Here's a thread with the rest of our findings. It's depressing stuff, but at least we're not in the bad old days of transmitting and storing passwords in plaintext!
Quote Tweet
Information security research has long established three best practices for websites to help users pick stronger passwords. In a new study, we reverse engineered 120 popular English language websites, and found that only 15 (!) of them follow these guidelines. 🧵
I started transitioning out of infosec research a few years ago. The just-released paper will probably be my last in this area. It's a bittersweet feeling. I haven't researched passwords since my first paper, so it's fitting that for my last one I was able to return to the topic!
Amusingly, my recent paper shows that companies still haven't acted on the findings of my paper from 2005 (and many, many papers since then), a useful reminder that sitting in the ivory tower and telling people what to do has a fairly limited impact 🙂
The most intriguing and horrifying hypothesis for why 87% of websites have bad password policies was suggested by : they need to pass security audits, and auditing firms like Deloitte *mandate* bad policies. If your org has experience with this, we'd *love* to hear!
Yup! The security theater hypothesis. We mention it in our paper. And if we want to change the incentives that lead to theater and other bad practices, we need to call them out on it, loudly. Indeed, that was one of the motivations behind our study.
Quote Tweet
Replying to @random_walker and @rossjanderson
Totally unfounded but equally horrifying hypothesis: Now users have been trained to believe that secure passwords must contain digits and special characters. So they won't trust a site that wouldn't enforce those rules. 😰
Interesting! I don't think we should do it with passwords, but data pollution as a form of protest has been theorized, advocated, and implemented by , , and others. firstmonday.org/article/view/3 adnauseam.io
Quote Tweet
Replying to @random_walker
How awful! It's a long shot, but you could start a competing norm, where you ask everyone to end their passwords (both secure and insecure) with q1Q! so as to deliberately exacerbate the dictionary attack and skewer the purpose of the mandates.