The Longer of Two Evils: A Resolution for Password Complexity

October 18, 2013

Posted by mtv in Security.
When people ask me what I do as a systems administrator, I often respond with: “I’m the guy who makes you change your password.”  I say this tongue-in-cheek because I recognize that managing multiple passwords is perhaps the most frustrating experience users encounter on a daily basis, but it is important to try to educate and offer advice on why security matters, how passwords are your single line of defense, and how to cope with the demands of the numerous passwords & policies enforced by various service providers.  I won’t go into great detail on the password strategies I use & recommend–for security reasons, of course–but one of my key points is that, instead of meeting the bare minimum to satisfy any given password requirement, you should follow the lead of the strictest requirement you face and get used to making all your passwords follow suit, even where it is not enforced–because it is only a matter of time before all complexity & length requirements rise to that level.  Much to my chagrin, I’ve encountered new password policies in recent years that make it harder and harder for me to follow my own advice. I hereby offer a resolution for password complexity.

The Committee on User Frustration,

ALARMED BY the demands placed on users to meet increasingly “sophisticated” password-composition policies,

OBSERVING that even the best current guidelines for designing password-composition policies are based on theoretical estimates and small-scale studies [1],

NOTING WITH DEEP CONCERN that password-composition policies affect users’ behavior, and those that lead to more difficult-to-predict passwords may also lead users to write down their passwords more readily, or to become averse to changing passwords because of the additional effort of memorizing new ones [1],

HAVING STUDIED the findings of researchers who compared several password-composition policies–namely an 8-character minimum, a 16-character minimum, and an 8-character minimum with at least one uppercase letter, lowercase letter, symbol, and digit–and their effects on password strength, user behavior, and user sentiment, and who concluded that a 16-character minimum with no additional requirements provides the most entropy while proving more “usable” than the strongest alternative [1],

GUIDED BY evidence that symbols, contrary to popular belief, contribute less overall entropy than numbers [1],

GUIDED BY evidence that dictionary checks add much less entropy than expected, and are also found to significantly increase user frustration [1],

NOTING WITH SATISFACTION that users typically create passwords that exceed minimum requirements [1],

1. CALLS UPON designers of password-composition policies to take into account user frustration as well as resultant password entropy;

2. DISCOURAGES imposing a maximum length on passwords, especially a maximum of only 8 characters;

3. NOTES that a maximum length requirement suggests the possibility that your password is being stored literally, and not hashed [2];

4. CONDEMNS dictionary checks and similar rules that do not provide the user with an understanding of why a password is rejected [3];

5. REMINDS that the most common way to hack a password is by simply asking for it [4];

6. FURTHER REMINDS that a complex password policy will have no effect on tried & true techniques of human manipulation, e.g., phishing; and

7. ENDORSES password length over complexity as the best balance of security and usability.
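As an added illustration (example code, not from the post or the cited study), the 16-character minimum endorsed in point 7 beside the 8-character, four-class policy from the study, plus a salted hashing routine showing why point 3 holds: a hashed record is the same size for any password length, so a backend that really hashes has no storage reason to cap length. The MAX_LENGTH bound and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os
import string

# Policy from the resolution: a 16-character minimum and no composition rules.
# MAX_LENGTH is an assumed bound that only limits hashing cost; the stored
# record below does not grow with password length, so storage needs no cap.
MIN_LENGTH = 16
MAX_LENGTH = 1024
SALT_LEN = 16
ITERATIONS = 600_000  # assumed PBKDF2 work factor, not from the post

def check_length_policy(password: str) -> list:
    """Reasons the password is rejected (empty = accepted); each names the
    rule that failed, so the user learns why (point 4 of the resolution)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    return problems

def check_composition_policy(password: str) -> list:
    """The 8-character, four-class policy from the cited study, for comparison."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    classes = {"uppercase": string.ascii_uppercase, "lowercase": string.ascii_lowercase,
               "digit": string.digits, "symbol": string.punctuation}
    for name, chars in classes.items():
        if not any(c in chars for c in password):
            problems.append(f"no {name} character")
    return problems

def hash_password(password: str, salt=None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 (stdlib). The digest is always 32 bytes, so the
    stored record (salt + digest) is 48 bytes for any password length."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt + digest

def verify_password(password: str, record: bytes) -> bool:
    """Recompute the digest under the stored salt and compare in constant time."""
    salt, digest = record[:SALT_LEN], record[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)
```

A passphrase such as "correct horse battery staple" passes the length policy and fails the composition policy on three counts, while "Tr0ub4dor&3" does the reverse; both hash to a 48-byte record.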

[1] http://users.ece.cmu.edu/~mmazurek/papers/chi2011_passwords_people.pdf

[2] http://stackoverflow.com/questions/98768/should-i-impose-a-maximum-length-on-passwords

[3] http://arstechnica.com/security/2013/04/wtf-ats-profane-password-ban-lets-some-swears-through/

[4] http://www.baekdal.com/insights/password-security-usability
