Tuesday May 31st 2016

Why forced change password policies are ridiculous

Forced password-changing policies lead to two things:

  • More frustrated users locked out of their accounts, leading to more painful support requirements
  • A huge number of unencrypted text files on local filesystems called “mystupidnewpassword.txt”

I study IT Security in the graduate program of UNC Charlotte. For the most part, UNCC is a great school and our IT programs are especially fantastic. UNCC generally doesn’t rank, but IT provides a rare exception, listing UNCC 10th after Carnegie Mellon, Georgia Tech, Harvard, etc.

Despite my security focus, I think this is a little over-the-top for our university accounts (“49er Express”), once combined with a forced password change policy:

Password Rules:

    * Minimum length: 8 characters
    * Maximum length: 16 characters
    * Required characters:
          o One lower case alphabetic character
          o One upper case alphabetic character
          o One numeric character
          o One special character from the set ! * + - / _
    * Do not use your last name, first name, e-mail address, or the words "pass" or "word" as part of your password.
    * Password history: 8 (cannot reuse last 8 passwords)
    * Passwords are case sensitive. When changing your password, switching the case (lower/upper) of an alphabetic character does not constitute a change.
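As an added illustration (not code from this post or from the university's system), here is what the rules quoted above look like once written as a checker. The function and class names, the sample names and e-mail, and the choice of salted PBKDF2 for the history store are this example's own assumptions. The last rule is the one that forces a design decision: to know that a case flip is "not a change" without keeping plaintext around, the history has to store a hash of the case-folded password, so each stored entry protects a weaker secret than the real one.

```python
import hashlib
import hmac
import os
import re

# Constructed example: a checker for the password rules quoted above
# (8-16 chars, one lower, one upper, one digit, one of "! * + - / _",
# no first/last name, e-mail, "pass" or "word", no reuse of the last 8,
# and flipping letter case does not count as a change).

SPECIALS = set("!*+-/_")
HISTORY_DEPTH = 8
PBKDF2_ROUNDS = 100_000


def _hash(secret: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; any slow password hash would serve here.
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Salted hashes of the last HISTORY_DEPTH passwords, hashed case-folded.

    Hashing the case-folded form is what makes "switching case is not a
    change" enforceable without storing plaintext. The cost is that each
    stored hash covers a case-insensitive (weaker) version of the secret.
    """

    def __init__(self) -> None:
        self.entries = []  # list of (salt, digest), oldest first

    def contains(self, candidate: str) -> bool:
        folded = candidate.casefold()
        return any(hmac.compare_digest(_hash(folded, salt), digest)
                   for salt, digest in self.entries)

    def add(self, password: str) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, _hash(password.casefold(), salt)))
        del self.entries[:-HISTORY_DEPTH]  # keep only the newest HISTORY_DEPTH


def check_password(password: str, first_name: str, last_name: str,
                   email: str, history: PasswordHistory) -> list:
    """Return the list of rule violations; an empty list means the password is accepted."""
    problems = []
    if not 8 <= len(password) <= 16:
        problems.append("length must be 8-16 characters")
    if not re.search(r"[a-z]", password):
        problems.append("needs a lower-case letter")
    if not re.search(r"[A-Z]", password):
        problems.append("needs an upper-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("needs a digit")
    if not any(c in SPECIALS for c in password):
        problems.append("needs one of ! * + - / _")
    lowered = password.casefold()
    for banned in (first_name, last_name, email, "pass", "word"):
        if banned and banned.casefold() in lowered:
            problems.append(f"must not contain {banned!r}")
    if history.contains(password):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords (ignoring case)")
    return problems


if __name__ == "__main__":
    # Sample values are constructed for the demonstration.
    hist = PasswordHistory()
    hist.add("Spring-Tide42")
    print(check_password("sPRING-tIDE42", "Ada", "Lovelace", "ada@example.edu", hist))
    print(check_password("Autumn+Leaf7", "Ada", "Lovelace", "ada@example.edu", hist))
```

The history check runs one hash per stored entry, which is the usual shape of a "last N passwords" rule; the banned-substring test is done case-insensitively because the surrounding rules already treat case as cosmetic.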

Really? Every n months I have to come up with a new password that I haven’t used for the past 8 cycles, at this minimum level of complexity:


What does that mean? Well, I don’t want to be locked out of my account – besides the inconvenience, it’s embarrassing. But it’s damn easy to get such a password mixed up:


So if you want to break into the account of this IT security major, all you have to do is wait for the week after password-change-time and grep in my /home/hunter for any text file that’s 8-16 characters long, has at least 1 capital and 1 lowercase letter, 1 number, and 1 character from the set ! * + - / _.

Why is it acceptable, ever, to have a maximum password length? If you’re going to go out of your way to force users to make their passwords more complex as a security measure, how on earth can it make sense to then restrict the password length to some arbitrary, small number of characters? If I want to use the password:


is that really going to cause problems for a competently designed system? I mean, it shouldn’t even be storing my password, so where’s the problem? Do people really think that the above password is less secure than:


I run into this all the time and it bugs the hell out of me. In fact, password requirements in general bug the hell out of me, because I have my own process for generating secure passwords that I can remember, and having to meet some asinine requirement for proportions of numbers, uppercase letters and so forth just makes me forget my password, which is a security risk.

This is getting a little ranty, so I’ll draw my remarks to a close, but one last point.

The following scenario is grounds for the immediate and creative execution of the technical team involved.

Max password length at registration is x characters. Password user “enters” is x+2 characters. Input box at registration is restricted to x characters, last two characters are silently dropped. Login box is not restricted to x characters. User enters full password multiple times, cannot work out why login won’t work.
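Here is the scenario reproduced in code, alongside the version that does not have the bug. It is an added example, not code from this post or from any real registration system; `x` is taken as 16, the user name and password are constructed, and the registry classes and the salted-PBKDF2 storage are assumptions of the example. It also makes the earlier point concrete: once only a salted hash is stored, a 35-character password costs the system nothing, so the only cap worth having is a generous one that bounds the work the hash function does, and it must be applied identically at registration and at login.

```python
import hashlib
import hmac
import os

# Constructed example. MAX_LEN plays the role of the "x" in the scenario above.
MAX_LEN = 16
PBKDF2_ROUNDS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256: the digest is stored, the password never is.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class TruncatingRegistry:
    """The broken scenario: registration silently keeps the first MAX_LEN
    characters, while login hashes whatever the user typed."""

    def __init__(self) -> None:
        self.users = {}  # user -> (salt, digest)

    def register(self, user: str, password: str) -> None:
        kept = password[:MAX_LEN]  # characters beyond x are dropped without a word
        salt = os.urandom(16)
        self.users[user] = (salt, _hash(kept, salt))

    def login(self, user: str, password: str) -> bool:
        salt, digest = self.users[user]  # no truncation here: x+2 characters never match
        return hmac.compare_digest(_hash(password, salt), digest)


class ConsistentRegistry:
    """The fix: one length rule, applied the same way on both paths, and it
    rejects instead of truncating. With hashed storage a small maximum has no
    purpose; a large cap only bounds the hash function's work per attempt."""

    def __init__(self, max_len: int = 1024) -> None:
        self.max_len = max_len
        self.users = {}

    def _validate(self, password: str) -> None:
        if len(password) > self.max_len:
            raise ValueError(f"password longer than {self.max_len} characters")

    def register(self, user: str, password: str) -> None:
        self._validate(password)
        salt = os.urandom(16)
        self.users[user] = (salt, _hash(password, salt))

    def login(self, user: str, password: str) -> bool:
        self._validate(password)  # identical check to registration
        salt, digest = self.users[user]
        return hmac.compare_digest(_hash(password, salt), digest)


def demo() -> dict:
    """Run both registries on the same over-length password and report the outcomes."""
    long_pw = "the quick brown fox jumps over 2016"  # 35 characters, constructed
    buggy = TruncatingRegistry()
    buggy.register("alice", long_pw)
    fixed = ConsistentRegistry()
    fixed.register("alice", long_pw)
    return {
        "buggy_full_password": buggy.login("alice", long_pw),            # the user's experience
        "buggy_truncated_password": buggy.login("alice", long_pw[:MAX_LEN]),  # what actually works
        "fixed_full_password": fixed.login("alice", long_pw),
        "fixed_truncated_password": fixed.login("alice", long_pw[:MAX_LEN]),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'login ok' if ok else 'login rejected'}")
```

The `buggy_truncated_password` entry is the part that makes this class of bug hard to diagnose from the outside: the account does open, but only with a password the user never chose.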

