Passwords: A hot take

Well, here we are again. Yes, I WILL talk about passwords. No, you will not enjoy this, since in this blogpost, I will discuss my stance on passwords and what we should teach the younger generation to do. Furthermore, we will see why some people refuse to get longer passwords. Also, a side note on my current phone ponderings.

Password rant

We need stricter password requirements. Why is it the standard 8 character limit? Why do we require upper-lower-number-symbol, choose-three-outta-four? We have already gotten to the point where this kind of “p@s5wordS” is dead simple for a strong enough computer to crack. Sure, I don’t have such a machine, but I know people who do. Of course, this only takes into account that the password is actually stored encrypted. What if you’re like an unnamed linguistic company that actually SENT ME MY PASSWORD WHEN I CLICKED “FORGOT MY PASSWORD”?! (Note: that happened to me in class and I am currently responsible for destroying some children’s manners forever.) When I called them and demanded to know what the fuck they were thinking, I got two points from them:

  1. We are working on a fix, it’ll be ready next month
  2. You shouldn’t be using the same password for every website

Now, in retrospect, I understand their latter point, but still, not everyone will want to do this (we’ll talk about this later).

That was the time I set up my first password manager. It was keepass, because I don’t want anything online that’s related to my passwords. So I went the offline route. Now, if you told me to ditch password managers, I’d tell you to tear your head off and shove it where the light doesn’t shine. Seriously, it’s indispensable for me.

This brings up the second chapter of my rant: UPPER LIMITS. Fuck upper limits on passwords. My default setup is 50 characters, upper-lower-number-symbol. I’ve even been told it’s not enough, but that’s another point. It’s much more than regular users will use, but still. On two occasions, I have encountered an upper password limit. One was 16, the other was 30. Both were what companies describe as “in great need for security”. I spent a few minutes looking at generated passwords, thinking about which looked the most garbled. But when I contacted the companies about this limit, I got the answer of “It’s enough, man, just use a random password.”

Thank you, random helpdesk clerk, for you are the reason I am writing this post right now.

Users are far from perfect

Admins, please: Don’t delude yourselves and think that every single user of your service will be as savvy as you are. They won’t. They will do everything to have to do as little as possible. You set up 8-char lower limit? “password”. You set the 3/4 rule? “p@ssw0rd”. They will spit in your face, do the least they have to and use it until your system gets broken into, at which point “you weren’t protecting our stuff well enough, so they got into my e-mail.

What MAY solve this issue is a higher minimum. Get them out of the woods, provide a lower limit that is reasonable, yet not too restrictive. Yes, I mean diceware-friendly requirements. Instead of the 3/4 8-char minimum, give a 20 character minimum. People will still try to spit in your face, so they’ll think of some words from a song or something. Not really diceware, but it’s closer to what you’d do if someone took your password manager away, isn’t it?

I told one of my clients to use a “secure password, something like several random words or a long phrase, not a passWORD, but a passPHRASE.” I also explicitely told him not to tell me the passphrase.

He came back at me with “It’s the names of my grandchildren, is that good?”

No.

Why don’t users use longer passwords?

The question is simple to answer: They simply can’t or don’t want to.

I’m typing this text at the speed of 250-350 chars per minute (depending on how much I think. Hint: not much). For me personally, typing out 7 or 8 random words is a matter of 10-20 seconds. I type faster with time, so a password becomes easier to type out the more I practice.

What do you think your older colleagues do? My parents type, say, 100-170 CPM. What does that tell us? It’s around half of my typing speed. The password that takes me 20 seconds on a bad day would take them 20 seconds on their best day. Imagine spending 30 seconds on average staring at your login screen (or more likely the keyboard, trying to find that darn B key).

My point is: We need to take into account the fact that not all people type as quickly as we’d like, so they’re not going to make a 30-character password to blow your lower limits out of the water. They’ll choose the safest option there is, the fastest option, because as much as you hate to admit it, you are the enemy to them.

I see that in my pupils: The faster they type, the more positively they respond to my talking about diceware. Luckily, their parents form a positive image for many: “My mom types even faster than you, sir!” I always tell them “Yeah, and you could type faster than me in a couple of months. It’ll be more useful than you’d ever think possible.”

My nephew recently started asking about how I can type and listen to him at the same time (apparently, looking at someone counts as listening). After I explained, he immediately jumped into Klavaro (which I can recommend to everyone wanting to get faster at typing. Teach yer mum!). He’s now practicing every now and again, but I’m thinking that by age 13 (the time I started typing), he will have moved to levels I would have never thought possible.

Get around those pesky 90-day password change requirements

I worked in a company that employs the 90-day policy. However, modern problems require modern solutions. Here is my quick-and-dirty plan to employ multi-factor authentication at the Windows login screen without modifying the system in any way (or any login, for that matter). I’ve still got my Arduino Micro. It’s a cool little fella that, among other things, supports HID emulation. For those who are new here: It can type like a keyboard. You just program it, compile the code and it types everything you need. If you want a commercially available, beautiful solution, a Yubikey will work (I got my Yubikey 4 on the way).

Sure, I hear you scream now: “That code can be read by plugging it in! If someone steals it, you’re fucked!”

Please, put those pitchforks away, there is another part to this plan: In addition to this keychain system, I will also type my own password (either in front of or behind it). What does that mean? True multifactor authentication: I need to have something I know as well as something I have. This protects my key from being stolen, because apart, they are useless. Furthermore, it also makes me the admin’s wet dream: A fully random password on a system where a software password manager is unviable to use. And yes, I mean fully random, 50 characters of random crap, after which comes my (in comparison short) salt. Every 90 days, I just change the random bullshit, choose another, short passphrase, and bam, we’re rolling.

I strongly encourage you: If you don’t have a hardware password manager that types all this in for you (or you feel is too short), use my method. 20$ (I think) and you’re off to the races with an incredibly convenient password typer.