Password Complexity - Should it be enforced or not?
I've been wrestling with the idea of whether enforced password complexity is a good thing or not for the past while and wanted to share my thoughts and hopefully get some input from the security community.
tldr: I think it actually doesn't really matter all that much, but it's been fun going down the rabbit hole! It's critical that we re-evaluate these kinds of "accepted truths" regularly, as what was the right thing last year (or >20 years ago in this case) may not still be the best option. Refreshing our own understanding and really digging into the "why" and "is it still valid", especially when it's related to cyber-security policies and risk mitigation, is absolutely vital to staying relevant and ensuring we support our businesses the best we can.
I encourage anyone in our organisation who thinks a policy or rule is dumb, outdated or is slowing the business down to contact me and ask why we have this rule or policy in place. If I don't have a good answer for them, I will go and research and find out the original reason it was established and whether it's still valid. If I or the team still can't give a good reason or explain how this effectively mitigates a real risk, we will investigate updating or changing the policy. Sometimes the reason is compliance related and there isn't much we can do, but often it's just because it's "the way it's always been done", which is an innovation and productivity killer. I always try to fix these if possible.
Ultimately there are other far more important factors in securing our user and customer accounts than choosing to enforce password complexity or not, so I don't actually think it matters all that much anyway, but please read on in case it helps you at all.
Reducing the Security Burden
Reducing the security related burden we place on our employees and users of our services is something I'm very passionate about. The fact that an entire organisation and huge amounts of valuable data can be compromised due to a receptionist clicking on a malicious link in an email is our failure as an industry and we need to do better. We also expect our parents and grand-parents to be cyber-experts and be able to spot phishing links and other social engineering attacks just to hang onto their hard-earned retirement savings. This is a sad state of affairs, and we need to do better as a cyber-security industry and as providers of services to customers to ensure we go the extra mile to help them be safer when using our platforms.
This means we need to think both harder and smarter and possibly invest more in cyber-resiliency to ensure neither the companies we work to protect nor the customers who trust us with their data, finances etc. can be significantly harmed by a person clicking a link or being conned by some other social engineering technique.
Password Policy
Until passkeys and other password-less technologies are broadly available and used by the majority of sites and services, we're stuck with passwords. What constitutes a good password, and how to encourage people to choose and use good passwords, is what this discussion is mostly about.
Password Changes
Earlier in my career, I never understood the rationale to force regular password changes but everyone seemed set on it being the best way so I figured I must be missing something. Only after NIST changed their recommended guidance on forced password changes that had been the established "best practice" since the 70s did I realise how important it is to question the status quo and what "best practice" really is. Just because a standard with a thousand tick-boxes says it should be so or the auditors raise it as a finding does not mean it is actually the best or most secure practice.
The only benefit to forcing regular changes is that it does limit the usefulness of credential stashes available online to a shorter period of time. Everything needs to be weighed up, and in my view, driving a better user behaviour to choose better passwords is worth more than limiting the lifetime of online credential dumps.
Passwords alone are effectively useless
Obviously, using passwords alone, irrespective of your password policy is asking for trouble. Forcing changes every 90 days, 6 months, or never results in the same thing when a user gets phished or gives their credentials away.
Any security professional (and fortunately now most people who live, work and raise a family while connected to the internet) knows that MFA is non-negotiable. We are assuming MFA is in place for this discussion.
Password Complexity
I have always seen enforcing password complexity as a good thing. Why would making people use additional characters in their passwords not help security? It is another burden we add to our users, but I think everyone knows and accepts that a complex password is better than a simple one with all lowercase characters. I do wish that what constitutes a complex password was more standardised. Microsoft's definition of password complexity is different from SAP, Linux (which doesn't like certain special characters), some cloud services etc. This does make it hard for people.
NIST changed their guidance on complexity (SP 800-63B, the Digital Identity Guidelines) and now recommend against enforcing composition rules at all. I've seen many articles over the past few years with long mathematical proofs with numbers all in X^Y notation explaining it, but I'm not really a numbers guy and numbers expressed as powers don't really mean much to me. It could be grains of sand on a beach or stars in the sky or whatever. These numbers are too big to comprehend for non-numbers people.
I put my own little Excel calculation together to help visualise and understand the actual impact on the number of possible options a normal low-tech brute force attack would need to run though with complexity not enforced, and then with complexity enforced and the results are quite astounding.
Assuming there are 26 lowercase, 26 UPPERCASE, 30 special characters (%&$@ etc.) and 10 numbers on the keyboard, means that each possible character in a password could be any one of 92 possibilities (assuming you're a normal person and not using any non-keyed ASCII characters).
I've done my calculations on a 10 character password just to keep the numbers semi-reasonable and able to be read. The principle applies to any length password though. Obviously ensure your passwords are longer than 10 characters. This is just for illustration!
92^10 (92x92x92.... 10 times) means that there are 43 438 845 422 363 213 824 possibilities to try (Excel rounds this to 15 significant digits and shows 43 438 845 422 363 200 000), assuming an attacker starts at "aaaaaaaaaa" and goes all the way through to "ZZZZZZZZZZ" including all other characters. We know this is not how brute-force attacks are actually done and there is a lot more science involved, but this is the worst-case scenario and keeps it simple for now.
What is interesting is what happens as soon as we ENFORCE complexity and require a CAPITAL, a number and a special character. My first Excel attempt simply pinned three of the ten slots: one became a 26, one a 10 and one a 30, the other 7 stayed at 92, and the total appeared to drop by a whopping 99% to 435 120 348 964 454 400. That figure is wrong, and the reason why is worth understanding.
The three "complex" characters can sit in any of the 10 slots, and the attacker does not know which, so pinning them to fixed positions massively undercounts what they actually have to try. The correct way to count is the inclusion-exclusion principle from combinatorics: start with all 92^10 strings, subtract those that break a rule (no capital: 66^10, no number: 82^10, no special character: 62^10), add back the ones that have now been subtracted twice (no capital and no number: 56^10, no capital and no special: 36^10, no number and no special: 52^10), and finally subtract the ones removed three times (all lowercase: 26^10). That gives 27 737 781 628 377 600 000, or about 27.7 Million Trillion. So requiring those three classes in a 10 character password removes roughly 36% of the possibilities, not 99%. It is still a real reduction, because an attacker can skip every candidate that breaks a rule, but it works out to less than one bit of entropy, not two orders of magnitude.
Entropy and Human Behaviour
While I don't claim to be a combinatorics expert, I do understand entropy and how hard it is to get anything that is truly entropic in computer science, and even less likely from a human. (Entropy is a measurement of how random or chaotic something is.) Using our 10 character password example above, the 43 Kajillion possibilities we had with no complexity assumes that every character in the password has an equal chance of being any of the 92 possible options. There can be no pattern or increased likelihood that any particular character would have a higher chance of being in a particular position than any other character.
We know this is not the case. Here are some common behaviours that are also used by brute-force attack systems to reduce the number of possibilities needed to be attempted. How many of the passwords you use fall into these behavioural norms?
These common patterns (apart from the first one) are due to enforced complexity. The English language one is because people need to remember them and remembering a good high-entropy password like "p-_`G,q9h\" is pretty hard. Most organisations should require much longer passwords than 10 characters making remembering a truly random password virtually impossible.
The point of this section is that the attackers know all these statistics and the tools they use take these and many other factors into account when doing brute-force attacks on password hashes. The total number of attempts needed is far, far lower than this total number of possibilities.
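To check the arithmetic in the complexity section above, and to put a number on the point made here about how much smaller the attacker's real search space is once human patterns are taken into account, here is an added Python example. It is not part of the original article or the author's spreadsheet. The character class sizes (26/26/10/30) are the article's; the "word plus digits plus special" pattern and the 100 000 word dictionary size used in pattern_space are illustrative assumptions of mine, not figures from the article.

```python
from itertools import combinations, product
from math import log2

# Character classes as the article assumes them: 26 + 26 + 10 + 30 = 92 keyboard characters.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "special": 30}


def keyspace(length, required=(), classes=CLASSES):
    """Number of strings of `length` characters over the alphabet that contain
    at least one character from every class in `required`.
    Inclusion-exclusion: sum over every subset of rules that is *broken*,
    with the sign alternating by the size of that subset."""
    n = sum(classes.values())
    total = 0
    for k in range(len(required) + 1):
        for broken in combinations(required, k):
            remaining = n - sum(classes[c] for c in broken)
            total += (-1) ** k * remaining ** length
    return total


def naive_fixed_slots(length, required=(), classes=CLASSES):
    """The spreadsheet shortcut: pin one slot per required class and leave the
    rest free. It undercounts, because the required characters may be anywhere."""
    n = sum(classes.values())
    count = n ** (length - len(required))
    for c in required:
        count *= classes[c]
    return count


def brute_force_count(length, required, symbols):
    """Exhaustive check for tiny alphabets, used to validate keyspace().
    `symbols` maps class name -> the actual characters in that class."""
    alphabet = "".join(symbols.values())
    hits = 0
    for pw in product(alphabet, repeat=length):
        if all(any(ch in symbols[c] for ch in pw) for c in required):
            hits += 1
    return hits


def pattern_space(words, cap_variants=2, max_digits=4, specials=30):
    """Candidates for the classic human pattern: a dictionary word, optionally
    capitalised, then 0..max_digits digits, then optionally one special character.
    (Pattern shape and defaults are illustrative assumptions, not article figures.)"""
    digit_suffixes = sum(10 ** d for d in range(max_digits + 1))  # '', 0-9, 00-99, ...
    special_suffixes = 1 + specials                              # none, or one of them
    return words * cap_variants * digit_suffixes * special_suffixes


def bits(count):
    """Entropy in bits if every candidate were equally likely."""
    return log2(count)


if __name__ == "__main__":
    rules = ("upper", "digit", "special")
    free = keyspace(10)
    wrong = naive_fixed_slots(10, rules)
    right = keyspace(10, rules)
    lower_only = keyspace(10, classes={"lower": 26})
    guesses = pattern_space(words=100_000)
    print(f"no rules:            {free:>26,}  {bits(free):5.1f} bits")
    print(f"spreadsheet method:  {wrong:>26,}  {bits(wrong):5.1f} bits (undercount)")
    print(f"inclusion-exclusion: {right:>26,}  {bits(right):5.1f} bits")
    print(f"all lowercase:       {lower_only:>26,}  {bits(lower_only):5.1f} bits")
    print(f"word+digits+special: {guesses:>26,}  {bits(guesses):5.1f} bits")
```

Running it shows the three numbers that matter for this article side by side: the composition rules cost about 0.65 bits at length 10, an all-lowercase habit costs about 18 bits, and a dictionary-plus-suffix attack of the kind cracking tools run by default has to try on the order of 10^10 or 10^11 candidates rather than 10^19. The brute_force_count helper is there so you can convince yourself the inclusion-exclusion formula is right on an alphabet small enough to enumerate.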
I do dislike these charts showing that a 12 character password takes 34000 years to crack whereas an 8 character password only takes a few hours. It's an interesting thing to help people understand the benefit and exponential improvement of longer passwords, but the numbers are usually completely made up. They also provide no detail into how they're being cracked, what hashing algorithm is used etc. and there are also many other factors to consider. They can also make people think that they can use a shorter password because "34000 years is kind of overkill, right? I'll just use 10 characters because 5 years is probably fine". No, it's not. These charts, while well-meaning, ultimately can drive the wrong behaviour.
So, Should We Enforce Complexity or Not?
After a lot of pondering and changing my mind a few times, I think I've reached a conclusion that I'm at peace with.
In a perfect world where everyone was using a high-entropy password generator for their passwords and these were all safely stored in Password Managers where people only needed to remember one password to unlock the Password Manager, not enforcing complexity would be a good thing to do and would make the job of the brute-forcers more difficult (because that is ultimately what we're trying to achieve).
Sadly, this is not yet the reality for most people. Password reuse is rife because we have so many online identities and credential sets to remember. People are also (as a generalisation) naturally lazy and will drift into the path of least resistance and highest convenience (or is that just me?)
Taking this natural human laziness into account, it's likely that in our example above, if we didn't require complexity, many people would default to 10 character, all lowercase passwords since this is the path of least resistance. This results in our 43 Kajillion possible options coming down to just 141 167 095 653 376 (26^10), which is a 99.9995% reduction even from the roughly 27.7 Million Trillion we get with complexity enforced, or nearly 18 bits of entropy thrown away (not taking the mostly English words scenario, which is now even more likely, into account).
Password Length
Password length is the most important factor when considering password security, although a minimum length that is known to an attacker also helps them a little by letting them skip the shorter candidates. In the example above, if we take the 43 Kajillion options (I asked Alexa and this is actually ±43 Million Trillion in case you were interested) and apply a minimum length of 8, every candidate shorter than 8 characters becomes invalid and can be dropped from the total. This is not a real problem: every password of 1 to 7 characters put together adds up to about 0.0001% of the 10 character space (each extra character multiplies the space by 92, so everything shorter is a rounding error), so it is not worth worrying about. Minimum password lengths are still a very good thing! A low maximum password length, however, is not. Please don't do this. NIST SP 800-63B says a verifier should accept at least 64 characters; the only legitimate reason for any cap at all is to bound the CPU time spent hashing a deliberately enormous submission, and a limit in the hundreds of characters does that without ever getting in a real user's way. Passwords should only ever be stored as a salted, deliberately slow, irreversible hash (Argon2id, scrypt or bcrypt, with PBKDF2 as the fallback where nothing better is available). The output of these functions is a fixed length whatever the input length, so a generous maximum never causes any database storage issues. One caveat: bcrypt only looks at the first 72 bytes of the password and silently ignores the rest, so if you use it, know that a long passphrase is not being checked in full.
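Added example (Python, not from the article): a storage routine that applies the length advice above, a long minimum and only a generous upper bound, and shows that the stored record is the same length whether the password is 12 characters or 200. The policy numbers (12 minimum, 256 maximum) and the PBKDF2 parameters are my assumptions; PBKDF2-HMAC-SHA256 is used only because it is in the Python standard library, and Argon2id or bcrypt would be the normal production choice.

```python
import hashlib
import hmac
import secrets
import unicodedata

# Hypothetical policy values (assumptions for this example, not from the article).
MIN_LENGTH = 12            # the "good long minimum"
MAX_LENGTH = 256           # generous cap; NIST SP 800-63B requires allowing at least 64
PBKDF2_ITERATIONS = 600_000  # OWASP's current figure for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def check_length_policy(password: str) -> None:
    """Enforce a long minimum and a generous maximum. The maximum is purely a
    denial-of-service bound on hashing work; it is not a security control."""
    n = len(password)
    if n < MIN_LENGTH:
        raise ValueError(f"password shorter than {MIN_LENGTH} characters")
    if n > MAX_LENGTH:
        raise ValueError(f"password longer than {MAX_LENGTH} characters")


def _normalise(password: str) -> bytes:
    # NFKC so the same passphrase typed on different keyboards/platforms hashes the same.
    return unicodedata.normalize("NFKC", password).encode("utf-8")


def hash_password(password: str) -> str:
    """Salted, slow, one-way hash. The record is a fixed length regardless of
    how long the password was, so storage never needs a password length limit."""
    check_length_policy(password)
    salt = secrets.token_bytes(SALT_BYTES)            # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", _normalise(password), salt, PBKDF2_ITERATIONS)
    return f"{ALGO}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison against a stored record. Over-long input is
    rejected before any hashing work is spent on it."""
    if len(password) > MAX_LENGTH:
        return False
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", _normalise(password),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    short_record = hash_password("correct horse battery staple")
    long_record = hash_password("x" * 200)
    print(len(short_record), len(long_record))   # identical record lengths
    print(verify_password("correct horse battery staple", short_record))
    print(verify_password("x" * 200, long_record))
```

The maximum exists only so that a hostile client cannot make the server grind through a multi-megabyte "password"; at 256 characters it is far above anything a human or a password manager produces, so no legitimate user ever hits it. The same check runs on the login path before hashing, for the same reason. If you swap in bcrypt, remember that it ignores everything past 72 bytes, so a 256 character cap would then promise more than is actually being checked.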
Summary
The calculations done in this article are obviously greatly simplified, but they do represent the reduction in the number of possible combinations when making changes like enforcing complexity or not in your organisation's password policy.
There are many other factors to consider when it comes to password security, over and above the possible number of combinations that a password could contain, such as:
In conclusion, I really don't think it matters, because complexity should NEVER be something you are relying on for security. As explained above, I don't think it hurts, and it does at least push people away from plain dictionary words, but if you have MFA enforced and a good long minimum with no low maximum, complexity is not all that important.
It might seem like it was a lot of effort for a "it's a good thing, it doesn't really matter" result, but as mentioned at the top, we should always be able to provide a good reason to our customers or user base as to why we enforce certain additional security burdens on them and have properly thought through it. I think I can now provide one. Hopefully this helps you too.
Please let me know if you have reached the same conclusion or have any differing views. It's important that we learn from each other.
I always reserve the right to change my mind again, and again as often as necessary as new threats emerge, technology changes or new information or points of view are presented. This is a critical part of learning.
These thoughts are my own and do not necessarily represent those of my employer.
Cyber Security Evangelist
5 months ago
I too love diving into the details, Duncan. A few years back, we ran similar research for a 'password vs. passphrase' campaign. We found that the crack time for a 10-character password ranged from about 690 years in the best case to 14 years in the worst, assuming 1 billion attempts per second on regular computing power. What surprised me was that, in practice, passwords were cracked in less than 40% of the theoretical time. Random distribution of attempts, attack patterns, password dictionaries, and reuse patterns (easily found online) turn 690 years into 276 and 14 years into 6. As computing power increases (AI and custom LLMs), the time to crack passwords shrinks rapidly. That's why password complexity and length must remain non-negotiable, despite employee resistance. I've always preferred 'passphrase' over 'password'. The term signals a higher security standard, and when combined with increased length, is far stronger. Most login pages however still push 'password,' a reminder that basic security education needs to evolve.
Interesting article... I did some research on this topic last year. Password complexity in its native form is one thing, but given the super intelligent cyber world, this is only the first in, what I deem, should be a long line of defence. Thanks for taking me down the rabbit hole with you!
Backend developer | Talks about #php at #scale
1 year ago
Reminds me of this little gem... https://xkcd.com/936/
Owner Infinity Store USA
1 year ago
Great article. The use of password managers is actually discouraged by organisations that prevent the user from pasting the password into the login form, as certain banks do.
Information Security Manager
1 year ago
Good read. The point of password managers having 1 credential allowing you to access many systems is great, and I'd equate it to SAML/SSO in some ways. The thing that often makes no sense to me is that 3rd party systems lock SAML/SSO integration behind the highest cost tier. That doubling (or any increase) of cost for SSO is definitely a failure of the software industry from my perspective.