I hope some of my readers are cybersecurity experts, and can answer a fundamental question that has troubled me for a while.
This question concerns the ever more complex requirements for creating passwords. Capital letters, numbers, special symbols, lengths, etc. You all know what I'm talking about.
I believe the typical justification for these rules is that simple passwords are easy to hack. I've seen academic papers that compute how many guesses it would have taken to find the right one, under different classes of passwords.
There is definitely widely circulated "advice" that one should never use a real word in the dictionary as one's password.
I'm troubled by this because I don't think real-world authentication servers allow anyone to keep trying wrong passwords till you get to the right one. I'd think any server would lock the account after say 10 unsuccessful attempts. If that is true, then it doesn't matter that I'm using a real word so long as the chance of guessing it within 10 tries is very small.
***
My framing of the problem is a little different. There is a downside to complicated password rules. It creates a need to write the password down somewhere, or store it somewhere since one can't store so many different passwords in one's head. (Even more so when the system admin requires one to change the password every so often.) So we are trading one risk against a different risk.
***
It also may be the case that random guessing is not the most popular way to hack into user accounts. It seems like it is easier to steal large lists of passwords from the server where they are stored (if the website owner fails to encrypt them). Also, tricking people into giving up their passwords (various type of phishing) requires no guessing.
If these are the primary ways to hack into one's account, then it doesn't matter what the passwords look like.
***
So, readers, what am I missing? What is the rationale for making us rack our brains for really complicated passwords that are impossible to remember?
P.S.
(1) A former student raised another good question. Have these rules stopped hackers more or stopped legitimate users from accessing their own accounts?
(2) In your replies, please stick to the question. Resist the tendency to run around the question by saying don't use passwords, etc.
[Image is from a web search, hosted at a site called bestsecuritysearch]
[12/10/21] A number of people have mentioned this xkcd comic:
Short answer: In my opinion you are right. There is no need for such complex password requirements.
Longer one: human-readable passwords based on a few words can be really good as this xkcd comic explains well: https://xkcd.com/936/ Of course, password manager helps a lot. And everybody nowadays uses the password manager, right? :)
Posted by: Aleksander B | 12/10/2021 at 10:18 AM
Simple: a, not all websites lock accounts (though most throttle login attempts). b) if you steal an encrypted password list you can break it using dictionary attacks.
Of course, as xkcd has taught us complex password rules are often fulfilled in very nonrandom ways.
Posted by: Ruben | 12/10/2021 at 10:18 AM
So People don't crack passwords that way. What they do is:
Normally a password file is leaked. This file contains not passwords, but "hashed" passwords. The users password is sent through an algorithm that converts it to a string. This algorithm is deterministic, so you always get the same string when you send it through the function. Instead of trying on the site, you have something that can do the same hash, and you try on your own computer till you get a hash that matches. This means you've cracked the password.
Here's a great explanation of how cracking these passwords works, and it's done, not on the system where you'd enter the password, but on a "local" supercomputer.
https://www.youtube.com/watch?v=7U-RbOKanYs
Posted by: David | 12/10/2021 at 10:23 AM
Near as I can tell, the common password attack vector is not the "front door" where one types in their password to gain access to a website – it's leaked/breached tables of hashed passwords, thousands of them, representing all of the users of a site. There's nothing preventing someone from chewing on such a file to their heart's content, and it is valuable to do so because it represents a large number of users, many of whom use the same password on other sites. So the password rules are intended to make passwords harder to crack. But even in 2013 cracking tools were very good: https://www.schneier.com/blog/archives/2013/06/a_really_good_a.html
Posted by: Jon Plummer | 12/10/2021 at 10:52 AM
I am not an expert, but I am somewhat informed.
I think the rationale is "we thought longer passwords are going to save us, and we were wrong". Modern security recommendations go beyond "try to think of long, complicated password". I believe most of experts today would agree on following recommendation as suitable for common folks like you and me:
1. Use password manager. It will create and store long passwords for you. You will only have to remember one password - master password to password manager (that unlocks all the other passwords). There are many password managers out there - some are free, some are paid, some sync across multiple devices, some do not. Apple has password manager built-in, works on all of their devices. Google has password manager, but it works only in Chrome browser and on Android devices.
2. Enable multiple-factor authentication where possible. So when your password is eventually leaked (although password managers can help in making this a little less likely), it will be useless - as criminals don't have your other authentication factors. Usually MFA comes in the form of short message sent to your mobile number, but "authenticator" apps are becoming more popular. Some password managers have that built-in. Google and Microsoft both have "authenticator" apps for your phone.
Here is an article from actual security expert: https://www.troyhunt.com/passwords-evolved-authentication-guidance-for-the-modern-era/ . It advises AGAINST some of the things that you mention - like requiring people to change passwords regularly.
Finally, to reply to opening paragraphs. Password guessing game usually does not take place on actual system, in part because - as you pointed out - authentication system is likely to lock out attacker after couple of tries, in part because sending password over the wire is just way too slow. Most of the time, attacker will obtain authentication system database dump. It will contain password field, and passwords are usually stored in encrypted (hashed) form, so they can't be read directly. So attacker has two unknowns to figure out - function input (password) and actual hashing function. On any sufficiently large system database you can count on someone setting password to "123456", "password" and common words from dictionary. There are few popular hashing functions you can blindly try (MD5, SHA256, bcrypt, Argon2), and sometimes you actually know how hashes are derived, because you obtained source code of system itself.
Posted by: Mirek Długosz | 12/10/2021 at 11:20 AM
It's the same power kick that gets the CDC making people wear masks and upping regulations on Omicron. Made stronger by identifying those that resist as the deplorables.
For me, far worse than long passwords (or not being able to re-use old ones) is rushed covid era websites that don't allow the browser to save the password.
There is also a push to double up on or replace passwords with alternative authentication like the Windows phone authentication app. Hugely age discriminating.
Posted by: Michael Droy | 12/10/2021 at 11:30 AM
As an actual export, the state of the art recommendations are to use a multi-phrase password with multi-factor authentication. So something like "fling standard batton" (or longer) and then use an app-based MFA code. If you can't use that code, perhaps use a 4-5 word phrase. The complexity requirements don't work well unless you use a password manager, but you're still better off using generated phrases with a password manager than trying to remember them all yourself.
Posted by: boB Rudis | 12/10/2021 at 01:47 PM
re: Your student's question #1, I think the question of whether more legitimate users vs. hackers have been stopped this way is the wrong way of framing it, depending on the sensitivity of the data behind the password. For example, if the page you're trying to access is your bank account, how many times would you be OK with being prevented from logging in, assuming that the single time that someone else logs in they could steal all of your money? The risk of a single successful login is far greater than the risk of a single legitimate user being blocked from logging in.
Posted by: Abby Martin | 12/13/2021 at 07:36 AM