32

I don't share any personal information with StackExchange, I'm not really worried about anyone trying to hack my account and I can't see any incentive for them to do so, and yet the password strength requirements are about the strongest I've ever seen.

Why does this site, and others, insist on strong passwords? What's the reasoning behind it? I can understand why my bank might insist on high security, but isn't it up to me how secure I want to be on here?

SPM
  • Your question presumes everyone understands potential risks and can properly assess them, and then modify their behavior accordingly. Most non-technical people I know have no real clue about the true potential risks or how to suss them out. Who has the most to lose from an embarrassing breach of user data, some random person or the company who runs the sites and has a reputation to maintain? – 0xSheepdog Dec 02 '14 at 16:55
  • If you're asking because you personally don't want to remember a long pass for stack sites, I recommend using a password manager (LastPass or 1Password). Then you will never even think about things like this. I view password restrictions as an absolute positive—the more the better (as long as they make sense). – user428517 Dec 02 '14 at 20:48
  • The award for "most password restrictions for an online service" does of course go to Apple. Makes sense though as you have credit card info on there and phones get lost often. – user60684 Dec 02 '14 at 20:49
  • I dislike complex password requirements on most sites too. What strikes me most is that it only encourages password reuse, and password reuse (1) defeats the strength of a password and (2) is impossible for a website to check. – el.pescado - нет войне Dec 02 '14 at 22:03
  • The real question ought to be Why is SE enforcing an idea of strong passwords that is WRONG WRONG WRONG. – Joshua Dec 03 '14 at 02:15
  • Funnily enough, most banks insist on you choosing _weak_ passwords. PNC allows 20 characters max, which is quite laughable. – Cubic Dec 03 '14 at 04:11
  • @Cubic I've had banks with a max of 8 chars. But I do have to say my favorites are ones that find fn0@k9j to be a "weak" password, but "Password11" is "strong". :facepalm: – Wayne Werner Dec 03 '14 at 05:08
  • @Cubic My bank has the restriction: a password has to be exactly 5 characters, where nothing other than numbers and lowercase letters is allowed. – Zaibis Dec 03 '14 at 08:01
  • I remember reading somewhere that StackOverflow uses it as an incentive to people to use OpenId instead. My google-fu failed me here. – Jesvin Jose Dec 03 '14 at 13:45
  • @aitchnyu I think that OpenId has been deprecated; I remember getting an email from SO to switch to a different authentication method – Thanos Tintinidis Dec 03 '14 at 16:00
  • "MyOpenID" is deprecated, but there are dozens of other OpenID providers Stack Exchange supports. Don't confuse the OpenID protocol/standard with Janrain's "MyOpenID" implementation of that protocol. – corsiKa Dec 03 '14 at 16:20
  • Please do more research before asking. This has already been asked and answered and analyzed in great detail previously. If you are asking about technical analysis of the password requirements for a login provider or sites in general, see http://security.stackexchange.com/q/3913/971 (asked by StackExchange folks to help them choose their policy). If you are asking about StackExchange sites specifically, this question belongs on Meta.StackExchange, not Security.SE; in that case, see http://meta.stackexchange.com/q/187759/160917 and http://meta.stackexchange.com/q/110678/160917. – D.W. Dec 03 '14 at 23:40
  • If your question is specifically about Stackexchange, would you be amenable to migrating it to Meta.stackexchange? If it's only about SE I don't think this is the best place for it. If your question is not specifically about Stackexchange, do you have any objections to editing it so it's not specifically about Stackexchange but applies more generally? – D.W. Dec 03 '14 at 23:43

8 Answers

57

Do you remember earlier this year when Apple's cloud was hacked?

Well, Apple's cloud wasn't hacked. Some celebrities with really weak passwords had their passwords guessed.

But the headlines will still read that Apple's cloud got hacked. And that is why you don't allow users to use really weak passwords.

Andrew Hoffman
  • This answer would benefit from some citations or external confirmation that password-guessing was the method of exploit. – Digital Chris Dec 02 '14 at 20:59
  • Thanks @DigitalChris, sorry I assumed this was widely known already. They are very PR savvy and aren't as brash as I am to blame weak passwords, but the last paragraph nudges users to use strong passwords in order to prevent this kind of attack. – Andrew Hoffman Dec 02 '14 at 21:08
  • I am not persuaded that it was weak passwords. The release also talked about "security questions." Security questions are de facto secondary passwords and for most celebrities the answers can easily be found. – emory Dec 02 '14 at 23:39
  • You seem to imply that Apple's security is good. Please read this: http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/all/ – Martin Argerami Dec 03 '14 at 04:09
  • @MartinArgerami I don't mean to imply that, I am not familiar with their environment. – Andrew Hoffman Dec 03 '14 at 14:19
  • @Andrew Hoffman Your Image - Hat combination is awesome xD –  Dec 17 '14 at 11:16
21

Some users will not provide any personal information and not care if their account gets hacked. Others will. It's easy to require strong passwords from everyone, and difficult to work out which users fall into which category and require strong passwords only from the latter group. So why would they bother to do it the difficult way?

Edited to add: What experience shows us is that you definitely can't rely on users to assess their own security requirements and pick strong passwords if they need security. Plenty of users who want and expect high levels of security will nevertheless pick weak passwords if they are allowed to do so.

Mike Scott
  • Well said, Mike. Just because YOU can properly assess the risk of using a website and take precautions does not mean everyone can or will. But when the breach occurs, it is not the users who are examined and criticized but the site managers. – 0xSheepdog Dec 02 '14 at 16:51
  • What if users use the same strong password on many sites? – el.pescado - нет войне Dec 02 '14 at 22:04
  • Then it isn't a strong password. Of course, it's hard to _check_ for this, but it's weak nonetheless – Nanne Dec 03 '14 at 14:21
11

Just because it doesn't matter to you doesn't mean it doesn't matter to anyone. I got a kick ass job from StackExchange's employment site, based largely on my reputation on the StackExchange sites. If my account were compromised there could be very real consequences for people like me.

Regardless of whether you care about your account being compromised or not, if a site requires a password, why wouldn't they require that it be secure? Not requiring that would be an exercise in security theater.

Abe Miessler
  • Was about to say the same; for people that use their real name (whether it's on SE or anywhere else) a compromise of their account can harm their real-life reputation pretty bad. –  Dec 02 '14 at 21:28
  • Unless your name is Bob Brown. There's a helluva lot of Bob Browns. (The picture's real, too; it's there to be a disambiguator.) – Bob Brown Dec 02 '14 at 22:01
  • This does not really answer the question. You are free to protect your Stack Exchange reputation by using a password that exceeds the Stack Exchange minimum requirements. – emory Dec 02 '14 at 23:44
  • @emory, is your point that users can choose to be more secure if they want? If so - I would argue that security should not be left in the hands of the user. If the site has something that is potentially valuable, it should be protected. – Abe Miessler Dec 03 '14 at 17:07
  • @AbeMiessler if StackOverflow requires a minimum of 8 characters but does not impose a maximum, then the user is free to be more secure if they want. Perhaps SPM values his SE account at $100, you value yours at $50,000, and me mine at $1,000,000. Then SPM might say that SE's password policies are too tight, you might say they are just right, and I might say they are too loose. But by your logic, SE should tighten up their password policies to protect my million dollar account and you should be forced to lengthen your password. – emory Dec 03 '14 at 17:54
  • @emory - I don't think that your `SE account -> $ value` is realistic, but yes - if the account is _actually_ worth $1,000,000 there should be password requirements. I guess my point is that if the site could potentially have something of value then the passwords requirements should reflect that and more importantly, **security should not be left in the hands of the end user**. I think it's quite possible that someone out there thinks `password` is a secure password. Just out of curiosity - what kind of password policy should Bank of America's website have if your account has $1 in it? – Abe Miessler Dec 03 '14 at 18:22
  • @AbeMiessler I am not disagreeing with SE's password policies, just with your answer. If your SE account is worth $50,000 to you and $1.00 to SE, then ultimately security will be left in your hands. – emory Dec 03 '14 at 22:22
  • @emory, you don't agree that security should not be the responsibility of the end users? – Abe Miessler Dec 04 '14 at 04:23
  • Security is ultimately a business decision. I don't value my SE account highly but use a password manager so the cost of a high entropy password is low. Without a password manager I would probably use a low entropy password. SE's policy must have costs (stricter requirements will deter some new users) and benefits (fewer hacked accounts). – emory Dec 04 '14 at 06:47
7

Your password not only protects your account, but also the whole community and the reputation of this site. If many users who don't care about their accounts would just use "123" as their password, some attacker could probably get access to a few hundred SE accounts easily. All kinds of SPAM protection could be bypassed by using verified user accounts, and the whole page could be flooded with advertisements, slander or extremist politics.

Furthermore, such actions could reflect badly on the whole SE network, as they easily allowed their service to be hacked and the whole page to be used for extremist chocolate-propaganda! Furthermore, many pages provide ways of sending e-mails, uploading files or other features which are a problem if abused through a high number of hacked accounts.

Accounts could probably be abused to host illegal content, or send SPAM to other pages.

Falco
  • I suspect it would be about as easy to pay people to sign up for SE accounts and post enough material to be "user-verified." – emory Dec 03 '14 at 22:48
  • I don't know how restrictive the sign-up policies are. And it isn't trivial to get enough reputation for most features on the site. So you would need at least people who write acceptable English and understand enough to post good answers to gain reputation. For a thousand accounts and a wage of 1$ per hour you are probably talking about a few thousand bucks. Hacking trivial passwords seems cheaper. – Falco Dec 04 '14 at 08:51
2

You can login with Gmail or Facebook I believe. Then those rules apply. Why do they force us? Because they want to. It's not only that you worry about your account being hacked, but they might worry about your account being hacked. For you - 1 point SE starter - not really an issue. For SE - in your case - if you don't become an active user - not a problem.

So you start here, you find good answers and support, you enjoy it, you start to become an active and good user, with a weak password. Then you have credibility, and your account gets hacked, spam is posted. I don't know what happens then, but maybe your account is closed or deleted. It's a lot of hassle, SE needs to check your identity - wasted time and energy!

Aside from the fact that all your points are lost, good points you can use to ask attention for problems that got lost, SE loses a bit of credibility. Then they have two other incentives to force us to use good passwords. First it makes it less attractive to crackers to try to break into accounts, and the more difficult it is, the less people will try to do so. The second is one of marketing and education: they teach us, the tech people who should do this anyway, to use good passwords and to find solutions so we can remember them.

SPRBRN
2

My wife and I constantly talk to our kids about habits. "You will do what you practice". My habit is I use LastPass Premium for all online passwords and enable Google Authentication or other support for multi-factor authentication when possible.

Frankly, there are very few passwords I actually know or care to know. LastPass will generate a strong password and I don't have to remember it. For example "8G62USWh@C!PDP^F@".

Also I like to use Open ID such as Google ID, for example on Stack. That allows me to use a strong and multi-factored authentication.

But, in a cynical way you are right, this site doesn't really matter for security. But, what habit do you practice?

Bob Ortiz
JH Webb
  • As a practical matter, I do use a password manager, but I interpreted the question not as a rant but as intellectual curiosity. Why do Stack Exchange's minimum password requirements (evidently) exceed those of most banks? Shouldn't it be the other way around? Maybe SE knows most of its users use password managers and they can get away with tighter requirements. Maybe SE users who forget their password just sign up for a new account whereas bank customers who forget their password consume 2 hours of teller time getting it reset. There has to be a business explanation. – emory Dec 04 '14 at 02:21
  • emory - comparing with banks is just wrong. You can't make the assumption that all banks do it right. Also, the banks I have worked with are long password (multiple passwords) plus 2FA for higher risk activities. – Rory Alsop Dec 04 '14 at 08:39
0

First, you should put passwords on your bank accounts so that mundane personal information like your birthday cannot easily be used against you.

Second, you should have a password manager like KeePassX.org that makes storing reasonable but not super critical passwords relatively easy.

Third, you're absolutely correct that typical sites do not actually need strong passwords, even if they want them.

In Stack Exchange's case however, there is a careers.stackoverflow.com site on which you might share personal information. You should probably secure your password here about as tightly as you secure your Facebook password, but not as tightly as you secure say your Gmail password.

Jeff Burdges
0

Some websites, including Stack Exchange, allow users to gain privileges that could be exceptionally damaging to the entire website and userbase if abused, such as if a malicious user gains control over the account. Assuming the site properly hashes passwords when stored, it's not easy to gauge password strength (without using a resource- and time-consuming brute force attack at the server side) once the password is submitted. (In theory, the password strength value could be stored at sign-up time for future reference, but this is a very unusual measure and I'll ignore it in this answer.)

Let's say a Stack Exchange user has a weak password. What if the user participates heavily over a period of time and ultimately gets elected or appointed as a ♦moderator on a particular SE site?

bwDraco
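The last answer makes the point that once a site stores only a password hash, it can no longer tell how strong that password was, so the only moment a policy can be enforced is at sign-up. The following is an added example (not code from Stack Exchange or from any answer above) of a sign-up-time check followed by salted PBKDF2 hashing. The minimum length of 8, the 40-bit entropy floor and the tiny deny-list are assumed, illustrative values, not Stack Exchange's actual rules; the entropy estimate is the usual character-class heuristic and is deliberately paired with a deny-list so that a dressed-up dictionary word like "Password11" (from the comments above) is still rejected.

```python
"""Sign-up-time password policy check plus salted hashing (constructed example)."""
import hashlib
import hmac
import math
import os
import re

# Assumed policy values; the page does not state Stack Exchange's real rules.
MIN_LENGTH = 8
MIN_ENTROPY_BITS = 40
# Constructed deny-list standing in for a real breached/common-password corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}


def estimate_entropy_bits(password: str) -> float:
    """Upper-bound heuristic: log2(alphabet size) * length.

    Real strength may be far lower (dictionary words, keyboard walks), which
    is why check_policy() also consults the deny-list.
    """
    alphabet = 0
    if re.search(r"[a-z]", password):
        alphabet += 26
    if re.search(r"[A-Z]", password):
        alphabet += 26
    if re.search(r"[0-9]", password):
        alphabet += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        alphabet += 33  # printable ASCII punctuation
    if alphabet == 0:
        return 0.0
    return math.log2(alphabet) * len(password)


def _core(password: str) -> str:
    """Strip leading/trailing digits and symbols and lower-case the rest,
    so 'Password11' is recognised as a decorated 'password'."""
    return re.sub(r"^[^a-zA-Z]+|[^a-zA-Z]+$", "", password).lower()


def check_policy(password: str) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if _core(password) in COMMON_PASSWORDS:
        problems.append("based on a common password")
    if estimate_entropy_bits(password) < MIN_ENTROPY_BITS:
        problems.append(f"estimated entropy below {MIN_ENTROPY_BITS} bits")
    return problems


def register(password: str) -> dict:
    """Enforce the policy, then keep only a salted PBKDF2-HMAC-SHA256 hash.

    After this returns, the server holds nothing from which the password's
    strength can be judged, which is why the check must happen here.
    """
    problems = check_policy(password)
    if problems:
        raise ValueError("; ".join(problems))
    salt = os.urandom(16)
    iterations = 200_000
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "hash": digest, "iterations": iterations}


def verify(record: dict, candidate: str) -> bool:
    """Constant-time comparison of the candidate against the stored record."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    # The sample passwords are the ones quoted in the comments and answers above.
    for pw in ["123", "Password11", "fn0@k9j", "8G62USWh@C!PDP^F@"]:
        print(repr(pw), check_policy(pw) or "accepted")
```

Running the module prints one line per sample: "123" fails on both length and entropy, "Password11" fails only the deny-list check despite a respectable heuristic entropy, "fn0@k9j" fails only on length, and the LastPass-style string is accepted.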