I am very skeptical of passwords. Rules for password length and complexity may offer a feeling that you are behaving safely, but they provide much less security than promised. As we see in Learning Tree’s Cloud Security Essentials course, the major cloud providers configure the Linux servers that make up the majority of cloud Infrastructure-as-a-Service so that password authentication is impossible. The only way to authenticate is with cryptographic keys.
I will trust math. But passwords that humans devise, and can remember, and can type accurately with no visual feedback?
My belief that password complexity rules don’t gain you very much is a rather unpopular one in some places. So I was glad to come across a couple of concrete examples supporting this.
A 2011 study by Carnegie Mellon University and US NIST showed that requirements for more complex passwords led to greatly increased user frustration but only very slightly increased resistance to automated guessing or cracking. By “complex” they mean the mixture of character types — both upper and lower case letters, plus digits, plus symbols. Passwords that were longer but simpler in their character content were fairly easy for users to remember and type, yet typical automated attacks discovered far fewer of them. Their model used 8-character “short” and 16-character “long” lengths. The complex version had to contain at least one character from each of the four character classes and could not contain an embedded dictionary word, while the non-complex version had no content restriction.
On the frustration side, people had a hard time generating acceptable short-but-complex password strings. Under 18% could generate one on the first attempt, and over half had to store them on paper or electronically as they could not remember them. Harder to create and remember must mean harder to crack, right?
They measured the entropy of the resulting passwords, a measure of their unpredictability and thus difficulty to guess. They were surprised to find results that contradicted conventional wisdom.
Adding digits is surprisingly helpful. Prohibiting embedded dictionary words is surprisingly unhelpful. And the 16-of-anything passwords had higher entropy than the 8-character highly complex ones.
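To make the length-versus-complexity comparison concrete, here is an added illustration (my own code, not part of the study) that encodes the two policies as checkers and counts the maximum search space each one permits. The class sizes (26, 26, 10, 33) assume the 95 printable ASCII characters, the dictionary is a constructed toy list, and the bit counts are upper bounds that assume uniformly random choice; the study measured the far lower entropy of passwords humans actually chose. The point the numbers make anyway: requiring every class at least once removes strings from the 8-character space rather than adding any, and even its ceiling is well below 16 lowercase letters.

```python
"""Compare an 8-character 'all four classes, no dictionary word' policy
with a 16-character 'anything goes' policy (added example, not study code)."""
import math
from itertools import combinations

# Character classes on a US keyboard; 33 is the number of printable ASCII symbols.
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "symbol": 33}

# Constructed toy dictionary; a real checker would load a full word list.
TOY_DICTIONARY = {"password", "welcome", "monkey", "dragon"}


def char_classes(pw):
    """Return the set of character classes present in a password."""
    classes = set()
    for ch in pw:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch.isprintable() and not ch.isspace():
            classes.add("symbol")
    return classes


def contains_dictionary_word(pw, dictionary=TOY_DICTIONARY):
    """Case-insensitive check for an embedded dictionary word."""
    lowered = pw.lower()
    return any(word in lowered for word in dictionary)


def meets_short_complex_policy(pw, dictionary=TOY_DICTIONARY):
    """At least 8 characters, every class present, no embedded dictionary word."""
    return (len(pw) >= 8
            and char_classes(pw) == set(CLASS_SIZES)
            and not contains_dictionary_word(pw, dictionary))


def meets_long_simple_policy(pw):
    """At least 16 characters, no content restriction at all."""
    return len(pw) >= 16


def keyspace_requiring_all_classes(length, class_sizes):
    """Count strings of `length` over the union alphabet that use every class
    at least once, by inclusion-exclusion over the classes that are left out."""
    sizes = list(class_sizes.values()) if isinstance(class_sizes, dict) else list(class_sizes)
    alphabet = sum(sizes)
    count = 0
    for k in range(len(sizes) + 1):
        # combinations() works by position, so two classes of size 26 are distinct.
        for excluded in combinations(sizes, k):
            remaining = alphabet - sum(excluded)
            count += (-1) ** k * remaining ** length
    return count


def bits(n):
    """log2 of a search-space size; 0 for an empty space."""
    return math.log2(n) if n > 0 else 0.0


def compare_policies():
    """Upper-bound bits of search space for each policy under uniform random choice."""
    short_complex = keyspace_requiring_all_classes(8, CLASS_SIZES)
    short_unconstrained = sum(CLASS_SIZES.values()) ** 8
    long_lowercase_only = CLASS_SIZES["lower"] ** 16   # the weakest 16-char choice
    return {
        "short_complex_bits": bits(short_complex),
        "short_unconstrained_bits": bits(short_unconstrained),
        "long_lowercase_only_bits": bits(long_lowercase_only),
    }


if __name__ == "__main__":
    for name, value in compare_policies().items():
        print(f"{name}: {value:.1f} bits")
    print("Tr0ub4d! passes short/complex:", meets_short_complex_policy("Tr0ub4d!"))
    print("Password1! passes short/complex:", meets_short_complex_policy("Password1!"))
```

Run as a script it prints the three ceilings; the 16-lowercase-letter space comes out around 75 bits against roughly 52 bits for the unconstrained 8-character space, and the all-four-classes requirement only lowers that last figure.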
Then there are the organizations with annoyingly arbitrary rules about their rules. You have to use at least one digit and one symbol, but you can’t start the password with either. Why? Just because. You have to use at least one symbol, except don’t use that symbol. Why? Just because. Or you have to use upper case, lower case, and digits, but symbols are not allowed at all.
Ars Technica reported that the brokerage and banking company Charles Schwab strictly limits password length to 6, 7, or 8 characters. That’s it — at least six but no more than eight. A major financial institution must have strong reasons to insist on short passwords.
Meanwhile I will rely on cryptography.