1

Assuming the use of bcrypt/scrypt:

Would it be a good idea to "require" a password of at least 12 characters, also mentioning the possibility of using long passphrases, instead of your typical 8-character-minimum uppercase/lowercase/special char pass requirement?

It seems like there is a tradeoff between ease of memory and how difficult something is to brute force, and not everyone uses (or wants to use) password managers.

What's the best solution in practice? I don't know what password requirements to set for my users. Having requirements that are too complex gives users an incentive to make easy-to-remember passwords, whereas requirements that are too lenient give users an incentive to be lazy and make passwords that are weak to brute force.

user49637
  • 723
  • 6
  • 9

2 Answers

2

Stanford University a month or so ago came out with a sort of sliding scale. It allowed complexity to decrease as length increases. This is basically just a probability function. An 8-character password needs high complexity, while a 20 character password needs little.

Mathematically, (character set)^(length): 95^8 < 52^12 < 20^26

This works great until you consider things like antidisestablishmentarianism which passes that above strength challenge swimmingly, but is in most good pentesters' password dictionaries. If you want protection from brute-forcing, come up with a target number (7 x 10^16) and an algorithm for calculating the number of possibilities and use that. Dictionary and rule-based attacks will still grab the low-hanging fruit.

Red_Shadow
  • 177
  • 5
  • 1
    Thanks for the Stanford tip. The reference is http://itservices.stanford.edu/service/accounts/passwords Would be great if they would also have published a strength relationship between passwords and passphrases. Though again great is the fact that they explain pass phrase usage. – Dick99999 Jun 20 '14 at 07:23
  • Usable math for passphrases: (words in dictionary)^(phrase length in words), i.e. 7776^5 ~ 62^12, or 5 words from a 7776-word dictionary is about as strong as Stanford's suggestion to choose from lower, upper, digits for a password of length 12. – Dick99999 Jun 20 '14 at 07:39
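The sliding-scale idea in the answer and the passphrase arithmetic in the comment can both be turned into a concrete policy check. The following is an added example, not code from the answer, the commenter or Stanford: it computes the (character set)^(length) search space, derives the minimum length per character set that reaches the answer's 7 x 10^16 target, applies the comment's 7776-word dictionary math to passphrases, and rejects wordlist entries (the tiny WORDLIST, the class sizes and the function names are constructed for the example) so that antidisestablishmentarianism does not pass on length alone.

```python
import math

# Character-class sizes used for the (character set)^(length) estimate:
# 26+26+10+33 = 95 printable ASCII; letters+digits = 62; letters only = 52.
# The symbol count of 33 is an assumption for this example.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

# Target number of candidates taken from the answer above.
TARGET = 7 * 10**16

# Constructed, deliberately tiny stand-in for a cracking wordlist.
WORDLIST = {"antidisestablishmentarianism", "password", "horse123"}


def search_space(charset_size: int, length: int) -> int:
    """Number of candidate strings: (character set) ^ (length)."""
    return charset_size ** length


def entropy_bits(space: int) -> float:
    """Same quantity on a log2 scale, which is easier to compare by eye."""
    return math.log2(space)


def classes_used(password: str) -> set:
    """Which character classes a password actually draws from."""
    found = set()
    for ch in password:
        if ch.islower():
            found.add("lower")
        elif ch.isupper():
            found.add("upper")
        elif ch.isdigit():
            found.add("digit")
        else:
            found.add("symbol")
    return found


def password_space(password: str) -> int:
    """Upper bound on the search space for a random password using these classes.
    This is the optimistic number: a dictionary word gets the same score as a
    random string of the same classes and length, which is the answer's caveat."""
    size = sum(CLASS_SIZES[c] for c in classes_used(password))
    return search_space(size, len(password))


def passphrase_space(words: int, dictionary_size: int = 7776) -> int:
    """Passphrase math from the comment: (words in dictionary)^(phrase length)."""
    return search_space(dictionary_size, words)


def min_length_for_target(charset_size: int, target: int = TARGET) -> int:
    """Sliding scale: shortest length at which this character set reaches the
    target. Integer loop rather than a logarithm so there is no float rounding
    at the boundary."""
    length, space = 1, charset_size
    while space < target:
        length += 1
        space *= charset_size
    return length


def check_policy(password: str, target: int = TARGET) -> tuple:
    """Accept only if the password is not a wordlist entry (case-folded) and its
    class/length combination reaches the target. Returns (accepted, reason)."""
    if password.lower() in WORDLIST:
        return False, "appears in wordlist"
    space = password_space(password)
    if space < target:
        return False, f"search space {space:.2e} is below target {target:.1e}"
    return True, f"search space {space:.2e} meets target"


if __name__ == "__main__":
    for size in (26, 52, 62, 95):
        print(f"charset {size:>2}: need {min_length_for_target(size)} characters")
    print(f"7776-word dictionary: need {min_length_for_target(7776)} words")
    for pw in ("Horse123", "Hor$e123", "antidisestablishmentarianism"):
        print(pw, check_policy(pw))
```

Against the 7 x 10^16 target this gives 9 characters for the full 95-character set, 10 for letters only, 12 for lowercase only and 5 words from a 7776-word list; Hor$e123 is rejected because 95^8 is still below the target, and antidisestablishmentarianism is rejected by the wordlist check rather than by the arithmetic.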
0

I'd let them stick with what they are used to, but make them aware of the risks, that seems to be common.

An 8-character minimum, sure, but if you make them use mixed case, horse123 becomes Horse123, and if you make them use special characters, Horse123 becomes Hor$e123. People who don't care are going to have weak passwords regardless. Just tell them they have weak passwords and educate them about the risks, suggest using a password manager for ease of use, and if that doesn't bother them then what more can you do?

Passwords must be viewed by the customer as an opportunity to secure themselves from a largely insecure internet. You can't do it for them.

Andrew Hoffman
  • 1,987
  • 14
  • 17