In recent years, cybersecurity experts have called into question the usefulness of password complexity rules. Password complexity rules have existed in some form since the internet and email became mainstream. They have since become a common feature in password policies across industries all over the world. However, faced with the unique struggles of cybersecurity threats in the digital age, some experts argue that some elements of password complexity rules have outgrown their usefulness and that a modern problem requires a more modern solution.
Revered standards agency, National Institute of Standards and Technology (NIST), is now recommending against the use of special characters, citing that it encourages users to respond in very predictable ways to the requirements imposed by composition rule, so attackers are likely to guess passwords that have been successful in the past
Other organizations are also changing their stance on previously universal and long-established password complexity rules. With that in mind, we want to examine the benefits and drawbacks of password complexity rules and their usefulness today.
The purpose of password complexity rules is to increase the universe of possible passwords, assuming more possibilities would make it harder for a stranger to guess.
Typical password complexity rules are the following:
In theory, the main benefit of password complexity rules is that they enforce the use of unique passwords that are harder to crack. The more requirements you enforce, the higher the number of possible combinations of letters, numbers, and characters. This increases the amount of work a computer will have to do to crack the password, thereby increasing the time it takes to crack a password. If it takes too long to crack, some attackers will abandon it and attempt to go after easier targets. This is the crux of password cracking.
When creating a password, the goal isn’t to create an uncrackable password, because such a thing doesn’t exist. With enough time and computing power, all passwords can be cracked. The goal should be to make a password that is difficult to crack so attackers won’t waste their time on that password.
Password complexity rules try to enforce this “difficult to crack” requirement, but they aren’t always successful. This is partly to do with the diminishing returns involved in increasing complexity
How much better is a 15 character password than a 30 character password if hackers know that longer password is frequently used? And is it better if the user can’t remember the password? Password complexity only scales up to a certain point. Beyond a certain point, a complex password can be difficult to crack if the number of possible combinations is extremely high, but it can also be too complex to be useful to users.
This isn’t just an issue with very long passwords, but with any increase in complexity requirements. Many organizations have found that as complexity requirements increase, users will have worse password hygiene. If you ask users to add numbers and special characters, they will likely alter their existing easy-to-remember password, and create a similar password with 1 or 2 extra characters.
Complexity requirements by themselves don’t assume any bias when it comes to which letters, numbers, and characters the user will pick. In reality, there’s a whole lot of bias. For example, in an analysis of over 3 million 8 character passwords, the letter “e” was used 1.5 million times, while the letter “f” was only used 250,000 times. The number “1” is also the most commonly used number in passwords. To illustrate this further, let’s go back to our example of the possible combinations of lowercase 8 digital passwords. We said there were 26^8 possible combinations here, and that’s true if the letters are arranged in any order. There are around 17,000 8-letter words in the English language, and only around 500 of these are in common use. This significantly reduces the number of possible 8-digit passwords.
However, people also often don’t choose randomly ordered letters for their passwords.
Leetspeak is common in passwords. Leetspeak is when standard letters are often replaced by numerals or special characters that resemble the letters in appearance or vice-versa. So the word leet, would possibly equal 1337.
People also use very common patterns in passwords, like adding numbers and characters before a base word or after a base word. This is something we refer to as “root passwords.”
As complexity requirements have been added and accounts requiring passwords have increased over the years, we’ve found ourselves in a situation where passwords are hard for humans to remember but easy for modern computers to guess or estimate. This doesn’t necessarily mean that all password complexity rules should be removed, but that we need to reconsider what makes a password complex while also considering its usefulness. This is why the NIST password guidelines and many other organizations are removing the requirement for special characters in passwords.
Some organizations are instead recommending passphrases instead of passwords. Passphrases consist of several random common words that are easy for a human to remember but difficult for a computer to crack and estimate. For example, the passphrase “kiln harmony mockup outscore” would take centuries to crack with modern computers, according to our password cracking calculator. While this will help make a password more secure, even passphrases are not strong if they are exposed and reused across accounts.
While most security experts agree that password length requirements are critical for password security, there is a lot of debate around the other complexity requirements of special characters, upper and lower case letters and numbers. Whether you are in support of these password complexity rules or against it, it is clear that password complexity rules alone will not do enough to make passwords safe. NIST recommends that organizations should be considering implementing exposed passwords screening as part of their password policies to ensure that their users are not reusing passwords or passphrases that are compromised. This layered approach of password security is the best way to keep passwords safe, strong and unique.