“These are stupid rules that annoy everyone”: discussion of password field practices
Photos – Andre Hunter – Unsplash
Unknown password length
Almost all sites have restrictions on the length of the password. Jeff Atwood, author of Stack Overflow and the Coding Horror blog, notes that a minimum bar of ten characters reduces the user's chance of entering a weak or popular password by 80%. But there are resources that report a minimum password length, but do not indicate the presence of an upper threshold. In the selection you can find examples of sites of large vendors, where phrases up to 20 characters are allowed in the password field. But you can learn about this limitation exclusively by trial and error.
The developers of the site of the electronic system of payment for roads in the United States went further. The password field generally truncates the "extra" characters. Users do not immediately understand why the passwords do not match when they are entered in the appropriate fields. A similar problem exists on the website of one New Zealand carrier. Moreover, it does not appear on all pages. There are many such resources – a Hacker News resident notes that he has already lost count, how many times he had to manually modify JS scripts in the Source tab of the browser so that passwords are processed normally.
There is an opinion that the problem with the “reduction” of passwords is hidden in the method of their storage. Perhaps the accesses are in the clear (without hashing) – for example, in a database with the varchar field.
Change password regularly
It is believed that if the password is reliable and was not highlighted in leaks, then changing it makes no sense. At the beginning of the year, even Microsoft refused to regularly change passwords. But not everyone followed in their footsteps. For example, an American company that develops applications for credit and mortgage organizations requires users to change their password every six months.
One of the residents of Hacker News says that his company needs to change the password every three months. This annoys him greatly. At the same time, the software that is responsible for rotation confuses the order of special characters while saving new authentication data. Logging in with the changed password becomes impossible. Until the situation is corrected, he is forced to use weaker alphanumeric phrases. The requirement to regularly change the password also leads to the fact that employees of the company begin to reuse past identifiers. Another user, HN, said that he worked with one telecommunications provider, where an employee used only two passwords to enter the account: “Apr1999!” Or “Mar1999!”. They met the password requirements only formally: uppercase and lowercase letters, numbers and symbols.
Input management
It is not known for certain how the practice of blocking password insertion appeared. Engineers from the US National Cybersecurity Center note that no one has seen any scientific article, study, rule or RFC on this subject. They also say that this is bad practice that impairs security. Resource visitors lose the ability to use password managers and generators. As a result, they choose simple passwords so as not to waste time and gain access to resources faster. At one time, Microsoft regional director Troy Hunt and Wired editor Joseph Cox also spoke out against blocking inserts.
Photo – Matthew Brodeur – Unsplash
Note that the Don’t F * ck With Paste plugin for Chrome and Firefox can work around the problem. Also, the problem can be solved manually in the settings. For example, for a "fire fox" flag about: config: dom.event.clipboardevents.enabled need to switch to false. However, this may disrupt copy / paste in Google Docs. To combat copy / paste blocking, one of the Hacker News residents wrote his own script – AutoHotKey. It reads data from the clipboard, and then prints them one after another in the input field with a delay of 100-200 ms.
Who standardizes password policies
There are organizations that develop standards for working with passwords. For example, the US National Institute of Standards and Technology (NIST) compiles the NIST 800-63B framework. It states that the password must be at least eight characters long. At the same time, sites are asked to set a maximum password length of at least 64 characters.
The selected password should not be included in the list of the most popular phrases and contain repeated letters and numbers ("aaaaaa" or "1234abcd"). A brief squeeze with explanations of these rules was prepared by engineers from Sophos, a manufacturer of information security tools for servers and PCs. The NIST standard already has many sites. For example, the login.gov resource, which provides authentication services for US government portals.
There are other frameworks (for example, HITRUST), but they still have outdated practices like regular password rotation. But they, like NIST, are gradually being improved.
Additional reading on 1cloud blog:
What's new in Linux kernel 5.3“How We Build IaaS”: 1cloud materials
Screening electronic devices at the border – a need or violation of human rights?Why mainstream browser developers again refused to display the subdomain
