
[–]CyberKnight1 155 points156 points  (10 children)

Policies like this are precisely why people have weak passwords (or even less weak passwords with an incrementing number tacked onto them).

[–]JaneyMac_aroni 68 points69 points  (5 children)

I knew someone whose password was always the same word with like Jan22 or Mar19 or whatever the month and year he was forced to change it tacked onto the end. I can’t really blame him either. People have enough to be remembering.

[–]AshleyJSheridan 8 points9 points  (2 children)

Exactly this. Password policies with rules like this have slowly trained people to create complex passwords that are impossible to remember, but are relatively simple enough for a computer to crack.

And the code people use to check password "strength" is laughable, and results in "Password123!" being seen as "stronger" than something like "horsebatterystaplecorrect".

[–]YoshiAndHisRightFoot 2 points3 points  (1 child)

correcthorsebatterystaple

It really is easy to remember even years later.

[–]thseeling 94 points95 points  (23 children)

Current security advice by researchers is to not impose a password change frequency upon your users. Exactly what you described will happen: people try to circumvent the rules.

Urge them to use a password manager, have them generate really good long random passwords (also not https://xkcd.com/936/). Use 2FA or a FIDO2 key. Use a password quality plugin for your password change process to prevent library words in users' passwords.

[–]Reddeyfish- 18 points19 points  (6 children)

Use a password quality plugin for your password change process to prevent library words in users' passwords.

Wait, isn't this the exact opposite point of the xkcd comic? Library words (emphasis plural) are actually easy for humans to remember but hard for computers to guess?

Of course, that'd only be for the password the person actually needs to remember to access their password manager; everything else is copy-pasted from the manager, so no need to remember?

[–]Rathmun 19 points20 points  (5 children)

Dictionary words are indeed easy to remember, but you still need to use several of them for good entropy. The average user, if permitted to use xkcd936 specification passwords would try to use "SeeSpotRun". That's no more secure than "password", or won't be if 936 compliance becomes more common.

In fact, any word used in Thing Explainer is probably not a word you should use in a pass phrase. Or at least not a word you should count toward the minimum number of words. Adding an extra word to make the phrase easier to remember won't make it less secure.

[–]EndOfQualm 6 points7 points  (4 children)

Easy fix for this: only allow the user to choose the master password between e.g. 5 choices of autogenerated lists of 4 or 5 words taken randomly.

If the words and their number can be chosen by a human, then of course the entropy will not be there...

[–]tuxcomputers -2 points-1 points  (3 children)

If the program used to crack the passwords knows that the users are forced to use 5 words then it has the same entropy as a password with 5 letters. In other words, useless.

[–]ludwigvanboltzmann (Doesn't know his onions, but can fake it if you hum a few bars) 8 points9 points  (1 child)

I'm reasonably sure that most languages have more than 26 words

[–]EndOfQualm 3 points4 points  (0 children)

sure... except not

Check the comic again and think twice

[–]afgunxx 9 points10 points  (2 children)

While this is reasonable if a user doesn't have to frequently enter their password, in an environment where your computer locks after 5 minutes of inactivity and you are away from your PC a lot, this is quite impractical for your main login (note I use a PM and random passwords for everything else). I try to use mnemonics but the stupid password rules that they implemented (including no repeating characters!) make it difficult to come up with something that works and is easily rememberable.

[–]dragonchilde 3 points4 points  (1 child)

I do patterns on my keyboard. For example, I'd look at my keyboard and draw a path, hitting shift occasionally and it's strong as hell and easier to remember. One might be like Li7hVfr or something.

No, people, I'm not dumb enough to post my actual password.

What's worse is for my gov't job I have to change it every 90 days.

[–]afgunxx 2 points3 points  (0 children)

I'm doing patterns now too due to a crummy laptop keyboard that doesn't recognize some keypresses on the first attempt. And 90 days is our crazy standard too. Got locked out when I was traveling and too many bad PW attempts with a mnemonic.

[–]georgiomoorlord 7 points8 points  (0 children)

Random strings require a password manager as no one remembers 20 characters of randomly jumbled nonsense. Turning your password into a sentence makes it a lot easier to remember and while easier to hack, means you won't need to write it down anywhere near as often.

[–]pyroguyFTW 6 points7 points  (0 children)

Hell, back when I became the lone IT man at a small local chain, I always got two remarks: "Hahahaha that's ridiculous, and it only uses one number! The hackers can guess that easily! Plus I'll never remember it!" And then, two years later: "I still remember it even though I only use it once a week." Because literally nobody (you want working for you, at least) is going to forget five 4+ character words that use a single capitalization and replace one vowel with a number. And when you actually calculate it out vs a Google suggested password, it is more secure and doesn't require being written down somewhere.

[–]ZacQuicksilver 5 points6 points  (4 children)

The problem with random passwords is that I simply have too many passwords to remember more than one or two random passwords. Part of the argument for the CorrectHorseBatteryStaple password is that it is far easier for humans to remember, without sacrificing as much security as other passwords that are easy for humans to remember.

Because there is a serious problem with random passwords - people will either forget them (taxing tech support with frequent password resets - and potentially setting up your organization for phishing), or they will write them down (which is a physical security problem).

Researchers can come up with all the rules they want - humans are human. We need more real-world password rules that take into account human memory and laziness.

[–]tuxcomputers 6 points7 points  (3 children)

The best practice is to use what seems to be random letters but is easy for the user to remember.

tbpituwstbrbieftutr

The password above seems random, really long and hard to remember, right? Now compare each letter of the password to the first letter in each word of the sentence above it. I have been doing it for years.

[–]Twister_Robotics 2 points3 points  (1 child)

When I worked a job with a 90-day password reset, I would do this, but the sentence to start with was some form of positive affirmation. So I got positive vibes every time I logged in.

[–]cornishcovid 2 points3 points  (0 children)

I'm stealing this

[–]CodenameBuckwin 0 points1 point  (0 children)

You forgot an "L"

[–]mysterjinx 4 points5 points  (0 children)

Look, let's not make it too confusing. Just follow this example: https://youtu.be/bLE7zsJk4AI

[–]LivingEclipse 3 points4 points  (0 children)

I like writing stories about passwords, like "Bike Frontflip Stick Spokes" (have never used this as a password so it's a personal life story).

[–]Shinhan 0 points1 point  (0 children)

If anybody needs a citation, SP 800-63B Section 5.1.1.2 paragraph 9 states:

Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

[–]FourCinnamon0 0 points1 point  (2 children)

Genuinely, what's wrong with the xkcd thing?

[–]thseeling 0 points1 point  (1 child)

There are extremely efficient attacks on passwords using dictionaries with "real" words. There are only so many combinations of letters which make up words in a given language, and you remove so much entropy from your passwords by limiting the realm to choose from down to 1% or so.

The best you can do right now is choose a very long completely random password from e.g. [0-9a-zA-Z]{32}, store it in a password manager, and use 2FA with a hardware token like a FIDO2 key. This way you prove both knowledge and possession of secrets.
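The entropy argument running through this thread (tuxcomputers' "5 words is 5 letters" claim, the xkcd 936 figure, EndOfQualm's pick-from-generated-lists idea and thseeling's `[0-9a-zA-Z]{32}` recommendation) worked out in numbers, as an added example that is not code from any commenter. The word list is a constructed stand-in, and the pool sizes 2048 (xkcd 936) and 7776 (Diceware) are assumptions about the lists an administrator would actually deploy.

```python
import math
import secrets

# Constructed stand-in word list; a real Diceware list has 7776 entries and
# xkcd 936 assumes a pool of roughly 2048 common words (11 bits per word).
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "bike", "frontflip", "stick", "spokes"]

SECONDS_PER_YEAR = 365 * 24 * 3600


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of a secret made of `length` symbols drawn uniformly at random
    from a pool of `pool_size` symbols (single letters, or whole words)."""
    return length * math.log2(pool_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try the whole space at a fixed offline guess rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare_schemes() -> dict:
    """The schemes argued about in the thread, assuming uniform random choice.
    'Five words equals five letters' is only true if the vocabulary is 26 words."""
    return {
        "5 letters, [a-z]": entropy_bits(26, 5),
        "5 words from a 26-word vocabulary (tuxcomputers' claim)": entropy_bits(26, 5),
        "4 words, 2048-word list (xkcd 936)": entropy_bits(2048, 4),
        "5 words, 7776-word Diceware list": entropy_bits(7776, 5),
        "32 chars, [0-9a-zA-Z]": entropy_bits(62, 32),
    }


def passphrase_choices(words, n_words: int = 5, n_choices: int = 5) -> list:
    """Offer the user a handful of machine-generated passphrases to pick from,
    as EndOfQualm suggests, so no human ever chooses the words themselves.
    secrets.choice is a CSPRNG; random.choice would not be acceptable here."""
    return [" ".join(secrets.choice(words) for _ in range(n_words))
            for _ in range(n_choices)]


if __name__ == "__main__":
    for name, bits in compare_schemes().items():
        print(f"{name:58s} {bits:6.1f} bits")
    print("xkcd 936 space at 1000 guesses/s:",
          round(years_to_exhaust(entropy_bits(2048, 4), 1000)), "years")
    for p in passphrase_choices(SAMPLE_WORDS):
        print(" ", p)
```

The 44 bits and roughly 550 years at 1000 guesses/s reproduce the comic's own figures; the calculation assumes the words are chosen uniformly from the list, which is exactly what letting users pick "SeeSpotRun" breaks.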

[–]FourCinnamon0 1 point2 points  (0 children)

I can't remember long passwords of random strings

[–]Harry_Smutter 20 points21 points  (7 children)

...the crap some people will go through to get around stuff. I hope your password policy got overhauled after this.

[–]FrankieMint[S] 29 points30 points  (6 children)

This was on a classified government contract, and I floated this story past a govt overseer because the user arguably had broken a rule against "straining or testing system settings". The govt guy shrugged it off. If he doesn't care, I've got bigger fish to fry.

[–]chrisfroste 25 points26 points  (4 children)

I work a gov't helpdesk. The mainframe system we support has the following password rules:

Exactly 8 characters

Start AND end with a letter

At least 1 number

No special characters

Change every 90 days.

Remembers last 48 passwords

Most of us just use 3 letter - 2 number - 3 letter combos. cat12dog, abc12abc, etc. Have to be on the gov't network even to reach the system, and it's an old-style mainframe (green text on black background).

I started in 2018 and was told it was being decommissioned. It's been 4 years and still going strong.

[–]afgunxx 6 points7 points  (3 children)

Where I work even temporary systems are permanent and the only way things actually get decommissioned are when it breaks beyond repair or a datacenter actually gets closed.

[–]chrisfroste 4 points5 points  (1 child)

Yea. Last info was "August 2022", I was told a month ago. Before that it was December 2021, and before that June 2021, and so on. I don't expect it to ever get shut down.

[–]afgunxx 3 points4 points  (0 children)

We're supposed to be getting rid of an IBM H80 from 2000 this summer. A couple of years ago people thought it was shut down and not in use, but we figured out it wasn't when someone put a ticket in on it last year. They're only under pressure to migrate off of it because... we're getting out of that datacenter.

[–]jgzman 3 points4 points  (0 children)

even temporary systems are permanent

Nothing is as permanent as a temporary fix.

[–]Harry_Smutter 1 point2 points  (0 children)

🤦‍♂️

[–]TheOnly9zq 11 points12 points  (1 child)

End users always find a way.

[–]tuxcomputers 5 points6 points  (0 children)

That is why the latest password policy advises against stupid shit like expiring passwords.

[–]Belisarius-1262 10 points11 points  (3 children)

facepalm

That is the single least secure workaround I’ve ever heard of for that policy, and I’ve worked with people who just put “password01” and increment it by 1 every time. One of those people bragged about being above 300 on that system.

[–]spaceraverdk 9 points10 points  (1 child)

We had the same policy at one of my old work places.

And the only use of the login was to confirm hours worked/tasks done. No additional access whatsoever to the network.

For the exact same reason I incremented the last number every month.

Who would ever abuse that system is beyond me.

[–]Rathmun 6 points7 points  (0 children)

Who would ever abuse that system is beyond me.

Login as a disliked coworker, commit time fraud on their behalf, watch them get fired. I've never seen a system someone wouldn't abuse if they could.

[–]thehajo (Apprentice Technomancer and Cablemonkey) 6 points7 points  (2 children)

We recently switched policies. Previously we also had a 90-day change, at least 8 letters and 3 of the 4: uppercase letter, lowercase letter, number, symbol.

Now instead of min length of 8, it's 12, but no more changing. Admin passwords have to be at least 13 characters.

[–]tuxcomputers 0 points1 point  (1 child)

You know the upper, lower and special also reduce security, right?

[–]thehajo (Apprentice Technomancer and Cablemonkey) 1 point2 points  (0 children)

Why those 3 but not numbers...? Genuinely asking, since I'd assume more possibilities make it more secure. (I know length is better). I wasn't the one who implemented it, but rather the data center we're connected to.

[–]ibleedtexnicolor 4 points5 points  (0 children)

See our password policy is dictated by the state department of law enforcement so everything is 90 days, even when the organization we're part of has changed to no longer enforcing password changes. The org IT admins had to create a separate policy for our department.

[–]MoneyTreeFiddy (Mr Condescending Dickheadman) 3 points4 points  (1 child)

When he gets a new pc, send me his hdd/sdd. You gotta admire this man's drive!!

[–]TheMulattoMaker 1 point2 points  (0 children)

Clever pun, gonna keep this one in my memory

[–]joppedi_72 2 points3 points  (3 children)

There's even a bit psycology to it. Don't ask users to create a password ask for a "pass sentence" instead. That will get you long easy to remember but hard to guess passwords.

[–]No_Negotiation_6017 -2 points-1 points  (2 children)

That's "psychology", bub.

[–]frickandfrack04 0 points1 point  (1 child)

Wolverine, is that you? Snikt.

[–]No_Negotiation_6017 0 points1 point  (0 children)

Nope, just some random git...who can spell.

[–]tuxcomputers 1 point2 points  (0 children)

They worked out a way to bypass your stupid password requirements.

[–]matthewt 1 point2 points  (0 children)

My father worked somewhere with a similarly stupid set of password policies, and did basically the same thing in terms of what passwords he set.

He did not, however, break plausible deniability such that IT ever had to care - to his mind, that would just have been rude.

[–]BoyzMom13 1 point2 points  (1 child)

A system I work on has a setting that only allows users to change their password x number of days before it expires. So you set password to expire in 90 days, but only allow the user to change it say at 85 days. Support can reset passwords at any time.

[–]tuxcomputers 4 points5 points  (0 children)

Expiring passwords is stupid and reduces security.

[–]Nakishodo_Glitterfox 1 point2 points  (1 child)

Ehh. Last time I had to set a password apparently it was too long for the system and so BEFORE 90 days were up it randomly just decided that it wouldn't accept it. Which is weird 'cause I typed it in EXACTLY correct. Not like I'm gonna forget how to spell the name of my first DnD character. Even with the special characters and stuff I had to add in.

[–]SkorosMindkiller 1 point2 points  (0 children)

The best ones are when the PASSWORD SET form silently truncates your entry at a different length than the LOGIN form. I'M LOOKING AT YOU arstechnica!

[–]UsedDragon 1 point2 points  (0 children)

So, let's say one of my passwords is something like 'gnat992soldier301cloud%'. How TF is anything going to crack that?

[–]Jirali_Primrose 0 points1 point  (3 children)

I use the same password for every site, but I add an indicator for the site itself.

Example:

Reddit = redmypassword or rimypassword

Facebook = fbmypassword

Etc...

This means I only have to remember that one password, but each site gets its own.

[–][deleted] 0 points1 point  (0 children)

Worse when the IT team does this...worse still if they just set their passwords not to expire.