Whining About Passwords


There's a lot to complain about with passwords. Mostly it comes down to scale: A handful of accounts is easy enough to deal with. But nowadays who has only a handful? You have to get an account for most anything of real value on the Internet. Each of those accounts comes with a password to manage, and each of those passwords is subject to a different set of rules about what constitutes a valid password. In the computer security field, those rules are called "password policy".

People can't memorize that many unique passwords, so they employ a lot of bad strategies to help out: using the same or similar passwords on all their accounts; creating passwords from regular words with certain letters substituted with other characters; or writing down all their passwords. I have over 200 accounts on the Internet and at one time or another, I've done all of these things. But they all seriously compromise the security of your accounts, defeating the purpose of the passwords. A password manager solved most of these issues for me. If you don't have one, I highly recommend it. I use the free version of Bitwarden.

My complaints now have more to do with how password policies themselves subvert security.

The purpose of a password is to protect access to something. And the purpose of a password policy is to ensure that passwords meet a minimum strength standard. This is all good.

A password policy should set a minimum standard, but not a maximum standard. In other words, a password policy should never make passwords weaker by imposing arbitrary limitations that reduce the number of possible combinations of characters in a password. To me, this should be obvious, but I've run into so many web sites that violate this seemingly self-evident principle.

There should be three rules added to every web software developer's philosophy regarding password policy:

  1. Encourage long passwords – Ideally, passwords wouldn't have a maximum length. There are a few valid reasons to have one, including long-password denial-of-service attacks (a deliberately slow password hash run over a multi-megabyte input ties up the server) and length limits built into some password hashing algorithms (bcrypt, for example, silently ignores everything after the first 72 bytes). If a maximum length must exist, then it should be long: 14 characters at a bare minimum, but even that is woefully inadequate in my opinion. I believe it should be 64 or more, which is also the length NIST SP 800-63B recommends verifiers accept. As a point of comparison, the maximum password length on Microsoft Active Directory is 256 characters. If your password hashing algorithm can't deal with sufficiently long passwords, then it's time to get a new one (Argon2id, scrypt and PBKDF2 all accept input of any length), because not doing so is negligent. And passwords should be stored only as salted, slow hashes, never encrypted in a way that can be reversed. In this day of password managers, users have the ability to create and manage very long passwords made up of random characters. From a security standpoint, that's a very good thing. Don't be an obstacle to it!
  2. Allow any character – Policies should never disallow certain characters. Any character, including symbols, punctuation, spaces and non-ASCII letters, should be allowed in a password. The more different types of characters allowed, the more combinations possible and the stronger the password system. The one processing step that is justified is Unicode normalization (NFKC) before hashing, so that the same password typed on different keyboards or operating systems compares equal. Anything else a site does to "sanitize" a password, such as stripping quotes or angle brackets, is a sign that it is handling the password as data somewhere instead of hashing it immediately.
  3. Implement self-service password reset from the start – The lame excuse I've read for not doing these things is that they will increase the odds of a forgotten password and the need to reset it. Agreed. I can see how that would be the case. But the solution isn't to make your password system weaker. Instead implement a self-service password reset function from the very beginning. This will deflect most of the support calls you'd get from forgotten passwords and still preserve users' ability to use very strong passwords.

And the most important rule of all: When a user tries to set their password to some value that violates the policy, tell them what the damn violation is! Don't make them guess. In fact, at that point you should tell them all the policy rules so they don't have to discover them one-by-one through trial and error. Disclosing the password policy to users is not a security risk if your password policy is strong enough: anyone who can create an account can discover the rules by trial and error anyway, so hiding them only inconveniences legitimate users.
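The rules above, turned into working code. This is an added example and not code from the original post: it enforces only a minimum length and a high, DoS-bounding maximum, lets every character through (normalizing Unicode rather than stripping anything), reports every violation at once alongside the full policy text, and hashes with scrypt, which has no input-length cap of the bcrypt kind. The 14-character floor follows the post; the 256-character ceiling, the 16-byte salt and the scrypt work factors are assumed illustrative values.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import List, Optional, Tuple

# Policy bounds. The 14-character floor follows the post; 256 is an assumed
# value, chosen only to bound hashing cost (rule 1), not to limit strength.
MIN_LENGTH = 14
MAX_LENGTH = 256

# scrypt work factors are assumed illustrative values; tune per deployment.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def normalize(password: str) -> str:
    """NFKC-normalize so the same password typed on different keyboards or
    operating systems (precomposed vs. decomposed accents) compares equal.
    This is the only transformation applied; no characters are stripped (rule 2)."""
    return unicodedata.normalize("NFKC", password)


def policy_rules() -> List[str]:
    """The complete policy in plain language, for showing up front (final rule)."""
    return [
        f"at least {MIN_LENGTH} characters",
        f"at most {MAX_LENGTH} characters",
        "any character is allowed, including spaces, punctuation and non-ASCII letters",
    ]


def check_password_policy(password: str) -> List[str]:
    """Return every violation at once (empty list means accepted), so the user
    never has to discover the rules one by one (final rule)."""
    n = len(normalize(password))
    violations = []
    if n < MIN_LENGTH:
        violations.append(f"must be at least {MIN_LENGTH} characters (got {n})")
    if n > MAX_LENGTH:
        violations.append(f"must be at most {MAX_LENGTH} characters (got {n})")
    return violations


def _scrypt(password: str, salt: bytes) -> bytes:
    # scrypt is memory-hard and takes input of any length, so nothing is
    # truncated the way bcrypt truncates after 72 bytes.
    return hashlib.scrypt(normalize(password).encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted scrypt hash of a policy-conforming password; returns (salt, digest)."""
    if check_password_policy(password):
        raise ValueError("password violates policy; call check_password_policy first")
    salt = salt if salt is not None else os.urandom(16)
    return salt, _scrypt(password, salt)


def verify_password(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of the candidate's hash against the stored one.
    Out-of-policy input is rejected before hashing, which is what bounds the
    long-password DoS described under rule 1."""
    if check_password_policy(candidate):
        return False
    return hmac.compare_digest(_scrypt(candidate, salt), stored)


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ["short", "x" * 300, "correct horse battery staple!"]:
        print(repr(pw[:20]), check_password_policy(pw) or "accepted")
    print("policy:", "; ".join(policy_rules()))
    salt, digest = hash_password("p" * 200)          # 200 characters is fine
    print(verify_password("p" * 200, salt, digest))  # True
    print(verify_password("p" * 199, salt, digest))  # False: nothing was truncated
    # é as U+00E9 (precomposed) vs. e + U+0301 (combining) match after NFKC
    s, d = hash_password("caf\u00e9 au lait, s'il vous pla\u00eet")
    print(verify_password("cafe\u0301 au lait, s'il vous pla\u00eet", s, d))  # True
```

Note that the 199-character candidate fails against the 200-character hash; with a 72-byte-truncating hash the two would verify as identical, which is exactly the silent weakening rule 1 warns about.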

So get with it, developers!