'Use 1 capital' password prompts make them too predictable – study

A new study has found that password structure is a key flaw in making login IDs hard to guess. Security firm Praetorian analyzed 34 million stolen passwords from the LinkedIn, eHarmony and Rockyou breaches and found that 50 per cent of all passwords followed 13 basic structures. This lack of entropy makes it possible to use …
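The structural analysis the summary describes can be reproduced on any password sample you are entitled to audit (a password-policy review of your own user base, for instance). The block below is an added illustration written for this page, not Praetorian's code or data: it reduces each password to a character-class mask, measures how much of a sample the most common masks explain, and reports the entropy of the mask distribution. The password list is constructed and deliberately typical.

```python
import math
from collections import Counter

# Constructed sample standing in for a breach dump; the entries are made up
# and are deliberately typical of the "one capital, then digits" habit.
SAMPLE_PASSWORDS = [
    "Password1", "Welcome1", "Summer2015", "Monkey12", "Qwerty99",
    "letmein", "dragon", "football", "Secret!1", "Winter07",
    "iloveyou", "Trustno1", "Master99", "Hello123", "sunshine",
    "Admin2014", "Shadow77", "Princess1", "Charlie1", "xK9$q2!mWp",
]


def structure_mask(password: str) -> str:
    """Reduce a password to its character-class structure:
    u = upper, l = lower, d = digit, s = anything else.
    'Password1' -> 'ullllllld'.  Two passwords with different letters but the
    same mask are, structurally, the same guess."""
    classes = []
    for ch in password:
        if ch.isupper():
            classes.append("u")
        elif ch.islower():
            classes.append("l")
        elif ch.isdigit():
            classes.append("d")
        else:
            classes.append("s")
    return "".join(classes)


def mask_counts(passwords) -> Counter:
    return Counter(structure_mask(p) for p in passwords)


def top_mask_coverage(passwords, top_n: int) -> float:
    """Fraction of the sample explained by the top_n most common masks.
    The study's '50% follow 13 structures' is this number for top_n = 13."""
    counts = mask_counts(passwords)
    covered = sum(n for _, n in counts.most_common(top_n))
    return covered / len(passwords)


def structural_entropy_bits(passwords) -> float:
    """Shannon entropy of the mask distribution, in bits. The upper bound is
    log2(number of distinct masks); the closer the sample sits to zero, the
    less the structure itself adds to the work of guessing."""
    counts = mask_counts(passwords)
    total = len(passwords)
    return -sum((n / total) * math.log2(n / total) for n in counts.values())


if __name__ == "__main__":
    for mask, n in mask_counts(SAMPLE_PASSWORDS).most_common(5):
        print(f"{mask:12s} {n:3d}")
    print(f"top 3 masks cover {top_mask_coverage(SAMPLE_PASSWORDS, 3):.0%} of the sample")
    print(f"structural entropy: {structural_entropy_bits(SAMPLE_PASSWORDS):.2f} bits")
```

On the constructed sample, three masks already account for 55% of the passwords, which is the kind of concentration that makes a "one capital, some digits at the end" rule counterproductive: the rule tells users where to put the complexity, and they comply in the same way.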

  1. bigtimehustler

    Yes, the alternative being that if I followed best practice for passwords on every single site I use then I would never remember any of them and would have to reset my password every time I wanted to log in, may as well just make two factor compulsory and stop relying on passwords as the sole gatekeeper.

    1. AMBxx Silver badge

      No it doesn't

      Just write them on a post-it, then stick to your monitor. Problem solved.

      1. Mark 85 Silver badge

        Re: No it doesn't

        At home, that will work very well... unless you have unwelcome visitors. Even then... maybe not a problem. They'll steal the computer and ignore the Post-It notes.

        At work.. I use a small notepad that's kept in a locked drawer. (We're not allowed to put a PW manager on company machines). I note that many (most) of the employees do the same notepad kept away from prying eyes thing. But there's a few who use Post-It notes... usually managers who won't listen to the reality of locking those away. Go figure...

        KISS works for most of us.

      2. Anonymous Coward

        Re: No it doesn't

        @AMBxx - "Just write them on a post-it, then stick to your monitor. Problem solved."

        That's a horrible system. What if you lose the post-it note?

        Take a picture of your post-it note with your phone, send it to your computer as a jpg, and then regedit the LockScreenImage string to use the image as your login screen.

        Problem solved.

    2. FartingHippo

      Trust

      I think you have to make a leap and trust something to hold everything.

      Pick a password safe (carefully) and lock it with the one complicated password you make the effort to commit to memory. Then write down that password on an anonymous and otherwise blank piece of paper and leave it in that decorative tea-pot your mother has. Just in case :)

      1. theModge

        Re: Trust

        I've gone for that approach, via LastPass, as such all my new passwords are now the maximum allowed length and support the maximum allowed range of characters. I let it import my old passwords and I'm changing them piecemeal.

      2. Captain DaFt

        Re: Trust

        "I think you have to make a leap and trust something to hold everything."

        I find that this works best these days: http://www.angryflower.com/986.html

      3. Rich 11 Silver badge

        Re: Trust

        Then write down that password on an anonymous and otherwise blank piece of paper and leave it in that decorative tea-pot your mother has.

        You mean the one I keep her ashes in?

        1. Kubla Cant Silver badge

          Re: Trust

          Then write down that password on an anonymous and otherwise blank piece of paper and leave it in that decorative tea-pot your mother has.

          The paper's not going to last long if she keeps making tea in the pot.

      4. Stevie Silver badge

        Re: Trust

        ...paper and leave it in that decorative tea-pot your mother has. Just in case :)

        Add one (1) snake for peace of mind as per my useful anti head-boiling burglar tips.

    3. Triggerfish

      I think the safer way is to have a generic pattern for sites that don't mean much, and don't leave your information on the sites if they ask you to store your credit card details etc. for ease of use next time, just as many of these sites are losing their info from poor internal security practices.

    4. asdf

      easy

      KeePassX. Only have to remember one password (for the AES encryption on the internal app DB) but you can then have different 20+ random character passwords for each site (it can generate for you). Plus it's free, open source, cross platform, not tied to a single browser and no cloud bullcrap. Plus it comes by default in Tails OS which is why I started using it.

  2. Charlie Clark Silver badge

    What's the real issue?

    A key part of the problem is with the websites themselves…

    The key part of the problem is passwords themselves as they're so difficult to remember.

    mnemonic + capitalisation + substitution + user/service salt will produce a strong password that you should in theory be able to remember but only if you're systematic about it and this always adds to the risk.

    1. janimal

      Re: What's the real issue?

      Yes, and inevitably some websites enforce password rules that prevent you from using your system because they won't accept the length or won't allow punctuation characters.

      The ones that really annoy me are those who won't let you use a password you have used previously. Surely this means they are storing all the passwords you have ever used with them before - so if that data gets robbed it provides an even richer source of password material :/

      1. Charlie Clark Silver badge

        Re: What's the real issue?

        The ones that really annoy me are those who won't let you use a password you have used previously.

        Add a cycler, but yeah some restrictions are simply stupid.

      2. Number6

        Re: What's the real issue?

        Not necessarily, they can just hold a hash value (although with brute force they can recover the password that generated the hash). Most of these things only store the last n passwords anyway, so you can always repeatedly change your password until it lets you have your old one back.

        1. edge_e

          Re: What's the real issue?

          I think the real issue is that by having any rule, you're limiting entropy.

          1. Michael Wojcik Silver badge

            Re: What's the real issue?

            I think the real issue is that by having any rule, you're limiting entropy.

            The real issue is that passwords are terrible authenticators. They make precisely the wrong trade-offs. They're a relic of resource-constrained systems from decades ago, and no new systems should be using them.

            Passphrases are a little better.

        2. DropBear

          Re: What's the real issue?

          I got uneasy and started racking my brain where else did I see this "have one more than the last N values the system checks and denies" scheme, then I remembered - certain printers refuse to use the last (chipped) toner cartridge even if you refill it / reset it / whatever successfully, because they store its read-only serial number (and that's stored in the printer not in the cartridge so you can't just reset it) - so obviously, people just use TWO sets of cartridges because only the last serial is remembered. Yeah, life is strange...

  3. Filippo

    I'd love to just go the correct-horse-battery-staple route, but most sites won't let me. Rejecting a 30+ character password just because it's all lower-case is stupid.

    1. Anonymous Coward

      Had this very problem today

      Tried to enter a 30 character password, with 4 caps, 3 digits, 5 special characters and the rest lower case. Too long. Bleh. Damn you char(20) !!!

      1. This post has been deleted by its author

    2. Graham Marsden
    3. Michael Wojcik Silver badge

      I'd love to just go the correct-horse-battery-staple route, but most sites won't let me. Rejecting a 30+ character password just because it's all lower-case is stupid.

      Well, it's not hard to have a long passphrase and scatter some capital letters and punctuation into it to satisfy "strength" requirements imposed by a moron.

      The real problem with using passphrases is length restrictions, which are even more idiotic. The number of web sites - web sites, for the love of god - that impose password length or entry restrictions is truly amazing. Microsoft's Outlook Web Access, for example, silently truncates the password entered by the user, as I discovered when I couldn't get it to accept my 38-character passphrase.

      Even worse: Schwab's online banking site limits passwords to 8 characters. There's no excuse for that - it's sheer incompetence. (Even if their backend is a legacy system with password-length restrictions, hash longer passwords and then express them in base-n, where n is the size of the password alphabet for the backend system. Then converting longer passphrases to allowable passwords is trivial.)

  4. Eddy Ito

    Let's not forget the sites, like some banks, who implement this policy then limit you to 10 characters or less.

    1. Charlie Clark Silver badge

      There's a reason for that: they'll be able to blame you when your account is inevitably hacked. Solution: use HBCI only.

  5. Josh 14

    I get annoyed when some of the sites require exactly the mix of letters, numbers, symbols, and caps that they specify, and will not allow anything more.

    I don't know how many times I've run into one that wants exactly eight characters, with one being caps, one a number, and a certain subset of symbols (which it does not state, until it rejects an attempted password...)

    1. Alan Brown Silver badge

      "I don't know how many times I've run into one that wants exactly eight characters"

      It's as stupid as PHP email validation routines which disallow "+"

      Limiting to 8 characters makes password cracking trivial once the crypts have been obtained.

      1. codebeard

        It's as stupid as PHP email validation routines which disallow "+"

        That's hardly PHP's fault. They even provide a working function to test email addresses:

        filter_var('user+name@example.org', FILTER_VALIDATE_EMAIL)

    2. Crazy Operations Guy

      My previous company requires passwords in the form of 5 letters, a special character, then 3 numbers. This was caused by some ancient mainframe system and a home-brewed password encryption system. The company's name has 5 characters in it, and people tend to increment the last three digits each time they reset their password... I discovered my old boss's password, it was just Sunil&### with ### being which cycle, started at 001 then was incremented to 002 and so forth....

      And these are the people that are designing your phones, running your cloud systems and in case of one division, guiding your airplanes.

      My new company requires a minimum of a 16 character password and requires white space. The employee manual actually has a whole guide on pass phrases and recommends that people use sentences and phrases like:

      " Chapter 5 starts with 'But alas, he was alone!' "

      or

      "This book cost me $19.99."

      But overall, it recommends using sentences like that, which you would logically write on a piece of paper or type several times a day, to defeat people finding it by snooping around or even using a keylogger. For a while my password was "Where is the 10:30 meeting today?"; a reasonable reminder (not that I needed one) could have been a post-it with just "10:30 meeting" written on it and no one would be the wiser.

      1. Allan George Dyer Silver badge

        @Crazy Operations Guy - So the first thing you typed after returning from lunch every day was, "Where is the 10:30 meeting today?"

        1. Michael Wojcik Silver badge

          So the first thing you typed after returning from lunch every day was, "Where is the 10:30 meeting today?"

          That's shorter than my current Windows domain passphrase, which I enter several times a day. I don't let any software remember my passwords, so I have to enter it when I reconnect to the VPN, unlock my laptop, etc. I don't think I've mistyped the current one yet, and I've had it for a couple of weeks now.

          Typing a 32-character passphrase quickly and accurately isn't hard if you're a decent touch-typist.

          I generate my passphrases with a simple (Cygwin) bash command line, using $RANDOM/sort/head/strings on aspell's English dictionary. That gives me a screenful of words chosen at random from the dictionary. I put together a nonsense but memorable phrase (as in the XKCD method, which has been recommended by various security researchers for decades), then scatter some numerals, capitals, and punctuation to make the group-policy password constraints happy. Jot down a hint in case I forget it and put that in a safe location, and I'm good to go.
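The dictionary-sampling method above (random words from a word list, then a few capitals, digits and punctuation marks added to satisfy group policy) is easy to get subtly wrong, so here is an added example written for this page, not the poster's own Cygwin command line. It uses the operating system's CSPRNG via Python's `secrets` module rather than bash's `$RANDOM` (a 15-bit generator that is not suitable for this), draws from a small constructed word list standing in for the aspell dictionary, and computes the entropy the draw actually provides. The `satisfy_policy` step is the "scatter some numerals, capitals and punctuation" decoration; the word list, function names and policy thresholds are assumptions.

```python
import math
import secrets
import string

# Constructed word list (32 entries) standing in for a real dictionary such as
# aspell's or the EFF long list, which have thousands of entries.
WORDLIST = sorted({
    "anchor", "basket", "candle", "dragon", "engine", "forest", "garden", "hammer",
    "island", "jacket", "kettle", "ladder", "magnet", "needle", "orange", "pencil",
    "quartz", "rocket", "saddle", "tunnel", "upward", "violin", "walnut", "yellow",
    "zipper", "bridge", "cactus", "desert", "falcon", "glacier", "harbor", "jungle",
})


def passphrase_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of n words drawn uniformly and independently from the list.
    Only the draw counts: a phrase you 'put together' by hand is worth less."""
    return n_words * math.log2(wordlist_size)


def words_per_target(bits: float, wordlist_size: int) -> int:
    """How many words a list of this size needs to reach `bits` of entropy."""
    return math.ceil(bits / math.log2(wordlist_size))


def generate_passphrase(n_words: int, wordlist=WORDLIST) -> str:
    # secrets.choice is backed by os.urandom; every word is an independent draw.
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def satisfy_policy(phrase: str) -> str:
    """The decoration step: one capitalised word, one number, one punctuation
    mark, at random positions. It satisfies a composition rule but adds only a
    few bits; the strength still comes from the word draw."""
    words = phrase.split(" ")
    words[secrets.randbelow(len(words))] = words[secrets.randbelow(len(words))].capitalize() \
        if False else words[0]  # placeholder, replaced below
    words = phrase.split(" ")
    i = secrets.randbelow(len(words))
    words[i] = words[i].capitalize()
    words.insert(secrets.randbelow(len(words) + 1), str(secrets.randbelow(100)))
    return " ".join(words) + secrets.choice("!?.,;:")


def meets_policy(pw: str, min_len: int = 16) -> bool:
    """A typical group-policy composition rule (assumed): length plus one of
    each of upper case, digit and punctuation."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


if __name__ == "__main__":
    phrase = generate_passphrase(6)
    print(phrase, "->", satisfy_policy(phrase))
    print(f"{passphrase_entropy_bits(6, len(WORDLIST)):.1f} bits from this list; "
          f"{passphrase_entropy_bits(6, 7776):.1f} bits from a 7776-word list")
    print("words needed for 64 bits from 7776-word list:", words_per_target(64, 7776))
```

Six words from a 7776-word list give about 77.5 bits; the same six words from this 32-word toy list give only 30, which is why the size of the dictionary matters as much as the number of words. Keep the hint the poster mentions separate from the phrase itself: a hint that reproduces the words removes the entropy the draw added.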

    3. Zane

      Yep - sometimes I will even send them a mail that their password policy is plain stupid. So far I never got an answer.

      /Zane

    4. Platelet

      My personal bugbear are those that won't even tell you why they're rejecting your password, so you keep having to shorten and simplify it till you get one that works.

  6. This post has been deleted by its author

    1. Cliff

      Emoji Passwords are the way forward :-)

    2. Bill Gray

      "...What would help is if more sites would let you use Unicode..."

      I've wondered about this. Why the (censored) _can't_ I use Unicode? (To send a password: switch keyboard layout to Russian, type something in English that comes out as Cyrillic gibberish, switch back to English.) And why, oh why, can't I use spaces or more than 20 characters? (Honest question here: am I correct in assuming these last two limitations mean the site is probably storing an unhashed password? Or are there actually valid reasons for crippling security in this manner?)

      -- Bill

      1. DropBear

        Re: "...What would help is if more sites would let you use Unicode..."

        Awesome idea. Now please access the same system from a smartphone keyboard. I'll even let you install Cyrillic support on it! Just hold on until I fetch the popcorn...

        1. Bill Gray

          Re: "...What would help is if more sites would let you use Unicode..."

          @DropBear :

          "...Now please access the same system from a smartphone keyboard. I'll even let you install Cyrillic support on it! Just hold on until I fetch the popcorn..."

          True, not a system for all people or purposes. Or possibly, even very many. But there are those of us (myself included) who use phones as little as possible. I make the occasional traditional, 19th-century style "call" from time to time, where you talk and listen, just like Great-Grandma used to do. And, on rare occasion, a text message or two. No passwords. And in any case, this is 2015; the world extends beyond nations with languages fitting conveniently into eight bits.

      2. Michael Wojcik Silver badge

        Re: "...What would help is if more sites would let you use Unicode..."

        am I correct in assuming these last two limitations mean the site is probably storing an unhashed password?

        Probably not, actually. These sorts of restrictions are more likely due to legacy limitations in input systems, poor coding in applications that accept passwords and submit them to the verification back end, or artificial constraints imposed by programmers who weren't sure if there might be a problem, and rather than find out simply restricted the input.

        One common case is where the back end is, or originally was, a system with terminal input that could only handle a restricted character set: IBM EBCDIC mainframe, for example, with something doing ASCII-EBCDIC translation in front of it, or an old UNIX system. Since these back ends only let users enter a limited character set, when people put web or GUI-application front ends in front of them, the developers would restrict the input.

        So, for example, while RACF on modern z/OS uses strong password hashes, an old COBOL transaction program running in a z/OS CICS region and doing an EXEC CICS SIGNON is limited to 8 printable EBCDIC characters for the password. Put a fancy web front end on that, but if you're passing the user password directly to that old COBOL app, the user's password will have to be no more than 8 characters, and they'll have to be ones that map to printable EBCDIC.

        Now, as I pointed out in another post, it's certainly possible to hash longer passwords into short printable strings; and the same goes for reducing the character set.[1] But few organizations doing this kind of legacy-application modernization seem to understand that, or be willing to implement it.

        [1] An idea this obvious - why, I ought to patent it.
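The mapping described in this post and in the earlier one about Schwab (hash the long passphrase, then express the result in base-n over the back end's alphabet) looks like this in practice. This is an added example for this page, not code from the poster or from any IBM product; the alphabet, the 8-character limit, the salt construction and the iteration count are assumptions. Two caveats a practitioner would want: the derived password's strength is capped by the back end's own space (8 characters over 36 symbols is about 41 bits, whatever the passphrase), and the mapping only helps if every path to the legacy sign-on goes through it, otherwise guesses can simply be submitted to the old interface directly.

```python
import hashlib
import math

# Assumed legacy constraints: an upper-case alphanumeric alphabet (which maps
# cleanly to printable EBCDIC) and an 8-character password field.
LEGACY_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
LEGACY_LENGTH = 8


def derive_legacy_password(passphrase: str, username: str,
                           alphabet: str = LEGACY_ALPHABET,
                           length: int = LEGACY_LENGTH,
                           iterations: int = 200_000) -> str:
    """Deterministically map an arbitrary passphrase (any length, any Unicode)
    to a fixed-length password over `alphabet`.

    PBKDF2 makes each guess at the passphrase expensive, the username in the
    salt keeps two users with the same passphrase from getting the same legacy
    password, and the digest is then written out in base len(alphabet)."""
    salt = b"legacy-map/v1/" + username.lower().encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations)
    n = int.from_bytes(digest, "big")
    out = []
    for _ in range(length):
        n, r = divmod(n, len(alphabet))
        out.append(alphabet[r])
    return "".join(out)


def legacy_space_bits(alphabet_size: int, length: int) -> float:
    """Size of the back end's password space; the mapping cannot exceed it."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed inputs, including a passphrase with spaces and non-ASCII text.
    for user, phrase in [("alice", "correct horse battery staple"),
                         ("bob", "Пароль, который я помню: чай и книги")]:
        print(f"{user}: {phrase!r} -> {derive_legacy_password(phrase, user)}")
    print(f"legacy space: {legacy_space_bits(len(LEGACY_ALPHABET), LEGACY_LENGTH):.1f} bits")
```

Because the username is part of the salt, renaming an account changes the derived password; a stable internal user id is the better salt input if the system has one. The derivation must run on a component you control (the web tier or an authentication proxy), never in the browser, so the passphrase is not exposed to the legacy path at all.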

  7. Ken Hagan Gold badge

    Case sensitivity

    Don't forget that there are some sites out there that are case insensitive on passwords and others that are case sensitive on email addresses.

    Fortunately, the worst offenders often perform all the validation in JavaScript so if you View Source on the offending web page it is possible to reverse engineer the rules. (Dunno what "normal" people do, though.)

    1. Crazy Operations Guy

      Re: Case sensitivity

      Like Sprint and their case-sensitive usernames and passwords shorter than 15 characters with no punctuation. Screams "client-built SQL query"...

  8. Hilibnist

    Password rage

    This. Largely caused by having to remember* a complex never-before-used upper/lower/numeric/punctuation password for a supermarket loyalty card** to protect my largely spurious personal information. And trying to follow good practice by not duplicating another password and not being systematic.

    Just because the eager beaver who put the system together *could* tick all the security boxes, it doesn't automatically mean that it was absolutely necessary.

    * okay, not remember. Just reset when I use it. Like that stupid Verified by VISA thing.

    ** yeah, but there are some convenient savings sometimes.

    1. Anonymous Coward

      Re: Password rage

      I up-voted you for mentioning the idiotic Verified by VISA thingy.

      Using my credit card number and my birthday as the only requirements to reset the password is plain stupid because they are not so secret. Besides that, the reset being done in a small frame of a hidden website for which you cannot verify the validity of SSL certificates is close to dangerous.

      It makes me sick to think a cretin turned into developer takes pride in pushing that as a security measure.

      I even called my bank to talk about it and they refused to discuss that matter insisting it's being done for security purposes.

      1. Ben Tasker Silver badge

        Re: Password rage

        Yup, VbV is a complete waste of time.

        I actually made the effort to try and remember the phrase I used a while back (rather than setting a random string knowing I'd just reset next time). Got one, ONE character incorrect the next time I tried to use it, and as a result of that single borked attempt they made me reset and wouldn't let me reset to the phrase I'd bothered to remember.

        So I'm back to 'forgot my password' -> set to a random string -> make no attempt to remember it.

        Which means it, once again, provides bugger all value whatsoever.

        1. Crazy Operations Guy

          Re: VbV

          What is even worse is when you get the password wrong and they lock your card. Had that happen to me while booking a last minute ticket out of Ukraine last year. Passwords are pretty hard to type on a smartphone with such a ridiculous password policy when you're in the back of a cab that is red-lining the engine and blowing every stoplight...

          1. Number6

            Re: VbV

            when you're in the back of cab that is red-lining the engine and blowing every stoplight...

            In some places that's normal behaviour for a taxi.

            1. This post has been deleted by its author

        2. BristolBachelor Gold badge

          Re: Password rage

          I wrote down my VbV password once (the horror) just to prove to myself that I wasn't going senile, and it still didn't work. When I managed to complain to someone knowledgeable there, he admitted to me that the password was automatically retired after 4 weeks of no use, so that was the reason why. Now I just reset it every time.

  9. Anonymous Coward

    Use a high-entropy password generator

    Low entropy in your passwords is the weakest link in any crypto-system.

    Use a high-entropy Random Bit Generator

    1. Charlie Clark Silver badge

      Re: Use a high-entropy password generator

      And exactly how memorable are high entropy passwords?

    2. Michael Wojcik Silver badge

      Re: Use a high-entropy password generator

      Low entropy in your passwords is the weakest link in any crypto-system.

      There's a whiff of Poe's Law here, but I'm assuming this isn't meant as a joke.

      The "weakest link" in most security systems, regardless of the use of cryptography, is human beings. To claim that it's "low entropy in ... passwords" is simply stupid.

      Even if we restrict ourselves to the cryptographic operations per se, in many cases of actual deployed systems, low password entropy was far from the most serious problem. There have been many systems that used weak mechanisms for generating password verifiers, for example - sufficiently weak that even optimal password entropy didn't significantly increase the attacker's work factor.

  10. Nick L

    Try signing up to Boots...

    Try signing up to Boots.com. The password requirements are quite frankly ridiculous, and ended up with me typing in garbage - which is probably what they want.

  11. Andy Nugent

    Password generators

    I've also had trouble using a random password generator on various sites because it was:

    (a) too long

    (b) didn't match their rules (despite being 16 random characters of lower/upper/numbers).

    (c) the website blocked the ability to copy 'n' paste into the text box, forcing me to use a password I could be bothered to type out twice.

    It's almost like the developers don't understand the maths and think creating rules makes it harder to crack (tip: a 20-character phrase all in lower case is harder to crack and easier for humans to remember than a 6-character password with uppercase/lowercase/numbers/symbols).

    1. Ben Tasker Silver badge

      Re: Password generators

      Max lengths piss me off, given the things should be salted and hashed in the database anyway (long passwords are all reduced to the same length as short passwords in terms of DB storage). So why limit me to 8 characters??

      I can understand having some kind of a limit so I don't try and set a 10KB string as a password, but low character limits are just stupid.

      1. Crazy Operations Guy

        Re: Password generators

        Even typing a 10KB string shouldn't be a problem either. A hash should just work on a string no matter its size or even its contents. I should be able to use an executable as a password. I suppose the issue is memory exhaustion for the hashing process, but RAM is cheap nowadays anyway, so even if the hasher requires 1 MB per session, you could still support 10s of thousands of users on a modern web server.

        1. DropBear

          Re: Password generators

          "A hash should just work on a string no matter its size or even its contents."

          Well, yes, but the dev defined the 8-letter password input buffer as char[8] (well, char[9], if you're lucky)...

    2. Anonymous Coward

      Re: Password generators

      Since so many developers are "self taught" or come in via some kind of trade school, you can't expect that they've had any exposure to theoretical concepts like entropy. Their managers are usually even worse off.

      When anyone asks about this sort of thing I always point them to xkcd # 936, not because it contains the most mathematically accurate presentation of the subject, but because it gets people to start thinking about the problem in the right way.

      Here's an entropy aware pass phrase generator I really like:

      https://www.fourmilab.ch/javascrypt/pass_phrase.html

      And a strength checker that uses the same principles to evaluate what you've created:

      http://rumkin.com/tools/password/passchk.php

      1. Kubla Cant Silver badge

        Re: Password generators

        Here's an entropy aware pass phrase generator I really like:

        https://www.fourmilab.ch/javascrypt/pass_phrase.html

        Yikes! I flatter myself that I have a good vocabulary, but a high proportion of the passphrases contain unfamiliar, foreign or obscure words.

        overnice bowline sceptic octopus pleopod sentient

        licorice patroon miler bondman tramline dicker

        par compo gyrus carolus rejoice jack

        whoreson winding digit lozenge skiplane hopper

        refer hyoscine nude ala fender piton

        resign hawfinch enshrine assignor boast heliport

        compos trigraph slacks genital corpsman akene

        matchbox squeaky plump haloid sapwood metallic

        byelaw smallish turbit marking afforest praetor

    3. Rimpel

      Re: Password generators

      I concur with all of your gripes. Long password restrictions are particularly annoying. Sometimes the password field is a fixed length or the password is silently truncated somewhere before it is saved with the new account. Either way this means next time I try and log in my password is inevitably wrong and it is a case of trial and error to guess what length I need to truncate my password to. Usually I have to do a password reset and use a shorter password hoping it is short enough this time.

      If the password length is limited then it should be clearly stated when the password is created.
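The two complaints in this sub-thread (a low maximum length, and a maximum that is silently applied so the stored password no longer matches what the user types) have the same fix: validate explicitly, reject with a stated reason, and never cut the string. The block below is an added example for this page, not code from any site the posters mention; the limits, the storage format and the function names are assumptions. The `char[8]`-style truncation is reproduced deliberately so the lock-out symptom can be seen next to the corrected version.

```python
import hashlib
import hmac
import os

# Assumed policy: a minimum for quality and a generous byte ceiling so that a
# client cannot make the server run the KDF over megabytes of input. Neither
# is anywhere near the 8, 10 or 20 characters the thread complains about.
MIN_PASSWORD_CHARS = 12
MAX_PASSWORD_BYTES = 1024
PBKDF2_ITERATIONS = 200_000


class PasswordPolicyError(ValueError):
    """Raised with a human-readable reason; the user sees it at signup."""


def legacy_store_truncating(password: str) -> str:
    """The bug being discussed: the field is effectively char[8], so only the
    first eight characters are kept and nobody is told."""
    return password[:8]


def login_after_silent_truncation(password_at_signup: str, password_at_login: str) -> bool:
    """Symptom: the full password typed at login never matches the truncated
    copy that was stored at signup."""
    return legacy_store_truncating(password_at_signup) == password_at_login


def validate_password(password: str) -> None:
    """Explicit checks in place of truncation. The ceiling is measured in
    UTF-8 bytes because that is what the KDF consumes, so Unicode input
    (Cyrillic, emoji, spaces) is accepted on the same terms as ASCII."""
    if len(password) < MIN_PASSWORD_CHARS:
        raise PasswordPolicyError(f"password must be at least {MIN_PASSWORD_CHARS} characters")
    if len(password.encode("utf-8")) > MAX_PASSWORD_BYTES:
        raise PasswordPolicyError(f"password must be at most {MAX_PASSWORD_BYTES} bytes")


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; the stored record is the same size whatever
    the password length, which is the poster's point about storage."""
    validate_password(password)
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256" or len(password.encode("utf-8")) > MAX_PASSWORD_BYTES:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print("legacy login with full password works:", login_after_silent_truncation(pw, pw))
    record = hash_password(pw)
    print("hashed login works:", verify_password(pw, record))
    try:
        hash_password("a" * 5000)
    except PasswordPolicyError as e:
        print("rejected with reason:", e)
```

The byte ceiling exists because a slow KDF costs time proportional to its input as well as its iteration count, so an unbounded field is a denial-of-service vector; the answer is a ceiling the user will never hit, stated in the form, not a ceiling of 8 applied in silence.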

  12. MatsSvensson

    12AB.,

    I have "12AB.," on a speed-dial just for stupid motherfucking sites like that, and then I add it to the end of my actual safe PW.

    Assholes that think adding extra special little-princess predictable patterns into all of their users passwords, need to get taken out and shot in the head.

    (and then get shot in the head 2 more times, and then 1 time exactly 7 minutes later)

  13. Anonymous Coward

    Craziest implementation of restrictions

    The craziest implementation I have EVER come across is a company who really must remain nameless (hence the AC post).

    Their rule states no consecutive letters. So, having used "B" for instance, you can't then use "A" or "C" ANYWHERE IN THE PASSWORD! Each letter you use effectively eliminates 2 others!!

    After several invalid passwords, and a phone call to find out what the restrictions are, I eventually managed to construct something suitable.

    1. Anonymous Coward

      Re: Craziest implementation of restrictions

      They probably thought that the Enigma was a good idea (no letter can be translated into itself). And look what that led to.

  14. Rufus McDufus

    Long passwords

    Password handling is one of the most borked aspects of websites. The number of sites that don't specify a max number of chars but will let you enter (say) a 20 or 30 char password, and then mysteriously you're unable to log in afterwards because presumably they've trimmed the password to some invisible maximum and you haven't got a clue what it is.

    1. Kanhef

      Re: Long passwords

      I encountered one site with a similar issue. On the account creation page, the password field had a length of 20 characters, but the login page only allowed 10. Somewhat concerning that no one at the company who developed, tested, or used the site had a password longer than 10 characters.

    2. Anonymous Coward

      Re: Long passwords

      I also encountered something like this on a website...But I knew it was trimmed because upon registering I received my password in plain text in an email and noticed that it was shorter...

  15. Donald Becker

    This is clearly a company trying to make a name for itself, without addressing the real problem.

    Most security failings are not because of weak passwords. Once you move beyond dictionary attacks, your password is secure enough.

    The real vulnerability is everything else surrounding the password. As we have found out, major sites have stored unencrypted user passwords in spreadsheets, truncated passwords to only the first few characters, had trivially weak encryption, used no salt, and used a fixed salt value.

    In between you and the site with questionable security are people watching you type, keyloggers, fake login prompts, compromised DNS servers, rogue WiFi hotspots, spoofed sites, cross-site scripting, man-in-the-middle attacks, compromised identity managers, and too many more vulnerabilities to list.

    You are far more likely to be exposed by having your password revealed by something you can't control, and then having it added to a dictionary for later attacks, than a clever system guessing passwords using rules.

    1. Michael Wojcik Silver badge

      Once you move beyond dictionary attacks, your password is secure enough.

      A meaningless claim. Whether a password is "secure enough" (or just "secure") depends entirely on the threat model, and you haven't specified one.

      Depending on your definition (which, again, you've failed to provide), "dictionary attacks" probably doesn't include rainbow tables, which certainly might be employed by attackers if the potential benefit justifies the cost. Or attackers might mount massive parallel brute-force attacks against a specific target; again, some password-protected resources justify the (now quite low) cost of using a cloud provider for that purpose - particularly if the cloud resources are stolen (by hacking some legitimate cloud user's account).

      Certainly the other attack classes you mention - observation, keyloggers, etc - are applicable to many threat models, and in many cases will represent more-prominent branches of the attack tree. But these are not universal verities that apply in every case.

  16. W Donelson

    Anyone?

    Someone explain to me why they don't set it so you must wait 10 seconds before trying another password?

    1. Crazy Operations Guy

      Re: Anyone?

      Wouldn't do a damn thing against most attacks. Digging through my logs, a lot of attacks will try the same password but cycle the username (password hash is the same). Then the attack switches to a different password and goes through the username list again. All an attacker would have to do is increase the number of usernames tried so that the cycle becomes 10 seconds long. And that is assuming that the attack has a short list of names, even trying 1000 names at 10ms apiece would mean that the attacker doesn't even notice a thing.

      1. Anonymous Coward

        Re: Anyone?

        Moreover, blocking a username for any amount of time verifies that the username exists in the system, which is a possible issue in itself. Time delays can be useful when dealing with password-only entry such as your mobile phone but not with username-password combinations.

    2. Anonymous Coward

      Re: Anyone?

      Because automated password guessing attacks probably account for 0.1% of successful hacks, as opposed to the large majority of hacks that have nothing to do with whether you have a great or terrible password, and the remaining minority of hacks where your encrypted password (along with that of thousands/millions of others) are stolen and subject to leisurely dictionary attacks.
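The "same password, cycle the username" pattern described two replies up is exactly what a per-account delay or lockout cannot see, because each account only ever records one failure, and the follow-up point about lockouts confirming that a username exists is the other reason to key the defence on the source rather than the account. The block below is an added detection example written for this page, not from any poster's logs: it parses a few constructed authentication log lines and runs two sliding-window detectors over them, one per account (the conventional view) and one per source address counting distinct usernames. The log format, thresholds and addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in an sshd-like format; the addresses are from the
# documentation ranges and the usernames are made up.
LOG_LINES = """\
2015-06-01T12:00:00 auth: FAILED user=alice src=203.0.113.7
2015-06-01T12:00:01 auth: FAILED user=bob src=203.0.113.7
2015-06-01T12:00:02 auth: FAILED user=carol src=203.0.113.7
2015-06-01T12:00:03 auth: FAILED user=dave src=203.0.113.7
2015-06-01T12:00:04 auth: FAILED user=erin src=203.0.113.7
2015-06-01T12:00:05 auth: FAILED user=frank src=203.0.113.7
2015-06-01T12:00:20 auth: FAILED user=alice src=198.51.100.4
2015-06-01T12:00:35 auth: FAILED user=alice src=198.51.100.4
2015-06-01T12:00:50 auth: OK     user=alice src=198.51.100.4
2015-06-01T12:05:00 auth: FAILED user=bob src=192.0.2.9
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>FAILED|OK)\s+user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(lines):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                           "user": m["user"], "src": m["src"]})
    return events


def _windowed(items, key, window):
    """Yield (item, list-of-items-within-window-ending-at-item) in time order."""
    items = sorted(items, key=key)
    start = 0
    for end in range(len(items)):
        while key(items[end]) - key(items[start]) > window:
            start += 1
        yield items[start:end + 1]


def detect_per_account_bruteforce(events, window=timedelta(minutes=5), max_failures=5):
    """Conventional view: failures per username inside the window."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "FAILED":
            by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        for span in _windowed(evs, lambda e: e["ts"], window):
            if len(span) > max_failures:
                flagged[user] = len(span)
    return flagged


def detect_spray(events, window=timedelta(minutes=5), min_distinct_users=5):
    """Source view: one address whose failures touch many distinct usernames
    inside the window. Each account sees a single failure, so the per-account
    detector above stays silent while this one fires."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAILED":
            by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        for span in _windowed(evs, lambda e: e["ts"], window):
            users = {e["user"] for e in span}
            if len(users) >= min_distinct_users:
                flagged[src] = len(users)
    return flagged


if __name__ == "__main__":
    evs = parse(LOG_LINES)
    print("per-account:", detect_per_account_bruteforce(evs))
    print("spray by source:", detect_spray(evs))
```

On the constructed sample the per-account detector reports nothing, while the source-based one flags 203.0.113.7 with six distinct usernames in a few seconds. Responding to that with a per-source slowdown, and returning the same response for unknown and known usernames, addresses both replies above without telling anyone which accounts exist.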

  17. Anonymous Coward

    Stupid rules

    For my work I have access to a certain computer system that contains private data for many millions of people. I also have write privileges and could do lots of nasty things if I were that sort. (Fortunately, I'm not.)

    What makes me wonder what the people who set this thing up were smoking is that all passwords for this system must be exactly "X" characters long, and "X" is not all that large.

    WHAT WERE THEY THINKING?

    AC for obvious reasons.

    1. Michael Wojcik Silver badge

      Re: Stupid rules

      WHAT WERE THEY THINKING?

      Probably either a legacy restriction carried over to a new system rather than doing a more intelligent mapping (see my previous posts), or someone failing to break out of a bad habit shaped by older systems.

  18. John H Woods Silver badge

    The metric ...

    ... there's only one measure of password quality, and that is approximate - it is how long a decent password cracker can run on it without success. Anything else, as shown here, is actually scoring passwords on 'how well they fit our rules on passwords'. And when those are bad rules ...

  19. Terry 6 Silver badge

    Setting password rules requires two sets of skills

    One is the mathematical, knowing the cryptography rules that make the p/w "strong".

    The other is psychological.

    Knowing what can reasonably be expected of a reasonably sane user. And that doesn't mean what they could or should do, but what they would do.

    So, if you insist on a capital letter, mathematically reasonable it may be, but a user will place it where they can remember they put it - which is largely where they would expect to find it.

    So they might use "Password", possibly "PassworD" if they think they're being clever, but never "pasSword".

  20. Stork Silver badge

    I4got

    was a PW we used on a development server when I was in IT. Capital, check, Number, check. And fast to type too.

    At some time the company was taken over and we had to work with even more systems; I think I counted that I had to enter 10 passwords before I could actually do any work (managers did not like being asked what we should book the login time to). Of course, the passwords were subject to different lengths, accepted/required character types and lifetimes. Guess what the first hour after a holiday was spent doing?

  21. Sceptic Tank
    Facepalm

    Let me in! Let me in!

    I encountered the following snafu: Registered for a website and used a 30 character generated password. Then I could not log into the site again because the password box on the log-in page was restricted to 20 characters.

  22. Velv
    Boffin

    Randomness

    "What was intended to increase randomness is instead creating structure that statistical analysis can exploit"

    Er, no. It increases the number of characters in the option set which increases the permutations required to brute force the password.

    1. John Robson Silver badge

      Re: Randomness

      But since the pattern is that the first char is a capital and the number is at the end it actually doesn't change the number of permutations at all...

      "Password1" is the new "password"
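The disagreement above (and the earlier remarks that a password's only real measure is how long a cracker runs against it, and that users put the capital where they expect to find it) comes down to arithmetic on keyspaces. The following is an added example, not code from the thread or from any tool it mentions: it computes the number of candidates a positional mask generates, using the hashcat-style symbols ?l/?u/?d/?s/?a as an assumed notation, and compares the nominal "upper, lower and digit anywhere" space for a nine-character password with the space of the template the thread describes (capital first, digit last). The guess rate used for the time estimate is a placeholder, not a benchmark.

```python
import math

# hashcat-style mask symbols (assumed notation): ?l lowercase, ?u uppercase,
# ?d digit, ?s the 33 printable ASCII symbols, ?a all 95 printable ASCII.
CHARSET_SIZES = {"?l": 26, "?u": 26, "?d": 10, "?s": 33, "?a": 95}


def mask_keyspace(mask):
    """Number of candidates a mask generates, e.g. '?u?l?l?l?l?l?l?l?d'."""
    tokens = [mask[i:i + 2] for i in range(0, len(mask), 2)]
    if len(mask) % 2 or any(t not in CHARSET_SIZES for t in tokens):
        raise ValueError(f"bad mask: {mask!r}")
    space = 1
    for t in tokens:
        space *= CHARSET_SIZES[t]
    return space


def bits(keyspace):
    """Keyspace expressed as bits of search effort."""
    return math.log2(keyspace)


def exhaust_seconds(keyspace, guesses_per_second):
    """Worst-case time to enumerate a whole keyspace at a given guess rate."""
    return keyspace / guesses_per_second


def template_vs_nominal(length=9):
    """Compare the nominal upper+lower+digit space (any character anywhere)
    with the template the thread describes: capital first, digit last, the
    rest lowercase. Any other single fixed capital position gives the same
    count; what shrinks the space is that the position is predictable."""
    nominal = 62 ** length
    template = mask_keyspace("?u" + "?l" * (length - 2) + "?d")
    return {
        "nominal": nominal,
        "template": template,
        "bits_lost": bits(nominal) - bits(template),
        "ratio": nominal // template,
    }


if __name__ == "__main__":
    r = template_vs_nominal(9)
    rate = 1e9  # placeholder guess rate, not a measured figure
    print(f"nominal  : 2^{bits(r['nominal']):.1f}  "
          f"({exhaust_seconds(r['nominal'], rate) / 86400:.0f} days at {rate:.0e}/s)")
    print(f"template : 2^{bits(r['template']):.1f}  "
          f"({exhaust_seconds(r['template'], rate) / 60:.0f} minutes at {rate:.0e}/s)")
    print(f"template is {r['ratio']}x smaller ({r['bits_lost']:.1f} bits lost)")
```

For nine characters the template space is about 2^41 against a nominal 2^53: both "Password1" and "pasSword1" are members of a 62-character alphabet, but an attacker who knows where the capital and the digit go only searches the template, which is several thousand times smaller. The "how long can a cracker run" measure from the earlier comment follows directly from `exhaust_seconds` once a realistic guess rate for the hash in use is plugged in.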

  23. Mike 137 Silver badge

    Nice research - obvious results

    A nicely conducted piece of statistical research, telling us what we've actually known for years. The entire "character set + template" approach to authentication credential creation is well recognised by both experts in systems and psychologists to be flawed, but we're stuck with it because the people defining login requirements currently have no understanding of either.

    The silliest recommendation after "character set + template" is the supposedly random character string. This is grounded in a misunderstanding (and misapplication) of Shannon entropy, and fundamentally fails because (even if generated by a true random process) no-one (OK, maybe one in a million) can remember it. It's actually impossible for a human to create because the mind can't wrap round true randomness - what looks like a "random string" to a human is usually biased to emphasise a small subset of the possible code space.

    Even the random word sequence advocates ("horse staple ...") have it wrong. The essence of a robust authentication credential subsists in three requirements:

    [1] it must be long enough to make brute forcing hard - the required length will change with time and the criticality of what is being protected;

    [2] it must be memorable to its creator - so in principle it must mean something to him or her;

    [3] it must not be readily guessable by anyone else - so a problem arises for folks who are not very original ;-)

    Within the string space fulfilling these three requirements, the strongest strings against guessing attacks will be the ones that conform least well to a common template. So the best rule set will contain the fewest, simplest rules. Here's my take with commentary in square brackets:

    "A logon credential [note that we intentionally don't say 'password'] is not to allow you access to our systems - it's to prevent anyone else gaining access by pretending to be you. It must therefore be easy for you to remember but difficult for anyone else to guess. To achieve this, here are some basic guidelines:

    [1] think up a memorable but not well known phrase or sentence of at least four words totalling at least 15 characters [reasonable length at time of writing, but may need to increase]. This phrase should mean something to you to make it easy to remember, so be imaginative, consider using humour and/or your native language.

    [2] certain obvious words are blocked and therefore cannot be used, including [e.g.] your user name, the company name or date words (month and day names) [but keep the excluded words list to a minimum to avoid user frustration].

    [3] you may, but are not obliged to, separate the words in your phrase with non-alpha symbols."

    Not the ultimate maybe, but probably a better start than the standard rules that render all words in any dictionary illegal (rather a challenge for a literate user) but permit 'Pa55w0rd!'. I've written about this elsewhere (http://intinfosec.com/library/policies/2011-Instant_Compliance_for_a_Grand.pdf)
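The three guidelines in the comment above are concrete enough to implement as a check. The following is an added example (not the commenter's code, nor anything from the linked paper) that applies them: at least four words totalling at least 15 characters, no user name, company name or month/day words, and separators between words permitted but not required. Words are taken as runs of letters in any script so that a phrase in the user's native language counts; the date-word list holds only full English names, in line with the author's advice to keep the excluded list minimal, and the user name and company name used in the tests are constructed.

```python
import re

# Month and day names as the "date words" the guidelines exclude. Abbreviations
# such as "sun", "sat" or "mar" are left out on purpose: they are ordinary
# words too, and the comment's own caveat is to keep this list short.
DATE_WORDS = {
    "january", "february", "march", "april", "may", "june", "july", "august",
    "september", "october", "november", "december",
    "monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday",
}


def words_of(text):
    """Runs of letters in any script; digits, spaces and symbols separate words."""
    return re.findall(r"[^\W\d_]+", text)


def check_passphrase(candidate, username, company, min_words=4, min_chars=15,
                     extra_blocked=()):
    """Apply the three guidelines; return a list of violations (empty = accepted).

    [1] length: at least min_words words and min_chars characters in total
    [2] blocked words: user name, company name, date words, plus extra_blocked
    [3] separators between words are optional, so none are required here
    """
    violations = []
    if len(candidate) < min_chars:
        violations.append(f"shorter than {min_chars} characters")
    words = words_of(candidate)
    if len(words) < min_words:
        violations.append(f"fewer than {min_words} words")
    blocked = set(DATE_WORDS)
    blocked.update(w.lower() for w in words_of(username))
    blocked.update(w.lower() for w in words_of(company))
    blocked.update(w.lower() for w in extra_blocked)
    hits = sorted({w.lower() for w in words if w.lower() in blocked})
    if hits:
        violations.append("contains blocked word(s): " + ", ".join(hits))
    return violations


if __name__ == "__main__":
    # Constructed user name and company for the demonstration.
    for phrase in ["correct horse battery staple", "Pa55w0rd!",
                   "jsmith loves pizza on friday", "mein Haus ist grün und alt"]:
        print(f"{phrase!r}: {check_passphrase(phrase, 'jsmith', 'Acme Widgets') or 'ok'}")
```

The last case is the one the comment contrasts with standard rules: "Pa55w0rd!" satisfies a character-class template but fails both length guidelines here, while a plain four-word phrase with no digits or symbols passes.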

  24. JimboSmith Silver badge
    FAIL

    Security

    So I'm called by a friend who has had her Yahoo! email account hacked and someone is sending emails to her friends as her. It's not just spam sending either; this was, I thought, someone preparing for an "I'm on holiday and I've been mugged, please Western Union me £800 to get home" scam. They'd been sending emails saying that this girl was off on holiday somewhere hot and might not take her phone etc. They were caught out by an out-of-office reply to an email my friend hadn't sent.

    So I go round and we talk about password security: dictionary attacks, brute force etc., and did some simple maths about how long it takes to crack a password. I suggest using a phrase spaced unevenly with odd capitalisation and random other characters (e.g. thi smO nit Orn eed s!a rea lly gO, Odc lea n) but she settles on something far longer but easier to remember. So having had her change it (without my knowledge of the actual phrase) and check that everything else is the same, like recovery email, password reminders etc., I asked her what her initial password was and she says "football". She also acknowledged that this was a bit dumb, knowing what she now knew about how easy that was to crack.

  25. Jin

    Wanted is hard-to-forget and yet hard-to-break passwords.

    Being able to create strong passwords is one thing. Being able to recall them is another. And, being able to recall the relations between the accounts and the corresponding passwords is yet another. ID federations (single-sign-on services and password managers) create a single point of failure.

    At the root of the password headache is the cognitive phenomenon called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.


Biting the hand that feeds IT © 1998–2020