
If there is a web application that holds important data, how important is it to use a complex/long/secure passphrase?

When I use, for example, something like "applefreezer" as the password for my admin account in a forum, one would say that it's not very secure. No special characters, not long enough, predictable words and combinations. And of course, I would never use this with an important encrypted piece of hardware.

But if I know that a web application is programmed to prevent brute force attacks and even password lists, why should I need a passphrase that withstands these kinds of attacks?

One reason might be that someone could crack the password when he/she hacks data from my database. But honestly, if someone hacks the server, the password is senseless anyway. Of course, it's important then that it's not reused in other applications.

TL;DR do I need complex passwords for applications that prevent bruteforce/list attacks?

2 Answers


Assuming that you have every popular brute-force prevention technique in place, you are still a web service that serves users. So, you must allow some leeway in login procedures. Now, login brute force attacks are most likely to be targeted at high-value targets, so an attacker would probably be committed to compromising your account.

Assuming an attacker can try 10 passwords every hour (probably stricter than any regular web service), it is still possible to try 7200 passwords per month from a single attacking endpoint. Now consider a dedicated attacker with more than one computer attempting to log in to your account.

This makes passwords such as applefreezer that would be close to the top of password lists, somewhat vulnerable. Depending on the value one would assign to his/her account on that specific web service, that may be tolerable or not.

So there are reasons why strong passwords should be used anywhere, no matter the other defenses. But if you are not a high value target then yes, brute force mitigating techniques are a pretty solid defense, even with a weak password.

TL;DR: You are right, brute force mitigations are enough to allow you to use a weak password. But since brute force is usually targeted at high value targets, an attacker will be patient enough to try long enough and break weak passwords.

MiaoHatola
    To add to this answer; if an attacker had multiple, 10's or 100's of botnets, they all get their 10 passwords an hour too. – Mattcul Feb 22 '17 at 22:45
  • @Mattcul Great point! This may even increase the pace by using multiple IPs, so it avoids IP based mitigations. – MiaoHatola Feb 23 '17 at 05:47
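A worked illustration of the throttling arithmetic in this answer and the comment thread (an added example, not the answerer's code): a sliding-window login throttle keyed per source IP, per target account, or both, run against a constructed attacker that spreads guesses over several addresses. It assumes the answer's figure of 10 guesses per hour; the addresses are constructed from the 198.51.100.0/24 documentation range.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 3600    # one-hour window, as assumed in the answer
LIMIT_PER_WINDOW = 10    # 10 guesses per hour per key


class LoginThrottle:
    """Sliding-window throttle; keys on source IP and optionally on the account."""

    def __init__(self, per_account=True):
        self.per_account = per_account
        self.by_ip = defaultdict(deque)
        self.by_account = defaultdict(deque)

    @staticmethod
    def _prune(bucket, now):
        # Forget attempts that have aged out of the window.
        while bucket and now - bucket[0] >= WINDOW_SECONDS:
            bucket.popleft()

    def attempt(self, ip, account, now):
        """Return True if this guess may reach the password check at all."""
        buckets = [self.by_ip[ip]]
        if self.per_account:
            buckets.append(self.by_account[account])
        for bucket in buckets:
            self._prune(bucket, now)
        if any(len(b) >= LIMIT_PER_WINDOW for b in buckets):
            return False  # rejected before the password is even compared
        for bucket in buckets:
            bucket.append(now)
        return True


def guesses_per_hour(throttle, n_ips, account="admin"):
    """Constructed attacker: n_ips hosts take turns guessing one account for an hour."""
    allowed = 0
    for second in range(WINDOW_SECONDS):
        ip = f"198.51.100.{second % n_ips}"  # constructed documentation-range address
        if throttle.attempt(ip, account, now=second):
            allowed += 1
    return allowed


def monthly_budget(per_hour=LIMIT_PER_WINDOW, hours=24 * 30):
    """The answer's arithmetic: 10 guesses/hour is still 7200 guesses per 30-day month."""
    return per_hour * hours
```

With per-IP throttling only, 50 source addresses get 50 times the budget against one account; keying the limit on the account as well caps the attacker at the same 10 guesses per hour regardless of how many addresses they use.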

I guess the biggest danger of using applefreezer as a password would be that in the event of a breach, an attacker would learn something about the kind of throwaway passwords you use. So while he might not get lucky with applefreezer on another site, he might use it as a hint when constructing his next attack. That's assuming he's targeting you specifically.

Out of Band