Lengthy/complex password policies : waste of time?

So, ok, over the years, various online services - whether it be the log-ins for bank accounts, institutions, and so forth, have kept making the minimum password requirements ever longer and more complex. 7 characters? Too short. A whole damn sentence but only lower case letters? Too simple. Etc.

As far as I understand, this is a total and complete waste of time.  It does not improve security at all.  Note this thread is in general questions because I don't feel this is an opinion, it's a mathematical fact.  

Take a 5 character password that is just lower case letters.  Hugely "insecure" and almost no website or bank will let you use it now. 

So, there are 5^26 possibilities, or 1.4 * 10^18.  Now, the *only* risk here is (1) whoever is trying to "crack in" can see the hash of that password, but they need to guess the password itself, or (2), they can guess an unlimited number of times at some ridiculous number of guesses per second.

For an online service done competently, neither should be true. The password hash file should be as well protected as the data the password protects (aka, if hackers can access the file that has the password hash, they can steal everything else anyway), and there should be a limited number of guesses allowed per unit time. A simple solution to limit guesses is, say, after 10 password attempts, you add a timeout that doubles for every subsequent attempt. Nothing onerous. This means that a cracker can maybe try 100 passwords in a 24 hours period -> they will never break in if there are 10^18 possibilities.

So it’s all smoke and mirrors and a waste of everyone’s time. Crackers don’t guess passwords, they get them reset by social engineering or they just steal the actual password, no matter how complex or long it is, from the computer the user typed the password in at. (keystroke logging hardware or software)

The only check that should be performed is if a password is on the list of the 1000 or 10k most common passwords. If it is, bzzt, try again. Other than that, anything should work.

Err, I meant 26^5, or 11 million. Still not guessable if the cracker only gets 100 guess a day.

Forever and ever? If your password is weak, someone could recover it from an old backup tape.

People typically use botnets with a bunch of different IP addresses from over the world to do these things (though they’re not commonly done simply because it’s easier to just farm passwords from pre-cracked databases that people reuse on other sites). Your options end up being: be susceptible to this, or do the password lockout based on account rather than IP.

The problem with the lockout being based on account, of course, is that someone can lock you out of your bank account by deliberately getting your password wrong.

Yes, arbitrarily complex password requirements aren’t good, but you’re a bit too eager in your reasons. Generally, any >8 character password that’s not some permutation of something in the dictionary (and not something super common like “letmeinplease”) is pretty safe, if for no other reason than there’s always lower hanging fruit.

The real danger is reusing weak passwords. If your password is 5 characters and someone grabs it from a database from a weak site, all other sites you use it on are compromised, because now they can crack it on a local computer. The real danger here is you don’t know which sites are weak, or which sites hackers will pick. And it’s possible for tons of sites to be weak in ways that escaped years of security audits, see the recent heartbleed fiasco.

There has been some study on the subject. Long complex passwords don’t seem to offer significantly more security. One problem is users need to write down the long complex passwords because they can’t remember them and that provides more opportunities to steal the password. Passwords don’t provide the kind of security people think they do anyway. It’s like putting a huge lock on the front door of your house and doing nothing to secure the back door or any of the windows. Just read the news, you’ll see that security is getting breached all over the place, and usually strong password protection was in place.

This is where it all falls down.

For all the big chains–Target, Home Depot, Marshall’s, etc–that were hacked, the affected customers used their credit cards at a physical location. There were no problems at the actual stores. The people in charge of computer security at the back end failed at their jobs.

Moral: if you assume that somebody else will keep your information safe, you are a fool.

Many security “experts” would be aghast at this, but I maintain that in many cases, the most secure thing you can do is to pick a fairly complex password, and then write it down, rather than trying to memorize it.

If somebody who has nefarious plans is ever in a position to find your written-down password, computer security is quite likely to be the least of your problems.

just for the record, you don’t have to try all 11 million combinations. You can stop guessing as soon as you find one that works.

What’s your cite?

I’m not being combative; I agree that password rules miss the point. But it’s just a gut sense. Or do you think what you have written in the rest of your post demonstrates it? I think it’s more complex than that.

If done right, that shouldn’t matter. The hash should be salted, so that my password1 resolves to a different hash than your password1. And hashes have the property that they aren’t reverse-engineer-able.

This is more what I would accept as proof. If people aren’t getting hacked by successful algorithms that ‘solve’ passwords, it’s stupid to insist it have a number, a capital, and a weirdo character.

I love that idea. After a while it runs into the problem that *other *passwords become the 1000 or 10000th most common, but we can deal with that later.

You’re missing another attack vector, which is that a hacker will break into a database and download hundreds of thousands or millions of passwords. They’ll have all the password salts there, and then all they needs it the password encryption key to start brute forcing the passwords on their own computer. All of this is pretty trivial in the event of a successful hack.

