Ammo For Sale

« « A fear of simple tools | Home | Gun Porn » »

Password policies are stupid

I have passwords for Google, Yahoo, Microsoft, WordPress, several applications, banks, and, hell, a ton more. And all of the policies for passwords are stupid. You can’t re-use one; some number of digits, alphabet both upper and lower case, and symbols; some sort of length; changing it some number of times per season; and on and on and on. I agree with these best practice changes for passwords.

I will note that Amazon seems to understand this. I have been using amazon since there was an Amazon. My password has never had to be changed and it isn’t overly burdened by dumb rules that make it look like this: c5(BnKw8TxqLnh8′

That’s from a random password generator I found online.

12 Responses to “Password policies are stupid”

  1. Mike Says:

    I use a password manager (iOS/mac OS default one works fine for me), or if I have to come up with one manually I use passwords generated on whenever possible. They have enough entropy but are relatively easy to remember. But also I use two factor authenication (using the Authy or Google Authenticator app, which are available on both iOS and Android). Authy even has an Apple Watch app so I never need to actually use the app on my phone.

  2. Nomen Nescio Says:

    i too use a password manager — KeePass, because it’s cross platform. its built-in password generator create garbage strings that couldn’t possibly be remembered, but i never even try, because i just copy and paste them in. most of my passwords i’ve never even seen.

    and the password database itself is safeguarded with a combination password (the only one i bother remembering) and random-data key file, the latter of which is stored on a couple of USB sticks and has never touched the network. i consider this secure enough that i keep the (encrypted) password database in my dropbox folder, so i can get at it from my smartphone too.

  3. Jonathan Says:

    I’ve had good luck with LastPass. It will store everything for you, it’s accessible from any internet-connected device (and offline, if you sync’d the database ahead of time), it handles two-factor authentication (for itself), and it will happily generate whatever kind of gibberish password your site requires.

    But, yes, 90% of password rules, including length, are stupid.

  4. Daniel Schwartz Says:

    I’ve had good luck with passphrases. For example, I might choose the phrase “Fly me to the moon, and let me play among the stars!”, which might result in a password like Fm2tm&lmpats!

    Easy for me to remember, difficult to reverse-engineer (unless someone deduces the phrase). It’s 13 characters long, and has capital letters, lower-case letters, a number, and two symbols.

    I agree that having a multiplicity of password rules is stupid. But I can’t think of a solution (e.g. standardization of passwords via a central authority) that isn’t worse.

  5. poobie Says:

    Statistically, pretty much any 16 character password is pretty safe, as long as you don’t use too many repeats. XKCD had a great comic about it.

    As an IT nerd, though, I have to enforce some password rules that are pretty asinine, because my users are even more asinine. We used to find passwords taped to monitors, even before we required scheduled changes. I had to set the “remember last six passwords” flag, because we had one guy that would change it, then change it back to his old one immediately. to get around that, he had a grad student change it 7 times when it would expire, so I had to turn on the minimum password age requirement as well.

    I’ve issued smart cards to anyone with admin privileges, though, which mitigates complaints from anyone with the power to fire me.

  6. Ravenwood Says:

    Yeah, eventually you have to start writing them down, at which point it becomes counterproductive.

  7. Other Steve Says:


    This is only something that people who donít use use LastPass complain about. I taught Infosec at my company and LastPass was the single best thing we ever did there.

    The others are fine too, KeePass, 1password, dashlane, etc, but having used all of them, LastPass is the winner, you literally canít mess it up and itís by default on all your devices.

    Stop being dumb. Just move to LastPass. It doesnít matter if Amazon allowed ď1234Ē or forced a 20 char one time use, there is just no way you are secure using your stupid brain which will default to deritivites and re-use.

    You should have a 16-20 char unique password for every site – and for the most part you shouldnít even know what they are.

  8. HL Says:

    Yep. Ravenwood said it. If you have to write it down, or store it in a password app, then you’ve created a compromising situation right off the dick.

  9. Nomen Nescio Says:

    writing a password down might not be the end of the world, as long as you keep the (only!) note it’s written on in your wallet. and as long as you don’t value the account that password protects any higher than any other one thing you’d lose if your wallet got stolen. after all, it’s not like you wouldn’t have to take some emergency recovery actions if you lost all that other stuff you keep in there.

    password managers tend to work on the “all your eggs in this really heavily armored basket” principle, and encrypt their database six ways to sunday. which is good enough for me.

  10. rick Says:

    One site’s take on this issue:

  11. Other Steve Says:

    HL: thatís WOEFULLY ignorant of how password managers work.

    It goes like this from most secure to least:

    1. Unique passwords on paper stored securely
    2. Unique password in a password manager
    3. Paper stored in securely
    4. Deiritive passwords stored anywhere even your brain
    5. Intentionally weak passwords because life is hard

    Unless you know of a way to carry secure paper and quickly access what you need to – a password manager is the only way to go. LastPass in particular has excellent security when used with a 2FA process like Duo.

  12. Pete Says:

    I use a few good passwords that don’t need to be changed on the regular…that is until the people whose job it is to protect our passwords like Yahoo screw the pooch, then they have to be changed.