Jeff Atwood, the founder of the well-known site Stack Overflow, has published on his blog a detailed open letter addressed to all developers without exception. Atwood gave his tirade a lucid and succinct title: "Password rules are bad".
Atwood writes that modern passwords suffer from many different problems, but the chief among them is the terrible rules imposed on those passwords. So as not to be unfounded, he gives several vivid examples and even links to two Tumblr blogs (1 and 2) whose main theme is odd password requirements.
Atwood explains that password requirements often go beyond the bounds of common sense and simply do not allow the use of a generator that produces truly reliable, random passwords: according to the rules, such a randomly generated password may not contain enough digits, or special symbols, or certain letters. In the end the user is forced to create a short, simple combination by hand, because automation fails. According to the expert, such rules only hurt and worsen an already unfavourable situation. As Atwood puts it:
"These days, given the power of cloud computing and GPU-based cracking of password hashes, having any password of eight characters or less is almost the same as not having a password at all."
The expert devotes a large part of the text to password length in general, explaining that these days passwords must be at least ten characters long. Even looking at the list of the 25 worst passwords in use, only five of them are longer than ten characters. Calling all long passwords reliable is, of course, also a mistake, because "passwordpassword" or "0123456789012345689" can hardly be considered passwords.
Thus Atwood brings the reader to the main point of his post: "Seriously, for God's sake, stop with these heh*it, arbitrary password composition rules. If you don't believe me, read the official NIST recommendations of 2016 regarding passwords. It's all there: 'no password composition rules'. However, here I see one error: it should say 'no heh*oriented password composition rules'."
Further, the developer lists methods of strengthening passwords that really work and can be useful. For example, he often advises allowing Unicode, since this can significantly lengthen and complicate a password. Atwood also urges developers to check the entropy of passwords and to explain to users in an understandable way why a password such as "aaaaaaaaaa" is bad despite its length. In addition, he recommends that developers consult dictionaries and leaked-password databases more often, simply forbidding users to use the simplest and most common passwords. Passwords that coincide with the user name or email address should also be prohibited (the same principle applies to the URL, domain and name of the application for which the password is being created). As an illustration of his words, the researcher gives simple and very telling statistics:
- 1.6% of users have a password from among the worst 10;
- 4.4% of users have a password from among the worst 100;
- 9.7% of users have a password from among the worst 500;
- 13.2% of users have a password from among the worst 1,000;
- 30% of users have a password from among the worst 10,000.
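The checks Atwood recommends in place of composition rules (minimum length of ten, a blocklist of common or leaked passwords, an entropy estimate that catches "aaaaaaaaaa", and rejection of passwords built from the user name, email or application name) combined into one validator. This is an added example, not code from Atwood's post or from Stack Overflow; the blocklist is a constructed stand-in for a real leak database, and the entropy threshold is an assumed heuristic.

```python
import math
from collections import Counter

# Constructed sample blocklist standing in for a leaked-password database.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "111111",
    "passwordpassword", "0123456789012345689",
}
MIN_LENGTH = 10          # minimum length the article recommends
MIN_ENTROPY_BITS = 16.0  # assumed threshold (heuristic), not from the article


def estimate_entropy_bits(password: str) -> float:
    """Shannon entropy of the character distribution, scaled by length.
    Repetitive strings such as 'aaaaaaaaaa' score 0 regardless of length."""
    n = len(password)
    if n == 0:
        return 0.0
    counts = Counter(password)
    per_char = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return per_char * n


def check_password(password: str, username: str = "", email: str = "",
                   app_name: str = "") -> list:
    """Return a list of rejection reasons; an empty list means accepted."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("appears in the common/leaked password list")
    if estimate_entropy_bits(password) < MIN_ENTROPY_BITS:
        reasons.append("too repetitive (low entropy)")
    # Reject passwords that contain, or are contained in, identifying
    # context: user name, email, email local part, application name.
    lowered = password.lower()
    context = [username, email, email.split("@")[0], app_name]
    for item in context:
        item = item.lower()
        if len(item) >= 4 and (item in lowered or lowered in item):
            reasons.append(f"contains or matches account/app identifier {item!r}")
            break
    return reasons


if __name__ == "__main__":
    for pw in ["aaaaaaaaaa", "passwordpassword", "alice2024wow", "pR7#kq2Lm9vX"]:
        print(pw, "->", check_password(pw, username="alice") or "accepted")
```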