Are conventional password rules wrong?

in #security, 3 years ago (edited)


The problem is theoretical security vs practical security. Humans are poor at operational security.

The problem with password rules

Recently many media outlets have been posting great clickbait articles where the man who supposedly created our well-known password rules admits they are wrong.

I think it is erroneous to say that the rules are wrong. We could say that the rules don't adequately account for human ability; however, it would be fair to say that any rules, regardless of how you create them, will be mangled and badly abused by humans. The biggest problem is discipline.

How people think you should create better passwords: passphrases and dice passwords.
How people should actually create better passwords: password managers.

Password managers

The right way.

Across my home and work password safes I have more than 100 different accounts, all with unique passwords. Trying to remember one password of even 12+ characters is difficult enough; I'd probably struggle with 10 to 20, never mind 100 different passwords.

With a password manager you can easily generate 30+ character passwords from 3 character sets if you so desire. Regenerating a breached password is effortless too. Because the passwords are stored, you don't need to remember them either (huge win). In addition, you can generally copy and paste the password from the manager without any stress (they have in-built buttons for that: no need to highlight then ctrl+c, ctrl+v). The one secret you still have to remember is the master password that unlocks the safe, so make that the single strong password you memorise.

The outcome: less hassle / better security.

Passphrases / Dice passwords

The wrong way.

A passphrase of a "few words" isn't sufficient; you need 7 words, as noted by The Intercept in their piece on "dice password" construction: The Intercept - Passphrases.

Dice passwords would be reasonable if the process were followed rigorously: each word rolled from the standard 7776-word list adds about 12.9 bits, but only if every roll is kept as it lands. What happens in practice is that people get lazy and choose poor passwords (does this sound familiar?). People re-roll words they dislike, or add a flourish and then forget what flourish they added; both break the uniform selection the entropy estimate depends on. Folks will also get sick of typing 30+ characters every time (5 words of 6 characters is already 30 before spaces, and still falls short of the 7 words recommended). I wouldn't recommend these unless you can be disciplined about the creation process and are somehow able to remember tens of unique phrases (I certainly couldn't).

A lack of human discipline will ruin any rules intended for creating secure passphrases, and the problem of remembering passwords doesn't scale for humans at all.
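To put numbers on the comparison between the two sections above (a manager-generated password from three character sets, and a Diceware-style passphrase), here is an added example that is not part of the original post. It computes the entropy of each scheme, generates a manager-style password with the OS CSPRNG, and selects passphrase words with a five-dice roll the way the paper Diceware method does. The 16-word SAMPLE_WORDLIST is constructed for the offline demo and is not a real Diceware list; the mapping of dice rolls to a 0-based list index is this example's own convention.

```python
import math
import secrets
import string

# The three character sets the post mentions a manager drawing from: 26 + 26 + 10 = 62 symbols.
CHARSETS = (string.ascii_lowercase, string.ascii_uppercase, string.digits)

# Real Diceware lists hold 6**5 = 7776 words, one per five-dice roll.
DICEWARE_LIST_SIZE = 6 ** 5

# Constructed stand-in word list for the offline demo (NOT a real Diceware list).
# 16 words give only 4 bits per word, which is exactly why the list size matters.
SAMPLE_WORDLIST = [
    "anvil", "bishop", "candle", "dragon", "ember", "falcon", "garnet", "harbor",
    "island", "jigsaw", "kettle", "lantern", "meadow", "nectar", "orbit", "pebble",
]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols, each chosen uniformly from `alphabet_size` options."""
    return length * math.log2(alphabet_size)


def symbols_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Smallest number of uniformly chosen symbols (characters or words) reaching target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_password(length: int = 30, charsets=CHARSETS) -> str:
    """Manager-style password: every character uniform over the union of the sets,
    with at least one character from each set. Rejection sampling keeps the accepted
    passwords uniformly distributed; forcing one character per set would not."""
    if length < len(charsets):
        raise ValueError("length too short to include every character set")
    alphabet = "".join(charsets)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cs for ch in candidate) for cs in charsets):
            return candidate


def dice_to_index(rolls) -> int:
    """Map physical dice rolls (1..6 each) to a 0-based index; five rolls give 0..7775."""
    index = 0
    for roll in rolls:
        if not 1 <= roll <= 6:
            raise ValueError("each die shows 1 to 6")
        index = index * 6 + (roll - 1)
    return index


def roll_dice(count: int = 5):
    """Electronic dice drawn from the OS CSPRNG."""
    return tuple(secrets.randbelow(6) + 1 for _ in range(count))


def diceware_passphrase(n_words: int, wordlist=SAMPLE_WORDLIST) -> str:
    """Pick n_words uniformly. With a real 7776-word list this uses five dice per word,
    as the paper method does; any other list size falls back to secrets.randbelow.
    Re-rolling disliked words or editing them afterwards breaks the uniformity
    that the entropy figures assume."""
    size = len(wordlist)
    picks = []
    for _ in range(n_words):
        idx = dice_to_index(roll_dice(5)) if size == DICEWARE_LIST_SIZE else secrets.randbelow(size)
        picks.append(wordlist[idx])
    return " ".join(picks)


if __name__ == "__main__":
    pw = generate_password(30)
    print(f"manager password ({len(pw)} chars, 62 symbols): {pw}")
    print(f"  entropy: {entropy_bits(62, 30):.1f} bits")
    for n in (5, 7):
        bits = entropy_bits(DICEWARE_LIST_SIZE, n)
        print(f"{n} Diceware words: {bits:.1f} bits, matched by a "
              f"{symbols_for_bits(62, bits)}-character 62-symbol password")
    print(f"words needed for 80 bits from a 7776-word list: {symbols_for_bits(DICEWARE_LIST_SIZE, 80)}")
    demo = diceware_passphrase(7)
    print(f"demo passphrase from the 16-word sample list: {demo!r} "
          f"({entropy_bits(len(SAMPLE_WORDLIST), 7):.0f} bits only)")
```

The arithmetic is the point: 30 characters from 62 symbols is roughly 179 bits, while 5 Diceware words is about 65 bits and 7 words about 90 bits, the latter equivalent to a 16-character manager password. A 7-word phrase is therefore both longer to type and weaker than what a manager produces for free, and every shortcut in the rolling process only lowers the passphrase figure further.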

Learning More

The following article, which I wrote and published on one of my blogs, covers the topics found here. I cover password creation, use, and general management. I also cover some common myths pushed by people who don't quite understand the fundamental principles of cryptography.