Perilous Password Policies

Mark Burnett
XATO
Published Dec 22, 2016

Ridiculous password policies are a constant frustration to users and security professionals alike. They aren’t making us more secure and contribute to the problems of managing passwords.

One of the most terrifying moments when signing up at a new web site is when I see that dreaded screen — the one that prompts me to create a username and password. So many people struggle coming up with passwords but I use a password manager so I shouldn’t have to think about that kind of stuff. Yet I still do.

The process goes like this: I enter a username and click on my password manager to generate a strong, unique password for me. I prefer a long password — usually 30–50 characters with a mix of letters, numbers, and punctuation. I create exceptional passwords.

But sometimes there is a sizable (and terrifying) list of bullet points to the side of the password box outlining all the things my password can and cannot be. And sometimes there is no indication at all what the requirements are (which is more terrifying).

“Please review our small list of password requirements”

Either way, I click on the password manager’s button to generate a new password. The password manager fills out the form for me and saves the new password in its database. Back on the registration form I click on submit and wait a few seconds. I know it’s coming but it’s still upsetting nonetheless: the invalid password message.

The international language of invalid passwords

Yes, all those red words. Those red words are my worst nightmare. Fed up, I decided to do something about it: I decided to complain on Twitter.

My PWTooStrong Twitter account is dedicated to tweeting and retweeting all those horrible password policies. At first I thought I’d have a few examples and then I’d run out of policies to complain about. But I was wrong: there are thousands of horrible policies. There’s just so much to complain about.

What Makes a Bad Policy?

Password policies are interesting. Over the years we developed them in response to users’ bad habits. For example, users chose weak passwords so we said they couldn’t use short passwords or dictionary words. They still chose bad passwords so we made them change the passwords frequently to at least limit their exposure. But users still chose bad passwords so we made them use much longer passwords. Then we made sure they added numbers. And then special characters.

Honestly, it’s all your fault. But admins did go a little too far. Okay, admins went way too far, to the point where we have so many policies but users still have weak passwords. The irony of all this is that many of us want to create strong passwords but find ourselves limited by those very same policies.

Some of the policies that cause the most difficulty with password generators are:

  • Limiting the length of passwords to an unreasonably low max length
  • Not allowing special characters or only allowing some characters
  • Not allowing users to paste in their password

And let’s face it, some policies are just dumb and show that admins are either not storing passwords correctly or don’t really understand security.

For example:

  • Not allowing three or more consecutive identical characters, such as aaa.
  • Cannot begin or end with a number
  • Not allowing scary characters like < and >
  • Not allowing spaces within a password
  • Having so many requirements no one reads them

And yes, it gets worse. Much worse. Here are some real-world examples from actual password policies:

Your move hackers.
Not quite sure what they are going for here.
Some admins just like the sound of their own typing.
You failed length, complexity, or history and we aren’t telling you which one or what the policy actually requires.
Hackers love the letter Q.
Pussies.
If you don’t login to the online portal once every 5 days it forces a password reset because of those reasons.
Letmein Jesus!

Most of these policies don’t contribute much to security and only make password policies more confusing. Take, for example, the policy above that lists all the reserved words. In this case a minimum length of 9 characters would prevent using any of those words as a password. Moreover, if you make the minimum length 12 characters, does it even matter anymore that the password contains one of those words?
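To make the two lists above and the reserved-word argument concrete, here is an added example (not code from the original post) of a form-side checker run against two constructed policies: one built from the restrictive rules the post complains about, and one that simply demands length and accepts any character. The policy shapes, the sample reserved-word list and the two sample passwords are all constructed for illustration.

```javascript
// Added example, not from the original post: evaluate a password against two
// constructed policies so the effect of each rule is visible.

const RESTRICTIVE_POLICY = {
  name: 'restrictive',
  minLength: 8,
  maxLength: 16,                         // unreasonably low cap
  allowedChars: /^[A-Za-z0-9!@#$%]*$/,   // no spaces, no < >, most punctuation banned
  noTripleRepeat: true,                  // rejects "aaa"
  noLeadingOrTrailingDigit: true,        // cannot begin or end with a number
  reservedWords: ['password', 'letmein', 'welcome', 'qwerty'], // constructed sample list
};

const SANE_POLICY = {
  name: 'sane',
  minLength: 12,
  maxLength: 128,                        // high enough for any generated password
  allowedChars: /^[\s\S]*$/,             // anything goes, including spaces and < >
  noTripleRepeat: false,
  noLeadingOrTrailingDigit: false,
  reservedWords: [],
};

// Returns the names of the rules the password fails; an empty array means accepted.
function checkPassword(password, policy) {
  const failures = [];
  if (password.length < policy.minLength) failures.push('minLength');
  if (password.length > policy.maxLength) failures.push('maxLength');
  if (!policy.allowedChars.test(password)) failures.push('allowedChars');
  if (policy.noTripleRepeat && /(.)\1\1/.test(password)) failures.push('tripleRepeat');
  if (policy.noLeadingOrTrailingDigit && /^[0-9]|[0-9]$/.test(password)) failures.push('edgeDigit');
  if (policy.reservedWords.includes(password.toLowerCase())) failures.push('reservedWord');
  return failures;
}

// An exact-match reserved-word list is redundant once every word on it is shorter
// than the minimum length: none of those words could pass the length check anyway.
function reservedListIsRedundant(policy) {
  return policy.reservedWords.every((word) => word.length < policy.minLength);
}

// Constructed sample inputs: a 40-character password-manager style string
// (letters, digits, punctuation, a space, < and >) and a short weak one.
const MANAGER_PASSWORD = 'q7$R<m w9>Lk#Z2!bV&r4Qd^nX0(tS)e8+yCj~Hp';
const WEAK_PASSWORD = 'Qwerty12$';

function demo() {
  const report = {};
  for (const policy of [RESTRICTIVE_POLICY, SANE_POLICY]) {
    report[policy.name] = {
      manager: checkPassword(MANAGER_PASSWORD, policy),
      weak: checkPassword(WEAK_PASSWORD, policy),
    };
  }
  // Raising the restrictive policy's minimum to 9 makes its reserved list pointless.
  report.reservedListRedundantAt9 = reservedListIsRedundant({ ...RESTRICTIVE_POLICY, minLength: 9 });
  return report;
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the restrictive policy rejecting the generated 40-character password (too long, disallowed characters) while accepting the weak nine-character one, and the length-only policy doing the opposite. The last field shows the reserved-word list becoming dead weight as soon as the minimum length exceeds the longest word on it.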

I like to think that somehow shaming all these organizations will some day make a difference. But I know it probably won’t. In the meantime, it is fun mocking all those awful policies.

Mark Burnett is a security consultant and author of the book “Perfect Passwords”

IT security analyst and author working in application security, passwords, authentication, and identity. Based in South Weber, Utah https://xato.net