
We did pcpartpicker.com dirty #518

Open
rpdelaney opened this issue May 26, 2023 · 2 comments

Comments

@rpdelaney
Contributor

> There are no rules for passwords. Passwords can be any length (including one character) of any complexity.

We complain that pcpartpicker doesn't have any dumb rules?

> No password change confirmation emails are sent.

Okay I guess that's dumb, but it's not a password rule.

@depperm
Contributor

depperm commented Jan 9, 2024

> Passwords can be any length (including one character) of any complexity.

I think length requirements are generally one of the more acceptable requirements. I'd argue any complexity also is bad in that known bad passwords (such as password) should be rejected.

@rpdelaney
Contributor Author

rpdelaney commented Jan 9, 2024

Thank you for the thoughtful comment!

> I think length requirements are generally one of the more acceptable requirements.

That's my understanding as well, but to be sure I checked on the latest NIST guidelines:

> 5.1.1.1 Memorized Secret Authenticators
>
> Memorized secrets SHALL be at least 8 characters in length if chosen by the subscriber. Memorized secrets chosen randomly by the CSP or verifier SHALL be at least 6 characters in length and MAY be entirely numeric. If the CSP or verifier disallows a chosen memorized secret based on its appearance on a blacklist of compromised values, the subscriber SHALL be required to choose a different memorized secret. No other complexity requirements for memorized secrets SHOULD be imposed. A rationale for this is presented in Appendix A Strength of Memorized Secrets.

You also wrote:

> I'd argue any complexity also is bad in that known bad passwords (such as password) should be rejected.

I agree with this also, and so it seems we both concur with NIST's guidelines.

However, I feel the linked Appendix A is as close to a perfect statement of what's wrong with the world that dumbpasswordrules.com is aiming to call out. That is, in a misguided attempt to help users choose better passwords, many websites add onerous "complexity" requirements that bother users and don't improve security for anybody.

Worse, these complexity rules inhibit users from following best practices as recommended by NIST -- in particular, using a cryptographically secure password generator, which can create high-entropy passwords that nonetheless don't meet the complexity requirements of a specific site.

With that in mind, a low-risk site like pcpartpicker having somewhat inadequate requirements isn't ideal, but in my opinion it is easily preferable, and so it feels out of place on the site.

That's just my $.02. :)
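To make the NIST 5.1.1.1 rules quoted above concrete, and to show the failure mode rpdelaney describes (a generated high-entropy password that passes the NIST check but trips a composition rule), here is an added example that is not part of this issue or of the dumbpasswordrules project. The blocklist, the word list and the `composition_check` rules are constructed for illustration; `nist_check` implements only the two requirements the quoted section states.

```python
"""Memorized-secret checks modelled on NIST SP 800-63B section 5.1.1.1 (added example)."""
import secrets
import string
import unicodedata

# Constructed stand-in for a blocklist of compromised values; a deployment would load a
# large breach corpus. Assumption: matched case-insensitively after NFKC normalisation.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "pcpartpicker"}


def nist_check(secret: str, chosen_by_user: bool = True) -> tuple[bool, str]:
    """Apply only what 5.1.1.1 states: a length floor and a blocklist, nothing else."""
    normalized = unicodedata.normalize("NFKC", secret)
    minimum = 8 if chosen_by_user else 6  # 6 is allowed only for CSP/verifier-generated secrets
    if len(normalized) < minimum:
        return False, f"shorter than {minimum} characters"
    if normalized.casefold() in BLOCKLIST:
        return False, "appears on the compromised-value blocklist"
    return True, "accepted"  # no composition requirements are imposed


def composition_check(secret: str) -> tuple[bool, str]:
    """The kind of rule the thread argues against: a length cap plus forced character classes."""
    if len(secret) > 16:
        return False, "longer than 16 characters"
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    if any(not any(ch in cls for ch in secret) for cls in classes):
        return False, "missing a required character class"
    return True, "accepted"


def generated_passphrase(words: int = 4) -> str:
    """Stand-in for a password manager's generator: random words from a tiny constructed list."""
    wordlist = ["correct", "horse", "battery", "staple", "anvil", "orbit", "lemon", "quartz"]
    return "-".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    candidate = generated_passphrase()
    print(candidate, "NIST:", nist_check(candidate), "composition:", composition_check(candidate))
```

Every passphrase the generator produces is at least 23 characters and not on the blocklist, so it passes `nist_check`, yet `composition_check` rejects it for being too long and lacking uppercase letters and digits.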
