Why don't we have password standards?
It seems like each website has it's own password standards.
Some want 5 letters, some want a minimum of 10, some want a maximum of 8, some want a number, some want a mix of capital and lower case letters, some want an underscore, some want a special character @#$%@#@%@#%...others don't allow special characters etc.
Obviously there is absolutely no need for something that restrictive. All it does, is that people are stuck using uncommon passwords...which in turn means that they end up writing them down or constantly forgetting them, which bypasses the security.
So how about we create a common set of password standards...one that doesn't force the user to deviate from their common passwords, yet one that does the bare minimum to make brute forcing it with bots complicated.
12 comments
[ 3.1 ms ] story [ 40.1 ms ] threadMy password has been letters + numbers at the end for a long time and I know it's secure because it's not a common word or numbers that have to do with me. No capitals, no punctuations, only lowercase letters and numbers. When a website forces me to use other letters in my password, I keep forgetting it and I am forced to use "Lost my password" all the time, which makes me want to use that service less and less.
Were you inspired to post this by today's XKCD comic? Link : http://xkcd.com/936/
This is a joke! We're in the 21st century, people should be able to have their own set of password standards. I know we, as programmers, are always looking out for the most noobish of the end-users. But is it really necessary to go as far as to FORCE EVERYONE into picking a blatantly obviously brute-force-safe password?
In the end, the bulk of these users are just going to forget their password, add it to their password manager, and become frustrated with this chosen system. This in turn is insecure for its own reasons.. I think what we need is to remove these silly limitations altogether (although a set standard minimum/maximum character limit is completely understandable imo), and allow people to pick their own standards. The newbies out there will eventually get their accounts hacked, its inevitable imo. And when that happens they will learn to set better passwords.
The great thing about standards is that there are so many to choose from. Here in Britain the Financial Services Authority sets minimum password standards for online banking. I expect similar regulators in other parts of the world have their own subtly different requirements.
https://www.owasp.org/index.php/Password_length_&_comple...
That should be enough? I can't imagine that you are lamenting the lack of an oversight body to to adopt and enforce a standard. Were you?
For example, if they are using brute force they will start it using 8characters, or use dictionary words with 8c +. Still 8c is better then 6.
Just install a password manager, or "develop" your own "algorithm" of how you create your passwords. For example a password "Hackernews"; move each character once to the left, which would give: Jsvlrtmrd. Obviously this "algorithm" has to be change every few websites, or somebody will find out your pattern.