Friday March 10, 2017
Software Development

Jeff Atwood wrote a post on Coding Horror today calling out bullshit password rules. And he’s dead on. Password rules, as most sites implement them today, are not improving security. They might actually be hurting it. Even NIST agrees.

Personally, I agree with everything Jeff says. He makes several really well-researched points. But there’s one particular topic he did not mention that I want to bring to attention. Password expiration is bad (within reason). I’ve heard of (and, unfortunately, used) services that expire passwords as frequently as every 3 months. That’s just stupid. Seriously. Sometimes I don’t even visit a website that frequently! Why does it need to expire that soon? What, they store their passwords in MD5 and expect to be hacked 4 times a year? There’s no reason to expire passwords that frequently. Moreover, it’s actually harmful - what do most people do when their password expires so often they can’t remember it? They write it down on a sticky note next to their monitor. Yeah, real secure.

Really, the only time a user should need to change their password is if a website is hacked and a database is compromised. If your database hasn’t been compromised and you make your users change their password on a regular time interval, you’re providing a bad user experience with no real benefit for your users.

OK. Now that that’s off my chest, let’s talk about solutions. As a user of websites with vastly different password rules, your options are somewhat limited and they kind of suck.

## What Makes a Password Secure?

### Length

As it turns out, password length is probably the biggest factor in making your password more secure. Jeff’s post has all the data to back this up. Today, lots of computing power is easily available with things like Amazon EC2 and GPU parallel processing. Passwords around 8 characters in length can be cracked in minutes. The best weapon against these attacks is password length because each additional character increases the number of possible passwords exponentially. A “secure” password would be roughly 14 characters or longer.

Password dumps exist on the internet. If the password you’re using exists in one of these dumps (even on someone else’s account), it’s not secure. As you might imagine, that means you can’t use simple words, “123456”, or anything like that.
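To make the two points above concrete, here is a small Python check (an added example, not code from the post) that enforces length and absence from a dump instead of composition rules. The dump is a constructed four-entry set, the 14-character threshold is the post's rough figure, and the 1e10 guesses/second rate is an assumed attacker budget.

```python
import hashlib
import math

# Constructed stand-in for a password dump: SHA-1 digests of a few leaked
# passwords (values chosen for this example, not taken from a real dump).
LEAKED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("123456", "password", "qwerty", "ILikeDoughnuts")
}

MIN_LENGTH = 14  # the post's rough threshold for a "secure" length

def charset_size(password: str) -> int:
    """Estimate the alphabet a brute-force search must cover, from the classes used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation, space included
    return size

def search_space_bits(password: str) -> float:
    """log2 of the number of candidates; grows by log2(alphabet) per extra character."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))

def days_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return 2 ** search_space_bits(password) / guesses_per_second / 86400

def is_leaked(password: str) -> bool:
    """True if the password's SHA-1 appears in the (constructed) dump."""
    return hashlib.sha1(password.encode()).hexdigest() in LEAKED_SHA1

def check_password(password: str, guesses_per_second: float = 1e10) -> dict:
    """Length-plus-dump policy instead of composition rules; returns verdict and reasons."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if is_leaked(password):
        reasons.append("found in a known password dump")
    return {"ok": not reasons, "reasons": reasons,
            "bits": round(search_space_bits(password), 1),
            "days_to_exhaust": days_to_exhaust(password, guesses_per_second)}
```

Run on an 8-character lowercase password the keyspace is exhausted in seconds at the assumed rate, while each extra character multiplies that time by the alphabet size.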

### Different Passwords on Different Sites

You’ve probably heard it before. Don’t use the same password for your email account that you use for your bank account. Websites get broken into all the time. If you use the same password on every website, a hack on any of the websites you visit becomes a hack on all the websites you visit. If you use a different password for each website, you limit your exposure in case any of the websites you use gets compromised.

### Multi-Factor Authentication

Where it’s offered, multi-factor authentication can provide better security than a password alone. Multi-factor authentication fixes many of the problems with passwords. Accounts protected with multi-factor authentication are likely to be difficult to compromise even if the password protecting them is weak.

## What are the Options?

As a user, it’s hard to use good passwords. Passwords (or even password algorithms) that work on one site often won’t work on another. Websites make you change your password at random intervals. It can all be very user-unfriendly. Here are some strategies that can help.

### Use Single Sign-On

Many websites are allowing their users to sign in using a Google or Facebook account. Where it’s available, I think this is a great option. I’m usually already logged in to my Google account anyway. And I trust Google to do a better job verifying my identity than most other websites. If other websites can use Google to verify my identity, that’s one less password I need to manage.

### Use a Password Algorithm

I’ve been using this trick for a while on some websites. It solves the problem of using a different password on different websites without having to remember a large number of different passwords (and without using a password manager). It works like this: Start with a “base” password. For example, ILikeDoughnuts. Then, add something about the name of the website you’re logging in to. If you’re logging into your bank, you might use BILikeDoughnutsank, combining the words Bank and ILikeDoughnuts to form your password. Now you’ve got a different password for each site, but you only have to remember one algorithm.