We website developers put up with a lot from those security folks. We’re constantly hearing them nag us to do boring things like scrub inputs to prevent SQL injection flaws. Enforce up-to-date encryption standards. Quit putting auth tokens into URLs. All of these things would make our web applications more genuinely secure. None of them, however, is visible to the user as evidence that we Take Security Very Seriously™. What shall we do?
Well, nothing says “Security!” to our users who know nothing about security like passwords. Long, inconvenient, hard-to-remember passwords. Let’s make our password authentication as difficult as possible! Then they will know that we Take Security Very Seriously™!
We’ll require a diverse character set. Their passwords will have to have two capital letters, three lowercase letters, two numerals and a special character. Donald Duck, perhaps? Brad wanted it also to have to include the tears of a virgin, but HR sent us a really nasty email about the test we were going to implement for that.
We’ll not allow passwords shorter than 8 characters, but also no longer than 14 — the DBAs are worried about the space it will require for that. Why aren’t we hashing the passwords? Well, yes, that would make the storage a non-issue, since all we’d ever store for each password is a constant-length hash. But then how will we be able to send users those friendly reminder emails when they forget their passwords, with the password in clear text?
Of course, they won’t be able to use that clear text password to log in, because we have not yet finished demonstrating that we Take Security Very Seriously™! See, now that we’ve made the passwords inhumane, we’re going to fix the front end to be sure that the ONLY way they can enter those inhumane passwords is to type them, one agonizing character at a time. Never mind the users who want to use really random passwords, so they get password managers that load the clipboard or fill in passwords for them. That black magic seems like a hacking tool to us; we won’t allow it. No sir, only human fingers on a keyboard will be permitted here!
After all, we Take Security Very Seriously™.