
Password strength

Original author: Casey Johnston

Why are there so many password restrictions to navigate? Characters want to be free.


The password creation process on different websites can be a bit like visiting foreign countries with unfamiliar social customs. This one requires eight characters; that one lets you have up to 64. This one allows letters and numbers only; that one allows hyphens. This one allows underscores; that one allows @#$&%, but not ^*()[]!—and heaven forbid you try to put a period in there. Sometimes passwords must have a number and at least one capital letter, but no, don’t start the password with the number—what do you think this is, Lord of the Flies?

You can’t get very far on any site today without making a password-protected account for it. Using the same password for everything is bad practice, so new emphasis has emerged on passwords that are easy to remember. Sentences or phrases of even very simple words have surfaced as a practical approach to this problem. As Thomas Baekdal wrote back in 2007, a password that’s just a series of words can be “both highly secure and user-friendly.” But this scheme, as well as other password design tropes like using symbols for complexity, does not pass muster at many sites that specify an upper limit for password length.

Most sites seem to have their own particular password bugaboos, but it’s rarely, if ever, clear why we can’t create passwords as long or short or as varied or simple as we want. (Well, the argument against short and simple is concrete, but the others are not immediately clear). Regardless of the password generation scheme, there can be a problem with it: a multi-word passphrase is too long and has no symbols; a gibberish password is too short, and what’s the % doing in there?

Original author: Peter Bright

Microsoft Accounts—the credentials used for Hotmail, the Windows Store, and other Microsoft services—will soon offer two-factor authentication to ensure that accounts can't be compromised through disclosure of the password alone.

Revealed by LiveSide, the two-factor authentication will use a phone app—which is already available for Windows Phone, even though the two-factor authentication isn't switched on yet—to generate a random code. This code must be entered alongside the password.

For systems that are used regularly, it's possible to disable the code requirement and allow logging in with the password alone. For systems that only accept passwords, such as e-mail clients, it appears that Microsoft will allow the creation of one-off application-specific passwords.


Broadwell's entry in one of the leaked Stratfor documents.

Paula Broadwell, the biographer and reported mistress of CIA director David Petraeus, appears to have been a subscriber to the "private intelligence" firm Stratfor—and that means that her Stratfor login account and its hashed password were hacked and released last year by Anonymous.

The Stratfor hacker, who the US government says was Chicago-based Jeremy Hammond, obtained a complete roster of all corporate client accounts. These were released online in a massive file called stratfor_users.csv. Inside that file appear the details for one account, whose hashed password is listed as "deb2f7d6542130f7a1e90cf5ec607ad1."

It's not clear whether the leak was meaningful—Broadwell's Stratfor password and her actual Yahoo e-mail password might have differed—but the prevalence of password reuse raises the possibility that hackers could have accessed her Yahoo e-mail or perhaps even the Gmail account she allegedly used to correspond with Petraeus.


New submitter isoloisti writes "Hot on the heels of IBM's 'no more passwords' prediction, Wired has an article about provocative research saying that passwords are here to stay. Researchers from Microsoft and Carleton U. take a harsh view of research on authentication (PDF), saying, 'no progress has been made in the last twenty years.' They dismiss biometrics, PKI, OpenID, and single-signon: 'Not only have proposed alternatives failed, but we have learnt little from the failures.' Because the computer industry so thoroughly wrote off passwords about a decade ago, not enough serious research has gone into improving passwords and understanding how they get compromised in the real world. 'It is time to admit that passwords will be with us for some time, and moreover, that in many instances they are the best-fit among currently known solutions.'"


I really like this little module, and I'd like to help maintain it. Or at least, permit me to submit a patch which should solve several outstanding tickets at once (plus a few I found myself). Since the patch is so big and changes a LOT, I've also just included a drop-in replacement of genpass.module. Here's what it includes:

- I changed some of the coding style to make Coder happy.

- I added LOTS of documentation.

- I used defines for the genpass_mode options (easier to remember what modes mean throughout the code). These are GENPASS_DEFAULT, GENPASS_OPTIONAL, and GENPASS_RESTRICTED.

- When the user cannot choose a password, I changed from a hidden password field (which can be manipulated) to restricting access via #access = FALSE.

- I consolidated the two user registration validation functions to reduce duplicate code.

- I also removed the genpass_user_admin_settings_submit() function, since everything in it was unnecessary. All the settings included in the user settings form get saved automatically by system_settings_form().

- I added the following confirmation message if the password is optional (user is creating account) (reference #405774: 'Generated password' message needed?):

Since you did not provide a password, the following was generated for you: !password

- When an admin is creating the account, the message won't show the password (for security reasons), but instead will show the following message (reference #316027: tell the password to admin, #686192: Force notify user of new account):

Since you did not provide a password, it was generated automatically for this account.

- If the password was restricted (meaning users cannot choose a password on registration), then they will see the following message:

The following password was generated for you: !password

- If "Require e-mail verification when a visitor creates an account" is checked, then no password fields will appear on the regular registration form (this is Drupal's default behavior), so the module is forced into restricted mode, no matter what mode is chosen. To reflect that, I updated the description on the settings form:

Choose a password handling mode for new users. Note that if "Require e-mail verification when a visitor creates an account" is selected above, then the third option always applies for the regular user registration form. Also note that for manual user creation by an administrator, the second option always applies.

- If the password is optional, the password description is appended to say the following:

Provide a password for the new account in both fields. If left blank, a password will be generated for you.

- Another UI improvement I added is bolding the password examples on the user settings page, since they sometimes contain a comma, and it was hard to distinguish where the password ended.

Obviously, this is a lot, and requires some testing. I've tried all the permutations of settings I could think of, and everything looks good to me. But I'd like somebody else to check it out, too.
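An added example of the mode handling described in the comment above, written here for illustration rather than taken from the genpass module or the patch: it assumes Drupal 6's Form API and user.module functions, and the module name "genpass_demo", the variable 'genpass_mode' and the numeric mode values are assumptions. The point it shows is why #access = FALSE is the right replacement for a hidden field, and how the message differs by who is creating the account.

```php
<?php
// Added example, not the genpass module's own code. "genpass_demo", the
// 'genpass_mode' variable and the mode values are assumptions; the rest is Drupal 6.
define('GENPASS_DEFAULT', 0);    // the user must choose a password
define('GENPASS_OPTIONAL', 1);   // blank is allowed; one is then generated
define('GENPASS_RESTRICTED', 2); // the user never chooses; always generated

// Implements hook_form_alter(): adjust the registration form to the mode.
function genpass_demo_form_alter(&$form, $form_state, $form_id) {
  if ($form_id != 'user_register') {
    return;
  }
  $mode = variable_get('genpass_mode', GENPASS_DEFAULT);
  if (user_access('administer users')) {
    $mode = GENPASS_OPTIONAL;    // an admin may always leave it blank
  }
  elseif (variable_get('user_email_verification', TRUE)) {
    $mode = GENPASS_RESTRICTED;  // core removed the field; only generation is left
  }
  if ($mode == GENPASS_RESTRICTED && isset($form['account']['pass'])) {
    // Weak (what the patch replaces): a hidden field round-trips through the
    // browser, so the POSTed value is whatever the client sends back:
    //   $form['account']['pass'] = array('#type' => 'hidden', '#value' => user_password());
    // Hardened: never rendered, and Form API discards any value submitted for it.
    $form['account']['pass']['#access'] = FALSE;
  }
  elseif ($mode == GENPASS_OPTIONAL) {
    $form['account']['pass']['#required'] = FALSE;
    $form['account']['pass']['#description'] = t('Provide a password for the new account in both fields. If left blank, a password will be generated for you.');
  }
  $form['#validate'][] = 'genpass_demo_register_validate';
}

// Validate handler: runs before user_register_submit(), so the password set
// here is the one core saves. The password is shown only to its future user.
function genpass_demo_register_validate($form, &$form_state) {
  if (!empty($form_state['values']['pass'])) {
    return;                      // the user chose one
  }
  $pass = user_password();
  $form_state['values']['pass'] = $pass;
  if (user_access('administer users')) {
    drupal_set_message(t('Since you did not provide a password, it was generated automatically for this account.'));
  }
  elseif (isset($form['account']['pass']['#access'])) {
    drupal_set_message(t('The following password was generated for you: !password', array('!password' => $pass)));
  }
  else {
    drupal_set_message(t('Since you did not provide a password, the following was generated for you: !password', array('!password' => $pass)));
  }
}
```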
