Poll of the Day > Why do companies force you to make long passwords?

(+) Yeah! (+)

Why should they care if you make a password thats easy to guess? They should just put on the screen that they dont recommend that password, but let you do what you want

Assuming a breach doesn't cost them money or other hassle to deal with...

Because of bad password creation guidance from someone who has said that overly complicated passwords are wrong. They're not actually any safer, and in a lot of instances, make it easier for people to steal, because people write them down.

Pass phrases are much safter, longer, and easier to remember.

ZangsBeard posted...

Assuming a breach doesn't cost them money or other hassle to deal with...

Because of bad password creation guidance from someone who has said that overly complicated passwords are wrong. They're not actually any safer, and in a lot of instances, make it easier for people to steal, because people write them down.

Pass phrases are much safter, longer, and easier to remember.

Yeah. I know that Ive written and typed out the complicated ones since I know I wont remember them, but will still need to use them. And before I started to write some of them down, I was changing them a bunch since I could never remember all of them. And since I made a bunch of account on different sites at different times, they all had different requirements. My earlier sites didnt need to be a certain length or have certain characters, so they are easier to use. But then, they all had to be a certain length. And then, they all had to have number and special characters It just got worse and worse

People are afraid of data breaches.

Why don't you use a password manager?

Biometric

2-factor authentication

Judgmenl posted...

People are afraid of data breaches.

Why don't you use a password manager?

I was using the one on Google chrome for a while Until I got locked out of it somehow Id rather just use passwords I can remember that I can choose without someone telling me to make it more complicated when that doesnt even help much

Dmess85 posted...

Biometric

2-factor authentication

Yeah. More stuff is coming out that uses biometrics. Which works for me At that point, I probably wont need to ever remember the overly complicated passwords anymore

That said, I usually dont use 2-factor authentication

Judgmenl posted...

People are afraid of data breaches.

this bro, come on TC surely you knew this lol

FatalAccident posted...

this bro, come on TC surely you knew this lol

Yeah. But Im also afraid of not being able to get into my own accounts. Besides, as started earlier, data breaches can become more frequent since people end up writing down passwords in many cases due to having to make a password they cant remember since they have to be long and overly complicated

LinkPizza posted...

Yeah. More stuff is coming out that uses biometrics. Which works for me At that point, I probably wont need to ever remember the overly complicated passwords anymore

That said, I usually dont use 2-factor authentication

There is also magic-link (or deeplink) sign in which I guess can be considered a form of 2-factor auth but it doesn't require users to have a password with their account, just a phone number or email.

I just hate when a sites have a password MAXIMUM... especially if it's like 8 characters. That's like a 2 second hack

Dmess85 posted...

There is also magic-link (or deeplink) sign in which I guess can be considered a form of 2-factor auth but it doesn't require users to have a password with their account, just a phone number or email.

I dont think Ive heard of this before

The dumbest "password" rule I've ever seen was creating a PIN for my American Express card. You are REQUIRED to use a date as the PIN (American style, month first). 0911, 0704, 1225 or the like. You CANNOT just use any number you want. You can't have 0666 or 1312.

That means instead of 10,000 possible numbers, there are only 366. And there's a 75% chance the first digit will be a 0 (and a 25% chance of a 1). And the third digit can only be a 0, 1, 2, or rarely a 3.

LinkPizza posted...

Why should they care if you make a password thats easy to guess? They should just put on the screen that they dont recommend that password, but let you do what you want

This is such a stupid take.

captpackrat posted...

The dumbest "password" rule I've ever seen was creating a PIN for my American Express card. You are REQUIRED to use a date as the PIN (American style, month first). 0911, 0704, 1225 or the like. You CANNOT just use any number you want. You can't have 0666 or 1312.

That means instead of 10,000 possible numbers, there are only 366. And there's a 75% chance the first digit will be a 0 (and a 25% chance of a 1). And the third digit can only be a 0, 1, 2, or rarely a 3.

