Password policy – Length vs. Complexity
Friday November 2, 2007 at 9:33 am CST
Posted by Juan Bocanegra
One of the many topics I like to cover in detail when teaching Essentials of Hacking and Ultimate Hacking is password brute forcing and cracking. I usually start off by letting the students come up with what they think is a strong password policy and later, we analyze common implementations & attacks against them. Inevitably, the password policy they come up with looks a lot like this:
- At least one uppercase character
- At least one lowercase character
- At least one digit
- At least one symbol
- At least 7 characters
A quick analysis of this password policy yields the following:
- Character set is roughly 52 alpha characters + 10 digits + ~12 symbols
- Password length is >= 7
- Most people will pick a password that’s 7-8 characters (we’ll compromise here)
- Password keyspace is approximately 74^9 = 66540410775079424 or ~6.7e16
This password policy is in line with what I see on most security engagements. However, an implementation that actually enforces these rules is not as common, but that’s another blog entry. Still, a password policy like this is the common case.
Here’s my password policy (just trying to prove a point here):
- All lowercase characters
- At least 15 characters
- Non dictionary words
A quick analysis of my password policy yields the following:
- Character set is 26
- Password length is >= 15
- Password keyspace is approximately 26^15 = 1677259342285725925376 or ~1.7e21
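The two keyspace figures above, worked through in code as an added example that is not part of the original post. The hash rate is an assumed illustrative figure, not the Cain & Abel measurement; the block also computes the realistic 7-8 character case and the shortest all-lowercase length that already exceeds the typical policy's keyspace.

```python
# Added example, not from the original post: keyspace and worst-case
# exhaustive-search time for the two policies compared above.
# HASH_RATE is an assumed figure, not the Cain & Abel measurement.

def keyspace(charset_size: int, min_len: int, max_len: int) -> int:
    """Count every candidate of each length in [min_len, max_len]."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))

def years_to_exhaust(space: int, hashes_per_second: int) -> float:
    """Worst-case time to try the whole space at a given unsalted-hash rate."""
    return space / hashes_per_second / (365 * 24 * 3600)

def length_to_match(space: int, charset_size: int = 26) -> int:
    """Smallest fixed length whose keyspace over charset_size is >= space."""
    n = 1
    while charset_size ** n < space:
        n += 1
    return n

HASH_RATE = 100_000_000  # assumed 1e8 MD5/s, for illustration only

# Typical policy: 52 letters + 10 digits + ~12 symbols, the post's 9-char figure
TYPICAL = keyspace(74, 9, 9)
# What users actually pick under that policy: 7 or 8 characters
TYPICAL_REALISTIC = keyspace(74, 7, 8)
# The author's policy: lowercase only, 15 characters
LONG_LOWER = keyspace(26, 15, 15)

def compare(rate: int = HASH_RATE) -> dict:
    """Summarise how the two policies differ in size and crack time."""
    return {
        "typical_space": TYPICAL,
        "typical_realistic_space": TYPICAL_REALISTIC,
        "long_lower_space": LONG_LOWER,
        "size_ratio": LONG_LOWER // TYPICAL,
        "lowercase_len_to_beat_typical": length_to_match(TYPICAL),
        "typical_years": years_to_exhaust(TYPICAL, rate),
        "long_lower_years": years_to_exhaust(LONG_LOWER, rate),
    }

if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:>30}: {value:,.1f}" if isinstance(value, float) else f"{key:>30}: {value:,}")
```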
Let’s figure out which password policy is stronger by using Cain & Abel to test the time required to brute force passwords that are MD5 hashed, which is a common case for web applications.
Exhibit A:

Here’s Cain & Abel attempting to crack all possible passwords for the typical password policy.
Exhibit B:

Here’s Cain & Abel attempting to crack all possible passwords for my password policy.
The bottom line:
- In general, password length trumps password complexity. This applies to both cracking and rainbow table attacks.
- Given the opportunity, users will choose the simplest passwords, such as ‘Password1!’, etc. If you don’t believe me, check out an analysis of the ‘hacked’ Myspace accounts.
- Make sure you account for human tendencies that include usernames in passwords, too many repeating characters, passwords based on dictionary words, capitalization of the first letter, symbols & digits at the end, etc.
- Enforce your password policy - duh. Remember AOL’s old implementation?

November 2nd, 2007 at 11:12 am
Nice blog. Harry Waldron, MS MVP, posted a link to this blog at our site, and a discussion has ensued. I myself have posted as well, but re-reading your blog makes me wonder - you say length trumps complexity, but would length + complexity still be better than just length alone?
You can check out the discussion at the following link:
http://www.dozleng.com/updates/index.php?showtopic=16191
November 3rd, 2007 at 6:54 am
Yes, length is good, but length + complexity is better - but not by much. The main reason I wrote this post entry was to get people thinking and experimenting on finding the sweet spot for their password policy. Every password secured system is different and the password policy that governs how the passwords are created should be tweaked accordingly.
I believe that after you account for common mistakes in the creation of these policies, you should focus on password length - that’s the main variable that gives passwords their strength.
My next entry will discuss the intersection of password policies and common (associated) problems, such as account harvesting, lockout, and the rest. Once you start putting these pieces together, entire applications and their user bases can quickly crumble.
November 7th, 2007 at 7:25 am
When it comes to users’ imagination in choosing a password, length is probably preferred over complexity or length + complexity
…and if accounts lock out after, say, 5 tries. Doesn’t that pretty much make it safe to use a simple password?
November 7th, 2007 at 3:34 pm
Simple password with account lockout sounds tempting. But, what does that do for someone running a reverse brute force?
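The lockout vs. reverse brute force point from the two comments above, shown as detection logic over constructed authentication-failure log lines. This is an added example, not part of the original thread; the log format, addresses and account names are assumptions made for the illustration.

```python
# Added example, not from the original post. The log line format and the
# sample lines are constructed; a real source would be your own auth log.
from collections import defaultdict
from datetime import datetime, timedelta

# 10.0.0.20 hammers one account (lockout catches it); 10.0.0.9 sends one
# guess per account across five accounts, so no account ever locks.
LOG = """\
2007-11-07T15:30:01 FAIL user=carol src=10.0.0.20
2007-11-07T15:30:02 FAIL user=carol src=10.0.0.20
2007-11-07T15:30:03 FAIL user=carol src=10.0.0.20
2007-11-07T15:30:04 FAIL user=carol src=10.0.0.20
2007-11-07T15:30:05 FAIL user=carol src=10.0.0.20
2007-11-07T15:31:00 FAIL user=alice src=10.0.0.9
2007-11-07T15:31:05 FAIL user=bob src=10.0.0.9
2007-11-07T15:31:10 FAIL user=dave src=10.0.0.9
2007-11-07T15:31:15 FAIL user=erin src=10.0.0.9
2007-11-07T15:31:20 FAIL user=frank src=10.0.0.9
"""

def parse(text):
    """Yield (timestamp, user, source) from each FAIL line."""
    for line in text.splitlines():
        ts, status, user_kv, src_kv = line.split()
        if status == "FAIL":  # strip the "user=" and "src=" prefixes
            yield datetime.fromisoformat(ts), user_kv[5:], src_kv[4:]

def locked_accounts(events, threshold=5):
    """Accounts whose failure count reached the lockout threshold."""
    counts = defaultdict(int)
    for _, user, _ in events:
        counts[user] += 1
    return {u: n for u, n in counts.items() if n >= threshold}

def spray_sources(events, window=timedelta(minutes=10), min_accounts=5, threshold=5):
    """Sources failing against many accounts inside one window while every
    account stays below the lockout threshold: the reverse brute force."""
    by_src = defaultdict(list)
    for ts, user, src in events:
        by_src[src].append((ts, user))
    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            users = [u for t, u in evs[i:] if t - t0 <= window]
            distinct = set(users)
            if len(distinct) >= min_accounts and max(users.count(u) for u in distinct) < threshold:
                flagged[src] = len(distinct)
                break
    return flagged

EVENTS = list(parse(LOG))
```

Per-account lockout flags only carol; the per-source view is what exposes 10.0.0.9, which never trips the lockout counter.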
November 8th, 2007 at 3:59 pm
One of my password ideas is as follows:
If we memorize password characters, it is very difficult to memorize long strings of characters for a password.
However, if you memorize a password pattern, you cannot memorize your password itself.
That is, I call my password system a “Password Pattern memorize system”, instead of a “Password memorize system”.
First of all, you create a random character table, 10 by 10 for example. (Fig. 1, below)
Then you decide to memorize a password pattern.
For example, 10 characters from the 5th column at the 2nd line in the random table; your password is JjDX[6$bp}.
Or to memorize another password pattern, an L format, that is, 19 characters from the 1st row and 10th line; that is, your password is #$Z(!Y`e”%cq]Kau0)>.
You can decide your password pattern and the start point in your password pattern on your own.
And if you have 10 accounts, you create 10 random password tables and print them. Probably, if you have these random password tables, no one can crack your password when you memorize a good password pattern, even though you show it to a password cracker.
If your password policy has a 35 day password lifetime, you create a new random password table and use it with the same password pattern, which contains different password characters.
I create a random table with Excel, because I do not get the same random table for a long time.
One of my friends prints a random table and pastes it on his wrist watch, and I print some random tables and paste them in my pocket diary.
Fig. 1: A sample random password table created 10 by 10
(You can change number of row and column.)
1 2 3 4 5 6 7 8 9 0
1 # a o * I g A U \ 3
2 $ b p } J j D X [ 6
3 Z 8 | ; F d x R | _
4 ( f t . N h B V @ 4
5 ! 9 m + G i C W ‘ 5
6 Y 7 k { E c w Q - ?
7 ` e s
PS
My website is only Japanese.
If you can read Japanese, please read the following pdf file.
http://www.uchidak.com/papers/20060406_Uchidak.pdf
November 9th, 2007 at 2:53 am
Obviously length+complexity is better than length alone. But based on my personal experience, when you force users to use a long and complex password, the chances are they can’t remember it. System policy is one thing, user acceptance is another. More often than not, if they can’t remember it they will write the password down. I have seen them do it, and know where their password is on physical medium. Furthermore, a long complex password will just tempt them to reuse the first few characters of the password. You can have the best system security but it’s useless if the users let you down.
December 1st, 2007 at 9:26 am
How to choose a password…
Another interesting post on the McAfee Avert Labs Blog discusses the relative importance of password complexity versus password length. They used the Cain & Abel utility to work out the time required to break various passwords and came to the con…
April 27th, 2008 at 3:41 pm
I’m just wondering, does it matter what length a password is, or is there a maximum length?