Wednesday, July 17, 2019

Lowercase Passwords

Stuart Schechter:

Your master password should be at least 12 lowercase characters or five words. Why use lowercase characters or words when you’ve probably been told (and coerced) to use uppercase characters and symbols in the past? If you have to enter the password on a device with an on-screen keyboard (like your phone’s), each uppercase letter or symbol may require extra key presses. You can get the same security, and save yourself a great deal of frustration, by making your all-lowercase password just 30% longer than if it were mixed case [9]. In other words, a randomly-generated 13-character lowercase password, which can be entered with 13 keystrokes, is as secure as a 10-character mixed password, which may require many more.
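The arithmetic behind the "30% longer" figure is just bits of entropy per symbol: log2(26) for lowercase versus log2(62) for letters plus digits. The following Python is an added worked example, not part of the quoted passage or of this post; it computes the equivalence for several character sets, the five-word figure for a diceware-sized word list (7776 entries, an assumption about the list rather than anything the quote specifies), and generates a password of the computed length with the `secrets` module.

```python
import math
import secrets
import string

# Character sets compared in the quoted passage.
ALPHABETS = {
    "lowercase": string.ascii_lowercase,                                 # 26 symbols
    "mixed case": string.ascii_letters,                                  # 52 symbols
    "mixed case + digits": string.ascii_letters + string.digits,         # 62 symbols
    "printable ASCII": string.ascii_letters + string.digits + string.punctuation,  # 94 symbols
}

# Assumed word-list size (diceware-style: 6**5 words). Not from the quote.
DICEWARE_WORDS = 7776


def bits_per_char(alphabet: str) -> float:
    """Entropy contributed by one uniformly random symbol from `alphabet`."""
    return math.log2(len(alphabet))


def entropy_bits(alphabet: str, length: int) -> float:
    """Entropy of a uniformly random `length`-symbol password over `alphabet`."""
    return length * bits_per_char(alphabet)


def words_entropy_bits(n_words: int, wordlist_size: int = DICEWARE_WORDS) -> float:
    """Entropy of `n_words` words drawn uniformly from a list of `wordlist_size`."""
    return n_words * math.log2(wordlist_size)


def length_for_bits(alphabet: str, target_bits: float) -> int:
    """Smallest length whose entropy over `alphabet` reaches `target_bits`."""
    return math.ceil(target_bits / bits_per_char(alphabet))


def equivalent_lowercase_length(alphabet: str, length: int) -> int:
    """Length an all-lowercase password needs to match a `length`-char password over `alphabet`."""
    return length_for_bits(ALPHABETS["lowercase"], entropy_bits(alphabet, length))


def lowercase_length_ratio(alphabet: str) -> float:
    """How much longer a lowercase password must be per symbol of `alphabet` (the '30%')."""
    return bits_per_char(alphabet) / bits_per_char(ALPHABETS["lowercase"])


def generate(alphabet: str, length: int) -> str:
    """Uniformly random password; `secrets` is the CSPRNG, never `random`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for name, alphabet in ALPHABETS.items():
        need = equivalent_lowercase_length(alphabet, 10)
        print(f"10 chars of {name:20s} = {entropy_bits(alphabet, 10):5.1f} bits "
              f"-> {need} lowercase chars ({lowercase_length_ratio(alphabet):.2f}x)")
    print(f"5 diceware words = {words_entropy_bits(5):.1f} bits")
    print("example:", generate(ALPHABETS["lowercase"], equivalent_lowercase_length(ALPHABETS["mixed case + digits"], 10)))
```

Ten characters from letters plus digits come to about 59.5 bits, which needs 13 lowercase characters (12.7 rounded up); the per-symbol ratio is about 1.27, which is where the "30% longer" rule of thumb comes from. Five words from a 7776-word list are about 64.6 bits, slightly more than the 13-character lowercase string. All of this assumes the generator is uniform, which is why the example draws from `secrets` rather than `random`.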

Via Ricky Mondello:

This plays into why the passwords that iCloud Keychain generates are dominated by lower-case letters; you might have to type them somewhere, sometime (but not remember). I explain this in the talk I gave at PasswordsCon 2018.

Previously:

8 Comments

I don’t disagree with this. However, many password policies require a mix of numbers, symbols, and uppercase/lowercase letters.

@Matthew The context here is a password manager app. The ones I’ve seen don’t have such requirements.

My favorite are the ones that require you to use a symbol, and then basically only allow you to use like 6 particular symbols. If you can write code to accept $+-=_*#! then why can't you also add ()[]:;.,/? etc... or the sites that restrict you to only 12 characters or less. WTF. Especially when it's something that needs to be high security like a bank or government website -- they seem to be the worst offenders of imposing arbitrary limitations on passwords.

The iCloud password manager doesn’t seem to create passwords that fulfill the password requirements of some sites. Do solutions such as 1password have options for creating passwords that can meet specific requirements?

1Password allows you to set the password length between 4 and 64 characters, including how many are numbers (Num_Length) or symbols (Sym_Length) -- both with values 0 to 10.

If (Total_Length <= 10) AND (Num_Length >= Total_Length) you can generate purely numeric passwords.

If (Total_Length <= 20) AND ((Num_Length + Sym_Length) >= Total_Length) you can generate passwords with only numbers and symbols.

You CANNOT tell it to not use only lowercase. It also cannot exclude certain symbols.

Once Total_Length > (Num_Length + Sym_Length) it will start inserting characters which are either upper or lower case.

There is an option to use "Words" for passwords instead of random strings. This will generate something like disown-fable-coxswain-kinsfolk which are always lower case. You can change the separator from a hyphen to a space, period, comma, or underscore.

> the sites that restrict you to only 12 characters or less

This isn't just bad because it forces you to use a bad password. Any time you see a service that imposes an upper limit on password length, you know for damn sure it's because they're storing that password in plain text in a database, and that field in the table has a limited length. If they were properly hashing the password, there wouldn't really be an upper limit for password length (at least not one the user would have to care about).

Sören Nils Kuklau

> The iCloud password manager doesn’t seem to create passwords that fulfill the password requirements of some sites.

Apple actually made a spec for machine-readable requirements, but I don’t think uptake has been very high.

> Any time you see a service that imposes an upper limit on password length, you know for damn sure it’s because they’re storing that password in plain text in a database,

Not necessarily. It can also arise from support issues. Banks, for example, tend to not want to direct customers at Reset Passwords forms when they have them on the phone.

> Banks, for example, tend to not want to direct customers at Reset Passwords forms when they have them on the phone

I don't understand how this relates to max lengths for passwords.
