a companion discussion area for blog.codinghorror.com

Password Rules Are Bullshit


I’m curious what the consensus would be about systems that have certain password complexity rules because they allow you to login over the phone using a number pad and what the implications are of those types of complexity. Some banks, student loan providers, investment companies, etc. do not allow special characters of any kind because the password is used in automated logins over the phone. Your only options are letter, number, and sometimes a special character that is recognized by the * on the number pad. I’ve found that in the few systems that I have to login to that have these rules, they are usually accompanied by an abhorrent minimum password length, often times 8 characters, and often times a maximum of 15 or so.


I think that some refinement of https://CJSHayward.com/passwords/ might be useful.

Core concept: the computer undertakes to generate several passwords that are both entropy-laden and something humans will eventually learn. So have the computer generate acceptable passwords and offer them to the user.


The answer is to do away with passwords altogether. https://1block.io/


I don’t mean 5 seconds per user per login attempt, I mean 5 seconds, per user per password change attempt.


We already have that, in a way. When I sit in front of my Mac laptop, with my copy of chrome open, it knows (most) of my passwords. When I use my Android phone, with my copy of the chrome app open, it knows (most) of my passwords. When I sit in front of my Linux desktop machine, with my copy of chrome open, it knows (most) of my passwords. When I was using my work Windows box at my last job, with chrome open, it knew (most) of my passwords.

The ones that Chrome didn’t know, Keepass knows, but I can’t use it easily on my Android phone.


The first online system I ever used assigned me a password, and had no way to change it. It was a random sequence of 7 alphanumeric characters. Having no way to change it, I memorized it, and still use it on some systems today.


I used a system in college (lo, these many years ago) that assigned the word ‘none’ as everyone’s password. You were expected to rush off to change it before someone else did. One student I know changed his to ‘nun’. We used APL in one of our classes back then.
I have memorized a 29 digit number, but it is printed in a popular book, in case I ever forget it.


if the system uses 2-factor authentication I generally use a simple password like abcd1234 or something of the ilk that will just get me to the TFA especially for mobile apps.

And if it has draconian rules I just find one that works and put it as a sticky note because I don’t really give a damn anymore. :slight_smile:

Anything really important and sane systems allow it would have a multi word password like i voted trump because bernie wasn't running in lower-case. So it is easy for me to remember.


My passwords started out like this:

  1. 6-character gibberish password, that I used for everything.
  2. Then sites started requiring 8-characters, so I added two number at the end
  3. Then sites started requiring upper-case, lower-case, and special characters. Err. OK, added an ‘!’ for those. Start trying to remember which sites require which formats.
  4. Then certain sites require constantly changing your password. Can’t reuse last X passwords. WTF! System is falling apart…

Then I installed a Password Manager. PROBLEM SOLVED. I generate 18-character random sequences for every site. I have a master password that’s 20+ characters. I enabled two-pass authentication for the password manager. Good luck hacking the whole thing. Brute force would exceed the lifetime of the universe. And now I never worry about remembering another password again.

Anyone who’s rationalized away NOT using a password manager is doing something that’s exponentially more stupid, which includes writing all their passwords down in some random unsecured location/wallet/Word file/passwords.txt. Stop fooling yourself and get a password manager.


I use an unsynchronized keepass myself for anything important. The only backup is Time Machine attached to the drive. So the only problem I would have to deal with is a house fire :slight_smile:

However there are many unimportant sites I would go to like Riotgames or Battle.net and what not that I don’t care much about. Why waste the space and scrolling time.


I would say do away with user management and let it be federated by other sane password providers. Or at least relatively saner (i.e. Google with their YOLO (you only log in once feature) that gets really annoying that you have to say it again after 30 days.


Passwords don’t work for casual users, ie. users that are only going to use your site a limited number of times. Arguably they don’t work well for most users. Integrating with Open ID connect et.al., Google authenticator, Twilio’s Authy, or sending a simple random number in a text message are all easy solutions to implement.

