Some password stupidity

May 23rd, 2017

Category: Uncategorized

The stupidity of the password complexity controls on many websites never ceases to amaze me, but I was particularly not amused when I noticed today the idiocy of the official Scottish Government policy. They have a "password strength" meter which actively rejects many strong passwords and promotes defective ones that are easily guessable. Here is what that policy amounts to.

The password I had had in mind for this site (bearing in mind that this is a government site which may hold important information about me) was a non-dictionary word with 12 alphabetic characters (2 of them capitals) and 4 digits. It has significance to me so I can remember it, but it is not guessable and is far too long and varied to brute force. This is not acceptable to the site, however, and it actually scores badly on their password strength meter (client-side JavaScript).

So I tried for a minimum password the site would accept (note that I did not actually use this!).  According to the Scottish Government – P@ssword1 is a strong and acceptable password for their site, regardless of the fact that it is eminently guessable and is on every password dump out there.

Actually, I did test a site the other day where they took a different and better approach. Instead of applying one of these forced complexity policies, they set a minimum length of 10 characters and a blocklist of the top 10,000 bad passwords. Obviously this had to be enforced server side (trying to enforce it client side would be a whole different sort of nightmare), but it was ultimately much more successful in protecting people from the consequences of their own bad practice than the standard methodologies.
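To make the contrast concrete, here is an added example (my own code, not the Scottish Government's meter nor the other site's implementation) of the two policies side by side. The composition rule is a constructed stand-in for the kind of "one of each character class" check being criticised; the blocklist is a ten-entry constructed sample standing in for the real top-10,000 list, and BrambleHedge1974 is a made-up password with the same shape as the one described above (12 letters, 2 capitals, 4 digits). The blocklist check normalises the usual leet substitutions so that P@ssword1 and p4ssw0rd1 land on the same entry as password1.

```python
import re

# Constructed stand-in for a breach-derived blocklist. A real deployment loads the
# top-N list (e.g. 10,000 entries) from disk and normalises it once at start-up.
COMMON_PASSWORDS = [
    "password", "password1", "qwerty123", "letmein", "iloveyou",
    "welcome1", "admin123", "123456789", "football", "dragon",
]

# Undo the substitutions people reach for to satisfy a complexity rule, so that
# P@ssword1, p4ssw0rd1 and Password1 all collapse onto the same blocklist entry.
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                       "0": "o", "$": "s", "5": "s", "7": "t"})


def normalise(pw: str) -> str:
    """Lower-case and reverse common leet substitutions."""
    return pw.lower().translate(_LEET)


# Both sides of the comparison are normalised the same way.
_BLOCKLIST = {normalise(p) for p in COMMON_PASSWORDS}


def is_blocked(pw: str) -> bool:
    """True if the password, or the password minus a trailing run of digits and
    punctuation (the '1' in Password1), is a normalised blocklist entry."""
    core = re.sub(r"[^A-Za-z]+$", "", pw)
    return normalise(pw) in _BLOCKLIST or normalise(core) in _BLOCKLIST


def complexity_rule_accepts(pw: str) -> bool:
    """Constructed composition rule of the kind criticised in the post: at least 8
    characters and at least one lower, upper, digit and symbol. Not any real site's
    code; it exists to show what such rules let through and what they reject."""
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return len(pw) >= 8 and all(re.search(c, pw) for c in classes)


def policy_accepts(pw: str, min_len: int = 10) -> tuple[bool, str]:
    """Length-plus-blocklist policy. This belongs in the server-side registration
    and password-change handlers; any client-side copy is advisory only."""
    if len(pw) < min_len:
        return False, f"must be at least {min_len} characters"
    if is_blocked(pw):
        return False, "appears on the list of commonly used passwords"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ("P@ssword1", "P@ssword12", "BrambleHedge1974"):
        print(f"{candidate:18} complexity rule: {str(complexity_rule_accepts(candidate)):5} "
              f"length+blocklist: {policy_accepts(candidate)}")
```

Run as written, the composition rule accepts P@ssword1 and rejects BrambleHedge1974, while the length-plus-blocklist policy does the reverse; P@ssword12 clears the length bar but is still caught because stripping the trailing digits and undoing the @ substitution reduces it to "password".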
