1

Password composition rule is being considered as a burden for the users and some experts are recommending the increase in the password length instead of enforcing users to comply with the composition rules.

But my point is that in the absence of any composition rule, user set easy passwords as evident from the analysis of Rockyou database. Easy passwords means common words from the dictionary, names of person and city. Moreover, the passwords are mainly composed of lower case letters.

Theoretically longer passwords (minimum length 16) does provide more security than the passwords created under composition rules (minimum length 8 with lower case, upper case, digit and symbol). But we can't say the same about the 16 length passwords if they are set by the humans. If tomorrow every one starts using longer passwords and a breach like Rockyou happens, then the attacker can learn the strategies behind the creation of longer passwords. The attacker can then create a new dictionary and wait for some hashed database to leak.

So how good is the suggestion of increasing the password length?

The passphrase created by the humans are longer but might be easier to guess. But the randomly generate pass phrase are secure if the words are chosen randomly from the dictionary of reasonable size. Why don't websites assign random passphrase and free users of any composition rules?

Rodrigo Graça
  • 111
  • 4
Curious
  • 21
  • 5
  • 1
    Look here: https://security.stackexchange.com/questions/6095/xkcd-936-short-complex-password-or-long-dictionary-passphrase/6096#6096 and here: https://security.stackexchange.com/questions/32222/are-password-complexity-rules-counterproductive for the correct answers – Chris Murray Sep 16 '14 at 09:19
  • Ok, so if randomly sampling 3-4 words from the dictionary create secure passphrase then why the composition rules are still here? If it is due to human users who select words non-uniformly then the system can assign the passphrase to the user. – Curious Sep 16 '14 at 09:37
  • Have a look at Diceware: http://world.std.com/~reinhold/diceware.html – Bob Brown Sep 16 '14 at 10:16
  • Actually, I have read those articles, but my question is that if random pass phrase can be considered as secure provided that the words are chosen randomly from reasonable size dictionary(8000), then why isn't every site implementing it? Why do the sites want me to include symbols and digit and upper case as part of my password? May be sites can implement their own version of diceware and assign random pass phrases to the user. – Curious Sep 16 '14 at 10:26
  • @Xander, actually I am questioning about the scheme of random pass phrase that is claimed to be more secure, but not being implemented by the websites. The discussion has moved away from the original question now. Moreover, if humans create passwords either following composition rules or minimum length restriction of 16, those will not result in stronger passwords. – Curious Sep 16 '14 at 11:44
  • Curious - I think you are assuming that humans will do the best thing in any given circumstance. And that using stronger passwords is always the right thing to do. The first one is provably false, and the other has exceptions. If you are asking why websites are not using these, that is off topic - opinion based. – Rory Alsop Sep 16 '14 at 12:20
  • I am not assuming that all humans will choose easy passwords, but even if 10% of the database can be cracked it can be still considered as the failure of the longer password scheme. – Curious Sep 16 '14 at 12:33
  • @Curious Because sites don't choose passwords, users do. When sites generate an initial password, they often *do* generate them with good entropy. Not using Diceware, but a reasonable characterset, length, and randomness. Then the user changes the password to the one that they want. If sites used Diceware, the passwords wouldn't be necessarily stronger, or necessarily more widely accepted in lieu of a personally chosen password. – Xander Sep 16 '14 at 14:06

2 Answers2

0

Every character added to a password increases the number of possible passwords exponentially, a 16 character password has many orders of magnitude more possibilities than an 8 character password. This doesn't eliminate dictionary attacks, however it makes them much more challenging simply because there are so many more possibilities.

