Why do so many sites make you enter a stupid password

[Chris Ashdown]

Why do so many sites make you enter a stupid password. after all its the password you feel happy with so why dictate things like must include Capital, Number, Symbols and so on..

I am sure that most people then have to write the new password down so they can remember it or get windows to save it all that tends to defeat the whole point , and the clever crooks will have a selection of password find software anyway.

The strange point is they only get access to a boring account that has a bit of history on what you have brought and entry to a order form, card details are located elsewhere

End of todays grumpy old crinkly post

 

[ctrlbrk]

Why do so many sites make you enter a stupid password. after all its the password you feel happy with so why dictate things like must include Capital, Number, Symbols and so on.

One of the reasons I think is to discourage people from using an easy to guess password.

Check this article for the most common passwords. It suggests that the most commonly used are things like 1234567890, so websites encourage (force) users to have at least one letter, one number, etc.

 

[fisicx]

I let the browser generate and save the password. Much simpler way of doing things.

 

[wayzgoose]

I let the browser generate and save the password. Much simpler way of doing things.

Hope you've got a strong password for the browser

 

[fisicx]

Of course: 1234567890

 

[Lucan Unlordly]

I can't remember most of my passwords myself so good luck anyone else trying

Slight thread hijack but it's having to reject Cookies on every site that does my head in.......

 

[Daybooks]

Why do so many sites make you enter a stupid password. after all its the password you feel happy with so why dictate things like must include Capital, Number, Symbols and so on..

I am sure that most people then have to write the new password down so they can remember it or get windows to save it all that tends to defeat the whole point , and the clever crooks will have a selection of password find software anyway.

The strange point is they only get access to a boring account that has a bit of history on what you have brought and entry to a order form, card details are located elsewhere

End of todays grumpy old crinkly post

I think because programmers found a way to do it and thought it was a good idea. It then tends to become the ‘norm’ like “follow the leader” without realising their sight impairment.

 

[fisicx]

Slight thread hijack but it's having to reject Cookies on every site that does my head in.......

Install ghostery, does it all for you

 

[Ian J]

Many years ago I was a moderator on a forum using vbulletin and there was a hack that would show passwords although you couldn't actually read them as they were encrypted. There were three passwords that literally hundreds of members were using and although we couldn't see what they were I would guess that two of them were 12345678 and password.

The facility was quite useful for catching banned members from re-registering as whilst they used a different name they tended to use the same password

 

[Kerwin]

I use Bitwarden to generate and save passwords. For £10 a year it is well worth it.

 

[DontAsk]

Requiring certain characters actually makes the password weaker for brute force cracking. The enigma code was broken in part due to the repeated use of certain phrases. Such hints were known as nonces.

Many web developers are idiots when it comes to password policy.

Requiring frequent password changes leads to gaping holes due to user behaviour, such as intervention incrementing the final digit..

The only defense against brute force is a long password. Ergo, the only good password is a long, unique, password.

 

[Kerwin]

Assuming websites hash passwords using a secure hashing function with a unique salt it should dramatically reduce the risk of someone brute forcing the underlying password since the website just stores the resulting hash and not the password itself.

 

[tony84]

We are registered with maybe 40 mortgage lenders.
All have different rules regarding passwords.

I do wish there was one central log in where we could log in and click the lender we wanted to use.

 

[Kerwin]

We are registered with maybe 40 mortgage lenders.
All have different rules regarding passwords.

I do wish there was one central log in where we could log in and click the lender we wanted to use.

There are single sign on options but each provider has to explicitly support it.

 

[ctrlbrk]

I've just come across this. Usual disclaimers apply, but I've checked the website that has generated this and it seems a lot of research has gone into it.

https://imgur.com/a/MaF9bs8

 

[DontAsk]

I've just come across this. Usual disclaimers apply, but I've checked the website that has generated this and it seems a lot of research has gone into it.

https://imgur.com/a/MaF9bs8

Looks reasonable. Like I said, the only strong password is a long password.

All passwords should allow the users free choice from upper/lower case, numbers and specialcharacters.

Requiring or disallowing certain characters be included is a sure way to give a hint.

 

[fisicx]

Xkcd said this years ago:

Password Strength

xkcd.com

 

[DontAsk]

Just be careful what words you choose https://www.forbes.com/sites/daveyw...t-can-hack-77-of-three-random-word-passwords/

 

[Kerwin]

If you use a password manager (and you really should) you only need to remember one password.

 

[DontAsk]

If you use a password manager (and you really should) you only need to remember one password.

No I don't, nor will I ever.

LastPass, anyone?

Also cases of getting you hooked and then shafting you for increased fees.

 

[Kerwin]

No I don't, nor will I ever.

LastPass, anyone?

Also cases of getting you hooked and then shafting you for increased fees.

You should use Bitwarden. It is open source and has regular security audits and the premium plan is £10 a year. Or you could just host it yourself so you don't need to worry about anything happening with Bitwarden itself.

 

[DontAsk]

You should use Bitwarden. It is open source and has regular security audits and the premium plan is £10 a year. Or you could just host it yourself so you don't need to worry about anything happening with Bitwarden itself.

I wouldn't trust any open source password manager software.

Not without going through the code line by line and building it myself, which I don't have time for.

It's simply too easy to pollute a source repository these days.

 

[Gecko001]

Is a password manager secure enough that it cannot be hacked by would-be cyber criminals, thereby giving access to lots of nice data that they can use for phishing, and other types of cyber fraud?

 

[Kerwin]

Is a password manager secure enough that it cannot be hacked by would-be cyber criminals, thereby giving access to lots of nice data that they can use for phishing, and other types of cyber fraud?

