Of password restrictions and an annoyed James

by tibuant

I’ve been meaning to blog every weekday… Here it is, Wednesday, and my last post was Friday. I’ve been struggling to think of something to write, and I’ve come up with very little. I also promised pictures (which is what has delayed my posts… “I could blog about… Oh, what picture would go with that?”) So rather than keep my promise for pictures or stay strictly gaming, I’m going to just rant about something recently bothering me: it seems the easiest way to keep content flowing…

So, with the preface/warning for this post out of the way, let me introduce myself again. Hello, I’m James. I’m a Computer Science major. Oh… Did I mention I’m a Computer Science major? See, this point is important: I play with computers a lot. I’m almost always on a computer. My entire life pretty much revolves around these evil, wonderful inventions… So why is everybody else always making them work against me?

Windows, for example, is a necessity if you want to run programs on your computer instead of having an expensive blinking set of lights. Sure, Linux and OS X are Operating Systems as well (and I use OS X very often) but I like to game. Wine is awesome and both Linux and OS X have come a long way in regards to native games, but booting up Windows is still the best choice.

Default behavior seems to include randomly shutting down for updates, as well as being unable to tell the computer “Just shut down, don’t update,” so any time you may be in a hurry to shut down your laptop you have to wait up to an hour for god-knows-how-many updates to download and install.

But this post isn’t about that. It may be on my mind because I freshly installed Windows on a laptop and had to let it install a ton of updates, but it’s a rare enough occurrence I’ll let it slide under the radar while I complain about something much more annoying. Password restrictions.

Now, I’m not some super programmer, and my programming experience is limited to the sub-par education I feel I’m getting at my university plus my own fiddling, but… Aren’t most passwords stored as a salted hash? What benefit does a service get from putting restrictions on passwords? Let me tell you what benefits a user gets out of it: none.

When younger, sure, I feel that the password restrictions may have helped me to form more secure passwords, what with the “at least one number” rules and such, but now they’re just a waste. If I wanted to hack your service, do you think the password restrictions would be any more useful? No. I’d brute force passwords within the parameters of your restrictions… Or I’d generate a rainbow table within the parameters of your restrictions and use SQL injection or some other method to get a dump of your hashes.

The only bright side I can think of is the varying password restrictions force users to use different passwords for different services. It is also, however, just as likely to cause a user to write down their passwords, keep a plain text file, or use a cloud-based password storing service. I consider none of these safe, overall. Click here for the relevant XKCD you’ve already seen. This is the problem with passwords nowadays. Restrictions hinder the users while aiding the hackers.

I’m stubborn. I like to have creative freedom with my passwords so I can think of something creative and easily remembered. I also don’t like to write down my passwords, and I’m not fond of services like 1Password. I’m not overly big on the “change your password every so often” requirement, either, as my limited statistics knowledge suggests no real benefit to it so long as neither the password nor the hash is compromised through more direct methods (such as downloading a service’s database, or finding your sticky note with your password written on it).

In my experience, all these password restrictions do is force me to reset my password–since I’ve forgotten it and am too lazy to write it down or use any services/programs to keep track of them–once or twice a month. You could argue this is a problem with the way I tackle passwords since I try to keep a different one for each service I use and I don’t write them down: I instead consider it a problem with the computer industry today. Stop limiting my passwords to “6 to 12 characters long, no spaces, no special characters, at least 1 letter and at least 1 number” and other meaningless crap.
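To put numbers on the “within the parameters of your restrictions” argument above, here is an added Python example (not code from the original post) that counts the keyspace of exactly the policy quoted in the last paragraph, compares it with two policies that impose no composition rules, and shows the per-user salted hash the post asks about. The character-set sizes, the 100,000 PBKDF2 iterations and the sample password are assumptions.

```python
import hashlib
import math
import os
from itertools import combinations

# Character classes allowed by the policy quoted in the post:
# upper/lower-case letters and digits, no spaces or special characters.
POLICY_CLASSES = {"letter": 52, "digit": 10}

def count_with_required(length, classes, required):
    """Strings of `length` over the union of `classes` containing at least one
    character from every class in `required`. Inclusion-exclusion: subtract
    strings missing one required class, add back those missing two, and so on."""
    total_alphabet = sum(classes.values())
    total = 0
    for k in range(len(required) + 1):
        for excluded in combinations(required, k):
            alphabet = total_alphabet - sum(classes[c] for c in excluded)
            total += (-1) ** k * alphabet ** length
    return total

def keyspace(min_len, max_len, classes, required=()):
    """Passwords a policy admits, summed over every permitted length."""
    return sum(count_with_required(n, classes, required)
               for n in range(min_len, max_len + 1))

def bits(n):
    """Keyspace size as bits of entropy, assuming a uniformly random choice."""
    return math.log2(n)

# The post's policy: 6 to 12 characters, letters and digits, at least one of each.
RESTRICTED = keyspace(6, 12, POLICY_CLASSES, required=("letter", "digit"))
# Same lengths, any of the 95 printable ASCII characters, no composition rule.
UNRESTRICTED = keyspace(6, 12, {"printable": 95})
# A 20-character lowercase passphrase with spaces (27 symbols), no rules at all.
PASSPHRASE = keyspace(20, 20, {"lower_and_space": 27})

def salted_hash(password: bytes, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-user random salt; iteration count is assumed."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

if __name__ == "__main__":
    for name, space in (("restricted", RESTRICTED), ("unrestricted", UNRESTRICTED),
                        ("passphrase", PASSPHRASE)):
        print(f"{name:12s} {bits(space):5.1f} bits")
    # Two salts turn one (constructed) password into two unrelated digests, so a
    # table precomputed over the policy's keyspace cannot be reused across users.
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    print(salted_hash(b"Summer2012", salt_a) != salted_hash(b"Summer2012", salt_b))
```

Run it and the restricted policy comes out roughly 71 bits, the unrestricted 6-to-12 policy roughly 79 bits, and the 20-character passphrase roughly 95 bits; the composition rule removes only the all-letter and all-digit strings, while the length cap is what really shrinks the space.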