Lately I have been sharing my thoughts on passwords quite often. Here is an absolute cornerstone of security, a concept that everyone with an online account understands, and yet different services take fundamentally different approaches to it. Some enforce strict complexity rules. Others impose a small maximum length. Some block pasting from the clipboard. Others force users to change their password regularly. Nonsense everywhere.
Last year I wrote a guide to authentication in the modern era and covered many of the requirements above. In particular, I pointed out how current thinking contradicts many traditional ideas about the right way to handle passwords. That article quotes extensively from the guidance of the UK's NCSC and the US NIST, and many of the old myths are debunked there: drop the complexity rules, allow long passwords, do not block pasting from the clipboard, and abandon mandatory password changes. But there is nothing about the minimum length, and that got me thinking: what would be the right number?
When I ran “Hack yourself first” workshops, one of the first questions I was asked was: “What is the right value for the minimum password length?” I thought about it again this weekend while working on the second version of the Pwned Passwords website, because I wondered whether a minimum-length cut-off could be used to reduce the size of the data set. Rather than projecting my own opinion onto the question, I decided to go and see how the largest sites handle it. Here are the top 15 with a summary of each and some additional comments:
Google
Facebook
The wording is a bit misleading: it says the password must be longer than 6 characters, when in fact it must be 6 characters or longer.
Wikipedia
Surprisingly, Wikipedia does have a minimum criterion ... you just have to enter a single character. That's enough.
But hey, this is significant progress compared with what it was before:
"At the very least, Wikipedia has abandoned empty passwords for security reasons."
Reddit
Yahoo
Without stating it explicitly, Yahoo requires a password of at least 8 characters to meet the minimum length criterion:
Amazon
Twitter
Microsoft
Instagram
Netflix
Netflix allows ultra-short passwords of just 4 characters. One reason may be to make entering the password from a TV remote easier.
LinkedIn
Twitch
Pornhub
Ebay
imgur
Summary
Put all the results in one table:

| Site | Minimum length |
| --- | --- |
| Google | 8 |
| Facebook | 6 |
| Wikipedia | 1 |
| Reddit | 6 |
| Yahoo | 8 |
| Amazon | 6 |
| Twitter | 6 |
| Microsoft | 8 |
| Instagram | 6 |
| Netflix | 4 |
| LinkedIn | 6 |
| Twitch | 8 |
| Pornhub | 6 |
| Ebay | 6 |
| imgur | 6 |
Surprised? Many people would pick 6 characters, because it seems short. 9 of the 15 sites allow 6-character passwords, 4 require at least 8, and then there are Netflix with a minimum of 4 characters and Wikipedia, well, let's not even mention their limit ... Here are my thoughts on this:
In every case, the minimum password length is an even number! How scientifically rigorous do you think the process for determining the ideal minimum length was, if all the big players landed on 4, 6 or 8?
Nobody has 5, 7 or 9, only nice, pleasant, symmetrical even numbers. So here is the first insight from this observation: there is definitely no science involved.
But there is something else, which I repeated many times in the guide to passwords in the modern era: authentication today is much, much more than just comparing two strings. That is how it started: you had a username and a password, and if they matched what was stored in the system, you were let in. But we have moved far beyond that approach.
For example, we have two-factor authentication. Yes, frighteningly few people use it, but it is now an affordable security control in the mass market, and we have access to all kinds of services that did not exist even five years ago. We are also starting to understand user behaviour around password selection much better; that is the whole point of the Pwned Passwords project: to recognise that people make crappy security decisions! Let's spot them early and help people make the right choice (that is, “you really shouldn't use that password ...”).
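To make the guidance above concrete, here is an added example of a password-acceptance check written in the spirit of the NCSC/NIST advice the article cites: a minimum length, a generous maximum, no composition rules, and a lookup against known-breached passwords. This is illustrative code written for this page, not code from the article or from the Pwned Passwords project. The breach corpus is a constructed in-memory set of five obviously bad passwords; the prefix-based lookup mirrors the k-anonymity style of range query where only the first five hex characters of the SHA-1 digest leave the client, but the `range_lookup` function here is a local stand-in, not the real service. The minimum of 8 is an assumption chosen for the example.

```python
import hashlib
import unicodedata
from collections import defaultdict

# Constructed stand-in for a breach corpus such as Pwned Passwords:
# a few obviously bad passwords, stored as upper-case SHA-1 hex digests.
_SAMPLE_BREACHED = ("password", "123456", "qwerty", "letmein", "111111")

def sha1_hex(password: str) -> str:
    """Upper-case SHA-1 hex digest, the representation breach corpora commonly use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Index digests by their first five hex characters so the lookup works the way
# a prefix (k-anonymity) range query does: the caller sends only the prefix and
# compares the remaining 35 characters locally.
_RANGE_INDEX: dict[str, set[str]] = defaultdict(set)
for _p in _SAMPLE_BREACHED:
    _h = sha1_hex(_p)
    _RANGE_INDEX[_h[:5]].add(_h[5:])

def range_lookup(prefix: str) -> set[str]:
    """Return every known digest suffix for a 5-hex-char prefix (constructed data)."""
    return _RANGE_INDEX.get(prefix.upper(), set())

def is_breached(password: str) -> bool:
    """True if the password's full digest appears in the (constructed) corpus."""
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5])

MIN_LENGTH = 8     # assumed value for this example; the article debates this number
MAX_LENGTH = 128   # long passwords are allowed, the limit only bounds storage and hashing cost

def check_password(password: str) -> list[str]:
    """Return the reasons a candidate password is rejected; an empty list means accepted.
    Deliberately contains no character-class rules and no rotation logic."""
    # Normalise so visually identical Unicode strings compare equal (NIST SP 800-63B advice).
    pw = unicodedata.normalize("NFKC", password)
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if is_breached(pw):
        reasons.append("appears in known breach data")
    return reasons

if __name__ == "__main__":
    for candidate in ("qwerty", "password", "correct horse battery staple"):
        print(f"{candidate!r} -> {check_password(candidate) or 'accepted'}")
```

Note that "password" passes the length test and is still rejected: the breach lookup catches exactly the class of bad choices that a length rule on its own never will, which is the article's point about Pwned Passwords.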
Then there are controls built around other user heuristics, for example a verification request via the registered e-mail address when the user tries to log in from an unusual location (you could see how Facebook used to do this). The same applies to logging in from a new browser: it lowers the level of trust, which triggers additional verification. In fact, the whole notion of “trust” becomes especially important once we move away from the binary state of allow or deny. Try browsing various sites through Tor and you will have to prove that you are human, because, as it turns out, the bad guys are especially fond of anonymity tools.
The point of all this is that you can no longer just look at the minimum password length and say “Ugh, six characters, or even four, is too short”, because authentication schemes can be far more sophisticated than comparing two strings. That does not mean these nice even numbers are always the right choice; there are plenty of sites that use no advanced controls at all, just a string comparison. But I hope this provides some food for thought.
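The two paragraphs above describe login as a trust decision rather than a string comparison. The following added example (written for this page, not taken from the article or any of the sites it surveys) shows the shape of such a decision: the password check is one input, and signals like an unrecognised device, an unusual country or an anonymity network raise a risk score that turns a plain "allow" into a step-up challenge. The account data, device identifiers, country codes and the scoring weights are all constructed assumptions; a real deployment would tune them from its own telemetry.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # e.g. e-mail verification, second factor, or a human check
    DENY = "deny"

@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    known_devices: set = field(default_factory=set)   # constructed device identifiers
    usual_countries: set = field(default_factory=set) # constructed ISO country codes

@dataclass
class LoginContext:
    username: str
    password: str
    device_id: str
    country: str
    via_anonymity_network: bool = False  # e.g. the request arrived over Tor

def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash; iteration count is an assumption for the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def make_account(username: str, password: str, devices, countries) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt), set(devices), set(countries))

# Constructed weights: which signal counts how much is a policy choice.
WEIGHT_NEW_DEVICE = 2
WEIGHT_NEW_COUNTRY = 2
WEIGHT_ANONYMITY_NETWORK = 3

def risk_signals(acct: Account, ctx: LoginContext) -> list[tuple[str, int]]:
    """Return the (reason, weight) pairs that fired for this attempt."""
    fired = []
    if ctx.device_id not in acct.known_devices:
        fired.append(("unrecognised device", WEIGHT_NEW_DEVICE))
    if ctx.country not in acct.usual_countries:
        fired.append(("unusual location", WEIGHT_NEW_COUNTRY))
    if ctx.via_anonymity_network:
        fired.append(("anonymity network", WEIGHT_ANONYMITY_NETWORK))
    return fired

def decide(acct: Account, ctx: LoginContext) -> tuple[Decision, list[str]]:
    """The string comparison is necessary but not sufficient: a correct password
    with a suspicious context gets a step-up challenge instead of plain access."""
    if not hmac.compare_digest(hash_password(ctx.password, acct.salt), acct.pw_hash):
        return Decision.DENY, ["password mismatch"]
    fired = risk_signals(acct, ctx)
    if not fired:
        return Decision.ALLOW, []
    return Decision.STEP_UP, [reason for reason, _ in fired]

if __name__ == "__main__":
    alice = make_account("alice", "correct horse battery staple", {"laptop-1"}, {"GB"})
    attempts = [
        LoginContext("alice", "correct horse battery staple", "laptop-1", "GB"),
        LoginContext("alice", "correct horse battery staple", "phone-9", "AU", True),
        LoginContext("alice", "wrong password", "laptop-1", "GB"),
    ]
    for a in attempts:
        print(a.device_id, a.country, "->", decide(alice, a))
```

The step-up branch is where a site's minimum-length choice stops being the whole story: a 6-character password plus a challenge on every unfamiliar device is a different risk picture from a 12-character password checked by string comparison alone.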
Oh, and if you do find a site with an odd number as its minimum password length, leave a comment below, because now I'm curious.