The image above sums up the issue with the password rules on many sites. More is less and less is more when it comes to password rules. By piling on restrictions about what is allowed or not allowed in a password, we force users to make passwords that are hard for them to remember but easy for machines to crack. The best passwords are long passphrases: a sentence that is memorable to the user. With one of those, they wouldn't need to write their password down on a piece of paper (very insecure). When in doubt about what is or isn't good password practice, I recommend checking the most up-to-date NIST guideline, SP 800-63B (Digital Identity Guidelines), which is where the recommendations referenced below come from.
Below I'll go over some common password practices I've come across and why they're good or bad:
Bad Ideas
Character Limits in Passwords
A common one I've seen is a password policy that requires AT LEAST 8 characters and AT MOST 16 characters. A low upper limit makes it harder for the user to write a meaningful passphrase, or to let their password manager generate a long random password that is harder to crack.
The bigger offender here is the UPPER limit. You should allow at least 64 characters (NIST SP 800-63B's minimum for the cap) to encourage longer passwords. Every extra character multiplies the work a brute-force attacker has to do, and a cap takes that multiplier away from exactly the users who want it. A 16-character cap can also be a sign that the application stores the password in a fixed-width column rather than as a hash: a hash is the same size no matter how long the input is, so a site that hashes properly has no reason to cap at 16.
A lower bound looks helpful, since a 2-character password would be cracked in no time, and it does tell a brute-force algorithm it can skip the very short candidates, but those candidates are such a tiny fraction of the search space that the reduction doesn't matter. I don't think a lower bound needs to be a hard wall that blocks users; nudging them toward longer passwords is the better option. I personally am not opposed to a minimum of 8 characters (which is what NIST recommends), but I would NOT place an upper bound, beyond a generous cap (a few hundred characters) so that hashing a megabyte of input with a slow hash can't be used to tie up the server.
Arbitrary Rotation of Passwords
This is the most common case I've seen in the workforce. From my experience, it just slows down employee productivity: people end up rotating their passwords in the middle of important meetings or projects because their access was denied. NIST SP 800-63B now says to change a password when there is evidence it has been compromised, not on a fixed schedule; if the password has never shown up in a breach dump, odds are it hasn't been breached. https://haveibeenpwned.com/ is a great resource to check whether a password has actually been compromised.
Some places I've seen keep an "existing password" history table, which further decreases the security of a user's password: if a hacker manages to get access to that table, they get every old password, and since people rotate by changing one character, the old passwords are a strong hint at the current one and at the passwords used on other sites. Any history that is kept should be salted slow hashes only, and the only list a new password really needs to be compared against is a blocklist of known-breached and commonly used passwords.
From the user's point of view, the usual way to rotate a password is to append "1" or some other arbitrary character to the end of the old one, since that is the easiest thing to remember without throwing them off their workflow.
Complex Rules
I personally hate this one the most. "Please include 1 uppercase character, 1 symbol, …". I already use my password manager to generate a nice, secure password, and it just isn't enough for the website to accept, so now I have to generate new ones. This is why people write their password down on a piece of paper, and when someone steals that piece of paper, there go all the passwords they own and their accounts are compromised along with them.
The xkcd comic at the top of this blog highlights this issue best. This is terrible usability and doesn't really deter a machine from brute-forcing the password. As a matter of fact, the attacker can skip every candidate that fails the rules, since those were never accepted, which narrows down the search. Worse, people satisfy the rules in predictable ways (capital letter first, digit and symbol last), and cracking tools target exactly those patterns.
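To put numbers on how much a composition rule actually takes away from an attacker, here is an added example (my own illustration, not code from the original post). It counts, by inclusion-exclusion, how many length-n strings over the 94 printable ASCII characters contain at least one uppercase letter, one digit and one symbol, and compares the result with the unconstrained space, with the "Capital, five lowercase, digit, symbol" pattern most people fall into, and with a passphrase drawn from a 7776-word list (the Diceware size; the list size is an assumption, the xkcd comic's own word list is not specified).

```python
import math
from itertools import combinations

# Character classes in printable ASCII (94 characters in total).
UPPER, LOWER, DIGITS, SYMBOLS = 26, 26, 10, 32
ASCII_PRINTABLE = UPPER + LOWER + DIGITS + SYMBOLS  # 94


def count_meeting_rules(length, alphabet_size, required_classes):
    """Number of strings of `length` over an alphabet of `alphabet_size`
    that contain at least one character from every required class.

    `required_classes` holds the sizes of disjoint subsets of the alphabet.
    Inclusion-exclusion: subtract the strings missing one required class,
    add back the strings missing two, subtract those missing three, ...
    """
    total = 0
    for k in range(len(required_classes) + 1):
        for excluded in combinations(required_classes, k):
            remaining = alphabet_size - sum(excluded)
            total += (-1) ** k * remaining ** length
    return total


def fraction_meeting_rules(length, alphabet_size, required_classes):
    """Share of the unconstrained space that still satisfies the rules."""
    return count_meeting_rules(length, alphabet_size, required_classes) / alphabet_size ** length


def bits(count):
    """Search-space size expressed as bits of entropy."""
    return math.log2(count)


def pattern_bits(class_sizes):
    """Entropy of a password built position by position from fixed classes,
    e.g. [UPPER] + [LOWER] * 5 + [DIGITS, SYMBOLS] for 'Xxxxxx1!'.
    This is what a mask attack assumes, and it is how most people satisfy
    the rules."""
    return sum(math.log2(size) for size in class_sizes)


def passphrase_bits(words, wordlist_size):
    """Entropy of `words` words drawn uniformly from a wordlist."""
    return words * math.log2(wordlist_size)


def compare_policies(length=8):
    """Return (bits with no rules, bits with 'upper+digit+symbol' rules)."""
    unconstrained = bits(ASCII_PRINTABLE ** length)
    constrained = bits(count_meeting_rules(length, ASCII_PRINTABLE, [UPPER, DIGITS, SYMBOLS]))
    return unconstrained, constrained


if __name__ == "__main__":
    free, ruled = compare_policies(8)
    share = fraction_meeting_rules(8, ASCII_PRINTABLE, [UPPER, DIGITS, SYMBOLS])
    print(f"8 random printable chars, no rules:           {free:.1f} bits")
    print(f"8 random chars meeting upper/digit/symbol:    {ruled:.1f} bits ({share:.0%} of the space)")
    print(f"human pattern 'Xxxxxx1!':                     {pattern_bits([UPPER] + [LOWER] * 5 + [DIGITS, SYMBOLS]):.1f} bits")
    print(f"4-word passphrase from a 7776-word list:      {passphrase_bits(4, 7776):.1f} bits")
    print(f"6-word passphrase from a 7776-word list:      {passphrase_bits(6, 7776):.1f} bits")
```

The rules themselves only remove about one bit against a uniformly random 8-character password (roughly half of the space still qualifies), so they barely inconvenience a machine. The damage is in the human response: the predictable "Xxxxxx1!" shape is around 36 bits, a third of the way down from 52, while a four-word passphrase with no rules at all already matches the full 8-character space and six words leaves it far behind.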
Password in Your Email
There are some sites out there that send me my password in plain text… A site that can send you your current password is storing it in a form it can read back, not as a salted hash, so on top of the plaintext sitting in the database it now also sits in your mailbox. That is another way for my password to end up in the next data breach file dump…
Good Ideas
Password strength meter
Any usability aid improves the UX for the user. A strength meter helps the user make themselves a strong password before clicking accept and continue, so they don't end up with one that is easy to brute-force. Since these are hints rather than hard restrictions, the set of accepted passwords doesn't shrink, and a hacker who excluded the "weak" candidates from their search would miss passwords that users chose anyway.
Cross Checking Breached Password File Dump
https://haveibeenpwned.com/ actually has a Pwned Passwords API that a developer can use to check whether a user's chosen password has appeared in a breach data dump. The check is an exact match, done with k-anonymity: the client hashes the password with SHA-1 and sends only the first 5 hex characters of the hash, the service returns every hash suffix it knows with that prefix together with a breach count, and the client looks for its own suffix locally, so the password never leaves the site. This helps users avoid choosing a password that has already been compromised, and gives them clear and concise feedback that the one they picked has already been compromised.
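The exchange described above, as an added example that is not part of the original post: the client hashes the candidate password, sends the 5-character prefix to the range endpoint (the real URL, shown for completeness), and matches the 35-character suffix against the returned lines. So the example runs offline, the "response" for prefix 5BAA6 is a constructed three-line body rather than live data, and the breach count in it is illustrative.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password):
    """SHA-1 of the password as uppercase hex, split into the 5-char prefix
    that is sent to the service and the 35-char suffix that never leaves
    the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range_online(prefix):
    """Query the real Pwned Passwords range endpoint (needs network access).
    Add-Padding asks the service to mix in dummy entries so the response
    size doesn't leak how many real hashes share the prefix."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "password-policy-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range(body):
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password, fetch_range=fetch_range_online):
    """Times the password appears in known breaches (0 = not found).
    Only the prefix is sent; the exact match happens locally. Padding
    entries carry a count of 0, so they are indistinguishable from 'absent'."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


# Constructed sample response for prefix 5BAA6 (SHA-1("password") begins with
# 5BAA6). The real endpoint returns hundreds of lines; these three are made up
# for the example and the count on the middle line is illustrative, not live.
SAMPLE_RANGE_5BAA6 = """\
0021D8B8C1F96DBB58B2C5A2E4E2B22E6D5:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
3B0DEDFA4A9E2F1F8B4C2D3E4F5A6B7C8D9:0
"""


def fetch_range_sample(prefix):
    """Offline stand-in for the API: only knows the constructed 5BAA6 range."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def check_password(password, fetch_range=fetch_range_online):
    """Feedback for the user. The policy is exact match, so any hit rejects."""
    n = pwned_count(password, fetch_range)
    if n:
        return f"This password has appeared in {n:,} breaches; please choose another."
    return "Password not found in known breaches."


if __name__ == "__main__":
    print(check_password("password", fetch_range_sample))
    print(check_password("purple-llama-rides-the-7th-tram", fetch_range_sample))
```

Swap `fetch_range_sample` for the default `fetch_range_online` to run it against the real service. Treat any non-zero count as a rejection rather than setting a threshold: a password that appears once in a dump is already in every cracker's wordlist.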
Allow Authenticators
Having a second factor after the user's password, in case someone does get hold of that password, helps keep the account safe. If a bad actor fails the authenticator step after obtaining the user's password, that failure is itself evidence the password is compromised, so the account can be locked until the password is changed.
Support for 2FA apps such as Authy, or a hardware key such as a YubiKey, increases user account security.
No Limits on Password Combinations
By allowing free rein to use any character (including non-Latin letters, spaces and emoji) and putting no cap on length, you let a user write a meaningful passphrase, which can also be in a foreign language. That enlarges the alphabet an attacker has to consider well beyond printable ASCII, although length is still what matters most: with no limits there are so many possibilities that figuring out the correct password by brute force is simply too costly. One caveat for the implementer: accept everything, but normalize it (NIST recommends NFKC) before hashing, at enrollment and at login alike, so the same passphrase typed on different devices or keyboards produces the same bytes; and count length in characters, not bytes, or a short emoji passphrase will fail the length check.
This also makes it easier for a proper password manager to generate any password for your site.
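An added example of a validator that follows the "Good Ideas" above, written for this post rather than taken from it: NFKC normalization, a length check in code points with an 8-character minimum and a generous cap, no composition rules and no character restrictions, and a blocklist lookup. The blocklist here is a small constructed set standing in for a breached-password corpus, and the 256-character cap is an assumed value chosen to be well above NIST's "at least 64".

```python
import unicodedata

MIN_LENGTH = 8      # NIST SP 800-63B minimum
MAX_LENGTH = 256    # assumed cap: far above NIST's "allow at least 64", bounds hashing cost

# Constructed blocklist standing in for a breached/common-password corpus.
BLOCKLIST = {"password", "12345678", "qwertyuiop", "tr0ub4dor&3", "letmein123"}


def normalize(password):
    """Canonicalize the password (NFKC) so the same passphrase typed on
    different keyboards or operating systems hashes to the same value.
    Must be applied identically at enrollment and at login."""
    return unicodedata.normalize("NFKC", password)


def validate_password(password):
    """Return (accepted, reason). Only length and the blocklist are checked:
    no 'one uppercase, one symbol' rules and no forbidden characters."""
    pw = normalize(password)
    n = len(pw)  # code points, not bytes: an emoji or a CJK character counts as one
    if n < MIN_LENGTH:
        return False, f"too short ({n} characters; at least {MIN_LENGTH} needed)"
    if n > MAX_LENGTH:
        return False, f"too long ({n} characters; at most {MAX_LENGTH} allowed)"
    if pw.casefold() in BLOCKLIST:
        return False, "this password is on the list of commonly used or breached passwords"
    return True, "ok"


def encoded_length(password):
    """Byte length of the normalized password, shown only to illustrate why
    the length check must not be done on bytes."""
    return len(normalize(password).encode("utf-8"))


if __name__ == "__main__":
    for candidate in [
        "Tr0ub4dor&3",                       # short, 'complex', and on the blocklist
        "purple llama rides the 7th tram",   # plain passphrase with spaces
        "🔑🔑🔑🔑🔑🔑🔑🔑",                  # 8 code points, 32 bytes
        "Ｐａｓｓｗｏｒｄ",                  # fullwidth 'Password': NFKC folds it to ASCII
        "短い",
    ]:
        ok, why = validate_password(candidate)
        print(f"{'accept' if ok else 'reject'}: {candidate!r} ({why}; {encoded_length(candidate)} bytes)")
```

Two of the cases above are the edge cases that matter. An emoji passphrase is eight characters and must pass even though it is 32 bytes, and the fullwidth "Ｐａｓｓｗｏｒｄ" collapses to "Password" under NFKC, so the blocklist catches it; without normalization it would be stored as a different string from what a user types on another keyboard.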
Conclusion
Overall, the most important lesson when it comes to password rules is length and usability. Keep it long enough to rise against the machine, but keep it simple enough for simple minds.
I hope my band references make this rule easier to remember 🎸😄