A good password manager (with a strong master password) is completely safe. They are end to end encrypted and are fine for storing sensitive data.

I would always go with an open source option if available though.

 

[DontAsk]

I would always go with an open source option if available though.

Do you audit the source code and build and install yourself? Otherwise, how do you know it's safe and that the executable you are running was actually built for the source it purports to be built from?

 

[DontAsk]

Is a password manager secure enough that it cannot be hacked by would-be cyber criminals, thereby giving access to lots of nice data that they can use for phishing, and other types of cyber fraud?

Nothing is 100% safe these days.

https://www.beyondidentity.com/resource/password-managers-hacked-a-comprehensive-overview

 

[Kerwin]

Do you audit the source code and build and install yourself? Otherwise, how do you know it's safe and that the executable you are running was actually built for the source it purports to be built from?

Open source is often considered safer as multiple people can analyse the code where as with proprietary code you have no idea of the quality of code or whether there are bugs in the software that can cause security issues.

It is one of the reasons Linux is so popular on websites that have high security requirements. Banks for instance use open source security software.

Technically you are right that anyone can submit code to open source software that can introduce security problems but the fact that other community members have to approve code being added to the software reduces the possibility of insecure code making it into the project.

 

[Simon Plummer]

Hi everyone,

I came across this thread and wanted to offer a perspective from the cybersecurity field, as the topic of passwords is fundamentally important to online safety.

While the frustration with complex password requirements is understandable (we've all been there!), there are crucial security reasons behind them. Many of the "stupid" rules – requiring length, uppercase, lowercase, numbers, and symbols – are designed to make passwords significantly harder for attackers to guess or 'crack' using automated tools (like brute-force attacks). A simple, easily guessable password can be compromised in seconds, potentially exposing sensitive personal or business data.

The real challenge isn't necessarily creating strong passwords, but managing them effectively. Trying to remember dozens of unique, complex passwords for every online account is practically impossible, and reusing passwords across multiple sites is a major security risk (if one site is breached, attackers can try that same password elsewhere – this is called credential stuffing).

So, how do you manage them simply and securely?

The best approach, and one we strongly advocate, is using a password manager.

• What they do: These tools securely store all your passwords in an encrypted vault. You only need to remember one strong 'master password' to unlock the vault.
• Benefits:
  • They can generate incredibly strong, unique passwords for each site automatically.
  • They autofill login details, saving you time and hassle.
  • You don't need to remember any password except your master password. Personally, I couldn't tell you what most of my individual site passwords are – my password manager handles it all!
  • Many reputable options are available (e.g., Bitwarden, 1Password, LastPass - though do your own research on recent security postures).

This approach balances high security with user convenience. You get the benefit of complex, unique passwords everywhere without the headache of remembering them.

For authoritative guidance on creating strong passwords and using password managers effectively, I highly recommend checking out the UK's National Cyber Security Centre (NCSC) guidelines. They have excellent, easy-to-understand advice for individuals and businesses: https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/use-a-strong-and-separate-password-for-email (This link specifically focuses on email passwords, but the principles apply broadly, and the site has more general password advice too).

Specific guidance on password managers can be found here too: https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/password-managers

Hope this helps clarify why those password rules exist and offers a practical solution to managing them!

Best regards,

Simon Plummer (Collective Security)

 

[Russ Michaels]

Why do so many sites make you enter a stupid password. after all its the password you feel happy with so why dictate things like must include Capital, Number, Symbols and so on..

I am sure that most people then have to write the new password down so they can remember it or get windows to save it all that tends to defeat the whole point , and the clever crooks will have a selection of password find software anyway.

The strange point is they only get access to a boring account that has a bit of history on what you have brought and entry to a order form, card details are located elsewhere

End of todays grumpy old crinkly post

because weak passwords and re-using those passwords is why most people's accounts get hacked and their identity stolen.
Getting access to a boring account is not the point, its getting access to your personal info, security questions/answers etc. Once a hacker gets into one of your accounts, chances are they will us that info to get into others.
Having weak passwords on your email account is the biggest risk of all, as hackers can then get into everything from there.

Password managers have been around for many years now,m so there is absolutely no need for anyone to write down or remember complex passwords.

I strongly suggest you read this

Why You Should Be Using a Password Manager - NOT LastPass

Why you should be using a password manager. Use lastpass to securely store your logins and passwords and other sensitive data. Protect yourself from hackers

michaels.me.uk

and this

Password managers are not just for passwords

Password managers such as #lastpass or #dashlane are not just for passwords. They have many other uses when it comes to storing personal data that you may need quick access to. This article hopefully will give you some ideas.

michaels.me.uk

 

[Gecko001]

Technically you are right that anyone can submit code to open source software that can introduce security problems but the fact that other community members have to approve code being added to the software reduces the possibility of insecure code making it into the project.

So would-be hackers and cyber fraudsters are banned from becoming members of this community?

 

[Kerwin]

So would-be hackers and cyber fraudsters are banned from becoming members of this community?

I meant other developers of the software. Each time a programmer changes a program they create a commit which is then sent to be merged into the product as a whole but commits will only be merged once they have been reviewed by one (or more) other developers which makes the possibility of adding backdoors and other security holes into the software much less likely.

If you have more eyes on the code then the possibility of bugs is reduced as more people can spot them.

 

[DontAsk]

Many of the "stupid" rules – requiring length,

Length is never a stupid requirement.

uppercase, lowercase, numbers, and symbols – are designed to make passwords significantly harder for attackers to guess or 'crack' using automated tools (like brute-force attacks).

Requiring these is a gift to brute force attacks.