
Picking the low hanging passwords - kiyanwang
https://hackernoon.com/picking-the-low-hanging-passwords-b64684fe2c7
======
wahern
> Every site (yes you, Reddit) should be enforcing password strength. And if
> you ask me, every site that has allowed crap passwords in the past should be
> working on forcing these to be updated.

> And please stop spreading the misinformation that a password must contain
> uppercase/lowercase letters, numbers and punctuation to be secure.

> If you’re telling a user that their 26-character passphrase isn’t secure
> enough (ahem, Microsoft), then you’re making it harder for that user to
> create an easy-to-remember/hard-to-crack password.

These points are contradictory. The user links to a better password strength
estimator, but such heuristics will necessarily change over time as people
adapt to strength estimators. Easy-to-remember prose doesn't necessarily have
any more entropy than short, nonsense passwords. Moreover, when you begin
enforcing it, then password crackers will adapt and heuristics which favor
length will become useless.

And requiring people to change bad passwords after the fact causes precisely
the problem he notes, which is that people will begin to use the same,
easy-to-remember-but-passes-this-month's-strength-checker password across
multiple sites.

The only way to win is to not play at all: make sure you support U2F so people
who care can avoid passwords altogether. For everybody else, there's no hope.
Strength checkers and specialized password hashes like argon2 just paper over
the fundamental problem.

The real lesson here is to stop bikeshedding password authentication
frameworks. Hand-wavy heuristics _cannot_ fundamentally improve the
situation, and often have the opposite effect. The end of the road for _real_
security is salted hashing. There's no solution to the fact that users as a
class suck at not only memorizing high-entropy passwords, but memorizing
<number of sites they frequent> * <high-entropy passwords>.
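An added illustration of the entropy point made above (this is example code, not from the article or the commenter): the same passphrase is scored once by a naive per-character model that rewards length, and once by a model in which the attacker guesses dictionary words. The word-list size (7776), the 33-symbol punctuation alphabet and the sample strings are constructed assumptions.

```python
import math

# Assumption: attacker word list size, e.g. a Diceware-style list of 7776 words.
DICTIONARY_SIZE = 7776
PUNCTUATION_ALPHABET = 33  # assumption: printable ASCII symbols


def charset_size(password: str) -> int:
    """Alphabet a naive per-character estimator assumes from the classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += PUNCTUATION_ALPHABET
    return size


def bruteforce_bits(password: str) -> float:
    """Entropy credited when every character is treated as independent."""
    return len(password) * math.log2(charset_size(password))


def wordlist_bits(words: int, dictionary_size: int = DICTIONARY_SIZE) -> float:
    """Entropy once the attacker models the input as `words` dictionary words."""
    return words * math.log2(dictionary_size)


def passphrase_weaker_than(passphrase: str, random_pw: str) -> bool:
    """True when the passphrase, judged by a word-aware attacker, has fewer
    bits than the shorter random password judged character by character."""
    words = len(passphrase.split())
    return wordlist_bits(words) < bruteforce_bits(random_pw)


if __name__ == "__main__":
    # Constructed sample inputs.
    phrase = "correct horse battery staple"   # 28 chars, 4 common words
    random_pw = "x7$Qm2!pLz"                   # 10 chars, all four classes
    print(f"{phrase!r}: {bruteforce_bits(phrase):.1f} bits by length, "
          f"{wordlist_bits(4):.1f} bits once words are guessed")
    print(f"{random_pw!r}: {bruteforce_bits(random_pw):.1f} bits")
    print("passphrase weaker under word model:", passphrase_weaker_than(phrase, random_pw))
```

The 28-character phrase scores about 165 bits under the length-rewarding model but only about 52 under the word model, below the 66 bits of the 10-character random string.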

