No password rules...please. (opens in new tab)

(riturajsatpute.com)

17 pointsritratt14y ago14 comments

14 comments

12 comments · 5 top-level

jasonkester14y ago· 3 in thread

Complex password requirements lead to post-its on monitors in cubicles with passwords written on them. That's a much worse result than a weak password for pretty much any system that relies on passwords to stop bad things from happening.

For regular websites, generating monitor post-its is inexcusable. Let your users choose the letter "a" as their password if they want, but warn them about the implications. The only acceptable password workflow for a website is this:

  - Choose a password
  - complexity check
    - if failed, "Seriously?  That seems like a bad password" popup.
      - "Yes, seriously.  I don't really care if this account gets hacked 
        enough to memorize a complex password."
  - done.

I'd go as far as having banks do it this way. Anything to avoid having access to a $20k wire transfer be as simple as sitting down at somebody's desk when they're gone for the day and reading a post-it saying "BofA - wAffles$2".

rdl14y ago

This is horrible advice given the threat model for either normal home users (at risk due to mass attacks/brute force, or MAYBE losing a wallet/unlocked phone/laptop with keys saved locally) or most corporate environments.

The solution in both cases is a move toward single sign on, using a password manager or a key or 2fa or federated login system (Kerberos, FB connect).

Enforcing minimum complexity requirements (and policies like no username as password, etc) protects the user and site. If a site has 10% of users with trivial passwords, even if it is just a commenting section on a blog, the site itself is at risk. Combine this with the propensity of users to globally reuse passwords, and everyone is kind of doomed. Passwords must die, but requiring a minimum level of passwords, and encouraging people to use passwords as safely as possible as an interim measure, is the only reasonable course of action.

gte910h14y ago

Then measure actual entropy. Don't make me make a password that fits some weird ass hard to remember standard you dug up. Let me use "This rabbit killed the horse in cold blood, then drank all the pies" as a password if I want, it has more entropy than C@tV0m!t does.

1 more reply

jrs23514y ago

One must think who the most likely person would be that would a) want access and b) try to break in... is it an anonymous hacker across the internet or a co-worker trying to sabotage? This is why "post-it noting passwords" is bad. Most computers/systems don't really have information that hackers want, other than to zombie a machine. This isn't to say we shouldn't worry about exposing our computers with quickly cracked passwords, we should protect all vectors into our systems but realize forcing strong need to "post-it note passwords" drastically increases the likelihood of an internal rat/mole.

jrs23514y ago· 3 in thread

Displaying password rules inform a hacker what rules to obey and follow, reducing the number of combinations they have to try. Rather than have rules, after a user creates/enters their password just let them know if it sucks or not, perhaps give some "stats" as to how long it would probably take to crack. Scare them into something stronger, but don't force them into "post-it noting their password".

Peaker14y ago

For home use, I'm not sure what's wrong with a post-it...

(Not talking about a bank password here).

jrs23514y ago

Touche. For/at home I might have a post-it with numerous crazy passwords but no identification as to what sites/systems they are for.

batista14y ago

Yes, so next time your cleaning lady can use it. Or your babysitter --or her boyfriend. Or any random burglar...

1 more reply

M4v3R14y ago· 1 in thread

44 bits of entropy from XKCD comic is assuming dictionary attacks. So even without number substitutions dictionary attack would take VERY long. Edit: JoeAltmaier beat me by 1 minute with this.

fexl14y ago

Right, the use of numbers is not necessary. For example, I could publicly advertise that my password for a particular site consisted of exactly six words chosen randomly from the word list at http://world.std.com/~reinhold/diceware.html .

People would be free to attack it at will, but it wouldn't do much good because that password contains approximately 78 bits of entropy. The attack would be slow enough offline (for example if they somehow possessed a bcrypt hash of my passphrase), but far slower online (if they had to send each guess across the internet one by one).

I could of course cleverly substitute some digits here and there, which would make my public declaration a lie. I suppose some "security through obscurity" can help, though I could have accomplished just as much if not more by simply using seven words instead of six.

rdl14y ago

This guy has no idea what a dictionary attack is, or entropy in various forms of password or pass phrase. Probably not a great source of security policy advice.

A pass phrase with 4 words chosen from a large alphabet, assuming the words are randomly selected, gets a lot of entropy really fast compared to similarly memorable numeric PIN (6-8 digits, tops). "leetspeak" passwords derived using common rules from rules aren't a lot better than just words themselves, and are hard to remember (I've had to brute force a bunch of variations on my own or for other people when keyboard layouts changed, or when exact punctuation was not remembered).

20000 words in vocabulary, take 4, is 1.6e17 combinations. Dictionary attack that?

JoeAltmaier14y ago

Dictionary attacks were How xkcd came up with the entropy for CorrectHorseBatteryStaple, I think. Also adding digits in a couple of places for vowels adds just a bit or so to entropy, a fairly weak (entirely predictable) way of improving passwords.

j / k navigate · click thread line to collapse

14 comments

12 comments · 5 top-level

jasonkester14y ago· 3 in thread

  - Choose a password
  - complexity check
    - if failed, "Seriously?  That seems like a bad password" popup.
      - "Yes, seriously.  I don't really care if this account gets hacked 
        enough to memorize a complex password."
  - done.

rdl14y ago

The solution in both cases is a move toward single sign on, using a password manager or a key or 2fa or federated login system (Kerberos, FB connect).

gte910h14y ago

1 more reply

jrs23514y ago

jrs23514y ago· 3 in thread

Peaker14y ago

For home use, I'm not sure what's wrong with a post-it...

(Not talking about a bank password here).

jrs23514y ago

Touche. For/at home I might have a post-it with numerous crazy passwords but no identification as to what sites/systems they are for.

batista14y ago

Yes, so next time your cleaning lady can use it. Or your babysitter --or her boyfriend. Or any random burglar...

1 more reply

M4v3R14y ago· 1 in thread

44 bits of entropy from XKCD comic is assuming dictionary attacks. So even without number substitutions dictionary attack would take VERY long. Edit: JoeAltmaier beat me by 1 minute with this.

fexl14y ago

rdl14y ago

This guy has no idea what a dictionary attack is, or entropy in various forms of password or pass phrase. Probably not a great source of security policy advice.

20000 words in vocabulary, take 4, is 1.6e17 combinations. Dictionary attack that?

JoeAltmaier14y ago

j / k navigate · click thread line to collapse