Consulting – P4ssw0rd1!

Password policy considered harmful…

We’ve all been told for years (decades!) that we need to have complicated passwords. MiXed CAsE, numbers, $¥ḿß()|$, the works.

The maths behind this is simple: the longer your password is, and the more characters that might be in it, the longer it takes for a computer to guess. Unfortunately, the usual format of “UPPERCASE lowercase number symbol” makes passwords that are hard to remember, likely to be reused, and not actually effective against the brute force, “try lots of passwords” attacks.

Most passwords require you to use at least one uppercase and lower case letter, one number, and one special character !@$%^&*()-+_=# and be at least 8 characters long.

Theoretically that’s quite complicated; 360 trillion combinations! But in practice the vast majority of passwords follow the format “Word1@” – an uppercase word with a numeral and special character at the end. Most people know around 40,000 words, and there’s only a dozen or so special characters that work reliably on all systems, so that’s easy for a computer to check through even if you try substituting numb3r5 f0r l3tt3r5 and around changing the order. That makes such passwords around 10 million times easier to guess; if a hacker could brute-force a “true random” one in 20 years, it’d take them about a minute to get the second.

This kind of password is also quite hard to remember, so most people come up with one and use it everywhere. “Petname89!” “fL0w3r$123” and the like. Chances are, you do this too…

You really shouldn’t.

If Mom&Pop Pet Supplies Co that you bought a novelty dog toy from back in 2002 gets hacked today and their database is stolen, if you’ve used the same email and password for your social media/bank/work/email accounts the hackers have access to all your accounts now. Eek!

So what to do?

NIST – the (American) National Institute for Standards in Technology – recommends that people setting password policies insist on at least 8 characters, and allow as many as you like, but drop the requirements for numbers, case and special characters. Just using more words makes passwords significantly harder to guess, and a lot easier to remember. This makes it a lot easier to use a different password for every service.

This has been best practice for a few years now, but you still see a lot of websites requiring the old “Password1!”-style passwords, often because they are being audited against obsolete standards. There’s no technical reasons for requiring these daft password policies:

– Short maximum length of passwords
– Requiring @!$%^ characters
– Requiring numbers
– Requiring users to periodically change their password
– Preventing users from using certain characters

If you are a developer or system admin, I’d recommend you review and implement NIST’s recommendations. If you are required to use an outdated standard for compliance reasons, flag it up that it is obsolete. Complain. Make a noise!

If you’re an end-user then, unfortunately, you might have to put up with daft password policies. The big take-away here should be to use a different password for every service, and try to use a good, random-word passphrase instead of bad, random-ish passwords – if the system doesn’t allow it, then submit a bug report!

Comments are closed