I just got done resetting my password for one of my online accounts and I’m fresh off of that experience and feel the need to rant a bit on some simple topics dealing with passwords.
Reader beware, I am emotionally biased right now and will probably make illogical conclusions. Keep reading if you are ready for a bumpy ride.
I would expect by now that there would just be a standard for what you could expect when creating a new username/password combination. I feel it is safe enough to say that as long as your password is >= 8 characters and has a moderate amount of complexity (upper, lower, special) then you are good to go. If you decide to, though, you should be able to create a longer password that is fairly complex (> 14 characters, any character). Let's examine some common scenarios I’ve experienced that lead to me yelling at websites (quite literally, I yell at my computer pretending it is the developers on the other end who have come up with some absurd password policy).
Scenario 1 – Worthless Error Messages
Typical username/password create/update form.
Enter in your typical password.
“Invalid password” or “Your password does not meet the requirements”
This is a great way to trigger the response that extracts words from my mouth that are not suitable for a PG-13 movie. Obviously there are some password requirements, but you want to make this a painful experience for the user by not letting them know what they are. Maybe my password is complex enough but not long enough? Long enough, but not complex enough? Random error messages to confuse the user? Ohh God, how do I proceed?
Scenario 2 – Requiring weak passwords
Typical username/password create/update form.
Enter in your typical password.
“Your password is too complex”
Seriously? I can’t tell you how many times I run across this. Since I have relatively complex passwords, I make the mistake of using them for most username/password combinations. So when I go to use one of my complex passwords on a site and it spits back that it only accepts < 8 characters or something stupid, I really freak out. I sometimes even get out of my seat while I’m yelling at the screen. DON’T EVER LIMIT PASSWORDS! The internet will punch you in the face.
Scenario 3 – Requiring Overly complex passwords and then requiring them to be changed frequently
Typical username/password create/update form.
Enter in your typical password.
“Your password does not meet the requirements. It needs to contain more than 14 characters and must meet the following requirements:
- At least one Uppercase Character
- At least one Lowercase Character
- At least one Digit
- At least one Special character
- At least 12 characters long
- …
These requirements are actually quite good on their own. I take issue when you are required to change your password every 3 months or less. It isn’t that I can’t remember 1 password of this complexity, it is that I have to remember 10 of them that are constantly changing because of the above 2 scenarios mixed with this one.
Scenario Wrap-Up
So since we have the above scenarios, they lead us into possible social engineering situations or other security concerns. I’m pretty sure that password complexity, plus the fact that everybody wants to enforce their own policy, leads to a security problem that is worse than just enforcing a simple password policy. It is the security problem I like to call “The Sticky Note Scenario.” That is, I can’t remember which password is for which website/program/computer, so I’ll just write them on a sticky note and stick it to my screen. I do not support the Sticky Note Scenario, but if you do get to that point I would at least write random things on the same sticky note that look like passwords to confuse any potential malicious person. Also, don’t ever put your username AND password on the same sticky note.
Conclusion and Suggestion
I’m surprised you have made it this far, or maybe you just skipped all the blather above, but here is the good stuff.
The “tubes” and all other things related need to just conform and unify on one single standard. Why not just go with the baseline of what is considered “secure”? Don’t go below these standards or above them. Just use them everywhere. Another wonderful idea is to use a unified login like OpenID.
Realizing that it really has nothing to do with the complexity of the policy you enforce, but instead with how people use and create their passwords, is in your best interest. It has become very apparent that people will use amazingly simple passwords and then use them for everything. Have a read through this page if you want to get some good info about passwords.
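Here is what the baseline policy from above looks like as code, written for this post as an added example (not from any site or library mentioned here). It reports every unmet requirement in one message instead of a bare “Invalid password” (Scenario 1), and the only ceiling is an assumed, generous 256-character bound so that long, complex passwords are never rejected (Scenario 2).

```python
from __future__ import annotations

# Baseline policy the post argues for: at least 8 characters with upper,
# lower and special characters. The maximum is an assumed value chosen only
# to bound hashing cost; it is far above anything a person would type.
MIN_LENGTH = 8
MAX_LENGTH = 256


def unmet_requirements(password: str) -> list[str]:
    """Return every requirement the password fails, as user-facing text.

    An empty list means the password is acceptable. All failures are
    collected at once so the user never has to guess whether the problem
    was length or complexity.
    """
    problems = []
    n = len(password)
    if n < MIN_LENGTH:
        problems.append(f"at least {MIN_LENGTH} characters (you entered {n})")
    if n > MAX_LENGTH:
        problems.append(f"at most {MAX_LENGTH} characters (you entered {n})")
    if not any(c.isupper() for c in password):
        problems.append("at least one uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("at least one lowercase letter")
    # Any non-alphanumeric character counts as special: punctuation, spaces
    # and Unicode symbols are all accepted rather than rejected.
    if all(c.isalnum() for c in password):
        problems.append("at least one special character (punctuation or space)")
    return problems


def error_message(password: str) -> str | None:
    """Return None when the password passes, otherwise one complete message."""
    problems = unmet_requirements(password)
    if not problems:
        return None
    return "Your password must have: " + "; ".join(problems) + "."


if __name__ == "__main__":
    # Constructed sample inputs: a weak password and a long passphrase.
    for candidate in ["password", "correct horse battery Staple!"]:
        print(repr(candidate), "->", error_message(candidate) or "accepted")
```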
Just remember, the NSA already knows your most complex password… probably.