Educause Security Discussion mailing list archives
Re: Password strength (was: Are users right in rejecting security advice?)
From: Eric Case <ecase () EMAIL ARIZONA EDU>
Date: Wed, 17 Mar 2010 23:06:12 +0000
Yeah, passphrases need to be long, allow dictionary words and spaces.

-Eric
Sent via BlackBerry by AT&T

-----Original Message-----
From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Wed, 17 Mar 2010 15:50:23
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Password strength (was: Are users right in rejecting security advice?)

On Mar 17, 2010, at 2:35 PM, Justin Azoff wrote:

> Combinatorics was never a strong subject for me, but I'm pretty sure that having both a short minimum required length (like 8) and 'special' character requirements actually decreases the security of a password. Especially when additional requirements like "the special character can not be the first or last character" are added.

Password security is a function of X randomness at Y length. Password policies may appear to reduce randomness by creating criteria such as Y length, special character requirements, etc. Yet the premise behind password policies is to remediate the extremely poor randomness of a person "randomly" choosing a password. In this sense, password policies are important to the extent they improve upon the randomness an average person will generate.

That said, a reality in our modern world is that only very strong randomness and length are resistant to cracking. In a practical sense, that means only highly austere password policies can effectively resist such attacks. Better, of course, is multi-factor authentication.

> Is there any research out there that shows that a 'complex' 8 character password is more secure or easier to remember than a 16 character passphrase? I don't know of any reason to still be using short 'complex' passwords other than that some old systems did not support passwords longer than 8 characters.

The password vs. passphrase question is a policy point of distinction. Technically, only randomness and length matter. Passphrases, as commonly implemented, typically have very low randomness at medium length.

Directly to your question, a length of 8 is hard to substantiate, even with a 96 character set. Yet a length of 8 at 5 bits of entropy per character equates to a 40-bit password strength, while a 16 character "passphrase" at 2 bits of entropy per character (e.g. just slightly better than English text) has only 32-bit password strength.

The NIST publication on this subject is pretty good:
http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
Office: 520-206-4873

> As long as a user isn't going to use a dictionary word, forcing them to use a number or a special character will decrease the number of possible passwords. Furthermore, not all special characters are used equally.
>
> I had the list of 1 million+ passwords that was leaked in that myspace related incident a while back. I finally took a look at it to confirm a hunch I had, which was that when a number or special character is required most users will use 0,1,!,@.
>
> Filtering out passwords that don't have any letters (which tend to be phone numbers and things like !@#$%^&*), the character frequencies are:
>
>   count    char
>   4311399  1
>   3047197  2
>   2912554  0
>   2015274  9
>   2002411  3
>   1665517  8
>   1647072  4
>   1526430  5
>   1508622  7
>   1453701  6
>    238435  .
>    189902  _
>    140388  !
>    117390  -
>    108022  *
>    104680  @
>     46974  #
>     35110  /
>     34576  $
>     29025  ,
>     26736  \
>     26324  &
>     23644  =
>     21949  +
>     17965  ?
>     17646  )
>     15802  (
>     15124  '
>     12299  ;
>     11551  "
>     10930  <
>     10490  ]
>      9798  %
>      8038  ~
>      7940  :
>      7466  [
>      5612  ^
>      4930  `
>      3416  >
>      1024  {
>       905  }
>
> So the chance of the 'digit' being a '1' is almost 3 times it being a '6'. The chance of the 'special' character being a '.' is 13 times it being a '?'.
>
> Also interesting that the digit frequencies almost follow a pattern of 10 29 38 47 56.
>
> I don't think it should come as a surprise that things like '1password!' or '123456789!@#$%^&*(' end up being the most common passwords.
>
> Do any sites out there actually have a 'password' policy that is simply 'minimum length: 16'?
>
> -- 
> Justin Azoff
> Network Security & Performance Analyst
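The two quantitative points in this thread (Brian's "bits per character times length" comparison, and Justin's observation that required digits and symbols are far from uniformly chosen) can be checked with a short script. The following is an added example written for this archive page, not code posted by either author. It takes the digit and symbol counts exactly as Justin listed them, and the bits-per-character figures Brian used; the password list at the bottom is a small constructed sample used only to show how the counting was done, and the function names are my own.

```python
"""Password-policy arithmetic and required-character skew.

Added example for the archived thread; not code from the list.
Character counts are the figures Justin posted; bits-per-character
values are the ones Brian used. SAMPLE_PASSWORDS is constructed.
"""
import math
from collections import Counter

# Counts Justin posted (passwords with no letters filtered out).
DIGIT_COUNTS = {
    "1": 4311399, "2": 3047197, "0": 2912554, "9": 2015274, "3": 2002411,
    "8": 1665517, "4": 1647072, "5": 1526430, "7": 1508622, "6": 1453701,
}
SPECIAL_COUNTS = {
    ".": 238435, "_": 189902, "!": 140388, "-": 117390, "*": 108022,
    "@": 104680, "#": 46974, "/": 35110, "$": 34576, ",": 29025,
    "\\": 26736, "&": 26324, "=": 23644, "+": 21949, "?": 17965,
    ")": 17646, "(": 15802, "'": 15124, ";": 12299, '"': 11551,
    "<": 10930, "]": 10490, "%": 9798, "~": 8038, ":": 7940,
    "[": 7466, "^": 5612, "`": 4930, ">": 3416, "{": 1024, "}": 905,
}


def policy_strength_bits(length, bits_per_char):
    """Brian's rule of thumb: strength = randomness per character x length.

    8 chars at 5 bits -> 40 bits; 16 chars at 2 bits -> 32 bits.
    """
    return length * bits_per_char


def shannon_bits(counts):
    """Entropy (bits) of one position drawn with the observed frequencies."""
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values() if c)


def entropy_loss_bits(counts):
    """How many bits a 'required' position loses versus a uniform choice
    over the same character set (the policy assumes uniform; users aren't)."""
    return math.log2(len(counts)) - shannon_bits(counts)


def skew(counts, a, b):
    """How many times more often character a appears than character b."""
    return counts[a] / counts[b]


def required_char_counts(passwords):
    """Reproduce Justin's tally: drop passwords with no letters at all
    (phone numbers, pure symbol runs), then count every non-letter."""
    counts = Counter()
    for pw in passwords:
        if not any(ch.isalpha() for ch in pw):
            continue
        for ch in pw:
            if not ch.isalpha():
                counts[ch] += 1
    return counts


# Constructed sample, not from any leaked list.
SAMPLE_PASSWORDS = [
    "1password!",   # letter-bearing: contributes '1' and '!'
    "summer2010",   # contributes '2', '0', '1', '0'
    "!@#$%^&*",     # no letters: filtered out, like Justin did
    "5551234567",   # no letters: filtered out
    "coffee.cup",   # contributes '.'
]


if __name__ == "__main__":
    print("8 x 5 bits :", policy_strength_bits(8, 5))
    print("16 x 2 bits:", policy_strength_bits(16, 2))
    print("required digit, observed bits   : %.2f of %.2f"
          % (shannon_bits(DIGIT_COUNTS), math.log2(len(DIGIT_COUNTS))))
    print("required special, observed bits : %.2f of %.2f"
          % (shannon_bits(SPECIAL_COUNTS), math.log2(len(SPECIAL_COUNTS))))
    print("'1' vs '6' : %.2fx" % skew(DIGIT_COUNTS, "1", "6"))
    print("'.' vs '?' : %.2fx" % skew(SPECIAL_COUNTS, ".", "?"))
    print("sample tally:", dict(required_char_counts(SAMPLE_PASSWORDS)))
```

The useful number for a policy author is entropy_loss_bits: a mandatory digit is budgeted at log2(10), about 3.3 bits, but with the posted frequencies it delivers roughly 3.2, and a mandatory special character budgeted at log2(31), nearly 5 bits, delivers considerably less. That gap is the quantitative form of Justin's point that a composition rule narrows the search space a guesser has to cover rather than widening it.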
Current thread:
- Re: Password strength (was: Are users right in rejecting security advice?) Basgen, Brian (Mar 17)
- <Possible follow-ups>
- Re: Password strength (was: Are users right in rejecting security advice?) Eric Case (Mar 17)