With OpenCV it’s no longer very hard to develop face recognition that can determine a match/no-match against a single person’s face.

What I’m trying to say is that we must make login easier, not just safer.


As there are still websites that enforce a maximum (yes, you read this right: maximum) password length, along with other arbitrary rules, I dread the creation of every new account.

I’ld rather have no rules but a warning in case of a weak password; there’s enough patronising already. This is what I do when given the choice. When a user enters a weak password I put up a warning dialog: “Your password is (very) weak and prone to being guessed. Don’t blame us if your account gets hijacked. Do you want to proceed anyway or choose a stronger password instead?”


I fully agree with everything in OP except this

password equal to username … password equal to email address

which seems too lenient. Instead: equal or very similar password/username pair or password/email pair. E.g. rule out tomsmith and pwtomsmith or tomsmith@gmail.com and pwtomsmith@gmail.com . The one length rule itself would probably prevent many similar pw/username pairs, since people like short usernames. But many email similar passwords would be long enough to not be prevented unless a check for similarity is added.


Just as important is ensuring the user knows how not both to create or repeat the failing. So many sites I’ve been to that have unusual/limiting password rules and don’t tell you until you’ve already entered a good password (but not by the sites rules). And even worse, don’t tell you what’s wrong exactly when you fail it, especially when there is a lot of rules, and they just dump the entire list for you to read through and try to figure out where you failed.

However checking against a list of ~10k common passwords (and adding to that such items as their username and password, site url, etc, etc) is a great base filter, with the message “your password was found in our list of weak passwords” or similar.

Also, assume every user is new to the internet, as there will always be a portion who are. If password check is failed, provide a link to a reputable source on password security and how it matters. Don’t assume your users are educated already.

Fortunately, from the rumblings in the industry, this problem will hopefully begin to disappear, there is a big focus on replacing the password.


Your email password is already the weak point for any site that uses your email address for password recovery. This approach simply highlights the importance of having a secure email acount, it doesn’t weaken security.


Another solution would be to enforce an XKCD style password, by selecting it for the user and showing it to them once. Then, to log in, display a drop-down list of words rather than asking them to type their password.


But I can access a site via a proxy whose endpoint comes out in Iceland, or Australia, or Brazil, instead of a few hundred miles from the geographic center of the USA. And change the endpoint every time. Also, right now, my computer and my cell phone appear to be located several hundred miles apart by the only reliable way of determining their location (IP address, assuming I have all other geolocation turned off), even though they are only two feet apart, physically.

I do, however, have no problem with two-factor authentication. The only problem there is I have trouble convincing techies to use it, let alone customers who complain that they can’t use “password”.

So, yeah, a good password check (e.g. zxcvbn) is not a bad thing. Also, allow Google and Facebook and Twitter and whatever reliable large supplier of identity you can. And let them worry about it :slight_smile:


I have always thought ( or misread long time ago ) Unicode for password would create other security problems. Otherwise i think Emoji for Password would be so much better then English Letter with Numbers.

Chinese, Korean, Japanese, Latin or other Languages, I wonder how many site, especially one in CJK Region, actually support Unicode as Password.


Write mostly internal websites. I came up with a fantastic solution, at least for my needs. My apartment has a shared courtyard with 4 other apartments. To get into the courtyard, you need a big gate key. Then, you have your shirty apartment lock. When some one moves out, or loses their gate key, the landlord re keys the gate and we all get a new gate key.

So, in my systems, i have 2 passwords.

I pick one and the employee picks the other. I call mine the , “gate key”. The gate key is saved in a cookie the first time it is used and, the user can use the shittiest password they want internally. I think i require 5 chars. :slight_smile: when someone gets fired… new gatekey gets mailed out and all the users have to update. Easy peasy.

Anyway, that, combined with a 5 failures and your boss gets a, “do you want to unlock john Doe’s account?” Email, has been great for 10 years.