Password policy – Length vs. Complexity

I feel passwords have gotten way out of hand. Every two bob web site seems to insist on draconian passwords with the latest trend being digits letters length and symbols as you indicate.

I believe the web miesters have totally lost the plot.
99.99999999% of web sites are not CIA or some other uber secret place.

Sure I understand identy fraud etc but there must be a better way than to have a million sit5es all with differing requirements and burdening the user?
ie why the 2 word anti spam filter below?

Security risk: A password written down on a post it is easy to crack (1 attempt typically).

Ideally, we should use different passwords of infinite length everywhere, but how can we remember those without typing them down (average Internet user have 30+ passwords to remember)?

Solution: lock in your users passwords and password algorithms well and make them slow, 1 second response time on a login attempt minimum, increase with further attempts (4 mil attempts per second is just stupid) account lock-down is to be recommended.

well if you try the brute force through ophcrack, it will take much lesser amount of time than this does.
and yes its true that more the number of letters in the password, the more time it will take to crack it. but still if u keep your password of good length..probably 10-12 characters with numbers, lowercase, uppercase, special symbold etc. its not easy to crack.
so am kind of 50-50 with what is written above. most of the times it depends upon which software you are using to crack the password. basically the hash plays the important role here.OPHCRACK calculates better hash.it takes much much lesser amt of time. i hvnt tried with the passwords given above. but yes am pretty sure it will crack it in minutes.

i’m just wondering does it matter what length a password is or is there a maxinim length?

Obviously length+complexity is better than length alone. But based on my personal experience when you forced user to used a long and complex password, the changes are they can’t remember it. System policy is one thing, user acceptance is another. More often than not if they can’t remember it they will write the password down. I have seen them do it, and know where their password is on physical medium. Furthermore long complex password will just tempt them to reuse the first few characters of the password. You can have the best system security but it’s useless if the users let you down.

One of my password idea is as follow;

If we memorize password character, it is very difficult to memorize a long characters for password.
However, if you memorize a password patern, you cannot memorize your password itself.
That is, I call my password system is “Password Patern memorize system”, instead of “Password memorize system”.

Fist of all, you create random character table, 10 by 10 for example. (Fig. 1, bellow)

Then you decide to memorize a password patern.
For example, 10 characters from 5 column at 2nd line in the ramdom table, your password is JjDX[6$bp}.
Or to memorize another password patern, L format, that is, 19 characters from 1st row and 10th line, that is, your password is #$Z(!Y`e"%cq]Kau0)>.
You can decide your password patern and start point in your password patern on your own.

And if you have 10 accounts, you create 10 random password tables and print them. Probably, If you have these random password table, noone does not crack your password when you memorize a good password patern, even though you show it to a password cracker.
If your password policy have 35 day password life time, you creat a new random password table and use it as a same password patern, which contains different password characters.

I creat a random table by Excel, because I do not get a same random table for a long time.
One of my friend print a random table and past it on his wrist watch, and I print some random tables and past them in my pocket diary.

Fig. 1: A sample random password table created 10 by 10
(You can change number of row and column.)
１ 2 3 4 5 6 7 8 9 0
1 # a o * I g A U \ 3
2 $ b p } J j D X [ 6
3 Z 8 | ; F d x R | _
4 ( f t . N h B V @ 4
5 ! 9 m + G i C W ‘ 5
6 Y 7 k { E c w Q – ?
7 ` e s

PS
My website is only Japanese.
If you can read Japanese, please read the following pdf file.
http://www.uchidak.com/papers/20060406_Uchidak.pdf

Simple password with account lockout sounds tempting. But, what does that do for someone running a reverse brute force?

When it comes to users’ imagination in choosing a password, length is probably preferred over complexity or length + complexity

…and if accounts lockout after, say, 5 tries. Doesn’t that pretty much make it safe to use simple password?

Yes, length is good, but length + complexity is better – but not by much. The main reason I wrote this post entry was to get people thinking and experimenting on finding the sweet spot for their password policy. Every password secured system is different and the password policy that governs how the passwords are created should be tweaked accordingly.
I believe that after you account for common mistakes in the creation of these policies, you should focus on password length – that’s the main variable that gives passwords their strength.

My next entry will discuss the intersection of password policies and common (associated) problems, such as account harvesting, lockout, and the rest. Once you start putting these pieces together, entire applications and their user bases can quickly crumble.

Nice blog. Harry Waldron, MS MVP, posted a link to this blog at our site, and a discussion has ensued. I myself have posted as well, but re-reading your blog makes me wonder – you say length trumps complexity, but would length + complexity still be better than just length alone?

You can check out the discussion at the following link:

http://www.dozleng.com/updates/index.php?showtopic=16191