a companion discussion area for blog.codinghorror.com

Password Rules Are Bullshit


#123

Except when you use the PM with an Android app that is full of holes, and the 2-factor authentication is therefore worth shit.


#124

Told them. Let's see how they will respond :slight_smile:


#125

The true fact is the website or application should not be relying on just a standard password entry to gain access to the system. A simple measure of only allowing 3 or 9 attempts to enter your password correctly, after which your account is disabled and the user is notified by email, will stop any brute force attack on simple or complex passwords by any supercomputer! Simple.

Otherwise, add 2-step verification to your accounts (like Google, Dropbox, etc.) and problem sorted!


#126

Two things:

  1. Almost everyone in this discussion is focused on the point where people have to enter their credentials (rate limiting, etc.), but what is more important is that if the file of passwords is stolen, the passwords have to be strong all on their own.
  2. People suggest using a big provider like Google or Facebook, because “they have it down already”. Great, but what if there is an attack against them that simply makes the service unavailable? Would you want your car to only work if some central agency was up? No. You want your car to be independent of everything else, to the greatest extent possible.

For these two reasons, credentials have to work like chip cards: you possess one, and it autonomously and securely prevents the info from being stolen. We need a system where the user carries around whatever credential(s) they need, no big provider exclusively runs it, and it can’t be broken even if you take it away and “torture” it, so to speak.

Physical distance used to protect our stuff. We need something equally simple, secure and workable now. Each person must be able to authenticate themselves, not through something they know (they could forget it or be unconscious, dead, etc.), not through something they have (it could be lost or stolen) and not through something they are (it can be spoofed). What is left? Where you are relative to where you were 5 seconds ago. How do we do this? That is what we need.

If someone has a better definition of “identity” than your world line, I would love to hear it!


#127

For #2, just have more than one. It’s easy to take down the one Google, but it will be harder to take down Google, Facebook, Twitter and LinkedIn at the same time. Of course, that depends on people registering more than one with their account; if not, then that portion will be affected, but not the whole.

Of course, for an enterprise system where things are really important (not like Discourse forums) you’d have your own provider.


#128

Right, you don’t need any password; your life is in your Facebook.


#129

It’s so refreshing to just be able to run openssl rand -base64 9 to generate my new shiny 12-character password for this site :slight_smile:

Here’s a crazy idea - why don’t we generate passwords for users and show them as part of account creation? If we’re using HTTPS, we can transmit the password securely; they just need to write it down.

What a concept - let the computer compute, let users type - each of them doing what they’re good at.


#130

This article:

Password rules are bullshit

Here are all the password rules you should make your users follow

LOL :slight_smile:


#131

“Password must not be a dictionary word.”

Thank you, Linux password validity checker, for declaring any string of characters longer than X to be a “dictionary word” despite the password selected not appearing anywhere on the system disk, consisting of multiple words, written in multiple languages, and with the added bonus of grammatical errors to boot.

Then there’s the issue of bullshit sites, such as one for laundry detergent, requiring an extremely strong password (with composition rules revealed after the initial attempt) in order to receive a coupon. A. Coupon.


#132

Biometrics are generally a bad idea: they are non-revocable and often non-concealable. A recent news story had a researcher analyzing high-res photos of girls flashing the victory (peace) sign and using that to build a fake fingerprint that could sufficiently fool a fingerprint scanner. You can’t get new fingerprints if your existing fingerprints are leaked online.
I can also see the residue from my fingerprint on my iPhone home button. I don’t know if it could be lifted and used to build a fake that could fool the sensor, but I understand and accept that the fingerprint reader is only maybe secure.

And after all that, what is the protocol that you use to connect the fingerprint scanner on my phone to this site? (Technically for me it’s Google Authenticator’s 2 factor and Google OpenID)


#133

Incorrect. One simple rule to explain to the users: length. The others you only complain about if the user actually chooses a password that is literally “aaaaaaaaa” or “0123456789”.


#134

As I understand things, a complex password is a requirement to avoid a brute force attack, right? I mean, if you don’t already know it, then you have to brute force it or just guess, right?

So, what if there is simply a more and more extended delay between failures? Like, maybe give them 3 chances, then make them wait 2 minutes, and then 3 minutes, and then 4, etc… You’d never have time to brute force it.

Does that make sense, or am I just a bit dim-witted?
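The throttling that #125 (disable after N failures and e-mail the owner) and #134 (3 free tries, then waits of 2, 3, 4 … minutes) describe, as one added example in Python. This is not Discourse's code or anything from the original post; the numbers 3 and 9 are taken from the thread as assumptions, the clock is faked so the simulation is instant, and `outbox` stands in for the notification e-mail. `guesses_possible` answers the question the two posts are really asking: how many online guesses does an attacker get in a day?

```python
import time
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0
    not_before: float = 0.0   # clock time before which attempts are refused outright
    locked: bool = False


class FakeClock:
    """Deterministic clock for the simulation (constructed for this example)."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class LoginThrottle:
    """Per-account failure tracking: a few free tries, then growing delays, then a hard lock.

    free_attempts=3 and lockout_after=9 are assumptions taken from the thread;
    lockout_after=None disables the hard lock so only the growing delay applies.
    """
    def __init__(self, clock=time.monotonic, free_attempts=3, lockout_after=9):
        self.clock = clock
        self.free_attempts = free_attempts
        self.lockout_after = lockout_after
        self.state = {}
        self.outbox = []          # stand-in for the "your account was disabled" e-mail

    def delay_for(self, failures):
        # failures below free_attempts cost nothing; from then on 2, 3, 4 ... minutes
        if failures < self.free_attempts:
            return 0.0
        return 60.0 * (failures - self.free_attempts + 2)

    def attempt(self, user, password, verify):
        st = self.state.setdefault(user, AccountState())
        now = self.clock()
        if st.locked:
            return "locked"
        if now < st.not_before:
            return "wait"                      # refused without even checking the password
        if verify(user, password):
            self.state[user] = AccountState()  # success clears the counters
            return "ok"
        st.failures += 1
        if self.lockout_after is not None and st.failures >= self.lockout_after:
            st.locked = True
            self.outbox.append(f"{user}: disabled after {st.failures} failed logins")
            return "locked"
        st.not_before = now + self.delay_for(st.failures)
        return "fail"


def guesses_possible(window_seconds, lockout_after=9):
    """How many wrong passwords can one attacker try against one account in the window?"""
    clock = FakeClock()
    throttle = LoginThrottle(clock, lockout_after=lockout_after)
    never_right = lambda user, pw: False
    while clock.t < window_seconds:
        result = throttle.attempt("victim", "guess", never_right)
        if result == "locked":
            break
        if result == "wait":
            # a patient attacker sleeps exactly until the account accepts input again
            clock.advance(throttle.state["victim"].not_before - clock.t)
    return throttle.state["victim"].failures


if __name__ == "__main__":
    day = 24 * 3600
    print("guesses/day with lockout after 9:", guesses_possible(day))
    print("guesses/day with growing delays only:", guesses_possible(day, lockout_after=None))
```

With the hard lock an attacker gets 9 guesses before the owner is e-mailed; with delays alone they still get only a few dozen per day. Note that both counters are per account: an attacker who tries one common password against many accounts never trips either, so this does nothing against offline cracking or password spraying.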


#135

My peeve is not only password rules, but that they tend to be presented piecemeal so we have to blackbox the rules. I recently came across this flow:

On password creation, this was the rule: “Passwords are case sensative [sic], must not contain symbols and must be at least 8 characters.”

Of course, I broke a hidden rule and got the real password rule: “Password must be 8-20 chars and include at least 3 of these options: uppercase, lowercase, numbers, or symbols.”

Password rules are annoying, but when they are incomplete or literally contradictory, ugh.


#136

Haha, I was just poking fun. I agree with everything about the conclusion you came to, and I do exactly the same thing on all my login forms. That said, the article IS indeed about which password rules you hate and which ones you like, namely: minimum length, reject common passwords, enforce entropy, reject special cases. The last 5 points literally read “#1 - password rules are bullshit. #2 - #5 - here are the password rules I enforce” - come on, you gotta see the bit of humor in that :slight_smile:
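The four rules #136 lists (minimum length, reject common passwords, enforce entropy, reject special cases such as the “aaaaaaaaa” and “0123456789” of #133), plus the server-side generation #129 proposes, as one added Python example. It is not the article's code and not Discourse's: the minimum length of 10, the distinct-character count as an entropy proxy, and the tiny `COMMON_PASSWORDS` set are assumptions (a real deployment loads a breached-password list from disk). `generate_password` is the `secrets`-module equivalent of `openssl rand -base64 9`.

```python
import base64
import secrets

MIN_LENGTH = 10   # assumption for this example; the only rule users must think about

# Constructed stand-in for a breached-password list, checked case-insensitively.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty", "qwertyuiop",
    "letmein", "iloveyou", "sunshine", "1234567890",
}


def is_sequential(pw):
    """True for runs like 0123456789, abcdefghij or 9876543210 (every step exactly +1 or -1)."""
    codes = [ord(c) for c in pw.lower()]
    steps = {b - a for a, b in zip(codes, codes[1:])}
    return steps in ({1}, {-1})


def check_password(pw, min_length=MIN_LENGTH, min_unique=5):
    """Return 'ok' or the reason for rejection. Everything after the length check
    only fires on degenerate input, so ordinary users never see those messages."""
    if len(pw) < min_length:
        return "too short"
    if pw.lower() in COMMON_PASSWORDS:
        return "common"
    if len(set(pw)) == 1:
        return "repeated character"
    if is_sequential(pw):
        return "sequential"
    if len(set(pw)) < min_unique:   # crude entropy proxy: too few distinct characters
        return "low entropy"
    return "ok"


def generate_password(nbytes=9):
    """Server-side generation: 9 random bytes carry 72 bits of entropy, and base64 of
    9 bytes needs no padding, so the result is exactly 12 characters."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


if __name__ == "__main__":
    for candidate in ["aaaaaaaaaa", "0123456789", "Password", "QwertyUIOP", generate_password()]:
        print(f"{candidate!r}: {check_password(candidate)}")
```

The order of the checks matters for the user experience: length is tested first because it is the one rule you can state up front, and a generated 12-character password sails through all of them.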


#137

Most people in the US cannot legally ping a phone, so you would most likely have to have some kind of app to work this out; which presents its own idiosyncrasies.


#138

Brute force can be offline: they steal the hashed passwords, then use a zillion-CPU special-purpose machine to try every password possible. You can’t rate-limit someone else’s hardware. The password has to be secure on its own. This is the whole problem with the internet: there is no ‘here’ or ‘there’, there is just ‘everywhere’, and essentially zero distance from here to there. No one in Romania can steal my car; it is 5000 miles away! Someone in another state is not going to steal my laptop. Why bother? There is one 100 feet away from them to steal.

We need to put the nouns back in: we need ‘where’ to be meaningful, and ‘who’ and ‘why’ and ‘when’ and ‘how often’. Those need to be inherent in the physical design, not able to be circumvented, just like how my car is safe from everyone except a neighborhood kid, because there is a… neighborhood. And a… car. And… physics!
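The offline attack #138 describes, as an added Python example (not code from the original post). The “stolen” rows, the five-word wordlist and the mangling rule are all constructed here; the 12-character value is the kind of string `openssl rand -base64 9` produces. The attacker side shows why an unsalted fast hash is so cheap to attack; the defender side is a salted, deliberately slow PBKDF2-HMAC-SHA256 (the 600,000-iteration cost is an assumed starting point, not a figure from the thread), and `years_to_exhaust` shows why the password still has to carry real entropy of its own.

```python
import hashlib
import hmac
import os


def sha256_hex(pw):
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed "stolen" credential store: unsalted SHA-256, as still found in old apps.
LEAKED_ROWS = [
    ("bob", sha256_hex("sunshine1")),
    ("carol", sha256_hex("T3G9iMDL8VYQ")),   # 12 chars as from `openssl rand -base64 9`
]

# Constructed mini wordlist plus one mangling rule (append a digit): the cheapest attack there is.
WORDLIST = ["password", "letmein", "sunshine", "dragon", "monkey"]


def candidates():
    for word in WORDLIST:
        yield word
        for digit in "0123456789":
            yield word + digit


def crack_unsalted(rows):
    """One hashing pass cracks every user at once: with no salt, each candidate's hash
    can be looked up against all rows, and no login endpoint is ever touched."""
    table = {sha256_hex(c): c for c in candidates()}
    return {user: table.get(digest) for user, digest in rows}


def slow_hash(pw, salt, iterations):
    """Defender's side: salted PBKDF2-HMAC-SHA256. The salt forces one full computation
    per user per guess; the iteration count sets the attacker's cost per guess."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)


def make_record(pw, iterations=600_000):
    salt = os.urandom(16)
    return (salt, iterations, slow_hash(pw, salt, iterations))


def verify(record, pw):
    salt, iterations, digest = record
    return hmac.compare_digest(slow_hash(pw, salt, iterations), digest)


def years_to_exhaust(entropy_bits, guesses_per_second):
    """Time to try every password of the given entropy at a fixed guess rate."""
    return 2 ** entropy_bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    print("cracked:", crack_unsalted(LEAKED_ROWS))
    fast, slow = 1e12, 1e12 / 600_000      # assumed rig: 10^12 SHA-256/s; PBKDF2 divides that
    print("72 bits, fast hash: %.0f years" % years_to_exhaust(72, fast))
    print("72 bits, PBKDF2:    %.2e years" % years_to_exhaust(72, slow))
```

Two things to take from the numbers: “sunshine1” falls to a five-word list in microseconds whatever the login page does, and even a 72-bit random password is only about 150 years of work at a trillion fast hashes per second, which is exactly why the stored form must be slow and salted as well.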


#139

Someone mentioned how they use the same password on a lot of sites. Let me give a short example of why that is bad:

Years and years ago, we got called in to fix a database where the original designer actually kept all the passwords in plain text. (We saw this all the time in the 90’s)

The owner of the company, while seeking quotes on getting it repaired, actually sent the entire database and website to a whole bunch of contractors in Ukraine, Pakistan, India, Vietnam, etc…

Not only did it have the passwords in plain text, it actually was integrating with clients’ mail servers and file servers. To do this, they had a form where you could keep your own machine’s admin credentials, etc… in plain text.

So, basically, this brilliant “CEO” sent the usernames and passwords of all his users and all his clients and all his clients’ employees to random people all over the world. (And was confused when we refused to work with him if he didn’t notify everyone of the security lapse. And our lawyers said we couldn’t even report it without getting sued!)

Anyway… no matter how complex your password is, it just takes one ignorant egomaniac to compromise it.


#140

The idea wasn’t the particular details, the point was to make it possible to do a physically enforceable sanity check on what happens. I cannot log in from Romania if I was in Texas 2 minutes ago. FAIL! For credentials, we store them in a device that can only be in one place at a time, like a smart card, can’t be copied, is useless if stolen, and which is able to protect itself. Some intelligent person can put the reality back in to this nightmare that we unwittingly and optimistically brought upon ourselves and everyone else.
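The “physically enforceable sanity check” of #126 and #140 (you cannot log in from Romania if you were in Texas two minutes ago) is what detection teams call an impossible-travel check. Here it is as an added Python example, not code from the original posts: the four login events and their coordinates are constructed, the 1000 km/h ceiling is an assumed airliner-speed threshold, and a real system would geolocate the source IP rather than receive coordinates directly.

```python
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # assumption: roughly airliner speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = p2 - p1
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


# Constructed login events: (user, UTC timestamp, latitude, longitude, label)
EVENTS = [
    ("alice", "2017-03-10T14:00:00Z", 30.27, -97.74, "Austin, TX"),
    ("alice", "2017-03-10T14:02:00Z", 44.43, 26.10, "Bucharest"),
    ("bob",   "2017-03-10T09:00:00Z", 40.71, -74.01, "New York"),
    ("bob",   "2017-03-10T17:30:00Z", 51.51, -0.13,  "London"),
]


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Compare each login with the same user's previous one; flag pairs whose implied
    speed exceeds max_kmh. Returns (user, from, to, km, km/h) tuples."""
    last = {}
    alerts = []
    for user, ts, lat, lon, label in sorted(events, key=lambda e: (e[0], e[1])):
        t = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if user in last:
            pt, plat, plon, plabel = last[user]
            km = haversine_km(plat, plon, lat, lon)
            hours = (t - pt).total_seconds() / 3600
            speed = km / hours if hours > 0 else math.inf   # same-second logins far apart: flag
            if speed > max_kmh:
                alerts.append((user, plabel, label, round(km), round(speed)))
        last[user] = (t, lat, lon, label)
    return alerts


if __name__ == "__main__":
    for user, frm, to, km, kmh in impossible_travel(EVENTS):
        print(f"{user}: {frm} -> {to}, {km} km at {kmh} km/h")
```

Alice's Austin-to-Bucharest pair implies hundreds of thousands of km/h and is flagged; Bob's New York-to-London pair at roughly 650 km/h is an ordinary flight and passes. In practice this is a signal to step up authentication or alert, not a hard block: VPN exits, mobile carriers and stale geolocation data all produce false positives.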


#141

That’s pretty smart.


#142

Just remember, all the tried and true solutions were, at one time, roll-your-own approaches.

I’ve always felt that discussions like this are where they originate - or at least gain acceptance & tweaks.