0

Password policies have certain requirements for creating a password on a service.

My question is, do password policies make passwords weaker, therefore counterproductive?

Let's give an example:

I'll be using letters to represent charsets:

L = abcdefghijklmnopqrstuvwxyz

U = ABCDEFGHIJKLMNOPQRSTUVWXYZ

D = 0123456789

S = «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~

A = L and U and D and S combined

Ok, so a password policy says minimum is 8 characters. Now, using this information, a bruteforcer limits attempts to length >= 8, vastly reducing attack space.

Another common policy is passwords must have at least one upper case letter, one number, and one symbol.

Assuming the password is 8 characters, instead of the password being 8 As, we now know the password is 5 As, 1 D, 1 U, and 1 S. Now instead of (A^8), it is (A^5xDxUxS) possible combinations.

If the policy asks for one lower case letter, we reduce the attack space even further.

If the password policies significantly reduce the attack space, what's the purpose of implementing a policy that extends beyond a minimum length requirement? Wouldn't it be safer to implement a simple policy like minimum length of 10 or something?

By adding required charsets like digits and symbols, we give hackers more information about the contents of the passwords.

Kunal Chopra
  • I don't believe this question is a duplicate, because this deals with the mathematical drawbacks of password policies, such as brute force attack space and combinations. My question asks if the password policies make the passwords cryptographically weaker. – Kunal Chopra Sep 26 '16 at 20:24
    It is a dupe. That is covered in the answers to the pre-existing question. In practice, it's irrelevant to determining weakness in any case. – Xander Sep 26 '16 at 20:27

4 Answers

2

I wrote about password policy impacts on password space a few years ago and it includes more of the math that you didn't find in the similar question Xander linked. I can expand on that here if you have additional questions. Essentially my answer there is that eliminating the risk of the weaker passwords is more beneficial than the risks of the attackers only having to crack conforming passwords.

Regarding your comment about a known minimum password length 'vastly reducing attack space', that's not really true. The number of 8 character passwords (not to mention those greater than 8 characters) dwarfs all 1-7 character password possibilities combined. While you do lose those possibilities you also eliminate the riskiest shorter passwords by setting a minimum length. In practice, cracking anything shorter than 8 characters using a brute force attack against fast hashes takes almost no time at all.

Also, as far as the policy requirements leading people to choose predictable character patterns that is true, but not quite as risky as you expected. When observing these patterns in real corporate password choices they do show up, but it isn't a straightforward choice by every single user. Certainly more users do this than most of us would prefer, but it is challenging to eliminate these patterns without causing a lot of usability problems in the process.

PwdRsch
  • "The number of 8 character passwords (not to mention those greater than 8 characters) dwarfs all 1-7 character password possibilities combined. While you do lose those possibilities you also eliminate the riskiest shorter passwords by setting a minimum length." <-- That's a pretty good, concise statement there... +1 – elmer007 Sep 26 '16 at 21:20
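The counting argument in the question (A^8 versus A^5xDxUxS) and PwdRsch's point that 8-character passwords dwarf all shorter ones, carried through in code. This is an added example written for this edit, not code from the question or from any of the answers. It uses the question's four character classes (L, U, D, S, so A = 95 printable ASCII characters); the 10^10 guesses-per-second rate used for the time estimate is an assumed figure for a fast unsalted hash, not a number from the page.

```python
from itertools import combinations
from math import log2

# Character classes exactly as the question defines them.
CLASSES = {"L": 26, "U": 26, "D": 10, "S": 33}   # S = space + 32 ASCII symbols
A = sum(CLASSES.values())                         # 95 printable ASCII characters


def total_space(n):
    """All strings of exactly n characters drawn from A."""
    return A ** n


def shorter_fraction(n):
    """Fraction of the combined 1..n-character space that a 'minimum n'
    policy discards, i.e. how much an attacker saves by skipping lengths < n."""
    shorter = sum(A ** k for k in range(1, n))
    return shorter / (shorter + total_space(n))


def conforming(n, required=("U", "D", "S")):
    """Strings of length n containing at least one character from every
    class in `required`, counted by inclusion-exclusion over the set of
    required classes that are missing entirely."""
    count = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            alphabet = A - sum(CLASSES[c] for c in missing)
            count += (-1) ** k * alphabet ** n
    return count


def question_count(n, required=("U", "D", "S")):
    """The question's estimate A^(n-3) * U * D * S. It undercounts badly
    because it fixes which three positions hold the required characters."""
    count = A ** (n - len(required))
    for c in required:
        count *= CLASSES[c]
    return count


def bits_lost(n, required=("U", "D", "S")):
    """Entropy (bits) an attacker gains from knowing the composition rule."""
    return log2(total_space(n) / conforming(n, required))


def seconds_to_exhaust(count, guesses_per_second=1e10):
    """Time to try every candidate at an assumed guess rate (constructed
    figure, in the range of one GPU against a fast unsalted hash)."""
    return count / guesses_per_second


if __name__ == "__main__":
    for n in (8, 10, 12):
        print(f"length {n}: total space 2^{log2(total_space(n)):.1f}; "
              f"min-length rule discards {shorter_fraction(n):.2%} of lengths 1..{n}; "
              f"U+D+S rule keeps {conforming(n) / total_space(n):.1%} "
              f"({bits_lost(n):.2f} bits lost); "
              f"question's estimate keeps {question_count(n) / total_space(n):.2%}")
        print(f"  exhausting the conforming {n}-char space: "
              f"{seconds_to_exhaust(conforming(n)) / 86400:.1f} days")
```

Two things fall out of running it. A minimum length of 8 discards about 1% of the 1..8-character space (the sum of a geometric series with ratio 95 is dominated by its last term), so it buys the attacker essentially nothing. The "at least one upper, digit and symbol" rule keeps roughly half of all 8-character strings, so the attacker gains under one bit; the question's A^5xDxUxS formula keeps only about 1% because it counts the required characters as if they sat in fixed positions.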
1

The policy is there to encourage the user to choose a complex passcode. Although in theory having the full set available increases the combinations, in reality most people don't think of passwords that way and will choose something as simple as they can.

You are correct in general though that it is the possibility of having the full set of options in a password that adds strength, not necessarily the actuality of using them. But only if the passcodes are actually chosen randomly.

The restrictions reduce the available choice in a minimalist way while encouraging users to actually use complex passcodes. The information given to attackers is also minimal and at least tells them that the possible address space is large which might send them looking for easier targets.

If you want security, ensure that passcodes can be very long and enforce a fairly long minimum, 8 is very poor these days, even 10 is not brilliant. 12-15 for anything requiring reasonable security. >15 for top security.

Remember though that people are the weak link far more than the system (in general).

Julian Knight
0

Poor policies with bad timing and execution put passwords in jeopardy. A good password policy protects users and data. Password policies requiring users (victims) to change their passwords frequently, more than every few years, put users at risk of forgetting their passwords, so users are more apt to record them, making them easier to steal. Also, password policies that limit user key selection to a subset of the keyboard prevent them from using creative pass-phrases and build frustration. A password policy should allow a user to use every possible key on their keyboard and require four distinct types, no repeating sequences, no keyboard walks, etc. A good password policy should increase security while also making it evident to the user why.

Jerry
0

Ok, so a password policy says minimum is 8 characters. Now, using this information, a bruteforcer limits attempts to length >= 8, vastly reducing attack space.

This does not actually reduce the time required for brute force attacks, since the number of passwords with length less than a given limit is small compared to the number of passwords with length greater than or equal to that limit.

Also requiring that certain characters are present is not a problem if the length of the password is big enough.

what's the purpose of implementing a policy that extends beyond a minimum length requirement?

A password policy must ensure that the password space is large, and it should avoid weak passwords, e.g. by rejecting well known passwords such as 12345678.

aventurin
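The policy aventurin describes (a long minimum, plus rejection of well-known passwords such as 12345678) as a concrete check. This is an added example written for this edit, not code from the answer or from any real policy library. The blocklist is a constructed handful of entries standing in for a breach-derived list; the minimum length of 12 and the leet-speak normalization table are assumptions chosen for the illustration, and the character classes are the question's L, U, D and S.

```python
import re
import string

# Constructed sample blocklist. A real deployment would load a large
# breach-derived list (hundreds of thousands of entries) instead.
COMMON_PASSWORDS = {
    "12345678", "123456789", "password", "qwerty", "letmein",
    "iloveyou", "welcome", "monkey", "dragon", "football", "admin",
}

# The question's character classes; S is space plus string.punctuation.
CLASS_RE = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile("[" + re.escape(string.punctuation + " ") + "]"),
}

# Assumed table of the substitutions cracking rule sets undo first.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})


def normalize(pw):
    """Reduce a candidate to the 'root' word a cracker's mangling rules would
    reach: drop trailing digits/symbols, undo leet substitutions, lowercase.
    'P@ssw0rd2016!' and 'Password1!' both reduce to 'password'."""
    root = re.sub(r"[^A-Za-z]+$", "", pw)
    root = root.translate(LEET).lower()
    return root or pw.lower()   # all-digit/symbol inputs keep their own form


def check_password(pw, min_len=12, required_classes=()):
    """Return the list of policy violations; an empty list means accepted.

    Length and the blocklist do the real work. required_classes is left as
    an optional knob because, as the answer says, composition rules are
    harmless once the password is long enough, but they are not what keeps
    '12345678' out."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if pw.lower() in COMMON_PASSWORDS or normalize(pw) in COMMON_PASSWORDS:
        problems.append("matches a well-known password (after normalization)")
    if len(set(pw)) == 1:
        problems.append("single repeated character")
    for cls in required_classes:
        if not CLASS_RE[cls].search(pw):
            problems.append(f"no {cls} character")
    return problems


if __name__ == "__main__":
    for candidate in ("12345678", "Password1!", "P@ssw0rd2016!",
                      "aaaaaaaaaaaa", "correct horse battery staple"):
        verdict = check_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Note that "P@ssw0rd2016!" satisfies every composition rule the question lists and is 13 characters long, yet it is rejected: the normalization step is what catches the predictable patterns PwdRsch describes (capital first, digits and symbol last), which a plain blocklist lookup on the literal string would miss.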