Password policies do not work
When users are asked to create a password that includes uppercase letters, lowercase letters, numbers, and special characters, the result is:
- One uppercase letter
- Then small letters
- Then a number, a couple of numbers, or a year
- Finally, special character
The password "kissa" becomes "Kissa123!" or "Kissa1998@", or similar. In addition, this policy prevents the use of passwords that would actually be secure and easy to remember (such as "did you find the fish in the lamp").
Do not require anything else from the password except that it is not too short. NIST recommends that passwords are at least 8 characters long. It is good to remind users when setting a password that it is recommended to use a password management program or, if not available, create a password consisting of random words (or even better, a passphrase consisting of nonsensical words such as omen -> amena).
In critical services related to security, it may be justified to even enforce the use of a password manager or passphrase, for example by setting a minimum password length of 16 characters.
You can also check if the password entered by the user is included in one of the 12 billion leaked passwords found on Have I Been Pwned service. You only need to send the first five characters of the password's hash (SHA1) to the API, and you will receive the matching endings.
Exercise
(Coming soon)
Ready to become an ethical hacker?
Start today.
As a member of Hakatemia you get unlimited access to Hakatemia modules, exercises and tools, and you get access to the Hakatemia Discord channel where you can ask for help from both instructors and other Hakatemia members.