In a previous life, I consulted with various large enterprises on the complex requirements around password security. They wanted to be compliant with various regulations, which made sense. But focusing on security for the sake of compliance rather than because it’s a best practice is misguided.
The end result can be the same. But the path to getting there is littered with misinformation and confusion. It leads end users to misunderstand what a “strong” password looks like entirely.
The password on my owner portal account is an extremely unique and sentimental password (due to the fact that the house was previously owned by my Father). The password is strong, used on **nothing** else and very personal only to me.
Statement from an end user of a home management system who suffered an account compromise.
A truly strong password is one that you can easily use but which cannot be easily guessed by an outside attacker. If a password is sentimental, it is guessable. If you reuse the same password across multiple sites, it is susceptible to brute force. Frequent password changes lead to end-user security fatigue and introduce further weaknesses like password reuse.
Password security starts with understanding the strength of a password and the guidelines around crafting one.
NIST Recommendations
The National Institute of Standards and Technology (NIST) regularly publishes and maintains guidelines around digital authentication, including the use of passwords. In 2017 they updated their guidance to establish 7 guidelines for application developers:
Password Length
Short passwords are easy for computers to guess, particularly when using a limited character set. A strong password should be at least eight characters in length, but ideally longer for more sensitive accounts. In practice, NIST also recommends a maximum length of 64 characters for passwords, but limiting the maximum length doesn’t necessarily make a system more secure.
The Use of Special Characters and Spaces
Password strength increases as the available character set grows – the more characters to choose from, the longer it will take an attacker to brute force a password. Allowing spaces makes it easier for users to leverage pass phrases (a collection of random, human-readable words) over an unpronounceable or hard-to-remember password.
Reducing Complexity
Similar to the two previous changes, reducing the required complexity of a password makes it easier for users to leverage pass phrases. Older complexity requirements forced users to mix upper and lower-case characters, numbers, and special characters when creating a password. This rendered passwords difficult to remember. In practice the burden of complexity often made systems less secure: individuals would either forget their passwords or resort to writing them on slips of paper left next to the systems they sought to secure.
Removing the complexity requirement while also increasing password length (see above) increases the usability of an application’s authentication system.
Allow Pasting
Standalone password managers (like 1Password) keep the individual application passwords stored in an encrypted vault and enable users to copy the password (once decrypted) into the correct entry field. In the past, applications would explicitly block copy/paste functionality as a security measure. This unfortunately cripples the utility of password managers and prevents users from leveraging strong, unique passwords. Modern applications should encourage the use of separate password managers and enable pasting.
Disallow Password Hints
Many password-secured systems permit users to configure a hint to help them remember a password. On the surface this feels like it would increase the usability of a system. In reality it makes the system easier to breach as it gives an attacker insight into what a password might be.
No Frequent Change Requirements
There are several organizations that require periodic rotation of authentication passwords by way of corporate policy. Often, this is counter to the usability of the system being secured and doesn’t actually increase its security. Moving forward, NIST has recommended removing the requirement that passwords be rotated.
Screen Against Compromise
The final recommendation is that any password system leverage information about previously-breached passwords to proactively disallow any password that might exist in an attacker’s lookup table. Services like HaveIBeenPwned provide simple APIs that allow you to safely and securely check whether a user’s password has appeared in a previous breach. If a password has been used and breached in the past, it should be considered vulnerable and rejected.
Passwords should be checked against previous breaches when they’re first set in the system – i.e. during user registration. The system should also periodically re-check to see if a user password has been externally breached. The HaveIBeenPwned API is useful for these ongoing checks. 1Password also implements a feature called Watchtower that automates this check for individual users.
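As an added example (not code from the original post), here is a minimal registration-time check that applies the length rules above, imposes no composition rules, allows spaces, and screens the candidate against a breach corpus the way the Pwned Passwords range endpoint works: only the first five hex characters of the SHA-1 hash leave the client and the suffix is matched locally. The stand-in range response and the sample "breached" password are constructed; `live_fetch_range` shows the real endpoint but is never called here.

```python
import hashlib
from typing import Callable, Dict

# Length limits from the NIST guidance summarized above; no composition rules, spaces allowed.
MIN_LENGTH = 8
MAX_LENGTH = 64

def sha1_prefix_suffix(password: str):
    """Split the upper-case SHA-1 hex digest: a 5-char prefix to send, a 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(text: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (the shape of a Pwned Passwords range response)."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in the corpus; only the hash prefix is disclosed."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def validate_password(password: str, fetch_range: Callable[[str], str]) -> str:
    """Return 'ok' or the reason a candidate password is rejected at registration time."""
    if len(password) < MIN_LENGTH:
        return "too short"
    if len(password) > MAX_LENGTH:
        return "too long"
    hits = breach_count(password, fetch_range)
    return f"seen in {hits} breaches" if hits else "ok"

def live_fetch_range(prefix: str) -> str:
    """Query the real range endpoint over the network (not invoked in this example)."""
    from urllib.request import urlopen
    with urlopen(f"https://api.pwnedpasswords.com/range/{prefix}") as resp:
        return resp.read().decode("utf-8")

_SAMPLE_BREACHED = "correct horse battery"  # constructed sample, treated as breached below

def constructed_fetch_range(prefix: str) -> str:
    """Stand-in range response: filler suffixes, plus the sample hash only when its prefix matches."""
    known_prefix, known_suffix = sha1_prefix_suffix(_SAMPLE_BREACHED)
    lines = ["0" * 34 + "A:3", "F" * 35 + ":1"]
    if prefix == known_prefix:
        lines.append(f"{known_suffix}:4711")
    return "\r\n".join(lines)
```

The same `breach_count` call, with `live_fetch_range` swapped in, is what a periodic re-check of stored accounts would run; the server never learns the full hash.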
What Makes a Strong Password
Even if your organization implements all of the aforementioned recommendations, it’s important to understand how to grade the strength of any user-defined password. Rather than guessing with various character sets, you need to evaluate the entropy of a user password – how many possible passwords are available?
The reason special characters made it into our password rules of the past was to account for the fact that we already use a limited alphabet. Twenty-six letters (both upper and lower case) plus ten digits evaluates to roughly 24 bits of entropy for a 4-character password. This is because there are a total of 15 million possible 4-character passwords in that character set.
Modern computers are capable of guessing more than a million passwords per second. No one would ever consider a 4-character password to be safe or secure.
Selecting instead 4 random words to create a passphrase would give you roughly 52 bits of entropy (as there are 3 quadrillion possible 4-word passphrases)! Using the same “million passwords per second” calculation rate, this would take a single machine more than 9 years to guess.
While 4 words is not a strong enough passphrase, moving to 6 or more dictionary words puts guessing your password far beyond the means of any attacker you might need to worry about in the near future.
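The entropy arithmetic above, carried through as an added example (not code from the original post): a character-class estimate for random strings and a word-count estimate for passphrases, both converted to search time at the page's one-million-guesses-per-second rate. The 32-character special set and the 7776-word list (Diceware-sized) are assumptions; the character-class figure is an upper bound, since a sentimental or dictionary string is far easier to guess than a random one of the same length.

```python
import math

# Sizes of the character classes the page reasons about; 32 printable specials is an assumption.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 32}

def alphabet_size(password: str) -> int:
    """Smallest character set an attacker must search to cover every class the password uses."""
    size = 0
    if any(c.islower() for c in password):
        size += CLASS_SIZES["lower"]
    if any(c.isupper() for c in password):
        size += CLASS_SIZES["upper"]
    if any(c.isdigit() for c in password):
        size += CLASS_SIZES["digit"]
    if any(not c.isalnum() for c in password):
        size += CLASS_SIZES["special"]
    return size

def charset_entropy_bits(password: str) -> float:
    """Entropy upper bound for a uniformly random string: length * log2(alphabet size)."""
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))

def passphrase_entropy_bits(word_count: int, wordlist_size: int = 7776) -> float:
    """Entropy of word_count words drawn uniformly from a list (7776 words assumed)."""
    return word_count * math.log2(wordlist_size)

def seconds_to_exhaust(bits: float, guesses_per_second: float = 1e6) -> float:
    """Worst-case time to try every candidate: 2**bits guesses at the given rate."""
    return 2 ** bits / guesses_per_second

def years_to_exhaust(bits: float, guesses_per_second: float = 1e6) -> float:
    """Same search time expressed in years (365.25-day years)."""
    return seconds_to_exhaust(bits, guesses_per_second) / (365.25 * 24 * 3600)
```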