
As CPU and GPU computing power grows, password generation rules are periodically revised. Experts usually focus on the information entropy measure (in bits), but for passwords it is not a universal measure: the space of possible passwords is not uniform, because different elements of that space occur with very different probabilities. This is why techniques more effective than exhaustive search exist for cracking password hashes, including dictionary attacks, rainbow tables and, more recently, genetic algorithms and neural networks.
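To make the non-uniformity point concrete, here is an added example (not code from the original article) that contrasts the usual "charset size to the power of length" entropy figure with an estimate for a password that follows the common human pattern word + digits + trailing symbol. The dictionary size, number of common trailing symbols and guessing rate are labelled assumptions chosen for illustration, not measured values.

```python
import math
import re
from typing import Optional

PRINTABLE_SYMBOLS = 33        # printable ASCII characters that are not letters or digits
DICTIONARY_SIZE = 50_000      # assumption: size of the attacker's word list
TRAILING_SYMBOLS = 10         # assumption: symbols that commonly end a password (!, ?, . ...)
GUESSES_PER_SECOND = 1e10     # assumption: offline guessing rate against a fast unsalted hash

# A very common human pattern: a word, 1-4 digits, optionally one symbol.
WORD_DIGITS = re.compile(r"^([A-Za-z]{3,})(\d{1,4})([^A-Za-z0-9]?)$")


def naive_entropy_bits(password: str) -> float:
    """Bits assuming every position is drawn uniformly from the character
    classes the password happens to use (the usual strength-meter figure)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += PRINTABLE_SYMBOLS
    return len(password) * math.log2(size) if size else 0.0


def pattern_entropy_bits(password: str) -> Optional[float]:
    """Bits for the word+digits+symbol pattern: log2 of the number of candidates an
    attacker who knows the pattern has to try. None if the pattern does not match."""
    m = WORD_DIGITS.match(password)
    if not m:
        return None
    word, digits, symbol = m.groups()
    choices = DICTIONARY_SIZE
    if word.islower():
        cap_options = 1                      # attacker tries the word as-is
    elif word[0].isupper() and word[1:].islower():
        cap_options = 2                      # plain and Capitalised variants
    else:
        cap_options = 2 ** len(word)         # arbitrary case mix: every combination
    choices *= cap_options
    choices *= 10 ** len(digits)             # each digit position is 0-9
    choices *= TRAILING_SYMBOLS if symbol else 1
    return math.log2(choices)


def crack_time_seconds(bits: float) -> float:
    """Worst-case time to exhaust a space of 2**bits candidates at the assumed rate."""
    return (2.0 ** bits) / GUESSES_PER_SECOND


def assess(password: str) -> dict:
    """Return both estimates and the smaller of the two as the effective figure."""
    naive = naive_entropy_bits(password)
    pattern = pattern_entropy_bits(password)
    effective = naive if pattern is None else min(naive, pattern)
    return {
        "naive_bits": naive,
        "pattern_bits": pattern,
        "effective_bits": effective,
        "worst_case_seconds": crack_time_seconds(effective),
    }


if __name__ == "__main__":
    # Constructed sample inputs, not from any real breach.
    for pw in ["Summer2023!", "hello1", "correct horse battery staple"]:
        print(pw, assess(pw))
```

For `Summer2023!` the naive figure is about 72 bits (11 characters from a 95-symbol alphabet), while an attacker working through the pattern faces roughly 2^33 candidates, which at the assumed rate is about a second of work. The passphrase with spaces does not match the pattern at all, so only the naive figure applies to it.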
Since there are no uniform password rules, many companies publish their own recommendations, which differ greatly from each other. Sometimes these rules are quite extravagant.
The Dumb Password Rules collection contains several hundred sites with non-standard password rules.
For example, some sites strictly limit not only the minimum but also the maximum password length, such as 14, 16 or 32 characters:

Others prohibit the use of a sequence of three or more identical characters:

Some require entering the password only with the mouse, choosing six of ten digits:

One of the banks also requires entering the password with the mouse, choosing symbols on a very unusual on-screen keypad (shown in the header image).

Note: If your company accidentally ended up on this list, you can submit a pull request to remove it.
By contrast, below are some basic guidelines for generating strong passwords from several reputable organizations and companies.
Recommendations for generating strong passwords
In 2017, the National Institute of Standards and Technology (NIST) updated the password specifications that are recommended as NIST standards. The new requirements are outlined in NIST Special Publication 800-63B, Section 5.1.1.2, “Memorized Secret Verifiers” (NIST, 2017).
The key requirements of NIST 800-63B for verifiers (companies and organizations) that establish their own password policies are:
- Verifiers should not impose rules on password composition, such as requiring combinations of different character types or prohibiting consecutive repetition of characters.
- Verifiers should not require arbitrary or regular password changes, such as the previous 90-day rule. On the other hand, password changes should be mandatory in the event of a compromise.
- Passwords must be at least 8 characters long.
- Password systems must allow subscribers to select passwords that are at least 64 characters long.
- Passwords must allow all printable ASCII characters, the space character, and Unicode characters.
- When setting or changing passwords, the verifier must inform the subscriber that they must choose a different password if the one they have chosen is weak or compromised.
- Verifiers should offer recommendations, such as a password strength meter, to help the user choose a strong password.
- Verifiers must store passwords in a form that is resistant to offline attacks. Passwords should be salted and hashed using a suitable one-way key derivation function. Key derivation functions take a password, a salt, and a computational cost factor as input and produce a password hash. Their goal is to make each guess by an attacker who has obtained the password hash file costly, and therefore to make the overall cost of a guessing attack high or prohibitive.
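The verifier-side rules above translate into surprisingly little code. The following is an added example (written for this page, not NIST's or any vendor's code) of a verifier that enforces only the 800-63B requirements listed: a minimum of 8 characters, an upper bound no lower than 64, no composition rules, acceptance of spaces and Unicode, rejection of known-compromised values, and storage through a salted memory-hard KDF (scrypt from the Python standard library, with the cost factor as a parameter). It also applies NFKC normalization before length checks and hashing, which 800-63B recommends but this article does not mention; the compromised-password set is a constructed four-entry stand-in for a real breach list, and the file format and cost parameters are assumptions.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import List, Optional, Tuple

MIN_LEN = 8        # 800-63B: at least 8 characters
MAX_LEN = 128      # 800-63B: must permit at least 64; any cap at or above that is fine
SCRYPT_N = 2 ** 14 # assumption: cost factor; raise as hardware gets faster
SCRYPT_R = 8
SCRYPT_P = 1

# Constructed stand-in for a locally held list of breached passwords.
COMPROMISED = {"password", "123456789", "qwertyuiop", "letmein1"}


def normalize(secret: str) -> str:
    """NFKC so that visually identical Unicode inputs hash and measure the same."""
    return unicodedata.normalize("NFKC", secret)


def check_policy(secret: str) -> List[str]:
    """Return the reasons to reject a candidate; an empty list means acceptable.
    Deliberately no composition rules: letters only, spaces, emoji are all allowed."""
    s = normalize(secret)
    problems = []
    if len(s) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(s) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if s.lower() in COMPROMISED:
        problems.append("appears in a compromised-password list; choose a different one")
    return problems


def hash_secret(secret: str, salt: Optional[bytes] = None,
                n: int = SCRYPT_N) -> Tuple[bytes, bytes]:
    """Salted scrypt hash; a fresh 16-byte random salt is generated when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(normalize(secret).encode("utf-8"), salt=salt,
                            n=n, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


def verify_secret(secret: str, salt: bytes, digest: bytes, n: int = SCRYPT_N) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_secret(secret, salt, n)
    return hmac.compare_digest(candidate, digest)


def enroll(secret: str) -> Tuple[bytes, bytes]:
    """Policy check followed by hashing; raises with the reasons if the policy fails."""
    problems = check_policy(secret)
    if problems:
        raise ValueError("; ".join(problems))
    return hash_secret(secret)


if __name__ == "__main__":
    salt, digest = enroll("correct horse battery staple")
    print("stored:", salt.hex(), digest.hex())
    print("verify ok:", verify_secret("correct horse battery staple", salt, digest))
    print("rejected:", check_policy("Password"), check_policy("short"))
```

Two details are worth noting: the compromised-list lookup is done on the normalized, lower-cased value so that trivial case changes of a breached password are still caught, and the salt is stored beside the digest rather than derived from the user name, so that two users with the same password never share a hash.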
Additionally, in questions B05 and B06 of the FAQ section of the NIST documentation for the updated special publications (NIST, 2020), the organization officially explained that mandatory password changes “reduce the overall security of the password system” and should not be used. According to NIST’s explanation, periodic password changes reduce their entropy, although this remains a controversial issue on which there is no consensus.
In addition, there is no consensus on all other password generation rules, including minimum length, minimum entropy, presence/absence of special characters.
As an example, we can cite the recommendations for creating strong passwords from leading computer corporations: Microsoft, Google and Apple.
Microsoft
Tips for creating secure passwords:
- Minimum 12 characters, better from 14
- Upper and lower case letters, numbers and symbols
- It is forbidden to use words from the dictionary, as well as names of people, symbols, products and companies
- The password must be significantly different from the user's previous passwords.
- An easy-to-remember but hard-to-guess phrase. Microsoft cites 6MonkeysRLooking as an example.
Google
Recommendations for passwords:
- Minimum 12 characters
- Upper and lower case letters, numbers and ASCII symbols
Google recommends maximizing password entropy by creating very long passwords. To make them easier to remember, you can use familiar text fragments:
- Lyrics from a song or poem
- A meaningful quote from a movie or speech
- Excerpt from the book
- A series of words that mean something to you
- Abbreviation: You can create a password from the first letter of each word in a sentence
Apple
Apple ID password requirements:
- Minimum 8 characters
- Upper and lower case letters
- At least one digit
Finally, a recommendation that applies to any password: use a good password manager, follow encryption and backup rules for private data, and enable two-factor authentication.
If you come across a site or other computer system with extravagant password rules, you can add it to the Dumb Password Rules collection and mention it in the comments to this article.