Wednesday, August 23, 2017

Now can we stop the password madness?

I've ranted about this plenty of times, and now it seems like the world has come around to my point of view.

Um yeah, right.

I think pretty much anyone who's had to deal with restrictions like "This password must be eight characters long, contain at least one number, one uppercase letter, one lowercase letter, one special character and the characters Pa$$w0rd in order" has recoiled in disgust.  So maybe it wasn't my vast influence.

In any case, headlines are now circulating that the person who promulgated those rules (one Bill Burr of NIST) has said "Sorry, it was all a horrible mistake."  So the person responsible has fessed up and the annoying rules should be history in, oh, let's say ten or twenty years.

As usual, I think the real story is a bit more nuanced, as they say, but it looks like the Naked Security blog at Sophos has already done a better piece on it than I will.  Basically, the advice in the original guidelines in 2003 wasn't bad at the time and it's not Bill Burr's fault that people cargo-culted it into the annoying mess we see today.

Now if we can just get rid of "security questions" ...


earl said...

What about a password of only 1 character (assuming the website would let you)? Do the algorithms even look at those?

David Hull said...

The point being that no one would guess a password that short?

If the rule you're actually using to generate your password is "N characters, which may be empty", it's conceivable that a one-letter password would pop out, but pretty unlikely. There are only a small number of possible ways for this to happen, and the overall password space should be huge. And you don't gain a lot of password space by allowing for empty characters. Better to say "16 characters taken from A-Za-z0-9" than "15 characters taken from A-Za-z0-9 + empty".

But the real question is what attackers will be guessing, particularly whether they thought to include one-letter passwords in their dictionary of things to try. My guess is they typically will, because why not, and one-letter passwords will be pretty quickly cracked.