## Number in password required? Why not be more intelligent?

What do you love about LastPass? What do you hate about it? Tell us why you like it, why you don't, and why.

Moderators: admin, anatoly_LP, chantieLP, JoeSiegrist, robyn

### Number in password required? Why not be more intelligent?

One of the features that I liked the most about LastPass is that, when I last created an account, I didn't need to use numbers or any special characters in my password.
The only requirement back then was, was that the password had a minimum length of 12 characters.

Apparently this has changed since then, since, when I tried to set up a new account today, I was told that the password needed to include at least 1 number.

To the regular person, this might sound like an improvement, but in reality passwords that contain numbers are barely any safer than passwords without them.
Passwords with numbers and/or special characters in them are just more prone to being mis-typed or forgotten by the owner.

The minimum password length for a LastPass master password is 12 characters. Let's assume it also needs to include at least 1 special character, 1 number and 1 upper- and lower-case letter.
I'll have you know that the password I tried to set (without any numbers or special characters, but with lower and uppercase letters) contained over 30 characters spread over more than five words.
Now let's compare these two:
• Most people choose the special character in their password from a rather limited set of... let's be generous and assume this set contains 20 characters.
This makes the number of possibilities for any character in the LastPass password 20 + 10 + 26 + 26 = 82 different characters.
82^12 = at least 9.24 * 10 ^ 22 possibilities for the complete password.
• Let's assume that my password of 30 characters only contains lowercase letters, so only 26 different characters
26^30 = at least 2.81 * 10 ^ 42 possibilities for the complete password.
That is 3 * 10 ^19 which is 30.000.000.000.000.000.000 times as many possibilities. It's almost the square of the number of possibilities of the 12-character, many-possibilities password.

Now I said that My password contained more than 5 words that you are, arguably, able to find in an English dictionary.
The Oxford English Dictionary lists +- 171.500 words. The average length of English words is +- 5.1 letters, which would lead to passwords of 30 characters having +- 6 words on average.
171.500^6 = at least 2.54 * 10 ^ 31 possibilities for the complete password.
So that'd make the password less safe if it only contained officially spelled English words, but still way safer than the 12-character, many-possibilities password.

What we observe here is that:
1. Adding more possible characters does increase the safety of the password.
2. Increasing the length of the password seems to be way more effective than increasing the number of possible characters.
• If increasing the number of possible characters by x results in n possible passwords, increasing the length of the password by x, seems to results in +- n^2 possible passwords.
3. Using only words that actually exist in a language is less safe than using random letters, but still more effective than increasing the number of possible characters.
4. A password cracking algorithm would probably have an easier time cracking a password with only correctly spelled English words.

So that is why I wonder why numbers suddenly became a requirement (again).
Is it a legal thing or something? Because if anyone should know about this stuff, I'd expect it to be the people from LastPass.

Since LastPass remembers all other passwords for you, the only password users really need to remember themselves and NEVER EVER forget, is their LastPass password.
This is why I opt for a requirements system for passwords in which the minimum password length depends on the number of optional requirements that are fulfilled.
Optional requirements:
• Capital letters
• lowercase letters
• numbers
• special characters ("!", "?", "@" etc.)
• very special characters ("(", "{", "[", "¿", etc.)
[/list]
Number of optional requirements fulfilled -> minimum password length:
1. 32
2. 22
3. 16
4. 12
5. 10

So, for instance, if someone uses only lowercase letters, numbers and special characters in their password, their minimum password length is 16 characters.

MathijsRiezebos

Posts: 8
Joined: Thu Nov 22, 2018 4:14 am

### Re: Number in password required? Why not be more intelligent

This is weird!!!
Why would LastPass backtrack their password policy against recent industry recommendation???
FlyingHawk

Posts: 776
Joined: Wed Mar 18, 2015 12:04 pm

### Re: Number in password required? Why not be more intelligent

To be honest, I think you are reading too much into it. Their "Create account" lists those minimum requirements, but it also includes "Advice" literally stating that numbers and characters aren't that important, which is the same argument you are making, so they obviously know about it.

And even when you meet all those minimum requirements, it still calculates your password strength. For example, I tried to create new account with password "MyPassw0rdiz12345678!LOL" - which ticked all their boxes, but the strength meter was on the lowest point possible.

Reason? They probably want new users to think about their password instead of typing it right away. I think them combining these requirements with advice and strength meter is just psychological attempt to disrupt automatic thinking of people who never thought about secure passwords before but heard people talking about some "password manager thingy". I am fine with that.
Rich4422

Posts: 58
Joined: Tue Jan 02, 2018 8:53 am

### Re: Number in password required? Why not be more intelligent

But latest recommendations (e.g. the famous NIST guideline) advice against composition rules.
They hinder usability without effectively increasing practical security, and are especially unfriendly towards passphrase.

