Online password requirements have gotten ridiculous

[leroyjenkens]

I've noticed that websites have started getting ridiculous with password requirements. I like to use the same password for everything, so I don't get confused about which account has which password. It's a pretty good password. It's a combination of letters and numbers and it's 8 characters long. But it seems like as time goes on, 8 characters just isn't good enough anymore. Now websites want you to include letters and numbers, with at least one of them being in caps. Or maybe they want you to have the first character being a letter, which means I have to change my 8 character password, because it doesn't start with a letter. Or maybe 8 characters isn't long enough anymore. They want you to have 15+ characters for your password. That's what my school password is. I had to basically double my old password.
Another school I used to attend, but I still took classes at after graduating, requires you to change your password every once in a while. I guess that keeps everyone out of your account, including you, when you inevitably forget which password you chose for that specific time frame.

I just finished changing my Ebay password, because my old password wasn't working. They could have simply just told me my password in the email instead of forcing me to change it. You'd think I could have used my standard 8 character password, since that obviously wasn't correct when trying to log in. Well, when I tried to use that, the website tells me I can't use passwords I've already used. So if I've already used that password... and I can't use that password to log in... then what's going on? They basically said "You can't make that your new password, because that's your current password." Yet it won't work when I try to log in. That's absurd.
I guess that's not really a problem with passwords, it's a problem with Ebay. But that was the impetus behind this thread.
When I was making my new password, it said my 8 character password was weak. I remember when I was a kid, I had 5 character passwords that were actual words. Websites would say that it was weak, and I agree. Now, my 8 character password is a combination of random letters and numbers and websites considered it strong. Now it's weak.

Is it really the character limit that's making people's accounts get stolen? Or is it keyloggers or some such programs that copy what you're typing as your password, and let the hacker know what it is? If that's the case, then your character limit can be 20 characters, and it doesn't matter.
Are websites making the character limit so high just to give the users a false sense of security? I think so.

This isn't just a rant, this is a legitimate concern that eventually we're going to have to write our own novels, and use that novel as our password; a minimum of 50,000 characters.

 

[B. Elliott]

You think typical websites have become restrictive? Work for the Department of Defense!

 

[zoobyshoe]

When I was making my new password, it said my 8 character password was weak. I remember when I was a kid, I had 5 character passwords that were actual words. Websites would say that it was weak, and I agree.

I always have to groan a little when I still see on TV, and in movies and books, people able to break into other peoples computers by figuring out the password turns out to be their daughter's nickname or their wedding anniversary date backwards. In other words, the key, in fiction, is in fathoming the account holder's psychology. Maybe 20 years ago, but not lately.

 

[Ryan_m_b]

I hate password requirements. I have so many different passwords for different accounts because what's good for one isn't good for another. Some places require 6-12 characters, others 8 and more, some have to have a capital, some a number etc. The worst is the university I am at which requires 8-12, letters and numbers with at least one capital and must be changed every term. It's a nightmare, every few months I have to come up with something different and the system tracks if it is in any way similar to your previous password, including if the pattern on the keyboard is the same.

I find this topic quite interesting because it seems like such a system encourages un-secure behaviour. I have a few friends who use password manager software rather than remember everything. Whilst this is all well and good it means that if you can find out one password you can go onto their password manager and get everything, from their bank to their facebook via their amazon account. I also know people who write down their passwords in a planner or on their phone.

It seems to me that it would be quite secure to scrap all the complicated and diverse requirements we have now in favour of a phrase. What is the likelihood that anyone could guess or break a password along the lines of "My green toad Timmy likes to eat peas." Its length along would seem to make it much harder to brute force hack.

Perhaps I'm missing some key element that makes having several variants of "MniEl990" safer than the above example but I somehow doubt it.

 

[B. Elliott]

I hate password requirements. I have so many different passwords for different accounts because what's good for one isn't good for another. Some places require 6-12 characters, others 8 and more, some have to have a capital, some a number etc. The worst is the university I am at which requires 8-12, letters and numbers with at least one capital and must be changed every term. It's a nightmare, every few months I have to come up with something different and the system tracks if it is in any way similar to your previous password, including if the pattern on the keyboard is the same.

