This is getting silly. We’re all familiar with password complexity rules intended to help us create “strong” passwords that are harder to crack. Those of us who have been paying attention will know that the real outcome of this approach is to create passwords that are surprisingly easy for computers to crack but really hard for people to remember. I first wrote about this more than six years ago: https://blog.rappidly.com/2013/01/16/why-cant-people-get-the-message-about-passphrases/
So, why the dead thread resurrection? Because Barclays Data Security Manager – their PCI-DSS platform – has come up with this comedy gem of a policy:
- Your password should be a minimum of 8 characters.
- Your password should at least contain 1 upper-case letter.
- Your password should at least contain 1 lower-case letter.
- Your password should at least contain 1 special character (e.g.: #?!@$%^&*-)
- Your password should at least contain 1 number.
- Your password shouldn’t contain more than 2 repeating characters in the same case.
  Example: “Bob” = 1 “B” & 1 “b” = is allowed.
  “bob” = 2 “b’s” = is allowed.
  “Bobby” = 1 “B” & 2 “b’s” = is allowed.
  “bobby” = 3 “b’s” = is not allowed.
Seriously? It took me four attempts to come up with something I had any chance of remembering long enough just to type it into the confirmation box. It’s as if these people are in the pay of password manager vendors. It’s madness.
A reminder: passwords (or better, passphrases) need to have these characteristics (none of which appear in the list above):
- Memorable to the user
- Not easily guessed by someone who is well-informed about the user
- Different for each system
- Computationally infeasible to crack
That last one is the kicker. Passwords are stored as hashes – the outputs of a one-way mathematical function. What makes your password hard for a hacker to crack, assuming you’ve not used “password123” or a similar commonly-chosen example, is the mathematical complexity of that output. The easiest way to drive up that complexity is to have a long passphrase. So 16-character password limits are idiotic. Yes, Microsoft, I’m looking at you. Mixing cases and adding special characters is only necessary if your length is restricted – otherwise, frankly, more is always more.
“B4rc14ysWTF?” is a strong(-ish) password. But it’s a much weaker password than “Barclays should read my blog.” Really:
Strength: Strong – This password is typically good enough to safely guard sensitive information like financial records.
Entropy: 61.8 bits
Charset Size: 84 characters
Barclays should read my blog.
Strength: Very Strong – More often than not, this level of security is overkill.
Entropy: 147.4 bits
Charset Size: 75 characters
Overkill? I like overkill. Especially when it’s delivered by something I can actually remember, and type correctly the first time.
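To put the policy and the strength figures side by side, here is an added example (my own illustration, not code from the post, from Barclays or from the strength checker quoted above). It implements the six quoted rules as a checker, then estimates entropy two ways: the usual brute-force model (length × log2 of the combined size of the character classes present) and a word-guessing model for passphrases. The class sizes (26/26/10/33, with space counted among the symbols), the 20,000-word vocabulary and the reading of rule 6 as “no character may occur more than twice, case-sensitively” are all assumptions of this example; the checker quoted above uses its own charset sizes and scoring model, so its 61.8 and 147.4 bit figures are not reproduced here. What the example does show is that the policy waves through the short leet-speak password and rejects the far longer passphrase on two counts.

```python
"""Password-policy checker and entropy estimator (added example, not from the post)."""
from __future__ import annotations

import math
import string
from collections import Counter

# Character classes for the brute-force estimate. These sizes are an
# assumption of this example (space is counted as a symbol); the strength
# checker quoted in the post reports its own charset sizes (84 and 75).
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation + " "),  # 33
}

# Vocabulary size for the word-guessing estimate: a constructed assumption
# standing in for the word list an attacker might try.
ASSUMED_VOCABULARY = 20_000


def policy_failures(pw: str) -> list[str]:
    """Return the rules of the quoted policy that `pw` violates (empty = accepted).

    Rule 6 is read as 'no character may occur more than twice', with case
    distinguished, which is what the policy's own examples show ("Bobby"
    allowed, "bobby" not). Any ASCII punctuation counts as 'special'.
    """
    failures = []
    if len(pw) < 8:
        failures.append("minimum 8 characters")
    if not any(c.isupper() for c in pw):
        failures.append("at least 1 upper-case letter")
    if not any(c.islower() for c in pw):
        failures.append("at least 1 lower-case letter")
    if not any(c in string.punctuation for c in pw):
        failures.append("at least 1 special character")
    if not any(c.isdigit() for c in pw):
        failures.append("at least 1 number")
    if max(Counter(pw).values(), default=0) > 2:
        failures.append("no character more than twice (case-sensitive)")
    return failures


def brute_force_bits(pw: str) -> float:
    """Bits of work for an exhaustive search over the character classes present:
    len(pw) * log2(sum of the sizes of the classes that actually appear)."""
    charset = sum(len(members) for members in CLASSES.values()
                  if any(c in members for c in pw))
    return len(pw) * math.log2(charset) if charset else 0.0


def word_bits(phrase: str, vocabulary: int = ASSUMED_VOCABULARY) -> float:
    """Estimate if the attacker guesses whole dictionary words instead of
    characters: words * log2(vocabulary). Punctuation on words is ignored."""
    words = [w.strip(string.punctuation) for w in phrase.split()]
    words = [w for w in words if w]
    return len(words) * math.log2(vocabulary)


def report(pw: str) -> dict:
    """Gather the policy verdict and both estimates for one candidate."""
    return {
        "candidate": pw,
        "length": len(pw),
        "policy_failures": policy_failures(pw),
        "brute_force_bits": round(brute_force_bits(pw), 1),
        "word_model_bits": round(word_bits(pw), 1),
    }


if __name__ == "__main__":
    # The two candidates discussed in the post.
    for candidate in ("B4rc14ysWTF?", "Barclays should read my blog."):
        r = report(candidate)
        verdict = "accepted" if not r["policy_failures"] else "REJECTED"
        print(f"{r['candidate']!r}: {r['length']} chars, policy {verdict}")
        for f in r["policy_failures"]:
            print(f"    fails: {f}")
        print(f"    brute-force model: {r['brute_force_bits']} bits")
        print(f"    word model:        {r['word_model_bits']} bits")
```

Run it as a script and the short password passes every rule, while the passphrase is rejected for lacking a digit and for using the letter “a” (and the space) more than twice. Under the brute-force model the passphrase still comes out well ahead because length multiplies the exponent; the word model is the pessimistic case, where the attacker knows it is made of common words, and is the number worth quoting when arguing for passphrases.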
My colleagues tell me I should try mindfulness to control my anger issues. I think I prefer blogging…