Thats weird. Its really limits your options. Is there a reason for that? I feel that would also be easy to guess. There are probably only so many dates that would be easy to remember for many people Not to mention using less that 4% of what should be 10,000 different possibles PINs

LinkPizza posted...

Yeah. But Im also afraid of not being able to get into my own accounts. Besides, as started earlier, data breaches can become more frequent since people end up writing down passwords in many cases due to having to make a password they cant remember since they have to be long and overly complicated

Make a phrase instead, youll meet the length requirement, it will be super easy for you to remember, and it will be difficult for someone to brute force.

ChaoticKnuckles posted...

Make a phrase instead, youll meet the length requirement, it will be super easy for you to remember, and it will be difficult for someone to brute force.

I could do that. I remember actually making a phrase from numbers once for something that needed just numbers for a password. That said, it have to be a phrase I can remember. And for most sites, I would need to make sure to add numbers and special characters (and they have to be special characters the site can use) That said, the reason I made this topic was because I had to change my Hulu password (which I dont ever remember doing since I made it), so a phrase might also be hard to remember when I changed it from a password I made years and years ago Though, it would be good for a password for a new account site if I need one (as long as I can think of an appropriate phrase. Many sites have extra restrictions like no common passwords, certain words not being used, no 3 numbers in sequential order, certain special characters not being used, and other things

LinkPizza posted...

I could do that. I remember actually making a phrase from numbers once for something that needed just numbers for a password. That said, it have to be a phrase I can remember. And for most sites, I would need to make sure to add numbers and special characters (and they have to be special characters the site can use) That said, the reason I made this topic was because I had to change my Hulu password (which I dont ever remember doing since I made it), so a phrase might also be hard to remember when I changed it from a password I made years and years ago Though, it would be good for a password for a new account site if I need one (as long as I can think of an appropriate phrase. Many sites have extra restrictions like no common passwords, certain words not being used, no 3 numbers in sequential order, certain special characters not being used, and other things

Thats fair, phrases along with a password manager are what I use. I dont really remember the vast majority of my passwords but I use a password manager so if I need to check what it is I can.

ChaoticKnuckles posted...

Thats fair, phrases along with a password manager are what I use. I dont really remember the vast majority of my passwords but I use a password manager so if I need to check what it is I can.

I use to use the one made in Google Chrome a while ago (even before the millions of ads I see daily now). But it was connected to my computer passwords somehow. One day, it kept saying I didnt have the right password, even though I never changed it. But it might have been a problem with my computer, since after that, I couldnt log into my computer with my password anymore. Said it was wrong. I know it wasnt, but what could I do. Since then, I havent used one. Haha.

KeePass is great, since it's free and it's entirely local; you're not uploading your passwords to some website that's going to be a major target for hackers.

The only down side is you have to manually copy your password file to your phone, and you have to be careful about maintaining a backup of the file, since it's not stored in the cloud (unless you put it there).

because it directly affects the % of accounts that get 'hacked'. when you have way too many support calls about people having their accounts hacked... raise the password strength requirements and you will notice an immediate drop in account hacks. in many cases strong passwords are required in the first place by payment providers.

captpackrat posted...

KeePass is great, since it's free and it's entirely local; you're not uploading your passwords to some website that's going to be a major target for hackers.

The only down side is you have to manually copy your password file to your phone, and you have to be careful about maintaining a backup of the file, since it's not stored in the cloud (unless you put it there).

I see Ill look into it

Sahuagin posted...

because it directly affects the % of accounts that get 'hacked'. when you have way too many support calls about people having their accounts hacked... raise the password strength requirements and you will notice an immediate drop in account hacks. in many cases strong passwords are required in the first place by payment providers.

I think it should be on the person Like make it so they recommend you make a stronger password. But you can opt out

LinkPizza posted...

