

Why don't we have password standards? - vaksel

It seems like each website has its own password standards.

Some want 5 letters, some want a minimum of 10, some want a maximum of 8, some want a number, some want a mix of capital and lower case letters, some want an underscore, some want a special character @#$%@#@%@#%...others don't allow special characters etc.

Obviously there is absolutely no need for something that restrictive. All it does, is that people are stuck using uncommon passwords...which in turn means that they end up writing them down or constantly forgetting them, which bypasses the security.

So how about we create a common set of password standards...one that doesn't force the user to deviate from their common passwords, yet one that does the bare minimum to make brute forcing it with bots complicated.
======
Khao
The only standard we should set is a minimum length that is not too short.
Something like 8 characters minimum. I don't care if you use only number or
only letter, use whatever you want, it's YOUR security after all! The longer
the password, the more likely it is to be unique!

My password has been letters + numbers at the end for a long time and I know
it's secure because it's not a common word or numbers that have to do with me.
No capitals, no punctuations, only lowercase letters and numbers. When a
website forces me to use other letters in my password, I keep forgetting it
and I am forced to use "Lost my password" all the time, which makes me want to
use that service less and less.

Were you inspired to post this by today's XKCD comic? Link :
<http://xkcd.com/936/>

~~~
dfc
I do not mean to single you out but this is a viewpoint that I have never
really understood. If you do not care about "my security" then why have a
length requirement?

~~~
mattbot5000
You don't want your product to be the one with hundreds of people having their
accounts compromised. This warrants a bare minimum of password requirements.

~~~
dfc
Exactly. So you do care about the security of the users.

~~~
millzlane
No, he cares about the reputation of his product being spoiled by the
intellectually challenged.

------
dfc
I think the biggest reason for the lack of a password standard is that the
risk profile / threat model is not the same across all websites.

------
Jbudone
I find that some of these limitations put me in a worse position than if I
were to have full control. eg. you MUST use a symbol, or using both lower AND
upper case characters.

This is a joke! We're in the 21st century, people should be able to have their
own set of password standards. I know we, as programmers, are always looking
out for the most noobish of the end-users. But is it really necessary to go as
far as to FORCE EVERYONE into picking a blatantly obviously brute-force-safe
password?

In the end, the bulk of these users are just going to forget their password,
add it to their password manager, and become frustrated with this chosen
system. This in turn is insecure for its own reasons. I think what we need is
to remove these silly limitations altogether (although a set standard
minimum/maximum character limit is completely understandable imo), and allow
people to pick their own standards. The newbies out there will eventually get
their accounts hacked, it's inevitable imo. And when that happens they will
learn to set better passwords.

------
dfc
For what it is worth OWASP has password guidelines:

<https://www.owasp.org/index.php/Password_length_&_complexity>

That should be enough? I can't imagine that you are lamenting the lack of an
oversight body to adopt and enforce a standard. Were you?

------
maze
Put a standard of 8 character minimum, and hackers will start targeting 8
characters+

For example, if they are using brute force they will start it using
8 characters, or use dictionary words with 8c +. Still 8c is better than 6.

Just install a password manager, or "develop" your own "algorithm" of how you
create your passwords. For example a password "Hackernews"; move each
character once to the left, which would give: Jsvlrtmrd. Obviously this
"algorithm" has to be changed every few websites, or somebody will find out
your pattern.

------
mooism2
We could start by disallowing maximum password lengths, and insisting that all
printable characters are allowed in passwords.

The great thing about standards is that there are so many to choose from. Here
in Britain the Financial Services Authority sets minimum password standards
for online banking. I expect similar regulators in other parts of the world
have their own subtly different requirements.

~~~
dfc
In the states this is handled by the FFIEC but there is no specific complexity
requirement. In accordance with the rest of the guidelines the complexity
requirements are supposed to be based on a risk assessment.

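To make the contrast in this thread concrete (Khao's "minimum length only" rule, mooism2's "no maximum, all printable characters", and the composition rules Jbudone complains about), here is an added Python example; it is not code from the thread or from any of the guidelines linked in it. The 6-8 length window, the `@#$%` symbol set and the crude search-space estimate are assumptions chosen for illustration.

```python
import math
import string

# Assumed "restrictive" policy: mirrors the site rules the thread complains
# about (8-character maximum, forced digit, mixed case, one of @#$%).
# Assumed "minimal" policy: what Khao and mooism2 propose, a minimum length,
# no maximum, every printable character permitted, and nothing else.

# Printable ASCII minus the control-type whitespace (space itself is kept).
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def check_restrictive(pw: str) -> list:
    """Return the violations of a typical composition policy (empty = accepted)."""
    problems = []
    if not 6 <= len(pw) <= 8:
        problems.append("length must be 6-8")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a digit")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("needs upper and lower case")
    if not any(c in "@#$%" for c in pw):
        problems.append("needs one of @#$%")
    return problems


def check_minimal(pw: str, min_len: int = 8) -> list:
    """Minimum length only; any printable character; no upper bound."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len}")
    if any(c not in PRINTABLE for c in pw):
        problems.append("contains non-printable characters")
    return problems


def search_space_bits(pw: str) -> float:
    """Crude upper bound on brute-force effort: log2(alphabet ** length), with
    the alphabet built from the character classes actually present. This is
    NOT entropy: a dictionary word like P@ssw0rd scores well here yet falls to
    a wordlist immediately, which is the XKCD point Khao links to."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # punctuation plus space in PRINTABLE
    return len(pw) * math.log2(size) if size else 0.0
```

Run the two checkers over "P@ssw0rd" and "correct horse battery staple": the restrictive policy accepts the first and rejects the long passphrase on four counts, while the minimal policy accepts both, and the passphrase's search space is roughly three times larger in bits.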
