New MyACBL Password Requirements

Has anyone changed their MyACBL password recently?  It seems the password requirements have been changed:

Your new password must be:

  • Between 8 and 16 characters in length
  • Contain at least one upper case (capital) letter
  • Contain at least one lower case (small) letter
  • Contain at least one number
  • Contain at least one of the following special characters: ! @ # $ % & * ( ) - _ +

This is an AND, not an OR - all requirements must be met in order to create a new password.  This is not good security.  

Before I go into that, I do want to point out one improvement - I remember in the past when I used the "Forgot Password" option, I received an email with my password in plain text!  Other ACBL members have confirmed receiving their passwords via email as well, which means the ACBL was storing them in plain text (a definite security no-no).  Now, the "Forgot Password" link asks you for your ACBL number, and then emails you a link to reset your password.  This seems to indicate that the ACBL is no longer storing passwords in plain text, which is good.

Why aren't complex passwords good security?  After all, if I'm an attacker and I'm trying to guess someone's password, the more complex the password, the more combinations I'll have to try until I guess it.  However, at the end of the day, passwords are created by humans.  Humans usually aren't very good at creating random passwords (because they're hard to remember).  So while the complexity requirements above increase the total theoretical number of passwords, in practice a lot of people are going to create passwords like Acbl123!@#.  I'm not the only one who thinks this.  There are a lot of security professionals who have studied this topic and come to the same conclusions:

https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html

http://arstechnica.com/security/2013/06/password-complexity-rules-more-annoying-less-effective-than-length-ones/

Just search for "password complexity" and you'll find many more articles like these.

Or if you prefer something more visual, here's a now famous comic strip on the subject (courtesy of xkcd):

https://xkcd.com/936/

The tragedy here is that there are still security professionals preaching the false gospel of password complexity through required use of different character classes (i.e. special characters, digits, capital letters).  I'm sure the ACBL did not come up with these new requirements themselves.  They spoke with security consultants who said something to the effect of "these are the industry best practices".  

That was true 30 years ago, when these complexity requirements were first created and passwords could only be 8 characters long due to operating system limitations.  But times have changed.  Attackers have pre-computed password hashes so they can instantly guess any password (which is why salting is so important). Even with salting, attackers can guess thousands of passwords a second using cloud computing services.
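To make the storage point concrete, here is an added example (mine, not anything the post or the ACBL describes) of salted password hashing with PBKDF2 from Python's standard library, alongside a constructed "precomputed table" of unsalted SHA-256 hashes. It shows why a leaked unsalted hash is a single dictionary lookup, while a salted record forces the attacker to redo the full derivation for every guess against every user. The iteration count, the sample passwords and the record format are my choices.

```python
import base64
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 with a per-user random salt. 600,000 iterations is the
# current OWASP Password Storage Cheat Sheet figure for this algorithm; it is
# a tuning choice, not something the post specifies.
ITERATIONS = 600_000
SALT_BYTES = 16


def unsalted_hex(password):
    """What a site that 'just hashes' stores: the same digest for every user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$digest (base64)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for each stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        "pbkdf2_sha256",
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_b64, digest_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type {algo!r}")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


# Constructed stand-in for an attacker's precomputed table: unsalted SHA-256 of
# a few rule-compliant passwords, keyed by digest so a leak is one lookup away.
COMMON_GUESSES = ["Acbl123!@#", "Password1!", "Bridge2015!", "Welcome1@"]
PRECOMPUTED = {unsalted_hex(p): p for p in COMMON_GUESSES}


def lookup_unsalted(stored_hex):
    """Instant recovery of an unsalted hash: a single dictionary lookup."""
    return PRECOMPUTED.get(stored_hex)


def crack_salted(record, guesses):
    """No table applies to a salted record; every guess is re-derived with this
    user's salt at full cost. Returns the matching guess or None."""
    for guess in guesses:
        if verify_password(guess, record):
            return guess
    return None


if __name__ == "__main__":
    pw = "Acbl123!@#"
    print("unsalted sha256 ->", lookup_unsalted(unsalted_hex(pw)))

    rec_a = hash_password(pw)
    rec_b = hash_password(pw)
    print("same password, two salts, records differ:", rec_a != rec_b)
    print("login with correct password:", verify_password(pw, rec_a))
    print("login with wrong password:  ", verify_password("Acbl123!@$", rec_a))
    print("salted crack result:", crack_salted(rec_a, COMMON_GUESSES))
```

The attacker who holds `PRECOMPUTED` recovers the unsalted hash at no cost; against `rec_a` the same four guesses cost four full PBKDF2 derivations, and that work cannot be shared with any other user's record because each salt differs. This is the distinction the post draws between "pre-computed hashes" and "even with salting, attackers can still guess": salting removes the table, the slow hash sets the price per guess.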

There is still debate on this subject (in fact, the first article I linked to references the comic by saying it's no longer a good way to create passwords, in part due to its popularity).  However, one thing nearly all security professionals agree on is that password complexity requirements like those now used by the ACBL are outdated and don't actually help make users more secure.

ACBL - please fix this.  Two changes:

  1. Increase the maximum number of characters.  16 is way too small - how about 64?  Or 100?  Many people use password managers which let us create and store very large, random passwords.  If I want a 100 character password, why stop me?
  2. Change the complexity requirements to 3 out of 4 (so I can have a password with a capital letter and a number, or a number and a special character, etc.).  This preserves some complexity but doesn't overwhelm the user.
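As an added example (mine, not the post's or the ACBL's code), here are the two policies side by side: the quoted MyACBL rules, and the post's proposal of a 64-character cap with 3 of 4 character classes. Running both over a few sample passwords shows what the post argues: the current rules accept Acbl123!@# while rejecting a long passphrase or a 32-character password-manager string purely on length. The minimum length under the proposal and the "word plus suffix" heuristic are my assumptions.

```python
import re
import string

# Character classes. The special-character set is the one the MyACBL form lists.
UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
DIGIT = set(string.digits)
ACBL_SPECIAL = set("!@#$%&*()-_+")

# Heuristic only (my assumption, not from the post): a word followed by digits
# and then optional symbols is the shape complexity rules push people toward.
WORD_SUFFIX = re.compile(r"^[A-Za-z]+[0-9]+[!@#$%&*()\-_+]*$")


def classes_present(pw):
    """Which of the four character classes appear in pw."""
    chars = set(pw)
    return {
        "upper": bool(chars & UPPER),
        "lower": bool(chars & LOWER),
        "digit": bool(chars & DIGIT),
        "special": bool(chars & ACBL_SPECIAL),
    }


def acbl_policy(pw):
    """The policy quoted in the post: 8-16 characters AND all four classes.

    Returns the list of failed rules; an empty list means the password is accepted.
    """
    failures = []
    if not 8 <= len(pw) <= 16:
        failures.append("length must be between 8 and 16 characters")
    for name, ok in classes_present(pw).items():
        if not ok:
            failures.append(f"missing {name}")
    return failures


def proposed_policy(pw, min_len=8, max_len=64, min_classes=3):
    """The two changes the post asks for: a 64-character cap and 3 of 4 classes.

    min_len is my assumption; the post does not say whether the minimum changes.
    """
    failures = []
    if len(pw) < min_len:
        failures.append(f"length must be at least {min_len} characters")
    if len(pw) > max_len:
        failures.append(f"length must be at most {max_len} characters")
    found = sum(classes_present(pw).values())
    if found < min_classes:
        failures.append(f"only {found} of 4 character classes (need {min_classes})")
    return failures


def looks_like_word_plus_suffix(pw):
    """True for the predictable 'Word123!' shape that satisfies the ACBL rules."""
    return WORD_SUFFIX.fullmatch(pw) is not None


if __name__ == "__main__":
    samples = [
        "Acbl123!@#",                        # compliant, but a word plus a common suffix
        "Tr0ub4dor&3",                       # the xkcd "hard to remember" example
        "correct horse battery staple",      # the xkcd passphrase
        "correct Horse battery staple 7",    # passphrase that satisfies 3 of 4
        "f7Kq!2mZ9pL@x4Rb8nV3wY6tC1jH5sG0",  # 32 random characters from a password manager
    ]
    for pw in samples:
        print(repr(pw))
        print("  ACBL:      ", acbl_policy(pw) or "accepted")
        print("  proposed:  ", proposed_policy(pw) or "accepted")
        print("  word+suffix:", looks_like_word_plus_suffix(pw))
```

One caveat the output makes visible: the proposed 3-of-4 rule still rejects the all-lowercase xkcd passphrase, so a user who wants that style of password has to add a capital or a digit somewhere. The post's first change (raising the cap) is what lets the long random password through; the second only relaxes, rather than removes, the class requirement.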