30

Is there any research on how a password complexity policy can increase or decrease the quality of passwords?

If you don't have any requirements on the password then probably 90% of users will use their name or something just as insecure, but they will not be as prone to forget their password.

But on the other hand if you have to have a password with upper and lowercase characters, numbers and special characters like ! % €, that increases the problems (and associated support costs) of users forgetting their password.

So is there any documentation on how to create a password policy that helps the user create passwords they can remember but still have sufficient complexity to them?

nealmcb
  • 20,544
  • 6
  • 69
  • 116
KilledKenny
  • 1,662
  • 4
  • 19
  • 28
  • 1
    This is probably one of the best explanations why password length is more important than complexity. https://imgur.com/gallery/zFyBtyA Enjoy! – Michal Koczwara Mar 26 '15 at 20:16
  • @MichalKoczwara: howsecureismypassword is not a good estimation of password complexity, it doesn't even recognize that P@55word is a dictionary-based password... – Hubert Kario May 30 '16 at 09:56

5 Answers

19

Some links and recent research related to policies and the actual resistance to cracking of the resulting passwords is presented by Matt Weir in Reusable Security: New Paper on Password Security Metrics and CCS Paper Part #2: Password Entropy

One quick takeaway is noted: "forcing users to change their password every six months isn't very useful"

See also other questions here like this one.

nealmcb
  • 20,544
  • 6
  • 69
  • 116
  • 1
    Credit to @Marcin for sharing this link in our DMZ chat room today.... – nealmcb Apr 21 '11 at 20:16
  • 1
    There is one very good reason to force users to change passwords: applications that save passwords. Unless all the laptops that can connect to your network have encrypted drives and the only smart phones that can connect were made by RIM and have enforced encryption you will have devices that saved passwords in clear. Not to mention Internet facing web sites that use AD or LDAP for authentication. – Hubert Kario Aug 14 '11 at 13:27
  • @HubertKario: if an application stores a password and then allows it to be stolen because it is stored non-securely, how is changing the password, even changing it every day, going to stop the application from leaking it again? The problem with your example is not in the password used or in how often it is changed, it's a problem with how the application protects any password it stores. – Mark Ripley May 29 '16 at 13:47
  • @MarkRipley: the problem is that you can't depend on users to remember which passwords were saved by which applications on which phones or computers. And people lose computers and phones all the time. By having passwords that expire you will at least get alerts that an expired password is used. Without it you're blind. – Hubert Kario May 30 '16 at 09:47
9

Passwords are generally considered fundamentally broken, so that any password policy is an attempt to shore things up at best. Having said that, a 'best practice' password policy will typically include at least the following requirements, in addition to minimum password length:

Password Aging:

A maximum age for the password, so that the same password is not used indefinitely

A password history, to stop users changing back to one of N previously used passwords (and thus effectively not changing it at all).

Some policies will also have a minimum age, to stop people changing their password N times (and thus effectively bypassing the password history mechanism, and not changing it at all).

(Notice the last two of these controls are to stop users attempting to get round the first! This is yet another clue that passwords are pretty broken)

Password Complexity:

Typically these will include requirements for 'special' characters, or use of several character classes, with the goal being to increase the effective number of bits in the password and increase the amount of time it takes to brute force a password.

It is also useful to have a policy that disallows not just dictionary words (such as password), but dictionary derived words (e.g. password123, drowssap321 etc). The goal here is to prevent dictionary attacks which can speed up automated password cracking.

Beyond this it is possible to debate all sorts of other requirements and exact values for the various parameters (must users change passwords every 90 days or 30 days or every 5 minutes? etc), as well as the amount of entropy you gain/lose by complexity requirements - but where these things matter greatly then passwords are almost certainly not a good enough control in the first place.

frankodwyer
  • 1,907
  • 12
  • 13
  • 7
    The question is about research, and notes that the issues are surprisingly complicated. Are you aware of any actual research findings that support any of these policies and compares the benefits to the downsides? – nealmcb Apr 21 '11 at 20:21
  • @nealmcb the question is actually a bit conflicted in what it is asking for...is it a recommended policy or an explanation of how the policy improves things or both? I took it to mean both but at a simple level - i.e. not just the policy controls but the rationale why. Having said that I upvoted your answer with the link to the research as well - however while I think papers like that are interesting they really don't change the fundamental conclusion which is that passwords are broken. They just help us understand how badly. – frankodwyer Apr 21 '11 at 20:37
  • 2
    Yeah - and this isn't a science yet..... But +1 for "passwords are broken" :) – nealmcb Apr 22 '11 at 02:11
  • A minimum age rule for passwords means that if your password is compromised, you are out of luck; the hacker has free access to your account until you are allowed to change it again. Nice security there. And if you don't have a minimum age policy, smart users will do the "change it 11 times when I am forced to change it" to overflow the 10 password history. If you want to do this right, you have to have a very large password history and/or only apply a minimum change time policy to an account once the password has been changed at least 5 times in a given day. – Mark Ripley May 29 '16 at 13:55
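The controls listed in the answer above (minimum length, character classes, rejection of dictionary-derived words such as password123 and drowssap321, a reuse history of N entries, and minimum/maximum age) expressed as a small policy checker. This is an added example, not code from the answer or from any real product; the rule values, the toy dictionary, the leet-substitution table and the sha256 history digests are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass
from hashlib import sha256

# Constructed toy wordlist; a real check loads a full dictionary.
DICTIONARY = {"password", "welcome", "summer", "dragon"}
LEET = str.maketrans("@$0134!57", "asoieaist")  # leet substitutions to undo

@dataclass(frozen=True)
class Policy:
    min_length: int = 12
    min_classes: int = 3      # out of: lower, upper, digit, other
    history_size: int = 10    # earlier passwords that may not be reused
    min_age_days: float = 1   # blocks N rapid changes that would flush the history
    max_age_days: float = 90

def normalise(pw: str) -> str:
    """Lowercase, strip leading/trailing digits and symbols, undo leetspeak."""
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", pw.lower())
    return core.translate(LEET)

def is_dictionary_derived(pw: str, words=DICTIONARY) -> bool:
    """Catches the word itself and derivations such as password123, drowssap321, P@55word."""
    core = normalise(pw)
    return core in words or core[::-1] in words

def char_classes(pw: str) -> int:
    return sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]"))

def digest(pw: str) -> str:
    # What the history list stores; sha256 only for brevity, real systems keep proper password hashes.
    return sha256(pw.encode()).hexdigest()

def check_password(candidate: str, history: list[str], policy: Policy = Policy()) -> list[str]:
    """Return the violated rules; an empty list means the candidate is acceptable."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append("too short")
    if char_classes(candidate) < policy.min_classes:
        problems.append("too few character classes")
    if is_dictionary_derived(candidate):
        problems.append("dictionary-derived")
    if digest(candidate) in history[-policy.history_size:]:
        problems.append("reused from history")
    return problems

def rotation_state(age_days: float, policy: Policy = Policy()) -> str:
    # 'too-recent' enforces the minimum age, 'expired' the maximum age
    if age_days < policy.min_age_days:
        return "too-recent"
    return "expired" if age_days > policy.max_age_days else "current"
```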
4

It is my understanding that developing a balance between security and usability is an on-going battle. Ideally, users should use the most secure password possible but many of them (possibly all) cannot remember these complex strings.

It's my personal experience that the most secure passwords are phrases or the first letter of phrases that I know. By doing this it creates a seemingly arbitrary string of letters (using the phrase: You can't guess this password easily --- ycgtpve). Then require a number and it will create a difficult password that a hint will not divulge easily.

As far as documentation goes I managed to find a couple of resources on creating powerful passwords:

-http://technet.microsoft.com/en-us/library/cc736605(WS.10).aspx

This article outlines how to instruct users on good password practices.

-http://www.techrepublic.com/article/lock-it-down-creating-passwords-that-are-secure-and-easy-to-remember/1047939

This article gives good algorithms to creating difficult passwords which are easily remembered.

Hope this helps.

PalmerBomber
  • 347
  • 4
  • 7
  • Thanks for your comments, I am familiar with the first letter method. But I was more interested in a system policy instead of a personal one. – KilledKenny Apr 21 '11 at 17:02
  • If it's not usable, it's not secure. (I don't think it's fruitful to view it as a battle between usability and security. I think security folks need a bit of a mindset change; they need to say that usability is a fundamental requirement, without which you've got nothing. The question is how to find usable security mechanisms.) – D.W. Apr 21 '11 at 23:42
  • @D.W.: If a password can be cracked by a 15 minute rainbow table search (every alpha-only password less than 9 characters) or a one week brute force attack, it is not secure. – Hubert Kario Aug 14 '11 at 12:45
4

Here's a little drawing: [image not captured]

And the study that supports it.

Typo
  • 173
  • 6
3

Since password restrictions are usually defined by people with a strong technical background but zero insight into psychology, the status quo ultimately decreases security.

What security guys fail to understand is that the users do not have to memorize ONE password. One might think "a person should be able to memorize one password, even with my crazy special character, numbers and upper-lowercase restrictions, right?"

Well, yes.

But the user has to memorize not one password, but five different ones at work plus more at home. Now we have a situation where the user has five passwords on different change timers where the first needs at least three special characters, the second may not start with a number, the third disallows "$" and "/" for whatever reason, the fourth must be exactly 8 characters long and the fifth needs to be at least 10 characters long and needs to have 3 numbers.

Now guess what the users will do! Will they...

a) devote infinite resources to finding the perfect password system that appeases all change timers and password restrictions at once, uses completely independent passwords for the different systems and yet still can be memorized

b) throw their hands in the air and give up. Write the passwords on a piece of paper (unencrypted of course) and stick it into a desk drawer.

c) use every trick in the book to somehow appease all restrictions and still be able to remember all passwords. This includes using the same password for all systems whenever possible (including low-security systems), using running numbers to appease the change timers, using a very small set of default passwords so they can guess their own password in a couple of tries (amongst other stuff).

Somehow most security guys seem to believe that a) is the correct answer. For the life of me I can not figure out why, though.

  • 1
    What about "(d) Remember ONE strong password and store all other passwords in a secure password manager. These can be as complicated as needed because the user never even sees them."? – Ben Jan 20 '16 at 15:52
  • @Ben See the first sentence. – Cypher Jan 26 '16 at 17:42
  • @Cypher I've seen enough marketing for password managers that focus on "Do you HATE memorizing passwords? Check this out!" to tell me that an average person can be more than happy installing and using one, they just need to be given a good hook or have a pushy friend/significant other to get them to try it out. – Ben Jan 26 '16 at 17:52