DEV Community

Cover image for RegEx password validators is madness
Thomas Hansen for AINIRO.IO

Posted on • Edited on

RegEx password validators is madness

For 5 decades we've gotten used to the following; "Choose a password with one small letter, one large letter, 1 number, and 1 special character". This is probably the dumbest decision software development as a profession collectively have done since we started coding in Fortran some 70 years ago. The reason is simple, people once confronted with the above have 3 choices, which are as follows.

  1. Reuse a password you've used another place
  2. Write down your password somewhere and store it
  3. Choose a password that's very short such that you can remember it easily

All of the above techniques for remembering passwords are ipso facto madness. Examples of great passwords are presented below.

  1. This is a very, very, very good password! YES REALLY!!
  2. Rainbows are funny, because they smell like unicorns
  3. I like turtles, but not the Ninja turtles

The above 3 examples are all extremely secure passwords. More importantly, if you use passwords such as the above, you don't need to write them down, you don't need to reuse passwords, and you can create them as long as you wish - Yet still easily remember them. However, more importantly, the above passwords are a bajillion times harder to hack than 12 random characters. To understand why, let's look at the base numbers for your passwords.

If you have 12 sequential characters conforming to a regex validator, you have roughly 70 to the power of 12 possibly combinations to test in order to brute force guess the correct password. This is easily achieved with a fancy pocket calculator today in some roughly 20 minutes.

If you create sentences, that have at least 12 words, there are (at least) 150,000 words in the English language, implying 150,000 to the power of 12 possible combinations to test before you've successfully brute forced the password. This is before we start considering slang words, such as "gr8" and "luv", in addition to bad English, such as the title of this article. As we add foreign languages, and/or alternative alphabets, such as Norwegian, Swedish or Greek letters, the entropy literally explodes.

If you've got a password which is a sentence of at least 8 words, hacking this password by brute force becomes literally impossible. However, a password regex validator prevents you from creating such passwords, because you'll need an "$" in there, you'll need a "1" in there, etc. Sentences containing special characters are not particularly easily remembered, and hence eliminates your ability to construct really, really, really good passwords, that you can easily remember.

At Aista we have taken this problem seriously, by simply removing all password validators entirely, allowing users to create whatever passwords they want to themselves. You can try it out below if you wish.

Top comments (9)

Collapse
 
nstvnsn profile image
Nathan Stevenson • Edited

I am stubbornly avoiding password managers like LastPass. Single point of failure is...eh.

For myself I have several categories of passwords. Each one has several variations. Recovery > Identity accounts (gmail/service/2fA) > Financial > Games/entertainment/education > Throw aways.

From multi-word phrases with upper and lower, numbers, and symbols, all the way down to a word with numbers.

I have a system.

Ugh, just describing that madness is tempting me to give LastPass another look. Maybe just commit my identity passwords to internal memory and save the rest in an external repository. If my master repo of passwords gets compromised, I can still recover with my identity passwords. Ok, that's enough self realization for this comment. I need to go think lol.

Collapse
 
subinsv profile image
subin sv

And some sites have max password length restriction, which is even dumber.

Collapse
 
pinotattari profile image
Riccardo Bernardini

Often those sites have also a set of "forbidden" characters, a really, really, really smelly practice... Most probably they store the passwords in plain text and process them as strings....

Collapse
 
polterguy profile image
Thomas Hansen • Edited

Probably a symptom of that they're not hashing their passwords, but storing them as varchar(25) in their database as plain text. I'd stay far away from such sites if I was you ... ;)

Collapse
 
juagarc4 profile image
Raul Garcia

Yes!!!
I'm totally agree. Passwords with this kind of requirements are like security by obscurity. At the end no one takes them seriously and become more harmful than helpful.

Collapse
 
adam_cyclones profile image
Adam Crockett πŸŒ€

I work for a federated IDP and I hope to see a world without password in the next 2 years πŸ€ͺ can you imagine how much logging in I do every day!!

Collapse
 
juagarc4 profile image
Raul Garcia

I'm totally agree. Passwords with this kind of requirements are like security by obscurity. At the end no one takes them seriously and become more harmful than helpful.

Collapse
 
jingxue profile image
Jing Xue

I don't understand why you need to remove password validators.

The idea of sentences for passwords isn't mutually exclusive from requiring certain types of characters. A sentence containing only alphabetical characters is still less secure than one of the same length that contains all kinds of characters.

Both length and character types can be coded into validation logic. In fact, I don't remember when was last time I ran into a validator that does not have a minimum length requirement.

Collapse
 
polterguy profile image
Thomas Hansen

I explain the math in the article. As to minimum length, sure, that's a great idea.