I find this topic quite interesting because it seems like such a system encourages un-secure behaviour. I have a few friends who use password manager software rather than remember everything. Whilst this is all well and good it means that if you can find out one password you can go onto their password manager and get everything, from their bank to their facebook via their amazon account. I also know people who write down their passwords in a planner or on their phone.

It seems to me that it would be quite secure to scrap all the complicated and diverse requirements we have now in favour of a phrase. What is the likelihood that anyone could guess or break a password along the lines of "My green toad Timmy likes to eat peas." Its length along would seem to make it much harder to brute force hack.

Perhaps I'm missing some key element that makes having several variants of "MniEl990" safer than the above example but I somehow doubt it.

In a nutshell, it all comes down to the tools that the cracker is using. Shifting to a phrase-based password structure would only temporarily render the tools used today unfit.

 

[D H]

I always have to groan a little when I still see on TV, and in movies and books, people able to break into other peoples computers by figuring out the password turns out to be their daughter's nickname or their wedding anniversary date backwards. In other words, the key, in fiction, is in fathoming the account holder's psychology. Maybe 20 years ago, but not lately.

"Black hats" have hacked a number of different websites and stolen password files, some of them in the clear. "While hats" have purchased those stolen passwords and analyzed them. Per those analyses, people still use incredibly bad passwords. Until 2013, the number one password on the internet was "password". That password fell to the #2 slot in 2013, with the password "123456" taking the #1 slot. See "Password" unseated by "123456" on SplashData's annual "Worst Passwords" list for details.

I am warned many times a year about social engineering, thanks to the ridiculous number of security refresher courses I have to take. I am warned that I might go to jail if I go to the corner bar and some sweet young thing sweet talks me into telling her that my mother's maiden name was Jones, that my first car was a Volkswagen, and that my first job was in Denver. (BTW, none of those is the correct answer.)

Even now, weak passwords and social engineering remain at the top of the list of techniques used by "black hats" to break into other peoples' accounts.

 

[AlephZero]

It's not just users that choose bad passwords. My employers have outsourced their computer systems management to a well known international company (best left nameless, to avoid embarrassment or lawsuits!). We bought a number of high performance computer systems with access controlled on the basis of "need to use". The so-called computer professionals decided the easiest way to set up new accounts was to set the password equal to the userID and flag it as time-expired, so the user had to reset it the first time they accessed the system.

Apart from the short-term security hole between setting up the account and its first use, they forgot about a basic fact of human nature: the person who sent in a list of access requests from a project or department often just listed everybody who might need access eventually. After a few months, it was easy to find dozens of accounts that had never been used, with known passwords. Oops...

 

[cjl]

I just finished changing my Ebay password, because my old password wasn't working. They could have simply just told me my password in the email instead of forcing me to change it.

No website should ever be able to tell you your password in an email - that would require that they have it either stored somewhere in plaintext, or that they could reconstruct the plaintext from what they have stored. Either way is horrendously insecure.

 

[zoobyshoe]

...Per those analyses, people still use incredibly bad passwords...

I can believe this is true of average people on the internet, but in the works of fiction I mention people are trying to break into the computers of people like company CEO's, terrorists, master criminals, and police detectives. The trick always turns out to be to figure out what is the most important thing in that person's life and their password always ends up being related to that.

 

[Intrastellar]

Since no one posted it yet, I guess I will :)

 

[zoobyshoe]

Since no one posted it yet, I guess I will :)

I don't understand this cartoon. Why is the first one easy to guess and the second hard?

 

[D H]

I don't understand this cartoon. Why is the first one easy to guess and the second hard?

Entropy. Physics and computer science have their own concepts of entropy, and they turn out to be closely related.

Even if you follow the rules of what constitutes a good password, there just isn't that much information content in an 8 character password. If you follow the rules in spirit only (and that's exactly what most people do), there's hardly any information content at all in an 8 character password. That this is the case is what has provoked many websites and computer systems to go beyond the old 8 character password rule, and defiance against this is what provoked the original post.

 

[zoobyshoe]

Entropy. Physics and computer science have their own concepts of entropy, and they turn out to be closely related.

Even if you follow the rules of what constitutes a good password, there just isn't that much information content in an 8 character password. If you follow the rules in spirit only (and that's exactly what most people do), there's hardly any information content at all in an 8 character password. That this is the case is what has provoked many websites and computer systems to go beyond the old 8 character password rule, and defiance against this is what provoked the original post.

