
Online password requirements have gotten ridiculous

  1. Aug 15, 2014 #1
    I've noticed that websites have started getting ridiculous with password requirements. I like to use the same password for everything, so I don't get confused about which account has which password. It's a pretty good password. It's a combination of letters and numbers and it's 8 characters long. But it seems like as time goes on, 8 characters just isn't good enough anymore. Now websites want you to include letters and numbers, with at least one of them being in caps. Or maybe they want the first character to be a letter, which means I have to change my 8 character password, because it doesn't start with a letter. Or maybe 8 characters isn't long enough anymore. They want you to have 15+ characters for your password. That's what my school password is. I had to basically double my old password.
    Another school I used to attend, but I still took classes at after graduating, requires you to change your password every once in a while. I guess that keeps everyone out of your account, including you, when you inevitably forget which password you chose for that specific time frame.

    I just finished changing my Ebay password, because my old password wasn't working. They could have simply just told me my password in the email instead of forcing me to change it. You'd think I could have used my standard 8 character password, since that obviously wasn't correct when trying to log in. Well, when I tried to use that, the website tells me I can't use passwords I've already used. So if I've already used that password... and I can't use that password to log in... then what's going on? They basically said "You can't make that your new password, because that's your current password." Yet it won't work when I try to log in. That's absurd.
    I guess that's not really a problem with passwords, it's a problem with Ebay. But that was the impetus behind this thread.
    When I was making my new password, it said my 8 character password was weak. I remember when I was a kid, I had 5 character passwords that were actual words. Websites would say that it was weak, and I agree. Now, my 8 character password is a combination of random letters and numbers and websites considered it strong. Now it's weak.

    Is it really the character limit that's making people's accounts get stolen? Or is it keyloggers or some such programs that copy what you're typing as your password, and let the hacker know what it is? If that's the case, then your character limit can be 20 characters, and it doesn't matter.
    Are websites making the character limit so high just to give the users a false sense of security? I think so.

    This isn't just a rant, this is a legitimate concern that eventually we're going to have to write our own novels, and use that novel as our password; a minimum of 50,000 characters.
  3. Aug 15, 2014 #2
    You think typical websites have become restrictive? Work for the Department of Defense! :eek:
  4. Aug 15, 2014 #3
    I always have to groan a little when I still see on TV, and in movies and books, people able to break into other people's computers by figuring out that the password is their daughter's nickname or their wedding anniversary date backwards. In other words, the key, in fiction, is in fathoming the account holder's psychology. Maybe 20 years ago, but not lately.
  5. Aug 15, 2014 #4
    Staff Emeritus
    Science Advisor
    I hate password requirements. I have so many different passwords for different accounts because what's good for one isn't good for another. Some places require 6-12 characters, others 8 and more, some have to have a capital, some a number etc. The worst is the university I am at, which requires 8-12, letters and numbers with at least one capital, and must be changed every term. It's a nightmare; every few months I have to come up with something different and the system tracks if it is in any way similar to your previous password, including if the pattern on the keyboard is the same.

    I find this topic quite interesting because it seems like such a system encourages insecure behaviour. I have a few friends who use password manager software rather than remember everything. Whilst this is all well and good, it means that if you can find out one password you can go onto their password manager and get everything, from their bank to their Facebook via their Amazon account. I also know people who write down their passwords in a planner or on their phone.

    It seems to me that it would be quite secure to scrap all the complicated and diverse requirements we have now in favour of a phrase. What is the likelihood that anyone could guess or break a password along the lines of "My green toad Timmy likes to eat peas."? Its length alone would seem to make it much harder to brute force hack.

    Perhaps I'm missing some key element that makes having several variants of "MniEl990" safer than the above example but I somehow doubt it.
  6. Aug 15, 2014 #5
    In a nutshell, it all comes down to the tools that the cracker is using. Shifting to a phrase-based password structure would only temporarily render the tools used today unfit.
  7. Aug 15, 2014 #6
    D H
    Staff Emeritus
    Science Advisor
    "Black hats" have hacked a number of different websites and stolen password files, some of them in the clear. "White hats" have purchased those stolen passwords and analyzed them. Per those analyses, people still use incredibly bad passwords. Until 2013, the number one password on the internet was "password". That password fell to the #2 slot in 2013, with the password "123456" taking the #1 slot. See "Password" unseated by "123456" on SplashData's annual "Worst Passwords" list for details.

    I am warned many times a year about social engineering, thanks to the ridiculous number of security refresher courses I have to take. I am warned that I might go to jail if I go to the corner bar and some sweet young thing sweet talks me into telling her that my mother's maiden name was Jones, that my first car was a Volkswagen, and that my first job was in Denver. (BTW, none of those is the correct answer.)

    Even now, weak passwords and social engineering remain at the top of the list of techniques used by "black hats" to break into other people's accounts.
  8. Aug 15, 2014 #7
    Science Advisor
    Homework Helper
    It's not just users that choose bad passwords. My employers have outsourced their computer systems management to a well known international company (best left nameless, to avoid embarrassment or lawsuits!). We bought a number of high performance computer systems with access controlled on the basis of "need to use". The so-called computer professionals decided the easiest way to set up new accounts was to set the password equal to the userID and flag it as time-expired, so the user had to reset it the first time they accessed the system.

    Apart from the short-term security hole between setting up the account and its first use, they forgot about a basic fact of human nature: the person who sent in a list of access requests from a project or department often just listed everybody who might need access eventually. After a few months, it was easy to find dozens of accounts that had never been used, with known passwords. Oops......
  9. Aug 15, 2014 #8
    No website should ever be able to tell you your password in an email - that would require that they have it either stored somewhere in plaintext, or that they could reconstruct the plaintext from what they have stored. Either way is horrendously insecure.
  10. Aug 15, 2014 #9
    I can believe this is true of average people on the internet, but in the works of fiction I mention, people are trying to break into the computers of people like company CEOs, terrorists, master criminals, and police detectives. The trick always turns out to be to figure out what is the most important thing in that person's life, and their password always ends up being related to that.
  11. Aug 15, 2014 #10
    Gold Member
    Since no one posted it yet, I guess I will :)

    Attached Files:

  12. Aug 15, 2014 #11
    I don't understand this cartoon. Why is the first one easy to guess and the second hard?
  13. Aug 15, 2014 #12
    D H
    Staff Emeritus
    Science Advisor
    Entropy. Physics and computer science have their own concepts of entropy, and they turn out to be closely related.

    Even if you follow the rules of what constitutes a good password, there just isn't that much information content in an 8 character password. If you follow the rules in spirit only (and that's exactly what most people do), there's hardly any information content at all in an 8 character password. That this is the case is what has provoked many websites and computer systems to go beyond the old 8 character password rule, and defiance against this is what provoked the original post.
  14. Aug 15, 2014 #13
    So, the single best thing you can do to optimize a password is make it longer?
  15. Aug 16, 2014 #14
    Staff: Mentor
    The best password discovery scheme was in the movie WarGames, where Matthew Broderick finds the secretary's password to the school system written down on a piece of paper taped to the desk drawer (pullout). The tougher the password rules, the more likely people will fall back on this scheme.

    Later on he uses his knowledge of Dr Falken to figure out the password. At that time, that trick would resonate with many computer users, and so today we are cautioned against it and even forced into a mix of numeric and punctuation characters.

    Nowadays, I can see hackers using a collection of passwords for the given user and discerning a pattern that could be used to attack a user account. As an example, some users may use a common base password and tack on some mnemonic related to the website.

    Another scheme I liked was the really long password where it could be some sort of sentence but many websites have limits on the number of characters allowed.

    I wish everyone would go to a zero-knowledge password scheme where it's always different but it uses knowledge private to yourself for the questions, making it much harder for someone to discern:

  16. Aug 16, 2014 #15
    Gold Member
    You guys should use something like Keepass (or keepassX) or Lastpass...

    Both of them allow for two-factor authentication (a master password + a second factor to authenticate; for KeePass it's a password + keyfile, for LastPass it can be a number of things), so it's pretty safe if you ask me. They also allow you to create incredibly strong passwords. My passwords are all 25+ characters nowadays.

    EDIT: Keep in mind that LastPass is cloud storage (encrypted, but still) while keepass(X) is for offline usage.
  17. Aug 16, 2014 #16
    Gold Member
    I personally keep a notebook with all my passwords close to my desktop computer.
    I've read that a random sequence of letters/signs can be easier to guess than 3 or 4 words stacked together due to entropy, as mentioned earlier. It is extremely unlikely that a human would guess 3 or 4 random words stacked together (and apparently also too hard for a computer that uses brute force to guess). Plus, if you know more than 1 language you can mix languages, etc.
    The requirement to have at least 1 capital letter and 1 digit is kind of ridiculous IMO. The only requirement should be an entropy greater than a threshold.
    If you use Google you'll find several websites that calculate the entropy for passwords (if you're paranoid don't put your exact password in there, but put a similar one).
  18. Aug 16, 2014 #17
    I don't see how one is easier than the other. The computer doing the brute force guessing would just treat the words as random sequences of letters, wouldn't it?
  19. Aug 16, 2014 #18
    Gold Member
    What about dictionary attacks?
  20. Aug 16, 2014 #19
    I suppose that would make stacks of random words easier than random strings of letters and numbers, but allegedly the opposite is true.
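A worked comparison, added here and not from any poster in the thread, of the entropy point in #12 and the dictionary-attack question in #17 and #19: each password style is scored under the attacker model that needs the fewest guesses, so a passphrase is credited only for its word count, not its letter count. The word-list sizes and the guess rate are constructed assumptions, marked in the code.

```python
"""Entropy estimates for password styles, under the attacker model that fits each."""
import math

LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33   # printable-ASCII character classes
ALNUM = LOWER + UPPER + DIGITS                   # 62 symbols
PRINTABLE = ALNUM + SYMBOLS                      # 95 symbols
WORDLIST = 7776        # assumption: a 6^5-entry diceware-style word list
COMMON_WORDS = 65536   # assumption: size of an attacker's list of common base words

def uniform_bits(choices: int, length: int) -> float:
    """Entropy of `length` positions, each drawn uniformly from `choices` options."""
    return length * math.log2(choices)

def passphrase_bits(words: int, wordlist: int = WORDLIST) -> float:
    """Words drawn at random from a known list, scored with words as the unit.

    An attacker picks whichever model needs fewer guesses; guessing whole
    words from the list beats guessing letters, so that is the bound to use.
    """
    return uniform_bits(wordlist, words)

def mangled_word_bits(dictionary: int = COMMON_WORDS, leet_bits: float = 3.0,
                      digits: int = 1, symbols: int = 1) -> float:
    """A common word with a few 'leet' substitutions plus a digit/symbol tail.

    Rule-based cracking enumerates base word, substitution pattern and tail
    separately, so their bits add; leet_bits is an assumed budget for the
    handful of substitutions people actually use (0 for o, 3 for e, ...).
    """
    tail = uniform_bits(DIGITS, digits) + uniform_bits(SYMBOLS, symbols)
    return math.log2(dictionary) + leet_bits + tail

def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years to try every candidate at an assumed offline guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)

def compare() -> dict:
    """Side-by-side estimates for the password styles discussed in the thread."""
    return {
        "8 random alphanumerics":      uniform_bits(ALNUM, 8),      # ~47.6 bits
        "8 random printable ASCII":    uniform_bits(PRINTABLE, 8),  # ~52.6 bits
        "mangled common word + tail":  mangled_word_bits(),         # ~27.4 bits
        "4 random list words":         passphrase_bits(4),          # ~51.7 bits
        "6 random list words":         passphrase_bits(6),          # ~77.5 bits
    }

if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name:28s} {bits:5.1f} bits  ~{years_to_exhaust(bits):.1e} years at 1e10/s")
```

The "mangled word" row is why a short password that satisfies every complexity rule can still score lower than four plain words: the rules are exactly what a cracking tool enumerates.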
  21. Aug 16, 2014 #20
    Science Advisor
    Homework Helper
    It's much easier for a human to remember a long password made from a sequence of words than the same number of random characters. You can probably remember a phrase of 7 or 8 random words just as easily as 7 or 8 random characters. If you choose words that are not "random" for you personally, or sufficiently surreal, remembering is even easier.

    I was once responsible for the configuration of a commercial software package where the password (set by the supplier) to access the really low level features was "twoimpossiblylargeandridiculousredandwhitespottedinflatablecows". Hard to type, but even harder to forget, even though it's about 20 years since I last needed to use it.