back to article 'Password rules are bullsh*t!' Stackoverflow Jeff's rage overflows

Jeff Atwood, founder of the popular coding site Stack Overflow, has published an extended and entertaining rant about the lamentable state of password policy among developers. The post, subtly titled "Password rules are bullshit," points out that the current format for password rules, such as including a certain mix of …

Page:

  1. alain williams Silver badge

    Sometimes I can't use a long password

    There are some systems that: impose a maximum length on passwords, fold upper to lower case, complain if I use anything other than alpha numerics, ...

    Let's start complaining about the systems that prevent the use of good passwords.

    1. Christoph Silver badge

      Re: Sometimes I can't use a long password

      And there are systems that disallow Paste on the password field, so I have to carefully type in the long complex password that my password manager generated, and then again for the confirmation. Which of course means that if it's not a critical security risk site, I'll shorten that generated password to make it less of a bother.

      1. Ben Tasker Silver badge

        Re: Sometimes I can't use a long password

        For those fields, I tend to just hit F12 to open developer tools and edit the form element to include value="[long password here]" and then do the same on the confirmation box.

        I've not found many sites that prevent paste on the password box you use to login, but for the few I do know about, I've written a little greasemonkey script that gives me paste back.

        That's all assuming a site is worth the effort of actually doing any of the above, sometimes I'll just go elsewhere

        1. This post has been deleted by its author

        2. Mage Silver badge

          Re: Sometimes I can't use a long password

          Not all passwords are for websites!

        3. e^iπ+1=0

          Re: Sometimes I can't use a long password

          Disabling JavaScript sometimes does the trick for me, e.g. with NoScript.

      2. joed

        Re: Sometimes I can't use a long password

        Funny enough, while right-click>Paste is blocked on one of such sites, the good ole Ctrl-C just works. Give it a try.

        1. death&taxes

          Re: Sometimes I can't use a long password

          Perhaps you mean Ctrl-V?

        2. dbtx Bronze badge

          Re: Sometimes I can't use a long password

          Sometimes it does, sometimes devs go to great lengths to keep your keyboard from working right. For example Google (groups? forget) likes to catch "/" with JavaScrape and move your cursor to a search text box, so you can't use it there to trigger FF's quick plaintext search like you've been doing forever, so you have to hit Ctrl+F, which was ...insulting. Anyway, ITYM Ctrl+V? On the side, drag-select = copy and middle click = paste, in the other clipboard. Give *nix a try.

          "Drunk piano player... you can't hit nothin. In fact, you're probly seein double."

          "I have two guns, one for each of ya."

          1. dbtx Bronze badge
            FAIL

            probably nobody cares but

            put H&R Block on your 'naughty' list.

            They do list all the varied symbolic crap you must include

            They do NOT allow Ctrl+V pasting

            They do NOT allow middle-click pasting

            They do allow drag&drop from another program where I pasted the thing HAH TAKE THAT

            They do have a glorious 15-character limit which pisses in my chili because

            alias mkpass='pwgen -cnysB 16 1'

        3. Anonymous Coward
          Anonymous Coward

          Re: Sometimes I can't use a long password

          "Funny enough, while right-click>Paste is blocked on one of such sites, the good ole Ctrl-C just works."

          On the Mac it seems to be the reverse; Cmd+v is often blocked but right click>paste has always worked for me.

        4. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      Re: Sometimes I can't use a long password

      UBS have this on their iPhone app - you can't use punctuation etc. On the upside, their website requires a dongle to use.

      AC cos I don't want people linking my bank to my username - probably paranoid!

    3. NonSSL-Login
      Holmes

      Re: Sometimes I can't use a long password

      This is my biggest annoyance. Restricted password length and not dealing with certain characters such as speech marks, semi-colons etc. It is hit and miss if the system will allow spaces in the password too.

      While far from the perfect solution, allowing people to write sentences or phrases with spaces gives a lot more protection. We will still see "this is my password1" as the most common password there but you can't cure stupid.

      There is still the issue that most people once they remembered a suitably long complex password will re-use that password everywhere, so it only takes one site to be compromised that has poor storing of passwords...

      1. Wensleydale Cheese Silver badge
        Unhappy

        Re: Sometimes I can't use a long password

        "Restricted password length and not dealing with certain characters such as speech marks, semi-colons etc. It is hit and miss if the system will allow spaces in the password too."

