2

Why are there organizations, websites that still, in 2015 advises that people should use complex, at least 8 character long passwords?

Why doesn't they advise to use password-managers, long passwords? People will not remember complex passwords in every 90 days.

Is there some kind of old standard for the password rules? Or people don't know the math?

  • Password managers are a single point of failure. If they have security issues all your credentials are at risk. If you are interested, here are some information what has happened in the past (https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/li_zhiwei) (https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/silver) (https://www.blackhat.com/docs/eu-15/materials/eu-15-Vigo-Even-The-Lastpass-Will-Be-Stolen-deal-with-it.pdf) – John Dec 20 '15 at 17:11
  • There are a lot of assumptions in this question. – schroeder Dec 21 '15 at 01:15
  • 1
    Possible duplicate of [Are efforts being made to bring about password standards?](http://security.stackexchange.com/questions/61931/are-efforts-being-made-to-bring-about-password-standards) – Steve Dodier-Lazaro Dec 21 '15 at 11:10
  • There have also been a few noteworthy changes since that question above in password standards, I think NIST updated their guidance documents but can't find any trace of that any more in my mailbox. I think it'd be better to close this question and update answers to the one above with latest news. – Steve Dodier-Lazaro Dec 21 '15 at 11:13

2 Answers2

3

The same reason that people are still pushing for input sanitation in 2015: the security world moves very slowly; they adopt things at a snail's pace, and the end-users are orders of magnitude slower at changing their ways.

Once people have become accustomed to a way of doing something, anything that is contrary to that is going to be rejected for a long time, until enough people are crying about it. Even then, you're going to have a few holdouts like Dave. That's one of the core reasons why people are still proclaiming outdated practices.

Getting older people to use a password manager may be next to impossible.

People will not remember complex passwords in every 90 days.

Most people write their passwords down and put them on their desk in the form of a sticky note, or they type it enough times to remember it, or they even store it in a text file on their desktop (groan), or they set it and forget it with a long-lasting cookie.

And if they forgot it, no problem! They'll just start the password reset process. This is normal behavior for most users.

Is there some kind of old standard for the password rules? Or people don't know the math?

The vast majority of people, including developers, don't understand better password practices at all. Even less people understand the math or reasoning behind why something should be the way it is.

If people aren't knowledgeable, and you appear to be in the know, then people will blindly accept what you tell them... but even if they agree that password managers and pass phrases are better, old habits die hard.

Mark Buffalo
  • 22,508
  • 8
  • 74
  • 91
  • What's wrong with keeping passwords in a text file? If you have FDE, it's almost the same as a password manager. – paj28 Dec 20 '15 at 17:06
  • 1
    @paj28 FDE isn't going to protect you from someone walking up to your workstation, opening "mysecretpasswordfile.txt" on your desktop, and then peacing out with it. It also isn't going to protect if you have the right malware installed. Then again, password managers wouldn't help much in that regard either. My intention is to point out that remembering complex passwords isn't difficult for most users. Writing it down/storing it in a text file / typing it enough times to remember it. – Mark Buffalo Dec 20 '15 at 17:09
  • I was going to let this lie. But as someone has since upvoted your comment, it seems I need to clarify that you need to lock your screen to stop someone stealing your passwords. Thought this was Infosec 101, but clearly not! – paj28 Dec 21 '15 at 11:58
  • @paj28 Yeah, clearly you should, I agree with you there, but we're talking about run-of-the-mill users. How many normal users do you know who lock their screen? They just don't do it. – Mark Buffalo Dec 21 '15 at 13:14
2

If a website advises you to use a password manager, and then the password manager suffers a data breach of some kind, the website might be legally liable, since you were following their advice. If they just advise you to remember a complex password then there's no risk to them, since if you write it down that's your fault.

Mike Scott
  • 10,134
  • 1
  • 28
  • 35