
I can't understand why we commonly force users to come up with difficult to remember passwords.

* Your password must contain at least one number, one uppercase character, and one special character.

Is this to protect the user from themselves (someone logging in by guessing their password), or is it meant to protect our application or other users?

As a user, I find password format restrictions very annoying. As a programmer, I don't understand what the point is. If we force someone to create a password that's hard to remember (if it's not one of their "usual" passwords), there's a good chance that they will write it down or store it in a file somewhere in plain text, which seems like it defeats the point (at least to some extent).

Doesn't a strict password format make it easier for an attacker to "guess" a password by reducing the number of possibilities?

What's the motivation behind forcing a user to come up with an obscure password?

Wesley Murch

  • have you had a look at http://security.stackexchange.com/q/6095/485? Lots of good discussion on password strength there. – Rory Alsop Jan 26 '12 at 16:31
  • I did find this which is quite similar but not exactly: http://security.stackexchange.com/questions/6474/who-is-responsible-for-the-strength-of-users-passwords I'll take a look at that link, thanks. – Wesley Murch Jan 26 '12 at 16:33
  • @Rory: The post is interesting, but it speaks to password strength itself. I'm basically asking why we care about strong passwords in the first place. I've been reading posts here all morning and still can't fully understand it, I guess I need it in layman's terms or I need to have another coffee and read more carefully. In case it's not apparent, this is not a strong area for me. – Wesley Murch Jan 26 '12 at 16:41
  • I think equally annoying is when certain sites force you to choose a poor password. A (large) bank I know of FORCES you to choose a numerical "password" between 6 and 8 numbers long. There are additional safeguards in place to prevent brute-forcing from the client-side (but come on, 6 and 8 numbers are just screaming for dates), but I better hope they have amazing security on the inside! – logicalscope Jan 26 '12 at 16:43
  • @logicalscope: Totally agree, my credit card company does something similar. My "usual" password is already fairly complex, and they wouldn't accept it because it had an asterisk. I did write them an email and the reply I got pretty much made it clear that the discussion was going nowhere. But *numerical* passwords? That's a new one to me. – Wesley Murch Jan 26 '12 at 16:45

3 Answers

When a site implements something, it is always to serve their interests; however, this sometimes coincides with serving the user's interests as well, e.g. as in "protecting the users against themselves", which is the case here.

The point of the restrictions is to (try to) make the password harder to guess by an attacker. Truly, preventing some users from using some specific password values mathematically reduces the number of possible passwords; but, practically, this is more about forbidding the easy passwords that users would almost always choose if they had the choice. The total number of possible passwords is ludicrously large. If we consider that a password may include letters (lowercase and uppercase), digits, and, say, some punctuation signs which are accessible from a common keyboard; and if we allow passwords to go up to 30 characters in length, then the number of possible passwords is equal to 157935773974908502215194845377591539584935386309545795005451 (including the "empty password" of length 0; otherwise, subtract 1 from that count). Possible passwords are not a scarce resource, and there is little problem in removing a few billions from that count.

The scarce resource is user imagination and patience. Given the possibility, most users will use short passwords with only lowercase letters, because that is what is easiest to remember and type. And they will pick "meaningful" words, e.g. "castle" and not "bsigrz". The attacker knows that: easy passwords are the first that he will try, and there are not many of them, so the attacker will succeed.

The "password rules" are an attempt to force users away from the easy passwords. If you force them to include a digit and an uppercase letter, they will do so, but with a digit that the attacker cannot predict, and with the uppercaseness applied to a random letter. (At least theoretically; in practice, users will put the uppercase on the first letter, and the digit will be added at the end, and will be a '1'). The fervent hope is that this will increase the number of possible passwords that users will effectively choose, and thus make things harder for the attacker.

Password rules may backfire, sometimes spectacularly; users will forget their password and nag the helpdesk; users will write the password on a sticky note cunningly concealed under the keyboard. (As far as backfiring goes, writing a complex password on a piece of paper stored in the user's wallet is not that bad: at least, users care about the whereabouts of their wallet.) One very common instance of backfiring is, exactly, having a "usual" password which the user uses with many sites. This means that a security breach on one site immediately extends to all other sites on which the user also has an account. That's Bad.

Tom Leek

  • If *every* site did this though, isn't it likely that a user's "usual" password would end up being the same on every site anyways? I know that's what I do... I use the same fairly-complicated password (with a couple variations for those sites that *do* have their own "preferred format") for almost everything. – Wesley Murch Jan 26 '12 at 16:55
  • @Madmartigan - As seen in the Gawker exploit, where one database was compromised - the attackers then targeted other sites and tried the same usernames and passwords. You should never re-use passwords on different sites - which is where KeePass and the like are useful. – Rory Alsop Jan 26 '12 at 17:52
  • @Rory: But we can't force users to do that. As you see, I'm an example of how "complicated" passwords don't provide any additional security in that respect. My password can be as strong as possible, but if I'm using the same one for every site, once someone gets hold of it my other accounts are compromised. This is the essence of my question. Would the answer then be: "Helps against dictionary attacks, nothing more."? – Wesley Murch Jan 26 '12 at 17:57
  • But the websites are protecting themselves and you as best they can. They can never protect against users wanting to weaken their own security. That is up to the individual. – Rory Alsop Jan 26 '12 at 18:06
  • @RoryAlsop: So once again, the only reason for this is to help against easily guessable passwords (by humans) and dictionary attacks, or is there something else to it? – Wesley Murch Jan 26 '12 at 18:09
  • No - it makes brute force attacks that much harder as well. This is a simple control, so everyone should get this right easily - otherwise attackers will easily get in. – Rory Alsop Jan 26 '12 at 18:12
  • @RoryAlsop: I thought that Tom just covered how knowing the password format would make brute force attacks mathematically easier? I'd love it if you'd add an answer and we can continue the discussion there, up to you. – Wesley Murch Jan 26 '12 at 18:14
  • let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/2302/discussion-between-rory-alsop-and-madmartigan) – Rory Alsop Jan 26 '12 at 18:15
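
The attacker's side of the argument above, as an added example that is not part of Tom Leek's answer: a short Python script that reproduces the nominal keyspace count, then builds the list of "rule-compliant but predictable" candidates an attacker would actually try (capital first letter, a digit on the end, one special after it). The word list, the `SPECIALS` string, the tiny hashcat-style rule dialect and the `meets_policy` check are all constructed here for illustration; a real attack uses a word list of millions of entries and a far richer rule set.

```python
# Added example: the attacker's view of composition rules (not code from the
# original answer). Word list, rule dialect and policy are constructed here.
import math
import string

# Constructed toy word list; a real attacker feeds in millions of words.
WORDS = ["castle", "monkey", "dragon", "summer", "welcome", "letmein"]
SPECIALS = "!@#$"          # assumed: the specials users actually reach for
ALPHABET = 94              # printable ASCII without the space


def nominal_space(alphabet_size, max_len):
    """Number of strings of length 0..max_len over the alphabet.
    With (94, 30) this reproduces the 60-digit figure in the answer."""
    return sum(alphabet_size ** k for k in range(max_len + 1))


def meets_policy(pw):
    """The rule quoted in the question: a digit, an uppercase letter and a
    special character must all be present."""
    return (any(c.isdigit() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c in string.punctuation for c in pw))


def mangle(word, rule):
    """Apply a toy hashcat-style rule: 'c' capitalises the first letter,
    '$X' appends the character X. Unknown tokens are skipped."""
    out = word
    i = 0
    while i < len(rule):
        if rule[i] == "c":
            out = out[:1].upper() + out[1:]
            i += 1
        elif rule[i] == "$" and i + 1 < len(rule):
            out += rule[i + 1]
            i += 2
        else:
            i += 1
    return out


def predictable_rules():
    """'Capital first letter, digit on the end, maybe one special after it':
    the pattern the answer says users converge on."""
    rules = ["c"]
    rules += ["c$" + d for d in string.digits]
    rules += ["c$" + d + "$" + s for d in string.digits for s in SPECIALS]
    return rules


def compliant_candidates(words=WORDS):
    """Mangled candidates that pass the policy: the list an attacker tries
    first against rule-compliant accounts."""
    out = []
    for w in words:
        for r in predictable_rules():
            cand = mangle(w, r)
            if meets_policy(cand):
                out.append(cand)
    return out


def summary(words=WORDS, length=8):
    """Compare the nominal 8-character keyspace with the predictable one."""
    cands = compliant_candidates(words)
    return {
        "nominal_bits": math.log2(ALPHABET ** length),
        "compliant_candidates": len(cands),
        "predictable_bits": math.log2(len(cands)),
    }


if __name__ == "__main__":
    print(nominal_space(ALPHABET, 30))
    s = summary()
    print(f"{ALPHABET}^8 keyspace: {s['nominal_bits']:.1f} bits")
    print(f"rule-compliant candidates from {len(WORDS)} words: "
          f"{s['compliant_candidates']} ({s['predictable_bits']:.1f} bits)")
    print("Castle1! in candidate list:", "Castle1!" in compliant_candidates())
```

With six words the compliant candidate list has 240 entries (under 8 bits), against roughly 52 bits for a uniformly random 8-character password over the same 94 characters; scaling the word list to a few hundred thousand entries still leaves the predictable space around 30 bits. That gap, not the few candidates the rules remove, is what the answer is describing.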

Most places do this because users are incredibly bad at picking passwords. Left to pick whatever they want, many people will use their birthday, "password", or something else that's easy to guess or crack with a dictionary.

In the case of web services, most attacks are happening remotely, where an attacker wouldn't have access to the sticky note on the bottom of their keyboard. So it's still more secure that way.

Many cases though are just because management said it would be a good idea.

Grant

  • So now they choose "Password1", _or something else that's easy to guess or crack with a dictionary that's modified with a rule_. – curiousguy Nov 07 '18 at 23:44

A good password requires entropy. These special-character requirements happen because the site programmers were too lazy to do an entropy calculation and force a minimum amount of entropy.

Instead, they pushed the work onto users, by forcing them to use one particular method of adding entropy (greater variety of characters). However, humans are actually much better at using another way of adding entropy (greater number of characters) by putting together words in a memorable way. So a true entropy calculation is the preferred method, accommodating both number and variety of characters used.

Image cc-by-nc by Randall Munroe, http://xkcd.com/936/

A very readable essay on entropy by Aaron Toponce: https://pthree.org/2011/03/07/strong-passwords-need-entropy/

Entropy calculators: https://www.google.com/#q=javascript+entropy+calculator
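
An entropy floor of the kind this answer argues for, as an added example that is neither this answer's nor Aaron Toponce's code: the password is scored under the weakest model that fits it (uniformly random characters, or dictionary words with leet substitutions and appended digits/specials, or a known common password) and rejected if the estimate falls below a threshold. The word list, the common-password set, the leet table, `DICT_SIZE`, `MIN_BITS` and the per-feature bit costs are all assumptions chosen for illustration; the two xkcd passwords are used as inputs because the answer refers to that comic.

```python
# Added example: an entropy floor instead of composition rules. Not the
# answer's or Aaron Toponce's code; the lists, leet table, dictionary size and
# per-feature bit costs below are assumptions chosen for illustration.
import math
import re
import string

# Constructed stand-ins; a deployment loads real lists (a breached-password
# list and a full word list) from disk.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou"}
DICTIONARY = {"correct", "horse", "battery", "staple", "troubador", "castle",
              "summer", "dragon", "monkey", "welcome"}
DICT_SIZE = 2048        # assumed size of the attacker's word list (11 bits/word)
MIN_BITS = 40           # assumed policy threshold
# assumed substitutions an attacker undoes for free: 0->o 1->l 3->e 4->a @->a $->s !->i
LEET = str.maketrans("0134@$!", "oleaasi")
PUNCT = len(string.punctuation)


def charset_bits(pw):
    """Model 1: characters drawn uniformly from the classes actually present."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += PUNCT
    if " " in pw:
        pool += 1
    return len(pw) * math.log2(pool) if pool else 0.0


def _split_extras(pw):
    """Separate leading/trailing non-letters (appended digits, specials)
    from the core the user presumably built from words."""
    m = re.fullmatch(r"([^A-Za-z]*)(.*?)([^A-Za-z]*)", pw, re.S)
    return m.group(1) + m.group(3), m.group(2)


def word_model_bits(pw):
    """Model 2: dictionary words, possibly leet-mangled and capitalised, with
    digits/specials tacked on. Returns None if the core is not made of words."""
    extras, core = _split_extras(pw)
    plain = core.lower().translate(LEET)
    words = [w for w in re.split(r"[^a-z]+", plain) if w]
    if not words or not all(w in DICTIONARY or w in COMMON_PASSWORDS for w in words):
        return None
    # a word off the common list costs the attacker nothing; a dictionary
    # word costs log2(DICT_SIZE)
    bits = sum(0.0 if w in COMMON_PASSWORDS else math.log2(DICT_SIZE) for w in words)
    # assumed costs: 1 bit per leet substitution inside the core, 1 bit for any
    # capitalisation, log2(10) per appended digit, log2(#punct) per special
    bits += sum(1 for c in core if not c.isalpha() and not c.isspace())
    bits += 1 if any(c.isupper() for c in core) else 0
    for c in extras:
        bits += math.log2(10) if c.isdigit() else math.log2(PUNCT)
    return bits


def estimate_bits(pw):
    """Pessimistic estimate: the weakest model that fits the password."""
    if pw.lower() in COMMON_PASSWORDS:
        return 0.0
    estimates = [charset_bits(pw)]
    wb = word_model_bits(pw)
    if wb is not None:
        estimates.append(wb)
    return min(estimates)


def acceptable(pw, min_bits=MIN_BITS):
    """The check a registration form would run instead of 'one digit, one
    uppercase, one special'."""
    return estimate_bits(pw) >= min_bits


if __name__ == "__main__":
    for pw in ["Tr0ub4dor&3", "correct horse battery staple",
               "Password1!", "xK9#mQ2!vL"]:
        print(f"{pw!r:32} {estimate_bits(pw):5.1f} bits  accept={acceptable(pw)}")
```

Under these assumptions "correct horse battery staple" scores 44 bits and passes, while "Tr0ub4dor&3" and "Password1!" pass every composition rule in the question yet score about 22 and 9 bits and are rejected; a genuinely random "xK9#mQ2!vL" passes on the character-set model alone. The word model is deliberately simple (a digit inside the core is treated as a leet substitution, so "horse1battery" falls through to the character-set model and is overestimated); a production check would use a full word list and richer pattern detection, which is what libraries such as zxcvbn provide.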