
Your Password Rules Are Not Good Enough

Instead of telling you, let me show you how a top e-commerce platform in South Africa shamed and praised my password.

This is classed as a weak password

The above password has 14 characters, capital letters and some digits. What you should note is the password strength meter. See how it shames my weak password for being weak and inadequate?

A password stronger than Thor on steroids

Do you see that?! I added 1 special character and the password became strong. The password became so strong, the password meter overflowed to the next 3 pages I visited on the website.

Have You Met The Cloud

The fact that you are here means you know cloud computing is more than just a place to store your cat’s pictures. An invested hacker can afford a good cloud computer with a mid-range graphics card. A mid-range GPU can boost password cracking by around 250x, while a high-end NVIDIA GTX 30 series card can give you a 500x boost over a decent 9th Gen Intel i7 CPU. Elcomsoft has a more technical blog post for those who are interested. Let’s break down some of your archaic password rules then.

It’s Too Short

The user’s password is too short? Have you met people? Here, meet these people:

passwordpassword

qwertypassword

Iamthegodofthunder

Add A Digit and Special Character

Are you even trying to enforce any sort of security on your platform? Meet more people:

I@mtheG0dofthunder

MyN@ame1sJohn

Our GPUs will make quick work of these passwords, not to mention they are among the 50,000 most common passwords on the internet. If you have a maximum password length, I am going to climb out of this computer and The Ring you.

I tried to insert a The Ring GIF, but it would not upload. No idea why.

What on Earth is a maximum password length? The one on your platform is probably 12 characters. And you probably do not measure length in Unicode characters but in ASCII, which trims off some characters, so the passwords become even shorter.

Show Us The Way Oh Sensei

We can try to protect our users and our platforms. There is no one-size-fits-all solution, but the following can add some level of security beyond pretense:

  1. Your password rules make random password generators useless. My password generator can spit out a password that does not have all the classes of characters your rule-set demands. Does that make the password weak? No it does not.
  2. Check for common passwords. You do not have to check against every common password out there, as some databases contain 100,000 entries. It will not be user friendly to have potential new users wait while you run the check, and the server time will slaughter you. But at least check. 10,000 entries will take a few milliseconds if you have decent server resources.
  3. For the love of all that is sacred in these bits and bytes we live in, be sure to check if users just copy their email or name and surname into the password field. Check if the password contains any part of their birth date too. People are lazy, remember that.
  4. Enforce a minimum password length measured in Unicode characters. The key here is Unicode, because some locales use characters that get trimmed away when the password is handled as ASCII. Your maximum length must also be something reasonable and secure. 16 characters is too short.
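As an added example (not code from the post), here is a Python checker that applies the four rules above: length counted in Unicode code points rather than ASCII, a lookup against a common-password list, a check for the user's own email, name and birth date, and no character-class rule or maximum length. The common-password set and the sample inputs are constructed for illustration.

```python
import unicodedata
from datetime import date

# Constructed sample of a common-password list. Production code would load
# the ~10,000 most common passwords from disk, as the post recommends.
COMMON_PASSWORDS = {
    "password", "passwordpassword", "qwertypassword", "iamthegodofthunder",
    "i@mtheg0dofthunder", "myn@ame1sjohn", "password_1",
}
MIN_LENGTH = 16  # counted in Unicode code points, never in ASCII bytes
SAMPLE = "\u00c9g er \u00ferumugu\u00f0inn!"  # constructed: "Ég er þrumuguðinn!"

def unicode_length(password: str) -> int:
    """Length in code points after NFC normalisation, so an 'ö' typed as
    'o' + combining diaeresis counts as one character, not two."""
    return len(unicodedata.normalize("NFC", password))

def ascii_trimmed_length(password: str) -> int:
    """What a naive ASCII-only pipeline measures after dropping non-ASCII."""
    return len(password.encode("ascii", "ignore"))

def _personal_fragments(email, first_name, last_name, birth_date):
    """Lower-cased pieces of the user's own data that must not appear in the
    password (birth_date is ISO yyyy-mm-dd). Fragments shorter than 3 chars
    are skipped so a two-digit day does not flag every password."""
    bd = date.fromisoformat(birth_date)
    raw = [email.split("@")[0], first_name, last_name, first_name + last_name,
           str(bd.year), bd.strftime("%d%m"), bd.strftime("%m%d"),
           bd.strftime("%d%m%Y"), bd.strftime("%Y%m%d")]
    frags = set()
    for f in raw:
        f = f.lower()
        frags.update({f, f.replace(" ", "")})
    return {f for f in frags if len(f) >= 3}

def check_password(password, email, first_name, last_name, birth_date):
    """Return the list of policy violations; an empty list means accepted.
    Deliberately no character-class rule and no maximum length."""
    problems = []
    if unicode_length(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    for frag in sorted(_personal_fragments(email, first_name, last_name, birth_date)):
        if frag in lowered:
            problems.append(f"contains the user's own data: {frag}")
            break
    return problems
```

Note that SAMPLE passes the 16-character minimum when counted in Unicode (18 code points) but would fail it after ASCII trimming (15), which is exactly the locale problem rule 4 warns about.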

I will leave you with this:

  • Van Lee Chigwada ← No spaces allowed.
  • VanLeeChigwada ← Passwords must include a digit.
  • VanLeeChigwada2010 ← Passwords must include a special character.
  • VanLeeChigwada%2010 ← The % character is not allowed.
  • VanLeeChigwada_2010 ← Passwords must be shorter than 16 characters.
  • Password_1 ← Accepted.