'Password rules are bullsh*t!' Stackoverflow Jeff's rage overflows

Jeff Atwood, founder of the popular coding site Stack Overflow, has published an extended and entertaining rant about the lamentable state of password policy among developers. The post, subtly titled "Password rules are bullshit," points out that the current format for password rules, such as including a certain mix of …


            1. Hawkeye Pierce

              Re: It only makes it easier to crack...

              Increasing the delay between attempts can be done in one of two ways. The first is to only track by IP address (i.e. if the username + IP address is the same then delay on each failed attempt) in which case a bot farm can be used easily enough to circumvent that. If you don't factor in the IP address and delay on EACH failed attempt then you're opening yourself up for DoS attacks, preventing people from being able to log in.

          1. Adam 1 Silver badge

            Re: It only makes it easier to crack...

            > Why not just have an increasing delay between logon attempts?

            That defence only works against online attacks. And it is probably easier to detect enumeration attempts from the same IP and blacklist it. More likely though, someone forgot to password protect their MongoDB which gets lifted and then they throw hashcat at it.

      1. katrinab Silver badge

        Re: It only makes it easier to crack...

        Password1! if it requires a symbol.

      2. Michael Duke

        Re: It only makes it easier to crack...

        Nah I use the much more secure P@ssw0rd!

    1. DougS Silver badge

      Re: It only makes it easier to crack...

      Education is irrelevant, techies trying to explain password complexity to ordinary people are like gearheads trying to explain final drive ratios to ordinary people.

      We need to give up trying to make people to care about password strength for stupid stuff like online forums. They don't. They shouldn't. Stress that it only matters for really important stuff like online banking, and to stop caring if your Twitter account password is insecure unless you have hundreds of thousands of followers.

      Most people let their browsers remember their passwords which obviates even the best passwords as I'm sure that's the first thing malware looks for when it infects a new system.

      1. Charles 9 Silver badge

        Re: It only makes it easier to crack...

        "We need to give up trying to make people to care about password strength for stupid stuff like online forums. They don't. They shouldn't. Stress that it only matters for really important stuff like online banking, and to stop caring if your Twitter account password is insecure unless you have hundreds of thousands of followers."

        You forget that hackers can break into the weak stuff to glean information to use in social engineering attacks to get at the stronger sites. IOW, weak passwords of any sort become gateways. So you must treat the most innocuous site just as much as your most secure one since one can open the way to the other, making the strongest site only as strong as the weakest one.

        1. DougS Silver badge

          @Charles 9

          The only thing hackers can glean by breaking into the weak stuff is possibly a few answers to those "security questions" that really need to die. Those are often the weakest link, for those dumb enough to answer them correctly. If they give you a selection of answers, google can tell you some of the answers if you are determined.

          "What street did you live on in third grade" - if you can figure out who their parents are and where they live, which google often can, there's probably a 1 in 3 chance it is the same address. "In what city did you meet your spouse?" - if you know where they graduated college, probably almost 50/50 shot that it is in that city. "What was the name of your first pet?" - since most of these automated systems for password reset don't care if you try multiple times, you can probably try 20 common pet names and have a decent shot at guessing right.

          Getting into someone's Facebook or Twitter might help, but if they don't have it locked down Google has it all conveniently indexed so as long as they don't have a terribly common name for where they live (and are male, since many single women use their middle name instead of last, and most married and many divorced women have dropped their maiden name) you can find them. And if they are a member of a group like "Hilldale Elementary School students from the 70s and 80s" you might find them posting about Miss Pankey from first grade, and be able to answer that "What was the name of your first grade teacher?" question!

          If you haven't already guessed, I use those questions as another layer of password, don't answer them correctly, and keep them in a file like I do the passwords themselves and other data like the account name or whatever.

          1. Charles 9 Silver badge

            Re: @Charles 9

            "If you haven't already guessed, I use those questions as another layer of password, don't answer them correctly, and keep them in a file like I do the passwords themselves and other data like the account name or whatever."

            So what happens WHEN (not if) they pwn your local machine with a drive-by and steal your special file?

            1. Kiwi Silver badge
              Trollface

              Re: @Charles 9

              So what happens WHEN (not if) they pwn your local machine with a drive-by and steal your special file?

              So what happens WHEN (not if) the government beams it from your brain using black helicopters powered by green neutrinos?

              (Come on, admit it, you've always wanted to say something like that with one of your "what happens when.." posts... :) )

            2. Anonymous Coward

              Re: @Charles 9

              I'm not Charles 9 of 7, but my special file is encrypted with pgp and stored on a LUKS partition, along with the pgp binary I use. When encrypting, the plaintext exists in /tmp (a RAM disk) long enough to update, after which it's wiped. Despite some weaknesses in the cipher, I've not read of any instances of small files encrypted with pgp/IDEA being cracked.

          2. Smody

            Re: @Charles 9

            "to those "security questions" that really need to die." HALLEFREAKINLLUYAH. I hate those questions, and I NEVER specify a meaningful answer. Although sometimes they do indicate that I have psychological problems:

            Favorite pet: Godzilla.

            Favorite restaurant: Roach Motel Moe's.

            etc.

            and pass phrase acronyms: IHTGDSSQs.

          3. Roland6 Silver badge

            Re: @Charles 9

            @DougS - I know there is an invisible line in the sand, but we shouldn't confuse hackers who want the best return for the least outlay, hence grab password file and run a dictionary against it, and those who have intent upon you as an individual.

            I accept with large public databases such as Facebook more personal information is available to the hackers, but I do think we need firstly to worry about the hackers. If someone is prepared to undertake the level of research you're intimating then you have bigger problems that super secure passwords won't make go away.

            However, I totally agree with you and Smody's comment, we shouldn't treat these questions as requiring honest answers, they simply need answers that we know and that can be used to demonstrate we are the rightful user of the account associated with them. Because of this, these details also need to be securely stored and not easily retrieved - even if I have the correct username and password.

        2. Kiwi Silver badge

          Re: It only makes it easier to crack...

          So you must treat the most innocuous site just as much as your most secure one since one can open the way to the other, making the strongest site only as strong as the weakest one.

          What you say is true for some sites, but for others, not so. Let's take a couple of dozen of my Facebook accounts for example. You'll be doing pretty bloody well to link [random realistic-sounding firstname] [random realistic-sounding surname] to me. Hell, I can't remember even one of the names I used on there any more, let alone passwords etc. When I want to use Facebook (rare) I just create throwaway accounts as I'm sure you've seen me mention.

          There are lots of other sites I've done that on. Sites where content I am desperate enough to view is hidden behind a login screen, I'll visit 10minutemail.com, sign up to the site using whatever random characters I type for username (or just the 10min email) and whatever I type for the password, !QAZxsw2 gets through most password strength meters and if not move one column right and try again.

          I can see your point - for regular sites that you use a lot you should consider if there is a risk to your account being hit (here I'm only 12 or so votes from joining you with that silver badge, I'd hate that to be stuffed up!).

          So while true some sites need thought, a lot don't. Most of the sites I've logged into/created accounts on etc are low-value and have little or no real information about me. If they get hacked, I won't even know about it, nor would I ever care. I would be unlikely to even recognise the username and have no chance of recognising the email address.

          HTH, rather than shows I probably should've gone to bed an hour ago...

      2. tony72

        Re: It only makes it easier to crack...

        Well said. But I have to say, I'm a techie, and I don't care (that much). As far as I'm concerned, my password strength is selected to stop someone easily guessing my password, or working it out from readily available information. If someone is going to get hold of the encrypted password DB and make a concerted effort to crack it, assume they're going to succeed, and look to other layers of security for protection. Otherwise it's just stupid; with the continually advancing power of CPUs and GPUs, do we just keep recommending longer and longer passwords? Reductio ad absurdum, people.

  1. Destroy All Monsters Silver badge
    Windows

    2nd factor strong!

    Google's director of information security and privacy this morning. It's 2017. Passwords are irrelevant. Anything you care about should be protected by a strong 2nd factor.

    Typical juvenile Google. One just wants to cross the road on foot and they complain that there is no teleporter with integrated robobutler right next to the kerb to do that.

    Most people and most applications on Earth are not ready for "strong 2nd factor". Or are likely to be so before civilization collapses again. Nor do they need it.

    1. Anonymous Coward

      Re: 2nd factor strong!

      "Google's director of information security and privacy this morning. It's 2017. Passwords are irrelevant. Anything you care about should be protected by a strong 2nd factor."

      Cynical translation: Google wants your phone number, all the better to track you with.

      1. LDS Silver badge

        Re: 2nd factor strong!

        Yes, 2FA is secure as long as neither Google, nor Facebook, nor other companies hoarding data are involved. Otherwise it's just another way to track what you do.

        1. K.o.R

          Re: 2nd factor strong!

          Twitter and Facebook's so-called 2FA is pointless as even if you set up an authenticator app, they still send the (interceptable) SMS code with no way to turn it off.

          1. Tom 7 Silver badge

            Re: 2nd factor strong!

            I put in a random number for phone - largely because I don't trust them with my number but more realistically I hardly ever have my phone with me as there is no coverage here - despite EE telling me I can have 4G wifi modem.

            Most of my passwords are so strong I can never get them right anyway.

            1. Adrian 4 Silver badge

              Re: 2nd factor strong!

              2FA is something you forgot and something that's in your other coat.

      2. joed

        Re: 2nd factor strong!

        Yep, everyone wants your phone number now. It's for your good. Even MS is no longer desperate to give away outlook.com accounts (now that they forced Windows 10 on masses). BTW, while outlook.com insists on getting to know your phone number, the signup for visual studio account seemed to be more lenient (as of last week), go get your spam accounts;)

      3. Anonymous Coward

        Re: 2nd factor strong!

        "Cynical translation: Google wants your phone number, all the better to track you with."

        For 2FA I have a handy burner phone with a long battery life, replaceable battery, no GPS using a 3 PAYG SIM. My normal phone is on a different carrier. (My hat is also made from the finest mu-metal, but that's coincidental.)

      4. DropBear Silver badge

        Re: 2nd factor strong!

        "Cynical translation: Google wants your phone number"

        Not that I necessarily disagree, but assuming you happen to have an Android phone that you actually use as a smartphone (ie. associated with your Google account) they probably already know your phone number even if they pretend to not know it for your ease of mind. To be honest, I'm willing to jump through some pretty outlandish hoops to preserve _some_ semblance of privacy - but not checking my mail on my smartphone is NOT one of them.

        1. Kiwi Silver badge
          Boffin

          Re: 2nd factor strong!

          Not that I necessarily disagree, but assuming you happen to have an Android phone that you actually use as a smartphone (ie. associated with your Google account) they probably already know your phone number even if they pretend to not know it for your ease of mind. To be honest, I'm willing to jump through some pretty outlandish hoops to preserve _some_ semblance of privacy - but not checking my mail on my smartphone is NOT one of them.

          And there's one of the big issues with 2FA right there. Er, am I allowed to say this? Seems obvious but no one seems to be saying it... Well, I'll go ahead anyway..

          Seems half the world's population today does much of their day-to-day computing on their smartphone. While it's a device they have with them always that can do smart things like 2FA, it's also the device most likely to be stolen.

          So you have a banking app, and thief tries to log in only they don't know your pin. That's OK, they go to the reset and your bank helpfully does a couple of extra things - sends a "reset link" to your email and a special code via sms to your phone. Both of which the thief can check because they have your phone. While the more security-conscious of us may have the phone locked, lots of people don't or they use obvious unlock things (like a pattern unlock on their screen that has a very clear Z shape from their greasy fish'n'chips lunchtime fingers). I think with my Alcatel drawerphone the locking is undone always by checking notifications, and a friend of mine who uses iPhones recently told me that Siri unlocks his phone when someone tries to trigger Siri (whatever the Apple version of "Ok Google" is).

          So because so many people use their phones for email etc, and don't have security, any 2FA that relies on the phone is insecure by default. Though hopefully most El Reg readers have the nous to see the issue and find a way to deal with it, or turn their smartphone into a nice drawer-accessory..

  2. Ben Tasker Silver badge

    > It's 2017. Passwords are irrelevant. Anything you care about should be protected by a strong 2nd factor.

    I disagree.

    Yes, anything you care about should be protected by a strong 2nd factor - but it's supposed to be precisely that: a second factor. Something you know, and something you have. So the password is still very relevant.

    It's your protection against someone swiping that 2nd factor (by taking your U2F dongle off your keys or whatever), just as 2FA is a protection against someone finding out your password. The two complement and help protect each other against different threats.

    Hell, you've only got to look at the history of debit/credit cards to see that. When all you needed was the card (something you have) to swipe, nicking/cloning and using a card was easy. They introduced the PIN (something you know) and it became much harder (whilst not perfect). In fact, the criminal focus largely moved onto other weaker areas of the chain instead. Course with pay-by-bonk we're moving away from that again, but meh.

    1. Charles 9 Silver badge

      "Yes, anything you care about should be protected by a strong 2nd factor - but it's supposed to be precisely that a second factor. Something you know, and something you have. So the password is still very relevant."

      But what if you don't HAVE a second factor: not even a cell phone, because you keep LOSING things? Or you don't trust cell phones? And as for those fobs, what was that RSA hack about again?

      1. smartipants
        Go

        It's 2017 - use FIDO U2F

        The Googler did say STRONG second factor. SMS is not strong, and has also been completely dissed by NIST, not only because it can be intercepted but also because it is often received on the same device as you are logging in from, and can often be viewed without unlocking.

        Use FIDO U2F. Unlike the older hardware tokens (RSA etc.) a U2F security key doesn't have a shared secret, as it uses asymmetric encryption (ie public/private keys). Thus enrolling a key can be done just by the user and doesn't need an IT admin to set you up first, and/or it doesn't need the service provider to send a pre-registered one to you - you can just buy one. More importantly, one token can be safely used on multiple web sites/services, without any sharing or privacy issues (each service generates a unique handle and derived key pair).

        Google, Facebook, Dropbox and Github already support U2F, so that's a good enough reason to get one, and they cost less than a tenner on Amazon. That's for a USB version, while Bluetooth and NFC are coming soon for mobiles.

        Look up the specs at the FIDO Alliance. It's well peer reviewed, widely supported by big industry players and there is a good white paper looking into the security/privacy issues too.

        1. Charles 9 Silver badge

          Re: It's 2017 - use FIDO U2F

          And what if you lose THAT?

          1. Hero Protagonist

            Re: It's 2017 - use FIDO U2F

            Some people just can't be helped.

            1. DropBear Silver badge

              Re: It's 2017 - use FIDO U2F

              "Some people just can't be helped."

              Any security scheme that completely hinges on keeping any one single component absolutely secure (ie. must never be lost or stolen) is not worth bothering with.

  3. Richard 12 Silver badge

    Why does anybody treat passwords as ASCII FFS

    Just accept almost any bytes above a certain length into your hash function.

    This only needs to be entered by the user, nobody ever needs to see it. Who cares if the current font can't actually display it? You're only showing * anyway.

    There should be nothing wrong with using an emoji sequence.

    Oh dear El Reg. I can't post emoji? That's terrible!
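An added example (not Richard 12's code, nor anything from the article) of what "accept almost any bytes into your hash function" looks like in practice: the password is NFC-normalised, UTF-8 encoded and fed to a salted PBKDF2 as raw bytes, so an emoji sequence works like any other string. It also shows the one caveat that comes with "any bytes": schemes that truncate the input (bcrypt's 72-byte limit is the well-known case, modelled here by explicit slicing) make two long emoji passwords collide. The iteration count, the fixed demo salt and the sample passwords are all constructed for the example.

```python
import hashlib
import hmac
import os
import unicodedata

KDF_ITERATIONS = 100_000            # constructed for the example; tune to your hardware
DEMO_SALT = b"constructed-16b!"     # fixed so the demo is reproducible; use os.urandom in production

# Constructed sample inputs (written as escapes so the file is encoding-proof).
CAT, TONGUE, TACO = "\U0001F431", "\U0001F61B", "\U0001F32E"   # cat, sticking-out-tongue, taco
EMOJI_PASSWORD = CAT + TONGUE + TACO + " correct horse"
PRECOMPOSED = "caf\u00e9"           # 'é' as one code point
DECOMPOSED = "cafe\u0301"           # 'e' followed by a combining acute accent
LONG_A = TACO * 19 + CAT            # 80 bytes each; they differ only after byte 72
LONG_B = TACO * 19 + TONGUE


def password_bytes(password: str) -> bytes:
    """Canonicalise, then encode: the KDF sees bytes, never glyphs.

    NFC normalisation matters because the same visible string can arrive as
    different code-point sequences depending on OS and keyboard; without it a
    user can be locked out of their own account simply by switching devices.
    """
    return unicodedata.normalize("NFC", password).encode("utf-8")


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256 over the full byte string, whatever it contains."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password_bytes(password), salt, KDF_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password_bytes(password), salt, KDF_ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def truncating_hash(password: str, salt: bytes, limit: int = 72) -> bytes:
    """'Any bytes' done carelessly: a scheme that only looks at the first 72 bytes
    sees just 18 four-byte emoji, so different long passwords become the same one.
    Modelled here by explicit truncation so the effect is visible."""
    return hashlib.pbkdf2_hmac("sha256", password_bytes(password)[:limit], salt, KDF_ITERATIONS)


def demo() -> tuple:
    """Returns (emoji round-trip ok, wrong password rejected,
               NFC makes both 'café' spellings identical,
               truncating scheme collides, full scheme does not)."""
    salt, digest = hash_password(EMOJI_PASSWORD)
    return (
        verify_password(EMOJI_PASSWORD, salt, digest),
        verify_password(CAT + TONGUE + TACO + " correct mule", salt, digest),
        password_bytes(PRECOMPOSED) == password_bytes(DECOMPOSED),
        truncating_hash(LONG_A, DEMO_SALT) == truncating_hash(LONG_B, DEMO_SALT),
        hash_password(LONG_A, DEMO_SALT)[1] == hash_password(LONG_B, DEMO_SALT)[1],
    )


if __name__ == "__main__":
    print(demo())   # (True, False, True, True, False)
```

The normalisation step is the part most implementations forget: the font question Richard 12 raises really is irrelevant, but the byte sequence behind the same-looking glyphs is not.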

    1. Anonymous Coward

      Re: Why does anybody treat passwords as ASCII FFS

      According to my emojianalysis of your post, you're too old to be using emoji.

      1. Richard 12 Silver badge

        Re: Why does anybody treat passwords as ASCII FFS

        *cat* *sticking-out-tongue* *taco*

        1. VinceH Silver badge

          Re: Why does anybody treat passwords as ASCII FFS

          *banana* *house* *covering-ears* *apple-pie* *rocket*

      2. Roland6 Silver badge
        Pint

        Re: Why does anybody treat passwords as ASCII FFS

        and according to my emojianalysis of your post, you're too young to remember the ASCII emoji.

    2. Tom 7 Silver badge

      Re: Why does anybody treat passwords as ASCII FFS

      You've obviously never got involved in internationalisation! You could set a password that could only be typed in by that keyboard you used in Outer-Mongolia while on business!

      1. katrinab Silver badge

        Re: Why does anybody treat passwords as ASCII FFS

        Or by typing Alt + 3 or 4 digit number.

    3. Anonymous Coward

      Re: Why does anybody treat passwords as ASCII FFS

      Ah yes, the wonderful days I spent trying to let JavaScript ("All strings are UTF-8.") do HTTP basic auth (Encoding not specified in the RFC, depending on what RFCs you read, that means ASCII or Latin-1 or possibly mis-implemented as Win-1252).

      Sorry, beyond the printable 95, chances are you're on your own.
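The charset mismatch the poster describes, reproduced as an added example (my code, not the commenter's): the client base64-encodes "user:password" as UTF-8, the server decodes it as Latin-1, and a password that is perfectly representable in both ends up as a different string on the server side, so the login fails even though nothing was "wrong". The `challenge_charset` helper parses the `charset="UTF-8"` parameter that RFC 7617 later added to the WWW-Authenticate challenge as the way out; `can_encode` shows why a password outside Latin-1 (the euro sign here) cannot be sent at all under the older assumptions, and why Windows-1252 and Latin-1 disagree on it. The realm and sample password are constructed.

```python
import base64
import re


def basic_auth_header(username: str, password: str, charset: str = "utf-8") -> str:
    """Client side. RFC 7617 encodes user-id:password 'per the charset' but
    defines no default, which is the root of the problem in the post."""
    if ":" in username:
        raise ValueError("user-id may not contain ':' (RFC 7617, section 2)")
    raw = f"{username}:{password}".encode(charset)
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_auth(header: str, charset: str = "utf-8") -> tuple:
    """Server side: decodes with the charset the server *assumes* was used."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(token.strip(), validate=True)
    user, sep, password = raw.decode(charset).partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password


def challenge_charset(www_authenticate: str):
    """RFC 7617's fix: the server may advertise charset="UTF-8" in its challenge.
    Returns the advertised charset, or None for an older server that says nothing."""
    m = re.search(r'charset\s*=\s*"?([A-Za-z0-9_-]+)"?', www_authenticate, re.IGNORECASE)
    return m.group(1) if m else None


def credential_roundtrip(password: str, client_charset: str, server_charset: str) -> str:
    """The password string the server ends up comparing against its stored secret."""
    header = basic_auth_header("reg", password, client_charset)   # constructed user-id
    return parse_basic_auth(header, server_charset)[1]


def can_encode(text: str, charset: str) -> bool:
    """Whether a password can be sent at all under a given charset assumption."""
    try:
        text.encode(charset)
        return True
    except UnicodeEncodeError:
        return False


if __name__ == "__main__":
    pw = "p\u00e4ssw\u00f6rd"   # constructed: 'pässwörd', representable in Latin-1 and UTF-8
    print(credential_roundtrip(pw, "utf-8", "latin-1"))   # pÃ¤sswÃ¶rd: login fails
    print(credential_roundtrip(pw, "utf-8", "utf-8"))     # pässwörd: login succeeds
    print(challenge_charset('Basic realm="reg", charset="UTF-8"'))   # UTF-8
    print(challenge_charset('Basic realm="reg"'))                    # None
    print(can_encode("\u20ac", "latin-1"), can_encode("\u20ac", "cp1252"))   # False True
```

A client that honours the challenge's charset parameter, and a server that emits it, removes the guesswork; absent the parameter, the "printable 95" really are the only characters both sides are guaranteed to agree on.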

    4. Anonymous Coward

      Re: Why does anybody treat passwords as ASCII FFS

      Because ASCII FFS is the current standard. I believe Version FFS is the current standard for everything.

    5. Anonymous Coward

      Re: Why does anybody treat passwords as ASCII FFS

      Some may scoff at your post but I've been doing this very thing for years. My password involves the Alt Codes for letters, numbers, & special characters (including spaces which some password fields would otherwise reject) & that tends to drop a spanner in the works of anyone trying to brute force mine. It probably won't matter much if my password is only 8 characters long if half of those are actually the Alt Codes for those characters & you don't know which ones to use. It may LOOK like "password" but is actually pAlt+0220Alt+256...

      (Whispers conspiratorially: Actually my password is "AnonymousCoward", don't tell anyone!)

      *Cough*

      1. Charles 9 Silver badge

        Re: Why does anybody treat passwords as ASCII FFS

        If they set up a keylogger, they can just record the strokes no matter how obscure they are.

  4. Swiss Anton

    99 ice cream loving honeybadgers ate my hamster!

    This might look like a random title for a comment on this story, but it is an example of a memorable password that I made up for a comment on the story "Human memory, or the lack of it, is the biggest security bug on the 'net". Even though I only wrote it once, and that was over a month ago, I can still remember it (though admittedly it is probably too long to be a sensible password)

    1. Roland6 Silver badge

      Re: 99 ice cream loving honeybadgers ate my hamster!

      >(though admittedly it is probably too long to be a sensible password)

      Agree this is a real problem, on my MS account, I have a password that is sensible and easy to enter on a normal keyboard. Entering it on an Xbox in the absence of a physical keyboard is another matter.

      Likewise having a 16+ character key for the WiFi, can be fun to enter on some devices as it can overflow the display text box (which the developer forgot to enable horizontal scrolling on) and so you are entering characters without any screen feedback...

    2. Charles 9 Silver badge

      Re: 99 ice cream loving honeybadgers ate my hamster!

      "This might look like a random title for a comment on this story, but it is an example of a memorable password that I made up for a comment on the story Human memory, or the lack of it, is the biggest security bug on the 'net. Even though I only wrote it once, and that was over a month ago, I can still remember it (though admittedly it is probably too long to be a sensible password)"

      Good for you. What about those with POOR memories, or who have to go through hundreds of them in a given month?

      1. Anonymous Coward

        Re: 99 ice cream loving honeybadgers ate my hamster!

        > What about those with POOR memories

        You probably don't have poor memory: you're just poor at remembering (forming memories).

        There are all sorts of tricks and mnemonic techniques for remembering (and being able to recall) arbitrary information. It's even easier when you get to choose the password. For example, a fictitious site rainbow.com could be remembered with "Rainbow wankers" -> "Rainbow Wang Cares About Hoovering Up My Password" -> "RWCAHUMP"

        1. Charles 9 Silver badge

          Re: 99 ice cream loving honeybadgers ate my hamster!

          No, poor memory. As in "CorrectHorseBatteryStaple" turns into "DonkeyEnginePaperclipWrong" one day and "CrankMaybePinMule" the next. Some people's memories are THAT bad (or worse, you have to keep telling them THE SAME THING every single day).

          1. Aladdin Sane Silver badge

            Re: 99 ice cream loving honeybadgers ate my hamster!

            Just write it on a post-it stuck to your monitor.

          2. Dan McIntyre

            Re: 99 ice cream loving honeybadgers ate my hamster!

            Some people's memories are THAT bad (or worse, you have to keep telling them THE SAME THING every single day).

            Indeed. I have young-onset Alzheimer's. I am one of those people.

            BUT - I have never yet forgotten any of my passwords. And I use different ones for every service I use, both personal and work related.

  5. Uplink

    NoPassword

    I saw something that, while slightly inconvenient, could work well if the SMTP infrastructure is fixed to always use encryption between servers:

    Single use limited validity login link sent to your email address

    There's no password for the service itself, there's no FacegleIn OAUTH exchange, you can use any email provider you like without being locked in. All you have to do is protect your email account with a strong password and 2FA.
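The scheme Uplink describes, as an added example (my code, not Uplink's and not any particular site's implementation): the service issues a single-use, time-limited login link, keeps only a SHA-256 of the token so a leaked table is useless, and consumes the token on first presentation whether or not that presentation succeeds. The hostname, the e-mail address and the 15-minute window are constructed; the in-transit protection of the e-mail itself (the SMTP caveat in the post) is outside what this code can do.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 15 * 60                          # constructed: 15-minute validity window
LOGIN_BASE_URL = "https://example.invalid/login"     # constructed hostname


class FakeClock:
    """Deterministic clock so the expiry case can be shown without waiting."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


class MagicLinkService:
    """Single-use, time-limited login links.

    The raw token exists only in the emailed URL. The server keeps its SHA-256,
    so a read-only leak of this table does not yield usable links, for the same
    reason a password table holds hashes rather than passwords.
    """

    def __init__(self, now=time.time):
        self.now = now
        self._pending = {}    # sha256(token) -> (email, expires_at)

    @staticmethod
    def _fingerprint(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, email: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG: unguessable
        self._pending[self._fingerprint(token)] = (email, self.now() + TOKEN_TTL_SECONDS)
        return f"{LOGIN_BASE_URL}?token={token}"

    def redeem(self, url: str):
        """Return the address the link proves control of, or None.

        The entry is removed before any other check, so a link is consumed by
        its first presentation whether or not that presentation succeeds."""
        token = parse_qs(urlparse(url).query).get("token", [""])[0]
        if not token:
            return None
        entry = self._pending.pop(self._fingerprint(token), None)
        if entry is None:
            return None      # unknown, tampered, or already used
        email, expires_at = entry
        if self.now() > expires_at:
            return None      # arrived too late (mail delays happen; issue a new one)
        return email


def demo() -> tuple:
    """Returns (first use, replay, tampered guess, genuine link after the guess, expired)."""
    clock = FakeClock()
    svc = MagicLinkService(now=clock)
    link = svc.issue("alice@example.invalid")           # constructed address
    first = svc.redeem(link)
    replay = svc.redeem(link)                            # same link again: refused
    link2 = svc.issue("alice@example.invalid")
    tampered = svc.redeem(link2[:-1] + ("A" if link2[-1] != "A" else "B"))
    genuine = svc.redeem(link2)                          # a bad guess does not burn the real link
    link3 = svc.issue("alice@example.invalid")
    clock.advance(TOKEN_TTL_SECONDS + 1)
    expired = svc.redeem(link3)
    return first, replay, tampered, genuine, expired


if __name__ == "__main__":
    print(demo())   # ('alice@example.invalid', None, None, 'alice@example.invalid', None)
```

Everything the user's security now rests on is the mailbox, which is exactly the point Uplink makes: the service has no password to leak, and the e-mail account becomes the thing worth protecting with a strong password and 2FA.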

    1. Roland6 Silver badge

      Re: NoPassword

      >All you have to do is protect your email account with a strong password and 2FA.

      Shame that the most useful email account and one most likely to be used by the majority, is the one on the phone, which as we know is typically set to auto login and as 2FA gets in the way of inbox update scanning - 2FA disabled. Thus the 'secure' email account is protected by the relatively weak phone lock. Thus we are back to access being largely defined by possessing the physical device and knowing the passcode.

      The key which everyone, including Stackoverflow's Jeff, is missing, isn't so much password security in itself but the security around the 'lock' and credential storage. Note, Jeff's only real complaint about passwords of 8 or fewer characters is that someone with access to the hash can undertake a dictionary attack. What he omits is any measure of how secure say a 4-digit password is, where the rules are: you have three attempts before access is blocked (ie. bank card) and you have to use alternative means to regain access.

      Thus the big issues are firstly getting over the misconception that complex-to-humans passwords are more secure than long, simple-to-humans passwords. The second is getting devs and system builders to understand the need to build security in depth by implementing a few basic and very simple principles.
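Two posts in this thread describe the same "lock" in different words: Hawkeye Pierce's choice between throttling per username-plus-IP (a bot farm walks round it) and throttling per account (anyone can lock the real user out), and Roland6's bank-card rule of three attempts then out-of-band recovery. The simulation below is an added example (my code, not either commenter's) that runs both policies against a constructed 50-address bot farm and a constructed lock-out attempt, and computes the guess budget the three-strikes rule leaves an online attacker against a 4-digit PIN. The delays, the strike count and the IP addresses are all constructed.

```python
import time
from collections import defaultdict

# Constructed policy values for this example, not numbers from the thread.
BACKOFF_BASE = 2          # seconds; the per-(user, IP) delay doubles on each failure
BACKOFF_CAP = 300         # never make one client wait more than five minutes
HARD_LOCK_FAILURES = 3    # the bank-card rule: three strikes, then out-of-band recovery


class FakeClock:
    """Deterministic time source so the scenarios below run instantly."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


class LoginThrottle:
    """Two optional layers in front of the password check.

    Layer 1 keys on (username, client IP): a bot farm with N addresses gets N
    free guesses before any delay bites.
    Layer 2 keys on the username alone: it caps guesses from anywhere, but lets
    anyone lock the real user out by failing three times (the DoS trade-off).
    """

    def __init__(self, now=time.time, hard_lock=True):
        self.now = now
        self.hard_lock = hard_lock
        self.ip_failures = defaultdict(int)      # (user, ip) -> consecutive failures
        self.ip_allowed_at = defaultdict(float)  # (user, ip) -> earliest next attempt
        self.user_failures = defaultdict(int)    # user -> failures from any address
        self.locked = set()

    def check(self, user, ip):
        """None if the attempt may proceed, otherwise the reason it is refused."""
        if user in self.locked:
            return "locked"
        if self.now() < self.ip_allowed_at[(user, ip)]:
            return "backoff"
        return None

    def record(self, user, ip, success):
        if success:
            self.ip_failures.pop((user, ip), None)
            self.ip_allowed_at.pop((user, ip), None)
            self.user_failures.pop(user, None)
            return
        self.ip_failures[(user, ip)] += 1
        delay = min(BACKOFF_BASE ** self.ip_failures[(user, ip)], BACKOFF_CAP)
        self.ip_allowed_at[(user, ip)] = self.now() + delay
        self.user_failures[user] += 1
        if self.hard_lock and self.user_failures[user] >= HARD_LOCK_FAILURES:
            self.locked.add(user)

    def unlock(self, user):
        """The out-of-band recovery step (branch visit, reset link, helpdesk)."""
        self.locked.discard(user)
        self.user_failures.pop(user, None)


def bot_farm_guesses(n_ips, hard_lock):
    """How many guesses at 'alice' a farm of n_ips addresses gets in one instant."""
    throttle = LoginThrottle(now=FakeClock(), hard_lock=hard_lock)
    allowed = 0
    for i in range(n_ips):
        ip = f"198.51.100.{i}"   # constructed addresses from the documentation range
        if throttle.check("alice", ip) is None:
            allowed += 1
            throttle.record("alice", ip, success=False)
    return allowed


def dos_victim(hard_lock):
    """Attacker fails three times from its own address; can the real user still try?"""
    clock = FakeClock()
    throttle = LoginThrottle(now=clock, hard_lock=hard_lock)
    for _ in range(HARD_LOCK_FAILURES):
        if throttle.check("alice", "203.0.113.9") is None:    # constructed attacker IP
            throttle.record("alice", "203.0.113.9", success=False)
        clock.advance(BACKOFF_CAP)                             # it patiently waits out its own backoff
    return throttle.check("alice", "192.0.2.7")                # constructed home IP of the real user


def online_success_probability(keyspace):
    """Chance of guessing a uniformly chosen secret before the hard lock trips."""
    return HARD_LOCK_FAILURES / keyspace


if __name__ == "__main__":
    print("per-IP backoff only, 50-address farm:", bot_farm_guesses(50, hard_lock=False))   # 50
    print("with per-account lock, same farm:   ", bot_farm_guesses(50, hard_lock=True))    # 3
    print("real user after attacker's 3 fails, no lock:", dos_victim(False))               # None
    print("real user after attacker's 3 fails, lock:   ", dos_victim(True))                # locked
    print("4-digit PIN, three tries:", online_success_probability(10 ** 4))                # 0.0003
```

The numbers make Roland6's point concrete: a 4-digit PIN behind a three-strike lock gives an online guesser a 0.03% chance per lock-out cycle, while the same lock hands anyone who knows a username a free denial of service, which is why the "alternative means to regain access" has to be cheap for the real user and expensive for everyone else.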


Biting the hand that feeds IT © 1998–2019