Passwords are really bad from security standpoint. They positively, absolutely suck. You know how I know that? Because I can actually remember a lot of peoples passwords, that I never asked for. People just tell them to me while I help them with their computers. Or they write them on a sticky note and put it on the keyboard so I can log into their shit to fix it.
I don’t remember anyone’s birth dates, I can’t memorize my own phone number, but I can recall a bunch of stupid passwords (that I don’t care about) off the top of my head. Why do they get stuck in my memory? Because they are way too simple. The super-secret password of some random guy on the street is usually the name of their wife, girlfriend, mistress, son or pet hamster followed by the year and/or purchase of birth of said creature. Or their favorite sports team – you know, the one they always talk about.
The most common passwords out there are not love, sex, secret and god or whatever else The Plague (that poseur) came up with in that one movie. No, the most common passwords are jenny57, john81, riders66, hunter2 and of course password123. Short, sweet, easy to guess, easy to remember, vulnerable to a dictionary attack, helpless against rainbow tables.
That’s just how it is.
Why? Because people don’t give a fuck. Identity theft is some shit that happens to “other people” and not you, so why would you even bother? No one outside our industry cares about passwords or security of their online accounts. No one!
Sometimes I wonder if “normal” people think me a creep, seeing how I am super secretive about my passwords and accounts. I have passwords on everything, I always lock my machine when I leave my desk. My behavior is probably setting off red flags everywhere. Being security conscious is just not a “normal” thing.
A “normal” thing is this:
“My password is hunter2 – I use that for everything including my bank, har, har, har. Don’t tell anyone!”
I always balk when they do that. Why would you tell that shit to anyone? Why would you jeopardize every online account you own? Why would you risk some dude getting their hands on all your hard earned money? You can tell that stuff to your wife, but not to some guy you work with, or are distantly related to. I know I’m a handsome, trustworthy and honest looking guy. Ladies tell me this all the time (usually right before they announce they prefer to be “just friends” cause I’m cool like that). But that is no reason to trust me with that vital information.
I also like this gem:
“But what could anyone do with my Gmail password? Read my spam? Hardy, hur, har, ha! Am I right?”
Yep, totally right. They wouldn’t be able to do nothing. They surely wouldn’t abuse the “I’m dumb and I forgot my password again” feature of every website in existence to issue password reset requests, that would collect in your inbox and give them access to everything you have ever signed up for. Nope, that would never happen.
And it’s not like you use that very same username and password to log into your bank, is it? It’s not like your bank sends you emails with your bank account number and other useful info to that Gmail address, so that the bad guy would instantly know where to go to steal your money. No, that would be silly.
After all, you are not rich, important or interesting enough to warrant such attention. Identity theft only happens to those other people, but not you.
Ignorance, denial and stupidity do not change the fact that passwords are, and have always been a really stupid idea. No one in their right mind will actually come up with a long secure password that would not be vulnerable to a rainbow table attack because they are not going to remember them. It’s just not possible or practical. If you will force them to create such a password, they will write it on a sticky note and glue it to their monitor so they don’t have to look for it 17 times a day. If they don’t care about the security of their own personal email account that everything else they have ties into, they surely won’t care about the account on your service.
Of course there are things that are more secure than pass-WORDS. Pass-PHRASES for example are infinitely better, easier to remember, more robust and less vulnerable to all known attacks. But that boat has sailed a long time ago when everyone on the internet collectively decided that pass phrases can go fuck themselves in a corner while wearing a bowler hat.
No one uses pass phrases. Let me rephrase that: there is no service out there, that I know of, that encourages its users to use a pass-PHRASE instead of a pass-WORD. Those services that even bother to force their users to employ more secure passwords usually do it by telling people how many upper and lower case letters they should have, how many numbers, etc. So what do people do?
They use JeNnY57, JoHn85, HunTer2 or if you are really strict passWord1@#. Still easy to guess, still vulnerable to a dictionary attack capable of capitalizing letters, and still included in every single rainbow table ever made. And of course users get pissed, because they can’t remember the exact capitalization they used so they end up gluing this one to their monitor as well. Wouldn’t it be more secure if they could use something like this instead:
My friend HamsterFace doesn’t wear his parachute pants on Tuesdays.
How much better is that than HunTer2? It’s way much better, that’s how. Let me count the ways:
- It’s goddamn long
- It has capitalization
- It has non-alphanumerics
- It doesn’t have any numbers, but look how fucking long and complex that is anyway
- It ought to be easy to remember unless HamsterFace will start wearing his stupid pants on Tuesdays
Now, tell me who will let you use an awesome pass phrase like that in their service?
No fucking one. That’s who. Be honest, that pass phrase wouldn’t work in your own service, would it? Cause you probably used VARCHAR(32) for the password field, didn’t you? Cause, you know – we might run out of fucking bytes or something when we get seven billion users and become the new Facebook or something, right? No? VARCHAR(64) then? Tough, it still won’t fit, cause that baby is 67 characters long.
Wait, stop. Rewind. Why are you not hashing and salting that entire thing? Why does it even matter how long the password is? It still will hash to a fixed byte value no? So why would you even care what the user types in?
Did you, per chance, decide to make the password a fixed-size character array to save memory instead of using a string like a reasonable and non-stupid person would? You know, in case your theoretical seven billion users all try to log in at the same time? Or is there some other contrived reason why you wouldn’t handle longer passwords? Was your hash function taking too long perhaps, so you decided to optimize it instead of not giving a fuck? I mean, users only log in every once in a while – if it takes a few seconds longer than the usual page reload, that’s perfectly fine. No one cares, as long as everything else is fast. But you optimized it anyway, didn’t you?
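Here is the point about hashing and salting in working code, as an added example that is not part of the original post: a salted PBKDF2 hash (the scheme and the iteration count are my assumptions) of the 67-character HamsterFace pass phrase and of hunter2 both come out at exactly the same stored length, so the column width has nothing to do with what the user typed.

```python
# Added example (not from the original post): store a salted, iterated hash
# instead of the password itself, so the stored value has a fixed size no
# matter how long (or short) the user's password is.
import hashlib
import hmac
import os

# The pass phrase and one of the "normal" passwords from the post.
PASSPHRASE = "My friend HamsterFace doesn't wear his parachute pants on Tuesdays."
WEAK = "hunter2"

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (assumed value)
SALT_LEN = 16          # bytes of random salt per password
HASH_LEN = 32          # bytes of derived key


def hash_password(password: str, salt: bytes = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    The result is always the same length, so it fits a fixed column
    whether the input is 7 characters or the whole of The Great Gatsby.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)          # fresh salt: same password, different hash
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, ITERATIONS, dklen=HASH_LEN)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters), dklen=HASH_LEN)
    return hmac.compare_digest(dk.hex(), hash_hex)


def stored_length(password: str) -> int:
    """Length of what actually lands in the database for this password."""
    return len(hash_password(password))


if __name__ == "__main__":
    for pw in (WEAK, PASSPHRASE, "x" * 100_000):
        print(f"{len(pw):>6} chars typed -> {stored_length(pw)} chars stored")
    record = hash_password(PASSPHRASE)
    print("pass phrase verifies:", verify_password(PASSPHRASE, record))
    print("hunter2 verifies    :", verify_password(WEAK, record))
```

The stored string is 118 characters for every input, so a single fixed-width column sized for the hash replaces any VARCHAR(32) or VARCHAR(64) limit on the password.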
You know what? I won’t deny it – I did it too. Not recently, not all of this, but I have created really, really, really stupid log-in schemes in the past. I’m just as guilty as the rest of the internet. We are all stupid like that. Premature optimization is like premature ejaculation – you don’t think it will happen to you, but then it feels good in the moment, and it just does. Afterwards you get terribly embarrassed, and you don’t want to talk about it when someone calls you out on it.
It happens to everyone – especially when you are young and inexperienced. I’m of course talking about premature optimization, not that other thing – that never happened to me… And never will cause I’m awesome at “the sex”. Like level 85 in it so fuck you. The point is we shouldn’t optimize too early.
Ideally password fields ought to be unbound, and allow as much crap as the user is willing to type in. If they want to paste the entire text of The Great Gatsby in there, let them. Why not? Giving the password field a reasonable character minimum is responsible and praiseworthy. Putting an upper character limit on it is… Beyond stupid. Let me use an analogy to explain to you just how stupid it is. Otherwise you might not get it, and I will have to explain again and we don’t want that.
If you are an American, and you went to high school sometime this century you probably had a locker with a cheap combination padlock. You also probably had that friend who would “prime” his padlock with the correct combination, so that he wouldn’t have to enter it upon returning. He would go to class, smoke a cigarette in the bathroom, then prance over to his locker, pull on the lock and it would just open. He could have not bothered with the whole padlock thing at all, and just leave the damn thing unlocked – but you know, stupid is as stupid does.
And then that one time some asshole stole all the shit from his locker, and he was outraged and baffled how this could have happened. A genuine genius, that friend of yours. I bet you can’t wait to see him at the reunion.
If you are not an American, go watch any High School related movie and/or TV show that was made in the US and you will see what I mean. Those lockers in the hallways – you put your books and your jacket and your illegal drugs in there when you go to class and write BASIC programs on your Texas Instruments calculator while the teacher drones about some shit you actually know more about than him. That’s what everyone does in High School, right?
The friend is the guy who always walks up to the main character while he is putting shit into the locker, and talks about really stupid stuff. The one with the dumb face. You can’t miss him – he is in every movie.
Are we all on the same page now?
Good. Let’s continue.
When you put an upper character limit on your password field, you are actively encouraging your users to be that friend. And if you have other arbitrary restrictions then you are even worse than that.
Guess who has the stupidest arbitrary character restriction on their passwords? Just take a wild guess.
Yep, the people who you trust with your money have the dumbest rules about what characters (and how many) you can use in a password that will protect your life savings from evil dudes from the internet. There was this great article out there aptly titled FUCK PASSWORDS where I found this here gem:
Go read the entire thing – it’s funny, insightful and also humorous. As you can see, the author makes a clear case here: banks are pretty much the worst offenders when it comes to mind bogglingly stupid, arbitrary password restrictions. They should be the guys that insist that you use the strongest and most annoying passwords, but instead they force you to use short, and dumb ones.
Why? I don’t know. Perhaps their programmers suffer from that premature ejaculation optimization problem we talked about. Perhaps their back end is a legacy FORTRAN or COBOL system, and passwords longer than 10 characters just don’t fit on the punch cards. Perhaps their entire online thing was written by the 13 year old nephew of the CEO. Who the hell knows. There should not be any reason for these restrictions, and yet, here we are.
Compare this to Twitter which just cares that your password is longer than six characters. Any characters – mind you. Not just the nice ones. Not just plain ASCII with no spaces or symbols. Any fucking thing you want.
Compare it to Google or Blizzard who will let you use two factor authentication. You know what that means? That means that even if a bad guy guesses that your password is “hunter2” (you know, cause you told him at least twice) he still won’t be able to get in. He would also have to steal your phone / key fob, and guess your password at the same time. Which is way harder than breaking into your Chase account. They could break into your bank while sitting on their couch, eating Cheetos and calling people “fags” on Xbox live. To hack into your Gmail or WoW account they would actually have to:
- Get the fuck up
- Turn off Xbox
- Put pants on
- Wipe Cheetos stained paws on said pants
- Leave mom’s basement
- Locate your ass in this here physical realm
- Steal a physical thing from your fucking pocket without you knowing
- Then guess the password
Most of these guys don’t actually go through with any plan that requires them to do anything beyond step 5. I mean, if you actually have to go and interact with the dude you are trying to rob face to face, this thing becomes serious business. You might as well stay home and break into his bank instead.
I know this whole password bullshit seems like something that was made up by Terry Pratchett or Douglas Adams for the sole purpose of being satirical and silly. Sadly it is not. It is real life. In fact, these two guys are not nearly as funny as you think they are – they are just good observers of how really, really stupid we behave as a species.
I swear, sometimes I feel like the few of us here, on the internet, are the only fucking sane and coherent people left in this world. Everyone else is either too stupid to be a productive member of society, or just completely off their rocker. Then I remember it’s just observer’s bias, and that we are just as bad as the rest of them. We just excel at being stupid in slightly different ways than they do.
And yet the world keeps on turning.