

Can the world please standardize passwords? - pcarroll

This is 2015 and I find it amazing that with all the standards bodies in the world, we have not all decided on a standardized pattern for what constitutes a password.

e.g.

- some sites require 8-12 characters. Why limit it to 12?
- some sites require a number, a letter (upper and lower case), and some punctuation
- some sites do not allow punctuation
- some sites cannot handle upper/lower case

With the hundreds of passwords people have to remember, it is impossible to satisfy all the requirements. So that means it's impossible for many people to remember their passwords.

The worst possible violation of a secure password is to "write it down". This argument goes for password managers as well (which only work on the device that holds them). Same deal for having the browser remember your password. Not secure at all.

Banks and finance institutions are the worst offenders. They, if anyone, should be able to agree on what constitutes a password.

Passwords are with us for the long term. My mother is not going to use certificates to talk to her web banking.

And logging into Facebook is hardly a solution either. That's the last body that should be controlling authentication. Privacy? What's that?

So where are the global standards?

Ugh... Thanks for listening...
Peter
======
cs-
NO, no no no, and No!

[http://stackoverflow.com/questions/15753279/password-validat...](http://stackoverflow.com/questions/15753279/password-validation-with-multiple-rules/15754118#15754118)

It's not a standard that can fix this problem, it's education, of both
end users and developers.

One could devise a system that allows any password as long as the entropy
threshold is satisfied.

The only limitation to passwords should be a minimum level of entropy (or at
least length, to keep things simple) furthered by taking into account
character sets, lists, etc...

Some people prefer only digits, others like sentences, while some are used to
the systems currently in place at the moment with multiple custom rules.

Food for thought.

------
brudgers
Most passwords don't matter. The example I always use is if someone guesses my
HN password, so what? [1] HN is not my bank. It does not need serious security
in regard to my use (not speaking for anyone else). Giving it a unique low
quality password is fine. Facebook demands a bit more attention, gmail more
beyond that, but neither requires life and death security either.

One reason for no single standard is there is no single level of risk. The
other is that standardizing password formats makes cracking passwords more
standard.

[1]: Though, I did change the trivial password I was using before first
posting the example here on HN

~~~
aquark
If you have higher security accounts which have gmail as the contact email,
then the gmail account should be treated the same.

Breaking into gmail gives access to many password recovery mechanisms.

But I agree for low priority sites: my password across many forum sites is the
same and very low entropy. I really don't care to think more about it!

------
daviross
_" So that means it's impossible for many people to remember their
passwords."_

Good. Human-memorable is machine-crackable.

More seriously, there's work being done on this front, but specifically along
the lines of eliminating passwords, because _passwords are a terrible method
of authentication_.

See: FIDO Alliance [https://fidoalliance.org/](https://fidoalliance.org/)

Or my preferred item, the Yubikey:
[https://www.yubico.com/](https://www.yubico.com/)

In other words, a lot of your assumptions aren't necessarily correct (and
there are competing interests. If I were writing a standard, I'd have all
passwords be 20 characters minimum. However, that's not good for user
experience)

~~~
nugget
Passwords are the worst form of authentication except for all the others.

------
TheLoneWolfling
> This argument goes for password managers as well (which only work on the
> device that holds them).

My couple of password manager files encrypted and stored on Dropbox disagree
with that one. (A couple of different ones because I like to segregate them by
criticality. So I don't have to unlock the one with critical information most
of the time. Reduces the attack surface.)

I can access them anywhere. Although I try not to access them on anything I
don't have control over. For example: I memorize my dropbox password and my
student login separately.

And it's a whole lot more secure to have a couple of long passphrases to
unlock long generated passphrases for every site than to have a short
password/passphrase for every site.

------
pcarroll
I buy all the future technology solutions, but only in the future.

For today we are stuck with passwords. Maybe my beef would be diffused if some
lazy programmers would be more open to longer passwords and more non-alpha
characters. e.g. let the user decide how long the password needs to be beyond
some reasonable minimum. Then allow any character the user can stuff in. i.e.
don't tell the user the password contains invalid characters.

Again, the average user is like my mom. Not like the people on HN. And you can
memorize non-dictionary passwords...

------
dairgram
Can such standard also include setting the default for echoing the password?
Seeing that I have entered ### for a 5 character password is perfectly
adequate. But for a 17 character password, echoing ######### does not give me
useful feedback where I am or allow me to meaningfully edit mistakes.

Yeah, if I am projecting my screen in front of an audience of 300, I do not
want my password echoed. But when I am using my mobile phone, getting feedback
is far more useful than guarding against someone reading my screen.

------
hawkice
I just recently signed up for dropbox, and when I did, Chromium asked me if it
was cool for them to auto-gen a password and put it in my browser keyring.

Whatever method they are using, I would imagine that'll be the new standard.
My passwords are decently secure, but that's hard to beat in terms of both
workflow and security.

------
brandon272
You can create all the standards you want. Doesn't mean anyone will adhere to
'em. :)

~~~
Jeremy1026
Required: [https://xkcd.com/927/](https://xkcd.com/927/)

------
rstuart4133
> So where are the global standards?

Here:
[http://en.wikipedia.org/wiki/Password_strength#NIST_Special_...](http://en.wikipedia.org/wiki/Password_strength#NIST_Special_Publication_800-63)

That formula provides the only meaningful measure of a password's strength:
its entropy. NIST 800-63 is a (very conservative) formula for calculating it.
Rules like "at least one numeric" are poor rules of thumb for the same thing.

That raises the question of "how much entropy do I need". That depends on how
well guarded the password is. A four digit pin has an entropy of around 12
bits. By web standards it's an absurdly weak password, yet it has stood
attacks for years. That's because it's guarded by a piece of hardware that
only lets you have 3 guesses.

There are banks that only let me have a 6 character password - without upper
case or special characters, which you apparently think is bad. But the bank is
assuming they control the use of that password in the same way the pin is
controlled. If that assumption is right it's a perfectly reasonable thing to
do.

The assumption is almost certainly wrong, but it probably doesn't matter.
There has been a gang knocking over Russian banks by infiltrating their IT (ie
hacking their infrastructure). If they've done that they also have access to
the customers' password data. But then it probably doesn't matter as the bank
is hosed anyway.
[http://www.wsj.com/articles/new-report-says-computer-crimina...](http://www.wsj.com/articles/new-report-says-computer-criminals-stole-millions-from-banks-1424033504)

The average web site isn't as secure as a bank. It has to assume the password
database will leak. If it leaks the attacker gets unlimited tries at guessing
each password, and the number of guesses per second is limited purely by how much
hardware they can afford. For example, if the password is protected by SHA256
+ salt, spending US$30K lets you make 1 guess every 3 picoseconds. If you want a
password that can withstand such an attack for a year (ie, take a year on
average to brute force), you need a password with 40 bits of entropy. Such a
password will be around 60 characters long. However, if the web site puts some
thought into how they store the password they can reduce it considerably:
[http://pbkdf2.sourceforge.net/](http://pbkdf2.sourceforge.net/) Sadly almost
none do.

Let's tie this up. We've seen that a 12 bit password (a pin) can work well, yet
a 20 character password stored on a regular web site will last around 10
seconds once the password database storing the password as a salted SHA256
hash leaks. These wildly different numbers are not going to be easily
encapsulated by the single standard you desire, mainly because the difference
between these two examples was _not_ how the user chose them. It is in the way
they are protected. That is where you should be focusing your efforts.

Besides, forcing users to change their behaviour doesn't work - they are far
smarter than your "weak password detection" algorithms, and none of us like to
be manipulated.
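The two technical threads in the discussion above, cs-'s "allow any password as long as the entropy threshold is satisfied" and rstuart4133's point that what matters is the NIST 800-63 entropy estimate combined with how the stored hash is protected, can be put together in one script. This is an added example, not code from any poster: it implements the NIST SP 800-63 Appendix A heuristic for user-chosen passwords (4 bits for the first character, 2 bits each for characters 2-8, 1.5 bits each for 9-20, 1 bit per character after that, plus 6 bits for composition rules; the linear shape of the "up to 6 bits, declining to zero at 20 characters" dictionary bonus is this example's assumption), then converts an entropy figure into an expected brute-force time at the guess rate quoted in the thread (one guess every 3 picoseconds for salted SHA-256), and finally measures on the local CPU how much a PBKDF2 work factor slows each guess relative to a single salted SHA-256, to scale that attacker rate accordingly. The salt and candidate strings are constructed inline.

```python
"""NIST SP 800-63 Appendix A entropy estimate and offline-attack time model.
Added example; not code from the thread or from NIST."""
import hashlib
import math
import os
import time

# Guess rate quoted in the thread for salted SHA-256 on ~US$30K of hardware:
# one guess every 3 picoseconds.
THREAD_SHA256_GUESSES_PER_SEC = 1 / 3e-12
SECONDS_PER_YEAR = 365.25 * 24 * 3600

SALT = os.urandom(16)  # constructed per run; stands in for a stored per-user salt


def nist_800_63_entropy(password: str, composition_rules: bool = False,
                        dictionary_check: bool = False) -> float:
    """Estimated guessing entropy (bits) of a user-chosen password per the
    NIST SP 800-63 Appendix A heuristic. The dictionary bonus is modelled as
    6 bits for passwords of 8 characters or fewer, declining linearly to 0
    at 20 characters (this example's assumption about the decline shape)."""
    n = len(password)
    if n == 0:
        return 0.0
    bits = 4.0                                  # first character
    bits += 2.0 * max(0, min(n, 8) - 1)         # characters 2..8
    bits += 1.5 * max(0, min(n, 20) - 8)        # characters 9..20
    bits += 1.0 * max(0, n - 20)                # characters 21+
    if composition_rules:
        bits += 6.0
    if dictionary_check and n < 20:
        bits += 6.0 * (20 - max(n, 8)) / 12
    return bits


def average_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time: on average the attacker tries half the keyspace."""
    return (2.0 ** entropy_bits / 2.0) / guesses_per_second


def bits_needed(seconds: float, guesses_per_second: float) -> float:
    """Entropy required so that the average brute-force time is at least `seconds`."""
    return math.log2(2.0 * seconds * guesses_per_second)


def salted_sha256(candidate: str) -> bytes:
    """The weak storage scheme discussed in the thread: one hash per guess."""
    return hashlib.sha256(SALT + candidate.encode()).digest()


def pbkdf2_sha256(candidate: str, iterations: int = 100_000) -> bytes:
    """Iterated key derivation: each guess costs `iterations` HMAC-SHA256 rounds."""
    return hashlib.pbkdf2_hmac("sha256", candidate.encode(), SALT, iterations)


def guesses_per_second(hash_fn, min_seconds: float = 0.2) -> float:
    """Single-core guess rate for `hash_fn`, used only to measure the relative
    cost of the two schemes (attacker hardware is far faster in absolute terms)."""
    count = 0
    start = time.perf_counter()
    while time.perf_counter() - start < min_seconds:
        hash_fn("candidate-%d" % count)   # constructed candidate strings
        count += 1
    return count / (time.perf_counter() - start)


if __name__ == "__main__":
    for pw in ["1234", "hunter2!", "correct horse battery staple"]:
        bits = nist_800_63_entropy(pw, composition_rules=True, dictionary_check=True)
        secs = average_crack_seconds(bits, THREAD_SHA256_GUESSES_PER_SEC)
        print("%-30s %5.1f bits  ~%.3g s to crack as salted SHA-256" % (pw, bits, secs))

    print("bits for a one-year average attack at the quoted rate: %.1f"
          % bits_needed(SECONDS_PER_YEAR, THREAD_SHA256_GUESSES_PER_SEC))

    sha_rate = guesses_per_second(salted_sha256)
    kdf_rate = guesses_per_second(pbkdf2_sha256)
    slowdown = sha_rate / kdf_rate
    scaled = THREAD_SHA256_GUESSES_PER_SEC / slowdown
    print("PBKDF2 slows each guess by ~%.0fx on this machine" % slowdown)
    print("bits for one year if the site used PBKDF2 instead: %.1f"
          % bits_needed(SECONDS_PER_YEAR, scaled))
```

Run it directly to see the per-password figures; the point of the last two lines is rstuart4133's: the entropy a user must supply depends on the storage scheme, and a work factor on the server side buys more than any composition rule.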

