0

Is there any professional consensus on what the optimal password minimum length requirement should be?

The University of Michigan recently implemented a 15 character minimum for all users.

To me (complete layperson), this seems foolish because this is difficult to remember and so now even more will record their passwords somewhere (e.g. on paper/a Google doc/word doc/text document) that can be easily stolen/hacked.

Also, there'll be many more "Forgot password" requests (and so more opportunities for being hacked).

Microsoft:

Best practices

In most environments, an eight-character password is recommended because it's long enough to provide adequate security and still short enough for users to easily remember.

user103496
  • 101
  • 3
  • 1
    hint: don't use a password (e.g. Password1!) but a passphrase (e.g. bound dollar toss <- that's 17 characters) – schroeder Sep 15 '23 at 08:02
  • 1
    With your edit you've added more points and changed essentially what you ask. Initially you asked about a reasonable minimum password length, now you ask about issues that long passwords may cause to users and why long passwords are needed since we have other security controls in place. Those are different questions and require to re-write the answers already given. If you'd like the new points to be answered, please ask a new question. –  Sep 15 '23 at 12:02
  • @Spyros: For your benefit, I have rolled back my question to the original question that was first posted. You'll see that I made the exact same points, but these points were completely ignored by you and others (which is why I subsequently made edits that merely emphasized these points more strongly without changing the Q). It seems to me that you and many others in the information security community are capable of focusing only on one issue: How long it takes to brute force a password. You are unable to imagine and consider any other costs to longer character minimums (my points above). – user103496 Sep 16 '23 at 01:35
  • @user103496 I respect your opinion, however in your initial question you state your arguments against the university's long password policy and ask about optimum password lengths, whereas in the edited question you ask from us to address your concerns. You may think that those two are the same but me "and many others in the information security community are capable of" understanding that they are not. That is why we are in the information security community. I am open to discuss your concerns, but questions should be kept focused in order to avoid writing essay-length answers –  Sep 16 '23 at 06:15
  • Users shouldn’t be remembering passwords, so ability to remember is not a criterion for password complexity rules. The complexity required for password security (bearing in mind that most people have dozens of passwords that should all be different) exceeds the capacity of a normal human memory. What they should do is mandate the use of a secure password manager. – Mike Scott Oct 08 '23 at 11:32

5 Answers

2

Summary: the University of Michigan password creation policy seems fine, if not optimal

Explanation: NIST Special Publication 800-63 (currently version "-3") (titled "Digital Identity Guidelines") is the go-to guideline for password security. Among others, they recommend the following:

However, if you combine points 1 and 4 from above, then you may end up with simple, easy to guess passwords. Thus, it is advocated(5) that it's better to use passphrases rather than passwords, which can be safer even if they are simple in structure (e.g. all lowercase characters).

Is there any professional consensus on what the optimal password minimum length requirement should be?

If you take a look at the password cracking table from Hive, that shows how much time it takes to brute-force a password that complies with specific complexity rules, you'll see that an 8-character-password with complex character combination is easily brute-forced in 5 minutes. Going from there, you either need a 12-character password with complex creation rules or 15 characters with only lowercase characters (numbers-only-passwords are inherently unsafe).

Given that the University of Michigan permits lowercase-only character passwords, a length of 15 characters for passwords seems optimal.

Edit (based on your comments here and here): Security controls are not selected at random and policies are not set "just because". They are based on research and lessons learned. In the case of optimum password length, please read above and follow the provided links.

As a summary, long password lengths are not set in order to counter attempts using the login process of the system. If that were the case, passwords would be much, much shorter. For example, if your system locks accounts after 5 failed attempts, then with a 4-character-long password, that consists of numbers and lowercase characters only, you get 36^4(6) = 1.679.616(7) possible combinations. This number is high enough to accept the risk of 5 login attempts from an attacker (less than 0,0003%(8) probability of success). In other words, this attack vector (login attempts) is assessed and the security control in place (limit attempts to 5) is said to mitigate the risk.

However, a threat model that includes someone stealing the password db, needs to also account for password spraying or credential stuffing attacks to other systems. This is done in order to counter for lateral movements of attackers in the same network or denying them access to other networks (because humans tend to use the same password on different systems). In other words, we need to limit the blast radius of a stolen password. In order to do this, we need to make it difficult for an attacker to find out what the password is; if you used a 4 character password, any attacker, with trivial resources, would be able to brute force it in under a second. That is why you need to use longer passwords and this is where the minimum password lengths, relevant research, alternative authentication ways and the official guidelines come in.

You need to understand that information security is not a single-dimensional discipline.


1 "Memorized secrets SHALL be at least 8 characters in length if chosen by the subscriber"

2 "Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length"

3 "Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator"

4 "Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets"

5 "Use easy-to-remember passphrases rather than passwords, that have a minimum of 14 characters"

6 26 characters (a-z) and 10 numbers (0-9)

7 the dot is used as a separator of thousands

8 comma is used as a decimal point

  • "Given that the University of Michigan allows lowercase-only character passwords" Where did you see this? I'm pretty sure they allow upper case too. – user103496 Sep 15 '23 at 06:48
  • 1
    @user103496 Allow, as a minimum required complexity rule, not enforce. Amended the answer to reflect this. –  Sep 15 '23 at 06:50
  • Don't most logins allow only some maximum number of tries before locking you out? How does brute-force get around that? – user103496 Sep 15 '23 at 08:37
  • @user103496 password cracking rules address the case where an attacker (or even a malevolent system administrator) has the password at hand (e.g. has hacked the system and brute-forces the password file/db offline); your password needs to stay a secret, even if the system is compromised. Security controls that do not allow multiple (failed) attempts by using the system's login process are put in place as a norm, but do not address the offline brute-forcing case. –  Sep 15 '23 at 10:31
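The arithmetic in the answer above (keyspace, the chance of a lucky guess before lockout, and the offline cracking case) is easy to get wrong by hand, so here is an added worked example that reproduces it in code. This is not part of the original answer; the 36-symbol and 94-symbol alphabets match the footnotes and the later comment on this page, while the guess rate of 10^9 hashes per second is an assumed figure standing in for "an attacker with trivial resources" and should be replaced with the real rate for the hash in use.

```python
import math

# Alphabet sizes used on this page: [a-z0-9] and all printable ASCII (no space).
LOWER_DIGITS = 36
PRINTABLE_ASCII = 94

# Assumed offline guess rate for a fast, unsalted hash on commodity hardware.
# This is an illustrative assumption, not a measured figure.
ASSUMED_GUESSES_PER_SECOND = 1e9


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return charset_size ** length


def online_guess_probability(charset_size: int, length: int, attempts: int) -> float:
    """Chance that `attempts` distinct guesses through the login form hit a
    uniformly random password before the lockout threshold is reached."""
    return attempts / keyspace(charset_size, length)


def offline_crack_seconds(charset_size: int, length: int,
                          guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust the keyspace against a stolen hash.
    The expected time to find one password is half of this."""
    return keyspace(charset_size, length) / guesses_per_second


def strength_ratio(charset_size: int, longer: int, shorter: int) -> int:
    """How many times larger the keyspace of a `longer` password is than a
    `shorter` one over the same alphabet (charset ** (longer - shorter))."""
    return charset_size ** (longer - shorter)


def human_duration(seconds: float) -> str:
    """Render a duration in the largest sensible unit for display."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.2f} {name}"
    return f"{seconds:.4f} seconds"


if __name__ == "__main__":
    # The 4-character, 36-symbol case with a 5-attempt lockout from the answer.
    ks = keyspace(LOWER_DIGITS, 4)
    p = online_guess_probability(LOWER_DIGITS, 4, attempts=5)
    print(f"36^4 = {ks:,} combinations; 5 online guesses succeed with "
          f"probability {p * 100:.5f}%")
    print("offline exhaustive search of the same space:",
          human_duration(offline_crack_seconds(LOWER_DIGITS, 4)))

    # The 8- vs 15-character comparison: 36^7 and 94^7 as stated in the comments.
    for cs in (LOWER_DIGITS, PRINTABLE_ASCII):
        print(f"charset {cs}: 15 chars is {strength_ratio(cs, 15, 8):,}x "
              f"the keyspace of 8 chars; exhaustive offline search of 15 chars: "
              f"{human_duration(offline_crack_seconds(cs, 15))}")
```

The point the answer makes falls out of the two functions: `online_guess_probability` stays tiny for even a 4-character password once attempts are capped, while `offline_crack_seconds` for that same password is a fraction of a second, which is why the minimum length is set for the stolen-database case rather than the login form.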
1

The motivation for the University of Michigan seems to be to encourage the use of passphrase / diceware. See Guidelines for a Secure Password, where 3 of the 4 tips are related to that.

In practice, I'd assume that most university users do need to remember their passwords and can't rely on password managers (the 4th tip). Then a 15-char password becomes difficult to remember, while a 15-char passphrase is reasonable.

There has been a study that shows that users don't remember passphrases better than passwords with the same entropy. But passphrases with the same entropy will be longer, reaching the 15 char minimum quicker.

As for usability vs security regarding password complexity, there are numerous opinions:

Especially with the recommendation not to use complexity requirements (because they don't increase security by a lot, but do reduce usability significantly), an 8-char password may be brute-forced fairly quickly, even remotely (think password and 12345678). Requiring a 15-char password will help here. With guidance towards passphrases, usability isn't impacted by the length.

tim
  • 29,640
  • 7
  • 98
  • 121
  • Cyber Essentials suggests a minimum of 12, unless there are other mitigations. So, no consensus, just a lot of ideas. – schroeder Sep 15 '23 at 08:05
  • 1
    @schroeder yes, I doubt that there will ever be a consensus. As NIST says, it depends on the threat model. But I think given the recommendations by NIST and others, U-M is on a good path with their passphrase-focused approach. – tim Sep 15 '23 at 08:10
  • Don't most logins allow only some maximum number of tries before locking you out? How does brute-force get around that? – user103496 Sep 15 '23 at 08:41
  • @user103496 yes, that's true. Workarounds would eg be: 1) password spraying. Try the top X passwords on all accounts (with X < max number of tries) 2) offline attacks (if you have the password hash, eg from database leaks, backups, etc) 3) slow attacks. Most lockouts aren't permanent, but temporary. Just stay under the threshold & iterate over usernames as well (see 1)) 4) if locks are not username- but IP-based (and they often are, to prevent an attacker from DOSing an account), use proxies 5) try to find a bug / bypass for the bruteforce protection. – tim Sep 15 '23 at 09:14
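The answer above argues that a passphrase with the same entropy as a random password is longer, so it reaches a 15-character minimum sooner. The following added example (not part of the answer or of any university policy) puts numbers on that: it computes entropy in bits for word-based and character-based secrets, the character length a random password needs to match a passphrase's entropy, and how many words a passphrase needs before it clears a given minimum length. The wordlist size of 7776 is the size of a standard diceware list; the average word length of 4.5 characters and one-character separator are assumed values for the arithmetic, and the three-word sample is the "bound dollar toss" phrase from the comments on the question.

```python
import math

DICEWARE_WORDS = 7776          # entries in a standard diceware list
LOWERCASE = 26
PRINTABLE_ASCII = 94
ASSUMED_AVG_WORD_LEN = 4.5     # assumed for this example
ASSUMED_SEPARATOR_LEN = 1      # one space between words, assumed


def entropy_bits_words(num_words: int, wordlist_size: int = DICEWARE_WORDS) -> float:
    """Entropy of a passphrase of `num_words` words chosen uniformly from the list."""
    return num_words * math.log2(wordlist_size)


def entropy_bits_chars(length: int, charset_size: int) -> float:
    """Entropy of a uniformly random character password of the given length."""
    return length * math.log2(charset_size)


def chars_for_entropy(bits: float, charset_size: int) -> int:
    """Shortest random character password over `charset_size` symbols that
    reaches at least `bits` of entropy."""
    return math.ceil(bits / math.log2(charset_size))


def passphrase_length(num_words: int, avg_word_len: float = ASSUMED_AVG_WORD_LEN,
                      separator_len: int = ASSUMED_SEPARATOR_LEN) -> float:
    """Expected character length of a passphrase, separators included."""
    return num_words * avg_word_len + (num_words - 1) * separator_len


def words_to_reach_length(min_length: int, wordlist_size: int = DICEWARE_WORDS,
                          avg_word_len: float = ASSUMED_AVG_WORD_LEN,
                          separator_len: int = ASSUMED_SEPARATOR_LEN) -> tuple[int, float]:
    """Fewest words whose expected passphrase length meets `min_length`, and
    the entropy that many words provide."""
    n = 1
    while passphrase_length(n, avg_word_len, separator_len) < min_length:
        n += 1
    return n, entropy_bits_words(n, wordlist_size)


def compare(sample_phrase: str, wordlist_size: int = DICEWARE_WORDS) -> dict:
    """Entropy of a sample passphrase versus random passwords of equal length
    and the random-password length that would match the phrase's entropy."""
    words = sample_phrase.split()
    bits = entropy_bits_words(len(words), wordlist_size)
    return {
        "length": len(sample_phrase),
        "words": len(words),
        "passphrase_bits": round(bits, 2),
        "same_length_lowercase_bits": round(entropy_bits_chars(len(sample_phrase), LOWERCASE), 2),
        "same_length_ascii_bits": round(entropy_bits_chars(len(sample_phrase), PRINTABLE_ASCII), 2),
        "equivalent_lowercase_chars": chars_for_entropy(bits, LOWERCASE),
        "equivalent_ascii_chars": chars_for_entropy(bits, PRINTABLE_ASCII),
    }


if __name__ == "__main__":
    # Constructed sample: the three-word phrase quoted in the question's comments.
    for key, value in compare("bound dollar toss").items():
        print(f"{key:>30}: {value}")
    n, bits = words_to_reach_length(15)
    print(f"\n{n} diceware words are expected to clear a 15-character minimum "
          f"with about {bits:.1f} bits of entropy")
```

Two things the numbers show: a three-word diceware phrase carries about 39 bits, which a random lowercase password matches in 9 characters, so a 17-character phrase is not equivalent to a 17-character random string; and a policy written purely as a character count therefore buys different security depending on how users generate the secret, which is why the passphrase guidance and the length rule have to be read together.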
1

The 15 character passphrase is something I have seen other large organizations start to implement as well. I'm not sure where the number 15 came from but it seems to be a de facto standard of sorts.

The problem you had with the more traditional password system where it needed to be changed every 30 or 60 or 90 etc days is that it created the incrementing password. I have worked in many organizations which had the rolling passwords with the rule usually being it had to include 1x uppercase, 1x number and 1x special. So you wound up with everyone having a very similar password pattern:

[Special][Capital][Lowercase][2xNumber] eg %Password01

They would then just increment the number on the end. So for a brute force attack you are no longer working against an 8 character password with 96^8 possibilities. In the case of dictionary attacks it allows an attacker to create rules to modify their wordlist to fit the pattern.

The thinking now appears to be longer is better because wordlists usually target a single word or 2/3 short words concatenated. Having it be 15 characters minimum also makes it incredibly time consuming to brute force. The problem with the passphrase model is that the account holder will construct a sentence to help them remember the passphrase. Take into account human laziness and that sentence will be somewhere between 15 (because that is the minimum) and perhaps 20 characters long. Ultimately if I'm told it has to be 15 characters and I'm working in an environment where I have to type the thing in 30 times a day I'm not going to pick something 40 characters long.

The sentence structure is inherently the weakness of the passphrase. There are already wordlists floating around for passphrases. And some even come with rules for programs like Hashcat which allow for various permutations (for example if the user has spaces between the words or just concatenates them into a single word). I myself have been playing around with ChatGPT and building a passphrase list based on the statistical probability of the next word in a sentence.

Ultimately the weakness of any sort of verification system is the end user. People are lazy and/or stupid. Whatever system you put in place the end user will come up with the simplest way to comply with it and not have to do anything more.

user2334659
  • 213
  • 6
0

I would say an 8 character minimum is definitely too short these days, because that can be hacked in seconds unless there is a limit on the frequency of attempts. See for example https://www.grc.com/haystack.htm

When are attempts not limited? Most commonly when someone has got hold of the "hash" of your password. There have been many huge breaches where billions of hashed passwords have been exposed. (Admittedly "salting" can ameliorate that risk a bit, but you can't rely on that.)

In that context, 15 characters is a reasonable minimum. You can reduce it a couple of characters by requiring mixed case and special characters, but that brings its own set of problems and is a sticking plaster at best.

The problem of course is that it's hard to remember a 15 character password, and even if you could, they are difficult to type accurately. In a way that's good though, because it encourages people to completely avoid memorable passwords and use a password manager instead, or better still passwordless solutions like Windows Hello, phone apps or hardware keys.

Personally, I don't have any memorable passwords at all now, only memorable PINs as a second factor. Passwords seemed like a good idea when they were first invented, but we now know they're hideously insecure and we're trying to stuff that genie back in the bottle.

-1

Is there any professional consensus on what the optimal password minimum length requirement should be?

There are two common opinions about this:

  • eight characters minimum
  • longer is better

NIST says minimum of 8 characters in a password. Microsoft says minimum of 8, and longer is not necessarily better. OWASP Cheatsheet says minimum of 8. OWASP ASVS says 8 in the most recent version.

All things equal, longer passwords are stronger than shorter passwords. However, doubling the minimum length of passwords does not necessarily result in double the security. People will just pad their password or type it twice to comply with the length minimum, instead of coming up with a stronger password. Thinking about the entropy of a password without considering user psychology is a common pitfall.

In particular, does a 15 character minimum make sense for most university users?

Even though not everyone agrees on whether the 8 character limit is sufficient, there is little reasoning about any other limit. What is the reasoning behind this 15 character minimum? Why not 14 or 16? If this was the result of a research project, it may make sense. If someone just picked a nice number, it may not.

Without any further information, I am not sure that a 15 character minimum is necessarily more secure than an 8 character minimum.

schroeder
  • 129,372
  • 55
  • 299
  • 340
Sjoerd
  • 30,589
  • 13
  • 80
  • 107
  • The only rule to passwords that is universally consistent is that they get stronger as they get longer because the number of combinations needed to check goes up exponentially. 9-char codes are roughly 36-94x stronger than 8-char codes. 10-char codes are 36-94x stronger than 9-char codes. 15-char codes are 78 billion to 65 trillion times (36⁷ to 94⁷ depending on [0-9a-z] vs all printable ASCII) stronger than 8-char codes. You can find crack-time calculations here and at Hive. – Adam Katz Sep 15 '23 at 15:12
  • @AdamKatz: So why not a 10000 character minimum? Why only 15? The reason is that there are costs to longer character minimums and so trade-offs, something that those in the information security community seem unable to imagine and so consider. – user103496 Sep 16 '23 at 01:30
  • The answer is fine in all respects, except for the last line. If "longer is stronger" then surely adding 7 characters to the standard minimum would add strength? Your argument for "longer is stronger" seems to fall apart with that last line. – schroeder Sep 16 '23 at 10:11
  • Yes, usability is a key aspect of security. In this scenario, somebody looked at a crack-time chart like those I linked and decided 15 chars is a good balance. Until we have broad adoption of something like passkeys, password managers are necessary to bridge the gap. Requiring a 15-char code is a strong nudge in that direction, though I'm personally more a fan of 12+ chars and MFA ... or even going passwordless and relying on an Authenticator app alone. – Adam Katz Sep 18 '23 at 19:46