8 reasons for dumping password policies
Any one of them should be good enough; just pick your favorite! I invite you to share your experience in the comments and to add any reasons I have missed.
1. As argued in Your future passwords - breached already?, policies weaken the password generation process. As long as generation is not random, the space of possible passwords shrinks, and it becomes all the easier for any decent password cracker to infer the patterns users follow and try those first.
2. Policies do not protect against weak passwords, only against careless users. Even with the most inventive password policy, as long as there is ‘a’ policy, users will devise a scheme to produce deterministic (i.e. weak) passwords that satisfy it.
3. As I tried to demonstrate in What's a good password in 2018, policies have little impact on password entropy. The key factor for good password entropy is not the kind of characters but their number: length matters far more than character classes.
4. Password policies are not backed by a strategy. The choice of a given password policy should be aligned with a clear and formal risk-reduction strategy. But the truth is, there are neither tools nor a methodology to establish a link between a risk-reduction strategy and a given password policy implementation.
5. The effect of policies on password protection is not measurable. Even when sysadmins do have a plan in mind, they still don't know by how much the probability of a password being broken decreases (or increases…) when they choose one parameter rather than another.
6. Policies are inconsistent across systems. Even if a user's password in application 1 cannot be broken, the policy of application 2 may be such that the same user's password there is easy to guess, and since users derive their passwords from a common scheme, the scheme recovered from application 2 makes both passwords easy to guess.
7. Policies generate stress. People under stress make mistakes and will generally take the shortest path back to their comfort zone, or simply to stay efficient. That means picking a very deterministic password.
8. Policies impair competitiveness. If vendors A and B offer the same business solution and the same legal protection against cybercrime, and B makes my life easier, busy people will opt for B.
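To put numbers on reasons 1 to 3, here is a small calculator, added for this article and not part of the original post or of any tool it names. It expresses every scenario as bits of search space: what an "8 characters, four classes" rule promises on paper, what an attacker actually has to cover once users settle on the usual Capital + letters + digits + symbol shape (written as a hashcat-style mask, using hashcat's real built-in charset sizes), and what that shape is worth when the letters are a dictionary word. The 10 000-word wordlist, the two-digit number and the "one of ten favourite symbols" are assumptions chosen to illustrate the point, not measurements from the article.

```python
import math

# Sizes of the hashcat built-in mask charsets: ?l lower, ?u upper, ?d digit,
# ?s the 33 printable ASCII symbols (space included), ?a all 95 printables.
CHARSET_SIZE = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}


def nominal_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def mask_bits(mask: str) -> float:
    """Bits of keyspace a hashcat-style mask attack has to cover.

    '?l', '?u', '?d', '?s', '?a' are charset positions; any other character is a
    literal with a single possibility (log2(1) == 0).  An exhaustive run of the
    mask costs 2 ** mask_bits(mask) candidates.
    """
    bits = 0.0
    i = 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask) and mask[i + 1] in CHARSET_SIZE:
            bits += math.log2(CHARSET_SIZE[mask[i + 1]])
            i += 2
        else:
            i += 1  # literal character: one choice, contributes no bits
    return bits


def scheme_bits(*choice_counts: int) -> float:
    """Bits of a password assembled from independent choices, e.g. a word out of
    a 10 000-entry wordlist, two digits (100 options) and one of ten symbols."""
    return sum(math.log2(n) for n in choice_counts)


def compare() -> list:
    """The scenarios the post argues about, as (description, bits) pairs."""
    return [
        # what an 8-character, four-class policy promises on paper
        ("8 random printable ASCII characters", nominal_bits(8, 95)),
        # the shape users actually produce to satisfy that policy
        ("8 characters, Capital + 4 lower + 2 digits + symbol (mask)",
         mask_bits("?u?l?l?l?l?d?d?s")),
        # the same shape when the letters are a dictionary word (assumed 10 000
        # words), the digits a 2-digit number and the symbol one of 10 favourites
        ("Capitalised wordlist word + 2 digits + 1 of 10 symbols",
         scheme_bits(10_000, 100, 10)),
        # no composition rule at all, just longer
        ("12 random lowercase letters", nominal_bits(12, 26)),
        ("16 random lowercase letters", nominal_bits(16, 26)),
    ]


if __name__ == "__main__":
    for description, bits in compare():
        print(f"{bits:6.1f} bits  {description}")
```

Run it and the ordering tells the story: the four-class rule advertises about 52.6 bits, the shape people actually type to satisfy it is about 35 bits, and the dictionary-word variant of that shape is around 23 bits, a space a single GPU exhausts in seconds for any fast hash. Twelve random lowercase letters, which no composition rule would accept as "strong", already beat the 52.6-bit figure, and sixteen reach 75 bits.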
So what should I do after I drop the policy?
- carry on your relentless endeavor to eliminate passwords altogether! See if you can add a second factor (keep in mind that you will have to manage the lifecycle of second factors, the support issues, the integration of this factor into your authentication chains, ...);
- chase careless users: implement detective and preventive controls, devise good deterrents, gamify it all!
- seduce your smart users: now that policies are out of their way, smart users will be more inclined to use random passwords, because such passwords will be accepted by your systems without complaint. But for that, you need to give them the proper tools (a password vault, mazemint, ...)!
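One preventive control that fits both of the last two points is an acceptance check that contains no composition rule at all: it rejects passwords derived from a breach corpus and passwords built with the deterministic schemes careless users fall back on, and it accepts anything else that is long enough, whatever character classes it uses, so a random string or a passphrase from a vault goes through without complaint. The code below is an added example written for this article, not code from the post or from any product it mentions. The breach set is a constructed stand-in (a real deployment loads a leaked-password list of millions of entries, as NIST SP 800-63B recommends), the scheme regexes are a hypothetical starting list to extend from your own cracking results, and the 12-character floor is an assumption.

```python
import re

# Constructed stand-in for a breach corpus; a real deployment loads a full
# leaked-password list.  The entries are an assumption for this example.
BREACHED = {
    "password", "password1", "p@ssw0rd", "qwerty123", "welcome1",
    "summer2018", "letmein",
}

# Deterministic shapes that satisfy the usual "upper + lower + digit + symbol"
# rules and that crackers try first.  Hypothetical list; extend it from what
# your own cracking runs recover.
SCHEMES = [
    ("capitalised word + digits + optional symbol",
     re.compile(r"^[A-Z][a-z]{2,}\d{1,4}[!@#$%^&*?.]?$")),
    ("word + year + optional symbol",
     re.compile(r"^[A-Za-z]{3,}(19|20)\d{2}[!@#$%^&*?.]?$")),
    ("keyboard walk",
     re.compile(r"(qwert|asdf|zxcv|12345|09876)", re.IGNORECASE)),
    ("same character four or more times in a row",
     re.compile(r"(.)\1{3,}")),
]

MIN_LENGTH = 12  # assumption: the only numeric parameter that is kept


def base_forms(password: str) -> set:
    """Variants a careless user derives a 'compliant' password from: the
    lower-cased password, then with trailing symbols stripped, then with
    trailing digits and symbols stripped ('Summer2018!' -> 'summer2018',
    'summer').  Any of them being breached means the password is breached."""
    low = password.lower()
    no_symbols = re.sub(r"[^a-z0-9]+$", "", low)
    no_suffix = re.sub(r"[^a-z]+$", "", low)
    return {low, no_symbols, no_suffix}


def check_password(password: str, breached=BREACHED, min_length=MIN_LENGTH):
    """Return (accepted, reason).  No composition rule is applied: a long random
    string of any character class passes; a breached, scheme-built or short one
    does not."""
    if breached & base_forms(password):
        return False, "derived from a breached password"
    for name, pattern in SCHEMES:
        if pattern.search(password):
            return False, f"matches a predictable scheme ({name})"
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ["Password1!", "Monkey1999!", "qwerty123456",
                      "correct horse battery staple", "xk7v29pqlmd4wz"]:
        print(f"{candidate!r:32} -> {check_password(candidate)}")
```

Note what is rejected and why: "Password1!" and "Monkey1999!" would satisfy every classic four-class policy, yet the first is a breached password with a suffix and the second is a shape any mask or rule-based attack covers early. The passphrase and the random lowercase string, which many policies would refuse for lacking an uppercase letter, a digit or a symbol, are accepted.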
Check out my previous article on demystifying PaaS security.
Senior Cloud security architect at Société Générale
3 years ago: #freepassword
DO NOT SEND ME F**CKING INVITES IF WE HAVE NOT WORKED TOGETHER! mail:<[email protected]> only. I wish I could write it larger!
6 years ago: And the most important thing is *not* to force users to change them too often. I prefer everyone using the same 12-character-long password for one year to everyone using a very deterministic 8-character one changed every 3 months, simply for lack of creativity or of the ability to memorize it.