"Humans [...] have only a limited ability to memorize complex, arbitrary secrets, so they often choose passwords that can be easily guessed. To address the resultant security concerns, online services have introduced rules in an effort to increase the complexity of these memorized secrets. The most notable form of these is composition rules, which require the user to choose passwords constructed using a mix of character types, such as at least one digit, uppercase letter, and symbol. However, analyses of breached password databases reveal that the benefit of such rules is not nearly as significant as initially thought, although the impact on usability and memorability is severe." - NIST (SP 800-63B Appendix A)
Thanks to many security breaches, researchers (and criminals) have a pretty good picture of how humans create passwords. That is why the experts at NIST (their password guidelines are easy to read) and other authorities came to the conclusion that focusing on complexity (complexity meaning: does the password include uppercase letters, lowercase letters, numbers and symbols/special characters?) does not really increase security.
Why you might think password complexity is relevant:
Before we think about why password complexity is irrelevant, let's first think about why some people might think it is relevant. Let's look at the numbers (assuming 26 lowercase letters, 26 uppercase letters, 10 digits, 20 symbols and 8-character passwords):
Allowed characters | Calculation | Possible password combinations |
---|---|---|
Numbers only | 10⁸ | 100 000 000 |
Lowercase letters only | 26⁸ | ≈ 200 000 000 000 |
Numbers, uppercase and lowercase letters and symbols | (10+26+26+20)⁸=82⁸ | ≈ 2 000 000 000 000 000 |
We see that the number of possible passwords increases drastically if the allowed characters include uppercase letters, lowercase letters, numbers and symbols. That means criminals have to spend much longer guessing before they find a password. At least in theory. In practice we have a big problem: humans.
Human behaviour
Researchers and criminals have a good idea of how most humans behave. Before criminals go through all possible random combinations of characters, they try the most common human habits.
Common passwords
Humans tend to be really bad at choosing passwords. Many people choose similar passwords: "Password", 123456, qwerty (the top row of the keyboard), the name of their partner or dog, a birthday, favourite sports teams, celebrities, movies. Those are the criminals' first guesses.
What comes next?
Known passwords
It happens regularly that even major companies suffer breaches in which their users' passwords end up in the hands of criminals. Those lists are traded and then fed into password-guessing attacks against other services (credential stuffing). If you reuse a password across services, it will probably be among the criminals' first guesses, no matter how long and complex it looks.
Dictionary words
Criminals simply go through a dictionary and try every word. Users are often forced (or advised) to add special characters or numbers to their passwords. Judging by the table above this seems like a good idea, but as mentioned, that table does not factor in humans, and it is well known how humans tend to add numbers and symbols:
Add symbols and numbers
Humans often transform "password" into "Password1!" when forced to increase complexity. The numbers and special characters are usually appended to the end (about 90% of the time) or occasionally prepended (about 10%). Criminals know this and try these patterns before going through random combinations of letters, numbers and special characters, so a password built this way falls almost immediately. It does not really increase your security.
Common substitutions
There is popular advice to introduce special characters and numbers by replacing letters with similar-looking symbols and digits: @ instead of a, 3 for E, + for t, 1 or ! for i or l. Guess what? Tħ3 cr1m!n@!$ @l$0 ħ3@rd 0f +ħ!$ +r1ck, @nd @r3 n0+ f00!3d by !t.
“P@$$w0rd” is still a bad 8-character password despite its symbols and numbers. It is one of the first that criminals check.
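To show how few guesses the patterns above actually cost an attacker, here is an added example (not code from the original article): a small rule-based guess generator that applies the described mangling habits (capitalisation, look-alike substitutions, digits and symbols bolted onto either end) to a dictionary, the way the rule engines of password crackers do before any random brute force. The five-word dictionary, the affix lists and the substitution table are constructed for illustration.

```python
"""Rule-based guess generation from a dictionary word (added example)."""
from itertools import product

# Constructed five-word dictionary; real attacks use lists with millions of entries.
WORDLIST = ["password", "monkey", "dragon", "summer", "football"]

# Look-alike substitutions from the text (a->@, e->3, t->+, i/l->1 or !) plus the
# equally common o->0 and s->$ that turn "password" into "P@$$w0rd".
LEET = {"a": ["@"], "e": ["3"], "t": ["+"], "i": ["1", "!"], "l": ["1", "!"],
        "o": ["0"], "s": ["$"]}

# Digits and symbols people add when a policy demands them ("" means none).
DIGITS = ["", "1", "2", "3", "4", "5", "6", "7", "8", "9", "0", "12", "123", "1234"]
SYMBOLS = ["", "!", "?", ".", "#", "$"]
AFFIXES = [d + s for d in DIGITS for s in SYMBOLS]


def case_variants(word):
    """password, Password, PASSWORD: the three capitalisations almost everyone uses."""
    return [word.lower(), word.capitalize(), word.upper()]


def leet_variants(word):
    """Every combination of leaving a letter alone or replacing it with a look-alike."""
    options = [[ch] + LEET.get(ch.lower(), []) for ch in word]
    return ["".join(chars) for chars in product(*options)]


def affix_variants(base):
    """Append the digit/symbol affix (the common case) or prepend it (the rarer one)."""
    for affix in AFFIXES:
        yield base + affix
        if affix:
            yield affix + base


def candidates(word):
    """All guesses derived from one dictionary word, most likely first."""
    for cased in case_variants(word):
        for leeted in leet_variants(cased):
            yield from affix_variants(leeted)


def rank_of(target, wordlist=WORDLIST):
    """1-based position at which `target` would be tried, or None if never generated."""
    rank = 0
    for word in wordlist:
        for guess in candidates(word):
            rank += 1
            if guess == target:
                return rank
    return None


if __name__ == "__main__":
    total = sum(1 for word in WORDLIST for _ in candidates(word))
    print(f"{total} guesses derived from {len(WORDLIST)} dictionary words")
    # Compare with the ~2*10**15 random 8-character passwords over 82 symbols from
    # the first table: the "complex" variants fall within a few thousand guesses.
    for pw in ["Password1!", "P@$$w0rd", "F00+b@ll", "xq7$Lp2!"]:
        print(f"{pw!r:14} tried as guess number {rank_of(pw)}")
```

Each dictionary word expands to only a few thousand guesses (8 016 for "password"), and both "Password1!" and "P@$$w0rd" are among them, while a random 8-character string such as "xq7$Lp2!" is never generated by these rules at all.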
A combinatorial bonus argument against enforcing complexity
If you are not a user but an administrator or policy writer setting up a password policy for your service, you might get the wrong idea of focusing on password complexity instead of password strength (how hard the password actually is to brute-force). Why is it bad to force users to use numbers, uppercase, lowercase and special characters, apart from the human factor? Because by definition it reduces the number of possible passwords, even in theory.
Let's do the mathematics. Assuming there are 20 special characters that users regularly use, we get the following numbers of possible 4-character passwords:
Password assumptions | Calculation | Number of possible passwords |
---|---|---|
Allowing users to use only uppercase and lowercase letters | (26+26)⁴=52⁴ | 7 311 616 |
Forcing users to use at least one uppercase and one lowercase letter in a 4-character password consisting only of letters | 52⁴−2·26⁴ | 6 397 664 (in theory) |
Considering that most people, when forced to mix cases, will just start with an uppercase letter followed by lowercase letters only | 26·26³ | 456 976 (in reality) |
Allowing users to use numbers, uppercase, lowercase and special characters | (26+26+10+20)⁴=82⁴ | 45 212 176 |
Forcing users to use numbers, uppercase, lowercase and special characters (each class appears exactly once in 4 characters, in any of the 4! orders) | 26·26·10·20·4! | 3 244 800 (in theory) |
Considering that most people add the number and the special character at the end (in either order) and start with the uppercase letter | 26·26·10·20·2 | 270 400 (in reality) |
What do we observe? By forcing users to use all four character classes you rule out 93% of all possible 4-character passwords (99.4% if you consider human behaviour), making life for criminals much easier. Funny enough, by forcing users to use all four character types you allow only about half as many combinations as by forcing them to use at least one uppercase and one lowercase letter. This discrepancy gets much smaller for longer passwords (and the mathematics more complex), but restricting users to a subset of all possible (Unicode) passwords always reduces the number of passwords of a given length (making life easier for criminals) and encourages users to circumvent your restrictions with the patterns described above, giving a harmful impression of safety while in reality making life easier for criminals.
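The two tables can be reproduced, and extended to longer passwords, with a few lines of arithmetic. The following is an added example (not code from the original article) that generalises the "at least one of every class" count from 4 characters to any length with inclusion-exclusion; the class sizes (26 lowercase, 26 uppercase, 10 digits, 20 symbols) are the article's assumptions.

```python
"""Keyspace arithmetic behind the password tables (added example)."""
from itertools import combinations

LETTERS = {"lower": 26, "upper": 26}
ALL = {"lower": 26, "upper": 26, "digit": 10, "symbol": 20}


def keyspace(length, classes):
    """Strings of `length` over the union of `classes`, no rule enforced."""
    return sum(classes.values()) ** length


def all_classes_required(length, classes):
    """Strings of `length` that contain at least one character from every class.

    Inclusion-exclusion: start from all strings, subtract those missing one
    class, add back those missing two classes, subtract those missing three...
    """
    sizes = list(classes.values())
    total = 0
    for k in range(len(sizes) + 1):
        for missing in combinations(range(len(sizes)), k):
            remaining = sum(s for i, s in enumerate(sizes) if i not in missing)
            total += (-1) ** k * remaining ** length
    return total


def capital_first_rest_lower(length):
    """What people actually do when told to mix cases: one capital, then lowercase."""
    return 26 * 26 ** (length - 1)


def capital_first_digit_symbol_last(length):
    """Capital first, lowercase body, one digit and one symbol at the end (either order)."""
    return 26 * 26 ** (length - 3) * 10 * 20 * 2


def excluded_fraction(length, classes=ALL):
    """Share of the unrestricted keyspace that a 'use every class' rule throws away."""
    return 1 - all_classes_required(length, classes) / keyspace(length, classes)


if __name__ == "__main__":
    print(f"{'len':>3} {'no rule':>24} {'every class':>24} {'excluded':>9} {'typical habit':>18}")
    for n in (4, 8, 12, 16):
        print(f"{n:>3} {keyspace(n, ALL):>24,} {all_classes_required(n, ALL):>24,} "
              f"{excluded_fraction(n):>8.1%} {capital_first_digit_symbol_last(n):>18,}")
```

For 4 characters the functions return exactly the table values above (52⁴ = 7 311 616, 6 397 664 with mixed case enforced, 3 244 800 with all four classes enforced, 270 400 for the typical habit). Running the loop shows the excluded share shrinking as the length grows, which is the "much smaller for longer passwords" remark in numbers, while the habit-based count stays orders of magnitude below either theoretical figure.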
Just follow the advice of NIST: no complexity enforcement, but a minimum length and a check of new passwords against lists of commonly used and breached passwords (SP 800-63B, section 5.1.1.2). Enforce 2FA and promote the use of password managers if you want to increase the security of your users.
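What that looks like on the verifier side, as an added example (not code from the original article): a check that follows the NIST SP 800-63B advice summarised above (minimum length, no composition rules, screening against common and breached passwords and context-specific words such as the username) next to the classic composition-rule check it replaces. The blocklist, the length limits and the de-mangling map are constructed assumptions for illustration; a real deployment loads a list with millions of breached values.

```python
"""Composition-rule policy versus a NIST SP 800-63B style check (added example)."""
import re
import unicodedata

# Constructed stand-in for a list of breached/common passwords.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "dragon", "football"}

# The classic policy: at least one character from each of four classes.
COMPLEXITY_RULES = [re.compile(p) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")]

# Undo the look-alike substitutions described above (assumed mapping; 1 is read as l).
UNLEET = str.maketrans({"@": "a", "4": "a", "3": "e", "0": "o", "$": "s", "+": "t",
                        "!": "i", "1": "l"})


def passes_complexity_policy(pw, min_len=8):
    """8+ characters with lower, upper, digit and symbol. Happily accepts P@$$w0rd."""
    return len(pw) >= min_len and all(rule.search(pw) for rule in COMPLEXITY_RULES)


def demangled_core(pw):
    """Strip digits/symbols bolted onto either end, lowercase, undo leet substitutions."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)
    return core.lower().translate(UNLEET)


def nist_style_check(pw, username="", blocklist=BLOCKLIST, min_len=8, max_len=128):
    """Return (accepted, reason). Any Unicode is allowed and no composition rule applies."""
    pw = unicodedata.normalize("NFKC", pw)  # look-alike Unicode spellings compare equal
    if len(pw) < min_len:
        return False, f"shorter than {min_len} characters"
    if len(pw) > max_len:  # assumed upper bound so hashing cost stays predictable
        return False, f"longer than {max_len} characters"
    if pw.lower() in blocklist:
        return False, "on the list of common or breached passwords"
    if demangled_core(pw) in blocklist:
        return False, "a common password with predictable additions"
    if username and username.lower() in pw.lower():
        return False, "contains the username"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["P@$$w0rd", "Password1!", "Dragon2024#", "correct horse battery staple",
               "Ｐａｓｓｗｏｒｄ１２"]:
        print(f"{pw!r:32} complexity={passes_complexity_policy(pw)!s:5} "
              f"nist={nist_style_check(pw)}")
```

The composition check waves through "P@$$w0rd", "Password1!" and "Dragon2024#", all of which the mangling patterns above produce within a few thousand guesses, while rejecting a long passphrase; the blocklist check does the opposite. The de-mangling step is a cheap heuristic that catches the common additions; it is no substitute for a large, current breach list.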
Final thoughts
Our objective in general is not to create a secure, complex password but to secure our accounts. Also check out how you can secure your accounts without having to remember any complex passwords, how to create an easy-to-remember and secure password, and why promoting password complexity can be harmful to your audience.
The points above regarding complexity are well known and nicely summarised in a popular xkcd comic.