New Sonic Password Strength Requirements

General discussions and other topics.
10 posts Page 1 of 1
by jxb » Thu Nov 13, 2014 1:44 pm
Sonic has changed the "Strength Requirements" when you change an account password. Previously you had freedom to pick your password, but now you are required to jump through hoops to get a password accepted. There is an algorithm that checks the "Password Strength" and it is way too strenuous. Furthermore, there is no explanation of what the requirements are, just a statement that it must be 8-32 characters and

"Your password should include capitalization, punctuation, and possibly even numbers. Something like a phrase from a favorite song or a funny quote can both meet the security requirements and be easier to remember. "

The password change screen suggests using a password such as "correct horse battery staple". How many people want a password that is so long that it invites mistyping?

Here are some passwords that fail the strength test, and in my opinion they are ALL strong. Can we go back to the old algorithm?

Pra@lare
**Fuelp55
son1cs*cks
by kgc » Thu Nov 13, 2014 3:56 pm
I think the password tools all link to our wiki that goes into some detail on the subject. I particularly recommend that you take a look at some of the links provided at the end of the page. Honestly, I'm torn on the subject. It is more likely that a password will be stolen off a device or given willingly to a phisher than your encrypted password will ever get into the hands of a hacker with cracking software. You should be able to get a short password that combines both cases, numbers and symbols to be accepted but I think it penalizes repeated chars.

https://wiki.sonic.net/wiki/Password_Guidelines
Kelsey Cummings
System Architect, Sonic.net, Inc.
by jxb » Thu Nov 13, 2014 4:10 pm
The same password that registered an acceptable 60 a couple of weeks ago now registers an unacceptable 10. Please explain in detail what changes have been made and why these particular changes have been made.
by Mark » Sun Nov 16, 2014 1:33 pm
While I agree that having to jump through hoops is frustrating, having your email hacked is worse. I have not changed my password on Sonic for years. Yeah, bad policy, but going through a CyberSecurity class I realize that it is good to use a password manager and a password of at least 14 characters with numbers or characters and even spaces. What the wiki actually says makes sense: a phrase that may not make sense, but at least has actual words, is harder to hack than a complex-looking 8-character password with numbers and odd characters (very true story). I will now change my password. Cheers
by kgc » Mon Nov 17, 2014 10:36 am
jxb wrote:The same password that registered an acceptable 60 a couple of weeks ago now registers an unacceptable 10. Please explain in detail what changes have been made and why these particular changes have been made.
I made the changes to the scoring system because it did not accurately represent what we have been recommending and was allowing customers to use passwords that are demonstrably "not that secure." The scoring system now correctly favors length over complexity.
Kelsey Cummings
System Architect, Sonic.net, Inc.
by darrylo » Tue Nov 18, 2014 2:38 am
jxb wrote:The password change screen suggests using a password such as "correct horse battery staple". How many people want a password that is so long that it invites mistyping?
I'm sure sonic's wiki explains this, but for everyone else: the idea is that memorizing a short sequence of words is much easier than remembering something like p$F*w1U&G@4. However, this comes from an old xkcd comic, which is somewhat controversial:
  • Some people think that this is still an insecure method. Well, they're both right and wrong.
  • They're right if people are allowed to choose "random" words. This is because people don't choose truly random words, and tend to choose guessable ones.
  • If the words are chosen in a truly random fashion, the method is sound, although more words (than four) should probably be used.
If you want to use words for your passphrase (assuming you're not being limited by password length), diceware passphrases are good.
jxb wrote:Here are some passwords that fail the strength test, and in my opinion they are ALL strong. Can we go back to the old algorithm?
Pra@lare
**Fuelp55
son1cs*cks
Nope, not really. Those are fairly insecure at many sites (although probably not Sonic, as Sonic should be using salted passwords). Assuming access to unsalted hashes, an 8-character password can probably be brute-forced in a matter of hours, using 2-year-old technology (~350 billion guesses/sec for a Windows password). LinkedIn, anyone? I imagine today's tech is much faster.
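Added example (not from darrylo's post, Sonic's wiki, or any Sonic code): the arithmetic behind the claims above, in Python. It uses the ~350 billion guesses/second figure quoted in the post, the 95 printable ASCII characters for an 8-character password, and the 7776-word Diceware list, and shows why four random words sit roughly where a random 8-character password does while six words do not. The word list in the code is a constructed stand-in for the real Diceware list, and the passphrase generator is an illustration of picking words with the OS random source.

```python
import math
import secrets

# Guess rate darrylo quotes (~350 billion/s for a fast, unsalted hash on
# roughly 2012-era hardware); the arithmetic below just follows it through.
GUESSES_PER_SECOND = 350e9
SECONDS_PER_HOUR = 3600
SECONDS_PER_YEAR = 365.25 * 24 * SECONDS_PER_HOUR

PRINTABLE_ASCII = 95      # printable ASCII symbols, space excluded
DICEWARE_WORDS = 7776     # 6**5: one word per roll of five dice


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols each drawn uniformly and independently from
    `alphabet_size` choices. Holds for truly random choice only; a human who
    'picks' words or characters gets far fewer bits than this."""
    return length * math.log2(alphabet_size)


def exhaustive_search_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate; the expected time to hit a
    uniformly random secret is half of this."""
    return 2.0 ** bits / rate


def crack_time_hours(alphabet_size: int, length: int) -> float:
    return exhaustive_search_seconds(entropy_bits(alphabet_size, length)) / SECONDS_PER_HOUR


def crack_time_years(alphabet_size: int, length: int) -> float:
    return exhaustive_search_seconds(entropy_bits(alphabet_size, length)) / SECONDS_PER_YEAR


# Constructed stand-in for the real 7776-entry Diceware list; the entropy
# figures above use DICEWARE_WORDS, not the length of this toy list.
TOY_WORDLIST = ["correct", "horse", "battery", "staple", "anvil", "comet",
                "lantern", "pepper", "quartz", "saddle", "tulip", "walrus"]


def random_passphrase(num_words: int, wordlist=TOY_WORDLIST, sep: str = " ") -> str:
    """Choose words with the OS CSPRNG via `secrets`, not `random`, so the
    'truly random fashion' the post asks for actually holds."""
    return sep.join(secrets.choice(wordlist) for _ in range(num_words))


def summary() -> dict:
    """Bits and worst-case search time for the cases the thread compares."""
    cases = {
        "8 random printable characters": (PRINTABLE_ASCII, 8),
        "4 Diceware words": (DICEWARE_WORDS, 4),
        "6 Diceware words": (DICEWARE_WORDS, 6),
    }
    return {name: {"bits": entropy_bits(a, n), "hours": crack_time_hours(a, n),
                   "years": crack_time_years(a, n)} for name, (a, n) in cases.items()}


if __name__ == "__main__":
    for name, r in summary().items():
        print(f"{name:32} {r['bits']:6.1f} bits  {r['hours']:14.1f} h  {r['years']:12.1f} y")
    print("sample passphrase:", random_passphrase(6))
```

The figures come out at about 52.6 bits (roughly 5 hours of exhaustive search at the quoted rate) for 8 random printable characters, about 51.7 bits (under 3 hours) for four Diceware words, and about 77.5 bits (tens of thousands of years) for six words, which is the case for "more words than four".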
by kgc » Tue Nov 18, 2014 11:18 am
I agree that using something like diceware to generate your passphrase is a very good idea along with improper punctuation and capitalization. Using lines from books, especially religious texts, songs or movies is a bad idea.

For the record, passwords are currently stored in SHA512 with 16 chars of randomized salt. (No duplicated salt across the entire set.)
Kelsey Cummings
System Architect, Sonic.net, Inc.
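Added example, not Sonic's code: what storing passwords as SHA-512 with a 16-character random per-user salt looks like in Python, plus a check that no salt repeats across a set of records (the property stated above). The salt alphabet (letters and digits) and the salt-then-password concatenation are assumptions, since the post gives only the hash and the salt length. A PBKDF2 variant is included alongside because a deliberately slow, iterated construction is what current password-storage guidance prefers over a single fast hash, salted or not.

```python
import hashlib
import hmac
import secrets
import string
from typing import Optional

# Salt length the post states; the alphabet is an assumption (the post gives
# only the length, not the character set).
SALT_LEN = 16
SALT_ALPHABET = string.ascii_letters + string.digits


def new_salt() -> str:
    """Fresh per-record salt from the OS CSPRNG."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(SALT_LEN))


def hash_password(password: str, salt: Optional[str] = None) -> str:
    """Salted SHA-512 record stored as 'salt$hexdigest'. Salt-then-password
    concatenation is one conventional layout, assumed here."""
    salt = salt if salt is not None else new_salt()
    digest = hashlib.sha512((salt + password).encode("utf-8")).hexdigest()
    return f"{salt}${digest}"


def verify_password(password: str, record: str) -> bool:
    salt, digest = record.split("$", 1)
    candidate = hashlib.sha512((salt + password).encode("utf-8")).hexdigest()
    # Constant-time comparison so the position of a mismatch is not observable.
    return hmac.compare_digest(candidate, digest)


def salts_unique(records) -> bool:
    """True when no two records share a salt. A repeated salt would let one
    precomputed table of guesses be checked against every account using it."""
    salts = [r.split("$", 1)[0] for r in records]
    return len(set(salts)) == len(salts)


def hash_password_pbkdf2(password: str, salt: Optional[str] = None, iterations: int = 600_000) -> str:
    """Same salt handling, but through PBKDF2-HMAC-SHA512 so each guess costs
    `iterations` hash computations instead of one."""
    salt = salt if salt is not None else new_salt()
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt.encode("utf-8"), iterations)
    return f"pbkdf2_sha512${iterations}${salt}${dk.hex()}"


def verify_password_pbkdf2(password: str, record: str) -> bool:
    _, iterations, salt, hexdk = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt.encode("utf-8"), int(iterations))
    return hmac.compare_digest(dk.hex(), hexdk)


if __name__ == "__main__":
    # Constructed records: two users who happen to choose the same passphrase.
    users = {"alice": hash_password("correct horse battery staple"),
             "bob": hash_password("correct horse battery staple")}
    # Same password, different salts, therefore different stored digests.
    print(users["alice"] != users["bob"], salts_unique(users.values()))
    print(verify_password("correct horse battery staple", users["alice"]))
    print(verify_password("Pra@lare", users["alice"]))
```

The per-user salt is what stops a single table of precomputed guesses from covering the whole user set at once; it does not slow down a guess against one specific account, which is the gap the iterated PBKDF2 variant closes.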
by forest » Fri Jan 09, 2015 1:27 am
jxb wrote:How many people want a password that is so long that it invites mistyping?
I find typing a multi-word passphrase to be easier and less error-prone than a shorter password with capitals, numbers, and symbols. And far easier to remember.
jxb wrote:Here are some passwords that fail the strength test, and in my opinion they are ALL strong. Can we go back to the old algorithm?
Pra@lare
**Fuelp55
son1cs*cks
No, thanks. Those passwords might be strong against a human trying to guess your password, but they do not have enough entropy to make them strong against automated attacks (which are far more prevalent today, despite what movies might lead us to think).
by Guest » Fri Jan 30, 2015 2:55 pm
Despite their example, even random words apparently won't cut the mustard, because all alphabetic is apparently automatically considered not random enough.

Capricious password strength rules are bad and stupid. SECRET capricious password strength rules are bad and stupid and really annoying.
by kgc » Fri Jan 30, 2015 4:54 pm
A series of all lower case strings with spaces is enough to get a score into the 70s. Without at least one number, upper case or special character (including space) it will not pass. I've updated the text to make this clearer.
Kelsey Cummings
System Architect, Sonic.net, Inc.
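Added example (illustrative, not Sonic's actual scoring code): a scorer that favors length over complexity as described in kgc's earlier reply, penalizes repeated characters, requires the 8-32 character range from the change screen, and refuses anything made of lower-case letters alone, matching the rule stated above. The 60-bit pass threshold, the half credit for repeated characters, and the 0-100 scale are choices made for this illustration and are not meant to reproduce the numbers quoted in the thread. Run on the three passwords from the first post it rejects all of them while accepting the word-based passphrase with spaces.

```python
import math
import re
from collections import Counter

# Length range stated on the password change screen (from the thread).
MIN_LEN, MAX_LEN = 8, 32
# Estimated entropy needed to pass: a threshold chosen for this illustration.
PASS_BITS = 60

# (name, pattern, symbols this class adds to the assumed alphabet); the sizes
# are the usual ASCII class sizes, so "symbol" is the 32 printable non-alphanumerics.
CHAR_CLASSES = [
    ("lower", re.compile(r"[a-z]"), 26),
    ("upper", re.compile(r"[A-Z]"), 26),
    ("digit", re.compile(r"[0-9]"), 10),
    ("space", re.compile(r" "), 1),
    ("symbol", re.compile(r"[^A-Za-z0-9 ]"), 32),
]


def classes_present(pw: str) -> list:
    return [name for name, pat, _ in CHAR_CLASSES if pat.search(pw)]


def alphabet_size(pw: str) -> int:
    return sum(size for _, pat, size in CHAR_CLASSES if pat.search(pw))


def effective_length(pw: str) -> float:
    """Length with every repeated occurrence of a character counted as half,
    so 'aaaaaaaa' earns far less than eight distinct characters would."""
    repeats = sum(n - 1 for n in Counter(pw).values())
    return len(pw) - 0.5 * repeats


def estimated_bits(pw: str) -> float:
    """Crude entropy estimate: effective length times log2 of the alphabet the
    password draws from. Length scales the result linearly, while adding a
    character class adds only a few bits per character; that is the sense in
    which the score favors length over complexity."""
    if not pw:
        return 0.0
    return effective_length(pw) * math.log2(alphabet_size(pw))


def evaluate(pw: str):
    """Return (score 0-100, passes, reasons). Passing requires the length
    range, at least one non-lower-case class, and PASS_BITS of estimated entropy."""
    reasons = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        reasons.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if set(classes_present(pw)) <= {"lower"}:
        reasons.append("add at least one number, upper-case letter, space or symbol")
    bits = estimated_bits(pw)
    if bits < PASS_BITS:
        reasons.append(f"estimated {bits:.0f} bits, need about {PASS_BITS}; more words help most")
    score = min(100, round(bits))
    return score, not reasons, reasons


if __name__ == "__main__":
    # The three passwords from the thread beside the xkcd-style passphrase,
    # with and without the spaces that supply the required extra class.
    for candidate in ["Pra@lare", "**Fuelp55", "son1cs*cks",
                      "correct horse battery staple", "correcthorsebatterystaple"]:
        score, ok, why = evaluate(candidate)
        print(f"{candidate!r:32} score={score:3d} pass={ok} {'; '.join(why)}")
```

The last candidate is the instructive one: it scores well on estimated entropy but still fails, because the class requirement is a separate gate rather than part of the score, which is exactly the behaviour the reply above describes.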