2. Asking people to create complex passwords.

I can see half of you (especially the programmers) rolling your eyes now.

Pffff, but complicated passwords are safe, are you stupid? You must be a designer or some other lower form of life…

No, they are not, shut up. It is the length of a password that makes it hard to guess, far more than forcing a few symbols into it.

A "complex" password, in the sense I mean here, is one where silly developers demand that the user include at least one upper case letter, one digit and sometimes even one special character. In their minds, this for example is a secure password:

5-Nope!

It has a digit, two special characters (a hyphen and an exclamation mark) and one upper case letter. Let's do some basic math now.

In each slot we can put 52 letters (upper + lower case), 10 digits and about 12 commonly used special characters. That is 74 different options for each slot. Hell, let's round that up to 80.

Forcing the user to enter a minimum of 7 characters gives us at least 80^7:

20,971,520,000,000

password variants.

Now, let's see what an "insecure" password policy gives us. Say we allow only upper and lower case letters but raise the minimum by one, to eight characters. With 52 options per slot, that is 52^8:

53,459,728,531,456

See? 53 trillion versus 21 trillion. A password that is easy to remember, because the user does not have to fiddle with pesky characters, is actually the harder one to brute-force. (One honest caveat: both numbers assume the password was picked at random from the whole set. An attacker who guesses words and phrases first, instead of every letter combination, searches a much smaller space, which is exactly why a dictionary attack is the right test to run on a password like the one below.)

This by comparison is safer & harder to penetrate:

yourmomah

Furthermore, enforcing complex passwords makes them extra unsafe, because users tend to write such passwords down. Let's be honest, every ordinary user has a set of passwords (Ha! I said set! More like one…) that they use constantly. Yes, that is not safe. Yes, that is even a bit stupid. But yes, that is how people use the internet. As long as we have the password as a locking mechanism, that is how it is going to be. When you force the user to enter a password which is completely out of their comfort zone, it will be written down. So by making your website "safe" (and the math shows us even that is not true), you make it doubly unsafe. Stop that.

Oh, you have a clever idea to force users into entering long and complex passwords? Good luck with that.

Besides, the main way a malicious person will get at the passwords will not be brute forcing or some hacker-movie Matrix-code thing. It will be either social engineering (where users basically just hand over their password) or stealing the website's entire database, passwords and email addresses included. Do the back-end side of security well, which for passwords means storing only a salted, deliberately slow hash (bcrypt, scrypt, Argon2, or at a minimum PBKDF2) so that a stolen table is not a list of plaintext passwords, and do not pester the users with complex passwords.
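What "doing the back-end well" looks like in code, as an added example that is not from the original post: a registration and login flow with a length floor, no composition rules, a check against a breached-password list, and salted, deliberately slow hashing, following the direction of NIST SP 800-63B. PBKDF2 is used here only because it ships in Python's standard library; a memory-hard function such as Argon2id or scrypt is the better pick where a library is available. The breached-password set, the usernames and the passwords are constructed for the demo.

```python
import hashlib
import hmac
import os

# Policy in the spirit of NIST SP 800-63B: a length floor, a generous cap,
# no composition rules, and a check against known-breached passwords.
MIN_LENGTH = 8
MAX_LENGTH = 128
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (OWASP 2023 guidance)

# Constructed stand-in for a breached-password list; real ones hold
# hundreds of millions of entries (e.g. the Have I Been Pwned corpus).
BREACHED = {"password", "123456", "qwerty", "iloveyou", "letmein"}


def check_policy(password):
    """Return None if the password is acceptable, otherwise a plain-language
    reason. Deliberately absent: any demand for upper case, digits or symbols."""
    if len(password) < MIN_LENGTH:
        return f"use at least {MIN_LENGTH} characters"
    if len(password) > MAX_LENGTH:
        return f"use at most {MAX_LENGTH} characters"
    if password.lower() in BREACHED:
        return "that password shows up in known breaches, pick a different one"
    return None


def hash_password(password, salt=None):
    """Salted, deliberately slow hash. The stored string carries everything
    needed to verify later, so the work factor can be raised over time."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so the check does not leak matching prefixes.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def register(users, username, password):
    """Store a hash for the user; returns None on success or the policy reason."""
    reason = check_policy(password)
    if reason is not None:
        return reason
    users[username] = hash_password(password)
    return None


def login(users, username, password):
    stored = users.get(username)
    if stored is None:
        # Burn the same cost for unknown users so response time does not
        # reveal which usernames exist.
        hash_password(password)
        return False
    return verify_password(password, stored)


if __name__ == "__main__":
    users = {}
    print(register(users, "grandpa", "ilovemygrandson"))   # None: accepted
    print(register(users, "dev", "5-Nope!"))               # too short
    print(login(users, "grandpa", "ilovemygrandson"))      # True
    print(login(users, "grandpa", "ilovemygranddaughter")) # False
```

"5-Nope!" is rejected only for being seven characters; "ilovemygrandson" sails through. Note that `login` burns the hashing cost for unknown usernames too, so response time does not tell an attacker which accounts exist.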

EDIT:

After a storm of comments regarding how wrong I am about “yourmomah” and how this is all nonsense, allow me to retort.

First, it seems that only a few got the joke about yourmomah being hard to penetrate. I guess my jokes are too subtle; I should use something more obvious next time.

But secondly, and more importantly, here is a comment from one of the enthusiastic security people. Not that there is anything wrong with being enthusiastic about security.

From the notes.

And exactly there lies the problem: developers taking security so far that a password should be something you cannot remember. Do you understand how messed up that is? A website that followed that rule would make it impossible for 99.99% of the internet population to even register, let alone come back to it.

There are about 200 people on the whole internet who can never forget a X0!pS92MFs;… type of password and can generate a dozen of those. That is not how people use the internet!

Folks, regular people, like your parents, and complete computer illiterates use the internet daily. They actually make up the bulk of it. Let's make their everyday use of the internet simpler and frictionless, and at the same time deal with security on our side, the developer side. Like preventing entire databases from being stolen.

Furthermore, this does not mean we should stop enthusiastic people from using insanely complicated passwords. By all means, type a 40 character random string if you are that paranoid, it is up to you! But let the old grandpa buying a Christmas present for the first time on some online shop use "ilovemygrandson" as a password. Why make it complicated for him and bounce him with errors: Wrong password, you need one capital letter, and then Wrong password, you need one number, and then Wrong password, you need one special character…

The frustration of using the internet comes from small pieces; it is death by a thousand cuts. Account creation, and with it password creation, is the first of those cuts. Stop pestering the user!

Request: could someone actually run a dictionary attack on "yourmomah" and post the results? How long does it take?
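In the spirit of that request, and of the keyspace math earlier in the post, an added example that is not from the original post and is not a real cracking run: a toy word-combinator attack against an unsalted SHA-256 of "yourmomah" and "ilovemygrandson", placed next to the two brute-force keyspaces computed above. The 20-word list is constructed for the demo; a real wordlist is millions of entries, so the guess counts illustrate the shape of the problem, not wall-clock time.

```python
import hashlib
import itertools

# Constructed wordlist for illustration only; real cracking lists hold
# millions of words and leaked passwords, so only the shape of the
# numbers carries over, not the exact guess counts.
WORDLIST = [
    "your", "mom", "ah", "i", "love", "my", "grandson", "dog", "cat",
    "summer", "winter", "hello", "admin", "letmein", "monkey", "sunshine",
    "the", "one", "two", "three",
]


def keyspace(alphabet_size, length):
    """Worst-case guesses for a password drawn uniformly at random from
    alphabet_size symbols, exactly length characters long."""
    return alphabet_size ** length


def combinator_space(words, max_words):
    """Candidates a word-combinator attack tries using 1..max_words words."""
    n = len(words)
    return sum(n ** k for k in range(1, max_words + 1))


def sha256_hex(text):
    # Unsalted SHA-256 stands in for whatever the leaked table stored.
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def combinator_attack(target_hash, words=WORDLIST, max_words=4):
    """Concatenate 1..max_words words in every order until a candidate
    hashes to target_hash. Returns (password, guesses) or (None, guesses)."""
    guesses = 0
    for k in range(1, max_words + 1):
        for combo in itertools.product(words, repeat=k):
            guesses += 1
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def compare_policies():
    """Side by side: the two brute-force keyspaces from the post versus the
    space a word-based guesser actually has to cover."""
    return {
        "7 chars, 80 symbols (5-Nope!)": keyspace(80, 7),
        "8 chars, letters only": keyspace(52, 8),
        "up to 4 words from the constructed list": combinator_space(WORDLIST, 4),
    }


if __name__ == "__main__":
    for label, size in compare_policies().items():
        print(f"{label:>42}: {size:,}")
    for pw in ("yourmomah", "ilovemygrandson"):
        found, guesses = combinator_attack(sha256_hex(pw))
        print(f"{pw!r} recovered as {found!r} after {guesses:,} guesses")
```

With 20 words, three-word concatenations number 8,000 and "yourmomah" falls at guess 443; the entire four-word space is 168,420 guesses, against the 53 trillion that 52^8 promises. Scale the list to 100,000 words and two-word combinations are 10^10, still a few thousand times smaller than 52^8. That is the point: the 52^8 figure is only earned by a password that was actually picked at random. Against a salted bcrypt/scrypt/Argon2 hash every one of those guesses costs far more, which is what the back-end side is for.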