I have already been ranting online about passwords several times. They might be there to protect your digital assets but are also a liability. There are a lot of articles about user passwords being easily guessable. Usually they blame the user and his/her stupidity, the inability to select and remember a password. I consider this plain wrong. Most of those errors are enforced by anachronistic and bad password policies.
A good password must have two properties:
1) It has been memorized by the user
2) It is difficult to guess for a third person (even if he/she knows the user well)
But in most cases another requirement is thrown into the mix:
3) The password shell be complex (have a high entropy)
Usually the requirements take the form of a password policy like this:
- The password must be at least 8 characters long
- The password must contain upper- and lower-case letters
- The password must contain a number
- The password must contain a non-alphanumeric character
You notice anything? Yep, this policy only focuses on the third requirement. And it does so at the expense of the first requirement and (knowing human psychology) it also has a negative impact on the second requirement.
A good example (on how not to do it) was implemented by the Attorney General of Texas:
They try to specify entropy in details which is kind of ironic.
THREATS TO PASSWORDS
Let us take look at how the security of password can be compromised:
- The input of the password has been observed (by eavesdropping, key-loggers or by the ordinary Mark 1 Eyeball)
- The password has been re-used by the user in a different context where the attacker has access to it
- The attacker gained access to the encrypted storage of password and managed to extract it from there
- The password has been guessed by the attacker
How does having a complex password help you against these attacks?
- In case of an attacker observing the user entering the password, no complexity will help. Rather the contrary, a password with mixed upper/lower-case, numbers and special characters is entered at a significantly slower pace. This helps an attacker observing the password by good old-fashioned peeking.
- If the password is known to the attacker from the use in a different context, the complexity is no help either. Knowing the psychological side, cryptic passwords are rather compound the problem. Once a user has found a password that fits the typical policy, he tends to use it wherever such a password policy is in place and therefor increases the chances of an attacker to use a known password of the user in a different context.
- In case of access to the encrypted password store, the complexity clearly helps to hamper the attacker (if the password is encrypted properly).
- One would expect that password policy should help making a password un-guessable for a third person. From my personal observation the contrary is true. Under the watchful eye of a password policy they tend to stick to first names, upper-casing the first or last letter, replacing characters by similar looking special characters or numbers and/or adding numbers at the end (like birthdays).
Summary: Only in one attack scenario choosing a complex password helps, in all other scenarios it does not have any or even a negative impact. So let us look at this scenario a bit more detailed.
To decrypt the password of a user, the attacker has first to have access to the password storage. At which point the first and most critical security failure has already occurred. And the user had nothing to do with it.
When it comes to decrypting a password, the algorithm used is a more important than the complexity of the password. If the service provider has not done his home work, complex passwords offer only little protection. This is another critical point, where the user has no influence whatsoever.
But in case of the service provider having botched the safety of his password file but made everything correct when choosing the algorithm the complexity of the user passwords can offer extra protection against the attacker.
Does this case justify all the negative impact?
I want to point out, that the safety of the encrypted password is not the responsibility of the user. So would say: Don't make him part of the process here. Don't shift the responsibility to to him where the service provider is responsible.
Remark: I did not specifically address the issue of an attacker trying out all passwords by automatically entering them one after another. It falls into the same category since it starts with a critical error on the service provider side by allowing this.
WHAT SHELL WE TEACH USERS ABOUT PASSWORDS?
I think we should focus on the first two requirements i started this blog post with:
- Choose a password you can remember
- Use a password someone else does not associate with you
and (which is more important than complexity):
- Use distinct passwords, at least for the most critical uses (Work, Banking, Apple, Facebook, Google, Paypal, Amazon) and never use those somewhere else.
If the user follows those three advice only, his security would be greatly improved. It is much better to use several (cryptographically) weak passwords than one good one for everything.
WHAT ABOUT PASSWORD COMPLEXITY?
I am not opposed to complex passwords, as long as it has no negative impact on the more important issues. There is nothing bad about advising the user about his password being weak or strong as information.
But if you do so, please do it right. Do not just look for which kind of characters are used. Don't care about the source of entropy as long at it is there.
"Test1234!" is not safer then "mucho danke shopping magazzini", rather the opposite. Let the user find his way to create a memorable complex password. If you force him into a scheme you think best, you will weaken passwords.
And: Except for the most critical uses, 40 bits of entropy are enough. If it is not enough, you need to rethink the way you store your passwords.
That is why i think XKCD has it right, no matter what Bruce Schneier says (i never thought i would agree on a security topic rather with a comic author than one of my most respected security experts).
ARE THERE EXCEPTIONS?
Yes, of course. There are always exceptions. But in those cases you should rather look into using two factor authentication than trying to get the users brain work in a way that evolution did not intend it to.
It seems to have become a fashion to prohibit the use of password managers, either by written policies or enforcing it in web application. I consider this a bad idea. If a user tells me, that he has problems memorizing passwords of sufficient complexity, i tend to believe him. Password managers are a great help, but personally i want to be able to recite my critical passwords (Amazon, Google, Apple, Paypal) directly (even though backed up by 2FA).
My suggestion here: Instead of banning passwords managers, help the user pick the right one.