I recently read an interesting article on Computerworld.com by Michael Scalisi called "The Art of Creating Strong Passwords." It discussed how to create secure passwords but took an approach that didn't necessarily reflect best practices. I filed this away until I came across the same article at Threatpost and realized something needed to be said. The "artsy" approach to password security this piece suggests, combined with Microsoft's infamous password checker, misinforms the public on what constitutes a secure password and how they should be created. These suggestions can quickly go from uninformative to plain harmful. In other words: An "artsy" approach suggests using emotions rather than logic. This is hardly a good strategy for information security.
Passwords are supposed to be secret ‘words' that can be used as tokens to authenticate a user. They have been used by humans long before the electronic era. Inventors and early users of passwords have understood their limitations (that people need to remember them) from the get-go. Yet passwords have remained popular for a number of reasons, especially because they are an affordable and convenient way of identifying people who request access. Even centuries ago, passwords were a part of nascent two-factor authentication systems. In the case of a long-ago military engagement, one would need access to the uniform of the enemy (something you have) and know the password (something you know) to pass a checkpoint. That is why for hundreds of years passwords were good protection mechanisms for the most sensitive of assets.
When people started to use passwords for authenticating to computers, the inherent flaw of the passwords (they had to be human-friendly) became apparent. Add to that the anonymity of submitting the password (user IDs have replaced the actual human element of previous passwords systems) and you have a disaster in the making. Today, the problem is that instead of people there are machines that can calculate millions of possible passwords in the matter of seconds, while users themselves can remember only a fraction of possible permutations from available character sets, thus reducing the passwords' entropy and making cracking them easier. The unfortunate reality is that making passwords more complex is a losing battle because machine speeds will always grow, whereas human capacity of remembering passwords will remain relatively unchanged.
Early password protection mechanisms recognized this truth and had a good solution for this problem. Systems started to implement features prohibiting dictionary words and then added "three strikes and you're out" rules to login processes. Systems began to enforce minimum length requirements, expiration dates and rules around reusing old passwords. In parallel (and for reasons unknown to me), additional 'security' measures were being added. People embarked on a battle with machines and came up with password composition requirements that cybercriminals and their scripts supposedly could not break. Combined with the forced change of passwords on a scheduled basis (60, 90, 120 days) these new techniques not only do not add to password security but actually reduce it.
This is the reasoning for my conclusion:
1. People don't remember gibberish (the basis for a "perfect password") that well - so they tend to substitute characters for letters and/or add a numeric prefix or suffix to satisfy password character requirements. The problem with this approach is the difference in motivation between the valid user and the criminal. (It is a point of frustration for the first and a source of monetary or other benefit for the second.) While the legitimate user has to solve this problem once in 90 days (or whatever password expiration date policy is enforced), often under time constraint (think about how long you contemplated your current password), the criminals have practically unlimited time to whip up utilities (and they do) that would review all the possible character substitutions for the most popular passwords. Criminals will also create (and they have) databases of those password strings to be used for attacks. They also take into account the recommendations of security experts and the rules that popular password grading utilities (Microsoft Password Checker, anyone?) use to substantially reduce the pool of passwords to try.
2. Users tend to quickly run out of password compositions they can remember. When they do create complex passwords they often e-mail it to themselves or store it in a file on their computer, thus exposing themselves to low-tech password theft attacks. These users also start resetting their passwords frequently, sometimes for almost every use, feeding the vicious circle. This consumes application and/or customer service resources, thus affecting availability of the application. Not to mention productivity loss and frustration.
3. The result of complex password requirements is that when creating password people try to produce the simplest string that the system will let them save. They often forget about protecting the password from guessing or brute-force attacks and thus choose something as simple as ‘Pa$word.' Hey, the system took it, so it must be strong, right? You've double-checked it with a password strength indicator tool and it says ‘strong,' so we are compliant. Right? Wrong. Psychologically, users trust the system to pick a secure password for them and then they stop thinking. ‘Idiot-proof' systems are usually secure from attacks by those same ‘idiots.' Unfortunately, the number of those idiots among cybercriminals is not very high.
You don't have to trust my word - just try the following passwords on the password checker: Password1, Pa$word, Pa$wordPa$word, AAAaaa111!!! and tobeornottobeismyfavoritequote. Can you guess which one was rated ‘Weak'? If you guessed ‘Password1' you guessed wrong. It was rated ‘Strong'.
Actually, the strongest password in the list (the passphrase consisting solely of English characters) was rated ‘Weak,' the only one from this list that was rated so low.
The premise itself — that providing guidelines so detailed it largely limits the entropy of all passwords of the world — is atrocious. And the idea that by taking a dictionary word and using a primitive algorithm to make some substitutions would make a password unbreakable is plain dangerous.
What is my advice? Use a phrase that you will remember. For an online banking application, to use one example, a passphrase ‘ilikebankinginthemorning' is more secure than ‘I$Bank1234' because it is longer and any password cracker will get the second one much, much earlier. But most of us are forced to use the less secure option because somebody was successful in selling the illusion that we can beat the machines in mundane, repetitive tasks like password cracking.