How computer scientists got password policies so wrong

(stuartschechter.org)

4 points | by throw0101b 3 hours ago

2 comments

  • snarbles 2 hours ago
    The conclusion of the article seems to be that passwords should be encrypted with asymmetric encryption instead of being hashed. I really couldn't disagree more. We see how competently companies manage their security. It's very easy to imagine a scenario like a company using the same key to encrypt every password. They accidentally push it to github or otherwise get it compromised and now a dumped database becomes a table of plaintext passwords, no rainbow tables needed.

    What we really got wrong about passwords is using them in the first place. I don't know anything about how passkeys are implemented. I would hope they aren't tied into any OAuth nonsense (IMO OAuth is a cure worse than the disease), but even if the implementation were flawed, passkeys are the right kind of solution: cryptographic authentication that plays to the computer's strength instead of depending on something humans aren't good at.
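    To make the contrast snarbles draws concrete, here is an added example (not code from the thread or from the linked article): a password store that keeps only a per-user salt and a memory-hard scrypt output. There is no long-lived key whose leak would turn a dumped table into plaintext; the scrypt cost parameters are assumed and should be tuned for the deployment.

```python
import hashlib
import hmac
import os

# Assumed cost policy (constructed for this example; tune per deployment).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN = 16
KEY_LEN = 32
MAXMEM = 64 * 1024 * 1024


def _derive(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    """Memory-hard derivation; the output cannot be reversed to the password."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=n, r=r, p=p, maxmem=MAXMEM, dklen=KEY_LEN)


def make_record(password: str) -> str:
    """Build the stored record: scheme, cost parameters, random salt, derived key.
    Nothing in it lets a holder of the database recover the password, and two
    users with the same password get different records because of the salt."""
    salt = os.urandom(SALT_LEN)
    key = _derive(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    return "$".join(["scrypt", f"{SCRYPT_N}:{SCRYPT_R}:{SCRYPT_P}",
                     salt.hex(), key.hex()])


def verify(password: str, record: str) -> bool:
    """Re-derive with the parameters and salt stored in the record and compare
    in constant time, so a leaked record is only useful for guessing."""
    scheme, params, salt_hex, key_hex = record.split("$")
    if scheme != "scrypt":
        return False
    n, r, p = (int(x) for x in params.split(":"))
    candidate = _derive(password, bytes.fromhex(salt_hex), n, r, p)
    return hmac.compare_digest(candidate, bytes.fromhex(key_hex))


def needs_rehash(record: str) -> bool:
    """True when the record was made under a weaker policy than the current one;
    call after a successful verify() to upgrade old records transparently."""
    scheme, params, _, _ = record.split("$")
    if scheme != "scrypt":
        return True
    n, r, p = (int(x) for x in params.split(":"))
    return n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P
```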

  • bediger4000 1 hour ago
    So this is just another case of superstitions I mean Best Practices. Some belief gets spread around in the form of "an authority told me so", and then never goes away because there's no incentive to get rid of it.

    Passwords in the age of smartphones are just excruciating - all too often, there's no way to "show password" as you type it on a virtual keyboard with tiny keys, large fingertips, and an unsteady base (your non-dominant hand). You are required to use passwords that satisfy rules intended to enforce high entropy, but are equally Best Practices with no data behind them. To set those high entropy passwords, using difficult ergonomics, you have to fingertip type the same string of characters twice.

    The dots or asterisks for password input is another relic of a bygone day, when CRTs with a wide viewing angle stayed at a substantial distance from an obscuring body part, like a head or chest. Fingertip typing it twice is an artifact of the Best Practice that requires strings with Best Practice elaborate rules. The difficult ergonomics are not a Best Practice but instead enforced by Euclidean geometry and how big something can be before it doesn't fit in a pocket.

    At this point, we can realize that password format policies and data entry are just a pile of unsupported superstitions. The bad ergonomics synergetically reinforces the unsupported superstitions.