Why do password systems have so many stupid rules?

pmv

Lifer
May 30, 2008
I recently spent some time struggling to come up with a password that satisfied the arbitrary rules of a certain site.

It had the usual random variations on must/mustn't have non-alphanumerics, minimum and maximum lengths etc. All of which are exasperating.

The problem is

(a) that so many sites don't tell you what the rules are till after you've tried a password. This is especially ridiculous when there's a maximum length yet the form allows you to enter passwords longer than that length, and only _then_ tells you off for doing so. This happens a lot.

(b) that the rules vary so much from one site to another. One will insist on punctuation characters, another will ban them. Some insist on variable case, some don't, some say exactly one numeral...all kinds of random variations.

Also this one added the weird restriction that passwords must be 'non-offensive' (what is the logic in that? Who is it going to offend, if they are encrypted as they should be? Are they just taking it for granted that their password file is going to be stolen by hackers, who might then complain about bad language or controversial political sentiments?). I think I fell foul of that one when I lost my temper on my Nth attempt at an acceptable password and put a rude word in it.

Surely in 2017 there should be a set standard for 'password choosing' by now?
 

TheELF

Diamond Member
Dec 22, 2012
Surely in 2017 there should be a set standard for 'password choosing' by now?
Yup, it should be 256-bit AES, but then nobody is gonna remember that or even be able to put it in correctly.
 

John Connor

Lifer
Nov 30, 2012
I hate those stupid websites. Some do this, others don't. It really pisses me off when I use a very good password mechanism and yet I still don't satisfy their criteria.
 

Murloc

Diamond Member
Jun 24, 2008
Yeah, this pisses me off. Luckily most websites have none of these BS rules except minimum length, which I understand.
 

lxskllr

No Lifer
Nov 30, 2004
Yeah, this pisses me off. Luckily most websites have none of these BS rules except minimum length, which I understand.
You're lucky. I make good passwords (read: KeePass makes good passwords), and I run into all kinds of obstacles. There should be a sensible maximum length, maybe 32 characters, and an entropy check. If it meets minimum standards, anything should be usable.
 

Murloc

Diamond Member
Jun 24, 2008
That's the entire point. Watch how much computational power it requires just by adding alphanumeric characters.
Is a combination of random alphabetical characters worse than a combination of random alphanumeric characters, if the attacker does not know that it does not actually contain numbers?
 

pmv

Lifer
May 30, 2008

I tried that with a typical random, spur-of-the-moment-invented password and it said it would take 7 quindecillion years to crack, so quite good. But that password would have been thrown out by many sites as being too long and for not having numerals in it.
The thing is, it's not rules insisting on numerals or punctuation that I get irritated by, it's just that those rules vary so much from one site to another, and don't tell you clearly in advance what they are, obliging you to go through multiple failed-attempts to find out what they want.

I particularly dislike sites that insist I use absurdly short passwords. I don't see the logic in that at all.
 

John Connor

Lifer
Nov 30, 2012
Worse yet is when your password, username, E-mail and everything else is hacked and then you find out the damn data was stored in plain text.

Here's a great website. They are down for maintenance right now though.

https://www.leakedsource.com/main

Here's another one: https://haveibeenpwned.com/ I'll get an e-mail if my info shows up in a hacked database.

I found out freeadvice.com was hacked and I never so much as got an E-mail. So was Webhostingtalk.com.
 

Red Squirrel

No Lifer
May 24, 2003
www.anyf.ca
Do realize that when they say it takes NN years, they probably mean with a single computer using today's known tech, e.g. not a huge data centre full of dedicated ASICs and/or quantum computers designed for that specific algorithm. The big boys like the NSA and GCHQ can probably do it in less than a year with the technology they have. But if a site is hacked and the password info is stolen, chances are good that the info that password was protecting was also stolen anyway. So where the hashing really serves a purpose here is buying you enough time to change your password everywhere else if you use the same one. Consider the info that was on that website compromised either way. Even if the info itself is encrypted it will eventually be decrypted offline.
 

mikeymikec

Lifer
May 19, 2011

It might be a useful site for people who literally have no clue about password security, but there are plenty of reasons that the figures it gives out aren't even vaguely accurate in many scenarios (e.g. NTLM passwords, wifi passwords, scenarios where unauthorised access to the password database was successful, scenarios where no prior unauthorised access was managed and brute-forcing say an e-mail server over the Internet, then add security precautions like servers telling possible brute-forcers to take a hike for an hour after three wrong passwords... the list goes on).

It also reckons that 'password123' could take a month to crack. Yeahhh, no.
 

Ketchup

Elite Member
Sep 1, 2002
I put in a password similar in length and character type to one of my current ones and it said 3 trillion years. OK, I'm good with that. For reference, I put in one similar to a very early password that I still remember (late '90s) and it said 2 hours. Well, I guess that means I have improved. I wonder how long my old password would have taken to crack back then.
 

C1

Platinum Member
Feb 21, 2008
The more rules you have about a password, the fewer combinations are available once the rules are known (i.e., a reduced sample space), and the easier it is to "crack" for someone who also knows the password formulation restriction rules (e.g., for the particular site).

Classic Bayes Theorem

"One way to think about this problem is to consider the sample space, which Monty alters by opening one of the doors that has a goat behind it. In doing so, he effectively removes one of the two losing doors from the sample space."

http://mathforum.org/dr.math/faq/faq.monty.hall.html
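Putting numbers on the reduced-sample-space argument in this post, and on lxskllr's entropy-check suggestion and Murloc's letters-vs-alphanumerics question earlier in the thread. This is an added example, not code any poster wrote. It assumes the 95 printable ASCII characters split into four disjoint classes (26 lower, 26 upper, 10 digits, 33 symbols) and passwords drawn uniformly at random under each rule; the policy labels in the report are my own.

```python
"""Keyspace arithmetic for password composition rules.

Counts how many passwords a rule set permits, so the effect of
"must contain exactly one digit" or "must contain one of each class"
can be measured in bits rather than argued about.
"""
import math
from itertools import combinations

# Printable ASCII, split into the (assumed disjoint) classes that
# composition rules usually name.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
PRINTABLE = LOWER + UPPER + DIGITS + SYMBOLS  # 95


def bits(count: int) -> float:
    """Size of a search space expressed as bits of work (log2); 0.0 for an empty space."""
    return math.log2(count) if count > 0 else 0.0


def unrestricted(length: int, alphabet: int = PRINTABLE) -> int:
    """Every string of `length` over `alphabet` symbols is allowed."""
    return alphabet ** length


def exactly_k_from_class(length: int, k: int, class_size: int,
                         alphabet: int = PRINTABLE) -> int:
    """Strings containing exactly k characters from one class (e.g. exactly one digit).

    Choose the k positions, fill them from the class, fill the remaining
    positions from the rest of the alphabet.
    """
    if k > length:
        return 0
    return math.comb(length, k) * class_size ** k * (alphabet - class_size) ** (length - k)


def at_least_one_of_each(length: int, class_sizes, alphabet: int = PRINTABLE) -> int:
    """Strings containing at least one character from every listed class.

    Inclusion-exclusion: start from all strings, subtract those missing each
    class, add back those missing each pair of classes, and so on.
    Classes are assumed disjoint and contained in the alphabet.
    """
    total = 0
    for r in range(len(class_sizes) + 1):
        for missing in combinations(class_sizes, r):
            total += (-1) ** r * (alphabet - sum(missing)) ** length
    return total


def policy_report() -> dict:
    """Bits of work for a few rule sets, so they can be compared side by side."""
    return {
        # What the site's own rules allow an attacker who knows them to search.
        "8 chars, any printable": bits(unrestricted(8)),
        "8 chars, exactly one digit": bits(exactly_k_from_class(8, 1, DIGITS)),
        "8 chars, one of each class": bits(at_least_one_of_each(8, [LOWER, UPPER, DIGITS, SYMBOLS])),
        # A longer password with no composition rule at all.
        "12 random lowercase letters": bits(unrestricted(12, LOWER)),
        # Murloc's question: the same 12 letters if the attacker wrongly
        # assumed the full printable set. The password itself is still only
        # 26**12 strong; a lowercase-only mask finds it in that many guesses.
        "12 lowercase, attacker searches all printable": bits(unrestricted(12)),
    }


if __name__ == "__main__":
    for name, b in policy_report().items():
        print(f"{name:48s} {b:6.1f} bits")
```

Every composition rule lowers the 8-character number below the unrestricted 52.6 bits, and a 12-letter lowercase password that most "must contain a digit" policies would reject is still stronger than any of them. The last row is the attacker's cost only if they never try the smaller character set first, which password-cracking tools do by default.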
 

Red Squirrel

No Lifer
May 24, 2003
www.anyf.ca
Yeah to me the only rule should be minimum length and that should be rather conservative. Like I'd say even 6 characters is fine. Having to brute force that extra 6 and 7 possibilities adds extra work to anyone brute forcing. Something like $&1(n` would be more secure than something like Words12!

Though I wonder how many crappy web systems out there would croak at certain special characters like quotes. I like to put quotes in random forms sometimes to see if they're being escaped properly. If you get a database error you know they aren't. :p

'; drop table xf_users;

Hey, I had to try. :p
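An added example, not Red Squirrel's or anyone else's code, of what the quote test above actually exercises: a registration routine that pastes the password into the SQL text beside one that passes it as a bound parameter and stores a salted PBKDF2 hash instead of the clear text John Connor complained about earlier. It uses an in-memory SQLite database with a hypothetical `users` table; the iteration count and the benign sample password are assumptions.

```python
"""A password containing quotes: string-built SQL versus bound parameters.

Added example; the hypothetical `users` table and the PBKDF2 iteration
count are assumptions, the hostile value is the one posted in the thread.
"""
import hashlib
import hmac
import os
import sqlite3

HOSTILE_PASSWORD = "'; drop table xf_users;"   # the value from the post
PBKDF2_ITERATIONS = 600_000                    # assumed work factor


def new_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return conn


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, so a dumped table does not hand out passwords in plain text."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """The anti-pattern: the password is interpolated into the SQL text.

    A quote in the input becomes SQL syntax, so the hostile value breaks the
    statement (SQLite reports a syntax error). It also stores whatever it is
    given unhashed. Returns True if the row was stored.
    """
    sql = f"INSERT INTO users (name, salt, pw_hash) VALUES ('{name}', X'', '{password}')"
    try:
        conn.execute(sql)
    except (sqlite3.Error, sqlite3.Warning):
        return False
    return True


def register_safe(conn: sqlite3.Connection, name: str, password: str) -> None:
    """Bound parameters: the driver sends values separately from the SQL text,
    so quotes and semicolons in the password are data, never syntax."""
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users (name, salt, pw_hash) VALUES (?, ?, ?)",
        (name, salt, hash_password(password, salt)),
    )


def verify(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))


def table_exists(conn: sqlite3.Connection, table: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


def demo() -> dict:
    """Run both registration paths and report what each one did."""
    conn = new_db()
    out = {}
    # Benign password through the vulnerable path: it "works", and the table
    # now holds the password in the clear, which is exactly what a dump exposes.
    register_vulnerable(conn, "alice", "Words12!")                 # assumed sample value
    row = conn.execute("SELECT pw_hash FROM users WHERE name = 'alice'").fetchone()
    out["vulnerable_plaintext_visible"] = row[0] == "Words12!"
    # Hostile password through the vulnerable path: the statement is broken.
    out["vulnerable_hostile_stored"] = register_vulnerable(conn, "bob", HOSTILE_PASSWORD)
    # Same password through the safe path: stored as data, hashed, verifiable.
    register_safe(conn, "carol", HOSTILE_PASSWORD)
    row = conn.execute("SELECT pw_hash FROM users WHERE name = ?", ("carol",)).fetchone()
    out["safe_hostile_stored"] = row is not None
    out["hash_differs_from_password"] = row[0] != HOSTILE_PASSWORD.encode("utf-8")
    out["users_table_intact"] = table_exists(conn, "users")
    out["verify_correct"] = verify(conn, "carol", HOSTILE_PASSWORD)
    out["verify_wrong"] = verify(conn, "carol", "'; drop table xf_users")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:30s} {value}")
```

A database error on a quote, as the post says, is the tell that the value is being spliced into the statement text; with parameters the same string is an ordinary column value, and hashing it means a stolen table yields PBKDF2 output rather than the passwords themselves.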
 

lxskllr

No Lifer
Nov 30, 2004
'; drop table xf_users;

Hey, I had to try. :p
[image: exploits_of_a_mom.png]