On more than one occasion I've been asked to implement rules for password selection for software I'm developing. Typical suggestions include things like:

  • Passwords must be at least N characters long;
  • Passwords must include lowercase, uppercase and numbers;
  • No reuse of the last M passwords (or passwords used within P days).

And so on.

Something has always bugged me about putting any restrictions on passwords though - by restricting the available passwords, you reduce the size of the space of all allowable passwords. Doesn't this make passwords easier to guess?

Equally, by making users create complex, frequently-changing passwords, the temptation to write them down increases, also reducing security.

Is there any quantitative evidence that password restriction rules make systems more secure?

If there is, what are the 'most secure' password restriction strategies to use?


Edit: Ólafur Waage has kindly pointed out a Coding Horror article on dictionary attacks which has a lot of useful analysis in it, but it strikes me that dictionary attacks can be massively reduced (as Jeff suggests) by simply adding a delay following a failed authentication attempt.

With this in mind, what evidence is there that forced-complex passwords are more secure?

+2  A: 

A nice read up on this is Jeff's article on Dictionary Attacks.

Ólafur Waage
+2  A: 

Those kinds of rules definitely help because they stop stupid users from using passwords like "mypassword", which unfortunately happens quite often.

So actually, you are forcing the users into an extremely large set of potential passwords. It doesn't matter that you are excluding the set of all passwords with only lowercase letters, because the remaining set is still orders of magnitude larger.

BUT my big pet peeves are password restrictions I've encountered on major sites, like

  • No special characters
  • Maximum length

Why would anyone do this? W.H.Y.????

Epaga
I *hate* maximum password length. Grrrr!
Dana
+4  A: 

Something has always bugged me about putting any restrictions on passwords though - by restricting the available passwords, you reduce the size of the space of all allowable passwords. Doesn't this make passwords easier to guess?

In theory, yes. In practice, the "weak" passwords you disallow represent a tiny subset of all possible passwords that is disproportionately often chosen when there are no restrictions, and which attackers know to attack first.

Equally, by making users create complex, frequently-changing passwords, the temptation to write them down increases, also reducing security.

Correct. Forcing users to change passwords every month is a very, very bad idea, except perhaps in extreme high-security environments where everyone really understands the need for security.

Michael Borgwardt
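The two answers above make the same counting argument: excluding lowercase-only passwords removes a subset of the password space that is tiny relative to what remains. The following added example (not part of the original thread, and not written by any of its participants) counts, by inclusion-exclusion, how many passwords of a given length satisfy a "must contain at least one of each of these classes" rule, so you can see exactly how much of the space a composition rule keeps and how small the excluded "easy" region is. The class sizes (26 lower, 26 upper, 10 digits, 32 symbols) are an assumed US-keyboard printable alphabet.

```python
from itertools import combinations
from math import log2

# Assumed character classes (sizes for the 94 printable US-keyboard characters)
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}


def count_passwords(length, required, classes=CLASSES):
    """Number of strings of `length` over the union of all classes that contain
    at least one character from every class named in `required`.

    Inclusion-exclusion: sum over every subset S of required classes of
    (-1)^|S| * (alphabet without S)^length.
    """
    total_alphabet = sum(classes.values())
    required = list(required)
    count = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            alphabet = total_alphabet - sum(classes[c] for c in missing)
            count += (-1) ** k * alphabet ** length
    return count


def total_space(length, classes=CLASSES):
    """Size of the unrestricted space: every printable character allowed."""
    return sum(classes.values()) ** length


def fraction_remaining(length, required, classes=CLASSES):
    """Share of the unrestricted space that still satisfies the rule."""
    return count_passwords(length, required, classes) / total_space(length, classes)


def entropy_bits(n):
    """Bits of entropy of a uniform choice from n candidates."""
    return log2(n)


if __name__ == "__main__":
    n = 8
    rule = ["lower", "upper", "digit"]
    # The region a composition rule throws away: all-lowercase strings.
    lowercase_only = CLASSES["lower"] ** n
    print(f"lowercase-only {n}-char passwords: {lowercase_only:.3e} "
          f"({lowercase_only / total_space(n):.2e} of the space, "
          f"{entropy_bits(lowercase_only):.1f} bits)")
    kept = count_passwords(n, rule)
    print(f"passwords with lower+upper+digit: {kept:.3e} "
          f"({fraction_remaining(n, rule):.2f} of the space, "
          f"{entropy_bits(kept):.1f} bits)")
```

For 8-character passwords the rule keeps roughly half of the 94^8 space (about 51 bits), while the lowercase-only region it is meant to push users away from is under 0.01% of that space (about 38 bits). The rule's value is not the count it removes but that it removes the region attackers try first.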
A: 

Whilst this does not directly answer your question, I personally find the most aggravating rule I have encountered one whereby you could not reuse any password previously used. After working at the same place for a number of years, and having to change your password every 2/3 months, the ability to use a password I chose over a year ago would not seem to be particularly unsafe or insecure. If I have used "safe" passwords in the past (Alphanumeric with changes in case), surely reusing them after a period of say a year or 2 (depending on how regularly you have to change your password) would seem to be acceptable to me. It also means I am less likely to use "easier" passwords, which might happen if I can't think of anything easy to remember and difficult to guess!

chillysapien
+1  A: 

One also might point out the recent fiasco over at twitter where one of their admins' passwords turned out to be "happiness", which fell to a dictionary attack.

Dana
+1  A: 

For questions like this, I ask myself what Bruce Schneier would do - the linked article is about how to choose passwords which are hard to guess with typical attacks.

Also note that if you add a delay after a failed attempt, you might also want to add a delay after a successful attempt, otherwise the delay is simply a signal that the attack has failed and another attempt should be launched.

Paul Dixon
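The point above about delaying both outcomes is easy to get wrong in code. The following added example (not part of the original thread, not the code of any participant) shows a login check that spends the same time on every path: unknown users are checked against a dummy hash so that "no such user" is not faster than "wrong password", the comparison is constant-time, and the throttling delay is applied once regardless of result. The user store, the PBKDF2 parameters and the `sleep` injection hook are assumptions made for the example; a leaky variant that only delays failures is included beside it for contrast.

```python
import hashlib
import hmac
import os
import time

# Assumed KDF parameters for the example; a real deployment tunes these.
KDF_ITERATIONS = 50_000


def hash_password(password, salt=None):
    """Return (salt, PBKDF2-HMAC-SHA256 digest) for the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)
    return salt, digest


# Constructed user store: username -> (salt, digest).
USERS = {"alice": hash_password("correct horse battery staple")}

# Dummy credential used for unknown users so that the KDF always runs.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("placeholder-not-a-real-password")


def authenticate(username, password, delay=1.0, sleep=time.sleep):
    """Uniform-cost check: same KDF work, constant-time compare and the same
    delay whether the user is unknown, the password is wrong, or login succeeds.
    `sleep` is injectable so the behaviour can be tested without waiting."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_DIGEST))
    _, actual = hash_password(password, salt)
    digest_ok = hmac.compare_digest(actual, expected)
    # The dummy digest never matches a real login, but keep the explicit check
    # so a constructed collision with the placeholder can't grant access.
    ok = digest_ok and username in USERS
    sleep(delay)  # applied on every path, so timing carries no signal
    return ok


def authenticate_leaky(username, password, delay=1.0, sleep=time.sleep):
    """The pattern the answer warns against: delay only on failure, so a
    fast response tells the caller the attempt succeeded."""
    if username not in USERS:
        sleep(delay)
        return False
    salt, expected = USERS[username]
    _, actual = hash_password(password, salt)
    if not hmac.compare_digest(actual, expected):
        sleep(delay)
        return False
    return True


if __name__ == "__main__":
    start = time.monotonic()
    print("alice/correct:", authenticate("alice", "correct horse battery staple", delay=0.2))
    print("alice/wrong:  ", authenticate("alice", "wrong", delay=0.2))
    print("nobody/x:     ", authenticate("nobody", "x", delay=0.2))
    print(f"three uniform checks took {time.monotonic() - start:.2f}s")
```

The delay here only removes the timing signal; it does not by itself stop a distributed guessing campaign, which is why it is usually paired with per-account or per-source attempt counting.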
+1  A: 
  1. Never prevent the user from doing what they really want, unless there is a technical limitation from doing so.
  2. You may nag the hell out of the user for doing stupid things like using a dictionary word or a 3-character password, or only using numbers, but see #1 above.
  3. There is no good technical reason to require only alphanumerics, or at least one capital letter, or at least one number; see #1 above.

I forget which website had this advice regarding passwords: "Pick a password that is very easy for you to remember, but very hard for someone else to guess." But then they proceeded to require at least one capital letter and one number.

The problem with passwords is that they are so ubiquitous that it is essentially impossible for any person without a photographic memory to actually remember them without writing them down, and therefore leaving a serious security hole should someone gain access to this list of written-down passwords.

The only way I am able to manage this for myself is to split most of my passwords -- and I just checked my list, I'm up to 130 so far! -- into two parts, one which is the same in all cases, and the other which is unique but simple. (I break this rule for sites requiring high-security like bank accounts.)

The problem with requiring "complexity", defined as multiple types of characters all being present, is that it forces people into a disparate set of conventions for different sites, which makes it harder to remember the password in question.

The only reason I will acknowledge for sites limiting the set of allowable password characters, is that it needs to be typeable on a keyboard. If you have to assume the account needs to be accessed from multiple countries, then keyboards may not always support the same characters on the user's home keyboard.

One of these days I'll have to make a blog posting on the subject. :(

Jason S
+2  A: 

My old limit theorem:

As the security of the password approaches adequate, the probability that it will be on a sticky note attached to the computer or monitor approaches one.

David Thornley