5

We have two factor authentication, with passwords and one time code received on SMS.

Now normally I know you could restrict users to create passwords with min 8 character length, lower and caps letters, and one number.

But since we are using mobile codes together with passwords, how far can we relax requirements on password complexity? e.g. can we allow only 6 character length passwords?

schroeder
  • 123,438
  • 55
  • 284
  • 319
george
  • 51
  • 1
  • Note that SMS is no longer considered a secure method for sending codes. – schroeder Nov 15 '19 at 11:18
  • Why do you want to reduce password complexity? – schroeder Nov 15 '19 at 11:19
  • @schroeder do make them easier to remember –  Nov 15 '19 at 11:48
  • @schroeder in case you have links which say why SMS or codes via email isn't secure anymore appreciated –  Nov 15 '19 at 12:02
  • The problems with SMS being insecure have been standard since 2016. https://security.stackexchange.com/questions/158770/should-2fa-over-sms-be-considered-insecure-in-the-wake-of-recent-ss7-attacks/158783 – schroeder Nov 15 '19 at 15:24
  • Making passwords shorter does not make them easier to remember! Making them memorable makes them easier to remember. It is ***far*** easier to remember a *phrase* than a jumble of characters. – schroeder Nov 15 '19 at 15:25

1 Answers1

3

Password complexity is not just for brute-force attempts on the account login, which 2FA would help mitigate. But password complexity also protects against the situation when the password hash database leaks.

2FA only helps if 2FA is turned on and enforced. If you have the option to "authorise" a device, then all the user has for protection is the shorter password.

Conceptually

But what about bruteforce detection measures? And what about resetting passwords when a breach occurs? And what about all the other layers of protection? Can't we reduce each layer if we use many layers of protection?

Technically, yes, but then you put all the effort into maintaining each layer of protection because now the failure of any one layer becomes more likely, which puts more importance on the other layers. In practice, reducing the strength of one layer artificially because you rely on other layers creates a "technical debt" that you have to address from then on.

Password length, specifically

But I have worked with accessibility experts who loved 2FA because it meant that people could have much simpler passwords. And that's not a factor to dismiss. With a password that was simple to type and a phone with a push authentication app (not SMS), people with challenges remembering or entering passwords could enjoy much greater security of their accounts and independence of maintaining their privacy (often, helpers need to log in for people).

So, as with all things about security, there is a trade-off of risks and costs. I would be happy to endorse a reduction in password complexity if it meant that users could better independently maintain their own accounts and there were mitigations in place.

schroeder
  • 123,438
  • 55
  • 284
  • 319
  • OP here lost access to initial account, if it makes difference want to highlight that this system is an internal system, with many users, but an internal one for an organization (government) –  Nov 15 '19 at 11:47
  • If government, you probably have security standards that you have to comply with that cut short the discussions of what might be considered. – schroeder Nov 15 '19 at 15:28