Modern Password Policy

Myths and Best Practices

Password Complexity

Passwords have long served as the first line of defense in securing digital assets, but their strength is directly proportional to the usage habits of users and the security policies applied on them. Unfortunately, many such policies actively degrade password security by driving users towards compensatory strategies just to operate. With that risk in mind, let's discuss why the core of password strength lies in a balancing act between usability and complexity/randomness.

Two primary elements influence a password's entropy (degree of randomness and unpredictability): length and character set complexity. Brute-force attacks, where adversaries attempt every possible combination until success, rely on narrowing down the search space. Both length and complexity expand this space, but it's crucial to understand their relative impacts. Consider the following table, detailing hypothetical attack durations against passwords of varying types, given a conservative base of crackers achieving 10 trillion guesses per second (open source is pretty close):

Example Password Type Possible Combinations Time to Brute-force
"phantoms" 8 characters (lowercase only) 26^8 (53.4 trillion) <1s
"RainboWz" 8 characters (letters only) 52^8 (53.4 trillion) ~5 seconds
"R4!nB0&z" 8 characters (letters + numbers + symbols) 95^8 (6.6 quadrillion) ~10 minutes
"CloudySkiesB" 12 characters (letters only) 52^12 (7.4 sextillion) ~1 year
"Cl0ud$Sk!3sB" 12 characters (letters + numbers + symbols) 95^12 (540 sextillion) ~1700 years
"thunderstormsatnoon" 20 characters (lowercase only) 26^20 (199 duodecillion) ~1 billion years

As emphasized by the table, length often trumps complexity in determining password resilience. This underpins NIST's latest guidance, which promotes longer passphrases over complicated, hard-to-remember passwords.

Myth 1: Frequent Password Rotation Enhances Security

Reality: Frequently changing passwords by policy lead to weaker password choices as users resort to slight variations of their previous passwords or choose simpler patterns for ease of memory (e.g. "StrongPasswordBase!1", "StrongPasswordBase!2"). It also fails to impact attackers; they'll conclude their attacks well ahead of any 30 or 90 day rotation period (as the table illustrates), acquire the password through other channels anyhow (enabling them to recapture after rotation), and generally establish continuing access with needing to further rely on any particular password.

NIST Guidance: "Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator." - NIST Special Publication 800-63B

Myth 2: A Complex Mix of Symbols and Characters Makes the Best Password

Reality: Password length combined with unpredictability is more crucial than using a diverse set of characters. Avoid common structures and opt for entire unpredictable phrases.

NIST Guidance: "Encourage users to make memorized secrets as lengthy as they want, using any characters they like (including spaces), thus aiding memorization. Do not impose other composition rules (e.g. mixtures of different character types) on memorized secrets." - NIST Special Publication 800-63B

Myth 3: Two-Factor Authentication (2FA) Makes Passwords Irrelevant

Reality: 2FA significantly enhances security, but carries its own technical and societal vulnerabilities. For instance, SMS-based 2FA can be compromised through "SIM swapping" where attackers trick telecom providers into transferring a victim's phone number, allowing them to intercept verification codes. Additionally, cryptographic tokens have periodically proven vulnerable due to flaws in algorithms or weak random number generators that render tokens susceptible to being reproduced or predicted by attackers.

NIST Guidance: In Special Publication 800-63B, NIST recognizes the vulnerabilities of certain 2FA methods like SMS-based verification, yet underscores the role of 2FA as an enhancement, not a replacement, for strong password practices.

The Merits of Using a Password Vault

Given the complexity of managing various robust passwords, a password vault becomes a practical solution. These tools:

  • Securely Store Passwords: Encrypted storage ensures your passwords remain confidential.
  • Generate Strong Passwords: They can produce random, high-strength passwords for each service.
  • Simplify Access: Users only need to remember one strong master password to access their entire password library.

Tools like LastPass, 1Password, and KeePassX not only enhance convenience but also security. With such tools, the temptation or need to reuse passwords is eliminated, ensuring a unique and strong password for each service you use.