I read an article early this year about how "2013 is the year that < insert internet giant > is going to eliminate the password!" I read a number of follow-on articles about it, including one by my CabForward coworker, and was like, "Self, thank god. Awareness is raised and we can start being smart about passwords." I read another great article here. Sweet!
But then I saw this at Bed Bath & Beyond:
And a little part of me died.
I have a handful of passwords of varying "security" levels that I use to try to "attack" account-creation password dialog boxes (for some reason, setting a password always makes me anxious and feel a little dirty). I never know if any of them are going to be rejected for some reason (it has the wrong kinds of special characters, it's too long, it doesn't have any special characters, etc.), and I hate the uncertainty there. I am still astonished when I run into "Password can't exceed 8 characters" errors.
What I'm Asking You To Do About It (Assuming You Have Some Influence Over A Password Dialog Box Somewhere)
- Make your password field allow anything. Maybe you're limited to 255 characters by the database column you're using. That's fine. Make the only rule that it has to be longer than, say, 4 characters.
- Don't e-mail user-set passwords. (duh)
- Don't store passwords in cleartext.
No-brainers. But why would you write me this whole post just to tell me that, Justin?
Well, on some of the projects I've done where the customer demands that passwords be assigned and mailed to the user (think prototype-level applications where the user gets something like, "Here's your account, all set up and ready to go!"), what I've done is: use word pairs for passwords.
Remember the old AOL discs? Yes, like that. There are libraries like this one that can do it, but I've typically rolled my own. Just make a little lib in your application that grabs an adjective and noun pair (so that it's even easier to remember) and use that.
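Here is what such a little lib can look like, as an added example that is not the post's own code. The word lists are constructed stand-ins (a real list would be far larger); the `keyspace` and `entropy_bits` helpers are there so you can see exactly how many guesses a pair buys you, which depends entirely on the size of your lists.

```ruby
require 'securerandom'

# Constructed sample word lists so the example runs offline.
# A real application would ship lists of hundreds or thousands of words each.
ADJECTIVES = %w[brave calm eager fuzzy gentle happy jolly lucky merry quiet].freeze
NOUNS      = %w[otter maple river falcon pebble willow comet harbor lantern meadow].freeze

module WordPairPassword
  # Returns a hyphenated adjective-noun pair such as "quiet-otter".
  # SecureRandom is used instead of Kernel#rand so the choice cannot be
  # reproduced from a predictable seed.
  def self.generate(adjectives: ADJECTIVES, nouns: NOUNS, separator: '-')
    adjective = adjectives[SecureRandom.random_number(adjectives.length)]
    noun      = nouns[SecureRandom.random_number(nouns.length)]
    "#{adjective}#{separator}#{noun}"
  end

  # Number of distinct pairs the generator can produce. With the ten-word
  # lists above this is only 100; with 1,000 of each it is 1,000,000.
  def self.keyspace(adjectives: ADJECTIVES, nouns: NOUNS)
    adjectives.length * nouns.length
  end

  # Entropy in bits of a uniformly chosen pair: log2(keyspace).
  def self.entropy_bits(adjectives: ADJECTIVES, nouns: NOUNS)
    Math.log2(keyspace(adjectives: adjectives, nouns: nouns))
  end

  # True if the password is one adjective and one noun from the lists.
  # Handy in tests, or for screening a generated pair against a blocklist.
  def self.valid_pair?(password, adjectives: ADJECTIVES, nouns: NOUNS, separator: '-')
    adjective, noun = password.split(separator, 2)
    adjectives.include?(adjective) && nouns.include?(noun)
  end
end

if __FILE__ == $PROGRAM_NAME
  puts WordPairPassword.generate
  printf("%d possible pairs, %.1f bits of entropy\n",
         WordPairPassword.keyspace, WordPairPassword.entropy_bits)
end
```

Treat the generated pair as a temporary credential: it is only worth as much as the keyspace above, so the signup flow should require the user to set their own password on first login.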
People are great at remembering words and copying them from, say, their phone to their computer screen (or between apps on their phone), and terrible at random character strings.
AND! This password does not even have to be too secure. I know that security is important, and security is supposed to be hard, but making sure that users can't escalate their account privileges through mass assignment is much, much more important than making sure that a password can't be attacked in over a billion hits. I mean, are you kidding? Do you know what would happen to one of these prototype Rails apps that are so easy to throw together if a million hits to the auth engine were attempted in a day? I know I'd be getting emails from New Relic if that were the case - I think my little apps running on a single Heroku dyno would melt...