Password complexity requirements - ABSURD

Answered

The new password complexity requirements you have for Jetbrains accounts are complete insanity.


1
13 comments
Official comment

Hello,

Thank you for reaching out.

Our password complexity requirements are currently based on OWASP (Open Web Application Security Project) recommendations related to password authentication: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#implement-proper-password-strength-controls.

There is the following recommendation in particular:

Include password strength meter to help users create a more complex password and block common and previously breached passwords.
- zxcvbn library can be used for this purpose.

We use the zxcvbn library to ensure that the password's entropy is enough because such an approach can be considered one of the industry best-practices. 

One of the worst possible user experiences you could possibly create. This anti-user behavior deserves to face loss in sales. Your account abandonment (and proxy, shopping cart abandonment) rate rightfully so should go through the roof.

0

Thank you for your feedback. 

We're sorry to hear that you had such an experience with our portal.

Unfortunately, your comment does not contain any suggestions or examples of passwords that you would like to use but that the portal does not allow.

Please describe the problem in more detail and share your thoughts about improving the portal and your ideas about the password complexity, with some examples.

0

Eliminate passwords entirely. Your service has no justification to be an identity provider.

0

Well, our portal contains customers' private data, which is quite sensitive and most of our customers want to keep it safe. Unfortunately, you have not provided details and some password examples. 

I can discuss with our security team what can be done about the password complexity, but I want to hear your suggestions and examples to be able to do so.

0

I didn't say eliminate security. You just should have no place in authentication.

0

We're working on a feature to give our customers a more flexible way to sign in, such as authentication to JetBrains Account via 3rd party providers (Google, Facebook, Github, etc.).

Could you please clarify whether that feature would be more convenient and user-friendly for you, or whether you mean another point to consider?

0

A length of 9, a mix of upper and lower cases, digits, and special characters should be sufficient for any use.  Instead I get this from JetBrains when I tried to update my password.

This password is easy to guess. Add another word or two. Uncommon words are better. Predictable substitutions like '@' instead of 'a' don't help too much.

This really provides no clue to what JetBrains is looking for in a password.  I refuse to write a novel.  At least respond with the rules to follow.

0

Hello,

In YouTrack, we use entropy as a measure of password strength. Entropy is an estimation of the number of guesses needed to find a password, measured in entropy bits. Adding one bit of entropy to a password doubles the number of guesses required. You can find the details, instructions, and information on how to change the password policy in this article: Set a Password Policy.


0

I'm evaluating jetbrains as a potential alternative to visual studio, this password requirement nonsense was almost enough to fail it before I got to even open the app.  Seriously reconsider which standards authority you decide to follow for password practices, many including the US Government have recognized that extensive requirements lead to users leaning on password recovery systems and postit notes.  I threw a random password in, so every single time I'm required to reauth I'll have to reset my password.  Going "above and beyond" is usually a good thing, but in this case I promise you it will cause far more security issues for your users than the basic NIST standards.

https://blog.netwrix.com/2022/11/14/nist-password-guidelines/

https://www.starlab.io/blog/why-enforced-password-complexity-is-worse-for-security-and-what-to-do-about-it

0
Hi Rob,

I assume you mean JetBrains account password requirements. Sorry if it caused problems for you.

We do use [NIST guidelines](https://pages.nist.gov/800-63-3/sp800-63b.html) for password strength evaluation alongside additional security checks. Our customers have a lot of sensitive information in their JetBrains account, and we're providing all security measures to keep it safe.

I can suggest using password managers or any SSO with 2FA to avoid the situation you got in.

Thank you!
0
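To make concrete what the two official replies above describe (a zxcvbn-style entropy estimate, where each extra bit doubles the guesses required, combined with the NIST SP 800-63B approach of a length floor, no composition rules, and a block list of common or breached passwords), here is an added illustration. It is not JetBrains' code, nor the zxcvbn library itself: the guess estimator is a deliberately crude stand-in, and the breached-password list is a constructed sample, not a real breach corpus.

```python
import math

# Constructed sample of common/breached passwords (stand-in for a real corpus
# such as the Pwned Passwords list). Stored in normalised lower-case form.
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "iloveyou"}

# Predictable "leet" substitutions, so 'P@ssw0rd' is recognised as 'password'.
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s", "!": "i"})


def normalise(password: str) -> str:
    """Lower-case and undo predictable substitutions before the block-list lookup."""
    return password.lower().translate(LEET_MAP)


def is_breached(password: str) -> bool:
    """Check both the plain lower-cased form and the de-leeted form.
    The plain form matters for all-digit passwords, which the leet map would garble."""
    return password.lower() in BREACHED_PASSWORDS or normalise(password) in BREACHED_PASSWORDS


def estimate_guesses(password: str) -> int:
    """Crude guess-count estimate (assumption: a real deployment would use zxcvbn).

    A block-listed password costs an attacker at most one guess per list entry,
    regardless of its length or character classes. Anything else is modelled as a
    brute-force search over the character classes actually present."""
    if is_breached(password):
        return len(BREACHED_PASSWORDS)
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # printable ASCII punctuation plus space
    return pool ** len(password)


def entropy_bits(password: str) -> float:
    """Entropy in bits: log2 of the estimated guess count, so +1 bit == 2x guesses."""
    return math.log2(estimate_guesses(password))


def check_password(password: str, min_bits: float = 40.0):
    """NIST SP 800-63B style policy: length floor of 8, allow up to 64, no
    composition rules, reject block-listed passwords; plus an entropy floor
    (min_bits is an assumed threshold, not a value from the thread).

    Returns (accepted, estimated_bits, reasons) so a UI can explain a rejection
    rather than leaving the user guessing what the rule is."""
    reasons = []
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if len(password) > 64:
        reasons.append("longer than 64 characters")
    if is_breached(password):
        reasons.append("matches a common or breached password")
    bits = entropy_bits(password)
    if bits < min_bits:
        reasons.append(f"estimated entropy {bits:.1f} bits is below {min_bits:.0f}")
    return (not reasons, round(bits, 1), reasons)


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "123456", "Abcdef1!x", "correct horse battery staple"):
        accepted, bits, reasons = check_password(candidate)
        print(f"{candidate!r}: accepted={accepted} bits={bits} reasons={reasons}")
```

The point the example makes is the one the thread circles around: 'P@ssw0rd' satisfies every classic composition rule (upper, lower, digit, symbol, length 8) yet scores only a couple of bits because it is a trivial substitution of a block-listed word, while a long passphrase with no symbols at all scores far higher. A checker built this way can also report *why* a password was rejected, which addresses the complaint that the zxcvbn hint gives no rule to follow.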

"alongside with additional security checks"
This is the portion that means you folks aren't adhering to NIST standards. Much like adding extra flour to a bread recipe, the additional measures that are implemented are lessening its effectiveness. I do understand the support staff can't really do much about an overzealous security director, but hopefully enough noise might help them see the light one day.

A password manager is definitely the right thing to recommend to your customers, hopefully they can find one that doesn't create a single point of failure.  Hope you have a great week, I'm sure it's not super fun dealing with us grumpy devs day to day.

0
Rob, thank you for pointing this out.

Unfortunately, I can't promise anything for now. Will pass your feedback to our security team.

Wish you a nice week too!
0