So, the single best thing you can do to optimize a password is make it longer?

 

[jedishrfu]

The best password discovery scheme was in the movie WarGames where Mathew Broderick finds the secretary's password to the school system written down on a piece of paper taped to the desk drawer (pullout). The tougher the password rules the more likely people will fall back on this scheme.

Later on he uses his knowledge of Dr Falken to figure out the password. At that time, that trick would resonate with many computer users and so today we are cautioned against and even forced with the mix of numeric and punctuation characters.

Nowadays, I can see hackers using a collection of passwords for the given user and discerning a pattern that could be used to attack a user account. As an example, some users may use a common base password and tack on some mnemonic related to the website.

Another scheme I liked was the really long password where it could be some sort of sentence but many websites have limits on the number of characters allowed.

I wish everyone would go to a zero-knowledge password scheme where its always different but it uses knowledge private to yourself for the questions making it much harder for someone to discern:

http://en.wikipedia.org/wiki/Password#Zero-knowledge_password_proofs

 

[DataGG]

You guys should use something like Keepass (or keepassX) or https://lastpass.com/...

Both of them allow for two-factor authentication, (a masterpassword + a second factor to authenticate. For keepass, it's a password + keyfile, https://lastpass.com/multifactor-authentication/) so it's pretty safe if you ask me. They also allow for you to create incredible strong passwords. My passwords are all +25 characters nowadays.

EDIT: Keep in mind that LastPass is cloud storage (encrypted, but still) while keepass(X) is for offline usage.

 

[fluidistic]

I personally keep a notebook with all my password close to my desktop computer.
I've read that a random sequence of letters/signs can be easier to guess than 3 or 4 words stack together due to entropy as mentioned earlier. It is extremely unlikely that a human would guess 3 or 4 random words stack together (and apparently also too hard for a computer that uses brute force to guess). Plus, if you know more than 1 language you can mix languages, etc.
The requirement to have at least 1 capital letter and 1 digit is kind of ridiculous IMO. The only requirement should have an entropy greater than a threshold.
If you use google you'll find several websites that calculate the entropy for passwords (if you're paranoid don't put your exact password in there, but put a similar one)

 

[zoobyshoe]

I've read that a random sequence of letters/signs can be easier to guess than 3 or 4 words stack together due to entropy as mentioned earlier.

I don't see how one is easier than the other. The computer doing the brute force guessing would just treat the words as random sequences of letters, wouldn't it?

 

[DataGG]

I don't see how one is easier than the other. The computer doing the brute force guessing would just treat the words as random sequences of letters, wouldn't it?

What about dictionary attacks?

 

[zoobyshoe]

What about dictionary attacks?

I suppose that would make stacks of random words easier than random strings of letters and numbers, but allegedly the opposite is true.

 

[AlephZero]

It's much easier for a human to remember a long password made from a sequence of words than the same number of random characters. You can probably remember a phrase of 7 or 8 random words just as easily as 7 or 8 random characters. If you choose words that are not "random" for you personally, or sufficiently surreal, remembering is even easier.

I was once responsible for the configuration of a commercial software package where the password (set by the supplier) to access the really low level features was "twoimpossiblylargeandridiculousredandwhitespottedinflatablecows". Hard to type, but even harder to forget, even though it's about 20 years since I last needed to use it.

 

[fluidistic]

I suppose that would make stacks of random words easier than random strings of letters and numbers, but allegedly the opposite is true.

There are more than 150k words in the English language. If you use 4 words that's more than 10^20 total possibilities which I'm almost sure means game over for a dictionnary attack.
You can also mix languages and use "-"'s between words if you think that brute force can crack the password.

this-cracked-will-never-be-password :) Easy to remember, "impossible" to crack.

 

[D H]

If you use 4 words that's more than 10^20 total possibilities which I'm almost sure means game over for a dictionnary attack.

Fixing that for you:

If you use 4 randomly selected words that's more than 10^20 total possibilities which I'm almost sure means game over for a dictionnary attack.​

Using phrases that contain four words such as "four score and twenty" is attackable. Using four randomly chosen words such as "correct", "horse", "battery", and "staple" is not attackable, at least not so far.