        This. I recently came across a suggestion that colons crept onto lists of disallowed characters because it's used as a separator in the *nix passwd file, but that smacks of lazy programming.

        Cargo cult programming

        Cargo cult programming is a style of computer programming characterized by the ritual inclusion of code or program structures that serve no real purpose. Cargo cult programming is typically symptomatic of a programmer not understanding either a bug they were attempting to solve or the apparent solution (compare shotgun debugging, deep magic).

        The term cargo cult programmer may apply when an unskilled or novice computer programmer (or one inexperienced with the problem at hand) copies some program code from one place to another with little or no understanding of how it works or whether it is required in its new position.

        1. Frumious Bandersnatch Silver badge

          Re: Sometimes I can't use a long password

          Unix password files have never stored passwords in the plain, so saying that : is disallowed because it might appear there is rubbish.

        2. Yet Another Anonymous coward Silver badge

          Re: Sometimes I can't use a long password

          >used as a separator in the *nix passwd file

          If they are storing your password unhashed in /etc/passwd you have bigger problems

      2. Anonymous Coward
        Anonymous Coward

        Re: Sometimes I can't use a long password

        This is my biggest annoyance. Restricted password length and not dealing with certain characters such as speech marks, semi-colons etc. It is hit and miss if the system will allow spaces in the password too.

        However, knowing which characters are not allowed can help you decide if the site is vunerable to SQL injection attacks.

    4. Eddy Ito Silver badge

      Re: Sometimes I can't use a long password

      Come now, you're exaggerating. The only institutions using simple rules capped at 8 characters are the unimportant and trivial ones where security isn't really a concern, like banks. Oh, hang on.

      1. creepy gecko

        Re: Sometimes I can't use a long password

        "Come now, you're exaggerating. The only institutions using simple rules capped at 8 characters are the unimportant and trivial ones where security isn't really a concern, like banks. Oh, hang on."

        The UK Gov's National Savings & Investment (NS&I) website did until fairly recently have a maximum password length of 8 characters. They did change it last summer to a longer limit of (IIRC) twenty characters. Much better.

        Another annoying trick that many websites use is not to reveal the password composition rules until AFTER you've typed in your new proposed password. Then they tell you it's a maximum of 10 characters, limited special characters, and only lower case letters or something equally silly.

      2. Archtech Silver badge

        Re: Sometimes I can't use a long password

        Oh, now you did it - you got me started on banks...

        Like the ones that talk big about "security", then ask you to download and run an app about which you know absolutely nothing - supposedly to "enhance your security".

        Like the ones that are wide open to MITM attacks, as Firefox warns me...

        1. arctic_haze Silver badge

          Re: Sometimes I can't use a long password

          Oh yes, banks. My bank (a local chapter of a big international financial institution) had a period when they called their clients with offers, starting the conversation with asking them for... the password.

          The first time it happened I was very close to actually calling the police. I could not believe it wasn't a scam. Later they changed the policy to ask about my personal data (like month of birthday). My answer was still the same: "You are calling me so it is me who verifies you". At least they never tell get to give me the offer, which is a bonus.

          1. Solarflare

            Re: Sometimes I can't use a long password

            My bank is actually reasonable on that regard, I set it up with them that when they ring me, I verify that they are legit using the same challenge response question format that they use. Works pretty effectively.

          2. Atilla_the_bun

            Re: Sometimes I can't use a long password

            Yup. I still cannot fathom my bank when there is a security question about the use of my card calls me and asks me to verify my account _before_ they will even talk about the problem. They have my email, and even my cell # and could quite simply text or email me that I need to call them about an issue and call the number they provide on a part of their web site, heck even part of my account page after I have logged in. You simply can't fix that level of stupid an yet we TRUST banks?

    5. JLV Silver badge

      Re: Sometimes I can't use a long password

      >some systems that: impose a maximum length on passwords,

      Thank you for not mentioning our flagship product, Windows 10, by name. We've been thinking about allowing more than 16 character passwords, but you know how it is.

      Would you like a new WinPhone? Going cheap.

      Yours,

      Sinovskella

      1. tiggertaebo

        Re: Sometimes I can't use a long password

        For accuracy Win10 actually allows 127 characters, Microsoft accounts are where the 16 character limit comes in. That's just as bad of course but let's at least have a go at them about the right product.

