a blog about things that I've been thinking hard about

The Security of Your Password is Very, Very Important to Us

10 March, 2013
your account will be very, very secure

Your password will include many strange hard-to-type characters.

You will be prevented from using your password manager to manage your account password.

You will be required to answer your security questions more often than you expect.

You can log in with Facebook, and we promise not to abuse the Facebook privileges that we require you to give us.


Password Strength and Password Length

The most important thing about your password is how hard it is to guess. Technically, those of us in the industry call this password entropy.

Now you might be thinking: the best way to increase password entropy is to make the password longer. But what you think and what people actually do are different things – we have seen how short most people choose to make their passwords.

To get the right level of security, something more than length is required. And that something more is what we in the industry like to call special characters.

Namely:

We require at least one of each of these, as well as at least one ordinary lower-case letter. And don't think you can get away with making the first letter upper-case, because that would be too easy.

Also, no repeated characters, because we've seen too much of "bang repeatedly on one key to satisfy the minimum length requirement". In fact, we don't allow any character to appear more than once in any password. Ever.
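To put numbers on the rules above, here is an added example (not part of the original post) that counts the passwords such a policy accepts and compares the result, in bits, with plain length. The list of required special characters is not shown on this page, so the number of required specials (4) and the presence of 10 digits are assumptions, and the bit figures assume every allowed password is equally likely.

```python
import math

def policy_count(n, lower=26, upper=26, other=10, specials=4):
    """Number of length-n passwords the policy above accepts.

    Rules modelled: every required special character appears, at least one
    lower-case letter, first character not upper-case, no character repeated.
    `other` (digits) and `specials` are assumed sizes, not from the page.
    """
    free = n - specials          # slots left after the mandatory specials
    if free < 1:
        return 0                 # no room for the mandatory lower-case letter
    total = 0
    for i in range(1, min(lower, free) + 1):          # i lower-case letters
        for j in range(0, min(upper, free - i) + 1):  # j upper-case letters
            d = free - i - j                          # d other characters
            if d > other:
                continue
            sets = math.comb(lower, i) * math.comb(upper, j) * math.comb(other, d)
            # n distinct characters: (n - j) choices for a non-upper first
            # character, then (n - 1)! orderings of the rest.
            total += sets * (n - j) * math.factorial(n - 1)
    return total

def policy_bits(n, **kw):
    """log2 of the number of accepted passwords (0.0 if none are accepted)."""
    count = policy_count(n, **kw)
    return math.log2(count) if count else 0.0

def uniform_bits(n, alphabet):
    """Bits for n characters drawn independently and uniformly."""
    return n * math.log2(alphabet)

if __name__ == "__main__":
    for n in (8, 10, 12):
        print(f"{n} chars under policy: {policy_bits(n):5.1f} bits, "
              f"same length, no rules: {uniform_bits(n, 66):5.1f} bits")
    print(f"16 lower-case letters, no rules: {uniform_bits(16, 26):5.1f} bits")
```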

Password Managers

You might have noticed that our website is one of those websites where your browser's password manager doesn't know how to manage the password.

You type in your new password, but your password manager doesn't ask you if you want to save it.

This doesn't happen just because the password manager is buggy – it happens because we have employed a very sophisticated proprietary technology to prevent the password manager from saving the secure password which our website requires.

We can't tell you exactly what this technology is, because then password manager developers might use that information against you (and us) to prevent us enforcing the no-password-manager policy for our website's passwords.

Our view is: if you store our password in your browser's password manager, what happens if your password manager "master password" is less secure than the security requirements that we impose on our website passwords? There is no way that we can control the level of security on that password.

That's why we do everything we can to prevent the password for your account on our website from being saved in your password manager.

So, if you really need something to help you remember your website password, don't use a password manager. Instead, write it down on a piece of paper.*

*But don't write your password down on a piece of paper. Because that would be insecure.

Security Questions

You've probably encountered security questions before – those questions that you have to answer when you forgot your password and you need to do a password recovery.

This is the "industry standard". But our website has significantly advanced upon standard industry practice. On our website, you have to answer your security question whenever you change your password, even if you know what the current password is.

You might think that this could lower security. For example, what if you need to change a password, because maybe you leaked it to someone, but then you can't change it because you can't remember the answers to your security questions? (And we emphasize the use of questions plural, because just one security question is never enough.)

But don't worry, you can always recover the answers to your security questions on our website the same way you recover a lost password – by asking us to send a recovery email to the email address you gave us when you created your account. This email will contain a link to a recovery page, which will ask you for your current password, and then let you choose some new security questions and answers.

(It would appear that this completely undermines the alleged extra security of requiring answers to the security questions before a password can be changed. But hey, at least we tried.)

Facebook Login

For those of you that really don't want to create a new username/password combination just so you can write one comment about one stupid article posted on our website, we do provide an additional option: the Facebook login.

Just click on the Facebook login logo, enable our website for login authentication and posting to your "wall", and presto!, you're in.

Some of our users have asked us: why does our website require permission to post to their Facebook walls? And our answer is: that's how Facebook logins work. I mean, do you know of any website that provides Facebook login and doesn't require permission to post to your wall? Exactly.

But don't worry, we won't abuse this extra power you have given us. We might not even use it at all. It's only there just in case we need it for something.
