Rant on Password Rules

Posted on by waregin

Everything you actually need to know about how to make secure passwords is in an xkcd strip. I’m going to rant about it anyway.

I’ve encountered a few awful password rules in my time.

Of course, from a purely “this is something I attended a lecture on” standpoint, the absolute worst rule a website can have is a length limit like only 8-12 characters. That can be brute force hacked fairly easily, especially if people go for only 8 characters. Even the most complex 8 character password can be hacked in about a minute on the best machines.

I know a lot of people have complained about complexity requirements, and I largely agree just on general principle. There are good reasons for forcing you to have a mix of upper case and lower case letters, with at least one number and special character thrown in. They do make especially short passwords more secure by making them harder to hack with a brute force method. However, one of the worst rules I see, and I come across it surprisingly often, is “no special characters”. I understand NOT requiring special characters, that’s fine. But requiring your users not use them is asking for your website to be hacked.

However, that isn’t even the worst. The absolute worst password rule I have ever encountered was for one of my work passwords. I entered what I wanted my password to be, and it met all of the listed complexity requirements, but when I submitted it, it was rejected. Why? It did not meet all of the complexity criteria in the first eight characters! There is no sense behind such a requirement. Absolutely none.

Really, the only rules any password system should have are “at least 20 characters” and “not all the same character or sequential characters”. Why?

If you already know how brute force hacking works, you already know. If you’d rather play with it and see for yourself how length is superior to complexity, go here (it’s a fun little password testing site I learned about in that lecture I mentioned earlier).

Here’s how brute force hacking works. They have a way to tell if a string of characters matches your password. Then, they test thousands of strings until one works. Let me give an example assuming starting with 6 characters.

  • aaaaaa
  • aaaaab
  • aaaaac
  • aaaaad
  • aaaaae
  • bbbbb
  • bbbbc

You get the idea, I hope. If you have a six character password of only lowercase letters, there are only 26^6 possible combinations it could be. That’s 308,915,776, which sounds like a lot. But a computer can cycle through all of those options in about 3 days, so it’s really easy to hack. However, look what happens when you change “qwerty” to “Qwerty”. That’s one of 19,770,609,664 combinations! Suddenly, this password can take months to hack, or less than a second on a really good computer. But add a 1 to the end to make it “Qwerty1” and it becomes one of 3,521,614,606,208 combinations.

Seriously, play around with that site for a while if this isn’t making sense. You’ll soon see why complexity requirements exist, but length requirements are better.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s