LastPass master password being the password users actually need to remember and type, should be passphrase and typing friendly.
FlyingHawk

Posts: 776
Joined: Wed Mar 18, 2015 12:04 pm

### Re: Number in password required? Why not be more intelligent

LastPass recommends using passphrases, it's in their password generator and in their blog post about creating master password. I tried to use Myvacation2paris-wasincredible and it's absolutely fine. Tho there's no harm in contacting them about the need for numbers.
Rich4422

Posts: 58
Joined: Tue Jan 02, 2018 8:53 am

### Re: Number in password required? Why not be more intelligent

Yes, it's possible to use passphrase with these rules, but not in the most convenient fashion.
E.g. I can't just generate a diceware phrase like "unequal handyman crept staleness tattling femur" and use it directly.
Numbers and upper case letters are also not typing friendly.

I already submitted a support ticket and tweeted at them.
FlyingHawk

Posts: 776
Joined: Wed Mar 18, 2015 12:04 pm

### Re: Number in password required? Why not be more intelligent

Image I forgot to include in the OP:
https://i.imgur.com/KGMmsVx.png
I also requested this as a feature here. <- this is a link!

Rich4422 Wrote:[...]
And even when you meet all those minimum requirements, it still calculates your password strength. For example, I tried to create new account with password "MyPassw0rdiz12345678!LOL" - which ticked all their boxes, but the strength meter was on the lowest point possible.

Reason? They probably want new users to think about their password instead of typing it right away. I think them combining these requirements with advice and strength meter is just psychological attempt to disrupt automatic thinking of people who never thought about secure passwords before but heard people talking about some "password manager thingy". I am fine with that.

At first glance, I'd say that that password is rather strong but hard to remember. The first part up until the "!" may be pretty generic, but if there's no way for the machine to know what the total length of your password is or whether or not you use generic passwords at all, it might try "MyPassw0rdiz12345678!" relatively soon, but "MyPassw0rdiz12345678!LOL" may follow literal centuries after.
I wouldn't say that it's a good password, but it should be strong enough...

My proposed change would help new users think about their password as well as eliminate any secondary requirement on the shape of their passphrase.

FlyingHawk Wrote:Yes, it's possible to use passphrase with these rules, but not in the most convenient fashion.
E.g. I can't just generate a diceware phrase like "unequal handyman crept staleness tattling femur" and use it directly.
Numbers and upper case letters are also not typing friendly.

I already submitted a support ticket and tweeted at them.

The gist of my proposed concept is that, with each added set of characters, the decrease of the needed length of the passphrase decreases:
First -10 characters, then -8 characters, -6, -4, -2.
This is meant to illustrate to the user that a longer passphrase is way more effective than using multiple character sets.

In my example, a minimum passphrase length of 32 characters if just one character set is used, may be a little bit over the top, and when 5 different character sets are used, a length of 7 or 8 characters might do, but it's just an explanatory example.

I would personally only like to use passwords with lowercase letters and Uppercase letters or numbers anywhere.
I consider those passphrase- and typing-friendly enough.
MathijsRiezebos

Posts: 8
Joined: Thu Nov 22, 2018 4:14 am

### Re: Number in password required? Why not be more intelligent

Quick note/question:
I noticed that a staff member, jpenny84, has locked my other thread in the "Feature Request" section of these forums.
That thread was supposed to be just that: a feature request. This thread is primarily meant to discuss the fact that LastPass now requires new users to use at least 1 number in their password.

In other words, the subject and purpose of both threads are distinctively different, so I wonder either one of them really needed to be closed.
Also, if creating a thread in that subsection of these forums is not the intended way to submit a formal feature request, please let me know, but if it is, please re-open that thread.

I do not seem to be able to send jpenny84 a PM/DM, hence this reply to my own thread. The one that isn't locked, that is.
MathijsRiezebos

Posts: 8
Joined: Thu Nov 22, 2018 4:14 am

### Re: Number in password required? Why not be more intelligent

jpenny84 is a mod but not staff of LastPass. LastPass employees usually have "LP" in their usernames.
This forum is basically abandoned by LastPass. There's no real difference in "feature request" vs "discussion". It's all user-to-user.

You'd better open a support ticket or use twitter for any chance of an official response/acknowledgement.
Even then, don't bother with the implementation details. They have their own experts and in all likelihood won't listen to your detailed proposal. Just let them know why you're unhappy with the new composition rules.
Even better if you can get the attention of someone with a large following in the infosec circle.
FlyingHawk

Posts: 776
Joined: Wed Mar 18, 2015 12:04 pm

### Re: Number in password required? Why not be more intelligent

FlyingHawk Wrote:jpenny84 is a mod but not staff of LastPass. LastPass employees usually have "LP" in their usernames.

You'd better open a support ticket or use twitter for any chance of an official response/acknowledgement.
Even then, don't bother with the implementation details. They have their own experts and in all likelihood won't listen to your detailed proposal.

Thank you very much for your answer. I know that jpenny84 isn't an LP employee. With "staff", I simply meant forum staff.

And I guess that is what I am going to do then. :/
We'll see about implementation details. Good "graphics" can topple the most stubborn minds.
You've only encouraged me to try harder.

Would you, perhaps, happen to have this "large following in the infosec circle?"
MathijsRiezebos

Posts: 8
Joined: Thu Nov 22, 2018 4:14 am

Next