
For work and other official matters, I am often forced to use websites and apps which clearly have some kind of cargo cult going on in their security department, given that they impose extremely foolish requirements on passwords:

  • Character requirements like "at least one number, at least one uppercase, at least one lowercase, at least one symbol, at least one ancient Egyptian hieroglyphic, at least one mathematical symbol unknown to people with less than 3 years of graduate-level math training..."
  • Inane pattern requirements like "no repeating the same letter"
  • Nonsense length restrictions, like "8-16 chars"
  • Disabling copy/paste in the password form
  • Forced password rotation at short intervals, e.g. 30 days, for trivial accounts

Security is of course always important, but bear in mind that I'm not talking here about the nuclear launch codes or entry to the vault at Fort Knox. I am speaking of the vast majority of my accounts that have relatively trivial importance, such as my library card, toll card for my car, health insurance portal, airline rewards account and so on. Being that I am a knowledgeable and intelligent person who already follows sufficient password security best practices, I find this style of user-hostile "security" presents several problems:

  • It arbitrarily restricts the password universe, reduces password entropy and thereby makes my secure password less secure
  • It sometimes makes it impossible to create a secure password (e.g. very short max length)
  • It makes it very difficult to use a password manager
  • It makes it very difficult to follow a uniform password policy across my countless accounts

I think there is some kind of arms race going on in the security business because these have gotten progressively worse over the recent years as more and more B2B tech startups enter the marketplace and try to "disrupt" their respective industry.

Ordinarily, my response to such nonsense is to patronize a competing business with a saner approach to security. However, sometimes I am forced into working with a certain company (i.e. I can't get my employer to single-handedly change their HR solution) or virtually all competitors also engage in the same practice. Besides this being extremely onerous, I am also becoming very concerned about the actual security of the accounts themselves. I feel like if my solution is to keep fiddling with my password generator some more and move on, the company never receives negative feedback on their misguided practice, and the problem becomes worse.

What can I realistically do, as a user, to counteract this most effectively? Is sending a strongly worded letter my best option here?

Artimithe55
    This is more of a rant than a question, evidenced by the large volume of value judgements you make about "them" and the complimentary statements you make about yourself. "How can I get them to care about what I care about?" You can't. The reasons for their choices are far larger than a single person's opinion. – schroeder Dec 02 '21 at 08:22

2 Answers

0

Typically, password complexity for information systems should follow "best practices", which vary depending on the industry the information system provides its services in. For example, there are multiple accepted standards that a company can choose to align its information security controls with (CIS, PCI-DSS, NIST, Hitrust, SOC, etc.), and each standard could dictate a slightly different requirement for password strength and complexity.

Furthermore, to complicate everything even further, these standards are constantly updated, and not always at the same pace. As a result, systems and applications that were developed before a new standard version was released might have security settings that are no longer considered best practice.

The gold standard for password security is considered NIST 800-63(?). Historically the standard has evolved quite a bit; in fact, a lot of the frustrating items you've listed above are no longer considered best practice.

As an end-user you usually don't have much say in the password complexity of the service you use, unless you need the service to align with a specific standard for regulatory compliance requirements (i.e. PCI-DSS for any credit card payment processing company).

The reality is that even with the most stringent password complexity, passwords alone are not enough to protect an account; this is where 2FA would come in to add that additional layer of security. Now this obviously doesn't make things easier for the end-user, but it does add a layer of integrity.

For your personal accounts, I would advise you to take a look at the OAuth/SAML 2.0 configuration for the various services you use; you might be able to use your existing personal email account to log in to those services without the need to create a dedicated password for those systems. There are a lot of services out there that already support that.

As far as changing the password requirements within your work organization - that's tougher - as your organization would typically align to a standard that would explicitly outline the requirements.

-1

It sounds like your real concern here is not that your accounts are insecure, but rather that someone is wrong on the internet. Technically, of course, you are right about password requirements and cargo cults. But does it follow that you have to be annoyed and waste mental energy on it?

There is a minor practical problem here. But most password requirements can be easily handled by just making some small modification to a randomly generated password. Copy-paste limitations can be overcome by keeping a small JS snippet around for disabling all paste events. There is no need for a uniform password policy if you use a password manager.

The only real security problem is if the rules actually forbid you from using a secure enough password, as e.g. a short max length would. In my experience, that is a very rare problem. In these situations, you may have to choose between knowingly taking the risk or just refusing to use the site (which may come at a steep price, if it is the HR system).

So I propose a simple two step solution:

  • Can I generate a safe password? If yes, do it, and move on.
  • Can I avoid using the site? If yes, do it, and move on. If no, bite the bullet.
Anders