Something that really annoys me, annoys me to anger, is brain-dead password schemes for websites where I'm forced to adhere to some moronic schema for my password to "enhance" security.
Upper bounds on password length
The most common issue I see across the plethora of inept password schemes is bounds on length. I'm all for having a lower bound on passwords; it's all about security after all, and shorter passwords take far less time to brute-force. A minimum of 5-6 characters is the most oft seen bound, and with that I'm absolutely fine.
But as soon as you start requiring that my password be no more than a certain number of characters a klaxon starts wailing in my head.
The initial suspicion is that if you have an upper bound on the length of my password, you must be storing it in plaintext: a salted hash has the same fixed length whether the input is 8 characters or 80, so there is no storage reason to cap it. If you are storing my password in plaintext then you're either an idiot or a complete and utter fucking asshole; you can choose whichever you want.
For god's sake, salt and hash passwords before storing them.
Forms that cut off entry
Even worse offenders in this area are sign-up forms in which the password fields have a maximum length. That means you can type in your 20 character password without realising that you've been clipped at an arbitrary 12 characters.
Then when you visit the login form, which obviously won't have the 12 character limit on the password field, and type in your 20 character password, it will throw back errors.
Please stop capping my passwords at an arbitrary length, and at the very least be consistent about field lengths across your forms.
Exact password length
Enforcing an exact password length is the bigger, uglier brother of having an upper bound on length. Not only have you set the lower and upper limit on how long a password can be, you've also said that they must be the same!
Holy hell, you've completely and utterly missed the point. Aside from the fact that you're vastly limiting the number of permutations of passwords available to users, and of course the number of permutations a brute-force attack would be required to cycle through, you're making the password much harder for the user to remember.
If I have a 6 character password that I use everywhere, as I'd wager most users do, and you enforce a password length of 8 characters, then you're essentially forcing me to append two filler characters to the end of my password, usually, I'd wager, '11' or '00'.
Enforcing the inclusion / exclusion of certain characters
"Your password must contain at least one number", "Your password must have one or more non-alphanumeric character", "You are required to have at least one uppercase letter", "Your password must have--" ...fuck right off.
My password should be allowed to contain any alphabetic, numeric or non-alphanumeric characters; it should not be required to contain them. If you're trying to make me adhere to a given structure for my password then you're limiting the number of permutations available to me again.
"But what about the idiots who choose easy passwords?" They're still going to be idiots, just your special brand of idiot. Making the password harder to remember just ensures that you end up with either a post-it note with the username and password stuck to the side of a monitor, or some super-secret-CIA-level symbol-substitution cipher being used to swap out the characters in their god-awful password.
- a = @
- e = 3
- i = !
- o = *
- u = well, still u
- s = $
- l = 1
- t = 7
- ...
My new super-secret, secure password should probably be p@$$w*rd!
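A password check written in the spirit of the post, as an added example (not the author's code): instead of composition rules it applies only a minimum length and a denylist lookup on the de-leeted stem, undoing the substitution table above and the '11' / '00' padding from the exact-length section. The denylist, the minimum of 8 characters and the function names are constructed for this example.

```python
import re

# Constructed denylist for this example; a deployment would load a large
# breached-password list instead.
WEAK_STEMS = {"password", "letmein", "qwerty", "welcome", "hello"}

# The post's substitution table, inverted: symbol -> the letter it stands in for.
DELEET = str.maketrans({"@": "a", "3": "e", "!": "i", "*": "o",
                        "$": "s", "1": "l", "7": "t"})

MIN_LENGTH = 8  # assumption: the post argues for a lower bound, not a specific value

# A trailing run of digits/symbols: the '11', '00' or '!' padding users add.
_TRAILING_PADDING = re.compile(r"[^a-z]+$")


def candidate_stems(password: str) -> set:
    """Return the plain-letter words a password may be dressing up.

    Two readings are tried: de-leet the whole string, and drop a trailing
    run of padding first and then de-leet. 'P@$$w*rd!' and 'Password11'
    both yield 'password'.
    """
    low = password.lower()
    return {
        low.translate(DELEET),
        _TRAILING_PADDING.sub("", low).translate(DELEET),
    }


def check_password(password: str):
    """Return None if the password is acceptable, otherwise the reason.

    No upper bound, no exact length, no required character classes: only a
    denylist check on the de-leeted stems and a minimum length.
    """
    hits = candidate_stems(password) & WEAK_STEMS
    if hits:
        return f"is a disguised form of a common password: {sorted(hits)[0]}"
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    return None


if __name__ == "__main__":
    for pw in ["P@$$w*rd!", "Password11", "h3ll*", "correct horse battery staple"]:
        print(repr(pw), "->", check_password(pw) or "ok")
```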
On a side-note, if any of your passwords resembles any of these you are a moron.
Post your password in the comments below and I'll tell you if it's secure or not!
- Chris