You know how it goes, you signup to a new service and need to create a password. You are then usually presented something similar to:
- Minimum of 8 characters
- Minimum of 1 upper case character
- Minimum of 1 lower case character
- Minimum of 1 digit
- Minimum of 1 special character
- May not be longer than 24 characters
- Cannot contain your username
- Cannot be the same as your last 3 passwords
So you think you have a password which meets the requirements, only to be presented with an error message screaming at you that "your password does not meet the required password complexity requirements". Not only that, the error lacks details on WHY your new password failed.
So I posted a poll in Twitter recently:
Which is a stronger password?— Sean Wright (@SeanWrightSec) October 17, 2018
The purpose of this poll was to determine how people perceive what constitutes to a strong password. Many people assume that having more complex characters in the password results in a strong password. The remainder of this post will attempt to illustrate why this is not the case.
The primary reason for enforcing strong passwords is to prevent anyone guessing your password. Typically an attacker would either take a common set of passwords and try use these to login as a user. Or alternatively they will turn to brute forcing the password. They would start with the password 'a' and then move to 'b' and then 'c' and so on and so on.
So the strength of the password can be thought of as how many characters the passwords consists of as well as how many characters (let's calls this the password alphabet) that could possibly used to create a character of the password. Putting this into the simple formula you end up with: (password alphabet) ^ (password length) = total password possibilities
Now back to my poll. Let's assume that the password alphabet was as follows:
- Allowed any alpha character (a-z, and A-Z)
- Allowed for any digit (0-9)
- Allowed for the special characters (!, ", £, $, %, ^, &, *, (, ), #, @)
This means that our password alphabet is (26 * 2) + 10 + 12 = 74. Using the first password [email protected] we have a password strength of 74 ^ 9 = 66,540,410,775,079,424.
And for the password somesandmuddieswater we have a password complexity (total possibilities) of 74 ^ 21 = 1.7941804260607139468015386285554e+39 (which is a REALLY large number). This means that the possibility of guessing the longer password successfully as opposed to the shorter password is significantly less, i.e. the attacker would have a significantly higher chance of brute forcing the first password.
Now here is the other thing when it comes to brute forcing a password. It requires that the attacker is able to submit thousands of consecutive authentication requests. But one common, and best security practice, is to temporarily lock and account after x (typically 3) failed authentication attempts. This time out typically ranges from a few minutes to potentially a few hours (which I would not recommend, since you have a Denial of Service vector in this case). Even for a simplistic password, say 26 ^ 6, it could possibly take the attacker the total of 308,915,776 tries to successfully brute force the password. Even assuming that they managed to get it with half the amount of tries (154,457,888), this would then take 154,457,888 / 3 (3 attempts before the lock out) * 5 (5 minutes lock out), which results in 257,429,813 minutes, which results in about 4,290,496 hours, which is about 178,770 days, which finally ends up around 489 years!
Complexity Kills Security
So I've highlighted how complexity for a password does not equate to a stronger password. The combination of both password length as well as the number of possible characters which that password comprises of, makes for a stronger password. The attacker still has to go through all the possible characters, even if they are not used, to be able to brute force the password successfully. Now I am not saying that you must not have special characters or digits in your password. In fact you should, but they should be random, making it difficult for the attacker to work out what is and is not in the password.
Remove Password Restrictions
This may sound counter intuitive, but bear with me. By having password restrictions an attacker has some idea what the password looks like. For instance they know that is at least x characters long. So the attack and ignore trying to brute forcing password less than that length. They also know what the password alphabet is, so again limiting what they need to test for. Say you had zero restrictions, and allowed for any characters. Now the attacker would have to test for EVERY possible combination and have no idea what the password length is.
Easy To Remember
The other benefit of removing password restrictions, you allow users to create passwords which are easier for the to remember. In my poll, which to you is easier to remember? A phrase, or some letters, digits and characters put together? I know which one would be easier for me to remember. And while I do use a password manager, there are times where I have to manually type in the password. Having some long random string is a nightmare to have to type into say for instance a smart TV. A longer phrase is much simpler, and less prone to having a mistake and having to type the password from scratch again (I know all to well about this).
Like so much security advice, at the time password complexity seemed like a good idea. But as time has gone on, it has proved to not quite be the case. Allowing users better control over their own passwords makes it easier on the users as well as potentially more secure. An area where we can help users is educating them why choosing a suitable length password, as well as a unique password is so important, as opposed to enforcing complex requirements on them. This in my opinion would have a much better outcome to password security. It is also worth investigating integration with services such as Have I Been Pwned, which can warn a user if a password which they are chosing has been previously involved with a breach. This on it's own would far outweigh any password complexity requriement.