
What is a dumb password rule? #367

Closed
DimitriPapadopoulos opened this issue Jan 13, 2021 · 6 comments
Comments

@DimitriPapadopoulos

  • How do you define a dumb password rule?
  • Some countries may have recommendations or regulatory rules. Companies need or tend to follow them. Instead of shaming the company, shame the recommendations and regulatory rules.
@JoshuaBehrens
Contributor

There are countries with password rules :O ? I don't think we have some in Germany. There is a pretty good understanding of what a bad password is and insurances won't pay in these cases, but I don't think they rely on a written law.

Can you name a country that has such regulatory rules?

@DimitriPapadopoulos
Author

DimitriPapadopoulos commented Jan 13, 2021

France for example, but these are general "recommendations" from the data protection authority (CNIL) more than regulatory rules:
Password authentication: length, complexity, complementary measures

Companies will follow the above recommendations, because in case of personal data loss they might be held responsible.

But then is a mere minimal length for passwords considered to be a "dumb password rule"?

@DimitriPapadopoulos
Author

In Germany:

@depperm
Contributor

depperm commented Nov 23, 2021

I would define a dumb password rule as one that:

  • restricts max length
  • restricts characters allowed/disallowed
  • enforces rigid complexity (kind of ambiguous, but stuff like needing 1 uppercase, 1 lowercase, etc.) xkcd

Password guidelines (not enforced, to my knowledge, but there as a reference for what people should do)

  • NIST: National Institute of Standards and Technology (US)
    • password minimum length 8+
    • block/reject compromised/common/sequential passwords
    • ALL characters allowed
  • NCSC: National Cyber Security Centre (UK)
    • encourage password manager use (generated passwords can be super complex)
    • encourage memorable password (3 word (diceware) or CVC-CVC-CVC format)
    • don't enforce complexity
    • block/reject compromised/common passwords
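
The two rule sets contrasted above, as an added example that is not part of the thread or of the dumbpasswordrules project: a NIST-style check (8+ characters, reject compromised/common/sequential passwords, allow every character) next to the kind of policy the comment calls dumb (max length, banned characters, rigid complexity). The compromised-password set and the run length of 4 for "sequential" are constructed assumptions.

```python
# Added example (not from the issue thread): NIST-style password check
# versus a "dumb" rule set, following the criteria listed in the comment.
# COMPROMISED is a tiny constructed stand-in for a real breached-password feed.
COMPROMISED = {"password", "123456", "qwerty", "letmein"}  # constructed sample

def is_sequential(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive characters are all equal or all step by
    +1 / -1 in code point order, e.g. 'aaaa', 'abcd', '4321'.
    The run length of 4 is an assumption, not a published threshold."""
    for i in range(len(pw) - run + 1):
        cps = [ord(c) for c in pw[i:i + run]]
        steps = {b - a for a, b in zip(cps, cps[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False

def nist_check(pw: str) -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted.
    Only length and known-bad checks: no max length, no banned characters,
    no character-class requirements."""
    reasons = []
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if pw.lower() in COMPROMISED:
        reasons.append("appears in compromised-password list")
    if is_sequential(pw):
        reasons.append("contains sequential or repeated run")
    return reasons

def dumb_check(pw: str) -> list[str]:
    """The rule set the thread calls dumb, for contrast: it rejects long
    passphrases and spaces while accepting weak but 'complex' strings."""
    reasons = []
    if len(pw) > 16:
        reasons.append("longer than 16 characters")
    if not any(c.isupper() for c in pw) or not any(c.isdigit() for c in pw):
        reasons.append("needs 1 uppercase and 1 digit")
    if not pw.isascii() or " " in pw:
        reasons.append("spaces and non-ASCII characters not allowed")
    return reasons

if __name__ == "__main__":
    for pw in ("correct horse battery staple", "Password1", "123456"):
        print(f"{pw!r}: nist={nist_check(pw)} dumb={dumb_check(pw)}")
```

The long passphrase passes the NIST-style check and fails all three dumb rules, while `Password1` does the opposite of what a complexity rule intends: it satisfies the dumb policy yet gives little resistance to a dictionary attack.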

@depperm
Contributor

depperm commented Nov 24, 2021

Is this a duplicate of #80 ?

@duffn
Owner

duffn commented Feb 15, 2023

I've added a note on the new site about page on the definition of a dumb rule. Which is, in fact, that there's no real definition here except that you'll probably know one when you see one. https://dumbpasswordrules.com/about/

@duffn duffn closed this as completed Feb 15, 2023