The NIST standards recommending this (SP 800-63B I believe,
| under "memorized secrets") came out in around 2017, many
| years after large companies had settled on prior standards.
| Prior standards were closer to what banks / other biggies
| were doing and they just kept on doing it. In addition you
| may have other non US govt policies (UK for example likes to
| publish policy docs, see:
| https://www.ncsc.gov.uk/collection/passwords/updating-
| your-a... for their slightly different modern take) which the
| company prefers to use because of either their own HQ
| location or large customer pull.
|
| Better yet many different countries' requirements and a couple
| industry docs are cobbled together into a frankenstein set of
| requirements. That requirements doc is then treated as
| though it came from Mount Sinai and should not be altered
| without getting the approval of 3 senior VPs, a professor of
| cryptography, and the head of IT.
| tomc1985 wrote:
| > * Require MFA
|
| Using some kind of OTP authenticator app or device and __NOT__
| SMS!
| jpalomaki wrote:
| For the average person there's also the problem of recovering
| access in case the phone with OTP app is lost.
|
| Every service of course has the option to print backup keys.
| Maintaining those (in secure offsite location) over years
| takes some effort.
| uncletammy wrote:
| Anything requiring my phone number or a binary that runs on
| my phone is a deal breaker for me. It has massive privacy
| implications.
|
| We desperately need to have better MFA options if we're going
| to require it from users.
| OskarS wrote:
| > or a binary that runs on my phone is a deal breaker
|
| Phone numbers, fair enough, but TOTP is an open standard
| and there are plenty of open source implementations for the
| client side. It's also available in most password managers
| (I use 1passwords implementation).
|
| "MFA can't require me to run a binary on my phone" is a bit
| extreme. TOTP is fine.
| mixmastamyk wrote:
| FYI: https://en.wikipedia.org/wiki/Time-based_One-Time_Password
| NoGravitas wrote:
| MFA can't require me to run _your specific app_ is a good
| guideline, though. It still leaves TOTP as fine, as long
| as I can choose my implementation.
| dahfizz wrote:
| SMS is perfectly good as an additional authentication factor.
| i.e. When you log in on a new device using your user name and
| password, you also need to type in the text message code you
| were sent. It is a convenient way to strictly increase the
| security of an account.
|
| What SMS is terrible for is as a single point of account
| recovery. This is unfortunately how it is often used. "Multi
| factor authentication" in practice has become "Use any _one_
| of multiple available factors for authentication ", which is
| awful.
| tomc1985 wrote:
| No it isn't. If you lose your phone you are in for a world
| of hurt, let alone all the various ways there are to
| intercept/redirect SMS messages and/or entire mobile
| accounts. To say nothing of the fact that internet access
| is not yet globally ubiquitous, or if you forget to pay
| your bill, or all these other possibilities.
|
| A proper OTP app works offline, and more than one of them
| can exist for any given authentication, so you can have
| backups if your phone is stolen.
| greggman3 wrote:
| I guess you don't travel much. It's very common to have
| internet but not cell service (so no SMS). It's also common
| to buy a local sim so effectively no SMS or at least not
| the one you have registered.
|
| So no, SMS is not perfectly good. it's crap and needs to
| die in a fire.
| watwut wrote:
| I used to travel a lot and the exact combination of no
| signal and internet was not frequent at all.
| mixmastamyk wrote:
| The other part was under another mobile system, say in
| another country. Can calls/texts find your phone today
| overseas at a reasonable price?
|
| I know that frequencies are different in some parts.
| tomc1985 wrote:
| That heavily depends on where you travel. Even here in
| Southern California there are populated areas with little
| to no mobile internet service (like Big Bear Lake, Anza
| Borrego, or Joshua Tree areas for example)
| watwut wrote:
| And they still have internet available to travelers?
| nitrogen wrote:
| I've had wifi at the hotel/motel/lodge but no cell
| service before.
| jillesvangurp wrote:
| The reason companies like Microsoft are basically calling
| for companies to stop relying on SMS is that it is just way
| too easy to compromise a phone number or a sim card and
| there are way too many people that get subjected to
| identity theft this way. Compared to other second factor
| options in the market, SMS is probably one of the worst
| ones precisely because operator security is so flawed.
|
| It's better than just having "secret" as your password, but
| not by nearly enough that you should feel particularly
| secure with it.
|
| The issue with all multi factor authentication is
| dealing with the likely situation that one of your users
| locks themselves out of their account and needs to have the
| factors reset so they can get back in. The secure way to
| deal with that would be to go, "Sorry, we don't know you
| and you've lost all your data. Goodbye!". But of course
| with important accounts that usually escalates pretty
| quickly with upset users hogging your helpdesk employees
| and not giving up that easily. So, most companies have help
| desks that are easily talked into "helping you". That's
| what they are incentivized to do. Companies with tight
| margins are the worst. Like most operators for example.
| klhutchins wrote:
| I think people also worry about the SIM card swap attack.
| Even if you have multiple ways to authenticate, RSA token,
| MFA app, and sms auth, the SIM card swap makes it way
| easier for someone else to have the thing only you should
| have.
| dheera wrote:
| > Require MFA
|
| But allow at least 2 hardware keys and not only SMS.
| colinclerk wrote:
| Disclosure: I am the cofounder of https://www.clerk.dev
|
| Here's the direct link to NIST 800-63B - it's really a
| fantastic document with sensible recommendations on every
| authentication method:
| https://pages.nist.gov/800-63-3/sp800-63b.html
|
| The tedious part of NIST's password requirements is "Do check
| for compromised passwords"
|
| HaveIBeenPwned exists, but most open source tools don't
| leverage it and this requirement goes overlooked.
|
| At Clerk, we follow NIST guidelines by default, including
| integration with HIBP. In a world with password reuse and
| "credential stuffing" attacks, this feature is critical to
| securing your user accounts (unless you go full passwordless,
| but that has its own tradeoffs).
| amanzi wrote:
| The important part is that the NIST password advice is meant
| to be read as a whole. Often I see people quote snippets out
| of the advice, but unless you read and understand the whole
| document, you run the risk of reducing your security posture.
| Jeff_Brown wrote:
| But even if you didn't read all of it, and just required
| longer passwords instead of special characters, you'd be
| improving things.
| colinclerk wrote:
| What's crazy to me is that NIST compliance isn't part of
| SOC-2 certifications or similar.
|
| A portion of our customers will ask us about NIST, but it's
| slimmer than I would have expected.
| pbreit wrote:
| Eight or more.
| crooked-v wrote:
| I have multiple financial accounts that still insist on using
| public-knowledge security questions (which of course I've given
| fake answers saved in my password manager) instead of just
| letting me set up proper 2FA. It's infuriating.
| matheusmoreira wrote:
| Yeah, my bank does that too. Asks for my birthday for
| "security" reasons. They also kill their website's usability
| by forbidding physical keyboards and forcing users to use a
| virtual keyboard with randomized key layouts in order to type
| passwords in a feeble attempt to defeat keyloggers. Some
| banks even make it extra annoying by generating ambiguous
| keys like "1 or 7" or "2 or 3".
|
| The saddest thing is banks _can't_ be too secure. If they
| were, then they would be too hard for normal people to use
| and they would get locked out of their funds.
| rapht wrote:
| Don't get me started on online bank security. Here in France,
| most banks have decided that security is best achieved by:
|
| - authenticating using a 'client number' (different from your
| 'account number', sent to you once by a physical mail you
| lost long ago) combined with a 4-to-6 digit (numeric-only)
| passcode that you have to input on a virtual keyboard
|
| - confirming web-initiated transactions via their app on your
| phone... but when it's app-initiated, well, you don't have to
| confirm anything other than just retype your passcode
|
| - in the end, introducing some awfully long delays between
| some actions e.g. creating a new beneficiary and being able
| to send money to her... because 'it's for your own protection
| that we degrade your client experience'
|
| This just bugs me.
| jliptzin wrote:
| Citibank is particularly egregious. 8 character MAXIMUM
| length, lots of special characters not permitted while
| requiring numbers and letters, forced password changing every
| few months, I absolutely hate it.
| ptk wrote:
| Are you speaking as an employee or a customer? I just
| checked my password db for a few Citibank accounts and all
| of them were far longer than 8 characters.
| jliptzin wrote:
| For my CitiBusiness account, not my personal accounts
| kibwen wrote:
| Treating security questions like passwords and saving them in
| your password manager is correct, but make sure that your
| fake answers aren't autogenerated nonsense like
| ":s^Twd.J;3hzg=Q~". Many password reset flows involve
| communicating a security question over the phone, and it's
| easy enough for an attacker to guess "oh, it's just a bunch
| of random characters lol" and for the phone rep to just laugh
| and shrug their shoulders and let the person in. Make sure
| it's a sentence that makes sense (I would even avoid non-sequitur
| passphrases such as those generated by diceware),
| while also making sure that it has no relationship whatsoever
| to the question.
| js2 wrote:
| openssl rand -hex 8 | sed 's/..../&-/g;s/-$//'
|
| Or if you like upper-case letters: openssl rand -hex 8 | sed 's/..../&-/g;s/-$//;y/abcdef/ABCDEF/'
| exolymph wrote:
| This would still parse as "random letters and numbers" to
| your typical support agent, no?
| js2 wrote:
| Maybe, but it's close to what I use. It's a limited
| character set and more or less looks like a credit-card
| which people are used to seeing.
|
| It's either that or pick a random dictionary word.
| time0ut wrote:
| My password generator can make pronounceable nonsense
| words. It has worked ok so far. Some of them are
| embarrassing though.
| fragmede wrote:
| My password generator (or just do it manually) can
| generate word passwords like correct-horse-battery-staple
| using real words, which is probably a bit easier to read
| over the phone.
| Symbiote wrote:
| grep --perl-regexp '^[a-z]{4,7}$' /usr/share/dict/words | shuf -n 5 | tr '\n' ' '
|
| Although maybe just 2 or 3 words would be best for
| avoiding a support agent skipping the question.
| bless clench moraine
| wruza wrote:
| Maybe ":s^Twd.J;3hzg=Q~ if I don't spell it, it's not me"?
| [deleted]
| bsid wrote:
| Yup. So many people mess this up, it's infuriating. U.S. banks
| are the worst.
| beermonster wrote:
| Even outside of the U.S.
| 63 wrote:
| Interestingly, one of the studies they cite finds that blocking
| common passwords is one of the most frustrating experiences for
| users. Even though it's more secure, the user has no idea
| what's wrong with their password or how to correct it.
| kylebyproxy wrote:
| I can't say how common this is, but many (most?) online
| accounts I personally interact with are disposable, represent
| no sensitive information, and I couldn't care less if they're
| compromised. They're one-time sign-ups, junk accounts, free
| trials, free tiers, etc.
|
| > one of the most frustrating experiences
|
| I understand this frustration as a mismatch between the
| user's non-expectation of security and the service's obedience
| to industry security best practices.
|
| Placing a cognitive burden of memorizing a new password just
| to try out your product strikes me as cruel.
|
| Maybe only enforce password rules as progressive enhancement
| once sensitive information comes into play? After all, what's
| the point of protecting junk?
| MomoXenosaga wrote:
| Yes every service considers itself critical. But users
| don't give a shit if some forum they signed up for 3 years
| ago gets hacked.
|
| For me I just see it as a sign of pretentiousness when you
| expect me to come up with a 20 character password. Luckily
| Firefox has a built in password generator now.
| zamadatix wrote:
| Passwords often protect things like random niche forum
| boards from grief more than they protect the user's
| sensitive information in such cases. 3rd party auth is a
| great solution but a lot of people don't want to tie their
| "real" accounts to the low tier sites. MFA is of even
| greater help for low tier sites' pains but if you can't get
| someone to use a decent password or link their identity how
| likely are you to set up 2FA for it? In the case of "free"
| services type signups they want you to onboard your
| information or link your identity and an account workflow
| is the easiest way to do that as it's a small percentage
| that will go through the trouble of burner or temp emails
| and fake info yet at least you have an easy way to rate
| limit such users from hijacking your "free" offerings.
|
| Also you're not supposed to be memorizing anything for
| logins. At the very least you should be letting your
| browser use the randomly generated password and save it to
| the browser password store if you're not using a full blown
| password manager.
| MomoXenosaga wrote:
| I believe in personal responsibility. If someone wants to use
| 1234 they should be allowed to.
|
| America is strange, any rando nutjob should have access to
| firearms but US corporations are terrified of being sued.
| michaelcampbell wrote:
| Bruce's point is so delightfully reiterated here and his on-site
| comments along the lines of, "I agree, but here's how _I_ do
| passwords... "
| Zamicol wrote:
| 1. Why don't passworded websites provide their own password
| generators? There's "secure" entropy generation available to
| JavaScript, e.g. `Crypto.getRandomValues(Uint8Array)`.
|
| 2. Shouldn't the only variable for password generation be
| entropy/information?
|
| Here's a 256 bit password:
|
| 1NH8O3C3GH33FNQHM3B7VFKIQ95EMD-QLPOFPPYJ54NCFXMOB3
|
| How could you know?
|
| An easy way is to take the character set and convert the input
| string to binary. Once you reach a specified information level
| (say 256 bits), then the password could be considered sufficient.
|
| https://convert.zamicol.com/?in=1NH8O3C3GH33FNQHM3B7VFKIQ95E...
|
| 3. Combined, I'd imagine a decent user experience.
|
| 4. I can't wait for public key authentication to kill passwords.
| wruza wrote:
| I believe this doesn't account for dictionary-based attacks.
| "qwerty secret 123456" may even have decent entropy in ascii
| space, but can be bruteforced in minutes because these words go
| first in the weighted list. (Not a security expert)
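Added example (not any commenter's code) working through the arithmetic in grantmwilson's passphrase estimate and Zamicol's character-set estimate above, together with wruza's caveat: it assumes the figures those comments quote (a 10000-word list, 6 words, 1.6e11 bcrypt hashes/s), uses the 7776-entry EFF large list as a second data point, and the cracker wordlist is constructed.

```python
"""Strength arithmetic from the thread, as an added example (not any
commenter's code): the passphrase crack-time estimate, the 'convert the
character set to bits' estimate, and why that estimate overstates a
password built from dictionary words. Figures are the ones quoted in the
comments (10000-word list, 6 words, 1.6e11 bcrypt hashes/s); the cracker
wordlist at the bottom is constructed."""
import math
from typing import List, Optional

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def passphrase_bits(words: int, list_size: int) -> float:
    """Entropy of `words` words drawn uniformly at random from a list."""
    return words * math.log2(list_size)


def charset_bits(password: str, alphabet: str) -> float:
    """Entropy if every character were drawn uniformly from `alphabet`.
    Exact for a generated random string; only an upper bound otherwise."""
    if any(c not in alphabet for c in password):
        raise ValueError("password uses characters outside the alphabet")
    return len(password) * math.log2(len(alphabet))


def words_needed(target_bits: float, list_size: int) -> int:
    """Fewest words from a list of `list_size` to reach `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


def average_guesses(bits: float) -> float:
    """Expected guesses for a uniformly random secret: half the key space."""
    return 2.0 ** bits / 2


def years_to_crack(bits: float, hashes_per_second: float) -> float:
    """Expected time for an attacker hashing at the given rate."""
    return average_guesses(bits) / hashes_per_second / SECONDS_PER_YEAR


# Constructed cracker wordlist, most common first (a weighted list).
CRACKER_WORDS: List[str] = ["qwerty", "secret", "123456", "password", "letmein"]


def combination_guesses(password: str, wordlist: List[str], sep: str = " ") -> Optional[int]:
    """Upper bound on guesses for a cracker that tries every combination of
    its top-R words for R = 1, 2, ...: it hits the password once R reaches
    the highest rank used, after at most R**n guesses. None if any piece is
    not in the list (the cracker is back to brute force)."""
    pieces = password.split(sep)
    ranks = []
    for piece in pieces:
        if piece not in wordlist:
            return None
        ranks.append(wordlist.index(piece) + 1)
    return max(ranks) ** len(pieces)


if __name__ == "__main__":
    bits = passphrase_bits(6, 10000)
    print(f"6 words x 10000: {bits:.1f} bits, ~{average_guesses(bits):.1e} guesses, "
          f"~{years_to_crack(bits, 1.6e11):,.0f} years at 1.6e11 bcrypt/s")
    print("words for 128 bits from the 7776-word EFF list:", words_needed(128, 7776))
    naive = charset_bits("correcthorsebatterystaple", "abcdefghijklmnopqrstuvwxyz")
    print(f"charset estimate {naive:.1f} bits vs 4 words x 10000 = "
          f"{passphrase_bits(4, 10000):.1f} bits")
    print("guesses for 'qwerty secret 123456':",
          combination_guesses("qwerty secret 123456", CRACKER_WORDS))
```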
___________________________________________________________________
(page generated 2021-11-16 23:00 UTC)