There remains two big problem with those four randomly chosen words:

• You have to remember them!
  The password "four score and twenty" is a whole lot easier to remember than is "correct horse battery staple". If you have accounts on multiple computers, you certainly don't want to use "correct horse battery staple" as the password for each. And you definitely don't want to use "four score and twenty" as the password on any system. That's almost as bad as using "password" as your password.
• As implied in the xkcd comic, most systems will reject "correct horse battery staple" as a password.
  The silly password rules alluded to in that comic will reject your password if it doesn't contain a mix of lowercase and uppercase letter plus at least one digit plus at least one special character.

My solution was to write them down. Yep. Just like the movie War Games, many years after the fact. At least I didn't keep my cheat sheet pasted on a sheet of paper taped to my desk drawer. I instead kept it in a safe. That worked quite nicely for me -- that is, until I accidentally shredded my password cheat sheet. OMG! Recovering from that shredding incident was an absolute nightmare.

Fortunately, storing my passwords in a file on my computer is now deemed acceptable by the powers that be, so long as my hard drive is password-encrypted and so long as the file that contains those passwords is encrypted using a password that is distinct from my login password. Using a cloud-based password server? Heaven forbid! I would be fired. And then I might go to jail.

 

[zoobyshoe]

If you use 4 randomly selected words that's more than 10^20 total possibilities which I'm almost sure means game over for a dictionnary attack.

OK, back to my original thought, if the computer trying to get the password doesn't know you're using words it would assume you're using a random string culled from the set of lowercase letters, upper case letters, and digits 0-9, which is a total of 62 choices as opposed to 150K. Attacked this way, random words seem no safer than random (upper and lower case)letters and numbers.

 

[DataGG]

I suppose that would make stacks of random words easier than random strings of letters and numbers, but allegedly the opposite is true.

You're right, I didn't read fluidistic (as well as yours) post correctly!

Using phrases that contain four words such as "four score and twenty" is attackable. Using four randomly chosen words such as "correct", "horse", "battery", and "staple" is not attackable, at least not so far.

There remains two big problem with those four randomly chosen words:

• You have to remember them!
  The password "four score and twenty" is a whole lot easier to remember than is "correct horse battery staple". If you have accounts on multiple computers, you certainly don't want to use "correct horse battery staple" as the password for each. And you definitely don't want to use "four score and twenty" as the password on any system. That's almost as bad as using "password" as your password.
  

• 
  
  Why is "four score and twenty" as bad as "password"? If anyone asked me, I'd have said that it's a pretty decent password.

 

[D H]

So, the single best thing you can do to optimize a password is make it longer?

Exactly. A 28 character password is a whole lot stronger than is an 11 character password. Tr0ub4dor&3 is weak because it's short and because it uses fairly standard password construction rules. correct horse battery staple is strong primarily because it's long.

That 44 bits of entropy is actually rather low. The author of the comic assumed a dictionary of only 2048 words and also assumed that the hacker had that dictionary. Using a larger dictionary would make it even stronger.

The title of this thread names the key problem with passwords. The rules have indeed gotten ridiculous, and because of that, they are making computer systems less rather than more secure. We use schemes like that illustrated by Tr0ub4dor&3. To make matters worse, the next time we need to change it, we'll probably use something like Trou6ad0r#4. We use the same password on multiple systems. We write them down on a sheet of paper.

 

[zoobyshoe]

OK. Back to the cartoon. It bases the times to hack on 1000 guesses per second. I have no doubt a computer can generate 1000 guesses per second, but what account on Earth allows 1000 guesses per second? Most shut you down for 15 minutes after 5 wrong guesses.

 

[D H]

OK. Back to the cartoon. It bases the times to hack on 1000 guesses per second. I have no doubt a computer can generate 1000 guesses per second, but what account on Earth allows 1000 guesses per second? Most shut you down for 15 minutes after 5 wrong guesses.

Again, he was simplifying things, intentionally so.

The problem isn't a hacker typing account name/random password over and over again until they get a hit. The problem is

• Hackers who have sniffed transactions when you use a public WiFi. You might be going to an https site, but the first bit of that transaction that you send back is your username and password, encrypted. Now they have the luxury of making billions of guesses, offline.
  
