No password rules...please. - ritratt
http://www.riturajsatpute.com/2012/06/no-password-rulesplease.html

======
jasonkester
Complex password requirements lead to post-its on monitors in cubicles with
passwords written on them. That's a much worse result than a weak password for
pretty much any system that relies on passwords to stop bad things from
happening.

For regular websites, generating monitor post-its is inexcusable. Let your
users choose the letter "a" as their password if they want, but warn them
about the implications. The only acceptable password workflow for a website is
this:

      - Choose a password
      - complexity check
        - if failed, "Seriously?  That seems like a bad password" popup.
          - "Yes, seriously.  I don't really care if this account gets hacked
            enough to memorize a complex password."
      - done.

I'd go as far as having _banks_ do it this way. Anything to avoid having
access to a $20k wire transfer be as simple as sitting down at somebody's desk
when they're gone for the day and reading a post-it saying "BofA - wAffles$2".

~~~
rdl
This is horrible advice given the threat model for either normal home users
(at risk due to mass attacks/brute force, or MAYBE losing a wallet/unlocked
phone/laptop with keys saved locally) or most corporate environments.

The solution in both cases is a move toward single sign on, using a password
manager or a key or 2fa or federated login system (Kerberos, FB connect).

Enforcing minimum complexity requirements (and policies like no username as
password, etc) protects the user and site. If a site has 10% of users with
trivial passwords, even if it is just a commenting section on a blog, the site
itself is at risk. Combine this with the propensity of users to globally reuse
passwords, and everyone is kind of doomed. Passwords must die, but requiring a
minimum level of passwords, and encouraging people to use passwords as safely
as possible as an interim measure, is the only reasonable course of action.

~~~
gte910h
Then measure actual entropy. Don't make me make a password that fits some
weird ass hard to remember standard you dug up. Let me use "This rabbit killed
the horse in cold blood, then drank all the pies" as a password if I want, it
has more entropy than C@tV0m!t does.

~~~
rdl
The problem is it's hard to measure actual entropy. You can make a reasonable
approximation (vs. a dictionary, and looking at the total character set) --
then, if you can, display the strength in some graphical way (ideally with a
list of suggested rules which get checkmarked as the passphrase satisfies
them). Still. "one TWO 3 +our" has less entropy than this would suggest.

I generally set an absolute minimum of 6-8 characters, not equal to username,
site name, or a set of common passwords (including "password"). Sometimes
require one (or two or three) of uppercase, number, or symbol for short
passwords (i.e. stop requiring it if it is longer than 12 characters).

However, when a standard (or company policy) requires something like DIACAP,
I'll enforce it in the pw creator. The absolute worst thing is when policy
changes, and an allowed password becomes disallowed -- if it just expires and
needs to be changed, that's one thing, but I've had sites where my long,
special-case-laden passphrase worked in some login routines but didn't work in
things like the password update routine (!!!).

For anything internal, I consider passwords basically unacceptable as an
authentication mechanism alone; there must be PK or some kind of two factor
auth.

------
rdl
This guy has no idea what a dictionary attack is, or entropy in various forms
of password or pass phrase. Probably not a great source of security policy
advice.

A pass phrase with 4 words chosen from a large alphabet, assuming the words
are randomly selected, gets a lot of entropy really fast compared to similarly
memorable numeric PIN (6-8 digits, tops). "leetspeak" passwords derived using
common rules from rules aren't a lot better than just words themselves, and
are hard to remember (I've had to brute force a bunch of variations on my own
or for other people when keyboard layouts changed, or when exact punctuation
was not remembered).

20000 words in vocabulary, take 4, is 1.6e17 combinations. Dictionary attack
that?

------
M4v3R
44 bits of entropy from XKCD comic is assuming dictionary attacks. So even
without number substitutions dictionary attack would take VERY long. Edit:
JoeAltmaier beat me by 1 minute with this.

~~~
fexl
Right, the use of numbers is not necessary. For example, I could publicly
advertise that my password for a particular site consisted of exactly six
words chosen randomly from the word list at
<http://world.std.com/~reinhold/diceware.html> .

People would be free to attack it at will, but it wouldn't do much good
because that password contains approximately 78 bits of entropy. The attack
would be slow enough offline (for example if they somehow possessed a bcrypt
hash of my passphrase), but far slower online (if they had to send each guess
across the internet one by one).

I could of course cleverly substitute some digits here and there, which would
make my public declaration a lie. I suppose some "security through obscurity"
can help, though I could have accomplished just as much if not more by simply
using seven words instead of six.
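
The estimates rdl and fexl reason about above (a rough charset-versus-dictionary strength meter, rdl's minimum-length and no-username policy, 4 words from 20000 giving 1.6e17 combinations, six Diceware words giving about 78 bits) as one added example in Python; this is not code from any commenter. The toy wordlist, the common-password list and the 95-character printable alphabet are constructed assumptions.

```python
import math
import re

# Constructed toy dictionary and common-password list (an assumption: a real
# checker would load a full wordlist such as the 7776-word Diceware list).
WORDLIST = {"one", "two", "three", "four", "correct", "horse", "battery",
            "staple", "password", "rabbit", "killed", "cold", "blood"}
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}
CLASSES = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33))

def charset_bits(s):
    """Naive estimate: log2(size of the character classes present) per character."""
    size = sum(n for pat, n in CLASSES if re.search(pat, s))
    return len(s) * math.log2(size) if size else 0.0

def token_bits(tok, n_words):
    """Cost of one token to an attacker who knows an n_words-entry wordlist and
    also tries capitalisation variants and single-character substitutions."""
    low = tok.lower()
    case_bits = 1.0 if low != tok else 0.0  # "TWO" is one extra guess over "two"
    if low in WORDLIST:
        return math.log2(n_words) + case_bits
    for w in WORDLIST:  # "+our" is "four" with one character swapped
        if len(w) == len(low) and sum(a != b for a, b in zip(w, low)) == 1:
            # word + position of the swap + which of 95 printable chars replaced it
            return math.log2(n_words) + case_bits + math.log2(len(w)) + math.log2(95)
    return charset_bits(tok)  # nothing dictionary-like: charge full charset bits

def dictionary_bits(pw, n_words=20000):
    """Dictionary-aware estimate for a whole passphrase, token by token."""
    return sum(token_bits(t, n_words) for t in pw.split())

def passphrase_bits(n_words, list_size):
    """Entropy of n_words words drawn uniformly at random from list_size words."""
    return n_words * math.log2(list_size)

def check_policy(pw, username, site, min_len=8):
    """rdl's rules: minimum length, not username/site/common, and a character-class
    requirement that is waived once the password is longer than 12 characters."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if pw.lower() in {username.lower(), site.lower()}:
        problems.append("equals the username or site name")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if len(pw) <= 12 and not re.search(r"[A-Z0-9]|[^A-Za-z0-9]", pw):
        problems.append("short password needs an uppercase letter, digit or symbol")
    return problems
```

For "one TWO 3 +our" the naive charset estimate is about 92 bits while the dictionary-aware estimate is about 56, which is rdl's point; "correct horse battery staple" scores about 57 bits against a 20000-word list, the same figure as 20000 to the fourth power.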

------
JoeAltmaier
Dictionary attacks were how xkcd came up with the entropy for
CorrectHorseBatteryStaple, I think. Also adding digits in a couple of places
for vowels adds just a bit or so to entropy, a fairly weak (entirely
predictable) way of improving passwords.

------
jrs235
Displaying password rules informs a hacker what rules to obey and follow,
reducing the number of combinations they have to try. Rather than have rules,
after a user creates/enters their password just let them know if it sucks or
not, perhaps give some "stats" as to how long it would probably take to crack.
Scare them into something stronger, but don't force them into "post-it noting
their password".

~~~
Peaker
For home use, I'm not sure what's wrong with a post-it...

(Not talking about a bank password here).

~~~
batista
Yes, so next time your cleaning lady can use it. Or your babysitter --or her
boyfriend. Or any random burglar...

~~~
Peaker
And make Hacker News comments on my name? :-)