What is a dumb password rule?
DimitriPapadopoulos opened this issue · 6 comments
- How do you define a dumb password rule?
- Some countries may have recommendations or regulatory rules. Companies need or tend to follow them. Instead of shaming the company, shame the recommendations and regulatory rules.
There are countries with password rules :O? I don't think we have any in Germany. There is a pretty good understanding of what a bad password is, and insurances won't pay in these cases, but I don't think they rely on a written law.
Can you name a country that has such regulatory rules?
France for example, but these are general "recommendations" from the data protection authority (CNIL) more than regulatory rules:
L’authentification par mot de passe : longueur, complexité, mesures complémentaires (Password authentication: length, complexity, complementary measures)
Companies will follow the above recommendations, because in case of personal data loss they might be held responsible.
But then is a mere minimal length for passwords considered to be a "dumb password rule"?
In Germany:
- BSI TR-03148 Sichere Breitband Router (Secure Broadband Routers) / CCC und OpenWrt: Technische Richtlinie des BSI zu sicheren Routern unzureichend (CCC and OpenWrt: BSI technical guideline on secure routers insufficient)
- Hinweise zum Umgang mit Passwörtern (Guidance on handling passwords), but then this document does not suggest "dumb password rules" as far as I can see.
I would define a dumb password rule as one that:
- restricts max length
- restricts characters allowed/disallowed
- enforces rigid complexity (kind of ambiguous, but stuff like need 1 uppercase, 1 lowercase, etc) xkcd
Password guidelines (aren't, to my knowledge, enforced, but are there as a reference on what people should do):
- NIST: National Institute of Standards and Technology (US)
  - password minimum length 8+
  - block/reject compromised/common/sequential passwords
  - ALL characters allowed
- NCSC: National Cyber Security Centre (UK)
  - encourage password manager use (generated passwords can be super complex)
  - encourage memorable passwords (3-word (diceware) or CVC-CVC-CVC format)
  - don't enforce complexity
  - block/reject compromised/common passwords
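To make the contrast concrete, here is an added example (not code from the dumbpasswordrules project or from anyone in this thread) that implements the NIST/NCSC-style checks listed above beside a rule set of the "dumb" kind defined earlier in the thread. The common-password list and the sample inputs are constructed for the demo.

```python
"""Added example: a sane password check (NIST/NCSC-style) next to a
"dumb" one (max length, banned characters, rigid composition rules)."""
import unicodedata

# Constructed stand-in for a breached/common-password corpus; a real
# deployment would query a breach dataset (e.g. via k-anonymity lookup).
COMMON_PASSWORDS = {"password", "passw0rd", "123456", "qwerty", "letmein"}


def is_sequential(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` characters stepping by +1 or -1 in
    code-point order, e.g. 'abcd' or '4321'."""
    codes = [ord(c) for c in pw]
    for i in range(len(codes) - run + 1):
        diffs = {codes[j + 1] - codes[j] for j in range(i, i + run - 1)}
        if diffs in ({1}, {-1}):
            return True
    return False


def sane_check(pw: str) -> list[str]:
    """Minimum length only, every character allowed, no composition rules,
    reject common/compromised and sequential passwords."""
    problems = []
    pw = unicodedata.normalize("NFKC", pw)  # NFKC normalisation per NIST SP 800-63B
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("in common/compromised list")
    if is_sequential(pw):
        problems.append("contains a sequential run")
    return problems


def dumb_check(pw: str) -> list[str]:
    """The kind of rule set the thread calls dumb: a maximum length,
    disallowed characters and mandatory character classes."""
    problems = []
    if len(pw) > 16:
        problems.append("longer than 16 characters")
    if not all(c.isalnum() for c in pw):
        problems.append("non-alphanumeric character")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)):
        problems.append("needs upper, lower and digit")
    return problems


if __name__ == "__main__":
    for sample in ["correct horse battery staple", "Passw0rd", "abcd1234!"]:
        print(f"{sample!r}: sane={sane_check(sample)} dumb={dumb_check(sample)}")
```

Note that the dumb policy rejects the long passphrase while accepting the well-known weak password, and the sane policy does the opposite.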
I've added a note on the new site about page on the definition of a dumb rule. Which is, in fact, that there's no real definition here except that you'll probably know one when you see one. https://dumbpasswordrules.com/about/