There’s a fundamental issue with password validation
Take a look at these two passwords:
for a computer to crack? And which password do you think is the easiest to remember? The answer to both of these questions is password number 2. Yet people are encouraged to create passwords that look like number 1. People have been taught to write passwords that are difficult for humans to remember, for no real reason.
Let’s talk about that.
There are many bizarre things in internet standards. Validation is one of them. As a front-end developer, I am expected to validate the input that users enter into so-called input fields. These are the fields that you use when you enter your username, your email, your home address, your postal number, and so on. It is the duty of a front-end developer to ensure that the user doesn’t enter anything malicious or anything improperly formatted into these fields.
For example, a field that requests a postal number generally only allows for spaces and numbers, and if we know what country the user lives in, we can also limit it to a certain number of characters. Phone numbers can often include numbers, a plus sign (only at the beginning) and a dash, maybe some parenthesis too if we’re feeling liberal. E-mail addresses are difficult to validate, however a common practice is that they must include an at-sign (@) followed by a period, even though a perfectly valid e-mail address could actually have none of those attributes. Some websites try to validate names by forcing people to keep their names within a certain length or by forcing people to only use certain characters, though such validations never really work as people’s names can be just about anything.
Validation is implemented for several reasons. One is security concerns. Validation prevents users from entering scary code into the fields that could alter the database or perform other malicious actions. Another is to force a certain data type. If a field is only supposed to consist of numbers, the database engineer might have set up a database column that only allows for numbers, which means that a symbol that isn’t a number would cause an error to occur.
But the primary reason, really, is to help the user avoid making mistakes.
Forcing your passwords
For some reason, front-end developers are expected to babysit users into entering what is traditionally conceived to be a good password. It should be at least eight characters long, include uppercase and lowercase characters, a number, and if we’re feeling really obnoxious, it should even include a special character, like an exclamation mark.
Here is an example of what is generally considered to be a solid password: jK8v!ge4D. Considering the fact that you are often asked to enter a password like this, it’d be fair of you to assume that we’d consider this a good password.
It’s not. It’s stupid. It’s a bad password.
First of all, how is anyone supposed to remember that? What ends up happening is that users can’t remember it so they write the passwords down somewhere. Like on a post-it note. And then they end up getting “hacked”.
Secondly, users end up using the same password for different services, because it’s obnoxious to keep track of a whole bunch of these complex passwords. When you create an account for a decent website, some magical code behind-the-scenes transforms your password into a hash (commonly and incorrectly referred to as encryption). Your password ends up looking something like this in the database: k5ka2p8bFuSmoVT1tzOyyuaREkkKBcCNqoDKzYiJL9RaE8yMnPgh2XzzF0NDrUhgrcLwg78xs1w5pJiypEdFX. Even if the database is hacked, the hacker cannot really do anything with this information. It is possible to figure out the original password if the password is common enough and the algorithm is simple enough, though with a somewhat decent password that’s been properly hashed, it’s generally quite safe.
The issue is that not all services hash their users’ passwords. If you use the same password for many services, you might end up using a poorly programmed service that actually does save your password in plain text in their database. If they end up getting compromised, the hacker suddenly has your password to all of your accounts where you use the same password. This is scary, and it happens a lot more often than one might think.
This is why you MUST use different passwords for different websites. However today’s users have accounts on tons and tons of websites. How are they supposed to remember all of their passwords? Power users may use a password tool, but you can’t expect the average user to do that.
Well, there’s a better way.
How long does it take to crack?
Take a look at this string of characters: gtypohgt. It’s eight random characters, all lowercase. It takes no more than a mere couple of minutes for a modern computer to brute force its way through it. Replace some characters with a few numbers, and you’re looking at a password which will take up to an hour to crack (g9ypo3gt). Make a few characters uppercase, and the password will take days to crack (g9YPo3gT). Throw a special sign in there, and it could take up to a month (g9Y!o3gT).
g9Y!o3gT is technically a decent password. No person will be able to guess it, it’s not on any short-list of common passwords, and computers will take a reasonable amount of time to crack it. The issue is that this password is hard for a human to remember — for no real reason.
Now take a look at this beauty: greenelephantswithtophats (green elephants with top hats). That’s 24 characters, all lowercase. No numbers, no random characters, no shenanigans. Yet this password will take a computer thousands upon thousands of years to crack. See, for every character you add, the time it takes for a computer to crack greatly increases. greenelephantswithtophats is not on any short-list of common passwords, and no human will be able to guess it either.
Now that’s a good password
Make a password that tells a story. Need a Facebook password? How about afaceforabookbutapizzaforahorse (a face for a book but a pizza for a horse)? Visualize it. Our spacial memory is our strongest memory. Suddenly, you have an immensely powerful password that’s easy to remember and unique to one particular website. The password must be something that even people who know you very well cannot guess. You don’t talk about turtles often, do you? Have you ever seen a purple turtle? No? Visualize it. You have, now. It’s okay to lie in your passwords: ioncesawapurpleturtleiswear (I once saw a purple turtle I swear). That one will take millions of years for a modern computer to crack, and not even your sister will be able to guess it.
These passwords are easy to imagine. flyingcarsthatcannotflyarenotflying. applesmaybegreatbutpearsarelikeheaven. goatswithshoesenjoytrainsonrainydays. No one will guess these.
Yet some websites also will not allow these passwords. They will complain that you didn’t add a number or an uppercase character or that it’s too long, or some other nonsensical non-technical reason.
So you could cheat the system just a little bit. Add A1! to the end of any of the above passwords, and they’ll be accepted by any system that doesn’t call them too long. You now have an uppercase character, a number, and a special sign. Even if those three are the same on all of your passwords, the rest of the password will make up for it. ioncesawapurpleturtleiswear and ioncesawapurpleturtleiswearA1! are both impossible for a computer to crack, meaning it’s nothing but an inconvenience that you are required to enter those characters at the end.
The intention of developers is benign. People enter bad passwords. Website managers don’t want any scandals, so they try to force users to enter decent passwords, however cumbersome that ends up being.
Remember this technique next time you need to create a password. Make one that’s hard for computers to crack and easy for you to remember — not the other way around.
Oh, but even if you don’t, just promise to stay away from any variation of 123456, password123, and qwerty. Those are actually bad passwords.
Well, I guess that’s why we force you to write something like this jK8v!ge4D.
Discussion about this post