Your Pa$$Word Doesn't Matter (techcommunity.microsoft.com)
28 points by fortran77 on Nov 12, 2020 | hide | past | favorite | 15 comments


Title: your password doesn’t matter

Content: your password matters very much

What?? My takeaway is that your password matters quite a lot, you need to use a password manager to generate strong, unique passwords, and turn on MFA everywhere you can. Not “your passwords don’t matter”


Found:

> Your password doesn’t matter except for password spray (avoid the top guessed passwords with a dictionary checker of some kind) or brute force (use more than 8 characters, or use a password manager if you are really nervous). That’s not to say your password isn’t terrible. It’s definitely terrible, given the likelihood that it gets guessed, intercepted, phished, or re-used.

At the bottom of the article.


To be charitable to the article: people who are not security-minded often make password decisions that "don't matter". You advise your grandpa to do better than "password" and he might move to "Password1!". You advise him to not reuse passwords...and that's really hard without a password manager, so he reuses passwords.

But yeah, your password choices very much matter and those choices can foil {credential stuffing, password spray, brute force}, which is admitted but downplayed in the article.

Considering that most people reading the article will be security-minded, a far better title would have been "Your Users' Password Choices Often Don't Matter".


Check out the table. I believe the bottom line is that length and symbols and all those restrictions don't add any security, because the relevant threats are not password probing.


I did look at the table, and the very first row, credential stuffing, requires that your password be non unique. So your password matters.


Yeah, I think the point is that a typical password validation policy won't be able to spot that risk.

Although one that cycled passwords regularly would presumably do the trick.


Password cycling studies show that it generally weakens passwords and only increases the likelihood that fallible human beings recycle the same (variations of) passwords across multiple services.

About all this article shows is that the only "complexity" test that matters is that a password shouldn't be in the Top X most used passwords, and X may be as low as 10 (much less than the thousands you can easily check with Pwned Passwords) if you are attempting (distributed) password spray detection in your login systems, MFA, etc.


Wonder if anyone has ever written password validation to attempt credential stuffing on a few popular websites and reject the password if it works.


Pwned Passwords is a database of the most common passwords (as hashes), compiled from years of breach data: http://haveibeenpwned.com/Passwords

Though the takeaway in the article is that you really only need to check Top X and Top X may be as low as 10 assuming other mitigations are in place.
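The two checks this comment and the one above describe (a small Top X deny list plus a Pwned Passwords lookup), as an added example that is not part of the thread. The SHA-1 prefix/suffix split follows the Pwned Passwords range API format (one "SUFFIX:COUNT" line per suffix); the range data and counts embedded here are constructed, not real API output, and the Top X list is a made-up stand-in.

```python
import hashlib

# Constructed stand-in for the Pwned Passwords range responses, keyed by the
# 5-hex-char SHA-1 prefix. The real service returns one "SUFFIX:COUNT" line per
# 35-char suffix seen under that prefix; the suffix on the second line is the
# real remainder of sha1("password"), but every count here is made up.
SAMPLE_RANGES = {
    "5BAA6": """\
0018A45C4D1DEF81644B54AB7F969B88D65:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9000000
011053FD0102E94D6AE2F8B83D76FAF94F6:1
""",
}

# Constructed "Top X" deny list: the tiny blacklist the thread argues is the
# only complexity test that matters once spray detection and MFA exist.
TOP_X = {"password", "123456", "qwerty", "letmein", "welcome"}

def sha1_range_parts(password):
    """Split the SHA-1 into the prefix sent to the service and the suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def lookup_range(prefix):
    """Stand-in for the k-anonymity range query; production code would HTTPS GET by prefix."""
    return SAMPLE_RANGES.get(prefix, "")

def breach_count(password):
    """Return how often the password appears in the (sample) breach corpus, 0 if absent."""
    prefix, suffix = sha1_range_parts(password)
    for line in lookup_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0

def policy_verdict(password, min_len=8):
    """Apply the thread's ordering: Top X first, then breach data, then length for brute force."""
    if password.lower() in TOP_X:
        return "reject: in top-X list (password spray target)"
    if breach_count(password) > 0:
        return "reject: seen in breach data (credential stuffing risk)"
    if len(password) < min_len:
        return "reject: shorter than %d characters (brute force)" % min_len
    return "accept"
```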


While there's nothing new here, it's good to see some real numbers from a big organisation. It shifts the discussion about effectiveness from opinions to fact. Next time someone says 'no one does that' or 'costs way too much in practice' we can point to this.


This makes a ton of sense, and yet I can't think of a time I've seen it mentioned in a discussion about passwords.

Are there any notable exceptions, where attackers don't have the db, but can probe pretty quickly?


Why are we still forced to use passwords? Client certificates stand up to every attack in that table.


You need a way to sync them on multiple computers, use them as a guest (e.g. when you've borrowed a machine temporarily), do recovery flows, manage their regeneration and rotation, generate unique certs per site; basically all the management hurts. As a web site, you also have to teach everyone in the world how they work, and who wants to be the first to do that?

One day WebAuthn might be usable for all the things. I want that to come soon but it is not here yet.


Are you kidding me? I've been slamming my face on the keyboard all these years for nothing?


Sounds like sin #1 to me - Your face presumably still has the same shape, so that's password reuse ;)



