Password Anti-Pattern


Password Anti-Pattern is an Anti-pattern and are concepts that have been shown to be detrimental to Best Practices Password and user Experience [1]

Complex passwords policies have proven to do more harm than good, resulting in users creating easy to remember passwords that are even easier to hack!

The 2019 Verizon Data Breach Investigations Report confirms that hackers are taking full advantage, revealing that hacking is the #1 cause of data breaches in 2019. The report identifies phishing and the use of stolen credentials (passwords) as the top 2 hacking techniques used is successful data breaches.

Microsoft, The National Institute of Standards and Technology (NIST) and the United States Department of Homeland Security have drastically changed their recommendations for strong passwords policies.

Password Expiration#

Both NIST.SP.800-63B, Microsoft and Bruce Schneier recommend that passwords SHOULD NOT be arbitrarily expired after some interval.

Password Maximum Length No LIMIT#

NIST recommends to make it 256 the length does not matter because it's going to hash down to the same number of characters anyway.

Password Periodic Changes#

Password Periodic Changes offers no increased security in most cases. NIST declared "ineffective for others" and "often a source of __frustration__ to users."

The Shared Secret#

The user is asked to give the site login names and passwords for another site in order for the first site to access address books, connection lists or other data kept on the second site.[1]

The Password Anti-Pattern, in which a shared secret (the password) directly represents the party in question (the user). By sharing this secret password with applications, the user enables applications to access protected APIs.

Pasting of Passwords#

Pasting of Passwords was thought to be a good idea to prevent brute-Force attacks on passwords. All password login forms should have server-Side Login throttling schemes and allow pasting of passwords.

National Institute of Standards and Technology (NIST) position with this statement:[1]

Verifiers SHOULD permit claimants to use "paste" functionality when entering a memorized secret. This facilitates the use of Password Managers, which are widely used and in many cases increase the likelihood that users will choose stronger memorized secret.

Remember Me Checkbox#

Persistent Login Cookies ("Remember Me" functionality) are a danger zone

CAPTCHAs against humanity#

CAPTCHAs are meant to thwart one specific category of attack: automated dictionary/Brute-Force trial-and-error with no human operator.

Password Maximum Length#

Limiting Password Maximum Length

Password Character Composition#

Limiting Password Character Composition

Password Hints#

National Institute of Standards and Technology (NIST) thinks Password Hints are a bad idea:
Verifiers SHALL NOT permit the subscriber to store a "hint" that is accessible to an unauthenticated claimant.

Using Identity questions#

Do not implement 'secret questions'. The 'Identity questions' feature is a security Anti-pattern and Password Anti-Pattern.

More Information#

There might be more information for this subject on one of the following: