Better password policy: Complex? or longer passwords?

What is the better password policy?

A longer password like NIST 800-53 says?


Key NIST password guidelines

  • Minimum length of 8 characters and maximum length of at least 64 characters if chosen by the user.
  • Allow usage of ASCII characters (including space) and Unicode characters.
  • Check prospective passwords against a list that contains values known to be commonly used, expected, or compromised. This includes passwords obtained from previous breach corpuses, dictionary words, repetitive or sequential characters (‘aaaaaa’, ‘1234abcd’, etc.) and context-specific words, such as the name of the service, the username, and derivatives thereof.
  • Limit consecutive failed authentication attempts on a single account to no more than 100.
  • Allow “paste” functionality while entering a password.
  • Provide a password strength meter.
  • No complexity requirements or password expiration period.
  • Enforce multi-factor authentication (MFA).
  • Store passwords in a form resistant to offline attacks.
  • Passwords shall be salted and hashed.

(Some of this information was taken from a Securden.com blog post.)

NIST 800-63B, Digital Identity Guidelines, dates from 2017, but there is an updated version of the document: NIST 800-63B with errata (2020). The following sections are from that document.

A.2 Length

Password length has been found to be a primary factor in characterizing password strength [Strength] [Composition]. Passwords that are too short yield to brute force attacks as well as to dictionary attacks using words and commonly chosen passwords.

The minimum password length that should be required depends to a large extent on the threat model being addressed. Online attacks where the attacker attempts to log in by guessing the password can be mitigated by limiting the rate of login attempts permitted. In order to prevent an attacker (or a persistent claimant with poor typing skills) from easily inflicting a denial-of-service attack on the subscriber by making many incorrect guesses, passwords need to be complex enough that rate limiting does not occur after a modest number of erroneous attempts, but does occur before there is a significant chance of a successful guess.

Offline attacks are sometimes possible when one or more hashed passwords is obtained by the attacker through a database breach. The ability of the attacker to determine one or more users’ passwords depends on the way in which the password is stored. Commonly, passwords are salted with a random value and hashed, preferably using a computationally expensive algorithm. Even with such measures, the current ability of attackers to compute many billions of hashes per second with no rate limiting requires passwords intended to resist such attacks to be orders of magnitude more complex than those that are expected to resist only online attacks.

Users should be encouraged to make their passwords as lengthy as they want, within reason. Since the size of a hashed password is independent of its length, there is no reason not to permit the use of lengthy passwords (or pass phrases) if the user wishes. Extremely long passwords (perhaps megabytes in length) could conceivably require excessive processing time to hash, so it is reasonable to have some limit.

A.3 Complexity

As noted above, composition rules are commonly used in an attempt to increase the difficulty of guessing user-chosen passwords. Research has shown, however, that users respond in very predictable ways to the requirements imposed by composition rules [Policies]. For example, a user that might have chosen “password” as their password would be relatively likely to choose “Password1” if required to include an uppercase letter and a number, or “Password1!” if a symbol is also required.

Users also express frustration when attempts to create complex passwords are rejected by online services. Many services reject passwords with spaces and various special characters. In some cases, the special characters that are not accepted might be an effort to avoid attacks like SQL injection that depend on those characters. But a properly hashed password would not be sent intact to a database in any case, so such precautions are unnecessary. Users should also be able to include space characters to allow the use of phrases. Spaces themselves, however, add little to the complexity of passwords and may introduce usability issues (e.g., the undetected use of two spaces rather than one), so it may be beneficial to remove repeated spaces in typed passwords prior to verification.

Users’ password choices are very predictable, so attackers are likely to guess passwords that have been successful in the past. These include dictionary words and passwords from previous breaches, such as the “Password1!” example above. For this reason, it is recommended that passwords chosen by users be compared against a “black list” of unacceptable passwords. This list should include passwords from previous breach corpuses, dictionary words, and specific words (such as the name of the service itself) that users are likely to choose. Since user choice of passwords will also be governed by a minimum length requirement, this dictionary need only include entries meeting that requirement.

Highly complex memorized secrets introduce a new potential vulnerability: they are less likely to be memorable, and it is more likely that they will be written down or stored electronically in an unsafe manner. While these practices are not necessarily vulnerable, statistically some methods of recording such secrets will be. This is an additional motivation not to require excessively long or complex memorized secrets.
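The rules quoted above (minimum and maximum length, spaces and Unicode allowed, a blocklist, context-specific words, repetitive or sequential strings, collapsing repeated spaces, and no composition rules) can be turned into a checker. The Python below is an added example written for this post, not code from NIST or from any vendor; the blocklist, username and service name are constructed values.

```python
import re
from typing import List

# Constructed blocklist for this example. A real deployment loads a breach
# corpus and a dictionary instead of a handful of literal strings.
BLOCKLIST = {"password", "password1", "password1!", "qwerty123", "letmein"}

def normalize(secret: str) -> str:
    """Collapse runs of spaces to one space before verification (SP 800-63B A.3)."""
    return re.sub(r" {2,}", " ", secret)

def _is_sequential(s: str) -> bool:
    """True for runs like '12345678' or 'hgfedcba' (every step is +1 or -1)."""
    diffs = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return len(s) >= 2 and diffs in ({1}, {-1})

def check_memorized_secret(secret: str, username: str, service: str) -> List[str]:
    """Return the reasons a candidate is rejected; an empty list means accepted.

    Encodes the NIST rules quoted above: 8 to 64 characters with spaces and
    Unicode allowed, a blocklist of breached/dictionary values, rejection of
    context-specific words (service name, username) and of repetitive or
    sequential strings, and deliberately NO composition rules.
    """
    s = normalize(secret)
    low = s.lower()
    reasons = []
    if len(s) < 8:
        reasons.append("shorter than 8 characters")
    if len(s) > 64:  # the user-chosen maximum must be at least 64
        reasons.append("longer than the 64-character limit")
    if low in BLOCKLIST:
        reasons.append("on the blocklist of common or breached passwords")
    for word in (username.lower(), service.lower()):
        # Substring match also catches simple derivatives such as 'alice2024'
        if word and word in low:
            reasons.append(f"contains context-specific word {word!r}")
    if len(set(low)) == 1:
        reasons.append("single repeated character")
    elif _is_sequential(low):
        reasons.append("sequential characters")
    return reasons

if __name__ == "__main__":
    for cand in ("Password1!", "correct  horse battery staple", "alice2024!!"):
        print(repr(cand), check_memorized_secret(cand, "alice", "ExampleShop") or "accepted")
```

Note that "correct horse battery staple" passes while "Password1!" fails, which is exactly the inversion of what a composition-rule policy would produce.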

Thus our question must be answered with relevant information: complex passwords seem like they would take longer to crack, but since computer speeds are always increasing, the actual length of the password (or rather its entropy) matters more than its complexity.

Another aspect is how people actually manage their passwords in practice. If one has to create a new password every 90 days and it has to be complex, what are the chances of remembering 4 new passwords every year? After 3 years one has had to memorize 12 new complex passwords (upper case, lower case, numbers, and special characters).

Instead, if one can put several words (which could have upper case/lower case) with a number
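To put numbers on the length-versus-complexity argument above, here is an added Python example (not from the original post or from NIST) that computes the search-space entropy of several policies and the time to exhaust each at an assumed offline rate of 10 billion guesses per second, in line with the "many billions of hashes per second" NIST describes. The figures assume uniformly random selection; a user-chosen "Password1!" has far less entropy than its character classes suggest.

```python
import math

# Assumed offline guessing rate for this example (constructed, order of
# magnitude of "many billions of hashes per second" in the NIST text).
OFFLINE_GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of `length` symbols chosen uniformly from `alphabet_size`.

    Length multiplies the bits; alphabet size only contributes log2(size) per
    symbol, which is why four extra lowercase letters beat adding symbols.
    """
    return length * math.log2(alphabet_size)

def years_to_exhaust(bits: float, rate: float = OFFLINE_GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate in a space of 2**bits at `rate` guesses/s."""
    return 2.0 ** bits / rate / SECONDS_PER_YEAR

def compare_policies():
    """Compare 'complex' (larger alphabet, same length) against 'longer'
    (small alphabet, more symbols) and word-based passphrase policies."""
    policies = {
        "8 chars, all 95 printable ASCII (complex)": keyspace_bits(95, 8),
        "12 chars, lowercase only": keyspace_bits(26, 12),
        "16 chars, lowercase only": keyspace_bits(26, 16),
        "4 words from a 2048-word list (xkcd)": keyspace_bits(2048, 4),
        "5 words from a 7776-word diceware list": keyspace_bits(7776, 5),
    }
    return {name: (round(bits, 1), years_to_exhaust(bits)) for name, bits in policies.items()}

if __name__ == "__main__":
    for name, (bits, years) in compare_policies().items():
        print(f"{name:45s} {bits:6.1f} bits  {years:14.6f} years to exhaust")
```

The 16-lowercase-letter password (about 75 bits) outranks the 8-character "complex" one (about 52.6 bits) by more than 20 bits, i.e. a factor of over a million in guesses, and the xkcd four-word passphrase's 44 bits falls quickly at offline rates, which is why NIST pairs length advice with salted, expensive hashing and rate limiting.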


I asked Gab AI: complex passwords or long passwords?

Long passwords are generally more secure than complex passwords. While complex passwords can be difficult to remember and type, a long password with a mix of characters, numbers, and symbols is more challenging for hackers to crack. This is because the longer the password, the more possible combinations there are, making it harder for brute-force attacks to succeed.


How about you.com AI? Ask “complex passwords or long passwords?”

When it comes to choosing between complex passwords and long passwords, it’s generally recommended to prioritize long passwords. While both complexity and length are important factors in creating a strong password, research has shown that longer passwords tend to be more secure than complex ones. Here’s why:

Length:

  • Longer passwords are harder to crack through brute force attacks, where an attacker systematically tries different combinations of characters to guess the password.
  • Increasing the length of a password exponentially increases the number of possible combinations, making it more difficult for attackers to guess or crack the password.

Complexity:

  • Complex passwords typically include a combination of uppercase and lowercase letters, numbers, and special characters.
  • While complexity adds an extra layer of security, it can also make passwords harder to remember and more prone to being forgotten or written down, which can introduce security risks.

So, the general recommendation is to choose a long password that is easy for you to remember but hard for others to guess. Consider using a passphrase, which is a series of unrelated words strung together, as it can make your password both long and memorable. For example, “correct horse battery staple” is a passphrase that is much stronger than a short, complex password. Additionally, it’s important to use unique passwords for each online account and to update them periodically. Using a password manager can help you generate and store strong, unique passwords for all your accounts securely.

How do long passwords improve security?

Long passwords improve security in several ways:

  1. Resistance to brute force attacks: Brute force attacks involve systematically trying different combinations of characters to guess a password. Longer passwords have a larger number of possible combinations, making them more resistant to these types of attacks.
  2. Increased password entropy: Password entropy refers to the measure of uncertainty or randomness in a password. Longer passwords, especially those that include a mix of characters, increase the entropy and make it more difficult for attackers to guess or crack the password. (This section is from infosecinstitute.com)
  3. Reduced vulnerability to dictionary attacks: Dictionary attacks involve using precomputed lists of common passwords or words to guess passwords. Longer passwords that are not based on common words or patterns are less susceptible to dictionary attacks.
  4. Protection against password guessing: Longer passwords make it more challenging for attackers to guess the password by trying common patterns, personal information, or commonly used passwords. (This section is from veruscorp.com)
  5. Mitigation of password reuse risks: Using longer passwords reduces the likelihood of reusing the same password across multiple accounts. Password reuse can be risky because if one account is compromised, the attacker can gain access to other accounts as well.

It’s important to note that while long passwords improve security, it’s still essential to follow other best practices, such as using unique passwords for each account, regularly updating passwords, and enabling two-factor authentication when available. Additionally, using a password manager can help generate and store long, complex passwords securely. (This section is from blog.1password.com)

Remember, creating a strong and secure password is an important step in protecting your online accounts and personal information.

It is interesting to note the answers by the AIs (basically fancy programs with specific instructions to find answers from a database or the Internet, as far as they know). I like to use AI programs that are a bit different from the mainstream (Google Bard, OpenAI, or Microsoft Copilot). I use Gab and you.com.
The above is from https://gab.ai/c. And a pictorial representation of a “simple password”?
Here is the complex password image representation:
I guess the image generator can’t understand the juxtaposition between complex and simple passwords that are longer.
I understand that you may be having difficulty truly understanding this as well. But the idea is to make it more difficult for new password cracking methods and to try to get people to remember long passwords (versus writing complex passwords down, which is a security issue).
Contact me to discuss this issue for you.
Here is the famous xkcd comic: