Password Enforcement

Ryan Winchester has a nice post complaining about the stupid password rules that some sites enforce. It’s not that Winchester and the rest of us aren’t in favor of stronger passwords or even that we mind some rules that might help with making them stronger. It’s that the rules don’t actually help make them stronger.

An example makes this clear. A typical rule might be

  1. At least 8 characters
  2. At least one capital letter
  3. At least one lowercase letter
  4. At least one number

That seems like it would probably require a strong password but it doesn’t because it allows passwords like Abcd1234, which would be found almost instantly by a good password cracker. Even passwords like Loverboy1982 will be found fairly quickly by a decent password cracker. Notice that while our rule allows these two passwords—and many others—it doesn’t allow passwords like the famous correct horse battery staple which is actually much stronger than even the XKCD cartoon suggests[1].

Read Winchester’s post for more examples and a possible solution (on the server side). As a user, you must use a password manager that will generate long random strings from the full character set. For your master password or in situations where the password manager is too inconvenient or impossible, choose 4–6 random words using a Diceware scheme (It’s important that the words be chosen randomly. Don’t choose any 4 words that pop into your mind.) It’s easy; even a sixth grader can do it.
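To make the argument concrete, here is an added example (my own code, not from Winchester’s post or this blog) that encodes the four-part rule above, shows which of the passwords discussed it accepts, and compares the entropy of a rule-compliant password with that of a Diceware passphrase. The eight-word list is a constructed stand-in for the real 7776-entry Diceware list; the entropy figures use the real list size.

```python
import math
import secrets
import string

# Constructed mini wordlist standing in for the real Diceware list.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "cloud", "pencil", "river", "quartz"]
DICEWARE_LIST_SIZE = 6 ** 5  # 7776 words, one per roll of five dice


def meets_typical_rule(password: str) -> bool:
    """The composition rule from the post: 8+ chars, upper, lower, digit."""
    return (len(password) >= 8
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password))


def entropy_random_chars(length: int, alphabet_size: int) -> float:
    """Bits of entropy when every character is drawn uniformly at random.

    This is an upper bound: a password a human picked to satisfy the rule
    (Abcd1234) has far less, because crackers try such patterns first.
    """
    return length * math.log2(alphabet_size)


def entropy_diceware(word_count: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Bits of entropy of a passphrase of `word_count` random list words."""
    return word_count * math.log2(list_size)


def diceware_passphrase(word_count: int, wordlist=SAMPLE_WORDS) -> str:
    """Pick words with a CSPRNG, never 'words that pop into your mind'."""
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))


def manager_password(length: int = 20) -> str:
    """What a password manager generates: random chars from the full set."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ["Abcd1234", "Loverboy1982", "correct horse battery staple"]:
        print(f"{pw!r}: rule says {'OK' if meets_typical_rule(pw) else 'rejected'}")
    print(f"8 random chars from 62: {entropy_random_chars(8, 62):.1f} bits")
    print(f"4 Diceware words:       {entropy_diceware(4):.1f} bits")
    print("sample passphrase:", diceware_passphrase(5))
```

The rule accepts both weak examples and rejects the passphrase, while four random Diceware words carry about 51.7 bits of entropy, more than an eight-character password even in the best case where every character is random.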

One final reminder: If a site has rules that restrict the maximum length of your password or what types of characters are legal, it’s a sure sign that their password security is broken and that passwords exposed by an exploit can be easily recovered. Avoid such sites if you can. If you can’t, be sure to use a unique password for that site[2].

UPDATE: batter → battery

Footnotes:

[1]

Or would be if everyone didn’t know it. You can be sure that password cracking programs will try it. Nonetheless, the point stands: four random words makes a strong password that would not be allowed by the rule.

[2]

You should do that anyway, of course, but even if you sometimes cheat, don’t do it on one of these sites.
