


Aleksander B

Short answer: In my opinion you are right. There is no need for such complex password requirements.

Longer one: human-readable passwords based on a few words can be really good, as this xkcd comic explains well: https://xkcd.com/936/ Of course, a password manager helps a lot. And everybody nowadays uses a password manager, right? :)


Simple: a) not all websites lock accounts (though most throttle login attempts). b) if you steal an encrypted password list you can break it using dictionary attacks.
Of course, as xkcd has taught us, complex password rules are often fulfilled in very nonrandom ways.


So people don't crack passwords that way. What they do is:
Normally a password file is leaked. This file contains not passwords, but "hashed" passwords. The user's password is sent through an algorithm that converts it to a string. This algorithm is deterministic, so you always get the same string when you send it through the function. Instead of trying on the site, you have something that can do the same hash, and you try on your own computer till you get a hash that matches. This means you've cracked the password.

Here's a great explanation of how cracking these passwords works, and it's done, not on the system where you'd enter the password, but on a "local" supercomputer.


Jon Plummer

Near as I can tell, the common password attack vector is not the "front door" where one types in their password to gain access to a website – it's leaked/breached tables of hashed passwords, thousands of them, representing all of the users of a site. There's nothing preventing someone from chewing on such a file to their heart's content, and it is valuable to do so because it represents a large number of users, many of whom use the same password on other sites. So the password rules are intended to make passwords harder to crack. But even in 2013 cracking tools were very good: https://www.schneier.com/blog/archives/2013/06/a_really_good_a.html

Mirek Długosz

I am not an expert, but I am somewhat informed.

I think the rationale is "we thought longer passwords were going to save us, and we were wrong". Modern security recommendations go beyond "try to think of a long, complicated password". I believe most experts today would agree on the following recommendations as suitable for common folks like you and me:

1. Use a password manager. It will create and store long passwords for you. You will only have to remember one password - the master password to the password manager (that unlocks all the other passwords). There are many password managers out there - some are free, some are paid, some sync across multiple devices, some do not. Apple has a password manager built in that works on all of their devices. Google has a password manager, but it works only in the Chrome browser and on Android devices.

2. Enable multi-factor authentication where possible. So when your password is eventually leaked (although password managers can help in making this a little less likely), it will be useless - as criminals don't have your other authentication factors. Usually MFA comes in the form of a short message sent to your mobile number, but "authenticator" apps are becoming more popular. Some password managers have that built in. Google and Microsoft both have "authenticator" apps for your phone.

Here is an article from an actual security expert: https://www.troyhunt.com/passwords-evolved-authentication-guidance-for-the-modern-era/ . It advises AGAINST some of the things that you mention - like requiring people to change passwords regularly.

Finally, to reply to the opening paragraphs. The password guessing game usually does not take place on the actual system, in part because - as you pointed out - the authentication system is likely to lock out the attacker after a couple of tries, in part because sending passwords over the wire is just way too slow. Most of the time, the attacker will obtain an authentication system database dump. It will contain a password field, and passwords are usually stored in encrypted (hashed) form, so they can't be read directly. So the attacker has two unknowns to figure out - the function input (password) and the actual hashing function. On any sufficiently large system database you can count on someone setting their password to "123456", "password" and common words from the dictionary. There are a few popular hashing functions you can blindly try (MD5, SHA256, bcrypt, Argon2), and sometimes you actually know how hashes are derived, because you obtained the source code of the system itself.
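The two comments above describe the same thing from two angles: a leaked table of hashed passwords is checked offline, and a handful of very common passwords will always be in it. The following is an added example (not code from the blog or from any commenter) that a site owner could run as a weak-password audit over their own user table; the accounts, passwords and the tiny "common passwords" list are constructed here, and PBKDF2 stands in for bcrypt/Argon2 only because it ships in Python's standard library. It shows why an unsalted fast hash lets one precomputed table cover every account, while a per-user salt and a slow key derivation force separate, expensive work per account.

```python
import hashlib
import os

# Constructed sample accounts; nothing here comes from a real breach.
SAMPLE_USERS = {
    "alice": "123456",
    "bob": "correct horse battery staple",
    "carol": "password",
    "dave": "Tr0ub4dor&3",
}
# Constructed stand-in for a "most common passwords" wordlist.
COMMON_GUESSES = ["123456", "password", "qwerty", "letmein"]

def make_unsalted_dump(users):
    """The weak storage the comments describe: plain SHA-256, no salt."""
    return {u: hashlib.sha256(p.encode()).hexdigest() for u, p in users.items()}

def audit_unsalted(dump, guesses):
    """Hash each guess once, then every account is a dictionary lookup.
    Returns (flagged accounts, number of hash computations needed)."""
    table = {hashlib.sha256(g.encode()).hexdigest(): g for g in guesses}
    flagged = {u: table[h] for u, h in dump.items() if h in table}
    return flagged, len(table)

def make_salted_dump(users, iterations=20_000):
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256).
    bcrypt or Argon2, named in the comment above, are the preferred choices."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations)
        out[u] = (salt, iterations, dk)
    return out

def audit_salted(dump, guesses):
    """No shared table is possible: each guess is re-derived per account,
    and every derivation costs `iterations` HMAC calls.
    Returns (flagged accounts, number of KDF computations needed)."""
    flagged, work = {}, 0
    for u, (salt, iterations, dk) in dump.items():
        for g in guesses:
            work += 1
            if hashlib.pbkdf2_hmac("sha256", g.encode(), salt, iterations) == dk:
                flagged[u] = g
                break  # stop at the first match for this account
    return flagged, work
```

Both audits flag the same two weak accounts; the difference is that the unsalted table needed one hash per guess in total, while the salted store needed a fresh slow derivation per guess per account.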

Michael Droy

It's the same power kick that gets the CDC making people wear masks and upping regulations on Omicron. Made stronger by identifying those that resist as the deplorables.
For me, far worse than long passwords (or not being able to re-use old ones) is rushed covid era websites that don't allow the browser to save the password.
There is also a push to double up on or replace passwords with alternative authentication like the Windows phone authentication app. Hugely age discriminating.

boB Rudis

As an actual expert, the state of the art recommendations are to use a multi-phrase password with multi-factor authentication. So something like "fling standard batton" (or longer) and then use an app-based MFA code. If you can't use that code, perhaps use a 4-5 word phrase. The complexity requirements don't work well unless you use a password manager, but you're still better off using generated phrases with a password manager than trying to remember them all yourself.

Abby Martin

re: Your student's question #1, I think the question of whether more legitimate users vs. hackers have been stopped this way is the wrong way of framing it, depending on the sensitivity of the data behind the password. For example, if the page you're trying to access is your bank account, how many times would you be OK with being prevented from logging in, assuming that the single time that someone else logs in they could steal all of your money? The risk of a single successful login is far greater than the risk of a single legitimate user being blocked from logging in.

Kaiser Fung. Business analytics and data visualization expert. Author and Speaker.