Your Password Policy Is Wrong
Earlier this year, I received a marketing email from LifeLock, which linked to a post warning of the ills of weak passwords, and implying that if 'Zuck' isn't too cool to have his accounts compromised, neither are we.
Unfortunately, the folks at LifeLock don't appear to be experts in effective password strength policies. I want to address the following statement specifically:
When you develop your new passwords, think long and strong – using upper- and lower-case letters, special characters and numbers. And make sure the resulting passwords aren’t words found in the dictionary.
In the words of Dwight Schrute: WRONG. Adding complexity – by swapping character-case, and injecting numbers and symbols – does little for the entropy (strength) of a passphrase a person has chosen, because people apply those substitutions in a handful of predictable ways. Increasing the length of a passphrase is the best way to improve its entropy, and the easiest way to make a passphrase both long and random is to append randomly chosen dictionary words.
That's right, the oft-repeated "don't use dictionary words" is woefully inaccurate. In fact, the best method we have for generating high-entropy (very strong) passphrases is based entirely on using a sequence of randomly-selected dictionary words, called Diceware.
Diceware is a method for picking passphrases that uses dice to select words at random from a special [word] list. – The Diceware Passphrase Home Page
Diceware passphrases are easy for humans to remember, because they're composed from real words. Generating them is so simple and low-tech that you can pay a kid to make them for you. Their strength is also measurable, because it comes from the selection process rather than from the appearance of the result:
The strength of a password creation system is not how many letters, digits, and symbols you end up with, but how many ways you could get a different result using the same system.
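That measure can be worked through directly. The following is an added example written for this post, not the Diceware project's own tooling: it simulates the five dice from the operating system's CSPRNG, indexes a 7776-entry list the way Diceware does, and puts the entropy of a few uniformly random strategies side by side. The wordlist is a constructed stand-in of synthetic tokens so the code runs offline; the real EFF list has the same 7776 five-digit keys, and `stand_in_wordlist` is where you would load it.

```python
import math
import secrets

DICE_SIDES = 6
DICE_PER_WORD = 5
LIST_SIZE = DICE_SIDES ** DICE_PER_WORD   # 7776, the size of the Diceware/EFF lists


def key_to_index(key: str) -> int:
    """'11111'..'66666' (five dice, written left to right) -> 0..7775, read as base 6."""
    if len(key) != DICE_PER_WORD or any(c not in "123456" for c in key):
        raise ValueError(f"bad dice key: {key!r}")
    index = 0
    for c in key:
        index = index * DICE_SIDES + (int(c) - 1)
    return index


def index_to_key(index: int) -> str:
    """Inverse of key_to_index: 0..7775 -> '11111'..'66666'."""
    digits = []
    for _ in range(DICE_PER_WORD):
        index, d = divmod(index, DICE_SIDES)
        digits.append(str(d + 1))
    return "".join(reversed(digits))


def stand_in_wordlist() -> dict:
    """Constructed placeholder: one synthetic token per dice key.
    The real EFF long list maps each of the 7776 keys to a memorable word;
    parse that file here for actual use."""
    return {index_to_key(i): f"word{i:04d}" for i in range(LIST_SIZE)}


def roll_dice(n: int = DICE_PER_WORD) -> str:
    """n fair dice drawn from the OS CSPRNG. Never use random.randint for this."""
    return "".join(str(secrets.randbelow(DICE_SIDES) + 1) for _ in range(n))


def diceware_passphrase(n_words: int, wordlist: dict, sep: str = " ") -> str:
    """One uniform, independent pick from the list per word."""
    return sep.join(wordlist[roll_dice()] for _ in range(n_words))


def entropy_bits(choices_per_symbol: int, n_symbols: int) -> float:
    """Entropy of n independent uniform picks from a pool of the given size.
    Only valid when the picks really are uniform and independent, which is
    exactly what dice give you and exactly what human choice does not."""
    return n_symbols * math.log2(choices_per_symbol)


def compare_strategies() -> dict:
    """Entropy of a few uniformly random strategies, for side-by-side comparison."""
    return {
        "8 chars, lowercase letters": entropy_bits(26, 8),
        "8 chars, any of 95 printable ASCII": entropy_bits(95, 8),
        "11 chars, lowercase letters": entropy_bits(26, 11),
        "4 Diceware words": entropy_bits(LIST_SIZE, 4),
        "6 Diceware words": entropy_bits(LIST_SIZE, 6),
    }


if __name__ == "__main__":
    wl = stand_in_wordlist()
    print(diceware_passphrase(6, wl))
    for label, bits in compare_strategies().items():
        print(f"{bits:5.1f} bits  {label}")
```

Each word is worth five dice, 5 × log2(6) ≈ 12.9 bits, so four words land at about 51.7 bits, roughly the same as eight characters drawn uniformly from all 95 printable ASCII characters, and six words reach about 77.5 bits. The difference is that nobody actually picks eight uniformly random printable characters, whereas anyone can roll dice.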
Diceware passphrases are not only secure in theory, but are often more secure in practice than passwords containing special characters. How is that so? Because forcing users to inject complex symbols into a password actually encourages them to use a simple base word or mnemonic in order to memorize it, thereby reducing the entropy (and increasing the guessability) of the password. Conversely, a random collection of dictionary words actually generates more entropy, is harder for an adversary to guess, and harder for a machine to brute-force. The following xkcd comic (#936, "Password Strength") illustrates the principle well:
As noted in the comic, we're now reaping the harvest of 20 years of bad password policies, in the form of "security fatigue".
Security fatigue is defined as a weariness or reluctance to deal with computer security. – NIST
A recent NIST study confirmed what many security advocates, looking at the data dumps from recent breaches, already suspected: people are reckless about passphrase security because they are frustrated with memorizing "useless" information.
They're also tired of policies that require changing their passwords frequently:
Users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily. – Lorrie Cranor, FTC
The NIST study suggests three ways to address security fatigue:
- Limit the number of security decisions users need to make;
- Make it simple for users to choose the right security action; and
- Design for consistent decision making whenever possible.
Developing a consistent, sane, industry-wide standard for password policies is a good start. NIST updated its password guidelines this year, and it's a step in the right direction, but it falls short of advocating for Diceware-like passphrases. Regrettably, the corresponding OWASP recommendations include some disputed policies that contribute to security fatigue.
What can regular Jan Doe developers do?
OK, so the old advice is wrong, and the prevailing standards don't (yet) align, so what can we do to encourage strong passphrases, without frustrating people?
- Drop password-expiration policies altogether.
- Allow passphrases of at least 128 characters. Yahoo and Office365 are two major services whose password length limits (32 and 16, respectively) prevent using Diceware passphrases of meaningful length. Check the hash you store as well: bcrypt only uses the first 72 bytes of its input, so with bcrypt the effective limit is 72 bytes regardless of what the form accepts.
- Generate passphrases for your users with a tool like this one built with eff-diceware-passphrase, which uses an EFF wordlist.
- Encourage users to create their own randomly-generated Diceware passphrases, specifically for your service. Embed or link the xkcd comic above for context. Suggest they use a password manager to make using unique passphrases easier (1Password and LastPass are two favorites at Panda Strike).
- Require high-entropy passphrases. Validate passphrase strength with an estimator such as zxcvbn, which isn't biased in favor of symbol-complexity rules.
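Here is what those points look like in a validator, as an added example written for this post (not Panda Strike's code and not zxcvbn's): a "legacy" policy with the 16-character cap, four-class composition rule and rotation the post argues against, next to one with a 128-character cap, no composition rules, no expiry, and an entropy floor instead. The estimator is a deliberately simplified, zxcvbn-inspired heuristic (an assumption, not zxcvbn's algorithm), the 40-bit threshold is assumed, and the wordlist is a constructed stand-in for the 7776-word EFF list.

```python
import math
import re

# Constructed stand-in for the 7776-word EFF/Diceware list: only the words the
# demo needs are present, but entropy is computed against the real list size.
STAND_IN_WORDS = {"correct", "horse", "battery", "staple", "troubador",
                  "password", "purple", "monkey", "dishwasher"}
REAL_LIST_SIZE = 7776
DEMO_MIN_BITS = 40.0           # assumed threshold; set it from your own threat model

# Substitutions every cracking wordlist already tries (assumed, not exhaustive).
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})
_SUBSTITUTED = set("013457@$")
# "a word, possibly mangled, followed by up to four trailing digits/symbols"
_MANGLED = re.compile(r"^(?P<base>[A-Za-z0-9@$]+?)(?P<suffix>[^A-Za-z]{0,4})$")
_SUFFIX_POOL = 43              # 10 digits + 33 printable ASCII symbols


def estimate_bits(passphrase: str) -> float:
    """Toy strength estimate in the spirit of zxcvbn: score what a guesser
    would try, not which character classes happen to appear."""
    words = re.split(r"[\s_-]+", passphrase.strip().lower())
    if len(words) >= 2 and all(w in STAND_IN_WORDS for w in words):
        # A sequence of list words: one uniform pick per word.
        return len(words) * math.log2(REAL_LIST_SIZE)
    m = _MANGLED.match(passphrase)
    if m and m.group("base").translate(_LEET).lower() in STAND_IN_WORDS:
        base, suffix = m.group("base"), m.group("suffix")
        bits = math.log2(REAL_LIST_SIZE)                   # the word itself
        bits += 1.0 if base != base.lower() else 0.0       # capitalised? almost always the first letter
        bits += sum(1.0 for c in base if c in _SUBSTITUTED)  # each l33t position: try both forms
        bits += len(suffix) * math.log2(_SUFFIX_POOL)      # trailing "&3", "123!" and friends
        return bits
    # Nothing recognised: fall back to the uniform-pool model. This is the model
    # composition rules implicitly assume; it is only honest for genuinely random
    # strings, which is why it is the last resort here rather than the first.
    pool = sum(size for pat, size in ((r"[a-z]", 26), (r"[A-Z]", 26),
                                      (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33))
               if re.search(pat, passphrase))
    return len(passphrase) * math.log2(pool) if pool else 0.0


_CLASS_RULES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def legacy_policy(pw: str) -> tuple:
    """The pattern the post argues against: 16-character cap, four character
    classes, and (elsewhere in the system) forced rotation every 90 days."""
    if len(pw) > 16:
        return False, "longer than 16 characters"
    if not all(re.search(p, pw) for p in _CLASS_RULES):
        return False, "needs upper, lower, digit and symbol"
    return True, "accepted; rotate in 90 days"


def recommended_policy(pw: str, min_bits: float = DEMO_MIN_BITS) -> tuple:
    """Long cap, no composition rules, no expiry; an entropy floor instead."""
    if len(pw) > 128:                      # characters (code points), not bytes
        return False, "longer than 128 characters"
    bits = estimate_bits(pw)
    if bits < min_bits:
        return False, f"estimated {bits:.1f} bits, below {min_bits:.0f}"
    return True, f"accepted, estimated {bits:.1f} bits"


if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3", "correct horse battery staple", "password123!"):
        print(f"{pw!r:32} legacy={legacy_policy(pw)}  recommended={recommended_policy(pw)}")
```

Run it and the two policies disagree on exactly the cases the post is about: "Tr0ub4dor&3" satisfies every composition rule and sails through the legacy check while the estimator scores it under 30 bits, and "correct horse battery staple" fails the legacy check twice (too long, no upper case, digit or symbol) while scoring about 51.7 bits under the recommended one. A real deployment would replace `estimate_bits` with zxcvbn and the stand-in list with the full EFF list; the policy functions stay the same.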
NOTE: Panda Strike can help with all of these. Contact us today.