Password Complexity Rules More Annoying, Less Effective Than Lengthy Ones
Monday, July 01, 2013
Posted by: Casey Johnston, Ars Technica
(Editor's note: reprinted with permission from
Few Internet frustrations are so familiar as
restriction. After creating a few (dozen) logins for all our Web presences,
the use of symbols, mixed cases, and numbers seems less like a security measure
and more like a torture device when it comes to remembering a complex password
on a little-used site. But at least that variety of characters keeps you safe,
right? As it turns out, there is some contrary research that supports both how
frustrating these restrictions are and suggests it's possible that the positive
effect of complexity rules on security may not be as great as long length
Let's preface this with a reminder: the
conventional wisdom is that complexity trumps length every time, and this
notion is overwhelmingly true. Every security expert will tell you that
"Supercalifragilistic” is less secure than "gj7B!!!bhrdc.” Few password
creation schemes will render any password uncrackable, but in general, length
does less to guard against crackability than complexity.
A password is not immune from cracking simply
by virtue of being long—44,991 passwords recovered from a dump of LinkedIn
hashes last year were 16 characters or more. The research we describe below
refers specifically to the effects of restrictions placed by administrators on
password construction on their crackability. By no means does it suggest that a
long password is, by default, more secure than a complex one.
In April, Ars checked
in with a few companies that place a range of restrictions on how passwords
must be constructed, from Charles Schwab's 8-character maximum to Evernote's
"use any character but spaces.” Reasons ranged from whether customers can stand
typing certain characters with a mobile phone to password-cracking being the
last of a company's concerns compared to phishing or malware.
A pair of studies done in 2011 and 2012 on
password length and construction showed two things: first, customer frustration
increases significantly with complexity, but less so with length. Second, a
number of password cracking algorithms can be more easily thwarted by a long
password that is created without number, symbol, or case requirements than are
shorter passwords that are required to be complex, particularly for a large
number of guesses. That is, shorter, more complex password restrictions beget passwords
that can be more frustrating to everyone except the only entity who shouldn't
have it: the password cracker.
study in 2011 specifically addressed the problems of usability in password
complexity (full disclosure: both studies mentioned in this article were
conducted in part by Michelle L. Mazurek, wife of Ars Gaming Editor Kyle
Orland). The study authors looked at 12,000 passwords created by participants under
a variety of construction methods, including comprehensive8, where passwords
must be at least 8 characters and include both an uppercase and lowercase
letter, as well as a digit and a symbol, and must not contain dictionary words;
basic8, where passwords must be 8 characters with no other restrictions; and
basic16, where passwords must be 16 characters with no other restrictions.
Study participants experienced the most
difficulty with the comprehensive8 requirements from beginning to end. Only
17.7 percent were able to create a password that met all of the requirements in
the first try, compared to well over 50 percent for the rest of the conditions.
Twenty-five percent of comprehensive8 testers gave up before they could even
make a password that satisfied the requirements, compared to 18.3 percent or
less for other conditions. Over 50 percent of comprehensive8 participants
stored their password either on paper or electronically, compared to 33 percent
for those with the 16-character minimum and less for the rest of the
Despite the fact that passwords that impose a
lot of requirements on content are harder to make and harder to remember, their
use could be justified if they proved to be significantly more secure than,
say, basic8 or basic 16. But contrary to password creation advice external to
site-based creation rules, that did not seem to be the case.
Using 12,000 passwords sourced from
Mechanical Turk participants, the researchers applied two cracking algorithms
to see which types tended to stand up best to attacks. One was based on a
Markov model that makes guesses based on character frequency, and the other was
developed by another team of researchers and takes "training data” from
password and dictionary word lists and then applies mangling rules to the text
to form guesses.
/ The percent of passwords cracked vs. the number of
guesses, using the second, more robust cracking method.
Per the researchers'
tests, the basic 16-character passwords were the hardest to crack for a
"powerful attacker.” After 10 billion guesses, only around 12 percent of the
16-character passwords had been cracked, compared to 22 percent of the
comprehensive8 passwords and almost 60 percent of the basic8 passwords.
It's worth nothing that the cracking
algorithms used in this experiment differ from those Ars detailed in its story
on real-world password crackers: one algorithm is a modified mask attack, while
the other is based on the publicly available Weir algorithm. In either case,
the results of using these cracking methods may differ from those used by
real-world password crackers.
While the study casts doubt on whether
complex and short password requirements result in passwords that are more
secure than ones that just require length, it did find an interesting effect
from the password restrictions. When the researchers compared passwords created
under basic8 restrictions that happened to meet comprehensive8 restrictions to
passwords actually created under comprehensive8 restrictions, the latter were
significantly harder to guess.
Mazurek suggests two reasons to Ars for apparent
resilience of passwords created under long-length restrictions versus
short-and-complex ones. One is that there may not be enough good guessing data
for long passwords due to the dearth of long-password requirements, which she
said is true for both her own team and crackers in the wild. "It won't
remain true long-term if people start requiring (and using) long passwords
everywhere," Mazurek told Ars in an e-mail. The second reason is that
"the space of possible passwords is just bigger... so relatively common
long passwords are still less common than relatively common short
Between the two studies, it's less clear why
those in charge of setting password rules should ever lower length restrictions
while raising complexity restrictions. If those people are interested both in
more security and less frustration for users, the better solution seems to be
setting a higher character limit and leaving all of the other restrictions out.
But from our brief survey of sites, 16
characters seems to be the maximum more often than the minimum, and complexity
rules abound. Ironically, Microsoft, which sponsored both of these studies in
part, sets its own maximum at 16 characters. If admins are interested in a more
secure restriction, a (long) flat length requirement could go further than one
that allows short passwords but requires complications.
Listing image by Reid