On more than one occasion I've been asked to implement rules for password selection for software I'm developing. Typical suggestions include things like:
And so on.
Something has always bugged me about putting any restrictions on passwords though - by restricting the available passwords, you reduce the size of the space of all allowable passwords. Doesn't this make passwords easier to guess?
Equally, by making users create complex, frequently-changing passwords, the temptation to write them down increases, also reducing security.
Is there any quantitative evidence that password restriction rules make systems more secure?
If there is, what are the 'most secure' password restriction strategies to use?
Edit: Ólafur Waage has kindly pointed out a Coding Horror article on dictionary attacks which has a lot of useful analysis in it, but it strikes me that dictionary attacks can be massively reduced (as Jeff suggests) by simply adding a delay following a failed authentication attempt.
With this in mind, what evidence is there that forced-complex passwords are more secure?
Password complexity is a measure of how difficult a password is to guess in relation to any number of guessing or cracking methods. In some cases, the term is also used to refer to requirements for password selection that are designed to increase password complexity in the interest of better security.
The stronger your password, the more protected your computer will be from hackers and malicious software. You should maintain strong passwords for all accounts on your computer.
The longer the password, the longer it will take to crack. When a password cracker has more characters to fill to guess the correct password, it's exponentially less likely to get it right. In other words, you don't need a complex password with lots of fancy special characters if you have a long password.
Use a mix of alphabetical and numeric characters. Use a mixture of upper- and lowercase; passwords are case sensitive. Use a combination of letters and numbers, or a phrase like "many colors" using only the consonants, e.g., mnYc0l0rz, or a misspelled phrase, e.g., 2HotPeetzas or ItzAGurl.
Something has always bugged me about putting any restrictions on passwords though - by restricting the available passwords, you reduce the size of the space of all allowable passwords. Doesn't this make passwords easier to guess?
In theory, yes. In practice, the "weak" passwords you disallow represent a tiny subset of all possible passwords that is disproportionately often chosen when there are no restrictions, and which attackers know to attack first.
Equally, by making users create complex, frequently-changing passwords, the temptation to write them down increases, also reducing security.
Correct. Forcing users to change passwords every month is a very, very bad idea, except perhaps in extreme high-security environments where everyone really understands the need for security.
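To put numbers on the two threads of this discussion (the length-versus-complexity point in the first answer, and the "does banning weak passwords shrink the space?" concern addressed in the second), here is an added example that is not part of the original thread; the character-set sizes, blacklist size and guess rates are assumed figures for illustration.

```python
import math

# Assumed character-set sizes for the policies compared (illustrative, not from the thread).
LOWERCASE = 26          # a-z
PRINTABLE_ASCII = 95    # letters, digits and punctuation


def keyspace_bits(charset_size: int, length: int) -> float:
    """Search-space size, in bits, for a uniformly chosen password of this shape."""
    return length * math.log2(charset_size)


def bits_after_blacklist(charset_size: int, length: int, banned: int) -> float:
    """Search space (bits) once `banned` disallowed passwords are removed from it.

    This is the 'restrictions shrink the space' concern made quantitative.
    """
    total = charset_size ** length
    return math.log2(total - banned)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate in a space of `bits` bits."""
    return 2.0 ** bits / guesses_per_second


def compare_policies() -> dict:
    """Length vs. complexity, a blacklist, and online throttling vs. offline cracking."""
    short_complex = keyspace_bits(PRINTABLE_ASCII, 8)   # 8 chars from 95 symbols
    long_simple = keyspace_bits(LOWERCASE, 16)          # 16 lowercase letters only
    # Banning a million known-weak passwords from the 8-char space costs a negligible
    # number of bits, yet those are exactly the guesses an attacker tries first.
    bits_lost = short_complex - bits_after_blacklist(PRINTABLE_ASCII, 8, 1_000_000)
    # Assumed rates: a one-second delay per failed login caps a single online guesser
    # near 1 guess/s; an offline attack on a stolen fast hash is assumed at 1e10 guesses/s.
    online_years = seconds_to_exhaust(short_complex, 1.0) / (365 * 24 * 3600)
    offline_days = seconds_to_exhaust(short_complex, 1e10) / (24 * 3600)
    return {
        "short_complex_bits": short_complex,
        "long_simple_bits": long_simple,
        "blacklist_bits_lost": bits_lost,
        "online_throttled_years": online_years,
        "offline_days": offline_days,
    }


if __name__ == "__main__":
    for name, value in compare_policies().items():
        print(f"{name:>24}: {value:,.6g}")
```

The output shows why the failed-login delay matters so much: the same 8-character space that an offline cracker can exhaust in about a week would take a throttled online guesser hundreds of millions of years, while the 16-letter lowercase passphrase adds over 20 bits on top of that.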