> Every site (yes you, Reddit) should be enforcing password strength. And if you ask me, every site that has allowed crap passwords in the past should be working on forcing these to be updated.
> And please stop spreading the misinformation that a password must contain uppercase/lowercase letters, numbers and punctuation to be secure.
> If you’re telling a user that their 26-character passphrase isn’t secure enough (ahem, Microsoft), then you’re making it harder for that user to create an easy-to-remember/hard-to-crack password.
These points are contradictory. The user links to a better password strength estimator, but such heuristics will necessarily change over time as people adapt to strength estimators. Easy-to-remember prose doesn't necessarily have any more entropy than short, nonsense passwords. Moreover, when you begin enforcing it, then password crackers will adapt and heuristics which favor length will become useless.
And requiring people to change bad passwords after the fact causes precisely the problem he notes, which is that people will begin to use the same, easy-to-remember-but-passes-this-months-strength-checker password across multiple sites.
The only way to win is to not play at all: make sure you support U2F so people who care can avoid passwords altogether. For everybody else, there's no hope. Strength checkers and specialized password hashes like argon2 just paper over the fundamental problem.
The real lesson here is to stop bikeshedding password authentication frameworks. Hand-wavy heuristics cannot fundamentally improve the situation, and often have the opposite effect. The end of the road for real security is salted hashing. There's no solution to the fact that users as a class suck at not only memorizing high-entropy passwords, but memorizing <number of sites they frequent> * <high-entropy passwords>.
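Two of the comment's claims are easy to check in code: that a long, easy-to-remember passphrase is not automatically higher-entropy than a short random one (entropy comes from the generation model, not the character count), and that the server-side baseline is salted, slow hashing. The block below is an added illustration, not code from the original comment or from any site it mentions. The passphrase and random-string parameters are constructed, and PBKDF2-HMAC-SHA256 from the Python standard library stands in for argon2, which needs a third-party package.

```python
import hashlib
import hmac
import math
import os
from typing import Optional, Tuple

# Entropy is a property of how a password was generated, not of its length or
# which character classes it happens to contain. These helpers compute the bits
# an attacker who knows the generation scheme would have to search.

def entropy_bits(alphabet_size: int, symbols: int) -> float:
    """Bits of entropy for `symbols` choices drawn uniformly from `alphabet_size`."""
    return symbols * math.log2(alphabet_size)

# Constructed comparison (assumption, not from the comment): a ~26-character
# passphrase made of four words from a 2,048-word list, versus a 12-character
# string drawn uniformly from the 94 printable ASCII characters.
PASSPHRASE_WORDS = 4
WORDLIST_SIZE = 2048
RANDOM_LEN = 12
PRINTABLE_ASCII = 94

def compare_schemes() -> dict:
    """Return the search space, in bits, of the two constructed schemes."""
    return {
        "passphrase_4_words_from_2048": entropy_bits(WORDLIST_SIZE, PASSPHRASE_WORDS),  # 44.0
        "random_12_printable_ascii": entropy_bits(PRINTABLE_ASCII, RANDOM_LEN),         # ~78.7
    }

# Server side: salted, slow hashing. A fresh random salt per user means two
# users with the same password get different digests, so precomputed tables
# and cross-user hash matching stop working; the iteration count is the work
# factor that makes each guess expensive for an offline cracker.
ITERATIONS = 600_000  # tune to the CPU budget you can afford per login

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for storing; a new 16-byte salt is generated if none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)

if __name__ == "__main__":
    for scheme, bits in compare_schemes().items():
        print(f"{scheme}: {bits:.1f} bits")
    salt, digest = hash_password("correct horse battery staple")  # constructed sample
    print("verify ok:", verify_password("correct horse battery staple", salt, digest))
    print("verify bad:", verify_password("Tr0ub4dor&3", salt, digest))
```

The entropy numbers make the comment's point concrete: the 26-character passphrase scores well on a length-based checker but carries 44 bits against a cracker who knows the wordlist, while the shorter random string carries about 79. The hashing half shows what a server can actually control regardless of what users choose: a per-user salt, a tunable work factor, and a constant-time comparison on verify.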