Password Anti-Pattern


Password Anti-Pattern is an Anti-pattern and are concepts that have been shown to be detrimental to Best Practices Password and user Experience [1]

Password Expiration#

Both NIST.SP.800-63B, Microsoft and Bruce Schneier recommend that passwords SHOULD NOT be arbitrarily expired after some interval.

The Shared Secret#

The user is asked to give the site login names and passwords for another site in order for the first site to access address books, connection lists or other data kept on the second site.[1]

The Password Anti-Pattern, in which a shared secret (the password) directly represents the party in question (the user). By sharing this secret password with applications, the user enables applications to access protected APIs.

Pasting of Passwords#

Pasting of Passwords was thought to be a good idea to prevent brute-Force attacks on passwords. All password login forms should have server-Side Login throttling schemes and allow pasting of passwords.

National Institute of Standards and Technology (NIST) position with this statement:[1]

Verifiers SHOULD permit claimants to use "paste" functionality when entering a memorized secret. This facilitates the use of Password Managers, which are widely used and in many cases increase the likelihood that users will choose stronger memorized secret.

Remember Me Checkbox#

Persistent Login Cookies ("Remember Me" functionality) are a danger zone

CAPTCHAs against humanity#

CAPTCHAs are meant to thwart one specific category of attack: automated dictionary/Brute-Force trial-and-error with no human operator.

Password Maximum Length#

Limiting Password Maximum Length

Password Character Composition#

Limiting Password Character Composition

Password Hints#

National Institute of Standards and Technology (NIST) thinks Password Hints are a bad idea:
Verifiers SHALL NOT permit the subscriber to store a "hint" that is accessible to an unauthenticated claimant.

Using Identity questions#

Do not implement 'secret questions'. The 'Identity questions' feature is a security Anti-pattern and Password Anti-Pattern.

More Information#

There might be more information for this subject on one of the following: