Dumb Password Rules

Examples of dumb password rules.

There are some pretty bad disasters out there.

My worst experiences are with sites that have artificial complexity requirements that cause my personal password-generation systems to fail. Some of the systems on the list are even worse: when they fail they don’t tell you why, so you just have to guess until you get it right.

Posted on March 2, 2023 at 7:05 AM

Comments

Winter March 2, 2023 7:35 AM

when they fail they don’t tell you why, so you just have to guess until you get it right.

Worse, I have had cases where you are told nothing, you are in, but are unable to login again.

Tom March 2, 2023 7:38 AM

What would be a really good companion to this is a set of good password rules.

Not rules for people who are generating passwords. We all know to use correct horse battery stapler by now.

Rules for people writing password checkers. Because, on a quick look through, most of the “dumb” password rules come from people who are honestly trying to help their customers out and make them choose good passwords. They just don’t know how to do it. Have a laugh at them by all means, but could we try to educate them too?

I’m not prepared to put up a complexity metric or a set of rules – it would inevitably be laughed at.

Doug March 2, 2023 7:55 AM

‘…but could we try to educate them too?’

“Hello, we here at Big Money Company value your business but don’t give a crap if all of your assets are stolen because WE ARE NOT LIABLE FOR YOUR LOSSES HA HA HA HAAAAAAA. So, if you want to keep your stuff safe, create a complicated password (again, we don’t give a rat’s butt what you call ‘complicated’ so go for it). If you really don’t care about your information and money, let us suggest ‘password’ for your password…nobody will know . Have a great day.”

Clive Robinson March 2, 2023 8:05 AM

@ Bruce, ALL,

Re : You say potata…

“Some of the systems on the list are even worse: when they fail they don’t tell you why, so you just have to guess until you get it right.”

That is,

“Very obviously a security feature”

Thought up after a person realised it would make the coding cheaper and the rules could be changed when ever…

Sadly I’d like to think that it’s a joke, but…

As has been observed,

“Many a true word, spoken in jest”.

Uthor March 2, 2023 8:11 AM

@Winter,
I’ve definitely had ones that would accept my long random generated password, but when I go to log in, it tells me that my password can’t be longer than like 12 characters. Did it crop my password to 12 characters or create a random password by converting what I typed in? It never let me log in no matter what I tried and I had to tell it I “forgot” my password and reset.

Uthor March 2, 2023 8:18 AM

Looking at some of the examples, I am reminded by something that annoys me:
Random online store I will never use again and I will pay with PayPal so they don’t have my credit card info? Use whatever password you want!

Financial or medical site full of private information? Only 12 characters and limit which special characters are allowed!

Terrill March 2, 2023 8:26 AM

Please Add: programmers who think they can validate email addresses using an algorithm they created. [And worse, they didn’t apply the algorithm when you created the account [link sent to validate], but DO apply it when you’re logging-in later]

To Those Programmers: Yes, “My.Name+YourCompany@gmail[.]com” is a valid address. It allows me to know where the spammer bought/stole my email address, and more importantly, “why would PayPal be using my email address to Walmart to inform me of a problem?”

Side Note: In his 1st edition of “Mastering Regular Expressions” Jeffrey E.F. Friedl spent half of his book creating a regular expression that “validated” email addresses following all current standards. It came with a final caveat: it didn’t allow ALL possibilities!

John March 2, 2023 8:34 AM

My least favorite rule is the one that forces you to change your password frequently for no good reason. There is very little to gain by changing a good password that works, and the very process opens you up to all sorts of phishing attempts. We have all been conditioned to respond to prompts and emails asking us to update our password, when in reality those could be fake phishing prompts.

pd March 2, 2023 8:38 AM

Agree with @tom

That site appears to be nothing but a list of any site with password rules?

Surely it’s a good thing to try and encourage users to choose better passwords?

Probably the most useless, eventually proven counterproductive, password rule is the compulsory changing of passwords on a scheduled basis. Being a favourite of IT departments for applying internally to staff members, I guess that wouldn’t make such a site-focused list?

Regardless, probably the greatest systemic password policy failure in history is anything but site-specific: expecting users to nominate and remember a password at all.

This failure continues to this very day but at least was finally acknowledged and partially addressed by Mozilla when, decades too late, they stopped poking fun at individuals, like the linked list does, and actually integrated a password suggestion / generation function into Firefox.

Step one of providing users with the means to remember credentials has been built in to browsers for the longest time.

But to store what? Imagined passwords? Different for every site? Holding people hostage to this need when they’re just trying to get a sign up task done and get on with their day is ridiculous.

Step two was to provide access and synchronisation, to a user’s stored credentials, across multiple devices.

Step three: instead of neckbeard BOFH types clacking away in nanoseconds at some pwgen command line and laughing, abusing (flaming) anybody who doesn’t run Linux and use terminals to do the same, Firefox finally got right-click password suggestions.

Combined with using a master password to access Firefox, this makes a browser – not a separate app which is more cumbersome – a fairly reasonable, and practical – “password safe”.

Step four? Integrate password criteria into a standard that website authors can use to give the browser the criteria with which to generate passwords conforming to the site’s requirements. Thus, instead of the quite broken UX when a password is suggested/generated by Firefox, only for the site’s requirements to deem the password unacceptable and leave users to scratch their heads, the browser’s generator algorithm could be adjusted accordingly.

Are there reasons not to make this site-specific password criteria ‘hinting’ as simple as attribute(s) on an input[type=password]? Perhaps the existing pattern attribute could already provide this to the browser’s generator?

Step five: replicate this credential generation, storage and app password policy hinting in an OS-integrated API on mobile. Thus covering the myriad apps out there whose password UX is much more erratic and worse than the web.

Jonathan March 2, 2023 8:57 AM

I submitted the Nevada DMV to this list. I’m pretty sure they’re storing the password in a plaintext CHAR(8). (Exactly 8 chars and case insensitive)

Good news is it is so bad I finally switched over to using a password manager. It’s the only system I know that can deal with all the obnoxious rules.

Thorvold March 2, 2023 9:02 AM

The worst password rule I have seen was one that would not allow more than 3 consecutive characters from a given type.

So PassWord123 was OK, because it had only 3 consecutive lower case letters, but CorrectHorseBatteryStaple was not because it had more than 3 lower case letters in a row. It really seemed like the spec was encouraging a keyboard walk type password like 1qaz!QAZ2wsx@WSX. That broke almost all of the passphrases that I could think of, and they had disabled being able to cut/paste into that window.

willmore March 2, 2023 9:31 AM

@Winter, I experienced a variant of that. I purchased a car with a remote monitoring/start ability through a cellular connection in the car (came with a few months free trying to upsell). It took a few months to get it set up and working and that time involved lengthy waits to talk with someone with any clue what was going on with their infrastructure.

It let me subscribe with a gmail address with a + in it–which are handy for tracking abuse of your email info. Seems the front part of their web site worked just fine with it, but some part of the backend just puked when confronted with the + in the middle of the user part of the email address. Took them forever to figure it out. Their ‘fix’ was to have me remove it and create a new login for the whole system–which involved more time online to explain why I needed to re-register a VIN to a different account.

All that because someone made stupid assumptions about the format of an email address.

RhymesWithAr$eWord March 2, 2023 9:42 AM

Why are limits on max password length so common? Surely people should be salting and hashing passwords. I get that there’s a limit to string length for submitting them, but it could be long (128 characters at least). Similarly, salting and hashing should remove the need to have “banned characters”.

My preferred method of password policy would be a minimum length, and nothing else. I’d run each password (unsalted) through a hash function and compare it to a large list of breached password hashes. If I saw a collision I’d refuse to use it, explaining why (possibly with a checkbox labelled “I understand and accept the risks of using this weak password, and would like to use it anyway”). Otherwise I’d salt the password, rehash it, and store the result.

phanmo March 2, 2023 10:00 AM

My work is putting this into place, got the email yesterday.

Apart from enforced character rules, passwords will have to be changed every three months.

What fits the rules?

March-June2023
July-September2023

Rinse and repeat

Winter March 2, 2023 10:03 AM

@Rhymes

My preferred method of password policy would be a minimum length, and nothing else.

Then someone will dump the collected works from Project Gutenberg into your password API hoping for a buffer overflow somewhere.

You will have to apply an upper limit. But that can indeed be 128 or 256 characters. And passwords should be salted and hashed anyway, like you write, so 128 characters should not be a problem.
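The policy sketched in the two comments above (a minimum length and nothing else, a breach-list lookup on an unsalted hash, then a salted hash for storage, plus the upper bound from this reply), as an added Python example that is not the commenters’ own code. The breach list is constructed, the 12-character minimum and 128-byte cap are assumed values, and scrypt stands in for whatever slow hash a deployment uses.

```python
import hashlib
import secrets
from typing import Optional, Tuple

# Constructed breach list for the demo: a real deployment loads millions of
# SHA-1 digests (e.g. the Have I Been Pwned export) rather than three literals.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("password", "correcthorsebatterystaple", "qwertyuiop12")
}

MIN_LENGTH = 12    # assumed minimum: the only "complexity" rule in the proposal
MAX_BYTES = 128    # assumed upper bound; limits the hash input, not the user's choice
BREACH_MSG = "password appears in a known breach"


def policy_violation(password: str, breached=BREACHED_SHA1) -> Optional[str]:
    """Return None if the password is acceptable, otherwise a human-readable reason."""
    if len(password) < MIN_LENGTH:
        return f"password must be at least {MIN_LENGTH} characters"
    # Bound the byte length before any hashing so a pasted novel is rejected cheaply.
    if len(password.encode("utf-8")) > MAX_BYTES:
        return f"password must be at most {MAX_BYTES} bytes"
    # The unsalted digest exists only for this lookup and is never stored.
    if hashlib.sha1(password.encode("utf-8")).hexdigest() in breached:
        return BREACH_MSG
    return None


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, memory-hard hash (scrypt, 16 MiB) for storage; returns (salt, digest)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def register(password: str, accept_breached: bool = False) -> Tuple[bytes, bytes]:
    """Enforce the policy, then keep only salt + scrypt digest.

    accept_breached models the "I understand the risks" checkbox from the
    comment: it waives the breach-list refusal only, never the length limits."""
    reason = policy_violation(password)
    if reason is not None and not (reason == BREACH_MSG and accept_breached):
        raise ValueError(reason)
    return hash_password(password)


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    if len(password.encode("utf-8")) > MAX_BYTES:   # same bound at login time
        return False
    return secrets.compare_digest(hash_password(password, salt)[1], digest)
```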

Jordan March 2, 2023 10:19 AM

Can you believe in the past they had to remember their security keys in their heads? Oops, sorry! Wrong timeline.

modem phonemes March 2, 2023 10:27 AM

My hobby: type 111… and keep going, watching the strength meter extend to the right and turn green. Very strong password !

TimH March 2, 2023 10:34 AM

@Winter

You will have to apply an upper limit. But that can indeed be 128 or 256 characters. And passwords should be salted and hashed anyway, like you write, so 128 characters should not be a problem.

The longer the max PW (and the characters allowed) the longer the hash size to avoid dupes.

Bitlocker only allows 20 chars max (and that’s after changing the limit from 12 before setting it up, and from AES128 to 256). Wonder if the TLAs have reverse hash tables for up to 12 chars?

RhymesWithAr$eWord March 2, 2023 10:55 AM

@TimH
Unless they are really common, hash collisions shouldn’t be an issue, especially if you are salting with a user specific salt.

Imagine I had access from a breach to the list of usernames, salts, and hashes. Now suppose that due to a hash collision, I notice that your stored hash is identical to mine. That still doesn’t mean we share a password, as we have user specific salts (commonly achieved by incorporating the username in the salt). I am no nearer to knowing your password or being able to log on as you than I was at the start.

Canis familiaris March 2, 2023 11:38 AM

Not strictly password-related, but I have had problems with password entry pages that assume that I’ve enabled Javascript and don’t give any indication that they don’t work without it.

I routinely browse with Javascript disabled, and for sites that won’t provide the wanted functionality without it, will use uMatrix to keep an eye on what domains scripts are being requested from, enabling only those domains necessary for my needs. So I’m not happy with the Manifest V3 proposals being implemented.

Jon March 2, 2023 11:42 AM

I can give you one good reason for time-limited, expiring, passwords.

To clean out any possible cruft.

For example, during crunch time, Alice gives Bob her password. They trust each other, all goes well. Now, a couple years later, Bob, now being nefarious, tries Alice’s old password again – and lo, it still works. If it were time-limited, it wouldn’t.

“Never share your password with anyone, ever!” can often lose out to “If Bob can’t do this, we’re both getting fired tomorrow.”.

Another example: Alice knows six passwords. When Alice gets fired, IT finds and disables five of them. Oops. A few months later, Alice tries them all – and the sixth still works. Again, if time-limited, it wouldn’t.

This also requires that a timed-out password not merely say, “Too old, enter a new one now”, but forces one to validate themselves in another way to create a new password.

Anyhow, that’s one reason to change passwords over time. You may never know if they’ve leaked – but if they have, changing them makes the leak worthless.

All other caveats still apply – security being the opposite of usability ‘n all. J.

John March 2, 2023 11:56 AM

Another pet peeve is the password that expires and has to be replaced, which happens when I am on a vacation that exceeds the number of days allowed to reset the password, meaning I am locked out of everything when I return to work only to find that the only IT guy who can reset the password for me has just left on his vacation.

Uthor March 2, 2023 12:02 PM

@John – The problem is that you went on vacation instead of spend all of your time at work!

Jonathan Rosenne March 2, 2023 12:04 PM

@RhymesWithAr$eWord Git uses a hash to identify files. Have you ever heard of a collision in Git? While collisions are theoretically possible, given that a hash maps an infinite set to a limited size set, the probability is minuscule.

Winter March 2, 2023 12:20 PM

@TimH

Bitlocker only allows 20 chars max (and that’s after changing the limit from 12 before setting it up, and from AES128 to 256).

BitLocker is a Microsoft product. Should I elaborate?

A hash from source>>128bits to 128 bits is pretty safe. SHA256 would be better, but who uses passphrases that actually need it? SHA256 would already cover 35 random printable characters.

Victor Miller March 2, 2023 12:42 PM

Another pet peeve, which is not strictly about password rules, is the lack of uniformity in web sites as to where to change your password. There are some sites where I have to hunt around for a long time (it’s sort of like a scavenger hunt) to find it.

0xf486113fbb19cbaa March 2, 2023 12:56 PM

On chessgames.com the maximum length is 12, and they store the passwords in plaintext. When you forget your password, they kindly send it to you in e-mail.

Clive Robinson March 2, 2023 1:30 PM

@ Winter, ALL,

Re : Upper length limit.

“Then someone will dump the collected works from Project Gutenberg into your password API hoping for a buffer overflow somewhere.”

If properly written the code will accept even an infinite password length as it buffers it to the length of a hash and rolls it through the hash over and over.

Thus the RAM needed is for the input buffer, the hash input and feedback buffers and an output buffer. Say four times the length of the hash….

Max P March 2, 2023 1:37 PM

Please Add: programmers who think they can validate email addresses using an algorithm they created. [And worse, they didn’t apply the algorithm when you created the account [link sent to validate], but DO apply it when you’re logging-in later]

This happened to me from a huge nationwide 100 yr old brick and mortar store. I never tried shopping there again – either online or in person. If they couldn’t get that right, I had no confidence in anything else.

I’ve implemented password complexity rules at a few companies. Some places had security policies that specifically didn’t match the defaults from MSFT. Others did. When I was in charge, I setup requirements that the last 3 passwords couldn’t be over 80% the same, which meant
password303!
password304!
couldn’t be used.

OTOH, we stopped the madness of monthly forced password changes … and made them annual with a 7 day notice and encouraged people to change it on a Tuesday, so they have a week to use and memorize it. I also forced 15 characters, which you’d have thought I’d killed their spouse, kids, and pets all at once based on the complaints. The CEO was pissed … then I showed him the IMAPS login attempts for his specific email – over 10,000 daily. From that point on, he stopped complaining and actually provided support. We had SSO for all our different systems, so it wasn’t like we were asking people to have 15 different login credentials. They all used the same LDAP. The login name and email address were disconnected to add a little obfuscation.
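The “last 3 passwords can’t be over 80% the same” rule as an added Python example, not code from the commenter or from any vendor policy. Exact reuse is checked against the stored salted hashes, but the similarity comparison (difflib’s match ratio) can only run against the current password, because that is the only old password available in plaintext at change time; the 3 and 80% thresholds are taken from the comment, and the scrypt parameters are assumptions.

```python
import difflib
import hashlib
import secrets
from typing import List, Optional, Tuple

HISTORY_DEPTH = 3        # "the last 3 passwords" (from the comment)
MAX_SIMILARITY = 0.80    # "couldn't be over 80% the same" (from the comment)


def _scrypt(password: str, salt: bytes) -> bytes:
    # Assumed cost parameters; any slow salted hash works the same way here.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=2**14, r=8, p=1, dklen=32)


def similarity(a: str, b: str) -> float:
    """Ratio 2*M/T of matching characters (difflib), case-folded so that
    Password303! and password303! still count as the same."""
    return difflib.SequenceMatcher(None, a.lower(), b.lower()).ratio()


class Account:
    def __init__(self, password: str) -> None:
        self.history: List[Tuple[bytes, bytes]] = []   # (salt, digest), newest first
        self._store(password)

    def _store(self, password: str) -> None:
        salt = secrets.token_bytes(16)                 # fresh salt per entry
        self.history.insert(0, (salt, _scrypt(password, salt)))
        del self.history[HISTORY_DEPTH:]               # keep only the last N

    def verify(self, password: str) -> bool:
        salt, digest = self.history[0]
        return secrets.compare_digest(_scrypt(password, salt), digest)

    def change_password(self, current: str, new: str) -> Optional[str]:
        """Return None on success, otherwise the reason the change was refused."""
        if not self.verify(current):
            return "current password incorrect"
        # Exact reuse is checked against every stored hash; each entry has its
        # own salt, so the candidate is rehashed per entry.
        for salt, digest in self.history:
            if secrets.compare_digest(_scrypt(new, salt), digest):
                return f"password matches one of the last {HISTORY_DEPTH}"
        # Similarity needs plaintext on both sides, which exists only for the
        # current password (the user just typed it); older entries are hashes.
        if similarity(current, new) > MAX_SIMILARITY:
            pct = round(MAX_SIMILARITY * 100)
            return f"new password is more than {pct}% the same as the current one"
        self._store(new)
        return None
```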

Grima Squeakersen March 2, 2023 2:04 PM

@UThor – I have encountered the after-the-fact pw length limitation; fortunately in my experience the password was rejected, not truncated and accepted. A pet peeve of mine is when a subset of special characters is made illegal, solely because some lazy programmer designed a system where they cause problems. I use Bruce’s PasswordSafe to generate a complex password based on rules I set up. I will then typically alter a few characters in the generated password that are easily confused with each other, in the event that I need to type the password instead of using PasswordSafe to copy it to clipboard (alternatively I may just continue to ask it to generate passwords until I get one that doesn’t have that issue). Arbitrary reduction in the universe of characters available to form passwords doesn’t help any of that.

Jim March 2, 2023 2:08 PM

My favorite was a Datawatch site about 15 years or so ago that businesses used to manage their access control badges. They had an unspecified and unenforced restriction on certain characters in passwords. You could use them in your new password when changing it, but you couldn’t login with them.

Strictly speaking you could login, but you just got a blank screen. The reason is that the web pages you got when logged in had your unescaped password embedded in them. So if you ever included anything in your password that a browser might choke on, you were stuck.

Oh, and right next to your password was some SQL along with what looked to be a DB password. I guess if you are going to create a really bad website, you might as well go all in.

Devin March 2, 2023 2:46 PM

@Jon

It is certainly possible to imagine scenarios in which time-limited passwords would help.

However, in practical terms, what you’ve created is a situation in which, rather than the bad actors in your scenarios being able to enter an old password and get in, they would have to fiddle with the numbers at the end of the old password to get in. Not exactly ironclad security.

Now, if your threat landscape is such that nobody outside the company would care enough to fuck with your systems, that might be good enough: you could build in some tests, like making them change at least three characters, and putting in lockouts for people who mis-enter their password several times.

That would keep out someone who has another employee’s old password fairly effectively, but the cost is that it would encourage ALL of your employees to use simple, predictable passwords. That might be okay if the system is of absolutely zero interest to anyone outside your organization, but otherwise…

(The balance of good to bad faith also matters. If we assume that your employees are sharing passwords to deal with temporary odd situations* in good faith, like something urgent has come up and Alice is home sick and needs Bob to do something on her login, it might actually be better for her to have a strong, less-than-memorable password which Bob will type in and forget, rather than for her to have a rotating password like “schismatic27”, which might well stick in Good Faith Bob’s head well enough that he still remembers it three months later when his boss pisses him off enough that he transforms into Malicious Insider Bob and which is now the difficult-to-guess “schismatic28” instead.)

*That is, your systems are well-designed on the whole and password sharing is not needed to accomplish routine tasks. At my current workplace, my boss’s login and password are on the whiteboard because our systems are janky. And since that password has to change frequently, he can’t just write it down once and give it to each of us to keep in our wallet or something, because updating ten people who work different shifts on different days is a nightmare.

Mike March 2, 2023 3:55 PM

It should be noted that at least some of the example are not true (at least, not true today). For example, the current rules at American Express are:

Minimum of 8 characters
Maximum of 256 characters
Your password can be any combination of letters, numbers, or symbols
Accented characters (e.g. á, ñ, ö) are not supported
It may contain spaces
Password is case sensitive

Jo Morg March 2, 2023 5:25 PM

@Grima Squeakersen

PasswordSafe … characters in the generated password that are easily confused with each other

There’s an option you can set in the password policy to “Use only Easy-to-read characters (i.e., no ‘I’, ‘1’, etc.)”

Doug March 2, 2023 6:10 PM

My three worst are: (third) the ones that use a completely proprietary MFA system instead of TOTP…verizon is the perfect example – they assume that 1) you’re accessing the website from a mobile device, and 2) have their app installed (which does all sorts of undesirable things beyond just MFA). (runner up) the ones that prevent pasting in the field (not sure who thought that was a good idea). (very worst) the ones that truncate the password entered at setup, store the truncated one successfully, and log you in. But later, when you try to login again it accepts the full password entered but doesn’t match because of the length. Left hand meet right hand….meet design specs.

Gerry R March 2, 2023 6:28 PM

Related to passwords: 2 factor authentication. Plenty of (most) sites send 2FA codes in plaintext over unencrypted channels like instant messages. These frequently come up as notifications on iOS devices. A bad actor doesn’t have to sign into the device; they only have to physically possess (or shoulder surf) it to act as the rightful owner.

This pretty much cancels any benefits of the 2FA process

People aren’t going to turn off notification of the hundreds of IMs they get just to protect the odd 2FA code.

Fen Labalme March 2, 2023 6:44 PM

I like the password policies according to NIST SP 800-63b guidelines as follows:

All users will be required to have strong “memorized secret” passwords/passphrases that:

  • Are at least 16 characters in length (allowing up to 255 characters)
  • Do not match a dictionary of known breached passwords and other common phrases
  • Have sufficient complexity and entropy (make use of zxcvbn)
  • Cannot be changed until they have been in use at least 5 days
  • Do not match any of the previous 25 passwords used

Jonathan Wilson March 2, 2023 7:13 PM

It’s 2023, no-one should be storing any password other than as a properly salted hash. And no-one should have any maximum limit for the length of a password (or at least not the stupid 15/20 character limits that so many sites seem to have for no good reason)

ParityTheUnicorn March 2, 2023 7:47 PM

Keepass has a regex style password generator that lets you just input all of a site’s relevant rules, so that going forward, it can generate a compliant password on the first try. (you can store the pattern in the notes field for later)
It uses plain old alphanumeric as the default which seems to work most of the time.

lurker March 2, 2023 9:02 PM

Historical reference: MacOS-X for a number of years would accept any length, but silently truncate at 8 chars.

Clive Robinson March 2, 2023 11:02 PM

@ Jordan, ALL,

Re : Back before the Police State.

“Can you believe in the past they had to remember their security keys in their heads?”

Anything you do not store ONLY in your memory is not a secret any more in the US and quite a few other places…

We are told early on in ICTsec training the three basic authentication factor mantra of,

1, Something you know (memory)
2, Something you have (token)
3, Something you are (biometric)

Like all mantras it does not hold true for very long, as society especially moves.

I noted today[1] to @Matt Palmer that bio-metrics are a complete security fail as in reality they are part of a faux-market and will be beaten by someone who can think in short order. Or worse they already have been beaten before the biometric reader hit the faux-market. So the something you are bio-metrics should no longer be considered a valid security factor.

Worse in the US judges have said that forcibly using a suspect’s body part as forcibly as LE “think” necessary –effectively unlimited harm– is neither assault nor torture, thus not a breach of the victim’s human rights (a spurious “ticking time bomb” argument is behind this to make it “Exigent circumstances”[2]).

The same applies to the something you have tokens, that are not further protected by at the very least,

1, Something you know
2, In your memory alone
3, Valid in only a limited time frame.

Augmented by as a minimum technical measures for

4, Anti-guess protection
5, Active anti-tamper protection
6, Emergency erase button

If not all are present and working then the token should also be seen as a “security fail” and should not be considered a valid security factor.

Which leaves only the “something you know” of your memory left…

Which thankfully in the case of most humans is very short term and easily forgotten by the stress of compulsion/torture, thus has “reasonable deniability”.

However what the average person can remember is really very low entropy at best[3]. And as now frequently demonstrated by password cracking competitions, often entirely predictable enough for a simple “password guessing” attack augmented by a few prediction rules (such as “Word with two digits pre or post appended”).

It’s why over a decade and a half ago I looked at designing and making a token that used more than just a pass word/phrase “string” by adding geo-temporal components such that the string would only work in a given place at or up to a given future time. Such that the person being compelled/tortured by law has only to “hold-out” for a limited time of say 24 hours.

This was an extension to the “shared secrets held in multiple non cooperating jurisdictions” extension I gave @Nick P as an extension to his “computers in multiple non cooperating jurisdiction” idea in our discussions on this blog.

The reality people have to face these days is,

Physical object protections are at best of very limited use to secure information based objects.

And,

In by far the majority of cases the human mind is incapable of accurately memorising more than a six digit number

Which is why most humans have to use “reinforcement” methods that boil down to a form of “muscle memory” by physical action or “visual memory” association. Which in the former case is how we remember tunes, songs, and the latter poems / sayings / mantras, all of which suffer from high predictability and often being “public knowledge”…

Which is why we need to use different traits of human memory that work significantly better.

[1] Bio-metrics are a bad idea, simply because they have always been relatively easy to spoof, and thus they have become a time based “arms race” that an attacker that lacks ethics or morals will always win. Thus bio-metrics should never be used for either authentication or identification.

https://www.schneier.com/blog/archives/2023/03/fooling-a-voice-authentication-system-with-an-ai-generated-voice.html/#comment-418759

Remember that one of the failings of bio-metrics is that with them “identification” is always the first step of “authentication” after that spoofing it is done in the “measurement gap” or “test failure” or a mixture of both.

[2] Exigent circumstances : is in the US the “Might is Right” doctrine of thugs and Ne’er-do-wells, dressed up in false reasoning of the “Emergency aid” doctrine. Of what a supposedly “reasonable person” might think makes a Law Enforcement action a necessity due to mostly imagined –post circumstances– “time limitations”,

https://en.m.wikipedia.org/wiki/Exigent_circumstance

Remember a fist in the face, is no less harmful for being dressed with a “pink ribbon” tied around it.

[3] Evolution has favoured “loose pattern matching at high speed” over the ability to “precisely remember”. Because mistaking an unknown creature for a known predator has much less disadvantages than not. After all heading for and up a tree at high speed will take energy, but also get you into a safer place where you can then take more time to observe and learn, which having your belly ripped out, or your windpipe crushed generally does not.

Recovering IT Professional March 3, 2023 4:44 AM

A former employer outsourced their IT management. We, the on site team, got accounts on the remote system so we could file tickets and do basic stuff. The password I came up with had an apostrophe as its fourth character. Account creation happened with no complaints but when I went to log in, it said I had the wrong password. After several failed attempts, I tried just entering the first 4 characters. Ding! SQL injection vulnerability found.

The silent acceptance but later failure thing is scary.

John March 3, 2023 6:43 AM

This discussion highlights the need to move beyond passwords. When is this supposed “passwordless” future going to get here? Or, is it going to be like driverless cars and fusion, always ten years away?

Gert-Jan March 3, 2023 6:46 AM

Password for our tax office won’t be accepted if any individual character is used more than 2 times. This basically rules out pass phrases.

I see that more often: that rules are set up to avoid short and “easy” to guess passwords, at the expense of being able to set a strong password.

One other aspect: the username. From security perspective of the individual, the option to freely choose a username is far more secure than having to use your email address. When I can choose a username, I never use my email address and never use the same one. With that, I massively reduce the attack surface for hacking my accounts on different websites.

John Tillotson March 3, 2023 7:21 AM

@pd

“Being a favourite of IT departments for applying internally to staff members” is an undeserved slur against many IT departments. No-one LIKES implementing Stupid Password Practices™, they are required to do it by senior manglement either for security theater or to satisfy some auditor’s checklist.

C.Atkins March 3, 2023 8:42 AM

@ Gert-Jan,

Password for our tax office won’t be accepted if any individual character is used more than 2 times. This basically rules out pass phrases.

My bank says that, officially, I can’t use any part of my date of birth, card number, or address in my PIN. Luckily, they don’t enforce that, or else I’d have to set it to “6666”—6 being the only unused digit. I’m not sure whether they make a similar claim about passwords, which would leave me with about 8 ASCII letters to choose from (and all the punctuation except for space, comma, and period, so I guess I could still make a strong but non-memorable password).

Clive Robinson March 3, 2023 9:48 AM

@ John, ALL,

Re : Replacing Passwords.

“When is this supposed “passwordless” future going to get here?”

Not for some time yet.

To see why you have to examine the many aspects involved.

First off is “Computer Storage”…

Remember that to some services a million-user capacity is neither unexpected nor a high-water mark. Throw in four fake accounts for every real one, as appears to be the case with Twitter, which the creators cycle to avoid detection, and the service provider’s need to keep dead accounts alive for seven years for legal reasons, and you are looking at a 2^25 user space allowance. So how much space per user? Well, UserID, GroupID, Account name, User Name/Data, salt and password used to be a minimum, so say 12 bytes per field, double and a bit for Name and Data, and three or four four-byte date fields, giving 12 x 5 + 24 x 2 + 4 x 4 = 124 bytes… Call it ~8,000 users per megabyte; that gives a “password file” of 4 Gbyte.

Now with a big of 256 bits and 512-bit hash storage that adds approximately another hundred bytes per user, so 2^(25+7) + 4 Gbyte ~ 8 Gbyte.

Then you need a minimum of three, preferably five, active copies… 40 Gbyte is gone.

Now depending on what you replace the password with, that could appear tiny tiny in comparison…

For instance the “nine image grid” system, where the user has to enter a digit at four successive image grids, needs the user to have 16 or more “personal friend” photographs, of say 100×150 bits in colour, ~60 kbytes per image or just under a megabyte per user, so 2^(25+20) x 5 ~= 160 Tbyte…

Then, as annoying as passwords are, just about every system of the same approximate strength tried has proved even more annoying to users, in major part because of the “something you know” aspect.

The simple fact is the human mind is a bit of a failure at remembering with accuracy. To get sufficient entropy kind of condemns us to keyboard entry or the “something you have” tokens, which are very very expensive…

Using a “standard token” takes us down a whole different set of rabbit holes, as many countries that have tried National E-ID have painfully discovered (and that’s not yet counting that none in use are PQC capable yet).

So the answer as to “When?” is probably “not until our kids have retired, if ever”…

David March 3, 2023 11:09 AM

A major financial services firm, 2-3 years ago had the following password rules:

  • passwords must be 8 characters long.

NOTE: NOT at least 8 characters. Exactly 8 characters long.

  • letters and numbers ONLY — no special characters allowed

  • case insensitive — upper and lower case treated the same.

I learned this when setting up online access to my account.

That screamed to me that they were not serious about security.

I contacted them saying that I did not want my account to be accessible online and have since closed my account.
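As an added example (not code from any commenter or from the firms described), here is a small Python audit of the two policies quoted above: Gert-Jan’s “no character more than twice” rule and David’s “exactly 8, letters and digits, case-insensitive” rule. It counts exactly how many passwords a policy admits, measures what the repeat rule costs, and shows why that rule rejects a passphrase. The alphabet sizes and the sample phrase are constructed here, not taken from the thread.

```python
from collections import Counter
from math import comb, log2

# Constructed alphabet sizes used for the comparison below.
LETTERS_DIGITS = 36      # [a-z0-9], case folded: David's financial-firm rule
PRINTABLE_ASCII = 95     # space through '~'


def max_repeat_violations(password, max_uses=2):
    """Characters used more than max_uses times (the tax-office rule)."""
    return {c: n for c, n in Counter(password).items() if n > max_uses}


def count_bounded_repeat(length, alphabet, max_uses):
    """Exact number of strings of `length` over `alphabet` symbols in which no
    symbol occurs more than max_uses times.

    DP over symbols: placing a new symbol r times into a length-m string means
    choosing its r positions, C(m, r), and filling the remaining m-r positions
    with a string over the symbols already handled, f[m-r]."""
    f = [1] + [0] * length          # f[m]: strings of length m over symbols so far
    for _ in range(alphabet):
        g = [0] * (length + 1)
        for m in range(length + 1):
            g[m] = sum(f[m - r] * comb(m, r) for r in range(min(max_uses, m) + 1))
        f = g
    return f[length]


def policy_bits(length, alphabet, max_uses=None):
    """log2 of the number of passwords the policy admits: a ceiling on brute-force
    work for a uniformly chosen password (real passwords are far less uniform)."""
    if max_uses is None:
        return length * log2(alphabet)
    return log2(count_bounded_repeat(length, alphabet, max_uses))


def repeat_rule_loss(length, alphabet, max_uses=2):
    """Bits removed when the 'no character more than max_uses times' rule is
    added to an otherwise unconstrained policy of this length and alphabet."""
    return policy_bits(length, alphabet) - policy_bits(length, alphabet, max_uses)


if __name__ == "__main__":
    print(f"exactly 8, [a-z0-9], case-insensitive: {policy_bits(8, LETTERS_DIGITS):.1f} bits")
    print(f"exactly 8, 95 printable characters:     {policy_bits(8, PRINTABLE_ASCII):.1f} bits")
    for n in (12, 20, 30):
        print(f"{n} printable chars, <=2 uses per char: loses "
              f"{repeat_rule_loss(n, PRINTABLE_ASCII):.2f} bits")
    phrase = "correct horse battery staple"     # constructed sample passphrase
    print("tax-office rule rejects the phrase because of:", max_repeat_violations(phrase))
```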

Sumadelet March 3, 2023 1:14 PM

@Clive Robinson

Re: Human memory.

Human memory is generally very good at remembering some things, and the existence of people with hyperthymesia, like Marilu Henner demonstrates that some people are very good at remembering a great deal of information, not necessarily relevant to passwords and the suchlike.

Memory palaces are good, but require practice; and there are people who memorise long religious texts verbatim. Unfortunately, technologists have not worked out good processes for making use of human memory capabilities that are good, preferring instead to force us into processes that are simple for computers to validate.

Many are also good at remembering routes and places, and where we put things (which is how memory palaces work), although I do know people who would get lost inside a paper bag.

We also remember language, both to listen to, and to generate, and motor-skills get ingrained, like walking, riding a bicycle, or writing (you did mention ‘muscle memory’).

Essentially there is an impedance between what we as humans are good at and what computers can easily validate. We can’t change people that easily, so we should concentrate on changing computers.

Perhaps we should generate random nonsense poems for people to remember; or even songs – there’s a reason why memorable stuff is often written in verse, or performed to music.

Roland Wiggin March 3, 2023 2:38 PM

@pd
I don’t want Mozilla or Google storing my device info and linking all my devices together, so having them store my passwords in the cloud just so I don’t have to remember them is not useful. Also, it means that when I go to a new device, I first have to identify myself to it, and if I’m using someone else’s computer, now they have my info too. So no, having the browser store your passwords across devices is bad and insecure.

lurker March 3, 2023 3:37 PM

@Clive Robinson, All
re human memory

Some humans have excellent memory for specific details. Many more humans can be trained to have good memory, e.g. civil servants in China for the past two millennia have been expected to be able to quote, or reply to quotes from, the Four Books and Five Classics, which they learned by rote at school. This opus is comparable to the collected works of Shakespeare.

Whence we have the modern Shakespearian actor, or opera singer, or concert pianist, who carry the equivalent of thousands of passwords/phrases in their heads. What is the difference between the memory of these people and the man on the Clapham omnibus?

iAPX March 3, 2023 4:12 PM

Remember that on many websites your password is as weak as their email system and yours, including your email client, with no warranty of encryption whatsoever at any step…

And I know one website asking this for your password:
8 to 15 characters
Must contain Letters and Numbers
Special characters are not allowed
Not similar to your profile name

15 characters maximum gives you a hint…
The password is effectively stored in plaintext, and the “Lost password” send it back to your email address in cleartext.
In 2023!

Clive Robinson March 3, 2023 6:20 PM

@ Sumadelet, lurker, ALL,

Re: Human memory.

“Human memory is generally very good at remembering some things”

Yes, if they are image, location or time based (which is why I’ve looked at using them as extensions to “something you know”).

Basically because they are things evolution selected for long long ago, even though we generally don’t consider it something most of us are good at. Which is why people get very upset with people who can’t recognise faces, get to the right place, or do things at the right time.

Lesser used skills are learning tunes, songs, poems and the gist of stories. Usually done by repetition, thus they are like the “muscle memory” you need for playing instruments. But importantly you don’t have to be 100% accurate; the odd lar lar lar rarely does harm (unless it’s in “Hickory dickory dock” 😉)

However there is an average… Which means for every outstandingly good person, there are one or more who are, shall we say, embarrassingly bad, balancing it up.

It’s why bank cards only have a four digit pin, and they allow you to use your birthday or 1225 –or 2512 for our US friends– for Santa’s visit etc. Worrying is the statistic that says married men often use their wife’s birthday or their wedding anniversary… Not sure if it’s because they have remembered those dates or they are hoping repeated reminders will stop them forgetting…

The fact is that around 10% of people write their pin down in their diary/address book…

But… Any system for general use that is going to replace passwords/phrases really has to work with people in the bottom 5-20% or it just won’t be acceptable as a replacement…

So yes,

“Many more humans can be trained to have good memory, eg. civil servants in China for the past two millenia have been expected to be able to quote…”

People can do it, but they have to be either lucky or motivated. But also, do they learn a skill or a text? That is, if you gave them a new page of text to read, how well would they remember it after just one read through[1]?

And a well valued civil servant position is still highly sought after. Have a look at modern day India and their selection system and motivation.

I happen to know hundreds of jokes and I guess the words to hundreds of songs and can whistle maybe five times as many. But… I also write poetry and come up with silly/funny words for well known songs at the drop of a hat. The only motivation is I guess you could call them “party tricks” to make others smile, laugh, or even cry with mirth. Why? Because I believe in my gnarly little soul that happy people are less likely to act in anger or haste.

I could be wrong, but so far I’ve not been attacked by a happy person (yes hugged to the point of near asphyxiation but that’s different, the worst offender on that score was a female rugby player but that’s a story for another day[2] 😉

[1] Many years ago I purchased on a Sunday the latest Douglas Adams story the day before it was officially released and I read it all in a few hours. On the Monday evening I was with friends for a meal, the book was talked about on the news and they quoted a paragraph and I said page 132 third paragraph straight from memory. Needless to say I was doubted, so as I had the book in my bag I handed it over and told them to look as I recited it word for word from memory. Back then, prior to having my head karate kicked into a lamp post, I had a memory that could do that; now I’m lucky if I can remember what day of the month it is without working it out.

[2] And has more than a few saucy bits so probably comes in the NSFW category.

Felix March 3, 2023 6:56 PM

@Tom

To accurately evaluate the strength of a password you need to predict how hard it is to crack the password using state of the art methods against the stored hash of the password.

So if you devise a password strength estimator, the way to test it is to crack a random sample of real passwords and compare the predicted difficulty with the actual difficulty.

I think this is a good use case for machine learning, at least for the weaker end of the password spectrum where it is computationally feasible to produce cracking time training data.

ParityTheUnicorn March 3, 2023 8:08 PM

As for memorizing long passwords… I’ve found that the best practice, regardless of what the password is… It literally could be
6UJjnxY}*R3T’Xsmf7OGhxh&ZOD”:J9d.UK@vASs
, doesn’t matter… The only thing that matters is just to type it in frequently. 3 times a day for two weeks… You’ll have it in motor memory, even if it’s not in your head. You’ll just bang it out without thinking. Typing it accurately and ergonomically, on the other hand… 😛

Sumadelet March 4, 2023 7:16 AM

Clive Robinson said

But… Any system for general use that is going to replace passwords/phrases realy has to work with people in the bottom 5-20% or it just won’t be acceptable as a replacment…

This is forgotten so often, it is noticeable when it is remembered.

I know many people with reduced abilities compared to the population average: blind, and partially sighted, significantly/substantially reduced motor skills (some to the point they cannot talk), reduced cognitive skills. They are extraordinarily poorly served by technology intended for the general population. It’s almost as though developers and legislators don’t believe they will ever get old, or suffer impairments.

At the very least, public services should be accessible to everyone who needs to make use of them. For some, this will require special handling, but to simply ignore the existence of such people or treat them as an SEP is inexcusable.

Clive Robinson March 4, 2023 9:27 AM

@ Sumadelet,

Re : People with Special Needs.

“It’s almost as though developers and legislators don’t believe they will ever get old, or suffer impairments.”

Or have children etc etc.

I cannot say about US legislators, but the EU does have quite broad legislation for those who are off to the disadvantaged side of the mean. Including all ICT.

The problem is that developers don’t do the work… The reason more often than not is it is effectively “left out of the specification”. Which means in turn it gets left out of everything else.

I had an uncomfortable time as a “new-hire” to manage a test dept. One of the first things I asked for at a team meeting, as I could not see it, was the testing procedures as relating to the disability legislation… It got an uncomfortable silence in the meeting.

They all knew we should be doing it, and they all knew senior management had nixed it as being an unnecessary expense… Worse, they also knew senior management were not going to change just because of legislation or regulation[1].

Thankfully a new job I’d already been interviewed for elsewhere became available…

[1] There is the old question of,

“Q : What’s the difference between a businessman and a bureaucrat?”

“A : They both have a set of rules the bureaucrat is safe if they stay inside, the businessman only survives by being just outside the rules.”

Most businesses will stray outside the legislation and regulations if the agencies responsible do not police the regulations and legislation heavily enough that the Risk v. Reward balance is tipped well away from reward. You see this in US MSM headlines, that a business gets a few million dollars fine, on a business model that brought in billions in profit or earnings in that year alone. What the MSM often fail to say is not only are the fines tiny, they are one way or another going to get paid for or subsidized by tax allowances and the like.

Gert-Jan March 6, 2023 6:55 AM

The only thing that matters is just to type it in frequently. 3 times a day for two weeks… You’ll have it in motor memory, even if it’s not in your head

This is true and not true.

You typically learn the text (password) pretty quickly, simply by using it frequently. But how memory also works, is that over time, it is not stable. There will be this moment when you don’t know part of the password, or you think you know it, but the system says it’s incorrect.

And of course, this approach doesn’t scale.

So if you use this to remember the master password of your password manager, I’d say “go for it”, but make sure you have it written down somewhere as backup. Because the day will come that you don’t know the correct password anymore.

JonKnowsNothing March 6, 2023 10:38 AM

All

re: The only thing that matters is just to type it in frequently

Passwords and other information can be derived from your typing cadence.

My typing cadence contains a great number of backspaces, wrong keys, misspellings, corrections, editing, word reordering with lots and lots of backspace keys. I write more typo-code than first-time-compile-code. I’m very fast at typos.

ParityTheUnicorn March 6, 2023 2:26 PM

@Gert-Jan Yeah, this technique is not designed for long term password storage… Nor is any pure memorization technique, I think, although this one is probably even worse than others, such as memory palace. It’s more designed to show that even ridiculously unintuitive passwords can be practical, if you just use them often enough.

As for scaling… Yeah, I could only remember about 100 characters at a time, often divided into groups of 20. It helps a lot to associate a certain group of motions with a certain login prompt’s aesthetic… Like, when you see Facebook’s blue colour, it prompts the initial sequence of the facebook password, and once that gets going, the rest flows out.

It’s very true that you shouldn’t rely on this long term for anything, not even a master password really… But it makes strong passwords practical for daily use, and a bit less intimidating.

ParityTheUnicorn March 6, 2023 2:30 PM

@JonKnowsNothing Is that when someone is listening? Wasn’t there a thing a while back where you needed to be playing a tape of at least five different random recordings of keystrokes simultaneously to mask the sound of your typing? I guess with technical progress for the analysis, such as from machine learning, that may no longer work…

Peter Morch March 7, 2023 1:01 AM

The worst I’ve seen is where some sites have disabled pasting in the password field, forcing you to retype the password from the password manager. Why???

JonKnowsNothing March 7, 2023 1:01 AM

@Parity

re: collecting typing cadence methods

I don’t know for sure, however, there are potential ways to collect the information.

  • There are acoustic channels that can be tapped. Some other posters have had discussions about using headsets as microphones.
  • There are programs to track the rate of typing and the key presses. This is commonly used by businesses tracking things like Lines of Code Written, Number of Sales Calls Made.
  • There are ManInTheMiddle and ManOnTheSide attacks, where the stream is collected. It depends on how the input is being processed. If it’s Block Page Submit maybe the key press sequence isn’t as useful, but there are lots of connections where the key presses are transmitted as they are typed. Similar to collecting MouseEvents/MouseTracks.
  • There are more obscure options like reverse connecting into a Home I(di)OT system (aka RING type) and using the audio feature to collect the information.
  • There is likely something about the location of keys on the keyboard and the cadence of letters typed to indicate which letter it is. Takes longer to type Z than to type ASDFJKL;

JonKnowsNothing March 7, 2023 1:07 AM

@Peter Morch

re:Why block CutNPaste PW Field

One reason maybe to block someone from capturing the Paste Buffer or Cache Buffer and using that to impersonate you.

I’ve not tried it but I wonder if some of the AutoScript tools would type it for you? Gamers use these all the time to interact with the Game UI. I wouldn’t think a website could tell that an AutoScript was doing the input, letter by letter.

Clive Robinson March 7, 2023 4:37 AM

@ JonKnowsNothing, ALL,

Re: collecting typing cadence methods.

The one that most concerned me on Smart Devices was the “spell checker” which is attached to the touch screen input device effectively permanently in Android.

It was at one time fairly easy to “change” or “update” and getting it to work with an “Internet / on-line” dictionary not that hard. So as with all those search engines which also pull your typing cadence character by character across the network…

The lesson that crackers learnt long ago is,

“To get users to open up useful side channels to leak information do something the user finds helpful, thus your tap becomes their essential feature”.

supersaurus March 9, 2023 11:15 AM

favs:

after being forced to change password, system comes back with “not sufficiently different from the last one”. duh.

accepted a 30 char password, allowed login, but silently truncated to 20 char before they stored it. how do I know? because they allowed me to truncate one char at a time until they accepted the first 20.

password checker updated to a new system that would not accept “_” as part of the password although that char worked fine for years.

any password checker that refuses “special” chars like ‘%’, ‘#’, et al.

any password checker that accepts “stupid” as legitimate.

ParityTheUnicorn March 9, 2023 9:30 PM

@JonKnowsNothing, Clive Robinson,
I was trying to think of a scenario (not involving recording sound from a separate device) where it wouldn’t be easier to just log the keystrokes directly, if you could observe the keystroke cadence through software. I guess tapping the encrypted network stream (from an in between device such as a router) and measuring the timing (and thus cadence) of the individual transmitted packets (containing individual keystrokes), is the answer I was looking for.

Clive Robinson March 10, 2023 3:52 AM

@ ParityTheUnicorn,

“is the answer I was looking for”

That’s all right look on it as “all part of the service” thanks to our host @Bruce (buy him a drink if you ever meet).

Billy Jack March 15, 2023 11:19 PM

Terrill

When I signed up for an insurance policy a year ago, I gave the agent an e-mail address with a ‘+’ alias to make it easier for me to filter the incoming e-mail and put it into the correct folder. The agent’s systems had no issue with that at all.

Now, it seems like I cannot create and log into an account with the insurance company to check my insurance transactions because they do not appear to recognize the ‘+’ as valid. To sign in I have to use the e-mail address that I used when signing up, but I can’t use the e-mail address because of their crazy rule. And since I can’t log in to the site, I can’t change my e-mail address to something that they can handle.

I’ve tried contacting their telephone support, but they are completely useless. They also won’t pass me on to their data processing department to ask why they think that the ‘+’ is invalid.
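The ‘+’ alias problem described above comes down to an address validator that is stricter than the address format, or to sign-up and login using different validators. This added Python example (not the insurer’s code) shows a naive pattern of the kind that rejects “name+tag@domain” beside a dot-atom validator that accepts it, and makes sign-up and login share one rule and one canonical form; the example.com addresses are constructed.

```python
import re

# A naive local-part pattern of the kind that silently rejects '+' aliases.
# Constructed for illustration; it is not any real site's validator.
NAIVE = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Dot-atom local part as RFC 5322 allows (quoted local parts deliberately
# unsupported); the domain must have at least two labels of legal length.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
DOT_ATOM = re.compile(rf"^{ATEXT}+(?:\.{ATEXT}+)*@{LABEL}(?:\.{LABEL})+$")


def is_valid_naive(address):
    """The too-strict check: 'customer+insurance@example.com' fails here."""
    return NAIVE.fullmatch(address) is not None


def is_valid(address):
    """Accepts any dot-atom local part, including '+' tags; caps total length."""
    return len(address) <= 254 and DOT_ATOM.fullmatch(address) is not None


def normalise(address):
    """Canonical form for storage and comparison: the domain is case-insensitive,
    the local part is kept as given (only the receiving server may fold it)."""
    local, _, domain = address.rpartition("@")
    return f"{local}@{domain.lower()}"


def login_matches(stored, entered):
    """Sign-up and login must agree: same validator, same canonical form, so an
    alias accepted when the policy was sold still works at the login page."""
    if not (is_valid(stored) and is_valid(entered)):
        return False
    return normalise(stored) == normalise(entered)


if __name__ == "__main__":
    alias = "customer+insurance@example.com"    # constructed sample address
    print("naive validator accepts alias:", is_valid_naive(alias))   # False
    print("dot-atom validator accepts alias:", is_valid(alias))      # True
    print("login with same alias works:", login_matches(alias, "customer+insurance@Example.COM"))
```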

BERNARD WLODARSKI March 22, 2023 8:07 AM

i always assumed some logic exists which causes web site password designers to for example require these special characters but not some others . it could not possibly be arbitrary . i would find it interesting if these authors were questioned re/ their password requirements decisions .
