Bad password practices

I’m not talking about users picking bad passwords. Yes, we know: use unique passwords and a password manager! I’m talking about sites that have terrible rules for new passwords. Passwords that really are great get rejected for stupid reasons. Things like this:

hnhD9^mEG^%NU2u9UxSBRio^m2CSZ6%eTsa&Cg83Nxo7#C&[email protected]!A6HVfnjt^gYzjmqwX#2En!8bNQ*LBTNdasFQw!A!#acPQAwrV7^u&B4h%2 is a “bad” password because the number 2 repeats 4 times?

Again: so I can’t make a nice long password because you limit it to 40 characters? I don’t care about the length of the password when I use a password manager. Also, this is the wrong way to do passwords.

One argument is that if you allow 1,000 characters for a password, it takes up much more space in the database than a 40-character password. That would be true if you were storing the password itself (although, with storage as cheap as it is, it really shouldn’t matter). But that isn’t how passwords are stored, so the argument is irrelevant.

So let’s explain how passwords are stored, using a really bad example. Passwords are hashed in a way that means you can’t decrypt them. For example, when you were a kid learning division, you didn’t learn about fractions (yet). You just used the ‘remainder’. 8 divided by 5 is 1 remainder 3. The official term for this is modulo, or usually just mod. So 8 mod 5 is 3. However, 13 mod 5 is also 3. As is 18, 23, etc.

If I told you that the result was 3, even if you knew we did mod 5, you would have no idea what the original number was. However, if I gave you 23, which you mod 5 to get 3, you know that the answers match. Now this is a horrible example, as there are only 5 possible answers (0, 1, 2, 3, and 4), but you get the idea. When you enter your password, it should be hashed to give some random-looking (but repeatable) result. This means they can check your password without storing your password.

Now obviously the real way passwords are hashed is entirely different. Let’s use another bad example. Take a password (we’ll use numbers here for simplicity, to save converting one to the other) of 123.
Then we need three prime numbers, where the first two multiplied together are larger than the third. So let’s pick 2, 3, and 5 because the maths is easier. Why prime numbers? Because you can’t simplify the maths. If I asked you to divide 100 billion by 10 billion, or 100,000,000,000 / 10,000,000,000, you should quickly realise that almost all the zeros cancel, making the maths easier. Same thing for encryption: if you don’t use prime numbers you may be able to simplify it.

OK so we have
Password: 123
Primes: 2, 3, 5

This next bit gets a little complicated. Let’s split the password into single characters. For the first character, add the first prime, multiply the result by the second prime, then take that result mod the third prime. That is the first digit of the output. Then add that output to the second character of the password and repeat (add, multiply, mod).

1 + 2 = 3. 3 * 3 = 9. 9 MOD 5 = 4
4 + 2 + 2 = 8. 8 * 3 = 24. 24 MOD 5 = 4
4 + 3 + 2 = 9. 9 * 3 = 27. 27 MOD 5 = 2

The password 123 encrypts to 442. Note that the order of the password matters: 321 would encrypt to 311.
4 + 2 = 6. 6 * 3 = 18. 18 MOD 5 = 3
3 + 2 + 2 = 7. 7 * 3 = 21. 21 MOD 5 = 1
1 + 1 + 2 = 4. 4 * 3 = 12. 12 MOD 5 = 1

This is why you add the output back in: so you can’t crack each digit on its own. You should also add some salt too, but I won’t cover that here (basically, think cooking: adding more or less salt changes the taste of the meal even if you follow the recipe. The same password with a different salt gives a different result).

It should go without saying, but please DO NOT use that method for storing passwords. There are many standard libraries for doing this in various languages. For example, Argon2 won the Password Hashing Competition in 2015. Do not try to roll your own encryption; it will never work.

In short, if you are hashing a password, you really don’t care how long it is, as you will get the same-length string out anyway, so limiting the input field means you are doing it wrong. And if you have this wrong, what else is wrong? I’m always wary of sites that get this wrong.

Finally, Microsoft, really?

That seems fine until you realise how it calculates the ‘weak’. Spring21 is strong?

However, ‘creation thursday thievish fraying android slander empathy capsize composed aspect symphonic domestic’ (which is 12 random words) is weak because it doesn’t have capitals or symbols.

In conclusion: let’s not blame the users for making bad passwords. We’re teaching them to use crappy ones, so why are we shocked when they listen to us?
