Password Enforcement

Ryan Winchester has a nice post complaining about the stupid password rules that some sites enforce. It's not that Winchester and the rest of us aren't in favor of stronger passwords or even that we mind some rules that might help with making them stronger. It's that the rules don't actually help make them stronger.

A example makes this clear. A typical rule might be

  1. At least 8 characters
  2. At least one capital letter
  3. At least one lowercase letter
  4. At least one number

That seems like it would probably require a strong password but it doesn't because it allows passwords like Abcd1234, which would be found almost instantly by a good password cracker. Even passwords like Loverboy1982 will be found fairly quickly by a decent password cracker. Notice that while our rule allows these two passwords—and many others—it doesn't allow passwords like the famous correct horse battery staple which is actually much stronger than even the XKCD cartoon suggests1.

Read Winchester's post for more examples and a possible solution (on the server side). As a user, you must use a password manager that will generate long random strings from the full character set. For your master password or in situations where the password manager is too inconvenient or impossible, choose 4–6 random words using a Diceware scheme (It's important that the words be chosen randomly. Don't choose any 4 words that pop into your mind.) It's easy; even a sixth grader can do it.

One final reminder: If a site has rules that restrict the maximum length of your password or what types of characters are legal, it's a sure sign that their password security is broken and that passwords exposed by an exploit can be easily recovered. Avoid such sites if you can. If you can't, be sure to use a unique password for that site2.

UPDATE: batter → battery

Footnotes:

1

Or would be if everyone didn't know it. You can be sure that password cracking programs will try it. Nonetheless, the point stands: four random words makes a strong password that would not be allowed by the rule.

2

You should do that anyway, of course, but even if you sometimes cheat, don't do it on one of these sites.

This entry was posted in General and tagged . Bookmark the permalink.