Jeff Atwood, founder of the popular coding site Stack Overflow, has published an extended and entertaining rant about the lamentable state of password policy among developers.
The post, subtly titled "Password rules are bullshit," points out that the current format for password rules, such as including a certain mix of characters, isn't particularly secure. In fact, such rules are usually counterproductive, he argues, and penalize those people using secure random password generators, because the rules could block them.
"Seriously, for the love of God, stop with this arbitrary password rule nonsense already. If you won't take my word for it, read this 2016 NIST password rules recommendation," Atwood said. "It's right there: 'no composition rules.' However, I do see one error: it should have said 'no bullshit composition rules'."
Another key issue is password length. As an absolute minimum people should be aiming for 10-character passwords, he said. Only five of the top 25 most-used passwords are over 10 characters, so going into double figures is a smart move and should be enforced by developers.
"These days, given the state of cloud computing and GPU password hash cracking, any password of 8 characters or less is perilously close to no password at all," he said.
Unicode could be very useful here. He points out that password checks which accept Unicode and measure length in Unicode characters let a password's effective length grow significantly and make it much harder to crack.
Developers also need to get better at protecting against password dictionary attacks. He pointed out that, according to data he has been collecting, about 30 per cent of users choose a password that appears on a top-10,000 password list, a list there is "no question" an attacker will be using.
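As an added example, not code from Atwood's post or from The Register, here is a minimal Python validator that applies the three points above: a minimum length of 10 counted in Unicode characters (after NFKC normalization, not in bytes), no composition rules, and a blocklist check. The blocklist here is a constructed ten-entry stand-in for the top-10,000 list; a real deployment would load a published breach-derived list.

```python
import unicodedata

# Constructed stand-in for a "top 10,000 passwords" list (assumption: a real
# deployment loads a published list). Entries are lowercase and compared
# case-insensitively.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123",
    "password1", "iloveyou", "letmein", "monkey", "1234567890",
}

MIN_LENGTH = 10  # Atwood's floor; NIST SP 800-63B requires at least 8


def normalize(password: str) -> str:
    # NIST recommends Unicode normalization before the length check so that
    # visually identical inputs (e.g. composed vs decomposed accents) agree.
    return unicodedata.normalize("NFKC", password)


def password_length(password: str) -> int:
    # Count Unicode code points, not UTF-8 bytes: Cyrillic "пароль" is six
    # characters but twelve bytes, and must count as six.
    return len(normalize(password))


def byte_length(password: str) -> int:
    # The figure a byte-oriented check would wrongly use for length.
    return len(normalize(password).encode("utf-8"))


def check_password(password: str, min_length: int = MIN_LENGTH) -> list:
    """Return a list of rejection reasons; an empty list means the password is accepted.

    Deliberately no composition rules: nothing here demands a digit, a symbol
    or mixed case. Only length and the blocklist matter.
    """
    reasons = []
    pw = normalize(password)
    if len(pw) < min_length:
        reasons.append(f"too short: {len(pw)} characters, minimum is {min_length}")
    if pw.casefold() in COMMON_PASSWORDS:
        reasons.append("appears on the common-password blocklist")
    return reasons


if __name__ == "__main__":
    for candidate in ["password1", "QWERTY", "пароль1234", "correct horse battery"]:
        verdict = check_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {password_length(candidate)} chars, "
              f"{byte_length(candidate)} bytes -> {'; '.join(verdict)}")
```

Note that the blocklist check runs even when the password is long enough: "1234567890" meets the ten-character floor and is still rejected, which is exactly the case composition rules miss.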
The entire rant is worth reading if you're writing code for passwords, or if you use them. Wise though Atwood's words are, there's also an alternative suggested this morning by Heather Adkins, Google's director of information security and privacy.
"It's 2017. Passwords are irrelevant. Anything you care about should be protected by a strong 2nd factor. #Make2FAGreatAgain" (Heather Adkins, @argvee, March 10, 2017)
Make sure you're using two-factor authentication. Just turn it on. ®