Password Complexity Rules

The Benefits and Drawbacks of Password Complexity Rules

In recent years, cybersecurity experts have called into question the usefulness of password complexity rules. Password complexity rules have existed in some form since the internet and email became mainstream. They have since become a common feature in password policies across industries all over the world. However, faced with the unique struggles of cybersecurity threats in the digital age, some experts argue that some elements of password complexity rules have outgrown their usefulness and that a modern problem requires a more modern solution.

Revered standards agency, National Institute of Standards and Technology (NIST), is now recommending against the use of special characters, citing that it encourages users to respond in very predictable ways to the requirements imposed by composition rule, so attackers are likely to guess passwords that have been successful in the past

Other organizations are also changing their stance on previously universal and long-established password complexity rules. With that in mind, we want to examine the benefits and drawbacks of password complexity rules and their usefulness today.

What Are Password Complexity Rules?

The purpose of password complexity rules is to increase the universe of possible passwords, assuming more possibilities would make it harder for a stranger to guess.

Typical password complexity rules are the following:

  • Character length: Security experts differ on what is the optimum password length, but an 8-character password is generally considered to be the bare minimum. Some experts argue that 10, 12, or 20 characters should be enforced. When it comes to password length, the longer the password, the better because it is more difficult and time consuming to crack a longer password. A lot of random password generators use 20 or more characters for this reason.
  • Special characters: Special characters are any characters that are not alphabetic or numeric but still commonly displayed on keyboards, such as !@#$%#&*. The idea behind enforcing special characters is that it prevents users from using a common word as their password, which would make them vulnerable to a simple dictionary attack.
  • Uppercase and lowercase letters: Using a mix of both upper and lowercase letters makes the password harder to crack by increasing the number of different letter combinations the attacker would have to try. For example, for an 8 character password all in lowercase, there would be 26^8 (the character set plus length) possible combinations of letters. A modern computer could crack this in a few days to minutes, depending on the computing power of the computer. According to Thycotic, for an 8 character password with a mixture of lower and uppercase letters, the number of possible combinations is now 52^8, which will take substantially longer for a computer to crack.
  • Numbers: Including numbers in passwords increases the complexity for the same reason using a mixture of upper and lowercase letters does; it increases the number of possible combinations.

The Benefits of Password Complexity Rules

In theory, the main benefit of password complexity rules is that they enforce the use of unique passwords that are harder to crack. The more requirements you enforce, the higher the number of possible combinations of letters, numbers, and characters. This increases the amount of work a computer will have to do to crack the password, thereby increasing the time it takes to crack a password. If it takes too long to crack, some attackers will abandon it and attempt to go after easier targets. This is the crux of password cracking.

When creating a password, the goal isn’t to create an uncrackable password, because such a thing doesn’t exist. With enough time and computing power, all passwords can be cracked. The goal should be to make a password that is difficult to crack so attackers won’t waste their time on that password.

The Drawbacks of Password Complexity Rules

Password complexity rules try to enforce this “difficult to crack” requirement, but they aren’t always successful. This is partly to do with the diminishing returns involved in increasing complexity

How much better is a 15 character password than a 30 character password if hackers know that longer password is frequently used? And is it better if the user can’t remember the password? Password complexity only scales up to a certain point. Beyond a certain point, a complex password can be difficult to crack if the number of possible combinations is extremely high, but it can also be too complex to be useful to users.

This isn’t just an issue with very long passwords, but with any increase in complexity requirements. Many organizations have found that as complexity requirements increase, users will have worse password hygiene. If you ask users to add numbers and special characters, they will likely alter their existing easy-to-remember password, and create a similar password with 1 or 2 extra characters.

  • For example:
  • My password is gocubuffalos
  • I would likely reuse this password and just add a few characters like: goCUbuffalos

Complexity requirements by themselves don’t assume any bias when it comes to which letters, numbers, and characters the user will pick. In reality, there’s a whole lot of bias. For example, in an analysis of over 3 million 8 character passwords, the letter “e” was used 1.5 million times, while the letter “f” was only used 250,000 times. The number “1” is also the most commonly used number in passwords. To illustrate this further, let’s go back to our example of the possible combinations of lowercase 8 digital passwords. We said there were 26^8 possible combinations here, and that’s true if the letters are arranged in any order. There are around 17,000 8-letter words in the English language, and only around 500 of these are in common use. This significantly reduces the number of possible 8-digit passwords.

However, people also often don’t choose randomly ordered letters for their passwords.

Leetspeak is common in passwords. Leetspeak is when standard letters are often replaced by numerals or special characters that resemble the letters in appearance or vice-versa. So the word leet, would possibly equal 1337.

  • For example:
  • My password is gocubuffalos
  • I would reuse this password and make some common character substitutes like: gocubuff4l0s

People also use very common patterns in passwords, like adding numbers and characters before a base word or after a base word. This is something we refer to as “root passwords.”

  • For example:
  • My password is gocubuffalos
  • I would reuse this password and just some characters before or afterwards: gocubuffalos1!

Complexity or No Complexity?

As complexity requirements have been added and accounts requiring passwords have increased over the years, we’ve found ourselves in a situation where passwords are hard for humans to remember but easy for modern computers to guess or estimate. This doesn’t necessarily mean that all password complexity rules should be removed, but that we need to reconsider what makes a password complex while also considering its usefulness. This is why the NIST password guidelines and many other organizations are removing the requirement for special characters in passwords.

Some organizations are instead recommending passphrases instead of passwords. Passphrases consist of several random common words that are easy for a human to remember but difficult for a computer to crack and estimate. For example, the passphrase “kiln harmony mockup outscore” would take centuries to crack with modern computers, according to our password cracking calculator. While this will help make a password more secure, even passphrases are not strong if they are exposed and reused across accounts.

While most security experts agree that password length requirements are critical for password security, there is a lot of debate around the other complexity requirements of special characters, upper and lower case letters and numbers. Whether you are in support of these password complexity rules or against it, it is clear that password complexity rules alone will not do enough to make passwords safe. NIST recommends that organizations should be considering implementing exposed passwords screening as part of their password policies to ensure that their users are not reusing passwords or passphrases that are compromised. This layered approach of password security is the best way to keep passwords safe, strong and unique.