GdD
  • 17,291
  • 2
  • 41
  • 63
  • 3
    true, the search space for 16 length passwords is enormous, but the points in the space had non-uniform distribution without the composition rule. Even with the composition rule passwords of the form ULLLLLLD and few others are reported to be more preferred by the users. So there is still non-uniform distribution. Dictionary attacks specifically exploit this non-uniform distribution by trying more favourable passwords first. Same can be predicted for longer passwords too. Am i wrong? – Curious Sep 16 '14 at 09:44
  • People want simplicity, it's hard to remember a short, complex password. It's easier to remember a long passphrase that has less complexity, using that type of system will have less people trying to use 16 single characters as a work-around. It's a training issue more than anything, you need to promote it. – GdD Sep 16 '14 at 09:56
  • true simplicity is one important aspect. But how does it guarantee that the human-generated long passwords will not result in higher bias, making some passwords more favourable than the others. From the perspective of attacker, the bias will result in just new dictionary, may be of passphrase of 3 words created using just 1000 words. – Curious Sep 16 '14 at 10:13
  • @Curious, this is unavoidable. If I ban the top 10 most popular passwords, then the next ten after that become the new most popular passwords. The search-space will always be biased, as humans are not capable of being truly random (whatever "truly random" means to you). It's not worth reducing the search-space for a false sense of security in my eyes. – Chris Murray Sep 16 '14 at 10:21
  • @Chris Murray, true, I agree that longer passwords provide huge search space and therefore a sense of security. I am not against increasing the minimum length, but I do not see how the problem is solved. The historical evidence suggest that the passwords without composition rule can be easily brute force searched with today's available computing power. To make this search difficult, composition rules were enforced. There is insufficient data whether this enforcement has really resulted in creation of secure passwords. And now the suggestion of increase in password length. – Curious Sep 16 '14 at 10:33
  • @Chris Murray, If the bias is unavoidable then it will be always a cat and mouse game. New strategies like increasing the password length to 16 can create new bias, which can then be exploited by the attackers. To circumvent that then another strategy might be suggested but it will too face the same problem of bias. If user is enforced to set 16 len passwords and he sets a simple one like abcdefghijklmnop, again a dictionary check has to be devised to prevent weaker passwords and slowly composition rules will be enforced upon them in the hope that these rules will result in stronger passwords. – Curious Sep 16 '14 at 10:38
  • @Curious, Yes, I think bias is unavoidable. Let's say you you do manage to make it a standard that all passwords are greater than 16 characters and must conform to certain rules. As an attacker, you've reduced the search space so much (I don't have to search for anything less than 16 characters, or not conforming to your rules) that a brute force of the remaining search space becomes feasible again. It **is** a constant cat-and-mouse game and that's why many people consider the password obsolete and not scalable. – Chris Murray Sep 16 '14 at 10:46
  • What is the problem with system assigned pass phrase, like diceware? There security is guaranteed to be as calculated. I mean security gained is exactly the being calculated mathemetically. Rarely does that happen, with humans in picture. Why don't we use system assigned passphrase? – Curious Sep 16 '14 at 10:52
  • @Curious, I personally can't see anything wrong (as such) with using randomly generated passphrases. As for why we don't use them, you'll have to ask the admins/developers at each site why they didn't implement such a system. – Chris Murray Sep 16 '14 at 11:00
  • Perhaps this discussion should be taken into chat... – GdD Sep 16 '14 at 11:41
  • Every **random** character added to a password makes it exponentially harder to crack. If the added character isn't random, this is not necessarily the case. – Gilles 'SO- stop being evil' Sep 17 '14 at 08:59
0

Increasing the password length is all about Math... it will take more processing power (more time) with longer passwords.

The best solution would be to join the best of both worlds, longer password (passphrase?) with the "composition rules".

There are some excellent answers here about this topic: XKCD #936: Short complex password, or long dictionary passphrase?

When you say:

Theoretically longer passwords (minimum length 16) does provide more security than the passwords

As far as I know, is not "Theoretically" is Math... ;)

Community
  • 1
Rodrigo Graça
  • 111
  • 4
  • exactly my thought, just imposing minimum length restriction will not create secure passwords. I think the length restriction also has to be combined with simple composition rules. – Curious Sep 16 '14 at 10:15
  • As a user I would prefer that you asked me to use a passphrase (longer character count) rather than to user "strange" symbols that I would not be able to remember... – Rodrigo Graça Sep 16 '14 at 10:54
  • that is true pass phrase might be easier to remember but the security provided is not as claimed in the case of human created passwords. It doesn't matter whether the passwords are created under composition rule or with minimum 16 length requirement. Increasing the search space merely provides false sense of security. – Curious Sep 16 '14 at 11:01
  • why do you say: "false sense of security" ? if you increase the character count it will exponentially increase the password cracking difficulty... (Math) – Rodrigo Graça Sep 16 '14 at 11:14
  • yes it is there, but human generated passwords are biased and some passwords or some kind of passwords become more probable than the others. If every one starts creating longer passwords, same will be the case and the attacker is just a leaked database away to learn the strategies behind those password creations. Once he has learned the most common one, he is ready with his dictionary waiting for the next opportunity. – Curious Sep 16 '14 at 11:29
  • 1
    Hummm, I was not assuming that people would use the same (or nearly the same) passphrase... (but people are known to do anything....). – Rodrigo Graça Sep 16 '14 at 12:09
  • Also, with longer passwords, keyboard patterns or repetitions or some other simple tricks can become quite popular among people as is the case with today's passwords. – Curious Sep 16 '14 at 12:17
  • Longer **random** passwords are harder to crack. Longer human-chosen passwords are not necessarily harder to crack. – Gilles 'SO- stop being evil' Sep 17 '14 at 08:58