Of the many, many, many bad things about passwords, you know what the worst is? Password rules.
This is a companion discussion topic for the original entry at https://blog.codinghorror.com/password-rules-are-bullshit/
Oh, gosh yes.
My Secure Password
→ Sorry, no spaces allowed. (Why not?)
MySecurePassword
→ Sorry, passwords must include a number
MySecurePassword1
→ Sorry, passwords must include a special character
MySecurePassword 1
→ Sorry, no spaces allowed (Argh!)
MySecurePassword%1
→ Sorry, the % character is not allowed
MySecurePassword_1
→ Sorry, passwords must be shorter than 16 characters
Fuck
→ Sorry, passwords must be longer than 6 characters
Fuck_it
→ Sorry, passwords can’t contain bad language
Password_1
→ Accepted.
Type something in a language other than the keyboard language. You’d get a fairly random password as a result that potentially includes numbers, punctuation, etc.
Yes, password rules are bullshit, but frankly bad implementations are worse, because they train users to not even TRY to get funky with their passwords.
I’ve encountered more than one website that requires punctuation, but doesn’t allow for every punctuation mark in ASCII, let alone other languages.
I’ve encountered sites that let you set a 20 character password, but then their login system dies with errors when you try to use it.
These fails and many more have taught me to keep it nice and simple with passwords - don’t go over 10 characters, and don’t get any fancier than the rules require - that way you won’t get locked out!
No, that’s not a great thing, but given my utter failure at getting these companies to fix their shit in the past, I can’t spend my days learning what each system really allows.
You forgot the one when you use a password manager with a pseudo-random password, and the site actively blocks pasting. I hate passwords. On my sites and in my apps the only password rule is minimal length, nothing else. I ensure password fields support Unicode. Passwords with Unicode are the best for obvious reasons. Most sites and apps made by idiots forbid using Unicode in passwords, even if they allow Unicode everywhere else. BTW, “Fuck_it!” worked most of the times for me. Without “!” it would only have 7 characters, you know…
I think to make this world safer we should
After that, this world should be a lot safer.
And my personal pet peeve (mainly for sites that don’t hold anything I want to keep secret): tell people what the sign in rule is on the login screen.
That way I stand a chance of remembering what I used, rather than having to receive an email every time I visit.
Well said.
These rules are annoying and always give a bad experience; they could add attempt limits and other methods to keep the account safe. But adding only special chars or small and caps doesn’t prevent the account from getting compromised.
Oddly enough for a government bureaucracy, the US NIST is making progress on this topic.
Of course, their documents are written using wack jargon that only proves they don’t get out much. But they’re suggesting many things you suggest, Jeff.
They’re also suggesting an end to the foolish practice of requiring people to change passwords once in a while. That kind of policy has only one purpose: driving sales of Post-It Notes.
Password managers are EVIL. The one time I tried to use one, it got hacked. Don’t like being dependent on a third party service. Of course managing a unique strong password for every site is beyond human capabilities. I found my own solution: writing a password manager for myself. It’s less than 20 lines of code and never stores anything - it just does mathematical calculations on a list of words, then generates a unique 30+ chars password. Brute forcing such a password is next to impossible.
Of course nobody is going to hack you personally today (unless you’re some big shot). It’s the servers that get hacked - even the strongest of strongest pass could not save you if some service that stores your credit card info gets compromised. Some day passwords will become obsolete.
At what point should users be responsible for their own security?
If I tie my front door with a piece of string and my house gets robbed, the Police don’t say, “Well, it’s our fault for not forcing you to get a proper lock.”
It seems like a balancing act, just enough rules to stop them from being stupid, but not enough that you’re forcing them into a password they’re not comfortable with.
Perhaps we should make the jump from “Password Rules Are Bullshit” to “Passwords Are Bullshit”? Especially as, even with high-entropy passwords, their biggest point of weakness is the password reset flow:
So why not make that the default? If the user doesn’t have a session, send them a one-use password so they can log in. Keep the session around until they explicitly log out. Make it easy for them to view and end their current sessions across all their devices (perhaps even prompting them to give each session a name, so they can recognise it later)?
Password rules are bullshit, but some are in a whole other league of bullshitness. My two “favorites” are: 1) no spaces allowed in passwords; 2) ridiculously short maximum password length. I had a major bank’s website reject my perfectly good 16-character password because they require a maximum length of 8. Seriously?
Then there are those sites which force you to change your password and say “your new password can’t be one of your last four passwords”. They are just begging you to change your password five times in a row to circle back to the original out of spite.
It’s not so much password rules that are bullshit, as passwords in general. You can spend all the time in the world enforcing strong passwords, but they are still vulnerable to attacks such as sniffing, hijacking or phishing. “Good passwords” that are complex enough and aren’t reused end up in a password manager anyway. There’s no inherent reason this should be a key protected by hardware instead. (which isn’t really possible at the moment)
If you think password rules are stupid, American Express has username rules that force you to include a number in your username. Head-slapping nonsense.
I was renewing a UK passport recently, which involves filling in a web form with pretty much all the information needed to steal a whole identity. I needed to fill in a password to save this information (despite the fact that I didn’t particularly want to save it for later anyway). I had to have an 8-15 character password with various limitations on characters, and also I couldn’t paste into the password field. After about a dozen attempts at using randomly generated passwords I gave up and manually created one. A complete fail on the government’s behalf!
For all that the title claims “Rules are bullshit”, you mention and require a lot of them yourself in Discourse. Why even bother? Let the user enter whatever they want. Entropy or not. It’s their fault if they chose a weak password, or set the password to the same as their email.
That is seriously fucked up. I can’t imagine how the developers could think that this is a good idea or why that might even be required technically.
Yes, sure — there’s some logic there. But there are many instances where a compromised password will negatively impact your community in a big way; multiple compromised passwords can essentially transform your platform into a spam factory and scare everyone else off.
Not to mention that even if a compromised password is your own fault, you’re associating that compromise with the site. Instead of visiting the “regular old site” you’re visiting “that site where my password was compromised that one time and I had to go around changing all my passwords and I feel embarrassed about all those diet pill ads someone posted under my name”.
So sure, you can set a “fend for yourself” password requirement and simply require a single character or more — but at that point you also kind of have to accept that at any point your entire site can descend into chaos.
I recall being asked to provide technical advice on a project bid to implement password rules. The one that got me was the request by the client to disallow passwords which were similar to prior passwords. So you couldn’t change your password from “password1” to “password2” when the password aged out. Since we were following at least the bare minimum of good password management (salted hashed passwords), we pushed back on that request — how would we know how similar the password was to older ones?
I use a password manager that runs locally on my machines, with its database under my control, so I’m not reliant on a 3rd party. Of course, if I don’t back it up, or otherwise lose it, I’m still screwed.
I hate the “we won’t tell you what the password rules are until you break them” system. Alexander_Wright’s post really rings true to me, especially the “some special characters are more special than others”. If you are hashing your passwords anyway, what does it matter which special characters are used? Or length? Or any of these limitations blocking good passwords?
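A password policy of the kind several posters above ask for, and the reason the "no similar passwords" request from the bid story cannot be met with salted hashes, as an added example that is not code from this thread or from Discourse. The minimum length, the PBKDF2 work factor and the function names are assumptions; the only rule enforced is a minimum length counted in Unicode code points after NFKC normalization, and the history check can only ever test exact reuse.

```python
# Added example: minimum-length-only policy over Unicode, salted hashing,
# and an exact-reuse history check (the only one salted hashes permit).
import hashlib
import hmac
import os
import unicodedata

MIN_LENGTH = 8                # assumed policy value; the thread names no number
PBKDF2_ITERATIONS = 600_000   # assumed work factor for PBKDF2-HMAC-SHA256


def normalize(password):
    # NFKC so the same visible string typed on different keyboards compares equal
    # (e.g. "e" + combining acute accent becomes the single code point "é")
    return unicodedata.normalize("NFKC", password)


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh 16-byte salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(password).encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS, dklen=32)
    return salt, digest


def verify_password(password, salt, digest):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def check_new_password(password, history):
    """Return a rejection reason, or None if the password is acceptable.

    history is a list of (salt, digest) pairs from the user's earlier passwords.
    """
    pw = normalize(password)
    # len() counts code points, not UTF-8 bytes: "пароль" is 6 characters, not 12
    if len(pw) < MIN_LENGTH:
        return "password must be at least %d characters" % MIN_LENGTH
    # No other composition rule: spaces, %, _, emoji and non-Latin scripts are all
    # fine, because the hash function consumes arbitrary bytes.
    # The only history check a salted-hash store allows is exact reuse: each old
    # digest can be re-derived with its own salt, but nothing can tell whether
    # "password2" is "similar" to "password1" without the old plaintexts.
    if any(verify_password(pw, salt, digest) for salt, digest in history):
        return "password was used before"
    return None
```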