NIST cannot quite get it right. It has gone from encouraging the use of special characters to discouraging composition rules altogether and relying on password length alone.
The strength issue is not about which ASCII or other characters the user must enter but about how much work an exhaustive, or brute-force, attack would need to find the password. Both length and a larger character set increase that work. Each adds bits: a uniformly random password of n symbols drawn from an alphabet of k symbols carries n times log2(k) bits, so every added character adds log2(k) bits, and every enlargement of the alphabet raises log2(k) for every character already there.
We first started to insist upon upper and lower case and special characters to get more bits into fixed-length passwords. While most of you are too young to remember it, for years passwords were limited to 8 characters, or one fetch, for performance reasons. Modern computers are fast enough that performance is no longer an issue, and modern database managers will accommodate passwords of any length (a password should be stored only as a salted hash in any case, and some hash functions, bcrypt among them, silently truncate their input at 72 bytes), but there may still be systems that limit the length of passwords. Unfortunately, we forgot why we were insisting upon complexity.
Before the Internet, most end users had fewer than a handful of passwords; many had only one. Today many users have tens, even hundreds, of passwords. (As I write this, I have 310.) As the number of passwords grew, so did bad practice. Users chose passwords that were easy to remember and to enter, and then reused those that passed these tests.
To resist this user behavior, many system managers introduced composition rules to encourage strong passwords and reject weak or reused ones. This solution has become the problem. Choosing passwords was already hard enough; choosing passwords that meet well-intended but otherwise arbitrary rules is often too much. Otherwise strong passwords, including those generated by a password manager, might not meet the rules. Forcing periodic changes added insult to injury.
Thus NIST now recommends length. While length adds strength, the longer the password, the harder it is to enter, particularly without error. Strength is measured in bits, not in characters, so allowing the entire character set still helps, and in some special cases, where length is restricted, complexity may still be required.
All this is by way of saying that choosing, remembering, and using strong passwords is not easy. Choosing, remembering, and entering more than a handful of them is not easy. It has become a job for a computer application. Password managers are somewhere between popular and necessary.
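To make the bits argument above concrete, here is a small Python calculation, added to this post and not part of the original, that puts length and character-set size on the same scale: bits of entropy for a uniformly random password, the length over a smaller alphabet needed to match a given policy, and the expected time of an exhaustive attack. The guess rate of 10^10 per second is an assumed figure for an offline attack against a fast hash, not a measurement; substitute your own.

```python
import math

# Character-class sizes for printable ASCII (assumed policy alphabets).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33   # 33 = printable punctuation incl. space
FULL = LOWER + UPPER + DIGITS + SYMBOLS          # 95 printable ASCII characters


def bits_for(length: int, alphabet: int) -> float:
    """Entropy in bits of a uniformly random password of `length` symbols
    drawn from an alphabet of `alphabet` symbols: length * log2(alphabet).
    Only holds for randomly generated passwords, e.g. from a password manager;
    human-chosen passwords carry far fewer bits than this upper bound."""
    if length <= 0 or alphabet < 2:
        raise ValueError("need length >= 1 and an alphabet of at least two symbols")
    return length * math.log2(alphabet)


def length_to_match(target_bits: float, alphabet: int) -> int:
    """Smallest length over `alphabet` that reaches at least `target_bits`."""
    if alphabet < 2:
        raise ValueError("alphabet must have at least two symbols")
    return math.ceil(target_bits / math.log2(alphabet))


def expected_guess_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time for an exhaustive attack to hit the password: on average
    half the keyspace must be searched. The default rate is an assumed figure
    for an offline attack on a fast, unsalted hash; it is not a measurement."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


if __name__ == "__main__":
    # Constructed comparison: the old 8-character "complex" policy against
    # lowercase-only passwords of increasing length.
    old_policy = bits_for(8, FULL)
    print(f"8 chars, full 95-symbol set : {old_policy:5.1f} bits, "
          f"~{expected_guess_seconds(old_policy) / 86400:.1f} days to exhaust")
    for n in (8, 12, 16, 20):
        b = bits_for(n, LOWER)
        print(f"{n:2d} lowercase letters        : {b:5.1f} bits")
    print("lowercase length matching the old policy:",
          length_to_match(old_policy, LOWER))
```

The point the numbers make: 8 characters from the full printable set give about 52.6 bits, and 12 lowercase letters already exceed that. Length beats complexity, but only if the extra characters are actually random; 16 lowercase letters spelling a dictionary word are not 75 bits.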
Courtney taught us that "nothing useful can be said about the security of a mechanism (including passwords) except in the context of a specific application and environment." Writing guidance that covers all applications and environments has always been what we call a "hard problem." Writing guidance that will stand up to changes over time is harder still.
A final word. Well-chosen and well-managed passwords are resistant to brute-force attacks. Those are not the attacks we are seeing. Rather, we are seeing social engineering, typically phishing, followed by fraudulent replay of the captured credential. Passwords, of whatever strength, are fundamentally vulnerable to replay. What we need is strong authentication: at least two kinds of evidence, at least one of which is resistant to replay. Said another way, all strong authentication is multi-factor, but not all multi-factor authentication is strong.
Prefer length to complexity, but allow the whole character set. (Encourage complexity if length is otherwise restricted.) Encourage your users to use a (cross-platform?) password manager. Offer them strong authentication options. Mandate strong authentication for employees. Consider, indeed prefer, passkeys (https://whmurray.blogspot.com/search?q=passkeys). Use biometrics for convenience in applications where replay is otherwise resisted. Prefer one-time passwords to mandatory periodic password changes.