  
• Hackers who have broken into a website and stolen their password file. That password file is organized user name, encrypted password. Now it's just a matter of determining which encryption scheme they use and then grinding through the list making millions or billions of guesses. They'll get matches, lots of matches. These hacked password files are the sources of those stories about tens of millions of passwords being in the hands of black hats one month, then another 38 million hacked passwords a few months later.
  
  
• Hackers who have used social engineering against you. Suppose you like watching The Matrix; you bragged at the bar while drinking your favorite German beer how you just watched it for the 20th time. Suppose you also happen to bragged about your 1965 Mustang. That means your password AltbeirNeo65stang! is toast. Hackers use Associative Word List Generators to find a list of words particularly applicable to you.

 

[Ryan_m_b]

Fixing that for you:

If you use 4 randomly selected words that's more than 10^20 total possibilities which I'm almost sure means game over for a dictionnary attack.​

Using phrases that contain four words such as "four score and twenty" is attackable. Using four randomly chosen words such as "correct", "horse", "battery", and "staple" is not attackable, at least not so far.

That's such a simply an easy system I'm really surprised it's not used more often. A random word generator using a large dictionary isn't exactly NASA level technology and most people could easily remember four words. Especially if you're encouraged to remember them as a scene. For example using this random generator I got:

• Ladybird
• Stretcher
• Laundry
• Parachute

I could easily remember that by making up a story about how a Ladybird once landed on my Stretcher after a skydiving accident. Next time I'll make sure to go to the Laundry and pick up my Parachute. I made that up in about ten seconds and I'm probably going to remember it without trying for a really long time. Assuming a dictionary of just 100,000 words, no repeats and the order being important it would take nearly 2*10¹⁸ guesses to get it right. At a billion guesses a second it would still take up to thirty years to break.

 

[zoobyshoe]

Again, he was simplifying things, intentionally so.

The problem isn't a hacker typing account name/random password over and over again until they get a hit. The problem is

• Hackers who have sniffed transactions when you use a public WiFi. You might be going to an https site, but the first bit of that transaction that you send back is your username and password, encrypted. Now they have the luxury of making billions of guesses, offline.
  
  
• Hackers who have broken into a website and stolen their password file. That password file is organized user name, encrypted password. Now it's just a matter of determining which encryption scheme they use and then grinding through the list making millions or billions of guesses. They'll get matches, lots of matches. These hacked password files are the sources of those stories about tens of millions of passwords being in the hands of black hats one month, then another 38 million hacked passwords a few months later.

I'm not exactly following how this would lead to "strong" passwords being better. It seems like in both cases they have gotten your password. The trick would be in breaking the encryption. Once they break that, they can simply read the screen and see your password, be it strong or weak. The encryption used is beyond the individual user's control.

[*]Hackers who have used social engineering against you. Suppose you like watching The Matrix; you bragged at the bar while drinking your favorite German beer how you just watched it for the 20th time. Suppose you also happen to bragged about your 1965 Mustang. That means your password AltbeirNeo65stang! is toast. Hackers use Associative Word List Generators to find a list of words particularly applicable to you.[/list]

This is clear, and this is what I was complaining about in fiction: humans guessing other humans passwords by getting to know their psychology. But if statistics demonstrate people still chose passwords this way, I guess I have to accept it.

 

[zoobyshoe]

That's such a simply an easy system I'm really surprised it's not used more often. A random word generator using a large dictionary isn't exactly NASA level technology and most people could easily remember four words. Especially if you're encouraged to remember them as a scene. For example using this random generator I got:

• Ladybird
• Stretcher
• Laundry
• Parachute

I could easily remember that by making up a story about how a Ladybird once landed on my Stretcher after a skydiving accident. Next time I'll make sure to go to the Laundry and pick up my Parachute. I made that up in about ten seconds and I'm probably going to remember it without trying for a really long time. Assuming a dictionary of just 100,000 words, no repeats and the order being important it would take nearly 2*10¹⁸ guesses to get it right. At a billion guesses a second it would still take up to thirty years to break.

But, as I said earlier, how do you entice the hacking computer to think in terms of a 100,000 member pool of possible terms when it can much more easily think in terms of a 62 character pool? It has no incentive whatever to think in terms of words when it can think in terms of upper and lowercase letters and the digits 0-9.

