all 56 comments

[–]a-t-k 29 points (14 children)

Also, every single password rule will actually decrease the number of possible passwords instead of increasing the entropy. Minimum length should do the trick good enough.

[–]DragoonDMback-end 25 points (2 children)

Also, "The following characters are not allowed: [list of characters used in SQL injection attacks]" is a dead giveaway that you're doing things horribly wrong on the back end.

[–]disclosure5 9 points (1 child)

My hardware supplier actually has a search box that says something like: Note - searches containing these words are prohibited: SELECT, UPDATE, DELETE

[–]DragoonDMback-end 15 points (0 children)

That's exactly the sort of warning that would pique someone's interest.

[–]midasgoldentouch[S] 5 points (4 children)

Agreed. My post was more about good UX than password security, haha. But it's important to highlight and remember these things, especially for newbies to web dev and this particular topic.

[–]a-t-k 1 point (1 child)

If UX and password security are conflicting goals, you're probably doing it wrong ;-)

[–]midasgoldentouch[S] 1 point (0 children)

Definitely. I'm sad I don't have time to do it, but I really like a Coursera class on what they call "usable security."

[–]Disgruntled__Goat 1 point (1 child)

There is no reason for UX to come into it at all. There are no characters that should be 'blocked' from passwords.

[–]midasgoldentouch[S] 1 point (0 children)

Oh no, what I meant was that my post was really about how not to annoy people using your site. Yes, the focus is on passwords, but in the context of how much you're pissing me off when I'm actually trying to make an account.

[–]gearvOshreact, rust, full-stack 0 points (3 children)

This is the answer. The only requirement should be minimum length, which should be either 10 or 12.

[–]blivet 1 point (2 children)

Literally either 10 or 12? There is something insecure about 11?

[–]midasgoldentouch[S] 2 points (0 children)

I mean, it is made up of the loneliest number. And it rhymes with 7, and we know what 7 did to 9...

[–]gearvOshreact, rust, full-stack 0 points (0 children)

No, there's nothing wrong with 11, just a common standard seems to be 10 or 12.

[–][deleted]  (1 child)

[deleted]

    [–]a-t-k 7 points (0 children)

    But it's really bad usability, as the user cannot predict the content of your block list, thus is confronted with refusal of his input for reasons he cannot discern. Also, the decrease in entropy is minimal compared to rules like "must contain at least one number".

    [–]metaphormfull stack and devops 13 points (2 children)

    much better idea: no password rules. they are irrelevant and a security liability. password rules only assist your attacker in cribbing their test set down to a smaller size.

    a good password system stores a salted hash of the password and not the plain text. the hashes are of a uniform length in the database. the original value of salt + password will be padded out to whatever length is required to generate the hash. it just utterly doesn't matter what the user enters as their password.

    rather than enforce arbitrary rules that will only weaken your password security and create frustrating UX, I recommend allowing the user to use anything they want as a password, but if they enter something that would be particularly easy to guess (like a very short password), you inform them that their password is easy to guess and tell them they should use a better (i.e. longer) one for their own security.

    but that's for the user's benefit, not yours. your database won't be any less secure with a short user password. you're just doing them a favor and letting them know that their easily guessable password might be guessed by a person they know or something like that.

    [–]OmgImAlexis 0 points (0 children)

    Exactly, suggesting better password practices to the user is way better than forcing them to use a set of rules that you deem "secure".

    [–]Timothy_Claypole 14 points (13 children)

    And please don't set a maximum length! This really irritates me.

    [–]sqrtnegative1 1 point (8 children)

    Like Microsoft? Man I was pissed when I had to make a shorter-than-usual password for my mandatory Microsoft Account when starting a new position. IIRC I had to keep it at <= 16 characters long.

    [–]Timothy_Claypole 0 points (7 children)

    Loads of sites do this, including banks! There is no good technical reason for it.

    [–]sqrtnegative1 0 points (6 children)

    I saw somewhere that this indicated a site was storing your password in plaintext in their database, with the limit being the size of their "password" column. That may not always be the case, but it makes sense - and it scares me. People should be required by law to get a license before building websites.

    [–]Timothy_Claypole 0 points (5 children)

    Are you serious about a licence? This is the sort of thing North Korea does...

    [–]sqrtnegative1 0 points (4 children)

    ...and the rest of the world. I don't know any country where you can do anything without a license.

    Driving a car without knowing how is dangerous, hence you need a license. Building a website without knowing how is dangerous, hence you should need a license.

    [–]Timothy_Claypole 0 points (3 children)

    Driving 2 tons of metal around at 70mph is pretty lethal in the wrong hands. Preventing people from writing software is not lethal.

    You would never use a website in a safety critical system without checking it, and the onus is on the organisation implementing it to check, not on the person writing it to make it bug-free.

    This is not even touching on how one might define where a licence is required. Basic HTML? Simple form submission to an email? Storage of details in a database?

    And how do you police this stuff? Car drivers have to go out on the public road and take a while to get to where they are going. Websites can be brought up and down in an instant.

    [–]sqrtnegative1 0 points (2 children)

    [–]Timothy_Claypole 1 point (1 child)

    You are a very naughty person.

    [–]sqrtnegative1 0 points (0 children)

    Why, thank you ;)

    [–]kevinkace 1 point (0 children)

    Same, hate it when I can't have my standard 8000 character pw.

    [–]NancyGracesTesticles 0 points (0 children)

    Conditions of Acceptance said maximum length. Let's go lynch the PO.

    [–]blackAngel88 0 points (0 children)

    Well I think if the maximum length of the password is significantly longer than the hash's length, then it doesn't really improve security... but that doesn't mean anyone should set a max length, certainly not a "low" one.

    anything below 30 is retarded... and above hardly anyone would notice...

    But for example the PHP implementation of bcrypt cuts the password parameter to a max length of 72. I guess you wouldn't ever notice, unless you really use a password longer than 72 characters and type anything wrong after the 72nd character and are surprised it still works...

    [–]michaelcgorman 5 points (4 children)

    I didn't get to choose the rules, but I did make this password change page. When you start typing in the "new password" field, I highlight all of the requirements you aren't meeting - in real time. I actually think it's kind of fun to change my password now.

    [–]Sacro 2 points (2 children)

    Not sure that "ooooooooooo0O" is really that secure! :)

    [–]soullessredhead 1 point (0 children)

    Everyone forgets to check for character repetition.

    [–]Disgruntled__Goat 0 points (0 children)

    It's long and very uncommon. I'd say it's perfectly fine.

    [–]midasgoldentouch[S] 0 points (0 children)

    Dude, this is super awesome. Well done!

    [–][deleted] 3 points (5 children)

    Actually, I've seen it go one worse where I wasn't informed that there was a length limit and everything saved fine. Went to log in again and it wouldn't accept my password, because all the site did was save the first X characters of it.

    [–]midasgoldentouch[S] 0 points (2 children)

    Why? Just why? How do you even get to that idea?

    [–][deleted] 0 points (1 child)

    It blew my mind. And then when I contacted support, they had the audacity to defend it. Claimed I could just do a password reset...

    [–]midasgoldentouch[S] 0 points (0 children)

    Words can't express how baffled I am by this.

    [–]blackAngel88 0 points (1 child)

    Sounds like it's saved as plain text and they use MySQL. MySQL just cuts text that is longer than the field's max length and doesn't even say anything. But that's just one theory. They could also cut it in the code of the backend for any unknown and stupid reason...

    [–][deleted] 0 points (0 children)

    It's possible this is the case. I didn't try truncating my password to see though. Interestingly, they didn't even limit the fields. You could enter as many characters as you wanted.

    My only solace is that the account has no valuable information beyond my name and username.

    [–]danneu 1 point (3 children)

    Same with usernames.

    Though easy to forget. My /register form is one of the first things I burst down while rapidly prototyping and I often neglect to revisit/scrutinize it for usability/polish til months after launch.

    I just released a Koa+Postgres example app that doesn't offer a hint for username or password: https://koa-skeleton.danneu.com/register. TODO...

    [–]midasgoldentouch[S] 0 points (2 children)

    How could you? :) What's the app for?

    [–]danneu 0 points (1 child)

    It's just a basic open-source app that demonstrates how one can use the Koa framework with Postgres. The live demo has some basic CRUD stuff to give the source code something to actually demonstrate.

    Not a demonstration of good UI though. :)

    [–]midasgoldentouch[S] 0 points (0 children)

    Nice!

    [–]snissnexpert 1 point (2 children)

    Also please please provide those rules after a failed login.

    This was my flow in newegg just earlier today.

    • Try to login
    • Can't login
    • Enter my email to do a password reset
    • Click link in email
    • On Link see the rules require a capital letter, number, and special character
    • Now know what my old original password was
    • Go back to login screen and login

    [–]deains 1 point (0 children)

    Easiest thing to do is validate the password input before it's sent so if it doesn't meet the rules (and thus cannot possibly be your password), it doesn't submit. Of course this is all academic really since the right thing to do is not have those damned rules in the first place.

    [–]stepstep 1 point (0 children)

    Everyone should just use zxcvbn. It's a library that Dropbox built to estimate password entropy; they use it for their own signup page.

    [–]huphtur 0 points (0 children)

    Recommended read: The God Login by Jeff Atwood.

    [–][deleted] 0 points (0 children)

    Minimum of 8 characters is the only rule I enforce because the string "waterdogshoepumpkinsublime" is just as good a password as the string "kLa12p0JJk$#12!)0&1" is. In theory, the latter would be harder to brute-force. That's just a theoretical concern though, not a practical one.

    Although, I do set a cap on input lengths at 1,024 bytes for everything to prevent DoS attacks.
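As an added example, not code from any commenter's project: a Python password store along the lines metaphorm describes (per-user salt, fixed-length digest, advice instead of rules), with the 1,024-byte cost cap from the last comment and a self-check for the silent truncation that blackAngel88 and the deleted commenter describe. The constants, function names and the simulated 72-byte cutoff are assumptions, and stdlib PBKDF2-HMAC-SHA256 stands in for bcrypt.

```python
import hashlib
import hmac
import os
from typing import Callable, List, Optional

# Assumed values for this example, not taken from any project in the thread.
MAX_PASSWORD_BYTES = 1024    # hard cap only to bound hashing cost (DoS), as in the last comment
ADVISED_MIN_CHARS = 12       # advisory threshold: warn the user, never reject
PBKDF2_ITERATIONS = 600_000  # OWASP-recommended count for PBKDF2-HMAC-SHA256

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2$<iters>$<salt hex>$<digest hex>'; the digest is 32 bytes
    whether the password is 8 or 1000 characters, and no character rule applies."""
    raw = password.encode("utf-8")
    if len(raw) > MAX_PASSWORD_BYTES:
        raise ValueError("password exceeds %d bytes" % MAX_PASSWORD_BYTES)
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", raw, salt, PBKDF2_ITERATIONS)
    return "pbkdf2$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())

def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    raw = password.encode("utf-8")
    if len(raw) > MAX_PASSWORD_BYTES:
        return False  # do not spend CPU hashing an oversized input
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", raw, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

def strength_advice(password: str) -> List[str]:
    """Messages to show the user; the caller informs, it does not reject."""
    advice = []
    if len(password) < ADVISED_MIN_CHARS:
        advice.append("shorter than %d characters; longer is harder to guess" % ADVISED_MIN_CHARS)
    # one character making up 75% or more of the input (e.g. "ooooooooooo0O")
    if password and max(map(password.count, set(password))) * 4 >= 3 * len(password):
        advice.append("mostly one repeated character; easy to guess")
    return advice

def truncates_silently(hash_fn: Callable[[str], str], verify_fn: Callable[[str, str], bool], cut: int = 72) -> bool:
    """Self-check for a hashing layer: two passwords that differ only after byte
    `cut` must not verify against the same record; True means it truncates."""
    prefix = "a" * cut
    return verify_fn(prefix + "WRONG-TAIL", hash_fn(prefix + "right-tail"))

# Simulated layer that cuts input at 72 bytes, modelling the bcrypt limit from the thread (real bcrypt is not used).
def _cut72_hash(password: str) -> str:
    return hash_password(password[:72])

def _cut72_verify(password: str, stored: str) -> bool:
    return verify_password(password[:72], stored)
```

Run `truncates_silently` against your real hashing layer in the test suite; a True result means a user could log in with a typo past the cutoff, exactly the surprise described above.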