Educause Security Discussion mailing list archives

Re: Password strength (was: Are users right in rejecting security advice?)


From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Wed, 17 Mar 2010 15:50:23 -0700

On Mar 17, 2010, at 2:35 PM, Justin Azoff wrote:
> Combinatorics was never a strong subject for me, but I'm pretty sure that
> having both a short minimum required length (like 8) and 'special'
> character requirements actually decreases the security of a password.
> Especially when additional requirements like "the special character can
> not be the first or last character" are added.

Password security is a function of X randomness at Y length. Password policies may appear to reduce randomness by
creating criteria such as Y length, special character requirements, etc. Yet, the premise behind password policies is
to remediate the extremely poor randomness of a person "randomly" choosing a password. In this sense, password policies
are important to the extent they improve upon the randomness an average person will generate.

That said, a reality in our modern world is that only very strong randomness and length are resistant to cracking. In
a practical sense, that means only highly austere password policies can effectively resist such attacks. Better, of
course, is multi-factor authentication.

> Is there any research out there that shows that a 'complex' 8 character
> password is more secure or easier to remember than a 16 character
> passphrase?  I don't know of any reason to still be using short 'complex'
> passwords other than that some old systems did not support passwords longer
> than 8 characters.

The password vs passphrase question is a policy point of distinction. Technically, only randomness and length matter.
Passphrases, as commonly implemented, typically have very low randomness at medium length.

Directly to your question, a length of 8 is hard to substantiate, even with a 96 character set. Yet, a length of 8 at
5 bits of entropy per character equates to a 40-bit password strength, while a 16 character "passphrase" at 2 bits of
entropy per character (e.g. just slightly better than English text) has only 32-bit password strength.

 The NIST publication on this subject is pretty good:
    http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
Office: 520-206-4873
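The reply above reasons about strength as bits per character times length, and the quoted question asks whether "at least one digit, at least one special, and not at the ends" rules shrink the space of allowed passwords. The following is an added example written for this archive page (not code from either poster) that counts the admissible passwords under such a policy by inclusion-exclusion and converts the count to bits. It assumes the thread's 96-symbol set splits into 26 lowercase, 26 uppercase, 10 digits and 34 specials; the class sizes and the policy names are this example's own.

```python
from itertools import combinations
from math import log2

# Assumed split of the 96-symbol printable set mentioned in the thread.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "special": 34}


def keyspace(length, allowed=None, required=(), not_at_ends=()):
    """Count the strings of `length` that a policy admits.

    allowed      classes a user may draw from (default: every class)
    required     classes that must occur at least once
    not_at_ends  classes barred from the first and last position

    "At least one of each required class" is counted by inclusion-exclusion:
    for every subset of the required classes, count the strings that avoid
    that whole subset, and add or subtract by the subset's parity.
    """
    allowed = set(CLASSES if allowed is None else allowed)
    if any(c not in allowed for c in required):
        return 0  # a required class the policy also forbids admits nothing
    total = 0
    for k in range(len(required) + 1):
        for excluded in combinations(required, k):
            sign = -1 if k % 2 else 1
            inner = sum(n for c, n in CLASSES.items()
                        if c in allowed and c not in excluded)
            ends = sum(n for c, n in CLASSES.items()
                       if c in allowed and c not in excluded
                       and c not in not_at_ends)
            if length >= 2:
                count = ends * ends * inner ** (length - 2)
            else:
                count = ends ** length  # a 1-char string is both first and last
            total += sign * count
    return total


def bits(n):
    """Strength, in bits, of a password chosen uniformly from n candidates."""
    return log2(n)


def strength_bits(bits_per_char, length):
    """The per-character model used in the reply: randomness times length."""
    return bits_per_char * length


if __name__ == "__main__":
    policies = {
        "8 chars, any of the 96": dict(length=8),
        "8 chars, digit and special required": dict(
            length=8, required=("digit", "special")),
        "... and special not first or last": dict(
            length=8, required=("digit", "special"), not_at_ends=("special",)),
        "16 lowercase letters": dict(length=16, allowed=("lower",)),
    }
    for name, policy in policies.items():
        print(f"{name:40s} {bits(keyspace(**policy)):6.2f} bits if chosen uniformly")
    print("per-character estimates from the reply:",
          strength_bits(5, 8), "bits vs", strength_bits(2, 16), "bits")
```

The bits figures are upper bounds that hold only when the password is chosen uniformly from the admitted set; the constraints cost a uniformly random 8-character password only a couple of bits, while a 16-character string drawn from lowercase letters alone has far more. Whether a human-chosen password gets anywhere near those bounds is exactly the question the thread is debating.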




As long as a user isn't going to use a dictionary word, forcing them to use a
number or a special character will decrease the number of possible passwords.
Furthermore, not all special characters are used equally.

I had the list of 1 million+ passwords that was leaked in that MySpace-related
incident a while back. I finally took a look at it to confirm a
hunch I had, which was that when a number or special character is required
most users will use 0,1,!,@.

Filtering out passwords that don't have any letters (which tend to be phone
numbers and things like !@#$%^&*), the character frequencies are:

4311399 1
3047197 2
2912554 0
2015274 9
2002411 3
1665517 8
1647072 4
1526430 5
1508622 7
1453701 6
238435 .
189902 _
140388 !
117390 -
108022 *
104680 @
46974 #
35110 /
34576 $
29025 ,
26736 \
26324 &
23644 =
21949 +
17965 ?
17646 )
15802 (
15124 '
12299 ;
11551 "
10930 <
10490 ]
9798 %
8038 ~
7940 :
7466 [
5612 ^
4930 `
3416 >
1024 {
905 }

So the chance of the 'digit' being a '1' is almost 3 times it being a '6'.
The chance of the 'special' character being a '.' is 13 times it being a '?'.

Also interesting that the digit frequencies almost follow a pattern of
10 29 38 47 56

I don't think it should come as a surprise that things like '1password!' or
'123456789!@#$%^&*(' end up being the most common passwords.

Do any sites out there actually have a 'password' policy that is simply
'minimum length: 16' ?

Is there any research out there that shows that a 'complex' 8 character
password is more secure or easier to remember than a 16 character
passphrase?  I don't know of any reason to still be using short 'complex'
passwords other than that some old systems did not support passwords longer
than 8 characters.

--
-- Justin Azoff
-- Network Security & Performance Analyst
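The frequency table in the post above can be turned into a per-character entropy figure, which is the quantity the other reply's "bits per character times length" arithmetic needs. The following is an added example written for this archive page (not code from either poster): the digit and special-character counts are transcribed from the table above, and the code computes the Shannon entropy of each observed distribution against the entropy of a uniform pick from the same symbols, plus the two ratios the post quotes.

```python
from math import log2

# Counts transcribed from the table in the post above (the 10 digits and the
# 31 specials it lists); they are the post's data, not values made up here.
DIGIT_COUNTS = {
    "1": 4311399, "2": 3047197, "0": 2912554, "9": 2015274, "3": 2002411,
    "8": 1665517, "4": 1647072, "5": 1526430, "7": 1508622, "6": 1453701,
}
SPECIAL_COUNTS = {
    ".": 238435, "_": 189902, "!": 140388, "-": 117390, "*": 108022,
    "@": 104680, "#": 46974, "/": 35110, "$": 34576, ",": 29025,
    "\\": 26736, "&": 26324, "=": 23644, "+": 21949, "?": 17965,
    ")": 17646, "(": 15802, "'": 15124, ";": 12299, '"': 11551,
    "<": 10930, "]": 10490, "%": 9798, "~": 8038, ":": 7940,
    "[": 7466, "^": 5612, "`": 4930, ">": 3416, "{": 1024, "}": 905,
}


def shannon_entropy(counts):
    """Bits per symbol of the empirical distribution behind `counts`."""
    total = sum(counts.values())
    return -sum(c / total * log2(c / total) for c in counts.values() if c)


def uniform_entropy(counts):
    """Bits per symbol if every listed symbol were equally likely."""
    return log2(len(counts))


def likelihood_ratio(counts, a, b):
    """How many times more often symbol a was chosen than symbol b."""
    return counts[a] / counts[b]


def most_common(counts, n):
    """The n most frequently chosen symbols, most frequent first."""
    return [s for s, _ in sorted(counts.items(), key=lambda kv: -kv[1])[:n]]


if __name__ == "__main__":
    for name, counts in (("digit", DIGIT_COUNTS), ("special", SPECIAL_COUNTS)):
        print(f"{name:8s} observed {shannon_entropy(counts):.2f} bits/char, "
              f"uniform {uniform_entropy(counts):.2f} bits/char, "
              f"top choices {most_common(counts, 4)}")
    print("P('1') / P('6') =", round(likelihood_ratio(DIGIT_COUNTS, "1", "6"), 2))
    print("P('.') / P('?') =", round(likelihood_ratio(SPECIAL_COUNTS, ".", "?"), 2))
```

Run on the post's numbers, the skew among digits costs only about a tenth of a bit per digit against a uniform 3.32, while the special-character skew costs roughly a full bit against a uniform pick from the 31 listed symbols. Either way a single required digit or special adds far less than the 5 bits per character the other reply needs, which is the defender's takeaway: a composition rule that users satisfy with '1' or '!' buys little, and the real loss is that the rest of the password is still a dictionary word.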
