The Case for Stronger Passwords with Less Complexity
If a user chooses passwords with 16 or more characters, then complexity rules can be dropped. This means a password does not need to be mixed case or contain numbers or special characters. And, most importantly, long passwords or pass-phrases are more secure, even with limited character sets.
22 June 2009
It's a paradox that very long passwords (16+ characters) are easier to remember and maintain than their 8-12 character cousins.
Here is why. Once a password is 16 or more characters long, complexity rules can be dropped: it does not need mixed case, digits or special characters. And, most importantly, a long password or pass-phrase over that limited character set still has far more possible values than a short password drawn from the full keyboard.
As an aside, I would like to mention that long passwords tremendously aid the usability of mobile applications. If you have ever tried to enter a mixed-case password with numbers and special characters on a smartphone, you will know what I mean.
But back to the strength of long passwords. They do away with complexity, and complexity is an enemy of security. People will remember 'intralinksisnumberone' much more easily than 'Intralinksis#1', and they will be less inclined to write it down somewhere and risk exposing it. At 16+ characters, pass phrases are also more difficult to guess or to crack by brute force: they simply have more possible combinations than shorter, more complex passwords (see NIST publication 800-118 for more details). The one caveat is that the count assumes an attacker has to try characters, not words; a phrase made of two or three very common words, or a well-known saying, gives a dictionary-based guesser a much smaller space to search, so the phrase should be long and personal rather than a stock expression.
This is a huge change from the weaknesses of complex passwords and the predictable patterns people use in order to remember them. It is not uncommon for a password to start with a capital letter, substitute every 's' with a dollar sign and end in digits to reach the '8 character minimum' requirement. 'Fluffy12' or 'Pa$word1' will probably log you in to a large percentage of online applications. Common sense says that the criminals have already built databases of those 'clever' complex passwords. Paraphrasing Bruce Schneier: anybody can come up with a password that they themselves cannot crack.
As the table above shows, case-insensitive 16-character pass phrases have 26^16, about 4*10^22, possible values, and they need only the 26 letters of the English alphabet to achieve this strength. In comparison, 8-character passwords that require digits, upper and lower case letters and all the symbols on the standard keyboard (95 printable characters in total) have 95^8, about 7*10^15, possible values. This is much weaker: roughly six to seven million times fewer values. A medium-length password of 12 characters over that full keyboard has 95^12, about 5*10^23, possible values, which the 16-letter phrase does not quite reach; it takes 17 letters (26^17, about 1*10^24) to exceed it, and adding a word to a phrase is far easier for a user than adding a symbol to a password.
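The keyspace arithmetic above, worked through as an added example (this code is not from the original post or from Intralinks). It computes the counts quoted in the text, finds how many letters a case-insensitive phrase needs to match a complex password of a given length, and adds the practitioner's caveat that a phrase built from a few very common words is attacked word by word rather than character by character. The guess rate, the 10,000-word vocabulary and the meets_policy rule (16+ characters of anything, or 8+ with three character classes) are assumptions for illustration, not figures from the post.

```python
import math

# Character-set sizes: the 26 letters of the English alphabet, and the 95
# printable ASCII characters that make up "all the symbols on the standard keyboard".
LETTERS = 26
FULL_KEYBOARD = 95


def keyspace(alphabet_size, length):
    """Number of distinct strings of `length` characters drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def min_length_to_match(alphabet_size, target_keyspace):
    """Smallest length over `alphabet_size` whose keyspace is at least `target_keyspace`."""
    length = 1
    while keyspace(alphabet_size, length) < target_keyspace:
        length += 1
    return length


def phrase_keyspace(vocabulary_size, word_count):
    """Keyspace seen by an attacker who guesses whole words from a vocabulary of
    `vocabulary_size` common words (assumed model, not from the post)."""
    return vocabulary_size ** word_count


def years_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every value at an assumed offline guessing rate."""
    return space / guesses_per_second / (365 * 24 * 3600)


def meets_policy(password, min_len=8, phrase_len=16):
    """Length-or-complexity rule as the post argues for: a password of phrase_len
    or more characters is accepted regardless of character classes; shorter ones
    must have at least min_len characters and three of the four classes."""
    if len(password) >= phrase_len:
        return True
    if len(password) < min_len:
        return False
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    return classes >= 3


def comparison():
    """Return the figures discussed in the text as a dict, so they can be checked."""
    phrase16 = keyspace(LETTERS, 16)
    complex8 = keyspace(FULL_KEYBOARD, 8)
    complex12 = keyspace(FULL_KEYBOARD, 12)
    return {
        "phrase16": phrase16,
        "complex8": complex8,
        "complex12": complex12,
        "ratio_16_to_8": phrase16 / complex8,
        "letters_to_match_8": min_length_to_match(LETTERS, complex8),
        "letters_to_match_12": min_length_to_match(LETTERS, complex12),
        # Assumed caveat: four words from a 10,000-word list of common words.
        "four_common_words": phrase_keyspace(10_000, 4),
    }


if __name__ == "__main__":
    c = comparison()
    for name, value in c.items():
        if isinstance(value, int):
            print(f"{name:22s} 10^{math.log10(value):.1f}")
        else:
            print(f"{name:22s} {value:.3g}")
    rate = 1e9  # assumed: one billion offline guesses per second
    print("years to exhaust 16 letters at 1e9/s:", f"{years_to_exhaust(c['phrase16'], rate):.3g}")
    print("years to exhaust 8 full-keyboard chars at 1e9/s:", f"{years_to_exhaust(c['complex8'], rate):.3g}")
    for pw in ("Fluffy12", "fluffy12", "Intralinksis#1", "intralinksisnumberone"):
        print(f"{pw!r:26s} accepted: {meets_policy(pw)}")
```

Note that 'Fluffy12' passes the complexity branch of the policy exactly as the text warns, and that four words from a 10,000-word vocabulary give an attacker about 10^16 values, the same order as an 8-character complex password, which is why the phrase should be longer or less predictable than a handful of common words.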
So, by offering users the choice of less complexity in characters, we are not only giving them the option of easy-to-remember and difficult-to-guess passwords, but also nudging them towards longer and stronger passwords. They will thank us later, when mobile internet use becomes the norm rather than the exception.
In Intralinks' most recent platform release we have introduced pass phrases as passwords.
Mushegh Hakhinian represents Intralinks at the Cloud Security Alliance SME Council, is a Certified Information Systems Security Professional, and is a frequent contributor to industry publications. Prior to joining Intralinks, Mr. Hakhinian led security functions at a multi-tenant online banking service provider and an international bank.