        1. JLV Silver badge

          Re: Sometimes I can't use a long password

          Hmmmm, all I know is that my cloud-backed Win 10 account (it's not my primary machine, I have very little confidentials on it so I couldn't be bothered to fish out what might/might not work wo MS Live or whatever) chokes on >16 chars outta the box.

          Presumably for the reason you mentioned.

          The exact cause is less important than the fact that the default, strongly encouraged by MS, set up has that limitation.

  2. malle-herbert Silver badge
    Facepalm

    It only makes it easier to crack...

    When a website asks for a password with at least 1 capital letter, most people tend to make it the first letter in their pasword...

    And if people are forced to also use at least one or two numbers, you can be allmost sure they put those at the end...

    Maybe it's time to educate people about password strength again...

    1. Anonymous Coward
      Anonymous Coward

      Re: It only makes it easier to crack...

      Password1

      1. Flocke Kroes Silver badge

        Re: It only makes it easier to crack...

        I thought all L337 |-|4><0r$ used p455\^/0Rd-0|\|3

        My favourate: '; DROP TABLE users /*

        1. Doctor Syntax Silver badge

          Re: It only makes it easier to crack...

          "My favourate: '; DROP TABLE users /*"

          Problem solved. Our GP's online booking service requires reasonable strength passwords including non-alphanumerics but baulks at semicolons. Maybe that's why.

          1. creepy gecko
            Happy

            Re: It only makes it easier to crack...

            Obligatory XKCD reference....

            https://www.xkcd.com/327/

            1. Anonymous Coward
              Anonymous Coward

              Re: It only makes it easier to crack...

              So what happens when sanitizing the inputs MAKES it malicious? IOW, the malcontents make it so they EXPECT you to sanitize it?

        2. Stumpy

          Re: It only makes it easier to crack...

          Flocke Kroes wrote:

          "My favourate: '; DROP TABLE users /*"

          And the best part of that is that my password strength checker says that it's a fantastically strong password

          1. MrT
            Angel

            Re: It only makes it easier to crack...

            Apart from the double-letters, 'Password rules are bullsh*t!' would appear to be acceptable... password.kaspersky.com reports "Your password will be bruteforced with an average home computer in approximately 10000+centuries".

            1. Cameron Colley

              Re: My favourate: '; DROP TABLE users /*

              Using:

              X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

              Could cause issues for those sites storing passwords in cleartext, perhaps?

              1. Ken Hagan Gold badge

                Re: My favourate: '; DROP TABLE users /*

                There probably aren't many systems that store passwords in cleartext, but there may be some that would let you choose it as a user name.

                1. veti Silver badge

                  Re: My favourate: '; DROP TABLE users /*

                  If the database has a table that's just called "users", and that table can be dropped in isolation (implying that it has no dependencies), then... well, let's just say password strength is the least of your problems.

      2. Your alien overlord - fear me

        Re: It only makes it easier to crack...

        Duh,for security it should be at least 10 characters so you'll have to use Password123 :-)

        1. AMBxx Silver badge

          Re: It only makes it easier to crack...

          Why not just have an increasing delay between logon attempts?

          Car radio I had years ago started with a 5 second delay after the first attempt. Then just kept doubling. Doesn't matter how much CPU you throw at a problem if there's a 24 hour delay between attempts.

          Password124 wouldn't be so bad then!

          1. Anonymous Coward
            Anonymous Coward

            Re: It only makes it easier to crack...

            Pretty much everything already has protection in terms of repeated logon attemps, typically the account will get locked out after a certain number of failed logins or whatever. This password strength concern is about what happens when someone gets hold of the encrypted password DB and starts trying to decrypt it.

          2. picturethis
            Facepalm

            Re: It only makes it easier to crack...

            ^^this^^

            Putting a delay in after submitting each requst essentially moves the problem into a different space. Even is one can create a number of passwords at a prodigious rate, if the reponse to accept the submitted password is delayed, then the entire cycle is extended - by a lot.

            It doesn't matter how fast you can create the passwords, it is how fast each one can be tested. This squarely puts the onis on the websites/devices to implement this.

            I have a 10 year old Dell laptop and if one mistypes the BIOS boot password, it delays additional time (like 5 seconds more) for the next try and then on the 3rd time even more time. Try automating the cracking of that. This method has been used for at least 10 years, where the fuck are the website designers/operators?