I think it should be on the person Like make it so they recommend you make a stronger password. But you can opt out

That's not going to stop people from calling the support line if their account gets compromised. The sort of person who thinks using "dog" as an account password is a good idea generally isn't the sort of person that realizes the role they have to play in maintaining their account's security.

adjl posted...

That's not going to stop people from calling the support line if their account gets compromised. The sort of person who thinks using "dog" as an account password is a good idea generally isn't the sort of person that realizes the role they have to play in maintaining their account's security.

dog12345 is my password.

i don't relate, because the 'complex' passwords that i create are adding a number and a symbol to my 'previous' password that I can easily remember. security is good? it's annoying that we give people all this tech and they refuse to even minutely understand it - I think it's fine and good that Google forces people to try and make a better password when the human brain could probably use a little kick in the arse after we all collectively forget every phone number we used to memorize.

As long as you have a password that is at least 11 characters and contains at least one uppercase, number, or symbol it is pretty much impossible to get hacked. And by "impossible" I mean it would take 200+ years for modern hacking tools to figure it out.

And hell, you can easily make one that length that is easy to remember. Like "I like Judas Priest". Just don't write it down somewhere or give people clues into what it could be.

To keep from getting hacked

adjl posted...

That's not going to stop people from calling the support line if their account gets compromised. The sort of person who thinks using "dog" as an account password is a good idea generally isn't the sort of person that realizes the role they have to play in maintaining their account's security.

Sure. But at that point, the call center just tells them over and over theres nothing they can do until that person hangs up

ReturnOfFa posted...

i don't relate, because the 'complex' passwords that i create are adding a number and a symbol to my 'previous' password that I can easily remember. security is good? it's annoying that we give people all this tech and they refuse to even minutely understand it - I think it's fine and good that Google forces people to try and make a better password when the human brain could probably use a little kick in the arse after we all collectively forget every phone number we used to memorize.

I think just let people do what they want. The reason most people dont remember every oh one number is because they cam gave us a way to store it on phones (though, people should try to remember important numbers) Forcing people to try and make better passwords doesnt really help, anyway. The little kick from trying to remember wont matter if they write it down, or use a password manager It just makes it so people forget their password more, or make it somewhat easier for someone else to get it because they wrote it down

Dikitain posted...

As long as you have a password that is at least 11 characters and contains at least one uppercase, number, or symbol it is pretty much impossible to get hacked. And by "impossible" I mean it would take 200+ years for modern hacking tools to figure it out.

And hell, you can easily make one that length that is easy to remember. Like "I like Judas Priest". Just don't write it down somewhere or give people clues into what it could be.

I hear it takes a long time But isnt that if its just a computer?

Lil_Bit83 posted...

To keep from getting hacked

Its just be better if I didnt have a chance of forgetting it because they pretend to care about me being hacked Especially the ones that make you change it every so often

LinkPizza posted...

Sure. But at that point, the call center just tells them over and over theres nothing they can do until that person hangs up

# of support calls was just an example of the visibility of account hacks (though it's also an unnecessary resource burden). there's more problems having a large percentage of hacked accounts than that, including possible financial liability depending on the site. even if money is not involved, you are (dependent on jurisdiction) not legally allowed to store user data without protecting it, and that includes minimum password strength.

Sahuagin posted...

# of support calls was just an example of the visibility of account hacks (though it's also an unnecessary resource burden). there's more problems having a large percentage of hacked accounts than that, including possible financial liability depending on the site. even if money is not involved, you are (dependent on jurisdiction) not legally allowed to store user data without protecting it, and that includes minimum password strength.

Thats why I think it should basically make you have to opt out of the minimum password requirement. Opting out should put the responsibility on the person more. As in they didnt their best to protect your account, and told you the best way to guard your password. And the account holder opted out, making their account more vulnerable

This topic is sponsored by Script Kiddies Inc.

LinkPizza posted...

