Should You Enforce Password Restrictions?


I dislike password restrictions. Passwords may be a necessary evil, but they’re more repulsive when a perfectly reasonable key is rejected. We’ve all seen “errors” such as:

  • Your password is too short.
  • Your password must contain letters and numbers only.
  • Your password must be between 8 and 10 characters, use letters with at least one in uppercase, and have between one and four numbers. Please close your eyes, face north and recite Shakespeare while typing it.

Then, after you’ve spent 3 hours devising a reasonable password which adheres to the rules, you’re forced to change it again 7 days later.

I can understand banks and Government departments don’t want novices choosing “password” as their secret key, but are users so naive? (OK, don’t answer that.) Actually, “password” could be a reasonable option: do hackers bother trying it? One of the best passwords I ever defined had zero characters — no one ever attempted to enter nothing! (Just to be absolutely clear, this is an anecdote based on real attempts to access a non-essential offline server — I certainly don’t recommend you use blank passwords and few systems would allow it anyway.)

Does your Twitter client, photo gallery or blog comments form really require a password restriction? There are a number of issues with the approach:

  1. It’s an irritation for users — especially those who understand the security implications.
  2. Strict rules provide hackers with a template — they know not to bother trying passwords which are less than 8 characters, more than 12, have no numbers, etc.
  3. The rules make passwords far more difficult to remember — especially if you’re forced to change them regularly. Many users will simply write it down on a post-it note and stick it to their screen.
  4. If you specify what constitutes a “good” password, does it mean you’re partly responsible when a user’s account is compromised?
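To put a number on point 2, here is an added example (my own code, not part of the original post) that counts exactly how many strings satisfy the “8 to 10 characters, letters with at least one in uppercase, one to four numbers” rule quoted above, and compares that with every string of the same lengths over the same 62-symbol alphabet. The rule and the alphabet sizes are the only inputs; the function names are mine. The closed form is first checked against a literal enumeration over a tiny constructed alphabet so it can be trusted before it is applied to the real sizes.

```python
import itertools
from math import comb

def count_compliant(min_len, max_len, n_lower, n_upper, n_digit, min_digits, max_digits):
    """Exact number of strings over an alphabet of n_lower lowercase, n_upper
    uppercase and n_digit digit symbols that satisfy:
      - length between min_len and max_len,
      - between min_digits and max_digits digit positions,
      - every other position is a letter, at least one of them uppercase.
    For a fixed length n and digit count k: choose the k digit positions, fill
    them with any digit, fill the remaining n-k positions with letters, and
    subtract the fillings that contain no uppercase letter at all."""
    total = 0
    n_letters = n_lower + n_upper
    for n in range(min_len, max_len + 1):
        for k in range(min_digits, min(max_digits, n) + 1):
            letter_fillings = n_letters ** (n - k) - n_lower ** (n - k)
            total += comb(n, k) * n_digit ** k * letter_fillings
    return total

def count_unrestricted(min_len, max_len, alphabet_size):
    """Every string of the same lengths over the same alphabet."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))

def brute_force_compliant(lower, upper, digits, min_len, max_len, min_digits, max_digits):
    """Apply the rule literally to every string over a tiny alphabet; used only
    to cross-check the closed form above."""
    alphabet = lower + upper + digits
    count = 0
    for n in range(min_len, max_len + 1):
        for candidate in itertools.product(alphabet, repeat=n):
            n_d = sum(c in digits for c in candidate)
            has_upper = any(c in upper for c in candidate)
            if min_digits <= n_d <= max_digits and has_upper:
                count += 1
    return count

def excluded_fraction():
    """Share of the length-8..10 alphanumeric space that the rule rules out,
    i.e. candidates a guesser who knows the rule never has to try."""
    compliant = count_compliant(8, 10, 26, 26, 10, 1, 4)
    everything = count_unrestricted(8, 10, 62)
    return 1 - compliant / everything

if __name__ == "__main__":
    # Real sizes: 26 lowercase, 26 uppercase, 10 digits, the rule from the post.
    print(f"compliant with the rule : {count_compliant(8, 10, 26, 26, 10, 1, 4):,}")
    print(f"all 8-10 char strings   : {count_unrestricted(8, 10, 62):,}")
    print(f"fraction never tried    : {excluded_fraction():.1%}")
```

The same two functions can be fed any other policy (a different length band, a minimum number of symbols) by adjusting the pool sizes and digit bounds, which makes it easy to see how much of the space a proposed rule actually hands to someone who reads it.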

In my opinion, users should be allowed to choose whatever password they want. You can show a warning message when an easily-broken password is entered but, if they want the letter ‘p’, why not let them use it?

If you can’t trust users to enter a decent password, don’t let them choose one: create a random string and post it to them via email or snail mail.
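As an added illustration of the approach in the two paragraphs above (my own example code, not from the post): an advisory check that rates a password and returns advice without rejecting anything, plus a generator for the random-string alternative. The entropy thresholds, the tiny COMMON_PASSWORDS set and the function names are assumptions chosen for the example; a real deployment would consult a much larger list of known-bad passwords. The same advisory check is what a “show the strength, don’t require it” indicator, as some commenters below describe, would drive.

```python
import math
import secrets
import string

# Constructed stand-in for a real list of commonly used / breached passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "p"}

# Pool used when the user picks the password for them (option from the post).
DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# 32 printable ASCII symbols plus the space character.
SYMBOL_POOL = len(string.punctuation) + 1

def charset_size(password):
    """Size of the smallest standard pool that covers every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += SYMBOL_POOL
    return size

def estimate_bits(password):
    """Optimistic entropy estimate: length * log2(pool). Good enough to rank
    candidates; it over-rates dictionary words and keyboard walks, which is
    why the common-password check runs first."""
    pool = charset_size(password)
    return len(password) * math.log2(pool) if pool else 0.0

def assess(password):
    """Rate a password weak/fair/strong and return advice. Advisory only: the
    caller shows the advice and still accepts whatever the user typed."""
    if password.lower() in COMMON_PASSWORDS:
        return "weak", ["this password appears on common-password lists"]
    bits = estimate_bits(password)
    if bits < 28:
        level = "weak"
    elif bits < 50:
        level = "fair"
    else:
        level = "strong"
    advice = []
    if len(password) < 8:
        advice.append("short passwords fall quickly to exhaustive guessing")
    if charset_size(password) <= 26:
        advice.append("mixing in other character types enlarges the search space")
    return level, advice

def generate_password(length=16, alphabet=DEFAULT_ALPHABET):
    """Random password from the OS CSPRNG, for the 'choose it for them' option."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    for candidate in ["", "p", "abc12345", "correct horse battery staple"]:
        print(repr(candidate), assess(candidate))
    print(generate_password())
```

The point of returning a level plus advice, rather than True/False, is that the form can show a coloured bar and a sentence next to the field while the submit button keeps working.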

Do you use password restrictions on your system? Has it been more or less successful than no restrictions whatsoever?


  • richthegeek

    The zero character password is fine when it’s only a human attempting to get in… machines force-breaking it would get that one in the first attempt!

    My uni’s main password gets changed every 6 months and has these annoying requirements:
    – no dictionary words
    – no keyboard sequences (qwerty etcetera)
    – at least 2 numbers and symbols
    – at least 2 upper case characters
    – no part of your name
    – no reusing previous passwords

    As a result everyone forgets their passwords quickly and takes up the IT dept’s time getting them changed every fortnight.

    Contrast that to the CompSci department’s internal passwording which is basically “whatever you want, but if someone cracks it, on your head be it”.

  • joezim007

    Personally, I think that password restrictions are extremely annoying. I’ve found places that put a maximum of 8 characters for the password. My normal password is 9 characters! I use the same password just about everywhere and I understand the risk, but if it’s a solid password and you don’t tell anyone, what risk is there really? Now, when there are restrictions, there’s an additional password to keep track of. And not only do you have to remember the alternate password, you have to remember which site the alternate password is for.

    I totally agree with the statement that the more restrictions you have, the easier it is to crack. The only type of restriction I would put is that there has to be at least 1 character and if, for whatever odd reason you have, you need to parse the password and a special character can cause troubles, don’t allow that character. Other than that I might also add a max number of characters, but it’d be a HIGH number (not 8).

    Overall good article. I’m glad to hear I’m not the only person who feels this way. :P I just wish you would have done a little more proof reading before you posted it.

  • http://www.aikon.com.ve joaquin_win

    With openID, facebook connect, and others, passwords won’t be that commonplace anymore I guess.
    One of the principles of information security is non-repudiation (http://en.wikipedia.org/wiki/Information_security#Non-repudiation). So sometimes it makes sense to require a password as a means of preventing the user from saying “it wasn’t me”.
    I do think that something very stupid is to set a maximum character count…

  • Insomn3ak

    …Oh my. I find myself wondering…did you really write this Craig, or did someone hack into your account and post this as a joke/warning?! ;)

    Seriously though, it’s important to remember a couple key points about this subject…

    1. When “hackers” are trying to find passwords, they’re not guessing off the top of their head. They’re using automated password cracking software, and the weaker a password is…the less time it takes the software to crack it (especially if they’re using rainbow tables http://en.wikipedia.org/wiki/Rainbow_table). Do they even bother trying “password”? Absolutely. Please don’t use anything silly like that.

    2. Lots of people use the same password for ALL their online activity. If one site is compromised, all their other accounts are at risk too (online bank accounts?)

    3. If the user’s password is hacked, it’s not just a minor irritation for the user…it could potentially risk other users’ accounts as well, and possibly the entire web app. Smart web admins should enforce a strong password policy for their own sanity, and job security.

    I use LastPass.com which creates a 20 character random pass for each website account I have. That way, I only have to remember 1 master password for LastPass to log me into all my accounts. Admittedly, this creates a single point of failure if someone were to get my master password…so…I supplement LastPass with YubiKey which prevents anyone from logging in without the USB touch key.

    Paranoid?…maybe. But google Wireshark, then tell me if you think it’s overkill lol.

    • http://r.je TomB

      For dictionary attacks the easiest way is to enforce a maximum number of attempts per time period (e.g. 10 attempts every 15 mins), this makes it take way too long for any hacker to brute force the password.

      On topic: because of silly restrictions like these I made a script which generates a password with random letters/numbers/symbols based on an input key (the actual “password” I’d type in), rather than having to remember a silly password. It puts it in my clipboard for 30 seconds. Not 100% secure but better than trying to remember arbitrary passwords.
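The attempt limit TomB describes (10 attempts every 15 minutes), as an added example that is not part of the comment or of any project: a sliding-window counter of failed logins keyed by account name, driven by a constructed sequence of login events. The class and function names are mine; the limit and the window are the figures from the comment. Timestamps are passed in explicitly so the behaviour can be checked without waiting.

```python
from collections import defaultdict, deque

class AttemptLimiter:
    """Sliding-window limit on failed login attempts per key (account name,
    client address, or a combination). Defaults follow the "10 attempts every
    15 minutes" figure from the comment above."""

    def __init__(self, max_attempts=10, window_seconds=900):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._failures = defaultdict(deque)   # key -> timestamps of failures

    def _prune(self, key, now):
        """Drop failures that have aged out of the window; return the rest."""
        q = self._failures[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def allowed(self, key, now):
        """May this key make another attempt right now?"""
        return len(self._prune(key, now)) < self.max_attempts

    def record_failure(self, key, now):
        self._prune(key, now).append(now)

    def reset(self, key):
        """Clear the counter after a successful login."""
        self._failures.pop(key, None)

    def retry_after(self, key, now):
        """Seconds until the oldest in-window failure expires (0 if not locked)."""
        q = self._prune(key, now)
        if len(q) < self.max_attempts:
            return 0
        return self.window - (now - q[0])

def simulate(limiter, events):
    """events: (timestamp, key, password_was_correct). Returns one outcome per
    event: 'locked' (refused without checking), 'failed' or 'success'."""
    outcomes = []
    for ts, key, ok in events:
        if not limiter.allowed(key, ts):
            outcomes.append("locked")
            continue
        if ok:
            limiter.reset(key)
            outcomes.append("success")
        else:
            limiter.record_failure(key, ts)
            outcomes.append("failed")
    return outcomes

# Constructed sample: eleven wrong guesses one second apart, then the right
# password exactly 15 minutes after the first failure.
SAMPLE_EVENTS = [(t, "alice", False) for t in range(11)] + [(900, "alice", True)]

if __name__ == "__main__":
    print(simulate(AttemptLimiter(), SAMPLE_EVENTS))
    # ['failed', ..., 'failed', 'locked', 'success']
```

Two caveats worth keeping in mind: a counter keyed only on the account lets anyone lock a legitimate user out by guessing wrongly on purpose, and a counter keyed only on the client address is sidestepped by guesses spread across many addresses. Keying on both, and returning the same generic error whether the account is locked or the password wrong, avoids the worst of each.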

  • tiggsy

    I find it very annoying when there are restrictions. I’ve developed a set of passwords for different requirements, but still there are some sites that won’t fit any of them, so I end up with an impossible to remember password. I generally don’t bother going back.

  • rozner

    I think passwords should have a minimum length restriction, otherwise I find the others pretty annoying. Things like:
    must have a special character
    cannot start with a number
    must have one number
    must have upper and lowercase letters

    People end up forgetting passwords and having to get them reset all the time which is annoying. And with the reset they tell you, “you can’t use that password since it was already used”. Very annoying.

  • jackbenimble4

    I hate password restrictions. More than once I’ve turned away from a site rather than craft a password that meets ridiculously stringent requirements.

  • http://logicearth.wordpress.com logic_earth

    If you are storing passwords correctly, hashing them is always a good idea. It won’t matter how long or what the password contains it will translate to the same length and Hexadecimal output.

    I use LastPass to handle generating complex passwords and storing them, I assume in the cloud. Lets me have my password manager on all my computers and I don’t have to remember them. So ya I hate password restriction in terms of max length.

  • PeteW

    Quite mindboggling. Have you ever tried leaving all your doors and windows open to see if it confuses burglars? Passwords are vital to protect sensitive data (read: anything that would aid criminal hackers to rip you off), and an easily-cracked password creates only a false sense of security. Few people know what constitutes ‘easily-cracked’ so we have to enforce password restrictions to educate them. That is not as annoying as having your bank account cleared out.

    • http://www.optimalworks.net/ Craig Buckler

      I don’t think that metaphor’s quite the same. Password restrictions are more like saying you must have locks on all doors and windows, each requiring a different type of key and a different turning ‘method’.

      No one’s saying that passwords and other forms of authorization aren’t essential. What I object to is silly restrictions, especially when placed on non-essential systems. Banks and government sites are a possible exception, but these often use additional methods of authentication and do not necessarily rely on “strong” passwords.

      If you can’t trust users to enter a decent password, don’t let them do it (that’s certainly the case with some government tax sites I use).

      • PeteW

        No, the metaphor is quite accurate. One password almost always guards all entry points to (at least) one site. Doors and windows are entry points to one site. A blank password = leaving all entry points wide open. The Web is not one site.
        I’ve never seen a ‘silly’ password restriction, perhaps with the exception of the maximum password length. Nor have I seen them used to protect information that couldn’t be abused by criminals – because almost any personal information can be. Security specialists know what constitutes a weak password, average users – and apparently, you – don’t. When unfamiliar tech benefits people, they call it ‘magic’; when it annoys them, they call it ‘silly’. Neither are informed points of view, and neither will help anyone “become a better developer.” So I’m quite shocked to see this on SitePoint at all, opinion piece or not. “Being controversial to encourage comments” is just tabloid journalism, not educational.
        On your last point, passwords are the only cost-effective option for many site owners. Hopefully, the tax sites you refer to have other modes of authentication in place; the equivalent in such cases is often to specify a secure password, and not to allow that to alter. That’s such a strong restriction that most folks just accept it. It’s certainly not the same as allowing blank passwords or predictable non-passwords like “password”.
        These restrictions will only get tougher, as computers become more powerful and more adept at cracking more sophisticated passwords. OpenID etc. are only slightly more sophisticated than the “putting all one’s eggs into one basket” one-password approach. I’d like to see a discussion of cost-effective alternatives to passwords, but may I suggest you read something like Chris Shiflett’s excellent “Essential PHP Security” before making any more frankly unhelpful suggestions?
        Sorry to be so blunt, BTW – but it’s important to get this stuff right. In security, convenience to the user is usually ten times as convenient to the criminal hacker. No one needs prompting to dislike password restrictions – but the determination of criminals determines how much security is needed, not developers with time on their hands.

      • http://www.optimalworks.net/ Craig Buckler

        Again, I’m not saying passwords are not necessary. Nor am I suggesting that blank passwords should be accepted or the user shouldn’t receive a warning when using ‘easy’ passwords. Isn’t it better to passively educate users than make them jump through hoops?

        If strong security is vital for blog comment forms, Flickr, Twitter, etc, why do some sites implement maximum lengths? If the user wants a highly-secure password that’s longer than “War & Peace”, why not let them enter it?

        Ultimately, no restrictions is far more secure than arbitrary rules.

      • PeteW

        Saying that ‘one of the best passwords’ you ever used was blank strongly implied support for blank passwords. If that wasn’t intentional, fair enough – those who only read the post may still get that impression, though.
        Educating users passively would be ideal, but as new users join the web every day, it’s just not possible. Many will not even read advice next to a ‘choose password’ field before typing in their birthday, house name or somesuch. That’s how even those ‘nonessential’ bits of a profile become useful to crackers, and why they need to be adequately protected. In any case, fostering resentment about password restrictions and publicly querying why they’re needed without even reading about them doesn’t do much to passively educate users to use strong passwords.
        The rules used to assess password strength are in no way ‘arbitrary’. Far from it. Nor are they complex. Most of it is aimed at preventing brute-force attacks (using permutations), dictionary attacks (avoiding common patterns) and (sometimes) still allowing passwords to be memorable.
        Longer passwords are harder to crack by brute force, so yes, maximum password lengths go against basic security advice. However, whilst the implicit strength of a decent 8-character password far outstrips that of a 9-character one, a decent 20-character password is so secure that another letter has little security impact. That’s when things like storage limits and the character limits of underlying encryption algorithms can take precedence.
        Again, I’m sorry to be blunt, but your suggestion that “no restrictions is far more secure” is nonsense. “Can be,” perhaps – assuming an environment in which you could successfully educate every user – of which I can’t think of a single example. Users are people, many people just won’t learn, nor will they accept that having their identity stolen is their fault because they used a simple password. Certainly they should, but if you tell them so, they’ll just go away and grumble that you were unhelpful, and tell themselves that it’s your fault because you let them use a poor password. It’s not logical, but it’s what happens. Developers have a duty to protect their clients from such bad press, by protecting their site visitors from themselves.
        Further to that, developers have a duty to protect visitors from other site visitors, too. Try telling customers that their accounts were accessed not because they chose a poor password, but because someone else did, and that allowed crackers in far enough to exploit flaws that gave them elevated privileges. Many would just see that as an attempt to shift blame, and again, would say that you shouldn’t have allowed such weak passwords.
        Password restrictions may be irritating, but they’re the lesser of many evils. Really, read Shiflett – 100 pages of best-practice. It’ll save me trying to explain it all here. :-)

      • Insomn3ak

        “If strong security is vital for blog comment forms, Flickr, Twitter, etc, why do some sites implement maximum lengths?”

        The only reason I can think to have a MAXIMUM password length would be for compatibility on legacy web-servers. However, if the password is being hashed correctly in the DB, a long length shouldn’t matter.

        There’s really no excuse in this day-and-age to have a max password length, and I cringe every-time I see it.
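To make concrete the point logic_earth and Insomn3ak make above, that a correctly hashed password yields a fixed-size value whatever its length, here is an added example (my own code, not from the thread) using PBKDF2-HMAC-SHA256 from Python’s standard library with a fresh random salt per password. The record format, the iteration count and the function names are my assumptions.

```python
import hashlib
import hmac
import secrets

# Assumed parameters: PBKDF2-HMAC-SHA256, 16-byte random salt. The iteration
# count is a cost knob; raise it as hardware gets faster.
ITERATIONS = 600_000
SALT_BYTES = 16

def hash_password(password, salt=None, iterations=ITERATIONS):
    """Derive a 32-byte digest and return a self-describing record
    'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'. A password of one
    letter and a whole sentence produce records of identical length."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password, record):
    """Recompute with the stored salt and iteration count; constant-time compare
    so the comparison itself leaks nothing about where the mismatch is."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def digest_bytes(record):
    """Length of the stored digest in bytes, independent of the input length."""
    return len(bytes.fromhex(record.split("$")[3]))

if __name__ == "__main__":
    short = hash_password("p")
    long_ = hash_password("The Lord of the Rings Book 3: The Return of the King")
    print(digest_bytes(short), digest_bytes(long_))             # 32 32
    print(verify_password("p", short), verify_password("q", short))  # True False
```

Storing the salt and iteration count inside the record lets you raise the cost later without re-hashing everything at once, and because the stored value is the same size for any input, a maximum password length has no storage justification once hashing is in place.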

  • http://www.clerkendweller.com/ Clerkendweller

    There were a couple of recent research papers on how password policies might be being selected, and how other aspects (e.g. storage, recovery mechanisms, protection in transit) contribute as much to the security of individual accounts. Summary and links at:

    http://www.clerkendweller.com/2010/7/30/Economics-of-Website-Users-Passwords

  • http://www.yacare.fr McBenny

    Yes, password restrictions are annoying, as passwords by the way. But if the site requests passwords and a certain type of password, it’s their concern: they estimate they need this to provide security to either their users AND their system. Whether it’s accurate is not the point.
    If you can’t stand those secured doors in front of your bank office, you do agree that it may be necessary to avoid hold-ups. Some of those doors are “comfortable”, some others have cameras, little space, ask you to press several buttons and so on… because the security manager thinks it’s necessary. As a customer you don’t know what the threat is, so you shall not estimate that their protection is “too much”. It’s needed. If it annoys you, go somewhere else.
    Maybe we could have exactly the same password policy everywhere, that would be simpler and no more annoying as it would be the same everywhere. But wouldn’t it be simpler to crack too?

  • @developish

    In my opinion, the only sensible password restriction is a minimum length.

    A lot of web services could do without a password requirement at all. For example, I’m not really concerned about the security of my Pandora account. There’s literally nothing valuable there to steal. A password (and a minimum password length) is only necessary to protect data that needs to be protected. As a developer and server administrator, I’m the kind of guy who disables passwords and uses encrypted key pairs instead. On the other hand, I went months before I set a password on my Instapaper account.

  • Khurt

    I’m glad PeteW said something. This was the most ignorant article about passwords I have ever read. And yes, it’s okay to write down your passwords. Just make sure you secure the paper.

  • http://www.jeepstone.co.uk petersen

    There seems to be a feeling that making your users jump through hoops drives them away. Whilst I comprehend that some people are put off when a site requires 8 chars plus numbers/symbols, these are the same people who are at risk when something like http://www.dailymail.co.uk/news/article-1218272/Microsoft-Hotmail-accounts-hacked-posted-online.html happens.

    You can’t have it both ways, and prompting the user to be secure is exactly what we should be doing to improve the situation.

    On a personal point, I use Lastpass and always generate unique passwords for each site, but this isn’t ideal for my grandparents etc.

    • Insomn3ak

      Yeah I would agree that LastPass is great, but it has some usability issues that keep me from recommending it to the non-geeky types like family and friends. Hopefully as it gets more mature, it will get smarter and easier so the average joe will use it.

  • config

    I think it’s a matter of applying restrictions where appropriate.

    If you’re talking access with admin privs or visibility to sensitive information, then I see nothing wrong with demanding minimum of 8 chars, must contain mixed case and numerics, not offer a “stay logged in” option and force a password change periodically.

    However, if the worst that could happen is a bit of mischief, then I’m with you Craig – let ‘em go wild in their brevity. Just make sure they know it’s not a great idea and that it’s their responsibility.

  • http://lachy.id.au/ lachlanhunt

    One of my banks has a password restriction preventing me from using symbol characters, like @$%*, etc, and another has a maximum length. They’re the most stupid restriction ever, because I’m prevented from using more secure passwords.

  • http://www.dmgx.com Michael Morris

    My main gripe with passwords is that every system out there does the ****** business. That’s fine for short passwords, but when you move to passphrases it becomes a pain in the tush.

    I mean, what’s the point of ****** anyway? So someone won’t read over your shoulder?? Outside of an ATM when is that ever really a concern?

    And yes, I know that’s a browser thing to set the password input fields to ***** but I’ve been tempted to use normal text fields on a password entry. After all, which is more secure?

    okwl1i$5

    or

    The Lord of the Rings Book 3: The Return of the King

    I’d venture that they are equally secure, but the second is a Hell of a lot easier to memorize. Good luck typing it with *************** though.

    It’s just an example where a “security” feature prevents real security. Passphrases use mnemonics to prevent users from resorting to stickying passwords to monitor screens. Further they can be memorized by a human being while being devilishly hard to crack.

  • Darrell

    There is convenience or there is security. One comes at the expense of the other. This is as true for a website as it is for an airport. Everybody will complain in either case. And I’d rather get a flame mail from a pissed-off user than a letter from their lawyer.

    I’ll bet anything you like that the author, who thinks it was a great idea to set a password as “”, would be the first to sue if his sensitive data were compromised as a result. I can see him now, sitting in court looking at the developer sternly while his lawyer shouted, “Why in the name of God did you allow my client to use an empty password? WHAT WERE YOU THINKING??”

  • Michel Merlin

    Site should SHOW, not require, PWD strength
    ~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~
    What a PWD needs, is to be hard to guess. The more restrictions the site puts onto the invention and variation from the user, the smaller the field of invention, the easier the PWD breaking. For instance, if the web continues as now, in a few years every site will be requiring a “strong” PWD, all with the same rules (say: at least one Uppercase; one digit; one punctuation); at that time the strongest PWD will be the one no hacker will try: plain lowercase alpha!

    So if a site has an idea about what PWD is strong or weak, it should just show it, e.g. “strong” (if all rules complied); “average” (2 rules); “weak” (1); “very weak” (0 rule); “dangerously weak” (e.g. if the PWD length is zero). Some sites are already doing this, in a pleasant and efficient manner, showing the degree with the length and color of a bar.

    Meanwhile the user should remain totally free (hence responsible) for the choice of his PWD.

    Versailles, Thu 12 Aug 2010 19:22:20 +0200

  • Insomn3ak

    I re-read this post again, and I feel compelled to specifically address some of the authors points…

    “We’ve all seen ‘errors’ such as: Your password is too short. Your password must contain letters and numbers only. Your password must be between 8 and 10 characters…”

    This is a usability mistake that many sites make. All requirements for a password should be clearly spelled out before the user hits the submit button.

    “Then, after you’ve spent 3 hours devising a reasonable password which adheres to the rules, you’re forced to change it again 7 days later.”

    Hmm, I’ve never encountered a website that required me to change my password over time. It’s well known that this would be too cumbersome and frustrating for users to deal with. On internal systems, yes that’s best practice…but not online.

    “One of the best passwords I ever defined had zero characters — no one ever attempted to enter nothing!”

    …and how do you know your account was never compromised? Just because nothing was changed or vandalized, doesn’t mean it was never accessed by a third party. In fact, if that account was on the open internet, it almost certainly would have been accessed by a bot at some point.

    “Strict rules provide hackers with a template — they know not to bother trying passwords which are less than 8 characters, more than 12, have no numbers, etc.”

    Get rid of the misconception that “hackers” are sitting behind a computer in a dark room trying to break into accounts. The reality is that automated software is run by someone, and left to do its thing. The so-called hackers go about their daily lives as normal, and review a daily report to see what the program found. They might even get a text message when it finds something. It’s no “bother” for a computer to try combinations. It just takes longer when the password is more complex.

    “Many users will simply write it down on a post-it note and stick it to their screen.”

    That’s FAR safer than using a weak password. Think about it…someone has to PHYSICALLY see the post-it note in order to get your password. The amount of people who can access your data is exponentially more than those who have physical access to your desk.

    “…if they want the letter ‘p’, why not let them use it?”

    Because ‘p’ will be cracked in like 2 seconds.

    “…create a random string and post it to them via email or snail mail.”

    Most users don’t use encrypted email, so passwords should NEVER be sent in emails. Best practice is to have them reset the password, so only they know what password they’ve used (even the web master or IT guys won’t know…assuming the password is stored in an encrypted hash within the DB).

  • http://codefisher.org/ codefisher

    Personally I think that accounts on the web are over used, let alone requiring hard passwords. I think the web would be a better place if fewer sites wanted them, then I can remember better passwords for the few important sites that actually do need them.

    For the record I allow guest posting on my forums, and then just use a good spam filter.

  • oeyvind

    Tip: If you have the password “secret” and you’re asked to change it, change it to “secret1”. Next time change it to “secret2” etc.

  • JWaterworth

    As previous posters have said, rules that prevent you from choosing strong passwords are really dumb – maximum length, no punctuation characters, etc.

    My favourite (?) was a system that used a tool to generate easy to remember initial passwords made up of a word, a punctuation symbol and another word … but then required all passwords to match the pattern of the passwords produced by the tool. So anyone who used another tool or their own mental pattern was screwed.

    I also think the “it’s your own fault if you choose a weak password” defence doesn’t stand up well. For many companies the bad PR from frequently hijacked accounts would be unacceptable.

    But let’s be careful. For an e-commerce site a hard to use identity and security system would clearly be a considerable competitive disadvantage.

    And as other posters have suggested, the effectiveness of a security policy or mechanism is strongly influenced by its usability. If it’s easy to follow it gets done. If it’s hard people put the key under the mat. And

    For example, forcing users to change their password(s) regularly can make a system less secure. Faced with frequent changes lots of users forget their passwords (and security questions) and require assisted password resets. Eventually, under pressure from a disgruntled business, admins are forced to relax the password rules and ‘streamline’ the password reset procedure opening up the system to social engineering attacks.

    Similarly with allowing too few attempts. Users who choose longer and more complex passwords and have different passwords for different systems make more mistakes entering passwords. Frightening them with ‘you have 1 more attempt’ teaches them to use one short and simple password for all systems, just like most of their colleagues do.

    So yes, have strength rules. But make them flexible enough to accommodate many different patterns, give the user a visual indication of the strength to encourage and reward, and give them a reasonable number of attempts.

    Finally a note about paper. We are becoming increasingly mobile and access systems from different devices in different locations. So writing down means writing down and carrying. That sticky note with the passwords on is stuck to the laptop in the bag you left at Starbucks.

    John

  • MOH

    My other half recently set up an online banking for a business account with an Irish bank. Login requires not one but two passwords, both of which are subject to a number of restrictions, including that they have to be exactly 8 characters long.
    Forcing an exact number of characters is probably the daftest restriction I’ve seen.
    Although no characters allowed in the same position as previous password is another – I know it’s to stop secret1, secret2, etc, but something like no 3 characters in the same position would be a lot more reasonable.