Your Password is Too Damn Short

The issue I have is that most sites don't deserve a long, complicated password. Email, banking, etc., of course. But when stupid blogs are asking me for A UNIQUE 12-character password, I simply won't use their site.

Developers seem to always think their site is deserving of crazy password security schemes, when most are not.

The problem still lies with the user, though, especially the people who do a lot of mobile computing. Longer, more complex passwords are more difficult and time-consuming to type into mobile keyboards, as you said in your article. Mandating a 12-character minimum, despite being great for security, is going to turn a lot of mobile users away.

It might be time for different forms of authentication to really take hold. Passwords were made in a time when the main way of inputting anything was your keyboard, but these days you can hardly find any computer without a touchscreen on it. Apple and Microsoft (and probably some other sites I’m forgetting) have made some advances: Touch ID for iPhones/iPods and Picture Password on Windows 8+. The latter is pretty pleasant to use on a mobile device with a so-so keyboard, although there might be some security concerns. It’s easier to remember, too, and at least Touch ID is a lot less vulnerable to brute-force attacks.

1 Like

Like many have said, there are multiple things that Jeff is bringing up: users using better passwords; sites/systems that need to store usernames and passwords doing a much better job at what they are doing (and, like many commenters have said, allowing much more complex passwords!! Seriously, what's the problem here??); not to mention allowing reuse of some general authentication like Google/Facebook/etc.

Personally I retain all my passwords in a KeePass database (which has a master password which is pretty darn long), and by far most of them are randomly generated using the max of whatever the site allows. Unfortunately, so many of the sites restrict password length, which is disappointing. Whatever the max is, I use it, and if it allows special chars, I use them as well. That said, almost everyone I know (a large percentage of whom are IT geeks) thinks I'm nuts doing this… I can't access my email/Facebook/anything unless the device/computer is set up, unless I specifically set the password to something temporary for me to remember. Sucks, but it's secure. There are shortcuts for the desktop, but not for mobile (or at least none that I've figured out yet). Eh… it has its pain points.

But yeah most people really just don’t care … and how to get that to change? Frankly, those people are generally not going to be reading this blog…

What do you think about 2-step verification? I use that on all my important accounts, when it’s supported.

1 Like

The problem with low-security passwords on forums and comment sites is password reuse. You are well above the curve simply by having different passwords for different accounts. But a lot of users simply use one or two passwords for everything. That’s why the best password is no password at all.

3 Likes

For throwaway accounts, especially ones where you don’t even care to use your name (or commonly-used user name), use www.fakena.me. It generates a random identity with a working email account that exists long enough to register + confirm an account, then disappears.

1 Like

On paper, it seems pretty OK to trust other software to manage your passwords, but you should always be very careful. Look at this open issue in Chrome:

https://code.google.com/p/chromium/issues/detail?id=138147

It’s been there for almost three years…

In my personal case, I use KeePass2 with the AutoType option (either through AutoKey, or AutoHotKey if you use Windows). That way I never type a password, I am sure they are encrypted, and I never have to generate a password myself.

And that’s the problem. There is no way to detect reuse. So if they start forcing complex passwords on blogs, the response will be to use the same single complex password they can remember everywhere.

“Stop requiring passwords altogether”, then say just use any of the other sites that require a password and can be hacked, might have weak passwords, etc.

A 1-factor authentication using my phone (which I have with me) so clicking “login” will send a text or a voice generated phrase I would need to type in as a one-time session password fixes all this, but few use it except for initial authentication. I could even use a “burner phone” separate from my main phone to avoid theft or loss.
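The "type in a one-time code from your phone" flow in the post above and the "2-step verification" mentioned earlier in the thread are usually implemented as TOTP (RFC 6238), the mechanism behind authenticator apps. The following is an added example, not code from the original post or from Discourse: it implements HOTP/TOTP from scratch and the server-side verifier a practitioner actually needs, with a clock-skew window, constant-time comparison and replay protection (a code accepted once is never accepted again). The shared secret is the RFC 6238 test-vector secret; the user name is a placeholder.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then reduce modulo 10^digits and zero-pad."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server side of 'type the code from your phone'.

    Keeps, per user, the shared secret and the highest time-step already
    accepted, so a code that was phished or shoulder-surfed cannot be replayed
    inside its 30-second validity window (RFC 6238 section 5.2)."""

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1):
        self.step, self.digits, self.window = step, digits, window
        self._secrets = {}        # user -> shared secret (store encrypted in a real system)
        self._last_counter = {}   # user -> last accepted time-step

    def enroll(self, user: str, secret: bytes) -> None:
        self._secrets[user] = secret
        self._last_counter[user] = -1

    def verify(self, user: str, code: str, unix_time: int) -> bool:
        secret = self._secrets.get(user)
        if secret is None or len(code) != self.digits or not code.isdigit():
            return False
        current = unix_time // self.step
        matched = None
        # Accept +/- `window` steps of clock skew. Check every candidate with a
        # constant-time compare and do not break early, so timing reveals nothing.
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if hmac.compare_digest(hotp(secret, candidate, self.digits), code):
                matched = candidate
        if matched is None or matched <= self._last_counter[user]:
            return False          # wrong code, or a replay of an already-used step
        self._last_counter[user] = matched
        return True


if __name__ == "__main__":
    # Shared secret from the RFC 6238 test vectors; a real enrolment uses a
    # random secret delivered to the phone as a QR code.
    demo_secret = b"12345678901234567890"
    v = TotpVerifier()
    v.enroll("alice", demo_secret)
    now = int(time.time())
    code = totp(demo_secret, now)
    print("code:", code, "accepted:", v.verify("alice", code, now))
    print("same code again accepted:", v.verify("alice", code, now))  # replay rejected
```

An SMS or voice code as described in the post is the same shape of check with a random code instead of an HMAC; the replay rule and the failed-attempt limit still apply, and SMS adds SIM-swap and interception risks that an authenticator app does not have.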

For a better cabalistic number which will last longer, I'd say 16. Think of the length needed at least 2 years from now, as you even implied later on:

On top of this, technology evolves not just following the self-fulfilling Moore's law, but also in almost unpredictable ways. What we can predict is that it's reliable to believe it will most likely improve more than linearly, and by 2019 it's much more likely it will take much less than 2 days to crack an 11-character password. Maybe even as little as a few hours. So, in less than 4 years, using 12 as the length will already be a "thing of the past". Why not simply prevent that by adding just a few characters to the recommendation sooner rather than later?

16 it is for myself. :slight_smile:

Also, I've missed two other recommendations in the article:

  • How about accounts you want to share with someone? Granted, all accounts should be personal and exclusive, but that's again not a real expectation from users. They share accounts, and now sharing a Google account password just to give access to a minor website might soon become an issue.

  • How about going on other devices? That’s simple enough, as some argued, using 2 factor authentication. But that’s quite an annoyance and not as simple as having a simple password you always remember to type in.

    Some accounts will always be low risk. So just use a regular weak password and fuck it, as many said already.

    I’d also argue there are some even lower risk that don’t even need a password to begin with. Just use gravatar and let anyone claim it’s you, since it won’t matter if anybody tries to impersonate you. Example? Making a service order to send in a repair item. Proof? I’ve actually done this in 2004 and the business still exists up to today. Customers make orders with a saved profile just by typing their Tax ID. It just works.

Not really a problem since that’s just not true thanks to the wrong qualifier there: never.

This is the default behaviour here right now, and it is pretty much just authentication in my book:

So true. But I find it so much easier to simply type my one good and strong Google password anywhere I go to access anything I need rather than making a medium 12-character secure password just so I can remember it when I want to go outside my devices. Not to say there aren't some use cases, as I've mentioned up there.

That triggered me to wander into this (probably stupid) question: does Discourse use #3 only if you do generate a password?

On a side, slightly funny, easter-eggy note… Recently I stumbled upon www.simple.com, an interesting banking concept which unfortunately is US only. It was the first time I've seen a business referencing the should-be-obligatory xkcd (also used in this article), using it as an example. I couldn't find a simple way to screenshot it since account creation is only through invitation, but here's a post from another person who noticed it. The funny thing is that they did accept correcthorsebatterystaple as my password (and until now I didn't even know they tried to block it)! Talk about insecure measures! :laughing:

I could have set something for me too, but I don't remember it. And I get the same behavior as Jeff:

It’s both. As you said yourself earlier, too many sites simply don’t work properly. You need hash rates first, trust and training later.

Here’s a wild thought. What if one or more of the major “key-ring” sites, such as Facebook, stopped letting users generate their own passwords? Just create a list of, say, twenty secure passwords and have you choose one. If you want to change it, then here’s another twenty to choose from (but you can’t ask for a refresh, because those twenty should be good enough for anyone).

Ideally, these suggestions would all be xkcd-style phrases, due to the advantages of those. And I sort of disagree that passphrases are annoying on mobile devices. For one thing, it's tricky to hunt around for the special characters on those tiny keyboards, but simply typing whole words is something we have frequent practice with, especially when we have to use words outside the phone's dictionary.

Which brings me to my second idea. If mobile operating systems and applications didn’t apply the wrong sorts of paranoia to password fields, then we could take advantage of the strides in mobile keyboards. Firstly, as many others have said, passwords may as well be unmasked under most circumstances. And furthermore, why not the option to “swype” your password (or whatever Android calls it now)? If your phone already has a large dictionary that includes the words “correct”, “horse”, etc, then what is lost security-wise in being able to spell out CorrectHorseBatteryStaple in four gestures, just like if I were texting the phrase to a friend?

1 Like

I would much rather see users have one master login on Facebook or Google with a long, unique password and behind two factor authentication – because lots of sites with mostly reused, simple 8 - 12 character passwords, all of them using weak hashes and just waiting to have their user database downloaded and hash cracked someday en masse is far, far more dangerous!

(There is really no difference between using Lastpass or whatever and Google as your single source of auth. If someone cracks your Lastpass password you are just as hosed.)

I also trust Facebook and Google a lot more than other random websites, even banking ones…

What about passwordless login?

Just do the forgot password process on login

http://passwordless.org

How about not letting the user choose a password, a password is never sent? That’s SQRL. Your password stays on your device, you authenticate on your device, and the password is signed by your personal key.

On storing these, which is perhaps a bigger problem, throw the problem into a different space. Make all passwords stored in UTF-32 format, four bytes per character, and make sure some of the salt is in some forgotten language's glyphs, as well as Japanese, Chinese, Indian etc. This gives every character the possibility of being one of more than 1 million glyphs that attackers would need to try for every character. Of course, you would do all of the same current scrypt things as well. This would make most password hashes impossible to crack, because the attacker would need to test UTF-8 encoding, ASCII encoding, as well as possibly UTF-16 in addition to UTF-32 to find the correct password set.

Oh my god. What did I do last night? Sorry. It was a huge pile of crap.

My workplace requires long passwords, so I've learned how to do it, and I do it 'by default' when opening a new account. This got me into trouble when opening a financial account a few months ago: a financial institution that will not be named wouldn't let me open an account because I kept trying to use a password that was 'too long'. So it's not always the user's fault.

This is some good information Jeff and highlights the bad practices that have become common everywhere. I’ve said it before, you don’t need a “strong” password, you only need a long password that you can remember. There’s also the practice of using “salt and pepper” when storing the passwords that I think should be standard. You have two unique strings being added onto the password before it’s hashed, one user specific and the other applied to every password. This means even if you spend a year and break one password you have to expend the same amount of effort for every other one.

Our job as programmers/software developers/architects is to hide the complexities behind all this from our users and simply tell them, for example, please use a password that is at least 12 characters long. I actually make the assumption from the start that the password will be leaked/stolen/phished at some point and put safeguards in place to detect when someone logs into an account that's not theirs. At that point 2-factor authentication kicks in to verify it is the actual user. All that being said, for some sites it's just not worth pushing any of this onto the user; just allow them to pick whatever they'd like as a password. If it's stored properly and the system rate limits and/or locks the account down and/or kicks in 2-factor after X number of failed attempts, then it's up to the end user to choose if they'd like a secure password or a weak one.

I used to fully support just bypassing all of this and just using google/facebook etc. as an option but I’ve realized that it actually trains the user to open up that account. I know some very technical people who used google to sign in a few places and they just looked quickly to see if it was a secure connection and forgot to check the domain. They fell victim to a targeted phishing attack that gave the attacker access to “the keys to the kingdom”.
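The "salt and pepper" storage scheme and the failed-attempt lockout described in the two posts above, put together as an added example (not code from the original posts or from Discourse). The per-user salt makes identical passwords hash differently, so a cracked hash buys nothing against the next one; the pepper is a secret the application holds outside the user table, so a dumped table alone cannot even be used to test guesses; and after a fixed number of failures the login stops accepting the password by itself. PBKDF2-HMAC-SHA256 is used because it is in the standard library; the iteration count is an assumption kept low for the demo, and scrypt or Argon2id are the better choice where available. User names and the pepper value are placeholders.

```python
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2-HMAC-SHA256 work factor. Kept modest so the example runs quickly;
# OWASP's current guidance for this construction is 600,000 iterations.
ITERATIONS = 100_000


def _prehash(pepper: bytes, password: str) -> bytes:
    """Mix in the pepper: a secret the application holds (environment, KMS,
    HSM) and never writes to the user table."""
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes, salt: Optional[bytes] = None) -> str:
    """Per-user random salt + pepper + slow hash, stored as one self-describing string."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", _prehash(pepper, password), salt, ITERATIONS, dklen=32)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def check_password(password: str, pepper: bytes, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", _prehash(pepper, password),
                             bytes.fromhex(salt_hex), int(iters), dklen=32)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


# Used only to burn the same amount of work for unknown user names, so response
# time does not reveal which accounts exist.
_DUMMY_RECORD = hash_password("", b"dummy-pepper")


class LoginService:
    MAX_FAILURES = 5   # after this many consecutive failures, demand a second factor

    def __init__(self, pepper: bytes):
        self._pepper = pepper
        self._records = {}    # username -> stored hash; this is what leaks in a DB dump
        self._failures = {}   # username -> consecutive failed attempts

    def register(self, user: str, password: str) -> None:
        self._records[user] = hash_password(password, self._pepper)
        self._failures[user] = 0

    def login(self, user: str, password: str) -> str:
        stored = self._records.get(user)
        if stored is None:
            check_password(password, self._pepper, _DUMMY_RECORD)
            return "bad_credentials"
        if self._failures[user] >= self.MAX_FAILURES:
            # Online guessing is over: the password alone no longer gets you in.
            return "second_factor_required"
        if check_password(password, self._pepper, stored):
            self._failures[user] = 0
            return "ok"
        self._failures[user] += 1
        return "bad_credentials"

    def dump_table(self) -> dict:
        """What an attacker obtains from a breach: salted hashes, no pepper."""
        return dict(self._records)


if __name__ == "__main__":
    svc = LoginService(pepper=b"placeholder-pepper-keep-out-of-the-db")
    svc.register("alice", "correct horse battery staple")
    svc.register("bob", "correct horse battery staple")
    table = svc.dump_table()
    print("same password, different hashes:", table["alice"] != table["bob"])
    print("login:", svc.login("alice", "correct horse battery staple"))
    print("stolen table, wrong pepper:",
          check_password("correct horse battery staple", b"guessed-pepper", table["bob"]))
```

Note the ordering in `login`: the lockout check runs before the password check, otherwise an attacker who has already hit the limit could keep testing guesses and learn from the difference in responses.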

If the password is stored on the browser or computer, then how will people access their account from other computers? I like Internet driver licenses like Google much better, like how you set up Discourse. Also, if users want to randomly generate passwords for themselves without going to another website, they can just slam the keyboard a few times. Obviously, that wouldn't be as secure as a real random generator, but it would work. b*(HU$*GRuewfjfhg7(*#G@rgB takes 8.47 hundred trillion trillion trillion centuries on Online Attack and 8.47 thousand trillion trillion centuries on Massive Cracking Array.

  • Also, just for fun, I put in “8.47 thousand trillion trillion centuries” which was 7.97 hundred trillion trillion trillion trillion trillion centuries on Online Attack and 7.97 thousand trillion trillion trillion trillion trillion centuries on Massive Cracking Array.
  • “7.97 thousand trillion trillion trillion trillion centuries” was 1.00 trillion trillion trillion trillion trillion trillion trillion trillion centuries on Online Attack and 10.02 trillion trillion trillion trillion trillion trillion trillion centuries on Massive Cracking Array.
  • “10.02 trillion trillion trillion trillion trillion trillion trillion centuries” was 86.89 billion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion centuries on Online Attack and 8.69 hundred billion trillion trillion trillion trillion trillion trillion trillion trillion trillion centuries on Massive Cracking Array.
  • “8.69 hundred billion trillion trillion trillion trillion trillion trillion trillion trillion trillion centuries” was 4.18 hundred billion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion centuries on Online Attack and 4.18 trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion centuries on Massive Cracking Array.
  • “4.18 trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion centuries” was 3.14 billion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion centuries on Online Attack and 31.42 billion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion centuries on Massive Cracking Array.
  • “31.42 billion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion centuries” hit the character limit.

Maybe the solution to passwords is to use arbitrarily long amounts of time?


I use spaces in my passwords because no one uses spaces in their passwords, meaning hackers don’t guess them. U6zruRWL is 70.56 centuries on Online Attack and 2.2 seconds on Massive Cracking Array, but " U6zruRWL " (two spaces added on both sides) is 1.74 hundred billion centuries on Online attack and 1.74 centuries on Massive Cracking Array. Compare that to DDU6zruRWLDD (two Ds added on both sides), which is 1.04 billion centuries on Online Attack and 1.04 centuries on Massive Cracking Array. If you can’t use spaces for some reason (I’ve heard of some sites not allowing spaces in passwords, but never actually encountered one), use non-letter characters. @@U6zruRWL@@ has the same result as " U6zruRWL ".

Practically, though, passphrases are much more secure than short randomized sequences. Personally, I use lines of code as my passwords. My passwords are Python variable assignments (with spaces) and take a hundred billion trillion trillion trillion centuries on Online Attack and a trillion trillion trillion centuries on Massive Cracking Array.

I looked into making a bookmarklet that does the per-site password generation thing (hash(masterPassword, salt, domainName)), but with bookmarklets it can’t be made secure, as far as I can see, as they execute in the web page environment.

A malicious page could just hook any function you call and steal both your master password and salt. Oops.

So you need at least a Greasemonkey script or a browser add-on to make that work. While some of these do exist, they could all do with better user experience.
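The per-site scheme described above, hash(masterPassword, salt, domainName), as an added example that is not code from the original post. The post's point stands: this must run outside the page (extension, native helper, password manager), never as a bookmarklet the page's scripts can hook. The derivation itself needs three things the one-line formula omits, all shown here: a per-user random salt so two people with the same master password do not get the same site passwords, a rotation counter so one site's password can be changed without touching the master, and deterministic mapping to a policy-satisfying string so the output is usable on sites with character-class rules. PBKDF2 stretches the master once, and a keyed HMAC expands per site. Host normalisation to the full host name, the alphabet, the iteration count and the salt values are assumptions.

```python
import hashlib
import hmac
import string

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
SYMBOLS = "!@#$%^&*-_=+"
ITERATIONS = 100_000   # assumed PBKDF2 work factor; raise for production use


def normalize_site(url_or_host: str) -> str:
    """Reduce 'https://user@Login.Example.com:443/path' to 'login.example.com'
    so the same site always yields the same password. Collapsing further to the
    registrable domain would need a public-suffix list; this keeps the full host."""
    host = url_or_host.split("://", 1)[-1].split("/", 1)[0].split("@")[-1]
    return host.split(":", 1)[0].lower().rstrip(".")


def _meets_policy(pw: str) -> bool:
    """Lower, upper, digit and symbol each present at least once."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw))


def derive_site_password(master: str, user_salt: bytes, site: str,
                         counter: int = 0, length: int = 16) -> str:
    """Deterministic per-site password.

    Extract: key = PBKDF2(master, user_salt), done once, slow on purpose.
    Expand:  HMAC(key, host | counter | attempt), cheap, one-way, so a leaked
             site password does not expose the key or other sites' passwords.
    The attempt counter is incremented deterministically until the policy holds,
    so every caller with the same inputs gets the same output."""
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), user_salt, ITERATIONS, dklen=32)
    info = f"{normalize_site(site)}|{counter}".encode("utf-8")
    attempt = 0
    while True:
        block = hmac.new(key, info + attempt.to_bytes(2, "big"), hashlib.sha256).digest()
        n = int.from_bytes(block, "big")   # 256 bits; 16 chars of a 74-symbol alphabet need ~99
        chars = []
        for _ in range(length):
            n, idx = divmod(n, len(ALPHABET))
            chars.append(ALPHABET[idx])
        pw = "".join(chars)
        if _meets_policy(pw):
            return pw
        attempt += 1


if __name__ == "__main__":
    # Placeholder master and salt; a real tool stores the salt in its config file.
    master, salt = "correct horse battery staple", b"\x01" * 16
    for site in ["https://example.com/login", "EXAMPLE.com", "example.org"]:
        print(f"{site:28} -> {derive_site_password(master, salt, site)}")
    print("rotated  ->", derive_site_password(master, salt, "example.com", counter=1))
```

Because the output is a pure function of its inputs, losing the config (the salt and per-site counters) means losing every password, and a site that later tightens its length or symbol rules forces a counter bump; those operational costs are why most people end up with a stored vault such as KeePass instead.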

Oh my… What happened here? :pensive:

I have a yahoo email account so old that its password is “0101”. I do not think it has been hacked ever… not that it would matter much though