Thats why I think it should basically make you have to opt out of the minimum password requirement. Opting out should put the responsibility on the person more. As in they didnt their best to protect your account, and told you the best way to guard your password. And the account holder opted out, making their account more vulnerable

So you don't mind being held legally and financially responsible for if your account is used to exploit vulnerabilities that could affect other users? If your account is impersonated and used for social engineering attacks?

Obviously for your security. If your account gets hacked, it's bad business for them.

To go into more depth, a hacker might only get 30 guesses in max before your account gets locked. If your password is one of the 30 most used passwords, you could get hacked.

Some of these companies maintain a policy that keeps your data encrypted on their end so that they (or an attacker in case of a breach) can't access it without you. A short password would not make that possible.

LinkPizza posted...

Thats why I think it should basically make you have to opt out of the minimum password requirement. Opting out should put the responsibility on the person more. As in they didnt their best to protect your account, and told you the best way to guard your password. And the account holder opted out, making their account more vulnerable

it sounds like you're picturing it at an individual (ie: your own) scale, not a global scale. imagine it as a slider in a strategy/sim game. at the bottom of the slider we couldn't even have this conversation since we'd both be locked out of our own accounts already, and having an account in the first place would not be possible. for the internet to function as it does requires a minimal level of security.

I'm not sure people know what the internet is really like. even with some security, you can setup a basic site and be instantly inundated with bot spam and hijack attempts. (actually it's kind of like the warp in WH40k. it's brimming with chaos, but as long as you shield yourself in the right ways you can still function; but leave a hole open, and something will find its way in there, sooner or later.)

Blue_Thunder posted...

This topic is sponsored by Script Kiddies Inc.

So you don't mind being held legally and financially responsible for if your account is used to exploit vulnerabilities that could affect other users? If your account is impersonated and used for social engineering attacks?

Not sure how my Hulu account can do that, though I can only account for stuff under my account

Yellow posted...

Obviously for your security. If your account gets hacked, it's bad business for them.

But its also bad for business if I stop business with them due to not being able to get into my account

Yellow posted...

To go into more depth, a hacker might only get 30 guesses in max before your account gets locked. If your password is one of the 30 most used passwords, you could get hacked.

Some of these companies maintain a policy that keeps your data encrypted on their end so that they (or an attacker in case of a breach) can't access it without you. A short password would not make that possible.

Wouldnt that be if it were the commonly used ones. Technically, my password isnt a commonly used one. It just didnt have the required characters

Sahuagin posted...

it sounds like you're picturing it at an individual (ie: your own) scale, not a global scale. imagine it as a slider in a strategy/sim game. at the bottom of the slider we couldn't even have this conversation since we'd both be locked out of our own accounts already, and having an account in the first place would not be possible. for the internet to function as it does requires a minimal level of security.

I'm not sure people know what the internet is really like. even with some security, you can setup a basic site and be instantly inundated with bot spam and hijack attempts. (actually it's kind of like the warp in WH40k. it's brimming with chaos, but as long as you shield yourself in the right ways you can still function; but leave a hole open, and something will find its way in there, sooner or later.)

But I am talking about individuals here. The internet as a whole doesnt have to not be as secure as possible. I just mean accounts that people set up. For example, my Hulu account. Before this, the password I chose was fine. It worked, kept people out who I didnt allow to use it, and let the people I gave the info to use it. It wasn't the most secure, but it worked That what I mean. And not everybody would feel the same. But not everyone would have to be as unsecure as others

LinkPizza posted...

I think just let people do what they want. The reason most people dont remember every oh one number is because they cam gave us a way to store it on phones (though, people should try to remember important numbers) Forcing people to try and make better passwords doesnt really help, anyway. The little kick from trying to remember wont matter if they write it down, or use a password manager It just makes it so people forget their password more, or make it somewhat easier for someone else to get it because they wrote it down

It's their product. You're free not to use it. They're free to make it more secure so their security has a higher percentage change of not being breached.

