Topic: Question about passwwords


Offline Siwastaja

  • Super Contributor
  • ***
  • Posts: 10883
  • Country: fi
Re: Question about passwwords
« Reply #25 on: August 11, 2025, 05:57:26 am »
The 72 byte case has been explicitly separated multiple times from your example, and it’s a reply to Siwastaja’s statement.

I still think that input validation for setting a password should be mandatory. Truncating a "too long" one, or extending a "too short" one with e.g. the symbol '0', are incorrect ways to deal with the user being stupid. Requirements for a password must be known and checked; there is no excuse for this.
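The check-and-reject approach argued for above, as an added example that is not code from any poster in this thread. It assumes a 12-character minimum (a made-up policy value) and a 72-byte maximum (bcrypt's well-known input limit, which is counted in bytes, not characters), and it models the "accept anything, silently truncate" verifier to show why two different passwords then verify as the same one.

```python
import hashlib
import hmac
import os
import unicodedata

MIN_CHARS = 12   # assumed policy minimum, counted in characters
MAX_BYTES = 72   # bcrypt's input limit; counted in UTF-8 bytes, not characters

# Constructed sample inputs: a password of exactly 72 bytes and a longer one
# that differs only after byte 72.
SAMPLE_72 = "passphrase-" * 6 + "123456"
SAMPLE_LONGER = SAMPLE_72 + "-this tail is silently dropped"


def check_new_password(pw: str) -> list[str]:
    """Return the list of policy violations for a candidate password.

    An empty list means 'accept'. On any violation the caller rejects the
    request and tells the user why; it never cuts or pads the value itself.
    """
    pw = unicodedata.normalize("NFKC", pw)  # count a stable form of the text
    problems = []
    if len(pw) < MIN_CHARS:
        problems.append(f"too short: {len(pw)} characters, minimum {MIN_CHARS}")
    nbytes = len(pw.encode("utf-8"))
    if nbytes > MAX_BYTES:
        problems.append(f"too long: {nbytes} bytes, maximum {MAX_BYTES}")
    return problems


def truncating_hash(pw: str, salt: bytes) -> bytes:
    """Model of a verifier that silently cuts input at MAX_BYTES before hashing.

    PBKDF2 stands in for bcrypt so the example runs with the standard library;
    the point is the [:MAX_BYTES] cut, not the hash function.
    """
    data = pw.encode("utf-8")[:MAX_BYTES]
    return hashlib.pbkdf2_hmac("sha256", data, salt, 50_000)


def truncating_verify(pw: str, stored: bytes, salt: bytes) -> bool:
    return hmac.compare_digest(truncating_hash(pw, salt), stored)


def collides_after_truncation(registered: str, attempt: str) -> bool:
    """True when the truncating verifier accepts `attempt` for an account that
    was registered with a different string `registered`."""
    salt = os.urandom(16)
    stored = truncating_hash(registered, salt)
    return registered != attempt and truncating_verify(attempt, stored, salt)


if __name__ == "__main__":
    for candidate in ("short", SAMPLE_72, SAMPLE_LONGER, "ж" * 40):
        print(repr(candidate[:20]), check_new_password(candidate) or "accepted")
    # The rejecting validator refuses SAMPLE_LONGER; a truncating verifier
    # would instead accept it as the same password as SAMPLE_72.
    print("collision under truncation:",
          collides_after_truncation(SAMPLE_72, SAMPLE_LONGER))
```

The 40-character Cyrillic sample is rejected because it is 80 bytes long, which is the byte-versus-character distinction a length check has to get right.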
 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 6744
  • Country: au
Re: Question about passwwords
« Reply #26 on: August 11, 2025, 07:11:35 am »
Is this good practice or is there a problem with this method ?

It's terrible. Easily guessable combinations of permutations of passwords are a risk (and crooks know the tricks!)

If you have trouble remembering passwords (and you should because you shouldn't be recycling passwords), then use a password manager like Bitwarden. Or, if you prefer a low-tech solution, a physical password book you keep at home. That way, you only have to remember one strong master password (or passphrase).

Don't keep them in insecure places on your computer, like a text document or Excel workbook.
 

Online 5U4GB

  • Super Contributor
  • ***
  • Posts: 1578
  • Country: au
Re: Question about passwwords
« Reply #27 on: August 11, 2025, 07:28:07 am »
Worse, some allow any length of entry but internally truncate, leaving you with a fantasy of greater security. This is very unhelpful if you choose a pass phrase rather than a random string, because ~3 words is not a proper pass phrase whereas 15 random characters is a decent one within such a constraint.

I know of one bank here that does this, or was as late as last year.

There was an airline whose web site would truncate your password to either 4 or 6 characters because that was the size of a PIN :palm:.  I was going to add that it's the one where when you send in a service request they ignore it and then send you a survey asking you to give them five stars for service, but that's about half the airline industry.
 

Offline Analog Kid

  • Super Contributor
  • ***
  • Posts: 4381
  • Country: us
  • DANDY fan (Discretes Are Not Dead Yet)
Re: Question about passwwords
« Reply #28 on: August 11, 2025, 07:30:54 am »
Don't keep them in insecure places on your computer, like a text document or Excel workbook.

You mean you don't think this would be secure?

File: c:\Users\Me\My Documents\password.txt

Contents:  password
 

Offline Siwastaja

  • Super Contributor
  • ***
  • Posts: 10883
  • Country: fi
Re: Question about passwwords
« Reply #29 on: August 11, 2025, 07:58:53 am »
Worse, some allow any length of entry but internally truncate, leaving you with a fantasy of greater security. This is very unhelpful if you choose a pass phrase rather than a random string, because ~3 words is not a proper pass phrase whereas 15 random characters is a decent one within such a constraint.

I know of one bank here that does this, or was as late as last year.

There was an airline whose web site would truncate your password to either 4 or 6 characters because that was the size of a PIN :palm:.  I was going to add that it's the one where when you send in a service request they ignore it and then send you a survey asking you to give them five stars for service, but that's about half the airline industry.

Related pet peeve: people and companies who can't understand the difference between password and Personal Identification NUMBER.

Specifically, the use for a PIN has been as an extra check (in addition to the security from physically having something), and in systems that can seriously rate-limit false attempts, and do things like lock out the physical thing after too many false attempts. For that, even 4 digits (10000 counts) suffice.
« Last Edit: August 11, 2025, 08:40:32 am by Siwastaja »
 

Offline golden_labels

  • Super Contributor
  • ***
  • Posts: 2300
  • Country: pl
Re: Question about passwwords
« Reply #30 on: August 11, 2025, 11:05:01 am »
Related pet peeve: people and companies who can't understand the difference between password and Personal Identification NUMBER.

Specifically, the use for a PIN has been as an extra check (in addition to the security from physically having something), and in systems that can seriously rate-limit false attempts, and do things like lock out the physical thing after too many false attempts. For that, even 4 digits (10000 counts) suffice.
We may extend this even further. Many institutions use “secret values” as passwords. In their naïve understanding, the threshold for “secret” is: I can’t guess the value by just knowing a person’s name, so neither could “the bad guy.” 🤦

In Poland this is commonly the PESEL number, an identification number each citizen has. Not only is it revealed to dozens of entities while signing any major agreement or a support list, but in many instances it’s public information available in official databases due to a person holding a high-ranking post in legal entities.

Could it get worse? Yes, never underestimate stupidity. In some instances organizations don’t use the full 10-digit(1) number. Instead, “to increase security” they choose a subset of digits. In the worst case this can be the first 6 digits, which happen to be calculated directly from the birth date. |O


(1) The full number contains 11 digits, but one digit has a linear relationship with the other 10. This doesn’t hold for invalid PESEL numbers, but those are too rare to have any real influence on security.



« Last Edit: August 11, 2025, 11:06:40 am by golden_labels »
Why 📎 | We live in times when half of people have IQ below 100.
 

Offline RoGeorge

  • Super Contributor
  • ***
  • Posts: 8213
  • Country: ro
Re: Question about passwords
« Reply #31 on: August 11, 2025, 11:30:40 am »
Hah, fixed!  8)

To the OP, the initial topic title can be edited.  :)
« Last Edit: August 11, 2025, 11:32:17 am by RoGeorge »
 

Offline Zero999

  • Super Contributor
  • ***
  • Posts: 22252
  • Country: gb
  • 0999
Re: Question about passwwords
« Reply #32 on: August 11, 2025, 11:42:27 am »
If you don't want to use a password manager and want to remember passwords
then you simply need to make up some rules you can use to create a password for any website.

This is just an example, come up with your own rules.

Start by coming up with a silly sentence you will always remember.
eg   my cats like to shit on the carpet.
Turn that into a password by using the first letter of each word and changing to=2 and for=4 etc..
mcl2sotc
This becomes the first part of your password and you will use it a lot and it's easy to type because you
can say the sentence in your head as you type it.

Now you can add on the end something that relates to the service or website you are signing up to.
Do this in upper case.  eg, for facebook you might do mcl2sotcFB
Or, if you want to hide the fact the password is for facebook, just in case someone sees it in plain text,
then you can scramble it a bit more. Like using the next letter in alphabetical order, so FB becomes GC

If the website forces you to keep changing your password every month you can optionally add the month/year on the end. This really isn't a good way to do it, but it's up to you to come up with something more interesting.
mcl2sotcGC125 for jan 25,  mcl2sotcGC225 feb 25 etc..

You can add a special character into the rules if you want. So websites that need one are happy.

Now you just have to remember the rules and you know the password for any service/website.
- Easy to create long passwords that don't use common words
- Easy to remember even when they are long.
- Different password for each website
- Has lowercase, uppercase and numbers. etc.

It's not a perfect system, but it's easy to remember because you have to remember the rules every time you use a password for any site. The rules stay fresh in your memory. Unlike trying to remember a random passwords you used on a website 10 years ago.
The problem with that is, some websites/services/networks require you to change the password after a certain period. That's fine when I'm using it every day. I just increment a number, or letter, but it's a pain when I don't use it very often. I've given up with bothering to remember passwords I don't use regularly and need to be changed often. I just ask for it to be reset every time I log in, which involves receiving an email or text.

Heck, there isn't strong evidence that forcing users to change passwords often increases security. It increases the risk of them doing silly things such as writing them down.
 

Offline golden_labels

  • Super Contributor
  • ***
  • Posts: 2300
  • Country: pl
Re: Question about passwwords
« Reply #33 on: August 11, 2025, 12:26:26 pm »
Heck, there isn't strong evidence that forcing users to change passwords often increases security. It increases the risk of them doing silly things such as writing them down.
There is evidence for the contrary.

Last month NIST also published Digital Identity Guidelines (800/63B/4) (PDF) with advice regarding passwords. In 3.1.1.2. we see (emphasis added):
Quote
Verifiers and CSPs SHALL NOT require subscribers to change passwords periodically. However, verifiers SHALL force a change if there is evidence that the authenticator has been compromised.
And that was already stated in the previous version (PDF) in 2017.

Even if mandatory password cycling had no negative impact on security, it would still be nonsense. In the best case, the idea is based on a threat model that became irrelevant a long time ago. More often it’s not based on any analysis at all. Instead it merely copies actions of others or relies on perceptions from literal ancient times.
Why 📎 | We live in times when half of people have IQ below 100.
 

Offline Siwastaja

  • Super Contributor
  • ***
  • Posts: 10883
  • Country: fi
Re: Question about passwwords
« Reply #34 on: August 11, 2025, 01:32:47 pm »
Required password changing is like asbestos: it was known to be harmful for a very long time, yet stubbornly used regardless of an increasing amount of unofficial and official statements that it should not be used.
 

Online 5U4GB

  • Super Contributor
  • ***
  • Posts: 1578
  • Country: au
Re: Question about passwwords
« Reply #35 on: August 11, 2025, 03:51:54 pm »
Required password changing is like asbestos: it was known to be harmful for a very long time, yet stubbornly used regardless of an increasing amount of unofficial and official statements that it should not be used.

Yeah, it's weird watching this in effect; I've been in security review meetings where every single participant agreed that it was a bad idea and then every single participant agreed that they had to do it.

In their defence, the reason was that if everyone else does it and they don't then it looks like they're not taking security seriously.  Same reason why something innocuous like the USDA puts you through a security checkpoint when you go in, they can't be seen to be the only government agency that doesn't have security checkpoints.
 

Online 5U4GB

  • Super Contributor
  • ***
  • Posts: 1578
  • Country: au
Re: Question about passwwords
« Reply #36 on: August 11, 2025, 03:58:02 pm »
Specifically, the use for a PIN has been as an extra check (in addition to the security from physically having something), and in systems that can seriously rate-limit false attempts, and do things like lock out the physical thing after too many false attempts. For that, even 4 digits (10000 counts) suffice.

It depends on how the PIN is applied: if it's to a secure device like an ATM then it's fine.  If you can enter it online then it enables a PIN-spraying attack where you try the same PIN across all accounts, which doesn't trigger the lockout and gets you into one in every 10K accounts, in practice a bit more since PINs are quite unevenly distributed.
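The two controls discussed in this post and in the PIN post it quotes, side by side as an added example that is not code from any poster: a classic per-account failure counter, and a per-source count of distinct accounts that fails within a window. The log format, addresses, account names and thresholds are constructed assumptions; the point is that a spray of one attempt per account never reaches the per-account lockout, while the per-source check does see it.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

ACCOUNT_LOCKOUT = 5                    # failures on one account before lockout
SPRAY_ACCOUNTS = 10                    # distinct accounts failed from one source...
SPRAY_WINDOW = timedelta(minutes=10)   # ...within this window => alert


def build_sample_log() -> list[str]:
    """Constructed auth log: '<iso-timestamp>Z <source> <account> <result>'.

    One source tries a single PIN against twelve accounts (one failure each);
    an ordinary user mistypes once and then succeeds.
    """
    t0 = datetime(2025, 8, 11, 7, 50)
    lines = []
    for i in range(12):
        ts = (t0 + timedelta(seconds=7 * i)).isoformat()
        lines.append(f"{ts}Z 203.0.113.7 acct{i:04d} FAIL")
    ts = (t0 + timedelta(minutes=2)).isoformat()
    lines.append(f"{ts}Z 198.51.100.4 acct0042 FAIL")
    ts = (t0 + timedelta(minutes=2, seconds=11)).isoformat()
    lines.append(f"{ts}Z 198.51.100.4 acct0042 OK")
    return lines


SAMPLE_LOG = build_sample_log()


def parse(line: str) -> tuple[datetime, str, str, str]:
    ts, src, account, result = line.split()
    return datetime.fromisoformat(ts.rstrip("Z")), src, account, result


def locked_accounts(lines: list[str]) -> set[str]:
    """Classic control: accounts that reached ACCOUNT_LOCKOUT failures."""
    fails = Counter(acct for _, _, acct, res in map(parse, lines) if res == "FAIL")
    return {acct for acct, n in fails.items() if n >= ACCOUNT_LOCKOUT}


def spraying_sources(lines: list[str]) -> dict[str, int]:
    """Sources that failed against SPRAY_ACCOUNTS or more distinct accounts
    inside any SPRAY_WINDOW, mapped to the number of accounts seen."""
    by_src: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for ts, src, acct, res in map(parse, lines):
        if res == "FAIL":
            by_src[src].append((ts, acct))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # distinct accounts failed from this source in the window opening at `start`
            accounts = {a for t, a in events[i:] if t - start <= SPRAY_WINDOW}
            if len(accounts) >= SPRAY_ACCOUNTS:
                flagged[src] = len(accounts)
                break
    return flagged


if __name__ == "__main__":
    print("per-account lockouts:", locked_accounts(SAMPLE_LOG) or "none")
    print("spraying sources:", spraying_sources(SAMPLE_LOG) or "none")
```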
 

Offline golden_labels

  • Super Contributor
  • ***
  • Posts: 2300
  • Country: pl
Re: Question about passwwords
« Reply #37 on: August 11, 2025, 04:52:52 pm »
(…) in practice a bit more since PINs are quite unevenly distributed.
That “a bit more” is off by two orders of magnitude! ;) Details: All credit card PIN numbers in the World leaked.

In the 2010s I conducted research on a forum I was administering. The details are now lost in the past, but the bottom line was: the 30 most popular passwords were used by 1/30 of the accounts.
Why 📎 | We live in times when half of people have IQ below 100.
 

Online 5U4GB

  • Super Contributor
  • ***
  • Posts: 1578
  • Country: au
Re: Question about passwwords
« Reply #38 on: August 12, 2025, 01:04:27 am »
Ah, thanks for doing the legwork.  There was a conference paper on this some years ago at somewhere like Usenix Security but a quick google failed to locate it so I handwaved :-).
 

Offline Psi

  • Super Contributor
  • ***
  • Posts: 12316
  • Country: nz
Re: Question about passwwords
« Reply #39 on: August 12, 2025, 06:09:19 am »
The problem with that is, some websites/services/networks require you to change the password after a certain period. That's fine when I'm using it every day. I just increment a number, or letter, but it's a pain when I don't use it very often. I've given up with bothering to remember passwords I don't use regularly and need to be changed often. I just ask for it to be reset every time I log in, which involves receiving an email or text.

Heck, there isn't strong evidence that forcing users to change passwords often increases security. It increases the risk of them doing silly things such as writing them down.

Agreed, there isn't a good solution for those sorts of websites.
And yeah, I don't think it improves security at all.
Greek letter 'Psi' (not Pounds per Square Inch)
 

Offline peter-h

  • Super Contributor
  • ***
  • Posts: 5817
  • Country: gb
  • Doing electronics since the 1960s...
Re: Question about passwwords
« Reply #40 on: August 12, 2025, 12:02:53 pm »
Surely this comes down to what you believe is the risk.

If you use a pwd manager then somebody hacking into your PC, laptop, etc (or stealing it) could get all your passwords. Export in CSV addresses the backup policy issues but it doesn't help with security. And if security is not a worry then why not use e.g. the Chrome pwd manager? I am sure google has good security around that (due to the huge risk) and use that for everything, except financial sites whose pwds are stored in hard copy.
Z80 Z180 Z280 Z8 S8 8031 8051 H8/300 H8/500 80x86 90S1200 32F417
 

Offline sportinator

  • Newbie
  • Posts: 2
  • Country: ch
Re: Question about passwwords
« Reply #41 on: August 12, 2025, 12:28:29 pm »
For the last five years it has been impossible to remember all passwords without a password manager, or, if you want them to be secure, a flashdrive. All important passes I save on the flashdrive.
 

Offline Psi

  • Super Contributor
  • ***
  • Posts: 12316
  • Country: nz
Re: Question about passwwords
« Reply #42 on: August 12, 2025, 01:34:53 pm »
The best solution I could come up with is to write my own simple password manager.  I've not had time to actually do it, may never do, but at least it would be a bespoke system which makes it super unlikely any person or app running on my PC is going to steal the data from its data file. 

There's a lot of people trying to break the encryption of common password manager data files or break into the running app's memory. There's so many users that the payoff of breaking it is huge.  However, viruses and malware can only go after password managers they know exist.

One thing I'm not too sure about is how password managers actually populate password data into password entry boxes.
I'm assuming they don't just simulate keypress codes since any other app on the system could probably intercept that.
So writing your own password manager might not be as simple as it first seems. (encrypted DB + text output into the in-focus win control)
There's potentially lots of obfuscation going on.

Then again, if you unknowingly have a dormant credential stealing virus on your PC perhaps you're already screwed even with common password managers. So maybe simulating key scan codes is fine as an entry method.
« Last Edit: August 12, 2025, 01:43:45 pm by Psi »
Greek letter 'Psi' (not Pounds per Square Inch)
 

Offline peter-h

  • Super Contributor
  • ***
  • Posts: 5817
  • Country: gb
  • Doing electronics since the 1960s...
Re: Question about passwwords
« Reply #43 on: August 12, 2025, 02:44:01 pm »
AFAIK if your machine is compromised then you are screwed, because windows messages can always be intercepted.

In fact the messaging system which is used extensively within windows has been a major security headache over the decades.

Banks etc nowadays assume your machine is compromised (because most normal people are simply too stupid / careless, and many use p0rn etc websites i.e. they are pretty careless what they browse) so setting up new payees involves a phone call or SMS.

Google's Chrome pwd manager might actually be more secure, on a compromised machine, than a 3rd party manager, because Chrome might be injecting the data internally, and just faking the pwd asterisks or whatever.

Z80 Z180 Z280 Z8 S8 8031 8051 H8/300 H8/500 80x86 90S1200 32F417
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 8985
  • Country: de
  • A qualified hobbyist ;)
Re: Question about passwwords
« Reply #44 on: August 12, 2025, 03:11:45 pm »
One thing I'm not too sure about is how password managers actually populate password data into password entry boxes.

Typical solutions are:
- clipboard (often with a time limit, you do the copy & paste)
- auto-type (involving some optional simple scripting to cover special cases)
- browser-plugin

Some password managers can also pass SSH keys to an SSH agent, for example.
 

Offline radiolistener

  • Super Contributor
  • ***
  • Posts: 5615
  • Country: Earth
Re: Question about passwwords
« Reply #45 on: August 12, 2025, 06:42:08 pm »
The problem with that is, some websites/services/networks require you to change the password after a certain period. That's fine when I'm using it every day. I just increment a number, or letter, but it's a pain when I don't use it very often. I've given up with bothering to remember passwords I don't use regularly and need to be changed often. I just ask for it to be reset every time I log in, which involves receiving an email or text.
Yes, in practice these measures can significantly weaken security rather than strengthen it. Forcing regular password changes often leads users to adopt predictable patterns - such as appending a date or incrementing a number - simply to keep track of the changes. This makes the passwords easier to guess and undermines the very purpose of the policy.

Similarly, arbitrary restrictions on password composition (e.g., disallowing certain symbols, requiring a fixed mix of character types, or rejecting perfectly strong passphrases) can push users toward creating long but highly repetitive or formulaic passwords that satisfy the filter yet are far more vulnerable to attack. Worse, these policies often reject genuinely strong passwords for no good reason.


Such rules are often implemented by administrators who have a limited understanding of real-world security issues. I have repeatedly encountered situations where these policies and filters not only created unnecessary headaches for users but also introduced serious vulnerabilities. While to the uninformed they may appear as strict and reasonable measures, in practice they frequently weaken security and create a host of additional problems.

And you would be mistaken to think these issues are hypothetical. I have personally encountered attacks of this kind, where users were subtly steered into choosing easily guessable passwords under the pretext that their original choice failed to meet certain security criteria. Once the weaker password was entered, it was accepted without issue. This is a sophisticated attack method that combines elements of social engineering with a man-in-the-middle approach.


The use of such practices - frequent forced password changes combined with complexity rules - has a troubling parallel to the promotion of biometric authentication. Biometric systems are often marketed as a security enhancement, but in reality they make it easier for malicious actors to impersonate you once they gain access to your biometric data from government or corporate databases. By consenting to the use of biometrics for identity verification, you are in effect giving attackers a permanent "key" that cannot be changed.

What many people fail to realize is that biometrics are not about enhancing security - they are about making impersonation easier for those who manage to obtain your data, money or want to put you into a slavery state. Consider this: facial recognition or fingerprint authentication offers no protection if you are coerced or physically restrained. In such a scenario, an attacker could effortlessly unlock every device and service tied to your biometric profile - face, fingerprint, etc. Moreover, stolen biometric data, unlike a password, cannot be reset, and can be traded or sold on illicit markets. So, almost any criminal can use it to impersonate you forever.

The underlying danger of imposing biometrics is that it enables criminals to act in your name, across multiple systems and organizations, without your consent and without your knowledge. Just as flawed password policies can push users into predictable, weak behaviors that aid attackers, biometric systems can provide a single, irrevocable point of failure - only this time, the "password" is something you cannot change.
« Last Edit: August 12, 2025, 07:04:40 pm by radiolistener »
 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 6744
  • Country: au
Re: Question about passwwords
« Reply #46 on: August 12, 2025, 10:45:01 pm »
Required password changing is like asbestos: it was known to be harmful for a very long time, yet stubbornly used regardless of an increasing amount of unofficial and official statements that it should not be used.

I'm seeing it become less and less of a thing, which is good. I'd say almost all of my online services never require a routine password reset. There might be one or two that do, but I couldn't even tell you which ones they are.
 

Offline Siwastaja

  • Super Contributor
  • ***
  • Posts: 10883
  • Country: fi
Re: Question about passwwords
« Reply #47 on: August 13, 2025, 05:50:32 am »
Required password changing is like asbestos: it was known to be harmful for a very long time, yet stubbornly used regardless of an increasing amount of unofficial and official statements that it should not be used.

I'm seeing it become less and less of a thing, which is good. I'd say almost all of my online services never require a routine password reset. There might be one or two that do, but I couldn't even tell you which ones they are.

Yes. Just like the dangers of asbestos being known and discussed in the 1930s, and the widespread epidemic among workers being dealt with starting from the 1960s, resulted in the ban in the civilized world in the 1990s (60 years being well-known, 30 years being an obvious disaster), it seems in the 2020s we are finally getting rid of scheduled password changes. How long did that take? Quite similar to asbestos - in the case of password changes, 50(?) years being understood as a bad practice, at least 20 years of everyone agreeing it's a kinda-sorta disaster which should be stopped immediately.
 

Offline radiolistener

  • Super Contributor
  • ***
  • Posts: 5615
  • Country: Earth
Re: Question about passwwords
« Reply #48 on: September 10, 2025, 06:43:16 pm »
At which point you just created a password manager. Just much worse and suffering from the standard effects of reinventing the wheel.

Sure, technically that’s a primitive password manager. But I’d prefer one like that over relying on someone else’s code and not knowing if there are backdoors or “convenient” key tricks hidden inside. Actually I'm using my own password manager written in C# in 2007 and I’m still using it today.

Zerothly, this is “some serious misunderstanding on user’s end.” Thanks for making yourself an example.

No misunderstanding here — I just pointed out the practical side. A 100-character password is great for entropy, but it’s far from convenient in daily use.

It was just an experiment. A 100-character password is obviously strong against brute force, and with certain mnemonic rules it’s not too difficult to memorize. However, in practice it turned out to be very inconvenient to type. I eventually reduced it to around 30–40 characters, mixing upper/lower-case letters, digits, and symbols.

Since an 8-character password can be brute-forced within hours (test results with open-source optimized code on GPU), I assume 20 characters can be considered strong, so 30–40 characters provides a reasonable safety margin against potential algorithmic weaknesses that could reduce brute-force costs.

However, this also depends on the resource — if it’s a non-critical service, a shorter password may be acceptable. The key point is to avoid reusing the same password across different services.
« Last Edit: September 10, 2025, 06:55:09 pm by radiolistener »
 
