Password Complexity: You’re Doing It Wrong!

Just like the physical keys to your car or house, passwords add a bit of inconvenience in exchange for security. However, if you’ve ever been frustrated by password rules (complexity, special characters and numbers, etc.), you might be happy about the latest news.

Crypto researchers have always known that longer, more complex passwords are mathematically more difficult to guess. To illustrate the value of complexity, consider a password that is only one character long. (This is a thought experiment. Consider it while reading, but PLEASE DON’T DO IT.)

If the possible characters are limited to only lowercase letters, then there are 26 possible solutions. If we add uppercase letters, there are now 52 possible solutions. If we then add numbers and special characters (except spaces), the number of possible characters goes up to 94, which makes the password more difficult to guess but still possible to crack in a short time. If you add more character positions, however, the number of combinations goes up extremely quickly.

If “C” is the number of characters in a password, and “X” is the number of possible characters in each position, then the number of possibilities (“n”) is given by the formula n = X^C (X raised to the power C). OK, that’s enough math for today, but you see the point.

As you know, passwords with greater complexity are more difficult to guess and are considered a stronger form of security. That’s simple math. Therefore, security experts have always recommended those password rules you’ve probably come to despise: add in upper- and lowercase letters, numbers, and special characters. Oh, and make it at least eight characters long for good measure.

Now, however, new research has come to light indicating that isn’t the whole story. The math neglects human behavior. As it turns out, humans are highly predictable in picking upper- and lowercase letters, numbers, and special characters. Many people use simple substitutions, such as the number one for the letter “I” or the number zero for the letter “O.” Then, they might substitute the dollar sign, “$,” for the letter “S.”

They also tend to use upper- and lowercase letters in predictable ways. (What? Did you think you were the only one who did that?) In fact, humans are so predictable that guessing passwords is not nearly as difficult as most people think. Even worse, as password complexity increases, people are much more likely to use the same password for multiple sites and applications because they are more difficult to remember. (Wait…you do that too, don’t you?)

As a result, the latest research in this area has pointed in a different direction. Rather than focus on the complexity of the character set, it’s often easier to simply add length to a password. After all, longer passwords are also more secure.
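The keyspace formula above and the predictable-substitution argument, worked through in code. This is an added example, not code from the original article: it computes n = X^C and its size in bits for the article's three character sets, finds how long an all-lowercase password must be to match an 8-character password drawn from all 94 symbols, and shows how little the substitutions the article names (1 for I, 0 for O, $ for S) add once a guesser expects them. The sample passwords are constructed for illustration.

```python
import math

# Character-set sizes from the article's thought experiment:
# lowercase only, upper+lower, and all printable ASCII except space.
CHARSET_SIZES = {"lowercase": 26, "mixed_case": 52, "full": 94}

# The three substitutions the article names (1 for I, 0 for O, $ for S).
PREDICTABLE_SUBSTITUTIONS = {"1": "i", "0": "o", "$": "s"}


def keyspace(length: int, charset_size: int) -> int:
    """Number of possible passwords: n = X^C, with X symbols per position
    and C positions (the article's X and C)."""
    return charset_size ** length


def entropy_bits(length: int, charset_size: int) -> float:
    """Keyspace expressed in bits: log2(X^C) = C * log2(X)."""
    return length * math.log2(charset_size)


def lowercase_length_to_match(length: int, charset_size: int) -> int:
    """Shortest all-lowercase password whose keyspace is at least that of a
    `length`-character password drawn from `charset_size` symbols."""
    target = keyspace(length, charset_size)
    n = 1
    while keyspace(n, CHARSET_SIZES["lowercase"]) < target:
        n += 1
    return n


def normalize_substitutions(password: str) -> str:
    """Undo the predictable substitutions and case choices, leaving the base
    word that a guesser who expects those habits would try first."""
    return "".join(PREDICTABLE_SUBSTITUTIONS.get(c, c) for c in password).lower()


def compare(password: str) -> dict:
    """Nominal strength (every position drawn from all 94 symbols) versus the
    strength left once the substitutions are assumed known: if the base word
    is plain letters, only the 26-letter alphabet remains to be guessed."""
    base = normalize_substitutions(password)
    plain_word = base.isascii() and base.isalpha()
    size = CHARSET_SIZES["lowercase"] if plain_word else CHARSET_SIZES["full"]
    return {
        "nominal_bits": round(entropy_bits(len(password), CHARSET_SIZES["full"]), 1),
        "effective_bits": round(entropy_bits(len(base), size), 1),
    }


if __name__ == "__main__":
    print(compare("Pa$$w0rd"))                    # complex-looking, 8 characters
    print(compare("correcthorsebatterystaple"))   # plain lowercase, 25 characters
    print(lowercase_length_to_match(8, CHARSET_SIZES["full"]))
```

A 12-character lowercase password already has a larger keyspace than an 8-character password using all 94 symbols, and the 8-character "complex" sample drops to roughly 38 bits once its substitutions are discounted, while the 25-letter lowercase phrase keeps about 118.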

Although there are quiet directives or unspoken rules of password protection, sometimes large-scale approaches are necessary. For example, the National Institute of Standards and Technology (NIST) has been tasked with promoting cybersecurity for the U.S. government, but many of its recommendations and standards are applicable to everyone. In the draft of its latest standard on Digital Identity Guidelines, NIST added Appendix A to discuss this very topic.

You can find the document here.

NIST now recommends that password length be the primary indicator of strength rather than the complexity of the character set. As such, it’s a good idea to use passphrases and other ways to add characters to a password. The good news for humans is that although more keystrokes are required, such passwords are easier to remember.

Moving forward, expect your system administrators to begin to require longer, but possibly less complex, passwords. In the end, we’re all responsible for the security and safety of our institutions’ networks. Let’s be safe out there.