Passwords: Before I write my article about this, can someone explain its "logic"?

Ron_Tomkins (Satan's Helper, joined Oct 29, 2007):

So, basically, I am unable to access my existing account at Copyright.gov, nor to create a new account, due to its insufferable, extreme list of requirements for password creation:

Minimum password length must be 8 characters and consist of at least 2 alpha characters, 1 number and 1 special character.
A password must have no consecutive repeated characters.
A password must not include your user name or any part thereof.
A password must not include the names of a spouse, children, pets or one's own name.
A password must not include any regional sports teams or players.
A password must not include any office symbols.
A password must not include your social security number or any subset of your social security number that is more than a single number.
A password must not include words that can be found in any dictionary, whether English or any language.
A password must not be any of the 11 most recently used passwords for the account.

Some of these are plain laughable and feel like the site creator is literally mocking us: "A password must not include any regional sports teams or players." Could this be more random? First of all, why sports teams/players? Why are those a no-no, but not Martial Arts fighters or movie directors? Is the person who created the site someone who hates sports? Or is there an actual logic behind this stupid requirement?

Some are simply absurd: "A password must not include your social security number or any subset of your social security number that is more than a single number." First of all: If I'm a completely new user who's opening their account for the first time, then that means I haven't even entered such information as my Social Security Number. How in the Blue Hell then do you even know if any of the numbers I'm entering in my new password are found in my Social Security Number??

Finally, they completely destroy any possibility for you to create a password that you would remember and that would make sense to you by dictating that "A password must not include words that can be found in any dictionary, whether English or any language." This means you are left with nothing but strings of random letters, meaning this will be something you will need to write down on a piece of paper and save so you can remember it.


But aside from the fact that this one site is being a real bitch with the whole password creation, most of the sites where you create accounts have a list of requirements for your password.

But why???

The way I see it: it's my account, my responsibility. If I decide to create a password that's just "1234", and that means it has an extreme risk of being deciphered by others, that's MY PROBLEM. Some services such as gmail allow (at least for now) for you to create whatever the hell you wanna create as a password, so we know this is not universal to all sites/services.

Second of all, as I mentioned earlier, by introducing such a large list of demands, you make it so that I have to create a password that I wouldn't remember, because it ends up being something crafted to the site's individual desires. So I have to write it down somewhere, because I just won't remember. Especially considering each site has their unique list of requirements. That means that, at the end of the day, I'm still at the risk of having someone find that list and have access to all of my passwords. So, the rationale that this makes your password more secure, isn't precisely true.


Since recently I was looking for ideas to write a new article on my blog, it goes without saying that this subject has infuriated me so much, and for such a long time, that I'm gonna make this my new subject. However, before I start writing an article complaining about this, I would like to hear the opinions of some tech-savvy people (preferably people who are code programmers, and who have hands-on experience with this stuff) to patiently explain to me, as concisely as possible, why this **** makes sense at all.
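As an added illustration (not code from the thread or from copyright.gov), here is a Python checker for the rules in the opening post that a server can actually evaluate: minimum length and character classes, no consecutive repeated characters, no fragment of the user name, no dictionary word, and no reuse of the last 11 passwords (kept as salted PBKDF2 digests, never as plaintext). The SSN, sports-team and office-symbol rules are left out because no generic service holds that data at sign-up. The word list, the reading of "any part" of the user name as any run of 3 or more characters, and the sample passwords are all constructed assumptions.

```python
import hashlib
import hmac
import os
import string

# Constructed stand-in for a real word list; a deployment would load a large dictionary.
SAMPLE_DICTIONARY = {"password", "copyright", "fight", "gold", "pony", "devil", "admin"}
HISTORY_DEPTH = 11      # the policy's "11 most recently used passwords"
MIN_FRAGMENT = 3        # assumption: "any part" of the user name = any run of 3+ characters
PBKDF2_ROUNDS = 100_000


def history_entry(password: str) -> tuple:
    """Record a past password as (salt, salted PBKDF2 digest) so history never stores plaintext."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _matches_history(password: str, history) -> bool:
    """True if the candidate equals any of the last HISTORY_DEPTH stored passwords."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, digest):   # constant-time comparison
            return True
    return False


def check_policy(password: str, username: str, history=(), dictionary=SAMPLE_DICTIONARY) -> list:
    """Return the list of violated rules; an empty list means the password is accepted."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if sum(c.isalpha() for c in password) < 2:
        problems.append("fewer than 2 alphabetic characters")
    if sum(c.isdigit() for c in password) < 1:
        problems.append("no digit")
    if sum(c in string.punctuation for c in password) < 1:
        problems.append("no special character")
    # "no consecutive repeated characters": compare each character with its successor
    if any(a == b for a, b in zip(password, password[1:])):
        problems.append("consecutive repeated characters")
    lowered = password.lower()
    user = username.lower()
    # every substring of the user name of length MIN_FRAGMENT or more
    fragments = {user[i:i + n] for n in range(MIN_FRAGMENT, len(user) + 1)
                 for i in range(len(user) - n + 1)}
    if any(fragment in lowered for fragment in fragments):
        problems.append("contains part of the user name")
    if any(word in lowered for word in dictionary if len(word) >= MIN_FRAGMENT):
        problems.append("contains a dictionary word")
    if _matches_history(password, list(history)):
        problems.append("matches one of the last 11 passwords")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, including the phrase-derived password from later in the thread.
    for candidate in ("Ihnyb2f!", "D3vil17!", "password1", "Ronald2024!"):
        print(candidate, "->", check_policy(candidate, "ron") or "accepted")
```

Running it shows the gap the thread complains about: "Ihnyb2f!" and "D3vil17!" pass every checkable rule (the "3" hides the dictionary word), while "password1" is rejected three times over, so the rule set mostly rewards predictable substitutions rather than length.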
 
You'll be happy to see this, then:
https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/

:D

ETA: NIST's new password recommendations say get rid of all that crazy stuff that makes users either use the same password everywhere or forget them all the time. You don't need artificial complexity to generate a strong password.

ETA2: Try converting a phrase or sentence, with punctuation and case, substituting 2 for to/two/too and 4 for "for". For example, take "I have not yet begun to fight!" and convert it to Ihnyb2f!.
 
> You'll be happy to see this, then:
> https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/
>
> :D
>
> ETA: NIST's new password recommendations say get rid of all that crazy stuff that makes users either use the same password everywhere or forget them all the time. You don't need artificial complexity to generate a strong password.
>
> ETA2: Try converting a phrase or sentence, with punctuation and case, substituting 2 for to/two/too and 4 for "for". For example, take "I have not yet begun to fight!" and convert it to Ihnyb2f!.

Man, thank you!! Not only is this AWESOME news, but it will also serve as updated complementary information for me to include in my article.


So basically, what this new law is saying is that I was right! This whole ******** is only annoying, unnecessary and it's not even safer!
 
> I would like to hear the opinions of some tech-savvy people (preferably people who are code programmers, and who have hands-on experience with this stuff) to patiently explain to me, as concisely as possible, why this **** makes sense at all.
It does not. There is a boss somewhere demanding these silly rules in response to complaints of "hackers" because a dumbass used their SSN as their password and now they're threatening to sue.

> So I have to write it down somewhere, because I just won't remember. Especially considering each site has their unique list of requirements. That means that, at the end of the day, I'm still at the risk of having someone find that list and have access to all of my passwords.
That's actually the best course of action. Keep it in your desk or something.

The biggest threat to your account security is not that a random mugger or burglar will have a post-it note with access to your accounts, it's that a random script kiddie will. The mugger probably won't even know how to take advantage of them; he'll take the money and the credit cards and throw the rest away. But the hacker makes his living off exploiting exactly that sort of information.
 
What's even funnier is that the administrators of the passwords create a backdoor username and password for the programmers to use so they don't have to try and remember a complex one when they have to repeatedly log in. The backdoor username/password is usually something as simple as "Admin5/Admin5". Hypocrites.
 
I use a password safe called Keepass. It generates passwords with whatever requirements you select. When I need to log in to a site, I just copy the password from Keepass and paste it in the login screen. I have no clue what most of my passwords are since they are just random numbers, letters, symbols, etc.

There are just a few important sites where I use a password that I can remember. That's in case I don't have access to Keepass and need to log in to one of those sites. It's what appears to be random characters, but makes sense to me and is easy for me to remember.
 
I read some time ago that a random sentence from a book is a better password than all that rule stuff.
 
Incidentally, if you really need to make a password that fits that silly arbitrary criteria you can use a site like this one: http://passwordsgenerator.net/

Then just write it down and file it somewhere, as was mentioned before. If it's your home office, anyone who breaks in could not care less what your password to copyright.gov is. You're significantly more vulnerable to attacks at work, however.
 
> Incidentally, if you really need to make a password that fits that silly arbitrary criteria you can use a site like this one: http://passwordsgenerator.net/
>
> Then just write it down and file it somewhere, as was mentioned before. If it's your home office, anyone who breaks in could not care less what your password to copyright.gov is. You're significantly more vulnerable to attacks at work, however.

Thanks! I think I'm gonna try that. Though I wouldn't be surprised if the *********** site still didn't accept it. I tell you, it just makes no sense. I'm doing exactly everything they require and they still don't accept my passwords. I seriously think their system is broken.
 
Here is an article supposedly by the guy who came up with the current rules:

http://gizmodo.com/the-guy-who-invented-those-annoying-password-rules-now-1797643987

This source is also gonna come very handy for my article!


(By the way.... Bill Burr is the guy's name?? I had to re-read the first paragraph because for a moment, I thought they were joking, since Bill Burr is the name of a famous comedian. I guess that's just a coincidence then, but how ironic, considering this whole Password thingie is a big JOKE)
 
I always enjoyed the "no word in any language" one. "A" and "I" are words in English. "Y" is a word in Spanish. "U" is a word in Textish. So much for four of the 26.

I was once, briefly and stupidly, the System Administrator for a VAX. I even went and took classes. I learned there were three default accounts on a system, with the following usernames and passwords: "System/Manager", "Field/Service", "User/User". (Not sure about the last one.) One of their customers, headquartered in Redmond, WA, had been hacked. They hadn't changed either of the first two fully privileged accounts. (35 years ago.)

My former very large aerospace company had become rather enlightened on the subject by the time I left. It helped that they were still using IBM mainframes, which couldn't do more than eight characters or use special characters, which they extended as the default to all systems. They also had a web-based app to change multiple passwords at once. That came in handy four times a year.

ETA: My next password is going to be "CorrectHorseSomethingSomething", because I can't remember the other two words.
 
> Man, thank you!! Not only is this AWESOME news, but it will also serve as updated complementary information for me to include in my article.
>
> So basically, what this new law is saying is that I was right! This whole ******** is only annoying, unnecessary and it's not even safer!

Since you're going to write an article I thought I'd point out that it is not even close to being a law. It's simply best practice guidelines based on the best available science from NIST.
 
> ETA2: Try converting a phrase or sentence, with punctuation and case, substituting 2 for to/two/too and 4 for "for". For example, take "I have not yet begun to fight!" and convert it to Ihnyb2f!.

Aren't password crackers aware of that by now? I wouldn't use common sayings, movie quotes, literary quotes, song lyrics, etc., but something more personal.
 
> Since you're going to write an article I thought I'd point out that it is not even close to being a law. It's simply best practice guidelines based on the best available science from NIST.

Nitpicky, but still helpful ;)
 
The point of having upper and lower case, numbers and symbols is that the pool of possibilities for each character is enlarged massively. Instead of 26 letters, you have 52, plus 0-9, and whatever symbols are allowed. It makes a dictionary attack useless, and a brute force attack much more difficult.

So even if you license plate it, l33t it or just turn it to txtspk, unless it's the current hot catchphrase or song title, it's unlikely to be broken, and yet is easy to remember.
 
My preference is for strings of 3 or more words (English for me; your language may vary). As long as the website [properly] allows long passwords, and as long as you keep away from popular quotes or catchphrases, or easily discoverable personal information, nobody is going to crack your password without inside information. I find these not only easier to remember but much easier to type. Despite typing for 8-12 hours every day, I still have trouble at times typing nonsense, which is what short passwords with numbers and symbols end up being.

I only get into numbers and symbols when I'm forced by dumb password policies, including short password lengths which are now my biggest password pet peeve.
 
Maybe. Or maybe not. Mathematically, all those restrictions limit the number of possible permutations. Just cycling through all possible permutations, a great many could be eliminated without testing because they don’t meet the password criteria. There would still be a lot, though.

On the other hand, if there are no restrictions it may be easy to guess the password. The restrictions eliminate many passwords that would be easy to guess.

On yet the other hand, the restrictions can make the password somewhat easier to guess. Because it restricts what the user can choose for a password, it can become easier to make certain assumptions about likely passwords.

For example, the password is likely to be based on a set of alphabetic characters. That series of letters is probably 5-7 (or maybe 8) characters so that it is long enough to meet the password length requirement but not too long to be cumbersome. The letters may be based on the first letters of a common phrase (as is commonly suggested). That can narrow down the possible base of the password quite a bit. Or the letters may be a word. If dictionary words are not allowed, it probably has a l33t transformation.

Because many passwords require a capital letter, it is likely that the first letter in the alphabetic series is upper case and the rest of the letters are lower case.

The special character is probably the last character, unless a special character is used in the l33t transformation. If it is at the end, it is probably ! or $ because those are easy to remember and are almost always allowed (in passwords that specify specific special characters that must be used) so it makes it convenient when using the same password for multiple sites.

The number requirement may be fulfilled by a l33t transformation if the base word is toward the longer side. Otherwise, the numbers are probably 1 or 2 numbers following the base word, or at the very end or very beginning of the password. If two numbers are likely, a good guess would be the current year (17) or the person's birth year or other significant number. Repeated numbers are likely when they are filler to meet the number and length requirements, or if repeated characters are not allowed then they are probably consecutive numbers like 12 or 56.

And so on. We end up exchanging one set of psychological determinants for a likely password with another set. If we continue to attempt to eliminate every possible likely password, we'll end up with only a few possible permitted passwords left!

Of course there is a benefit in having a minimum password length and not allowing things like “password” or “1234”. But increasing those restrictions has diminishing returns, and can eventually even turn back and become less beneficial.
 
> My preference is for strings of 3 or more words (English for me; your language may vary). As long as the website [properly] allows long passwords, and as long as you keep away from popular quotes or catchphrases, or easily discoverable personal information, nobody is going to crack your password without inside information. I find these not only easier to remember but much easier to type. Despite typing for 8-12 hours every day, I still have trouble at times typing nonsense, which is what short passwords with numbers and symbols end up being.
>
> I only get into numbers and symbols when I'm forced by dumb password policies, including short password lengths which are now my biggest password pet peeve.

I think that is what NIST is getting at. Without restrictions, I could have a password like "gold ponydog" that would be easy to remember and type but would be pretty hard to hack given that I could have chosen anything. But with the restrictions in the OP, I would probably have to go with something like D3vil17! that looks like a "strong" password but that could actually be rather easy to guess.
 
xkcd has this covered :)

(I once did something similar to generate passwords in Unix systems - take the first 4 letters from each of a pair of random words of > 4 letters, and plug them together. So green light would become the password greeligh. All the user had to do was remember "green light" and the way the system worked)

[Image: password_strength.png]
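To put numbers on the "pool of possibilities" argument, on the long post about how restrictions shrink the space of likely passwords, and on the "green light" to "greeligh" trick above, here is an added Python example (mine, not code from any poster or from xkcd). It compares the entropy of a uniformly random printable-character password, a Diceware-style passphrase, and the narrow habit-driven pattern of a capitalised dictionary word plus one or two digits and a trailing "!" or "$", and it generates a passphrase with the `secrets` module so the draws are actually uniform. The word list is constructed, 7776 is the classic Diceware list size, and 50,000 is an assumed dictionary size.

```python
import math
import secrets

# Constructed word list; a real Diceware-style list has thousands of entries.
WORDS = ["green", "light", "gold", "pony", "horse", "battery", "staple", "correct",
         "river", "anchor", "window", "copper", "silent", "maple", "orbit", "velvet"]
DICEWARE_SIZE = 7776      # size of the classic Diceware list (6**5), used only as a number
ASCII_PRINTABLE = 94      # letters, digits and punctuation on a US keyboard
ASSUMED_DICTIONARY = 50_000   # assumption: size of a typical word list a guesser would use


def bits_for_charset(alphabet_size: int, length: int) -> float:
    """Entropy of a string whose every position is drawn uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


def bits_for_passphrase(wordlist_size: int, word_count: int) -> float:
    """Entropy of a passphrase whose words are drawn uniformly and independently from the list."""
    return word_count * math.log2(wordlist_size)


def bits_for_human_pattern(dictionary_size: int, digit_slots: int = 2, tail_symbols: int = 2) -> float:
    """Size (in bits) of the much smaller space a guesser covers when people follow the
    habit described in the thread: Capitalised dictionary word, one or two digits, and
    '!' or '$' on the end. This is an upper bound on what such passwords actually provide."""
    combos = dictionary_size * (10 ** digit_slots) * tail_symbols
    return math.log2(combos)


def generate_passphrase(word_count: int = 4, words=WORDS, choice=secrets.choice) -> str:
    """xkcd-style passphrase; with uniform draws its entropy is word_count * log2(len(words))."""
    return " ".join(choice(words) for _ in range(word_count))


def unix_pair_password(word_a: str, word_b: str) -> str:
    """The 'green light' -> 'greeligh' trick: first four letters of each word (both > 4 letters)."""
    if len(word_a) <= 4 or len(word_b) <= 4:
        raise ValueError("both words must be longer than 4 letters")
    return word_a[:4] + word_b[:4]


def compare() -> dict:
    """Entropy, in bits, of the password styles discussed in the thread."""
    return {
        "8 random printable characters": round(bits_for_charset(ASCII_PRINTABLE, 8), 1),
        "4 Diceware words": round(bits_for_passphrase(DICEWARE_SIZE, 4), 1),
        # truncating to 4 letters can merge words, so this is an upper bound
        "2 truncated words (upper bound)": round(bits_for_passphrase(DICEWARE_SIZE, 2), 1),
        "Capitalised word + 2 digits + ! or $": round(bits_for_human_pattern(ASSUMED_DICTIONARY), 1),
    }


if __name__ == "__main__":
    for style, bits in compare().items():
        print(f"{style}: {bits} bits")
    print("passphrase:", generate_passphrase())
    print("unix pair:", unix_pair_password("green", "light"))
```

The comparison makes the thread's point quantitatively: four random words from a 7776-word list are about as strong as eight truly random printable characters, while the "D3vil17!"-style password that satisfies every rule in the opening post lives in a space of only about 23 bits once a guesser assumes the usual habits. Entropy counts only when the choice really is uniform, which is why the generator uses `secrets.choice` rather than the user's favourite quote.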
 