
Man who made passwords hard regrets rules that 'drive people crazy' - davesailer
http://www.cbc.ca/radio/asithappens/as-it-happens-wednesday-edition-1.4240252/man-who-made-passwords-hard-to-remember-regrets-rules-that-drive-people-crazy-1.4240255
======
sdrothrock
Recent discussion:
[https://news.ycombinator.com/item?id=14967731](https://news.ycombinator.com/item?id=14967731)

------
leereeves
The worst part of password rules is that every site has its own.

One requires a symbol, another doesn't allow symbols. A third requires 12
characters, a fourth only allows 8.

And they only tell you the rules when you're creating a password. They could
at least remind us of the rules so we could remember how we had to mangle the
password to match.

~~~
ReidZB
Or sites that require at least one symbol, but then mysteriously disallow a
handful of common symbols (e.g. I used a site the other day where exclamation
points were not allowed). Makes password generators like 1Password's useless
about half the time, since 1Password rightly will pick from all (most?) common
symbols on a standard US keyboard.

And of course, why would the site tell the user of its obscure symbol
requirements _before_ the user tries to enter their brand new password? No, I
guess they think it's better to leave it at "a symbol is required" and then
reject symbols users use one-by-one.

~~~
generj
Maybe password rules should be represented as an HTML5 attribute in the input
field.

1Password and LastPass et al. could read this rule and then adjust the
password generator accordingly.

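An added example (not from the comment above or from any password manager's code) of what a machine-readable rule declaration could look like once a site exposes one. The rule syntax here is constructed for the example and is not a real HTML attribute: clauses are `minlength`, `maxlength`, `required` (a list of character classes) and `allowed-symbols` (the exact symbol set the site accepts). The validator reports every violation at once, instead of rejecting symbols one by one, and the generator draws from `secrets` so it only ever produces passwords the same rules accept.

```python
import secrets
import string

# Constructed rule syntax for this example (an assumption, not a real HTML attribute):
#   "minlength: 12; maxlength: 64; required: lower, upper, digit, symbol; allowed-symbols: @#$%"
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
}
DEFAULT_SYMBOLS = set(string.punctuation)


def parse_rules(text):
    """Parse the constructed rule string into a dict with explicit defaults."""
    rules = {"minlength": 8, "maxlength": 128, "required": set(), "symbols": DEFAULT_SYMBOLS}
    for clause in filter(None, (c.strip() for c in text.split(";"))):
        key, _, value = clause.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key in ("minlength", "maxlength"):
            rules[key] = int(value)
        elif key == "required":
            rules["required"] = {v.strip().lower() for v in value.split(",") if v.strip()}
        elif key == "allowed-symbols":
            rules["symbols"] = set(value)
        else:
            raise ValueError(f"unknown rule clause: {clause!r}")
    if rules["minlength"] > rules["maxlength"]:
        raise ValueError("minlength exceeds maxlength")
    unknown = rules["required"] - set(CLASSES) - {"symbol"}
    if unknown:
        raise ValueError(f"unknown character classes: {sorted(unknown)}")
    if "symbol" in rules["required"] and not rules["symbols"]:
        raise ValueError("a symbol is required but the allowed symbol set is empty")
    return rules


def class_sets(rules):
    """Map class names to the character sets permitted under these rules."""
    sets = dict(CLASSES)
    sets["symbol"] = rules["symbols"]
    return sets


def validate(password, rules):
    """Return every rule violation at once (an empty list means the password passes)."""
    problems = []
    sets = class_sets(rules)
    allowed = set().union(*sets.values())
    if len(password) < rules["minlength"]:
        problems.append("too short")
    if len(password) > rules["maxlength"]:
        problems.append("too long")
    bad = sorted(set(password) - allowed)
    if bad:
        problems.append("disallowed characters: " + "".join(bad))
    for cls in sorted(rules["required"]):
        if not sets[cls] & set(password):
            problems.append(f"missing required class: {cls}")
    return problems


def generate(rules, length=None):
    """Generate a password satisfying the rules, using the CSPRNG behind `secrets`."""
    sets = class_sets(rules)
    length = length or min(max(rules["minlength"], 16), rules["maxlength"])
    if length < len(rules["required"]) or length > rules["maxlength"]:
        raise ValueError("length cannot satisfy the rules")
    # One character from each required class guarantees the class constraints...
    chars = [secrets.choice(sorted(sets[cls])) for cls in sorted(rules["required"])]
    # ...and the remainder is drawn from the full allowed alphabet.
    alphabet = sorted(set().union(*sets.values()))
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle with the CSPRNG, so required-class characters are not always first.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)
```

The `allowed-symbols` clause is the part that matters for the complaint above: a site that demands a symbol but silently rejects `!` would declare its real set, and a generator reading it never proposes a character the site will bounce.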
~~~
tass
What reasons are there for these restrictions in the first place?

~~~
generj
The length requirements are logical if they have reasonable minimums and very
high maximums.

It doesn't make sense to limit special characters, etc. Especially as everyone
should be using a password manager anyways. I suspect most of these odd
requirements are a result of design by committee and pointy haired bosses.
Maybe requirements from legal departments?

As long as the annoying requirements are in place, we might as well try and
get password managers to work with them. LastPass has a generator which can be
manually configured, but making the step automated would be helpful.

~~~
majewsky
> very high maximums

What does "very high" mean here? And why would you need it? Usually, you just
have a maximum request size in the web server, and people are never going to
hit that with actual passwords.

~~~
ReidZB
Algorithms like bcrypt may have a maximum supported length: for bcrypt, over
about 50 characters and things get dicey [1]. If you're running something
computationally expensive like scrypt tuned properly, you don't want malicious
entities to be able to send you a 32K password request, probably - easier to
force them to keep it small (like < 50 chars), then block them based on
request throughput.

[1]
[https://security.stackexchange.com/a/39851/1373](https://security.stackexchange.com/a/39851/1373)

------
ransom1538
If I cannot use my passwords -- I always give my favorite password a try: ''; truncate table users;

~~~
acchow
Would this be a crime if it worked?

~~~
curun1r
It probably should, since it would mean that the site isn't hashing passwords
with even the most ancient cipher. Bonus ineptness points are given for not
using a prepared statement or sanitizing the SQL query.

As a software developer, I'm okay with that being criminal negligence.

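An added example (not code from any commenter, and not the site in question) of the two things curun1r describes, plus the length cap ReidZB raises further up: passwords go through a salted, slow KDF before storage, every query is parameterized so the password string is never interpolated into SQL, and oversized input is rejected before the expensive hashing step so a client cannot burn server CPU with a 32K "password". It uses only the Python standard library; `hashlib.pbkdf2_hmac` stands in for bcrypt/scrypt here, and the 128-byte cap and 200,000-round work factor are assumed values, not recommendations from the thread.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed limits for this example. Rejecting oversized input *before* the slow
# KDF bounds the CPU an attacker can burn per request; 128 bytes is far beyond any
# real passphrase. (bcrypt, by contrast, silently truncates input at 72 bytes.)
MAX_PASSWORD_BYTES = 128
PBKDF2_ROUNDS = 200_000  # assumed work factor; tune to your own hardware


def open_db():
    """In-memory database with a users table that stores salt and hash, never the password."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, hash BLOB)")
    return db


def check_length(password):
    """Enforce the byte cap before any expensive work happens."""
    raw = password.encode("utf-8")
    if len(raw) > MAX_PASSWORD_BYTES:
        raise ValueError("password exceeds %d bytes" % MAX_PASSWORD_BYTES)
    return raw


def derive(raw, salt):
    """Slow, salted derivation: an attacker with the table still has to grind per guess."""
    return hashlib.pbkdf2_hmac("sha256", raw, salt, PBKDF2_ROUNDS)


def register(db, username, password):
    raw = check_length(password)
    salt = os.urandom(16)
    # Parameterized INSERT: username and password bytes are bound, not spliced into the SQL.
    db.execute("INSERT INTO users (username, salt, hash) VALUES (?, ?, ?)",
               (username, salt, derive(raw, salt)))
    db.commit()


def verify(db, username, password):
    """True only if the stored hash matches; the password text never reaches the SQL parser."""
    try:
        raw = check_length(password)
    except ValueError:
        return False
    row = db.execute("SELECT salt, hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(derive(raw, salt), bytes(stored))


def user_count(db):
    return db.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def demo():
    """The 'favorite password' from the thread is just a wrong password to this code."""
    db = open_db()
    register(db, "alice", "correct horse battery staple")
    attempt = verify(db, "alice", "'; truncate table users;")
    return attempt, user_count(db)
```

Run `demo()` and the result is `(False, 1)`: the login fails and the table is untouched, because the string was bound as a parameter and then hashed, never executed.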
~~~
acchow
Cute.

I am still curious if this would be a criminal offense for the person that did
the SQL injection attack.

~~~
ransom1538
In the US, the "Computer Fraud and Abuse Act" _could_ apply. The case would
revolve around "intent".

Explaining to interrogating officers that you hated password forms and wanted
revenge would be 1 to 5 years in federal prison (better than state).
Explaining to interrogating officers that you accidentally copy-pasted wrong -
the case would be dropped. This is why you always need to see a lawyer before
answering questions; you will be misled.

"intentionally accesses a computer without authorization or exceeds authorized
access" [1]
[https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act](https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act)

[https://www.nacdl.org/cfaa/](https://www.nacdl.org/cfaa/)

------
teilo
It is relevant that NIST 800-53 Rev. 5 has dropped password complexity and
rotation requirements because they make things worse, not better.

------
dawnerd
Some sites are just insane.

[https://github.com/duffn/dumb-password-rules](https://github.com/duffn/dumb-password-rules)

~~~
frik
Apple iTunes/Apple ID pwd rules are really annoying.

Microsoft online services (Office365/Outlook.com/etc.), still based on the
decades-old 1997 Hotmail login system, which is archaic, have an upper limit
of 8 (or so) chars.

~~~
shavingspiders
What? That's incorrect - I've recently had 1Password change my Outlook.com
password, and it's much more than 8 characters.

------
hallman76
Cool. Now can we find the person responsible for “smart quotes”?

~~~
tqkxzugoaupvwqr
Aren’t these the correct quotation marks? " means inch or seconds and is only
used because most keyboard layouts make it hard to type the correct quotation
marks.

~~~
carey
Inches and seconds should really use ″, U+2033 Double Prime, if you’re not
going to use the ASCII quotation mark for everything.

~~~
vacri
The amusing thing is that we never care about this distinction in handwriting.
"Oh, your two tiny vertical-ish lines denoting 'inch' are not ever-so-slightly
slanted..."

~~~
thaumasiotes
In my handwriting, all quotation marks are pretty heavily slanted. That
doesn't mean I would consider them distinct from hypothetical vertical marks.
Fancy quotes are a display choice, not a distinct glyph.

------
ScottBurson
> Burr said he prefers phrases from literature.

I distinctly recall seeing somebody post a comment a few years ago -- I think
it was here on HN, though I'm not sure -- to the effect that they had used a
line from an obscure poem _in Afrikaans_ as a password, and it was cracked. --
Oh! HN Search comes through for me: here's a recent HN comment [0] by someone
who also recalled it, with a link to the original [1].

[0]
[https://news.ycombinator.com/item?id=14781311](https://news.ycombinator.com/item?id=14781311)

[1]
[https://www.reddit.com/r/Bitcoin/comments/1ptuf3/brain_walle...](https://www.reddit.com/r/Bitcoin/comments/1ptuf3/brain_wallet_disaster/)

------
paulie_a
I referenced this article today at work involving a discussion about password
security, 2FA and actual customer experience.

Tonight I was dealing with Wells Fargo for a password reset. They have a max
of 14 characters and a generally awful interface. I took screenshots of the
process to use as a guide of things to avoid.

------
spraak
This nearly could have been on The Onion :)

------
spiznnx
I had an idea for a website password system: instead of letting the user set a
password, you just give them one. Prevents password reuse, which is the only
thing that ever really commonly gets anyone's account hijacked in my opinion.

Doesn't even have to be strong, could be one word from the top 10k English
words. Require reset after 5 failed attempts.

Would there be anything wrong with this approach (besides being sort of user-
hostile), or have I misunderstood the website account security threat model?

~~~
gelatocar
A 1 in 2000 chance of correctly guessing someone's password could lead to lots
of attempts which at best would cause lots of password resets and at worst
cause lots of compromised accounts.

~~~
maruhan2
yeah with this method, there's a good chance your password will always need a
reset.

------
SomeStupidPoint
Is Diceware still recommended?

[http://world.std.com/~reinhold/diceware.html](http://world.std.com/~reinhold/diceware.html)

~~~
nshepperd
Yes. Using diceware (with actual dice) is still the most reliable way for a
normal person to create a strong password. Use diceware. Ignore this guy's bad
advice.

------
xname2
Our university forces us to change the password every 150 days. It is such a
pain in the __s, because there are too many apps on too many devices that need
to update the password. I asked the IT department: can you guys consider
stopping this and find an alternative security policy? The answer is no,
because this security policy is in the state law.

~~~
Fezzik
If you're really hellbent on it, you can probably tell the IT department they
are full of shit and ask for the citation to the state code number - I am no
state code scholar, but I have never heard of anything like this. In the NW
States I am familiar with I could not find a single code section that even
remotely touched on passwords at state schools. It would be an odd thing to
legislate. Some states are goofy though.

~~~
xname2
Just checked; with a little bit of googling, I did find it in a gov document.

~~~
nkristoffersen
Care to share? Curious minds want to know :-)

------
mikeycgto
U2F and Yubikeys if you're serious about it.

------
mzzter
Relevant xkcd: [https://xkcd.com/936/](https://xkcd.com/936/)

------
asherkosaraju
Duh. Obviously. And not like it's secure either. The worst part is some sites
ask you to change your password every month/3 months/etc. That kinda sucks.

------
notreallythough
password must contain 8 characters and the temperature of the room you're
currently occupying, in degrees kelvin

~~~
Casseres
Kelvin is not expressed in degrees; it's just "Kelvin". Now to really throw
people for a loop, tell them to do it in degrees Rankine (even fewer people
know what that is).

------
JohnJamesRambo
Have his rules even been proven to be right? There's that famous xkcd comic
about passwords and password strength checkers like
[https://howsecureismypassword.net](https://howsecureismypassword.net) that
seem to imply otherwise. Short passwords with symbols seem easier to crack
than longer ones with words put together a human could remember.

~~~
Dylan16807
Right about what, specifically? Being random is good. Being short wasn't part
of the rules. Rotation is pretty bad. And words don't fix the core problem of
making a good password because people love picking non-random words.

In general, every two random characters is worth as much as one random word. I
personally find it as easy to remember three random characters as a word, so I
get better mileage out of random characters.

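An added worked calculation (not from any commenter) putting numbers on three claims in this thread: Dylan16807's "every two random characters is worth as much as one random word", the Diceware question further up (7776-word list), and spiznnx's "one word from the top 10k, reset after 5 failed attempts" scheme with gelatocar's 1-in-2000 reply. The 94-symbol alphabet (printable US-keyboard ASCII without space), the 10,000-word list size and the guess rates passed in are assumptions of the example; the functions assume every symbol or word is chosen uniformly at random, which is exactly the condition Dylan16807 notes people fail to meet.

```python
import math

DICEWARE_WORDS = 7776        # size of the standard Diceware list (6**5 dice outcomes)
PRINTABLE_ASCII = 94         # letters, digits and punctuation on a US keyboard (assumed, space excluded)
TOP_ENGLISH_WORDS = 10_000   # the "one word from the top 10k" scheme proposed above (assumed)


def entropy_bits(alphabet_size, length):
    """Bits of entropy in `length` symbols chosen uniformly at random from `alphabet_size`."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need an alphabet of at least 2 symbols and length >= 1")
    return length * math.log2(alphabet_size)


def chars_per_word(alphabet_size=PRINTABLE_ASCII, wordlist_size=DICEWARE_WORDS):
    """How many uniformly random characters carry as much entropy as one uniformly random word."""
    return math.log2(wordlist_size) / math.log2(alphabet_size)


def online_guess_success(wordlist_size, attempts):
    """Chance that `attempts` guesses (before lockout) hit a uniform one-word password."""
    if attempts < 0 or wordlist_size < 1:
        raise ValueError("attempts must be >= 0 and the list non-empty")
    return min(1.0, attempts / wordlist_size)


def expected_compromised(accounts, wordlist_size, attempts):
    """Expected number of accounts an attacker opens by spending the lockout budget on each."""
    return accounts * online_guess_success(wordlist_size, attempts)


def offline_seconds(bits, guesses_per_second):
    """Expected time to crack offline at a given rate (half the keyspace on average)."""
    return 2 ** (bits - 1) / guesses_per_second


def summary():
    """Constructed comparison table: scheme name -> bits of entropy."""
    return {
        "2 random printable chars": entropy_bits(PRINTABLE_ASCII, 2),
        "1 Diceware word": entropy_bits(DICEWARE_WORDS, 1),
        "1 of top-10k words": entropy_bits(TOP_ENGLISH_WORDS, 1),
        "6 Diceware words": entropy_bits(DICEWARE_WORDS, 6),
        "12 random printable chars": entropy_bits(PRINTABLE_ASCII, 12),
    }
```

Two random printable characters come to about 13.1 bits and one Diceware word to about 12.9, so the "two characters per word" rule of thumb holds. The single-word scheme gives an online guesser exactly `attempts / wordlist_size` odds per account, which is where the 1-in-2000 figure comes from, and across a large user base that becomes a steady stream of compromised accounts rather than a rare event.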
~~~
forapurpose
> Rotation is pretty bad

Rotation is great if it's implemented correctly. The problem is that it's too
much of a burden on users, therefore they implement it poorly, and then it's
less useful or a weakness.

~~~
eksemplar
Rotation makes people pick things like Winter2017 or write it down, and it
offers little safety because being compromised for 3 months isn't that much
better than being compromised for a year.

------
pishpash
This guy sounds like a joker with no understanding of information theory.

------
colordrops
This guy must be a joker with a name like Bill Burr.

edit: for those who down-voted, one of the most famous comedians in the US at
the moment is also named Bill Burr.

