8

Many password policies require at least one character of each group (upper case, lower case, symbols, and numbers) in the password.

Does this really improve a password's strength?

e.g.: Is (number included)

3i{M?tofQPI.'C`dfmSK

really stronger than (no number)

ni{M?tofQPI.'C`dfmSK

Please try to keep answers simple. As the question may indicate, I'm not really skilled in cryptographic science.

T. Christiansen
  • 191
  • 1
  • 6
  • The above question is what basically any question about password strength comes down to. While the accepted answer is not perhaps *simple* (depends on your math background), it is comprehensive. Do you think it answers your question and if not, why? – otus Nov 29 '16 at 18:50
  • I try to figure out if the mentioned policies improve the password strength only by forcing users to set semi-random passwords, or whether they also improve randomly generated passwords. –  Nov 29 '16 at 19:10
  • 3
    Mr. Christiansen, the system requiring the password has no way of knowing how the password was generated, whether it was "semi-random" or not. It can compute the guessability of a password based on some rules (length, matching existing dictionary words, etc.) but communicating a wide set of password requirements to an ordinary user who just wants to log on has challenges, too. The theory is that by making ordinary people "use characters from 3 of 4 sets" they will choose meaningful and memorable passwords while still not being put off by harsh password requirements. – John Deters Nov 29 '16 at 19:45
  • [Related](https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes). In practice, it's most important for users to be able to _remember_ passwords so they don't write them down. Especially with expiration-policies, users tend to use **weaker** passwords given extra requirements, not stronger ones. – Seldom 'Where's Monica' Needy Nov 29 '16 at 23:57
  • @SeldomNeedy That depends on the attack vector you're protecting against. Better to have a strong 60 character password written down than a weak 10 character password remembered, if your attackers are remote. Writing passwords down isn't inherently bad, although sticking them to the computer they relate to isn't advisable... – Matthew Nov 30 '16 at 10:37
  • @Matthew We can agree for sure that good length is an important defense against many common attacks, BUT... under the *kinds* of requirements OP describes, research shows more users will select the ***shortest possible*** password allowed. – Seldom 'Where's Monica' Needy Dec 05 '16 at 04:38

5 Answers

20

For the people who just pick the simplest allowable password, this is indeed an improvement on entropy, such as password to pa55word (the first being about as bad as you can get, the second being significantly better yet still unacceptably simple). Password1 is ten times as complex as Password, but only because it is longer, though Passworda would be 26 times as complex as the original Password.

For the people who pick secure passwords, this is a hindrance. It forces passwords like ni{M?tofQPI.'C`dfmSK to become 3i{M?tofQPI.'C`dfmSK. From a sheer entropy perspective, there are fewer possibilities in digits (10) than in lowercase (26), uppercase (26), or special characters (~32). That n… password arguably* has 2.6 times as much entropy as the 3… password (26/10).

Consider a more strict password scheme: you must have one uppercase, one digit, and one special character. An attacker therefore knows that there are a very large number of passwords that are impossible and therefore do not need to be tested in a brute force attack.

Using psychology, the attacker will also prioritize the first character as being uppercase and the last character as being either a digit or a special character, meaning that 1pa*sswoRd is much stronger than Password1* (but again, unacceptably simple). This is called "password topology" (learn more from Rick Redman's PathWell: Password Topology research).

* Calculating password entropy is very very difficult and nobody does it correctly (it's impossible to do "correctly" unless you're talking about measuring an automatic password generator). One must assume the worst-case scenario, that your password generation scheme is fully known to the attacker, since you cannot rely on security through obscurity. I've got my own way of calculating entropy that I like better than others I've seen, but it's imperfect as well. The best password generation advice is therefore to make a very long passcode that meets most recommended password guidelines even ignoring the first and last characters of the code.

When changing e.g. password to Password, you're doubling the entropy because it's the most common location to make uppercase (and upper-vs-lower has two options), whereas changing password to pAssword at least implies that the uppercase could be anywhere, instead increasing the complexity by 16x in this example (eight characters times two case possibilities).

Don't forget words. A word is worth 2-3 "random characters" and no more. Super obscure words (especially from rarer languages) may be worth up to four characters (see my entropy link above), but it's better to be conservative in your estimate. I say if it's in a spelling dictionary for any language you're known to speak, it's worth 2. Any other nontrivial word is worth 3. Password and other common passwords (even 1qaz2wsx; look at your keyboard) are worth 1, so Password1 is about as secure as K%. Since attackers can comb through your drives, any "word" found anywhere on your computer (excluding dictionaries) is worth 2 characters at most.

Random is hard for humans to come up with and harder still to remember (and, contrary to human intuition, arbitrary/obscure/clever is not "random"). That's why password managers offer to do it for you, creating a system in which you only ever need to remember one big fat password which you could e.g. memorize half of and stick the other half in your wallet.

Adam Katz
  • 10,418
  • 2
  • 22
  • 48
  • 7
    In practice, arbitrary password-requirements (such as mandating use of certain characters) tend to ***weaken*** security, since it increases the chances that a typical user just turns to the most insecure password-manager available: `passwords.txt` – Seldom 'Where's Monica' Needy Nov 30 '16 at 00:06
  • 4
    "From a sheer entropy perspective, there are fewer possibilities in digits (10) than in lowercase (26), uppercase (26), or special characters (~32). That n… password arguably* has 2.6 times as much entropy as the 3… password (26/10)." -- This assumes the attacker knows *which set* a particular character belongs to, as otherwise it's (10+26+26+32) total choices versus (26+26+32) choices. You talk a bit about this later in the answer, but I don't think this assumption is stated clearly (or indeed at all in that paragraph), and without that assumption it's misleading. – Xiong Chiamiov Nov 30 '16 at 00:48
  • @SeldomNeedy It still blows me away that some people actually keep their passwords in plain text on their machine . . . it shows what cyber security organizations/IT departments etc are up against when trying to encourage best practices – J Sargent Nov 30 '16 at 01:32
  • 1
    It shouldn't. Users are driven by a need to do their work in as efficient a way as a possible. Security that gets in the way of that is 'just' an inconvenience from their perspective, and if you do too much - then they bypass it, and risk the 'pain' of policy bypass. (Which may not be any more pain than 'being told off' in some companies). – Sobrique Nov 30 '16 at 09:23
  • 1
    @Sobrique It very rarely is any more pain than "being told off" currently. This might change as/if cyber attacks get more common AND more medialized. Currently if I have a good employee whose only failure is that he keeps his passwords in an unsafe manner, the cost/time to replace said employee is usually much higher than the probability*cost of an attack using this method. My current experience is that many more leaks are intentional than unintentional and few competitors try and attack you using cyber weapons. – DRF Nov 30 '16 at 11:50
  • Approaches looking at characters tend to give accurate estimations for passwords consisting of randomly generated characters. These are not the problem, though, as they gather entropy rapidly with length. Human created passwords usually consist of words, though, and are thus susceptible to dictionary attacks. Long passwords consisting of multiple random words are great but not easily distinguishable from well known phrases, like "honi soit qui mal y pense", which are also susceptible to dictionary attacks. There may even be way less commonly used phrases than single English words ^^ – yeoman Jan 17 '20 at 08:22
5

For two randomly generated passwords of 8 characters (for example), choosing from the space (a-z,A-Z,0-9) versus (a-z,A-Z) does increase the strength of the password. You can calculate by how much by following the information in How should I calculate the entropy of a password?.

In practice, for human generated passwords, it is hard to say. Is Password1 really better than PasswordX? Probably not. Simple policies like this do not really force users to pick better passwords in practice.

mikeazo
  • 2,827
  • 13
  • 29
3

There are two components to the answer to this question: the number of characters the password allows and the quality of passwords your users select.

Say your system allows any printable ASCII character to be used in your password, and passwords are of a fixed length of 5 characters (this is just an illustrative example, remember).

If your users are perfect random number generators, then there are 95^5 possible combinations an attacker would have to try, and minimum "complexity" requirements would not improve security. From an attacker's POV, if the password is "ABCDE", this is no less secure than "J(@K>" because the attacker has no a-priori knowledge of the fact that all the characters are letters; he only knows that after the password has been found, and that combination was just as likely as any other 5-character string. In fact, "complexity" requirements actually reduce entropy, as there are several combinations that are disallowed and so can be excluded from the attack.

Unfortunately, people are not random number generators. Not at all. People will choose things that are as easy to remember as possible. Attackers know this and will optimize their attack accordingly by prioritizing strings that are meaningful to a human (because now he does have some a-priori information). This is where password complexity requirements "help" by forcing at least a minimum variation in the characters used. Without these requirements, many people would simply use letters, and most attackers would exploit this by optimizing searches accordingly. Essentially, the complexity requirements make the pool of likely passwords bigger for human users. If, however, you are using a (hopefully cryptographically secure) pseudo-random number generator like Fortuna to generate your password, do not include these "complexity" requirements.

Finally, there are two dimensions to password complexity: variance in characters and number of characters. Making passwords have numbers and special characters increases one dimension, but it is probably far better to drop the complexity requirements in favor of long passwords (or pass-phrases). The entropy lost in having only English letters in the password is generally more than made-up for by having 6-10 words in a pass-phrase. These are also generally easier to remember than "complex" passwords.

Dan_JH_YK_CC
  • 111
  • 4
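The counting behind the three answers above (Adam Katz's 26/10 per-position ratio, mikeazo's 62-vs-52 alphabet comparison, and Dan's point that a "must contain upper + digit + symbol" rule shrinks the 95^5 space) can be made concrete with inclusion-exclusion. The script below is an added example and is not code from any answer on this page. Its class sizes are assumptions: 26 lower, 26 upper, 10 digits and 33 symbols, chosen so that the four classes add up to the 95 printable ASCII characters Dan's answer uses. It counts how many strings survive a policy, converts counts to bits, and cross-checks the formula by brute-force enumeration on a tiny constructed alphabet.

```python
# Added example (not from any answer on this page): how many passwords a
# "must contain at least one character from each of these classes" policy
# leaves in the search space, and what that costs in bits.
from itertools import combinations, product
from math import log2

# Assumed class sizes; 26 + 26 + 10 + 33 = 95 printable ASCII characters.
LOWER, UPPER, DIGIT, SYMBOL = 26, 26, 10, 33
PRINTABLE_ASCII = LOWER + UPPER + DIGIT + SYMBOL  # 95


def count_all(alphabet_size, length):
    """Strings of the given length over an alphabet of alphabet_size symbols."""
    return alphabet_size ** length


def count_satisfying(alphabet_size, required_sizes, length):
    """Strings over the alphabet that contain at least one character from
    every required class (the classes are disjoint subsets of the alphabet).

    Inclusion-exclusion over the set S of required classes that are missing:
        sum over S of (-1)^|S| * (alphabet_size - size(S))^length
    """
    total = 0
    for k in range(len(required_sizes) + 1):
        for missing in combinations(required_sizes, k):
            total += (-1) ** k * (alphabet_size - sum(missing)) ** length
    return total


def bits(count):
    """Entropy in bits of a uniformly random choice from a set of this size."""
    return log2(count)


def policy_cost_bits(alphabet_size, required_sizes, length):
    """Bits a uniformly random password loses once the policy is applied,
    i.e. log2(all / allowed): the attacker simply skips forbidden strings."""
    return bits(count_all(alphabet_size, length)) - bits(
        count_satisfying(alphabet_size, required_sizes, length))


def count_by_enumeration(classes, required, length):
    """Brute-force check of count_satisfying on a tiny alphabet.
    classes: {name: characters}; required: class names that must each appear."""
    alphabet = "".join(classes.values())
    hits = 0
    for candidate in product(alphabet, repeat=length):
        if all(any(c in classes[name] for c in candidate) for name in required):
            hits += 1
    return hits


if __name__ == "__main__":
    # Dan's scenario: 5 printable-ASCII characters, policy = upper + digit + symbol.
    policy = (UPPER, DIGIT, SYMBOL)
    allowed = count_satisfying(PRINTABLE_ASCII, policy, 5)
    print(f"95^5 = {count_all(PRINTABLE_ASCII, 5):,} candidates, "
          f"{allowed:,} satisfy the policy, "
          f"{policy_cost_bits(PRINTABLE_ASCII, policy, 5):.2f} bits lost")

    # mikeazo's scenario: 8 random characters from a-zA-Z0-9 versus a-zA-Z.
    print(f"8 random chars: 62-symbol alphabet {bits(count_all(62, 8)):.2f} bits, "
          f"52-symbol alphabet {bits(count_all(52, 8)):.2f} bits")

    # Adam's scenario, under the assumption Xiong Chiamiov spells out: the
    # attacker knows which class a given position holds.
    print(f"known-digit position {bits(DIGIT):.2f} bits vs "
          f"known-lowercase position {bits(LOWER):.2f} bits (26/10 = {LOWER / DIGIT}x)")

    # Sanity check of the formula against enumeration on a constructed alphabet.
    tiny = {"lower": "ab", "upper": "AB", "digit": "1", "symbol": "!"}
    print(count_by_enumeration(tiny, ("upper", "digit", "symbol"), 3),
          count_satisfying(6, (2, 1, 1), 3))
```

Under these assumptions the upper + digit + symbol rule removes roughly three quarters of the 5-character space (about 2 bits), which is the "reduce entropy" effect Dan describes for users who already pick uniformly at random; the same functions let you quantify any other policy or length before adopting it.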
2

There is evidence to support the notion that adding requirements to include numbers, caps, special characters, etc. reduces password strength in practice. This is probably the best explanation I've read: https://xkcd.com/936/

Glen Pierce
  • 567
  • 1
  • 3
  • 9
  • But remember that "correct horse battery staple" is only secure if the words have been chosen randomly, and not by a human. (Those specific four words are of course a VERY bad password) – Martin Bonner supports Monica Nov 30 '16 at 10:42
-1

Does this really improve a passwords strength?

Does this really improve the security of the system?

Let's compare two scenarios:

  1. System A: no password policies enforced
  2. System B: uppercase + number + symbol

In system A lousy users can select "password" or "letmein" as a password.

In system B some of the simplest passwords I could think of are "Pa55word!" and "Password1!"

Taking into account complexity, entropy, brute-forcing, cracking tools - which system requires more effort?

For users that use strong passwords anyway, like ni{M?tofQPI.'C`dfmSK, adding / removing / replacing a number doesn't move the needle. For password and letmein it can make a difference.

Mars Robertson
  • 555
  • 4
  • 14