by mndgs 627 days ago
FINALLY. Good God, how annoying those website signups with "a good password must use a, b and c" are... It seems a lot of site devs know shit about what a good password is.
9 comments

I had one today that said my password must be between 6 and 20 characters. I had entered a generated 16 character password.

Generated another 16 character password, alphanumeric-only this time, and it worked.

If you're going to have forbidden characters, MAKE SURE YOU TELL ME WHAT THEY ARE!!!

The funniest password requirement I've seen was "must include a special character" but the special character selection was limited to #!$& and of course attackers know this requirement too. Combined with most people putting it at the end, that gives a little over 2 bits of entropy...
When I was creating a password for online banking, it required me to include at least one special char - but apparently they didn't consider the dollar sign ($) a valid character...
The good ol’ “Tell me you store passwords as plaintext without telling me you store passwords as plaintext”

The other message I get from sites like this is: "Our developers have no idea how to escape SQL parameters even though this has been standard since the 90s [80s? 70s?!], so we just do "'" + password + "'"."

Wait till you meet websites that simply truncate your password at 32 or 16 characters without telling you, leaving you to figure out why you cannot log in with the password you set just a minute ago ... and what that says about how they store passwords. Either they are complete idiots and do not understand what hashing will do, or they are even bigger idiots and store passwords in plain text in their database, so that the length matters this much.
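As an added, runnable illustration (my own Python, not code from anyone in this thread), here is the anti-pattern from the two comments above next to the fix: a plaintext column queried by string concatenation, where a quote in the password is a syntax error and a classic injection logs in without the password, versus a parameterised lookup against a salted PBKDF2 hash that accepts the whole password (spaces, dollar signs, non-ASCII) and never silently truncates. The table names, the sample user "alice" and the sample password are constructed for the example; the round count follows OWASP's published figure for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os
import sqlite3
import unicodedata
from typing import List, Optional, Tuple

MIN_LEN = 8
MAX_LEN = 256            # generous; the point is to never silently truncate
PBKDF2_ROUNDS = 600_000  # OWASP's 2023 figure for PBKDF2-HMAC-SHA256

# Constructed sample password: long, with a space, a dollar sign and a
# non-ASCII character, all of which a sane site should accept.
GOOD_PW = "correct horse $ battery staple \u2713 1234"


def check_password(pw: str) -> List[str]:
    """Return human-readable problems; an empty list means accept.

    No composition rules and no ad-hoc forbidden characters: apart from
    length, the only rejection is control characters, and the message
    names exactly which ones so the user is never left guessing.
    """
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"password must be at least {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"password must be at most {MAX_LEN} characters")
    controls = sorted({c for c in pw if unicodedata.category(c).startswith("C")})
    if controls:
        problems.append(f"control characters are not allowed: {controls!r}")
    return problems


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 over the NFKC-normalised UTF-8 bytes of the whole password."""
    salt = salt if salt is not None else os.urandom(16)
    pw_bytes = unicodedata.normalize("NFKC", pw).encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", pw_bytes, salt, PBKDF2_ROUNDS, dklen=32)
    return salt, digest


def verify_password(pw: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_password(pw, salt)[1], digest)


def setup_demo() -> sqlite3.Connection:
    """In-memory DB with one constructed user stored both ways (hypothetical table names)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_plain (name TEXT, password TEXT)")
    conn.execute("CREATE TABLE users (name TEXT, salt BLOB, digest BLOB)")
    conn.execute("INSERT INTO users_plain VALUES (?, ?)", ("alice", GOOD_PW))
    salt, digest = hash_password(GOOD_PW)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", ("alice", salt, digest))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """The anti-pattern: plaintext column plus string concatenation.
    A quote in the password breaks the query, and ' OR '1'='1 logs in
    without knowing the password at all."""
    sql = ("SELECT name FROM users_plain WHERE name = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()


def vulnerable_query_errors(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """True when the concatenated query fails to parse, i.e. the site would
    'have to' forbid that character instead of fixing the query."""
    try:
        login_vulnerable(conn, username, password)
        return False
    except sqlite3.OperationalError:
        return True


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised lookup, then constant-time comparison of the stored hash."""
    row = conn.execute("SELECT salt, digest FROM users WHERE name = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    return verify_password(password, row[0], row[1])


if __name__ == "__main__":
    conn = setup_demo()
    print(check_password(GOOD_PW))                         # []
    print(login_vulnerable(conn, "alice", "' OR '1'='1"))  # ('alice',): bypass
    print(vulnerable_query_errors(conn, "alice", "it's"))  # True: quote "forbidden"
    print(login_safe(conn, "alice", GOOD_PW))              # True
    print(login_safe(conn, "alice", GOOD_PW[:16]))         # False: no silent truncation
```

The truncation check at the end is the test to run against any site you suspect: set a 40-character password, then try logging in with the first 16 or 32 characters. If that works, the whole password was never what got stored.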
My default PW gen rule is only alphanumerics, far too many websites have issues with special characters. It’s also 24 in length because that tends to fit most, while 32 gives me frequent errors.
I also encountered a discrepancy between different input methods: AIUI the browser can encode the password in HTML or something like that, so punctuation characters can be mangled.
Do you know how long Unicode is? That's going to be a very looong list (on some sites)!

https://symbl.cc/en/unicode-table/

Just scrooooool...

A good password

- Must be likely to enter correctly on the first attempt, on a bad mobile keyboard, or using a TV remote.

- Must be likely to be remembered in my stupid brain even if I haven't used it for many years. Must work even in places where you can't use a password manager (such as a smart TV, games console, ...).

Other less important requirements to me, in 99% of cases:

- It's hard to guess for someone else, unless it's an account where you mind someone guessing it.

The last point is key. I have thousands of accounts. And I care about people not breaking into maybe 4 of them.

I don't trust sites to have good lost password ("email login") flows. So for 90% of sites and services I use a password that is a) as simple as possible and b) as common as possible so I don't have to remember many. Yes I AM a developer. Yes I DO use a password manager. But I don't know whether I'll be able to use my password manager when I sign into a specific account next time. It's more likely than not that it ends up being on a smart TV or whatever. So I just use a stupidly simple password. Because for almost all sites, I don't mind it being guessed. Worst case I'll need to reset it. Or worst case someone starts a support request in my name at Logitech, or someone screws with my Netflix viewing history or whatever. But I don't care. Or rather, I care much less than I care about not being frustrated when desperately logging in via a TV remote 3 minutes after the game has started.

I guard the important accounts with 2FA (especially the mail account that in turn resets ALL these other poorly protected accounts!). But for 99% of stores, forums, services: I use the equivalent of "12345" as password. (really I use a small prefix word + the service name 'initials' as suffix and end with an exclamation mark to pass most password demands).

> where you can't use a password manager (Such as a smart TV, games console, ...)

I just open my password manager on my phone and type it in. On these passwords, I am likely to avoid special characters, since they are a pain to type on these 'keyboards'

That's WAY too much work. I used LastPass, 1Password and Keeper as password managers. None of them is good enough to use that flow. Either the password is short and simple enough that I want to tap it in with a remote (i.e. <8 lowercase chars forming a dictionary word with maybe a digit added for good measure), in which case I won't need the manager. Or it's longer or more complex than that, in which case I don't want to type it in. In any case, having to take out a phone, start the pw manager app, log in (even with face/thumbprint), search for the site and show the password before entering it makes it like 5 steps instead of 1. Password managers that don't auto fill might as well not exist.
This is what diceware is the perfect remedy for. Sequence of randomly selected words with your choice of delimiter, reasonably easy to input even with a shitty touch-screen keyboard.

Surprised it's not a default option for modern password managers, to be honest.
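An added, runnable sketch of the Diceware idea (my own Python, not from this thread or from any password manager): words are picked with a CSPRNG or, for a physical roll, by mapping dice values to a list index, and the entropy is just words times log2 of the list size. The 36-word list is constructed for illustration; a real Diceware list has 7776 = 6^5 words, one per five-dice roll. For comparison with the "must include one of #!$&" rule mentioned earlier in the thread, entropy_bits(4, 1) is the 2 bits that requirement buys.

```python
import math
import secrets

# Constructed toy list: 36 = 6**2 words, so two dice select one word.
TOY_WORDS = [
    "apple", "basket", "candle", "dragon", "ember", "falcon",
    "garden", "hammer", "island", "jacket", "kettle", "lantern",
    "marble", "needle", "orbit", "pepper", "quartz", "rocket",
    "saddle", "timber", "umbrella", "velvet", "walnut", "xenon",
    "yogurt", "zipper", "anchor", "bridge", "cactus", "dolphin",
    "engine", "forest", "glacier", "harbor", "ivory", "jungle",
]
REAL_LIST_SIZE = 6 ** 5  # 7776 words in a standard Diceware list


def dice_per_word(wordlist_size: int) -> int:
    """Number of dice needed to index a list whose size is a power of six."""
    n = round(math.log(wordlist_size, 6))
    if 6 ** n != wordlist_size:
        raise ValueError("word list size must be a power of six")
    return n


def index_from_roll(roll) -> int:
    """Map dice values (1..6), most significant die first, to a 0-based index:
    (1,1,1,1,1) -> 0 and (6,6,6,6,6) -> 7775 on a full-size list."""
    index = 0
    for d in roll:
        if not 1 <= d <= 6:
            raise ValueError(f"not a die value: {d}")
        index = index * 6 + (d - 1)
    return index


def roll(n_dice: int):
    """Simulated roll using the OS CSPRNG (secrets), never random.random()."""
    return tuple(secrets.randbelow(6) + 1 for _ in range(n_dice))


def passphrase(wordlist, n_words: int = 6, delimiter: str = "-") -> str:
    """Join n_words uniformly chosen words; delimiter is the user's choice."""
    n_dice = dice_per_word(len(wordlist))
    return delimiter.join(wordlist[index_from_roll(roll(n_dice))]
                          for _ in range(n_words))


def entropy_bits(choices: int, picks: int) -> float:
    """Bits of entropy for `picks` independent uniform draws from `choices`."""
    return picks * math.log2(choices)


def words_needed(wordlist_size: int, target_bits: float) -> int:
    """Smallest word count reaching target_bits with a list of the given size."""
    return math.ceil(target_bits / math.log2(wordlist_size))


if __name__ == "__main__":
    print(passphrase(TOY_WORDS))                      # e.g. ember-walnut-...
    print(entropy_bits(4, 1))                         # 2.0: one of "#!$&"
    print(entropy_bits(REAL_LIST_SIZE, 6))            # ~77.5 bits
    print(words_needed(REAL_LIST_SIZE, 75))           # 6
    print(words_needed(len(TOY_WORDS), 75))           # 15: a small list needs many more words
```

The words_needed figure is the practical takeaway: six words from a full list clears 75 bits, which is why the length rather than the character classes is what matters, and why a short "friendly" list has to be compensated with a much longer phrase.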

You should only rely on your memory for passwords that you use frequently. Rarely-used passwords should be kept somewhere safe and well-maintained, such as a password manager and/or on paper.
Rarely used passwords are often a "reset password" anyway. But if it's some store or whatever that I use maybe once every 5 years, does it matter what the password is? My point was this: for most accounts, there is no risk involved with anyone guessing my password. It doesn't matter whether I return to a store and some hacker has guessed the password, or they were poorly hashed and their database leaked and my 12345 password was swiftly reversed. Because all you can do with my password on that store is... I'm not even sure what it is. Post spam in product review pages?
Years ago I worked in a Wells Fargo call center that had all the usual requirements including forced monthly rotation that had to be significantly different than the prior one.

Guess what the most common thing written on a post-it note on a monitor in somebody's cube was?

This was an outbound call center doing credit investigations, processing huge piles of PII and financial information daily.

I'm so glad to see this farce done away with.

> forced monthly rotation that had to be significantly different than the prior one

No need to write any of them down! Work smarter, not harder: WelcomeDecember2023! -> WelcomeJanuary2024! -> WelcomeFebruary2024! -> WelcomeMay2024! -> ...

(don't do this, obviously)

The funniest password sticky note I've seen was someone whose password was the name of their child and their birth year. Not a great password in general, but apparently they didn't know their kid very well because they had to write it down and stick it onto their monitor.

I had a website keep rejecting my registration at checkout, and Customer Support explained that I was tripping the bot filter for my password being too random. I had to introduce them to the concept of password managers, in 2020. It's a wild world out there.
And no white space characters. That one makes me want to hurl obscenities until the author's eyes pop out. Goddamned amateurs.
I wonder how well those correlate with poor password storage security practices (plaintext, lack of salt, lack of encryption, etc.)
The most offensive are the ones where it says "your password is not safe" but don't tell what the problem is!
The absolute worst I ever encountered was the Mojang to Microsoft account migrator. The only thing I ever found it accepted was one of those indecipherable browser generated passwords unfit for human entry or memory. Ofc the rules were never stated, so you just had to guess.
Pretty bad, but use a password manager and generate random passwords, unique to each account.
I really, really think that flow was designed to try to get more re-purchases of Minecraft.
I mean, they could've not deleted the accounts of people who didn't migrate (and instead just stopped them from playing until they did), and they did delete them, so that is definitely the case.
What are you so happy about?! Those devs will continue to not know what a good password is. It's not like a new standard will telepathically transplant itself into their brains.
Uncaring devs will stay uncaring, but I feel the bigger problem is still corporate. NIST recommendations carry little weight with corporate IT security. Certifications, compliance, and insurance do - so little will change until the revised recommendation works its way through the entire mutual appreciation society of audit agencies, "cyber" insurance providers, industry certification bodies, certification consultants, and a whole mud ball of enterprise middleware companies.

I mean, take Microsoft ecosystem (Windows, SharePoint, Exchange, and other auth infra): it never had any bullshit password policies enabled by default - but every corporate Windows machine has them, because someone in corporate IT is setting it as central policy, and they're doing it because they "know better", or because the company is trying to get/keep their ISO:2007-whatever SOC2 stamp (or trying to secure a deal with another company that is), and some consultant came up the other day with a questionnaire asking if corporate systems are Secure, by for example implementing Specific Bullshit Policy. Easier to implement it and call it a day, than to contest every other checkbox on the questionnaire...