I do think that people aren't really educated properly on how to make a good password that's also easy to remember, so I am sympathetic to it. like, if your password is 'peanutbutter', how do you make it 'complex' while also easy to remember? 69#Peanutbutter

and even if people write them down at home, it still usually prevents the most common forms of password-cracking, which is just that, cracking the password with a simple programmed dictionary that while go through thousands of easy words quickly. a few silly numbers can easily make a password way better.

ReturnOfFa posted...

It's their product. You're free not to use it. They're free to make it more secure so their security has a higher percentage change of not being breached.

I do think that people aren't really educated properly on how to make a good password that's also easy to remember, so I am sympathetic to it. like, if your password is 'peanutbutter', how do you make it 'complex' while also easy to remember? 69#Peanutbutter

and even if people write them down at home, it still usually prevents the most common forms of password-cracking, which is just that, cracking the password with a simple programmed dictionary that while go through thousands of easy words quickly. a few silly numbers can easily make a password way better.

I know Imd free not to use it. I even mentioned how people might stop using it because its hard to remember the password in an earlier post Doesnt change what I said, though I still think they should let people do what they want with their passwords

As for how complex, it can be hard to remember something when youve been using another password for years (or even over a decade), and now have to remember you changed it, and what you changed it to, if you dont use it for anything else I still sometimes try to use old passwords for certain accounts quite often, as I forgot I had to change them I usually know it similar to the old one. So, I try a few things, and usually get it

And Im not saying it dosnt make it more secure. Just weird that they force it. Especially after youve been using the same one for so long

LinkPizza posted...

But its also bad for business if I stop business with them due to not being able to get into my account

Getting branded in headlines as a company with poor security is a lot worse than losing a single customer.

And tbh this is the first I've heard of someone threatening to leave a service over password requirements.

LinkPizza posted...

Sure. But at that point, the call center just tells them over and over theres nothing they can do until that person hangs up

Which costs a non-trivial amount of operator wages (especially on the scale of every tech-incompetent person out there who would use a stupid password if they weren't forced not to), results in an unsatisfied customer that will review the service poorly (which no amount of "we encourage customers to use secure passwords" will mitigate), and generally just reflects very poorly on the company.

LinkPizza posted...

But its also bad for business if I stop business with them due to not being able to get into my account

Which is why they offer password recovery services. Perhaps more saliently, the most convenient way of terminating your relationship with the company (cancelling the service and removing your payment information) is locked behind your password. Even if you do decide you want to cut them off, it's generally going to be much more efficient and convenient for you to go through the password recovery process than to cancel the associated credit card or keep paying for the service until the card expires. By the time you get through the password recovery process, your problem is solved and your primary motivation to leave is gone, so the vast majority of customers annoyed by password requirements aren't going to follow through on cancelling.

This isn't to say that password requirements are necessarily handled properly (most of them emphasize entropy over length, when longer passwords are overwhelmingly more secure than more complex ones), but there's absolutely no basis to think that it might be more beneficial for a company to allow users to leave their accounts unsecured than to impose some basic security requirements.

Blue_Thunder posted...

Getting branded in headlines as a company with poor security is a lot worse than losing a single customer.

And tbh this is the first I've heard of someone threatening to leave a service over password requirements.

That wouldnt be their fault, though. That would be on the customer. And Ive heard of some people leaving over passwords. Not a ton, but some. Usually older, though It more like they cant get into their account. And then they stop using it. And decide that why pay if they cant use it

adjl posted...

Which costs a non-trivial amount of operator wages (especially on the scale of every tech-incompetent person out there who would use a stupid password if they weren't forced not to), results in an unsatisfied customer that will review the service poorly (which no amount of "we encourage customers to use secure passwords" will mitigate), and generally just reflects very poorly on the company.

Maybe. That said, couldnt the same thing technically happen if everybody still made easy to guess passwords while using the requirements? And I feel the operators would still have to be there, anyway

adjl posted...

