I have previously written about the folly of unreasonable demands placed upon customers concerning password assignment by well-meaning but misguided hosting service providers. Typically these password requirements include:
- password must be at least eight characters long
- password must contain numbers
- password must contain lowercase letters
- password must contain uppercase letters
- (sometimes) password must contain a non-alphanumeric character
- (sometimes) password must NOT contain a non-alphanumeric character
As I have stated before, of these six common rules the only technically valid requirement is that the password must be at least eight characters long. The reason is that the most common method of cracking passwords, once password data has been harvested from an insecure server, is the rainbow table attack: the criminal generates a table of all possible passwords in one column and their encrypted forms in a second column, then matches the harvested passwords against the encrypted column of the “rainbow table” and reads off the original password. The analogy from the Private Investigator's trade would be the “upside down” phone book, sorted by phone number instead of by customer name.
This kind of attack is only practical for passwords shorter than eight characters, so passwords longer than eight characters make it much more difficult to use a rainbow table to crack them. In a rainbow table the computer does not care whether the characters are upper case, lower case, numbers, “special”, or even non-printing characters — they are all the same to the computer. The only ones affected by this complicated set of rules are the people who have trouble remembering exactly what they used for a password.
The most common mistakes that lead to an account being cracked are:
1. using the same password on more than one web site,
2. negligence in script design or coding that does not limit or validate data before passing it to the database, and
3. failure to escape all special characters in user input before passing it to the database.
Typically the crooks will harvest passwords from some insecure web site, then identify interesting logins — names of high profile people — and try those passwords on Yahoo, or Google, or some other site.
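Mistakes 2 and 3 above are the same defect seen from two angles: user input reaching the database without being validated or kept separate from the query text. The following added example (not code from the original post) shows a login lookup written the negligent way beside the same lookup written with a parameterized query and an input whitelist; the in-memory SQLite table, the user names and the stored values are constructed for the demonstration.

```python
import re
import sqlite3

# Whitelist for the username field: the "limit or validate data" rule from the text.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def make_db():
    """Constructed sample table with two accounts (digests are placeholders)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "placeholder-digest-a"), ("bob", "placeholder-digest-b")],
    )
    return conn


def login_concatenated(conn, username, pw_hash):
    """Negligent version: raw input is pasted into the SQL text, so quote characters
    and comment markers in the input become part of the query."""
    sql = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND pw_hash = '{pw_hash}'"
    )
    return [row[0] for row in conn.execute(sql)]


def validate_username(username):
    """Reject anything outside the whitelist before it goes near the database."""
    return bool(USERNAME_RE.match(username))


def login_parameterized(conn, username, pw_hash):
    """Hardened version: input is validated, then bound as a parameter so the
    database driver never interprets it as SQL."""
    if not validate_username(username):
        return []
    sql = "SELECT username FROM users WHERE username = ? AND pw_hash = ?"
    return [row[0] for row in conn.execute(sql, (username, pw_hash))]


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR 1=1 --"  # constructed malformed input: a quote and a comment marker
    print("concatenated:", login_concatenated(db, crafted, ""))      # every account matches
    print("parameterized:", login_parameterized(db, crafted, ""))    # rejected, no rows
    print("legitimate:", login_parameterized(db, "alice", "placeholder-digest-a"))
```

The concatenated query returns both accounts for a request that supplied no valid password at all, because the quote closed the string and the `--` discarded the password clause; the parameterized version both rejects the input at validation and, even without that check, would pass the whole string to SQLite as a literal value.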
The problem with the hosting password demands listed above is that, other than the first rule, they do absolutely nothing to improve security. The opposite is actually true: they greatly reduce the customer’s ability to recall the password.
Today I attempted to check my email accounts on my main email hosting account using a new smart phone. I was certain my password contained a zero, 0, in the second character position, but I couldn’t remember the sixth and eighth characters with certainty. As it turned out, the second character was a capital O (“Oh”), not a zero; my attempts to log in exceeded some limit and the account was locked. I could not check for customer email until I got back to my hotel room 10 hours later. There was email from a customer urgently awaiting my attention, on a Friday, and I could not help that customer before he went home for the week.
Hosting companies earn money by selling hosting to businesses. Those businesses earn money by providing web services to their customers. When customer service stops because a business cannot respond to its customers in a timely manner, because the owner could not remember the password to the hosting account and got locked out, that business starts to lose money.
I realize that my motivation for pontificating on this topic was stimulated by my own experience, but this is not the first time I have called for change in this area: my purpose is to call for rethinking of general password policies — that password policy should be making things more secure for everyone, not just making it hard for the business customer to remember his or her password.
I’m not writing in anger; I’m not calling out my hosting provider; I have not even named the web sites that have a reputation for being notoriously sloppy with their customers’ private information and that provide a prime source for hackers to harvest passwords.
The cost of unreasonable password requirements that cannot be defended by technical facts is greater than simply inconveniencing one or two non-technical individuals who can’t remember how to log in to their web sites: unreasonable password demands cause technically adept people to have trouble remembering passwords too, and that can become expensive.