So now they’ve got your password on their computer and they can try a few thousands combinations a minute. The first thing they’re going to try is a dictionary attack, which is a bunch of common passwords and phrases run through the encryption algorithm with the salt to see if it matches the encrypted password that they stole out of the database. If your password is short, the odds of it existing in their dictionary of possible passwords is greatly increased. If it’s short and an English word, then it’s almost certainly in that dictionary, and they’re going to crack your password in seconds. If it’s short and gibberish (this is where complexity requirement come in), you might survive a dictionary attack, but…

Then they’re going to move on to a brute force attack. At this point, length is really all that matters*. They’re going to start with all possible combinations of 8 digit passwords (or whatever the site minimum is), and then 9 digit, etc. The more digits they add, the longer it takes to run through all of the combinations, until they hit a point where it’s basically just not worth it.

The best passwords are therefore long but memorable, the most famous of which is “correcthorsebatterystaple”.

*Obviously if they know that the site doesn’t allow, say, numbers or special characters in passwords, that’s going to reduce the number of combinations they have to try. But note this is dependent on the site’s policy, not what you actually include in your password. You don’t necessarily need to include special characters or numbers or capital letters, as long as the site permits them and the hacker can reasonably assume that it’s probable that you’ve used at least one of those, they’re going to have to include them in the brute force attack.

Thank God for yellow sticky notes.

I should add, in the attack I described it’s unlikely that the hacker would be trying to get the password for any specific user. Rather, he’s trying to crack the .01% of passwords that are terrible, which will still probably yield him thousands of user accounts. The goal here isn’t to make passwords that are uncrackable, it’s to make them tough enough that it’s not longer worth the cracker’s time to brute force them. He’ll get his thousands of accounts and then dump the database to move on to the next one, rather than spending increasing amounts of time on diminishing returns.

An easy and easy to remember long password would be capital A plus a childhood phonenumber and area code you remember. Make it just about impossible to crack by using three old phone numbers.

If only this were possible. almost all logins I have require AT LEAST 1 number, 1 symbol, 1 upper case, and 1 lower case, and most require 2 of each.

My question is, if everyone knows that a series of 4 small words (like “correcthorsebatterystaple”) is just as secure as hard-to-remember gibberish, why does everyone still use the old 2 symbols, 2 lower-case, etc?

Probably because it’s a simple way to prevent easy, predictable passwords like “passwordpasswordpassword”.

Also, I’d caution that “correcthorsebatterystaple” is no longer a strong password, because it’s almost certainly been added to every competent password dictionary.

If everyone picked 4 lowercase English words, then the cracker’s brute force attack can just be every combination of 4 lowercase English words in their normal dictionary. Still a bunch of things to try, but now we’re getting back down to reasonable numbers.

The important thing is variety. If your password is giantsnorkelcatfishsoup, and my password is BillyQ69!, the cracker has to be prepared for both possibilities and it makes his job a lot harder.

Dammit, quit posting my password! :mad:

:smiley:

If there are 250,000 words in the dictionary (conservative, because there are about 1 million words in English), then that would be almost 4 x 10[sup]21[/sup] combinations. That would be a helluva brute force effort.

Oddly. I have none of these. Passwords that have to be written down arent secure at all.

Just want to say, great post, you said a lot of what I came in here to say, including the xkcd link. But basically, this is the type of attack that password complexity requirements are intended to defeat, and the xkcd comic easily shows why complexity requirements are silly when sheer length should be enough.

The thing is, you can’t stop someone from doing something stupid. Even with really hard complexity requirements, its easy to come up with something that trivializes the requirements. So, for instance, if you require one of each type (upper, lower, number, special), then “Password1!” is a very common way to defeat the intention behind the complexity and making it still super easy to attack. And, from a brute-force approach, “Password1!” is trivial to crack compared to even “passwordpasswordpassword”.

All of that said, overwhelmingly, passwords are cracked through social engineering. I follow good password protocol, and never had them defeated, but I’ve still had my accounts compromised because someone social engineered the account support people. One not too long ago, they just called up called up account support, claimed to be me, and didn’t even make them verify their ID and removed my second factor and reset the password. I only know because, after I realized it was compromised, I called up and the person I talked to said that was in the account notes. :smack:
The other thing to be concerned with is lateral use of passwords. It’s common for people to use the same password, or a small set of passwords, across multiple systems. So they’ll put it in a really unsecure system that’s easy to compromise, like some game website, forum, or “adult” site, and then between that password and the registered email, they can take stabs at trying to crack the email account, various banking or other critical sites. But, again, this has more to do with using fundamentally different passwords for different sites, and really focusing on the strongest ones on the most important (like email and bank). Frankly, I use fairly simply passwords for sites I couldn’t care less about getting compromised.

I’m not an expert, but I’d wager that you could pick the most common 2500 English words and be rather successful if you had a big pool to target. I seem to recall that dictionary attacks tend to have a dictionary of about 10,000 options (no cite, could be wrong), which includes a lot of stuff like password1 and p@ssword which we could exclude if we knew the passwords were all combinations of lowercase English words.

Still a big number, but again the idea isn’t to crack the MOST passwords, but just to crack a lot of them in a reasonable amount of time and then move on.