Which is why they offer password recovery services. Perhaps more saliently, the most convenient way of terminating your relationship with the company (cancelling the service and removing your payment information) is locked behind your password. Even if you do decide you want to cut them off, it's generally going to be much more efficient and convenient for you to go through the password recovery process than to cancel the associated credit card or keep paying for the service until the card expires. By the time you get through the password recovery process, your problem is solved and your primary motivation to leave is gone, so the vast majority of customers annoyed by password requirements aren't going to follow through on cancelling.

This isn't to say that password requirements are necessarily handled properly (most of them emphasize entropy over length, when longer passwords are overwhelmingly more secure than more complex ones), but there's absolutely no basis to think that it might be more beneficial for a company to allow users to leave their accounts unsecured than to impose some basic security requirements.

I think you can just call and cancel, IIRC And I dont think you need a password for that. You may need some proof (or access to your email), though There are other ways, though. Depends on how much trouble the other ways would cost, though

It just seems weird to have these requirements to me, is all That said, Ive never been hacked. So, that could be why I dont see the point in it. I already hated long passwords when our job made us use these 18 digit (at least) long passwords for this one site. And it had to be changed every 3 months. And it could be any of the last 6 used. Eventually, everyone basically had the same password. Which was 1qa2ws3ed and then shift, and the same thing. And then you just move over one line every time you changed.

LinkPizza posted...

That wouldnt be their fault, though. That would be on the customer.

Media and regulatory bodies don't care about that. The company would still be held responsible for allowing such an opt-out in the first place.

Blue_Thunder posted...

Media and regulatory bodies don't care about that. The company would still be held responsible for allowing such an opt-out in the first place.

Thats just the dumb people. If they get a good publicist, and maybe a good social media influencer to make the others understand that its not their fault

captpackrat posted...

The dumbest "password" rule I've ever seen was creating a PIN for my American Express card. You are REQUIRED to use a date as the PIN (American style, month first). 0911, 0704, 1225 or the like. You CANNOT just use any number you want. You can't have 0666 or 1312.

That means instead of 10,000 possible numbers, there are only 366. And there's a 75% chance the first digit will be a 0 (and a 25% chance of a 1). And the third digit can only be a 0, 1, 2, or rarely a 3.

This is why you get VISA like a normal person

LinkPizza posted...

Wouldnt that be if it were the commonly used ones. Technically, my password isnt a commonly used one. It just didnt have the required characters

How about this, when you set up your website, you can change the required restrictions needed on the password. You asked for the reason why, and the reason why is plain and simple, it reduces account theft.

The extra characters ensure the character pool is larger than 26. Include capital letters, 52. Numbers? 62. Special characters? 72.

26^8 is cryptographically crackable. The others are more resistant.

Personally, I think passwords are obsolete and should be phased out, instead using OAuth, 2FA, hardware TPM, fingerprint scanners, face recognition, pretty much everywhere. People are replacing them with password managers anyway, that automatically generate and save upper and lowercase 30 character long random strings, which makes it a pain to sign in to a tv on a little remote. Password managers are basically already OAuth.

Zareth posted...

That means instead of 10,000 possible numbers, there are only 366.

Lol, executives came up with that, I guarantee you. Some programmer was about to blow their own brains out taking orders from a yuppy crackhead, trying to explain why that's a fucking stupid idea.

Yellow posted...

How about this, when you set up your website, you can change the required restrictions needed on the password. You asked for the reason why, and the reason why is plain and simple, it reduces account theft.

Personally, I think passwords are obsolete and should be phased out, instead using OAuth, 2FA, hardware TPM, fingerprint scanners, face recognition, pretty much everywhere. People are replacing them with password managers anyway, that automatically generate and save upper and lowercase 30 character long random strings, which makes it a pain to sign in to a tv on a little remote.

I dont mind face recognition or fingerprint scanners Those get used a lot. Though, Im not big on 2FA

LinkPizza posted...

Thats just the dumb people. If they get a good publicist, and maybe a good social media influencer to make the others understand that its not their fault

https://i.imgur.com/53Rqg3E.jpg