What is a dumb password rule?

duffn / dumb-password-rules

A compilation of sites with dumb password rules.

https://dumbpasswordrules.com

MIT License

2.99k stars 297 forks source link

What is a dumb password rule? #367

Closed DimitriPapadopoulos closed 1 year ago

DimitriPapadopoulos commented 3 years ago

How do you define a dumb password rule?
Some countries may have recommendations or regulatory rules. Companies need or tend to follow them. Instead of shaming the company, shame the recommendations and regulatory rules.

JoshuaBehrens commented 3 years ago

There are countries with password rules :O ? I don't think we have some in Germany. There is a pretty good understand what a bad password is and insurances wont pay in these cases but I don't think they rely on a written law.

Can you name a country that has such regulatory rules?

DimitriPapadopoulos commented 3 years ago

France for example, but these are general "recommendations" from the data protection authority (CNIL) more than regulatory rules: L’authentification par mot de passe : longueur, complexité, mesures complémentaires

Companies will follow the above recommendations, because in case of personal data loss they might be held responsible.

But then is a mere minimal length for passwords considered to be a "dumb password rule"?

DimitriPapadopoulos commented 3 years ago

In Germany:

BSI TR-03148 Sichere Breitband Router / CCC und OpenWrt: Technische Richtlinie des BSI zu sicheren Routern unzureichend
Hinweise zum Umgang mit Passwörtern but then this document does not suggest "dumb password rules" as far as I can see.

depperm commented 2 years ago

I would define a dumb password rule as one that:

restricts max length
restricts characters allowed/disallowed
enforces rigid complexity (kind of ambiguous, but stuff like need 1 uppercase, 1 lowercase, etc) xkcd

Password guidelines (aren't to my knowledge enforced, but are there as reference on what people should do)

NIST: National Institute of Standards and Technology (US)
- password minimum length 8+
- block/reject compromised/common/sequential passwords
- ALL characters allowed
NSC: National Cyber Security Centre (UK)
- encourage password manager use (generated passwords can be super complex)
- encourage memorable password (3 word (diceware) or CVC-CVC-CVC format)
- don't enforce complexity
- block/reject compromised/common passwords

depperm commented 2 years ago

Is this a duplicate of #80 ?

duffn commented 1 year ago

I've added a note on the new site about page on the definition of a dumb rule. Which is, in fact, that there's no real definition here except that you'll probably know one when you see one. https://dumbpasswordrules.com/about/