duffn / dumb-password-rules

A compilation of sites with dumb password rules.
https://dumbpasswordrules.com
MIT License

We did pcpartpicker.com dirty #518

Open rpdelaney opened 1 year ago

rpdelaney commented 1 year ago

> There are no rules for passwords. Passwords can be any length (including one character) of any complexity.

We complain that pcpartpicker doesn't have any dumb rules?

> No password change confirmation emails are sent.

Okay, I guess that's dumb, but it's not a password rule.

depperm commented 10 months ago

> Passwords can be any length (including one character) of any complexity.

I think length requirements are generally one of the more acceptable requirements. I'd argue any complexity also is bad in that known bad passwords (such as password) should be rejected.

rpdelaney commented 10 months ago

Thank you for the thoughtful comment!

> I think length requirements are generally one of the more acceptable requirements.

That's my understanding as well, but to be sure I checked on the latest NIST guidelines:

> **5.1.1.1 Memorized Secret Authenticators**
>
> Memorized secrets SHALL be at least 8 characters in length if chosen by the subscriber. Memorized secrets chosen randomly by the CSP or verifier SHALL be at least 6 characters in length and MAY be entirely numeric. If the CSP or verifier disallows a chosen memorized secret based on its appearance on a blacklist of compromised values, the subscriber SHALL be required to choose a different memorized secret. No other complexity requirements for memorized secrets SHOULD be imposed. A rationale for this is presented in Appendix A Strength of Memorized Secrets.

You also wrote:

> I'd argue any complexity also is bad in that known bad passwords (such as password) should be rejected.

I agree with this also, and so it seems we both concur with NIST's guidelines.

However, I feel the linked Appendix A is as close to a perfect statement of what's wrong with the world that dumbpasswordrules.com is aiming to call out. That is, in a misguided attempt to help users choose better passwords, many websites add onerous "complexity" requirements that bother users and don't improve security for anybody.

Worse, these complexity rules inhibit users from following best practices as recommended by NIST -- in particular, using a cryptographically secure password generator, which can create high-entropy passwords that nonetheless don't meet the complexity requirements of a specific site.

With that in mind, a low-risk site like pcpartpicker having somewhat inadequate requirements isn't ideal, but in my opinion it is easily preferable, and so it feels out of place on the site.

That's just my $.02. :)
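As an added example, not code from this issue, the dumb-password-rules project or pcpartpicker, the following Python puts the NIST SP 800-63B 5.1.1.1 text quoted above into a checker and sets it beside a composition rule of the kind the site catalogues. It shows the point made in the thread: a generator-produced secret or a long passphrase passes the NIST check, while a composition rule rejects the passphrase and waves through a breached value that happens to contain the required character classes. The blocklist, the word list and the sample secrets are constructed stand-ins; a real deployment checks against a breached-password corpus, and the 64-character cap and NFKC normalization are taken from the neighbouring section 5.1.1.2 of the same document.

```python
"""NIST SP 800-63B section 5.1.1 style memorized-secret check (added example)."""
import secrets
import string
import unicodedata

MIN_LEN_SUBSCRIBER_CHOSEN = 8   # 5.1.1.1: SHALL be at least 8 if chosen by the subscriber
MIN_LEN_VERIFIER_GENERATED = 6  # 5.1.1.1: SHALL be at least 6 if generated by the CSP/verifier
MAX_LEN = 64                    # 5.1.1.2: verifiers SHOULD permit at least 64 characters

# Constructed stand-in for a blocklist of compromised values (a real one is
# a breached-password corpus; exact-match comparison as NIST describes).
COMPROMISED = frozenset({
    "password", "password1", "P@ssw0rd", "12345678", "qwerty123", "letmein1",
})

# Constructed word list for the passphrase generator (a real one is larger).
WORDS = ["correct", "horse", "battery", "staple", "orbit", "velvet", "cactus", "lantern"]


def normalize(secret: str) -> str:
    """5.1.1.2: apply Unicode normalization (NFKC here) before length check/hashing."""
    return unicodedata.normalize("NFKC", secret)


def nist_check(secret: str, chosen_by_subscriber: bool = True):
    """Return (accepted, reason). Only length and the blocklist are enforced."""
    s = normalize(secret)
    min_len = MIN_LEN_SUBSCRIBER_CHOSEN if chosen_by_subscriber else MIN_LEN_VERIFIER_GENERATED
    if len(s) < min_len:
        return False, f"shorter than {min_len} characters"
    if len(s) > MAX_LEN:
        return False, f"longer than {MAX_LEN} characters"
    if s in COMPROMISED:
        return False, "appears on compromised-value blocklist"
    # No other complexity requirement: any characters, spaces included.
    return True, "ok"


def composition_check(secret: str):
    """The kind of rule the site catalogues: demands character classes, ignores breaches."""
    classes = (
        str.isupper,
        str.islower,
        str.isdigit,
        lambda c: c in string.punctuation,
    )
    if not all(any(test(c) for c in secret) for test in classes):
        return False, "needs upper, lower, digit and symbol"
    return True, "ok"


def generate_passphrase(words=WORDS, count: int = 6) -> str:
    """Cryptographically secure word passphrase (secrets, not random)."""
    return " ".join(secrets.choice(words) for _ in range(count))


def generate_random(length: int = 20, alphabet: str = string.ascii_letters + string.digits) -> str:
    """Cryptographically secure random string; no guarantee of any character class."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for candidate in ["password", "P@ssw0rd", "short1!", generate_passphrase(), generate_random()]:
        print(f"{candidate!r:40} NIST={nist_check(candidate)}  composition={composition_check(candidate)}")
```

The contrast is the whole argument: `P@ssw0rd` satisfies the composition rule and fails the NIST check because it is a known compromised value, while a six-word passphrase fails the composition rule despite far higher entropy than anything the composition rule would accept at minimum length.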