 

[Evo]

I use imaginary words with the extra mandatory odd unmatching capital letter, number, special character, do imaginary words make it more difficult? The imaginary words are familiar to me, but unknown to others, so easy for me to remember. Do they more commonly look for words or just an assortment of letters and characters?

 

[D H]

But, as I said earlier, how do you entice the hacking computer to think in terms of a 100,000 member pool of possible terms when it can much more easily think in terms of a 62 character pool? It has no incentive whatever to think in terms of words when it can think in terms of upper and lowercase letters and the digits 0-9.

You are missing the point. The whole point is that the hacking community *can't* attack a pass phrase made of four or more randomly selected words from a reasonably sized dictionary, even if the hacker knows the number of words and the dictionary from which those words were selected. Given four randomly selected words drawn from a 25,000 word dictionary where order matters, at a billion guesses per second with words drawn from the exact same dictionary, it would take 6 years to have a 50% chance of correctly guessing the password. Five randomly chosen words extends that to 6 years to 154,000 years.

You are right in that a 28 character long password randomly drawn from a 62 character alphabet is even more secure, at least with regard to random guesses. The universe will die before that long of a random character password can be hacked using random guesses.

However, a hacker doesn't need to use random guesses to find that password. Shoulder surfing will work quite nicely. There is zero chance a person could remember that password. If the user needs to type that password into a computer, that user will have it written out on a piece of paper or displayed on a smartphone so the password can read and typed in, slowly. That over the top password makes the computer less secure, not more secure.

Also note: This thread is most likely someone complaining about a system with a 12 character password rule, and the passwords have to satisfy certain rules. Those rules are not strong enough to connote a random-looking password. Humans would revolt at having to use a 12 character password tested for apparent randomness. Adding one more character to Tr0ub4dor&3 makes for what most systems would deem to be a "strong" password.

 

[zoobyshoe]

You are right in that a 28 character long password randomly drawn from a 62 character alphabet is even more secure, at least with regard to random guesses. The universe will die before that long of a random character password can be hacked using random guesses.

You have overly-charitably mistaken me for saying the opposite of what I was actually saying. I was arguing that viewing the password as being made up of 62 possible choices would make it easier to hack than if it came from 150,000 choices. I was making the (pretty stupid) error of assuming that 62²⁵(based on PF allowing up to 25 character passwords) would be a lot less than 150,000⁴. Having now calculated both I see that 62²⁵, which is 6.453454278 X 10⁴⁴ is actually vastly larger than 150,000⁴, which is 5.0625 X 10²⁰. (62 has, in fact, already surpassed 150,000⁴ with a 12 character password.) 62 is so much less than 150,000 I just didn't think it would catch up that fast.

 

[WWGD]

You have overly-charitably mistaken me for saying the opposite of what I was actually saying. I was arguing that viewing the password as being made up of 62 possible choices would make it easier to hack than if it came from 150,000 choices. I was making the (pretty stupid) error of assuming that 62²⁵(based on PF allowing up to 25 character passwords) would be a lot less than 150,000⁴. Having now calculated both I see that 62²⁵, which is 6.453454278 X 10⁴⁴ is actually vastly larger than 150,000⁴, which is 5.0625 X 10²⁰. (62 has, in fact, already surpassed 150,000⁴ with a 12 character password.) 62 is so much less than 150,000 I just didn't think it would catch up that fast.

It is more a matter of the ratio between 62 and 150000 than about their difference. 150000 is a little less than 2500 times as big as 62. Sub-in then:

150000^4 < (62 X 2500)^4 . But 2500< 62^2 (since , e.g., 2500 < 60^2 =3600) , so

150000^4 < (62 X 2500)^4< (62 X 62^2)^4= (62^3)^4=62^12 , like you said.

Or you can take log on both 62^25 and 150000^4 too .

 

[zoobyshoe]

It is more a matter of the ratio between 62 and 150000 than about their difference. 150000 is a little less than 2500 times as big as 62. Sub-in then:

150000^4 < (62 X 2500)^4 . But 2500< 62^2 (since , e.g., 2500 < 60^2 =3600) , so

150000^4 < (62 X 2500)^4< (62 X 62^2)^4= (62^3)^4=62^12 , like you said.

Thanks! Very nice analysis.