Password validation hints

By | February 9, 2010

Just because something can be validated does not mean it should be validated. It’s very easy to validate form fields in django and most other web frameworks. That does not mean we should always take advantage of this feature.

Why did I just get this error when creating a user account on a website?:

Error. The password field can contain only letters and numbers

I had included a couple of punctuation characters in my password, because that makes it harder to guess, right?

From a technical standpoint, there is absolutely no reason for this website to tell me I can’t use punctuation characters. If they’re encrypting ascii, then any ascii character should be legit. If they’re encrypting bytestreams, then any unicode byte should be legit.

The only validation a password field should have is to test if the password is ‘too easy.’ Typically a minimum length test is enough, but ensuring the user didn’t enter five 1s or their username as a password can be good validation too (although it’ll annoy the user, not often a good thing). You may also need a maximum length if your database is poorly designed, but make it a very high maximum in case anal-retentive people with 64 character passwords want to buy something from you. After all, why shouldn’t you let them?

Further, don’t force your users to have passwords that conform to arbitrary rules like ” must contain at least one number, one lower case letter, and one capital.” This actually cuts down the total number of options a brute force attacker needs to check if they want to break the password; they now know that eerieairplane is not an option they have to test. After all, eerieairplane and EerieAirPlane are totally different passwords, neither is more “guessable” than the other (unless you are a pilot for Lake Eerie Air, in which case you’re probably better off using pokertoMatotoOthpaste).

Users have different systems for creating their passwords; some of these systems aren’t very intelligent (same password everywhere, or prepend the name of the site to a common word), but forcing a single system of our own on them is even less intelligent.

While we’re on the subject, what’s up with all the corporate sites who believe that having security questions in case you forgot your password helps make things more secure? Honestly, do you think that my random password with extra punctuation is easier to guess than my first dog’s breed, my mother’s maiden name, or my favourite author? What’s the point of having a password at all if both I and any given attacker can just look up these values instead?

Leave a Reply

Your email address will not be published. Required fields are marked *