Why Website Password Restrictions Do Not Keep You Safe

If you’ve made an account or two in recent years, you’ve likely noticed that a lot of these sites scold you for using an “insecure” password under certain conditions. Sometimes you don’t even have to press the “Register” button before you’re met with a little message next to the password field saying that you’re using a weak password.

Although some sites may stop you from registering with what they consider a weak password entirely, others just warn you and leave you to do what you want of your own volition anyway. Regardless, these sites (mostly) have one thing in common: their criteria for “safe passwords” are not going to keep you safe.


One of the first things you’ll notice on most websites is that they all seem to have similar criteria for what would be considered a “strong” password. On most sites, the criteria are the following:

  • A minimum of 6 or 8 characters
  • A minimum of one number and one letter
  • Sometimes at least one capital letter

In this case, a password like “Ironclad1” is just peachy and passes the requirements of that particular website. Since most sites have only these requirements, people may get used to the fact that “Ironclad1,” “Sallyepstein4,” “Michael1985,” etc. are good passwords. Anyone who ever read the first three pages of a book on cybersecurity knows that this is incredibly insecure, yet it’s tacitly being established as the norm by millions of sites around the web where security is an afterthought worth five lines of code.

A hacker could simply use a dictionary attack to crack your password and that’s the end of it.

Some web services (like Google) also require that a symbol (like “!” or “$”) be used to create a password. This just makes things like “$allyepstein4” valid passwords, and dictionary attacks have grown sophisticated enough over the years to account for such substitutions.


There’s a ton of debate on what makes a good password, but rather than geek out and explain all of the nuances, we’ll just look at some of the things that everyone generally agrees with. A good password:

  • Includes a wide range of alphanumeric variation like capital letters, numbers, and lowercase letters
  • Has symbols in unpredictable places (“@shley” is less safe than “@$_hley” because there’s an underscore in the middle of the word, where a dictionary attack would normally scan for “@” replacing “a” and “$” replacing “s”)
  • Contains spaces (like “I @te a S4nDw1ch”)
  • Is as long as the site’s character limit reasonably allows (“I l0v3 LuC#Y” is less safe than “Th1S p4ssword sH_oulD b3 h@rd to cr@ck”)
  • Contains an unconventional misspelling of words (e.g., “schuld” instead of “should,” “beffe” instead of “beef,” “inszteda” instead of “instead,” “mektekezier” instead of “maketecheasier,” etc.)
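The two lists above, the typical site rule and the stronger criteria, side by side as an added example (not code from the original article): a registration-form checker that undoes common symbol substitutions before looking a password up in a word list, so “Ironclad1” and “p@ssw0rd!” pass the site rule but fail the stricter check. The word list and sample passwords are constructed for the demo.

```javascript
// Added example, not the article's code: a registration-form checker that
// contrasts the typical "8+ chars, a letter and a digit" rule with a check
// that also undoes common symbol substitutions before a dictionary lookup.

// Constructed mini word list for the demo; a real checker loads a large
// dictionary plus common names and previously breached passwords.
const WORDLIST = new Set(["ironclad", "ashley", "michael", "password"]);

// Substitutions a cracking rule set undoes routinely ("@" -> "a", "$" -> "s", ...).
const LEET = { "@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t" };

// The rule most sites enforce: length 8+, at least one letter and one digit.
function passesTypicalSiteRule(pw) {
  return pw.length >= 8 && /[a-z]/i.test(pw) && /[0-9]/.test(pw);
}

// Recover the likely base word: lowercase, drop the trailing digits/symbols
// people append ("Michael1985" -> "michael"), then undo substitutions.
// "@shley" becomes "ashley"; "@$_hley" stays "as_hley" because of the underscore.
function normalize(pw) {
  const trimmed = pw.toLowerCase().replace(/[^a-z]+$/, "");
  return trimmed.split("").map(c => LEET[c] || c).join("");
}

// Stricter assessment: minimum 12 chars, three character classes, and no
// dictionary word hiding behind predictable substitutions.
function assessPassword(pw) {
  const reasons = [];
  if (pw.length < 12) reasons.push("shorter than 12 characters");
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/].filter(re => re.test(pw)).length;
  if (classes < 3) reasons.push("fewer than three character classes");
  if (WORDLIST.has(normalize(pw))) reasons.push("dictionary word with predictable substitutions");
  return { passesSiteRule: passesTypicalSiteRule(pw), strong: reasons.length === 0, reasons };
}

// Constructed sample inputs: the article's "Ironclad1" passes the site rule but not ours.
for (const pw of ["Ironclad1", "Michael1985", "p@ssw0rd!", "I @te a S4nDw1ch"]) {
  const r = assessPassword(pw);
  console.log(JSON.stringify(pw), "site rule:", r.passesSiteRule, "strong:", r.strong, r.reasons.join("; "));
}
```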

Of course, one of the best passwords you could have isn’t very easy to commit to memory (for example: “ifjecBucE083$&&8c ociefjC*#&$6c iof0e0($*#”). Note how the example provided is just complete gibberish making use of all the above rules, including the introduction of spaces. This is highly unconventional for even the most sophisticated of dictionary attacks. Provided that the database storing the hash for your password is secure and encryption keys are managed correctly, it would make your account less worthwhile for a hacker to crack.

Naturally, not all servers are secure, and one service you use may suffer a breach revealing your password. This is why it’s important to have a different password for each service.

But you can’t really memorize 15 passwords, let alone the one I provided as an example of “one of the best passwords you could have.” To counteract this, you could use a highly secure single sign-on (also known as “identity management”) service that keeps tabs on your passwords for you so you don’t have to memorize them. Although they’ve been in existence for a number of years, the concept is still an uncharted territory (at least in my professional opinion), so tread lightly. Do your own research and google a service’s name followed by the word “breach” to find out if it’s ever been hacked.


The problem we’re trying to solve here is getting the massive number of people who create accounts on the Web to understand what the best practices are for password creation. This sounds like a monumental task, doesn’t it?

Actually, it’s about as easy as providing the information somewhere. Google does a good job of this with its guidelines, but it doesn’t quite go far enough.

Despite the kudos, I think that it would be best to include a link to these guidelines next to the password field, giving the user easy access during the account registration phase. If someone ignores this, it’s their own prerogative, but no one at that point could say that they never got the chance to read some educational material on the subject.

The only hard part about this is convincing the millions of websites that hold account databases to employ this practice. However, since most of these websites use big box software (like WordPress or Drupal), it’s probably a better idea to reach out to the developers of this software to provide this kind of thing in their future updates. As soon as websites update their software, they’ll automatically get these guidelines on their registration pages!

What else do you think we can do to spread awareness for good passwords? Let’s discuss this in the comments!
