rc3.org

Strong opinions, weakly held

Your password should not be “password”

Today I got to look at the user table in an application with passwords stored as plain text. Out of around 7100 users, over 170 have the password “password.” Around 10 other users had heard that your passwords should contain letters and numbers, and thoughtfully chose the password “password1.” Needless to say, this application should probably store hashes of the passwords rather than storing them in plain text and also use some basic test of strength for the passwords that requires more than just lower case letters. What the experience left me with, though, was a burning desire to thwart users who specifically want to use the word “password” or any variation thereof as a password. I even want to create a special error message just for them, just to let them know that their combination of laziness and cleverness is not appreciated.

Here’s a regular expression that matches many, many variations on the word password:

/^p[a4@][s5][s5]w[o0]rd(\d*|\W*)$/i

You too can stamp out the blight of your users using “password” as their password.

Update: Accounted for people who substitute the letter “s” with the number “5.”

Update: Now “[email protected]” is not allowed, either.

7 Comments

  1. I shall defeat your fiendish regular expression by spelling my password as pa55word!

  2. [email protected]!

  3. the 1337 ‘W’ should be fun to escape properly in your regeex: \/\/

  4. Suggest:

    /^[0-9]p[a4@]+[s5]{2,}w[o0]+rd(\d|\W*)$/i

    Then punks who try to be cute with 33paas55sswoo0ord213

    Get caught, too.

  5. I just sett mine to wasspord. :-)~

  6. There’s only one excuse for using the word password in a password — it’s in a corporate environment where you’re still sensitive to lanman attacks.

    In that one instance, padding a strong password with something stupid like “password” to get it over 15 characters and avoid lanman cracks is fine.

  7. Obdisclosure: My password is not password, but this isn’t stupidity or excessive laziness on the part of users. Their risk analysis is actually pretty sound. The largest risk from a lot of people using ‘password’ as a password is not to the users themselves, but to the systems (that could be compromised for other nefarious purposes that have nothing to do with those individual users and may not even affect those users.)

    In other words, a burden is being placed on users disproportionate to their personal risk. One fix is to do as you’ve suggested – simply automatically (hmmm… don’t we have some sort of technology that would do this… some type of computer gizmo that manipulates and compares strings of characters.. waddyooo know?) disallow certain passwords rather than beat on users who have better things to worry about.

    (Oh, I could go on and on about how risk and security incentives are improperly allocated… my working thesis – articulated just now as I type this comment – is if you’re depending on ‘typical user’ cleverness as part of your security posture, you’ve already failed.)

Leave a Reply

Your email address will not be published.

*

© 2016 rc3.org

Theme by Anders NorenUp ↑