            It wouldn't even impact 99.99% of users, as they will enter their password correctly the first time, only retries (during a hack attempt). HELLO (Website Designers)...

            This is one of "those" cases where faster (website response) isn't always better.

            Of course this only applies to brute-force/dictionary attacks, cookies, sql injection etc, maybe not so much.

            1. Truckle The Uncivil

              Re: It only makes it easier to crack...

              It does require the site to store failed login attempts though or at least flag accounts. Could not that be used in a site attack?

              1. picturethis
                Meh

                Re: It only makes it easier to crack...

                I don't think it necessarily implies the storing of failed logins.

                One possible compromise would be that if the login is not successful, just delay the rejection response for a period of time, for example, 10 seconds. There's nothing stored, the entity attempting to login wouldn't attempt another. For this to work though a successful login response time may have to be randomized so that the bot doesn't immediately know after 2 seconds that its guess wasn't correct. On the plus side, radomized response times might help load balancing.

                I have to admit, I'm not sure how websites handle simultaneous attempts at logging in with the same username - if it's allowed as multiple sessions or if there's a check to see if the user is already logged in. I suspect that this is implementation dependent as I've seen different behaviours from different sites.

                Well, I'm sure nothing will come of the suggestion anyways, as with most security, it requires additional work (and money) which we all know businesses don't deem necessary. Not to mention the endless bitching from endusers that will result when it takes an additional second or two to login..

                1. Tom 38 Silver badge

                  Re: It only makes it easier to crack...

                  I don't think it necessarily implies the storing of failed logins.

                  One possible compromise would be that if the login is not successful, just delay the rejection response for a period of time, for example, 10 seconds.

                  So now you are open to DoS via resource depletion. What's your next plan?

                  1. Kiwi Silver badge

                    Re: It only makes it easier to crack...

                    One possible compromise would be that if the login is not successful, just delay the rejection response for a period of time, for example, 10 seconds.

                    So now you are open to DoS via resource depletion. What's your next plan?

                    How so? So user Tom38 has a 10 second or so wait before his next login attempt shows up (some pages take longer than that to load!), or ip 118.234.567.8910 takes 10 seconds before the page comes through. How's that a DoS? Only those who have typed a wrong password get the delay. I fail to see how that is a DoS?

              2. Kiwi Silver badge

                Re: It only makes it easier to crack...

                It does require the site to store failed login attempts though or at least flag accounts. Could not that be used in a site attack?

                Only to get people's accounts locked out. My bank gives you a limit of 3 failed logins after which IIRC you have to visit a branch to reset the account. You may be able to do it via phone banking, but I believe it requires a branch visit. No, not going to test it!

                Aside from getting people locked out, I can't see any attack vector from storing failed attempts?

            2. Leathery Hawkeye

              Re: It only makes it easier to crack...

              Tell me what happens when there's been an infiltration attempt and Joe Bloggs user then attempts to logon - only to be told that next allowed logon attempt is in 24 hours? Or are you going to restrict by host/ip - which then restricts a whole system from logging on?

              1. Kiwi Silver badge

                Re: It only makes it easier to crack...

                Tell me what happens when there's been an infiltration attempt and Joe Bloggs user then attempts to logon - only to be told that next allowed logon attempt is in 24 hours?

                What's wrong with that? Many banks do that or make it so you have to visit a branch to get your account reset. If someone is trying to crack my account I'd much rather the account be locked out then they get another go in a few hours (that said, a few hours lockout is enough to make my account not worth touching)

                Or are you going to restrict by host/ip - which then restricts a whole system from logging on?

                3 failed attempts at IMAP/SMTP and a couple of other services on my system gets your IP blacklisted for 5 hours. 3 failed attempts at SSH gets your IP blacklisted indefinitely. To many failed attempts from your IP range gets your IP range blacklisted indefinitely, maybe with some notes to your ISP. Course, there's only a small few people who currently use my system so it's not an issue.

          3. Frumious Bandersnatch Silver badge

            Re: It only makes it easier to crack...

            True, there should be protections against brute-force dictionary attacks, say, by increasing the delay between attempts. On the other hand, you need "defence in depth": if the password file is lifted through some sort of vulnerability, you need (at a minimum) to have those passwords salted and hashed. Not reusing passwords across sites is another sensible level of defence. Hope for the best, but plan for the worst.

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019