
Guy Who Invented Annoying Password Rules Now Regrets Wasting Your Time (2017) - rahuldottech
https://gizmodo.com/the-guy-who-invented-those-annoying-password-rules-now-1797643987
======
kerkeslager
In theory, the idea is correct, but making it a metric falls prey to
Goodhart's Law: When a measure becomes a target, it ceases to be a good
measure. Using a wide range of characters is good, but when you make that a
rule for users who don't grok that the point of that is to create more
entropy, they use those characters in ways that create less entropy, like
l33tSp3@k, incrementing a number at the end, name and birthday to get numbers,
etc.

Still, just letting users set their password to "password" isn't acceptable.
We have a responsibility to protect our users from hacking, even if they don't
know how to select a good password. Minimum password lengths might be a start,
but leave room for a lot of issues.

My feel is that users don't know how to select passwords, so in 2019 we should
be selecting secure passwords for users. My ISP does this: our wireless router
came with a randomly generated password. They allow you to change the password
(and you can change it to something insecure like "password") but most users,
I suspect, won't change the password if the existing one is something easy to
remember (in the style of "correct horse battery staple"). One could lock this
down further by generating new passwords on password reset, instead of
allowing users to set a password.

This is a bit heavy-handed, but it prevents all the common attacks against
passwords that I can think of.
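
A server-side passphrase generator of the kind this post proposes, added here as an example (not code from the thread or from any ISP), with the entropy arithmetic behind the post's two points: random words give entropy the user need not invent, while l33t substitutions on a dictionary word add very little. The wordlist is a constructed sample; the 7776 figure assumes a list the size of the EFF long list.

```python
import math
import secrets

# Constructed sample wordlist for the demo; a deployment would use a large
# published list such as the EFF long list, whose size (7776) the entropy
# figure below assumes.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "amber", "cliff",
                "dune", "ember", "fjord", "glint", "harbor", "ivory",
                "jigsaw", "kestrel", "lumen", "meadow"]
EFF_LONG_LIST_SIZE = 7776


def passphrase_entropy_bits(num_words: int, wordlist_size: int) -> float:
    """Entropy of a passphrase whose words are drawn uniformly and
    independently from a list of wordlist_size entries."""
    return num_words * math.log2(wordlist_size)


def generate_passphrase(num_words: int = 4, words=SAMPLE_WORDS) -> str:
    """Pick the password for the user, server side, with a CSPRNG.

    secrets.choice is the right primitive here; random.choice is seeded
    from predictable state and must not be used for credentials."""
    return " ".join(secrets.choice(words) for _ in range(num_words))


def leet_bonus_bits(base_word: str, substitutions: dict) -> int:
    """Upper bound on the entropy a user adds by l33t-ifying a dictionary
    word: if each substitutable character is independently kept or
    replaced, the guess space grows by at most 2**k, i.e. k bits."""
    return sum(1 for ch in base_word if ch in substitutions)


if __name__ == "__main__":
    print(generate_passphrase())
    print(round(passphrase_entropy_bits(4, EFF_LONG_LIST_SIZE), 1))   # 51.7
    print(leet_bonus_bits("password", {"a": "@", "s": "$", "o": "0"}))  # 4
```

Four words from the full list give about 52 bits; turning "password" into "p@$$w0rd" adds at most 4 bits on top of a word every cracking dictionary already contains.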

~~~
rasz
>My ISP does this: our wireless router came with a randomly generated
password.

yeah, about that
[https://www.usenix.org/system/files/conference/woot15/woot15...](https://www.usenix.org/system/files/conference/woot15/woot15-paper-lorente.pdf)

"With no exceptions, all WPA2 default key generating algorithms that were
recovered during our experiments use either the router’s MAC address or serial
number, or both, as input."

~~~
kerkeslager
That's true, but the solution is simple: don't do that. :)

------
tomohawk
> He certainly wasn’t a security expert.

Yep - when the government performs a function, you get whatever GS 12 or 13
employee is in that seat making decisions with little or no accountability.
Good, bad, or indifferent - mostly indifferent.

------
jolmg
> Inevitably, you have to wonder if Bill not only feels regretful but also a
> little embarrassed.

I can't avoid imagining Bill reading this sentence, implying that he should
feel embarrassed too. There's no reason to say that. It's a completely
redundant sentence. It only seems to serve to put him down.

