Your password must be at least 8 characters long, contain a mixture of uppercase and lowercase letters, and include at least one number or symbol

2 May 2020

Familiar with password forms like this?

Restrictive password rules are not just frustating and unhelpful for people trying to manage logins for a multitude of sites; they (officially) do not do much for security on your website.

I keep an eye on best practice for web security. And the top resource is undoubtedly OWASP (Open Web Application Security Project) Foundation. Last time I read throught their recommendations, I was interested to find the following:

The most significant change in this version is the adoption of the NIST 800-63-3 Digital Identity Guidelines, introducing modern, evidence based, and advanced authentication controls. Although we expect some pushback on aligning with an advanced authentication standard, we feel that it is essential for standards to be aligned, mainly when another well-regarded application security standard is evidence-based. (emphasis mine)

From (The OWASP Application Security Verification Standard 4.0 (March 2019, PDF)

And further on, in the section on “Password Security Requirements”, this is where they “expect some pushback”:

2.1.9 Verify that there are no password composition rules limiting the type of characters permitted. There should be no requirement for upper or lower case or numbers or special characters. (again, emphasis mine)

Now, I’d not come across the NIST 800-63-3 Digital Identity Guidelines so I went and looked them up. It’s a publication from the US Federal Government, and the source document for many OWASP current recommendations.  Here’s the relevant section:

Appendix A—Strength of Memorized Secrets

Despite widespread frustration with the use of passwords from both a usability and security standpoint, they remain a very widely used form of authentication [Persistence]. Humans, however, have only a limited ability to memorize complex, arbitrary secrets, so they often choose passwords that can be easily guessed. To address the resultant security concerns, online services have introduced rules in an effort to increase the complexity of these memorized secrets. The most notable form of these is composition rules, which require the user to choose passwords constructed using a mix of character types, such as at least one digit, uppercase letter, and symbol. However, analyses of breached password databases reveal that the benefit of such rules is not nearly as significant as initially thought [Policies], although the impact on usability and memorability is severe.

Complexity of user-chosen passwords has often been characterized using the information theory concept of entropy [Shannon]. While entropy can be readily calculated for data having deterministic distribution functions, estimating the entropy for user-chosen passwords is difficult and past efforts to do so have not been particularly accurate. For this reason, a different and somewhat simpler approach, based primarily on password length, is presented herein. Many attacks associated with the use of passwords are not affected by password complexity and length. Keystroke logging, phishing, and social engineering attacks are equally effective on lengthy, complex passwords as simple ones.

NIST 800-63-3 Digital Identity Guidelines from the US Department of Commerce (PDF)

So there we have it. Time to stop forcing people to select passwords with letters AND numbers AND symbols.