Skip to content

Top Best Ask Show New Jobs

Can the world please standardize passwords?

9 pointspcarroll11y ago12 comments

This is 2015 and I find it amazing that with all the standards bodies in the world, we have not all decided on a standardized pattern for what constitutes a password.

e.g.

- some sites require 8-12 characters. Why limit it to 12? - some sites require a number, a letter (upper and lower case), and some punctuation - some sites do not allow punctuation - some sites cannot handle upper/lower case

With the hundreds of passwords people have to remember, it is impossible to satisfy all the requirements. So that means it's impossible for many people to remember their passwords.

The worst possible violation of a secure password is to "write it down". This argument goes for password managers as well (which only work on the device that holds them). Same deal for having the browser remember your password. Not secure at all.

Banks and finance institutions are the worst offenders. They if anyone should be able to agree on what constitutes a password.

Passwords are with us for the long term. My mother is not going to use certificates to talk to her web banking.

And logging into Facebook is hardly a solution either. That's the last body that should be controlling authentication. Privacy? What's that?

So where are the global standards?

Ugh... Thanks for listening... Peter

12 comments

12 comments · 9 top-level

brudgers11y ago· 1 in thread

Most passwords don't matter. The example I always use is if someone guesses my HN password, so what? [1] HN is not my bank. It does not need serious security in regard to my use (not speaking for anyone else). Giving it a unique low quality password is fine. Facebook demands a bit more attention, gmail more beyond that, but neither requires life and death security either.

One reason for no single standard is there is no single level of risk. The other is that standardizing password formats makes cracking passwords more standard.

[1]: Though, I did change the trivial password I was using before first posting the example here on HN

aquark11y ago

If you have higher security accounts which have gmail as the contact email, then the gmail account should be treated the same.

Breaking into gmail gives access to many password recovery mechanisms.

But I agree for low priority sites: my password across many forum sites is the same and very low entropy. I really don't care to think more about it!

daviross11y ago· 1 in thread

"So that means it's impossible for many people to remember their passwords."

Good. Human-memorable is machine-crackable.

More seriously, there's work being done on this front, but specifically along the lines of eliminating passwords, because passwords are a terrible method of authentication.

See: FIDO Alliance https://fidoalliance.org/

Or my preferred item, the Yubikey: https://www.yubico.com/

In other words, a lot of your assumptions aren't necessarily correct (and there's competing interests. If I were writing a standard, I'd have all passwords be 20-characters minimum. However, that's not good for user experience)

nugget11y ago

Passwords are the worst form of authentication except for all the others.

brandon27211y ago· 1 in thread

You can create all the standards you want. Doesn't mean anyone will adhere to 'em. :)

Jeremy102611y ago

Required: https://xkcd.com/927/

cs-11y ago

NO, no no no, and No!

http://stackoverflow.com/questions/15753279/password-validat...

It's not a standard that can fix this problem, it's education, both between end users and developers.

One could devise a system that allows any password as long as the entropy threshold is satisfied.

The only limitation to passwords should be a minimum level of entropy (or at least length, to keep things simple) furthered by taking into account character sets, lists, etc...

Some people prefer only digits, other like sentences, while some are used to the systems currently in place at the moment with multiple custom rules.

Food for thought.

TheLoneWolfling11y ago

> This argument goes for password managers as well (which only work on the device that holds them).

My couple of password manager files encrypted and stored on Dropbox disagree with that one. (A couple of different ones because I like to segregate them by criticality. So I don't have to unlock the one with critical information most of the time. Reduces the attack surface.)

I can access them anywhere. Although I try not to access them on anything I don't have control over. For example: I memorize my dropbox password and my student login separately.

And it's a whole lot more secure to have a couple of long passphrases to unlock long generated passphrases for every site than to have a short password/passphrase for every site.

pcarrollOP11y ago

I buy all the future technology solutions, but only in the future.

For today we are stuck with passwords. Maybe my beef would be diffused if some lazy programmers would be more open to longer passwords and more non-alpha characters. e.g. let the user decide how long the passwords needs to be beyond some reasonable minimum. Then allow any character the user can stuff in. i.e. don't tell the user the password conatins invalid characters.

Again, the average user is like my mom. Not like the people on HN. And you can memorize non-dictionary passwords...

dairgram11y ago

Can such standard also include setting the default for echoing the password? Seeing that I have entered ### for a 5 character password is perfectly adequate. But for a 17 character password, echoing ######### does not give me useful feedback where I am or allow me to meaningfully edit mistakes.

Yeah, if I am projecting my screen in front of an audience of 300, I do not want my password echoed. But when I am using my mobile phone, getting feedback is far more useful than guarding against someone reading my screen.

hawkice11y ago

I just recently signed up for dropbox, and when I did, Chromium asked me if it was cool for them to auto-gen a password and put it in my browser keyring.

Whatever method they are using, I would imagine that'll be the new standard. My passwords are decently secure, but that's hard to beat in terms of both workflow and security.

rstuart413311y ago

> So where are the global standards?

Here: http://en.wikipedia.org/wiki/Password_strength#NIST_Special_...

That formulate provides the only meaningful measure of a passwords strength: its entropy. NIST 800-63 is a (very conservative) formula for calculating it. Rules like "at least one numeric" are poor rules of thumb for the same thing.

That raises the question of "how much entropy do I need". That depends on how well guarded the password is. A four digit pin has an entropy of around 12 bits. By web standards it's an absurdly weak password, yet it has stood attacks for years. That's because it's guarded by a piece of hardware that only lets you have 3 guesses.

There are banks that only let me have a 6 character password - without upper case or special characters, which you apparently think is bad. But the bank is assuming they control the use of that password in the same way the pin is controlled. If that assumption is right it's a perfectly reasonable think to do.

The assumption is almost certainly wrong, but it probably doesn't matter. There has been a gang knocking over Russian banks by infiltrating their IT (ie hacking their infrastructure). If they've done that they also have access to the customers password data. But then it probably doesn't matter as the bank is hosed anyway. http://www.wsj.com/articles/new-report-says-computer-crimina...

The average web site isn't as secure as a bank. It has to assume the password database will leak. If it leaks the attacker gets unlimited tries at guessing each password, and number of guesses per second is limited purely by how much hardware they can afford. For example, if the password is protected by SHA256 + salt, spending US$30K lets you make 1 guess every 3 pico seconds. If want a password that can withstand such at attack for a year (ie, take a year on average to brute force), you need a password with 40 bits of entropy. Such a password will be around 60 characters long. However, if the web site puts some thought into how they store the password they can reduce it considerably: http://pbkdf2.sourceforge.net/ Sadly almost none do.

Lets tie this up. We've seen that a 12 bit password (a pin) can work well, yet a 20 character password stored on a regular web site will last around 10 seconds once the password database storing the password as a salted SHA256 hash leaks. These are wildly different numbers are not going to be easily encapsulated by the single standard you desire, mainly because difference between these two examples was _not_ how user chose them. It is in the way they are protected. That is where you should be focusing your efforts.

Besides, forcing users to change their behaviour doesn't work - they are far smarter than your "weak password detection" algorithms, and none of us like to be manipulated.

j / k navigate · click thread line to collapse