Do we really need strong passwords? by Mark Stockley.
Mark reviews “An Administrator’s Guide to Internet Password Research” by Dinei Florêncio, Cormac Herley and Paul C. van Oorschot.
From the post:
The authors, Dinei Florêncio, Cormac Herley and Paul C. van Oorschot, contend that “much of the available guidance lacks supporting evidence” and so set out to examine the usefulness of (among other things) password composition policies, forced password expiration and password lockouts.
They also set out to determine just how strong a password used on a website needs to be to withstand a real-world attack.
Their conclusion is that creating strong passwords is wasted effort a lot of the time.
They suggest that organisations should invest their own resources in securing systems rather than simply offloading the cost to end users in the form of advice, demands or enforcement policies that are often pointless.
To understand their conclusions we need to look at the difference between online and offline attacks.
…
Don’t stop at the conclusion:
that creating strong passwords is wasted effort a lot of the time.
You need to read Mark’s post in full, and/or the article itself, to know when “a lot of the time” applies: per the abstract below, it turns on whether the site stores passwords hashed (so an offline attack is even possible) and on whether a password already survives online guessing.
The abstract from the article:
The research literature on passwords is rich but little of it directly aids those charged with securing web-facing services or setting policies. With a view to improving this situation we examine questions of implementation choices, policy and administration using a combination of literature survey and first-principles reasoning to identify what works, what does not work, and what remains unknown. Some of our results are surprising. We find that offline attacks, the justification for great demands of user effort, occur in much more limited circumstances than is generally believed (and in only a minority of recently-reported breaches). We find that an enormous gap exists between the effort needed to withstand online and offline attacks, with probable safety occurring when a password can survive 10^6 and 10^14 guesses respectively. In this gap, eight orders of magnitude wide, there is little return on user effort: exceeding the online threshold but falling short of the offline one represents wasted effort. We find that guessing resistance above the online threshold is also wasted at sites that store passwords in plaintext or reversibly encrypted: there is no attack scenario where the extra effort protects the account.
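To make the abstract’s two thresholds concrete, here is a small calculator, added for this page and not code from the paper or from Mark’s post. It takes the paper’s 10^6 (online) and 10^14 (offline) guess counts as given, and everything else is an assumption for illustration: the character-set sizes, the storage-mode labels (“plaintext”, “reversible”, “hashed”), and the use of raw keyspace as the guess-resistance figure. Keyspace is an upper bound that only a uniformly random password reaches; user-chosen passwords fall far below it, so the “sufficient” verdicts here are best-case, not guarantees.

```python
import math

# Thresholds quoted in the paper's abstract: probable safety against an online
# attack at ~10^6 guesses and against an offline attack at ~10^14 guesses.
ONLINE_THRESHOLD = 10**6
OFFLINE_THRESHOLD = 10**14

# Assumed character-set sizes for the examples below (not from the paper).
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "alnum": 62,
    "printable": 95,
}


def keyspace(charset_size: int, length: int) -> int:
    """Guesses needed to exhaust a uniformly random password of this shape.

    This is an upper bound: real user-chosen passwords are cracked in far
    fewer guesses, so treat the result as the best case for the user.
    """
    return charset_size ** length


def bits(guesses: int) -> float:
    """Guess count expressed as bits of guessing entropy."""
    return math.log2(guesses)


def regime(guess_resistance: int) -> str:
    """Which of the abstract's three regions a guess-resistance figure lands in."""
    if guess_resistance < ONLINE_THRESHOLD:
        return "below-online"
    if guess_resistance < OFFLINE_THRESHOLD:
        return "gap"          # eight orders of magnitude of wasted effort
    return "above-offline"


def required_resistance(storage: str) -> int:
    """Guesses a password must survive before extra user effort buys anything.

    Plaintext or reversibly encrypted storage hands the attacker the secret
    itself on breach, so no offline guessing ever takes place; only the online
    threshold matters there. Hashed storage is the only case where resisting
    an offline attack can help. (Storage labels are assumed for this example.)
    """
    if storage in ("plaintext", "reversible"):
        return ONLINE_THRESHOLD
    if storage == "hashed":
        return OFFLINE_THRESHOLD
    raise ValueError(f"unknown storage mode: {storage}")


def min_length(charset_size: int, threshold: int) -> int:
    """Shortest uniformly random password over this charset meeting threshold."""
    n = 1
    while charset_size ** n < threshold:
        n += 1
    return n


def evaluate(charset_size: int, length: int, storage: str) -> dict:
    """Score a password shape against what the site's storage can make use of."""
    ks = keyspace(charset_size, length)
    need = required_resistance(storage)
    return {
        "keyspace": ks,
        "bits": round(bits(ks), 1),
        "regime": regime(ks),
        "required": need,
        "sufficient": ks >= need,
        # Characters beyond what this storage mode could ever reward.
        "wasted_chars": max(0, length - min_length(charset_size, need)),
    }


if __name__ == "__main__":
    for name, size in CHARSETS.items():
        print(f"{name:10s} online >= {min_length(size, ONLINE_THRESHOLD):2d} chars, "
              f"offline >= {min_length(size, OFFLINE_THRESHOLD):2d} chars")
    print(evaluate(26, 8, "hashed"))        # lowercase-8 sits in the gap
    print(evaluate(95, 12, "plaintext"))    # 8 of the 12 characters buy nothing
```

The two numbers worth remembering from running it: the online threshold is about 20 bits and the offline one about 46.5 bits, and a plaintext-storing site caps the useful length of even a random printable-ASCII password at four characters, which is the abstract’s “no attack scenario where the extra effort protects the account” in arithmetic.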
Empirical research is creating a new genre of mythology. Computer Science Mythology, coming to a bookstore near you.