
posted by Fnord666 on Tuesday July 17 2018, @06:24PM
from the correct-horse-battery-staple dept.

More than a decade after first examining the issue, research by the University of Plymouth has shown most of the top 10 English-speaking websites offer little or no advice or guidance on creating passwords that are less likely to be hacked.

Some still allow people to use the word 'password', while others will allow single-character passwords and basic words including a person's surname or a repeat of their user identity.

Professor of Information Security Steve Furnell conducted the research, having carried out similar assessments in 2007, 2011 and 2014.

Have password restrictions ever helped?



  • (Score: 3, Interesting) by nobu_the_bard on Tuesday July 17 2018, @06:34PM (17 children)

    by nobu_the_bard (6373) on Tuesday July 17 2018, @06:34PM (#708458)

    One of my banks still requires between 8 and 12 characters in the password, only uppercase/lowercase/numbers, no symbols or spaces. When they started that like 15 years ago, it was very proactive of them (compared to others). Now it seems absurdly underdone. I have passwords twice the length with symbols not even on the keyboard for the local credit union!

    • (Score: 0) by Anonymous Coward on Tuesday July 17 2018, @06:47PM (8 children)

      by Anonymous Coward on Tuesday July 17 2018, @06:47PM (#708463)

      so why is it still ur bank
      its totes obvs they dont consider the security of ur money a priority

      • (Score: 2) by Snow on Tuesday July 17 2018, @07:02PM (6 children)

        by Snow (1601) on Tuesday July 17 2018, @07:02PM (#708467) Journal

        The password is just a secondary authentication.

        The real authentication happens by logging in from a known computer and doing 'normal' things. If you connect using a strange computer, you get asked super-secret authentication questions like "What was your favourite pizza place in 1994?" "Where did you meet your wife?", etc. Those super-secret questions are the real 'password'.

        Banks can also claw back money for days after it has been transferred which minimizes risk further.

        • (Score: 2) by SomeGuy on Tuesday July 17 2018, @07:34PM (5 children)

          by SomeGuy (5632) on Tuesday July 17 2018, @07:34PM (#708478)

          super-secret and already known to those that mine social media, websites, and other public/private info about you.

          Unless you are the one in a billion tin-foil hatters whose favorite pizza place in 1994 was 3T%Zb%Y+Qs*8cSd9 and met his wife at B:fBwB2`LB]hz"8J

          • (Score: 5, Funny) by bob_super on Tuesday July 17 2018, @07:45PM

            by bob_super (1357) on Tuesday July 17 2018, @07:45PM (#708483)

            > Unless you are the one in a billion tin-foil hatters whose favorite pizza place in 1994 was 3T%Zb%Y+Qs*8cSd9 and met his wife at B:fBwB2`LB]hz"8J

            Really ? Really ?
            Fuck, gotta go change my security questions. Thanks for spilling the beans, SomeGuy !

          • (Score: 2) by edIII on Tuesday July 17 2018, @08:14PM (1 child)

            by edIII (791) on Tuesday July 17 2018, @08:14PM (#708496)

            I'm one of them. I've always recommended to family members that they treat those like a password and *never* enter a correct answer. Usually there are three questions, so I recommend a password rearranged three times. That way you have a 1/3rd chance of getting it right without having to use a password manager or anything.

            Regardless of the questions, the password is AppleBee45Squirrel, Squirrel45AppleBee, or 45AppleBeeSquirrel. Still sufficiently strong as a password, reversible, and has nothing to do with the questions.

            I actually prefer that over two-factor authentication which is complete and utter bullshit. That's why there is such a rise in Porting attacks to take over people's cell numbers. I don't want to authenticate with Google anything either, and not every website supports something like a Yubikey [yubico.com] yet.

            --
            Technically, lunchtime is at any moment. It's just a wave function.
            • (Score: 2) by legont on Wednesday July 18 2018, @12:59AM

              by legont (4179) on Wednesday July 18 2018, @12:59AM (#708599)

              Some suckers ask two questions and want them both correct. However, your idea is good, thank you.

              I personally use a private password generator with two seeds - master one and one related to the name of the target. This way I don't have to store passwords and they are sufficiently difficult. Works fine except the algorithm can't fit sometimes opposite requirements.

              --
              "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
          • (Score: 1, Insightful) by Anonymous Coward on Tuesday July 17 2018, @08:16PM (1 child)

            by Anonymous Coward on Tuesday July 17 2018, @08:16PM (#708498)

            Nobody goes to 3T%Zb%Y+Qs*8cSd9 any more. It's too crowded.

      • (Score: 2) by nobu_the_bard on Tuesday July 17 2018, @08:33PM

        by nobu_the_bard (6373) on Tuesday July 17 2018, @08:33PM (#708505)

        Fair concern, but actually I'm stuck in a contract with them through 2020 for some things. Won't bore you with the details.

        I think the credit union will have an app for phones to do deposits inside the next year, so I'll probably start using them more. They've never jerked me around so much.

    • (Score: 2) by urza9814 on Tuesday July 17 2018, @06:56PM

      by urza9814 (3954) on Tuesday July 17 2018, @06:56PM (#708466) Journal

      Could be worse. Like the AIX servers we've got at my office...although I think those have finally been fixed, but only about a year ago.

      They had all these rules...capitals and lowercase, numbers, symbols, at least 8 characters, no reuse, changed every month, etc. Except it turns out it has to be *exactly* 8 characters -- less than 8, your password gets denied. More than 8, and it gets silently truncated. Which meant that you could "use" a 20 character password just fine, as long as you had all the symbols/numbers/etc within the first eight. Then your password expires, so you make a new one, and it keeps telling you the password is already used because the first eight chars are the same, even if you changed all of the rest. I was working here for two or three years before I finally figured out that my passwords weren't actually what I thought they were...
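
The silent-truncation failure urza9814 describes is worth seeing side by side with a proper check. The block below is an added example, not code from the thread or from AIX: it models a legacy check that only ever looks at the first 8 characters (the behaviour the comment describes), then shows a hardened check that hashes the full password with a per-user salt and a slow KDF. The password strings are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

# Constructed model of the legacy behaviour described above: the system
# silently truncates the password to 8 characters before hashing, so any
# two passwords sharing their first 8 characters are indistinguishable.
LEGACY_LIMIT = 8


def legacy_digest(password: str) -> str:
    """Hash of only the first LEGACY_LIMIT characters (the defect, on purpose)."""
    truncated = password[:LEGACY_LIMIT]
    return hashlib.sha256(truncated.encode()).hexdigest()


def legacy_is_reused(new_password: str, history: List[str]) -> bool:
    """'Password already used' as the legacy system would compute it."""
    return legacy_digest(new_password) in history


def legacy_login_accepts(stored_digest: str, attempt: str) -> bool:
    """Login check on the truncated model: an 8-character prefix is enough."""
    return hmac.compare_digest(legacy_digest(attempt), stored_digest)


# Hardened version: full-length password, random per-user salt, slow KDF
# (scrypt from the standard library; parameters are illustrative).
def modern_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def modern_verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the recomputed digest against the stored one."""
    return hmac.compare_digest(modern_hash(password, salt)[1], digest)


def demo() -> Tuple[bool, bool, bool, bool]:
    """Returns (legacy flags rotation as reuse, legacy accepts 8-char prefix,
    modern accepts old password, modern accepts rotated password)."""
    old = "Tr0ub4d!r-summer-2018"          # constructed sample
    new = "Tr0ub4d!r-winter-2019"          # differs only after the 8th character
    history = [legacy_digest(old)]

    legacy_reused = legacy_is_reused(new, history)             # True: same first 8 chars
    legacy_prefix_ok = legacy_login_accepts(history[0], old[:8])  # True: prefix alone logs in

    salt, digest = modern_hash(old)
    modern_old_ok = modern_verify(old, salt, digest)           # True
    modern_new_ok = modern_verify(new, salt, digest)           # False: full string compared
    return legacy_reused, legacy_prefix_ok, modern_old_ok, modern_new_ok


if __name__ == "__main__":
    print(demo())
```

The point of the comparison is that the truncating check does not just weaken the password; it also breaks the "no reuse" rule in a confusing way, because two passwords the user considers different are the same password to the system.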

    • (Score: 0) by Anonymous Coward on Tuesday July 17 2018, @07:17PM

      by Anonymous Coward on Tuesday July 17 2018, @07:17PM (#708473)

      > One of my banks still requires between 8 and 12 characters in the password, only uppercase/lowercase/numbers, no symbols or spaces.

      Wait, so I couldn't use my password (hunter2) to log into your bank?

    • (Score: 2) by bob_super on Tuesday July 17 2018, @07:51PM (1 child)

      by bob_super (1357) on Tuesday July 17 2018, @07:51PM (#708485)

      Citibank requires a "special character" and a number, but the actual letters are not case-sensitive ...
      Someone must have decided that the additional security was not worth the "call because caps lock" stats.

      • (Score: 0) by Anonymous Coward on Wednesday July 18 2018, @01:24AM

        by Anonymous Coward on Wednesday July 18 2018, @01:24AM (#708607)

        Fun fact, my bank used to be special character insensitive. If you typed a "5" instead of a "%" or a "/" instead of a "?" it would accept it anyway. Unlike case-insensitivity, that had to have taken a monumental bit of effort to code around people being bad typists.

    • (Score: 3, Funny) by NewNic on Tuesday July 17 2018, @08:19PM (3 children)

      by NewNic (6420) on Tuesday July 17 2018, @08:19PM (#708499) Journal

      Banks!

      My bank actually sent me an email that was indistinguishable from a phishing email. The email included an obscured link (a URL shortener). It did not come directly from the bank (it came from an outsourced email service). It didn't have my real name in the "To:" field. There was no way to tell by looking at the email (including the headers) if it was legitimate.

      They did not respond when I forwarded it to the email address they set up to report phishing: perhaps because I told them that they were stupid to send out an email that looked just like a phishing attempt.

      --
      lib·er·tar·i·an·ism ˌlibərˈterēənizəm/ noun: Magical thinking that useful idiots mistake for serious political theory
      • (Score: 2) by NewNic on Tuesday July 17 2018, @08:22PM

        by NewNic (6420) on Tuesday July 17 2018, @08:22PM (#708501) Journal

        I should add that this bank also uses certain characters of the password (eg. 1st, 3rd, 6th) to log on. This means that they have stored my password in a fashion that allows for recovery of the full text.

        On the other hand, they use 2FA for any money transfers. They provide a card reader, which can read chip-enabled cards.

        --
        lib·er·tar·i·an·ism ˌlibərˈterēənizəm/ noun: Magical thinking that useful idiots mistake for serious political theory
      • (Score: 2) by FatPhil on Wednesday July 18 2018, @08:10AM (1 child)

        by FatPhil (863) on Wednesday July 18 2018, @08:10AM (#708705)
        That depth of utter stupidity has to be Barclays.
        --
        Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
        • (Score: 2) by NewNic on Wednesday July 18 2018, @07:49PM

          by NewNic (6420) on Wednesday July 18 2018, @07:49PM (#708965) Journal

          Right country. Wrong bank. NatWest.

          --
          lib·er·tar·i·an·ism ˌlibərˈterēənizəm/ noun: Magical thinking that useful idiots mistake for serious political theory
  • (Score: 1, Informative) by Anonymous Coward on Tuesday July 17 2018, @07:08PM (1 child)

    by Anonymous Coward on Tuesday July 17 2018, @07:08PM (#708469)

    ...a full range dictionary attack to be performed without noticing the traffic spike that's not a problem with the password policy.

    • (Score: 2) by urza9814 on Tuesday July 17 2018, @07:14PM

      by urza9814 (3954) on Tuesday July 17 2018, @07:14PM (#708471) Journal

      Such attacks are often conducted offline. Still indicates a problem with other security (i.e., someone let the hashed passwords get out), but a good password policy provides an additional layer of defense.

  • (Score: 1, Insightful) by Anonymous Coward on Tuesday July 17 2018, @07:25PM

    by Anonymous Coward on Tuesday July 17 2018, @07:25PM (#708476)

    If you think users should have passwords that are stronger than what users will pick, then assign them.

    dd if=/dev/urandom bs=1c count=12|base64

    96 bits of randomness there. Let the user keep it in a password manager or whatever.

    Bank password policies are a mix of CYA cargo cult procedures, and likely associated limitations on big iron hardware. They really need to let the user pick passwords of any length using the full gamut of ASCII, even if that requires hashing down the password to something their legacy hardware can support.
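
The "assign them" suggestion and the 8-to-12 alphanumeric bank policy from earlier in the thread can be compared on a common scale: bits of entropy for a uniformly random password. The block below is an added example, not code from the thread; it reproduces the `dd ... | base64` idea with `os.urandom`, generates random passwords from a given alphabet with `secrets`, and checks whether a candidate satisfies a constructed model of the bank's rule (8-12 characters, letters and digits only). The policy limits and alphabets are assumptions made for the demonstration.

```python
import base64
import math
import os
import secrets
import string
from typing import Dict

# Constructed model of the bank policy mentioned in the thread:
# 8 to 12 characters, letters and digits only, no symbols or spaces.
BANK_MIN, BANK_MAX = 8, 12
BANK_ALPHABET = string.ascii_letters + string.digits            # 62 symbols
PRINTABLE = BANK_ALPHABET + string.punctuation                  # 94 symbols
BASE64_ALPHABET = string.ascii_letters + string.digits + "+/"   # 64 symbols


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def urandom_base64(n_bytes: int = 12) -> str:
    """Same idea as `dd if=/dev/urandom bs=1c count=12 | base64`:
    n_bytes * 8 bits of randomness, encoded as 4 base64 chars per 3 bytes."""
    return base64.b64encode(os.urandom(n_bytes)).decode()


def random_password(length: int, alphabet: str) -> str:
    """Uniformly random password from `alphabet`, using the CSPRNG in `secrets`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def meets_bank_policy(password: str) -> bool:
    """True if the password fits the constructed 8-12 alphanumeric rule."""
    return BANK_MIN <= len(password) <= BANK_MAX and all(c in BANK_ALPHABET for c in password)


def policy_ceiling_bits(max_len: int, alphabet_size: int) -> float:
    """Best case a user can reach under a policy that caps length and alphabet."""
    return entropy_bits(alphabet_size, max_len)


def compare() -> Dict[str, float]:
    """Entropy of the options discussed, rounded to one decimal."""
    return {
        "bank max (12 alnum)": round(policy_ceiling_bits(BANK_MAX, len(BANK_ALPHABET)), 1),
        "12 urandom bytes as base64": round(entropy_bits(256, 12), 1),
        "24 printable ASCII": round(entropy_bits(len(PRINTABLE), 24), 1),
    }


if __name__ == "__main__":
    assigned = urandom_base64()
    print(assigned, "fits bank policy:", meets_bank_policy(assigned))
    print(random_password(BANK_MAX, BANK_ALPHABET), "fits bank policy:", True)
    for label, bits in compare().items():
        print(f"{label}: {bits} bits")
```

Two things the numbers show: the 96-bit assigned password is rejected by the bank rule outright (16 characters, and base64 uses `+` and `/`), and even the strongest password the rule permits tops out near 71 bits, so the policy, not the user, sets the ceiling.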

  • (Score: 2) by opinionated_science on Tuesday July 17 2018, @10:52PM (1 child)

    by opinionated_science (4031) on Tuesday July 17 2018, @10:52PM (#708560)

    oh nevermind...:-)

    • (Score: 2) by captain normal on Wednesday July 18 2018, @05:11AM

      by captain normal (2205) on Wednesday July 18 2018, @05:11AM (#708676)

      Guess we've outgrown the oblig xkcd.
      But the whole thing boils down to: most people cannot remember long random character passwords. So they write them down on post-it notes and stick them on or near the computer. Or they create a text file with a name something like WFB-PW and stash it in Docs. The thing is that with modern computing power, long many character passwords are no safer than a 4-character password. If you are worried about being hacked just don't do financial transactions over the internet.

      --
      "Everyone is entitled to his own opinion, but not to his own facts" --Daniel Patrick Moynihan
  • (Score: 2) by MichaelDavidCrawford on Tuesday July 17 2018, @10:56PM (1 child)

    by MichaelDavidCrawford (2339) on Tuesday July 17 2018, @10:56PM (#708562) Journal

    Whenever I register with a site that has onerous password requirements, I use some completely random gibberish which I soon forget.

    After that I request the password reset link EVERY SINGLE TIME.

    That cannot possibly be secure.

    --
    Yes I Have No Bananas. [gofundme.com]
    • (Score: 3, Funny) by DannyB on Wednesday July 18 2018, @03:22PM

      by DannyB (5839) on Wednesday July 18 2018, @03:22PM (#708814) Journal

      Password standards are helpful. Especially if you provide guidance to the user to avoid frustration while ensuring best password practices.

      For example [ba-bamail.com]

      Please enter your new password:

      "cabbage"

      Sorry, the password must be more than 8 characters.

      "boiled cabbage"

      Sorry, the password must contain 1 numerical character.

      "1 boiled cabbage"

      Sorry, the password cannot have blank spaces.

      "50bloodyboiledcabbages"

      Sorry, the password must contain at least one upper case character.

      "50BLOODYboiledcabbages"

      Sorry, the password cannot use more than one upper case character consecutively.

      "50BloodyBoiledCabbagesShovedUpYourArse,IfYouDon'tGiveMeAccessnow"

      Sorry, the password cannot contain punctuation.

      "ReallyPissedOff50BloodyBoiledCabbagesShovedUpYourArseIfYouDontGiveMeAccessnow"

      Sorry, that password is already in use!

      --
      The lower I set my standards the more accomplishments I have.
  • (Score: 2) by Snotnose on Tuesday July 17 2018, @11:42PM (5 children)

    by Snotnose (1623) on Tuesday July 17 2018, @11:42PM (#708577)

    You can't fix stupid. In the 90's/00's I spent a lot of time as a sysadmin. Telling my users I was running password crackers 24/7, I caught the same people every fricken week. The response was always "fuck off, don't you have work to do?".

    --
    When the dust settled America realized it was saved by a porn star.
    • (Score: 0) by Anonymous Coward on Tuesday July 17 2018, @11:57PM (1 child)

      by Anonymous Coward on Tuesday July 17 2018, @11:57PM (#708581)

      Fuck off. Don't you have work to do?!

      • (Score: 2) by DannyB on Wednesday July 18 2018, @03:31PM

        by DannyB (5839) on Wednesday July 18 2018, @03:31PM (#708823) Journal

        Hey, try entering "penis" for your password. I'm sure the computer will respond: "sorry, not long enough".

        --
        The lower I set my standards the more accomplishments I have.
    • (Score: 1, Touché) by Anonymous Coward on Tuesday July 17 2018, @11:59PM (2 children)

      by Anonymous Coward on Tuesday July 17 2018, @11:59PM (#708583)

      > The response was always "fuck off, don't you have work to do?".

      If you didn't have management buy-in, then didn't you have work to do?

      • (Score: 2) by DannyB on Wednesday July 18 2018, @03:29PM (1 child)

        by DannyB (5839) on Wednesday July 18 2018, @03:29PM (#708821) Journal

        Management should buy in. If Snotnose can crack people's passwords, then so can someone else.

        If management doesn't buy in, this is indicative of an attitude which makes it more likely that:
        1. security is weak elsewhere
        2. a hacker will penetrate your systems
        3. they will steal your password file
        4. the password file will be easy to crack, as Snotnose has demonstrated
        5. Other system penetrations, data theft, malware installation, and other nefarious things will occur

        If management doesn't buy in, then they need to be replaced. There is probably somewhere to report such poor security. (other than an anonymous online post)

        --
        The lower I set my standards the more accomplishments I have.
        • (Score: 0) by Anonymous Coward on Wednesday July 18 2018, @11:05PM

          by Anonymous Coward on Wednesday July 18 2018, @11:05PM (#709073)

          Look at Dilbert's PHB and then, knowing what management should be doing, tell me by what likelihood they are actually going to do it.

  • (Score: 2) by The Archon V2.0 on Wednesday July 18 2018, @03:21PM

    by The Archon V2.0 (3887) on Wednesday July 18 2018, @03:21PM (#708813)

    Depends on the restriction. Stopping someone from using a 1 character pass or "password1" is reasonable IMO. However, I've seen some insane ones. One system used by HP in the early 2000's (no idea if it's still in use) would reject anything with a dictionary word anywhere in it. Including two letter words like "to" "at" and "AI". It almost forced you to use an alternating letter-number sequence for a password, unless you wanted to spend an hour changing letters one at a time (and then two at a time) and waiting for the system to either accept it or re-reject it, trying to figure out why "rXeLy013GBf2nh1" was "insecure".

    Oh, and the password expired every three months. Almost everyone I knew just found something that worked and then incremented the final digit, meaning if you had an old password and a rough idea when it was from, you'd guess their current one in 1-3 guesses.
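
The two rules described in the comment above pull in opposite directions: rejecting any dictionary substring (even "to" or "at") makes random strings fail for no useful reason, while forced expiry pushes people into rotating a single trailing digit, which a checker could easily catch. The block below is an added example, not code from the thread or from any HP system; it models both the over-strict substring rule and a narrower whole-word rule, and adds a check that flags a new password that only differs from the old one by its trailing digits. The tiny word list is constructed for the demonstration.

```python
import re
from typing import Iterable, Set

# Constructed stand-in for a real dictionary; a deployed check would load a
# large word list and the site's own blocklist instead.
WORDS: Set[str] = {"to", "at", "ai", "password", "cabbage", "summer", "toaster"}


def rejects_any_substring(password: str, words: Iterable[str] = WORDS) -> bool:
    """Model of the rule in the comment: any dictionary word anywhere -> reject.
    Two-letter words make this fire on almost any string with letters in it."""
    lower = password.lower()
    return any(w in lower for w in words)


def rejects_meaningful_words(password: str, words: Iterable[str] = WORDS, min_len: int = 4) -> bool:
    """Narrower rule: only words of min_len or more letters count, so a random
    string with an incidental 'at' in it is not punished."""
    lower = password.lower()
    return any(len(w) >= min_len and w in lower for w in words)


def _stem(password: str) -> str:
    """Password with any trailing run of digits removed, case-folded."""
    return re.sub(r"\d+$", "", password).lower()


def is_trivial_rotation(old: str, new: str) -> bool:
    """True when the new password is the old one with only its trailing digits
    changed (Summer01 -> Summer02), or the same password with different case."""
    return _stem(old) == _stem(new)


def evaluate_change(old: str, new: str) -> str:
    """Combined verdict a password-change handler could return."""
    if is_trivial_rotation(old, new):
        return "rejected: only the trailing digits changed"
    if rejects_meaningful_words(new):
        return "rejected: contains a dictionary word"
    return "accepted"


if __name__ == "__main__":
    candidate = "rXeLy013GBf2nh1"   # the string from the comment above
    print(candidate, "any-substring rule rejects:", rejects_any_substring(candidate))
    print(candidate, "whole-word rule rejects:", rejects_meaningful_words(candidate))
    print(evaluate_change("Summer01", "Summer02"))
    print(evaluate_change("Summer01", "rXeLy013GBf2nh1"))
```

Running the checker on the comment's own example shows the difference: the whole-word rule lets the random string through, while "Summer01" to "Summer02" is caught as a rotation rather than accepted as a fresh password.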
