Password strength rules are too simple
Currently the system uses the classic set of requirements for passwords (some rules are optional):
- Must be at least N characters long
- Must have an uppercase letter
- Must have a digit
- Must have a special symbol
In practice, those rules are too simple to enforce any kind of security, while at the same time being onerous to users.
According to these rules, Qwerty1! is a sufficiently strong password, while in practice it is trivial
to guess, never mind to crack. At the same time, passwords like correcthousebatandstaple, which are
impossible to guess and hard or impossible to crack, are considered unacceptable.
The above requirements for passwords, even though obsolete, are often enforced by organizations, and thus
can't be abandoned entirely. That said, we should provide better defaults for the users. Adding uppercase
letters and special symbols is, entropy-wise, about equivalent to 2 extra letters. But lowercase-only
passwords are easier to type, easier to remember, and don't suffer confusion issues like "was it a 0, o
or O?".
- The default requirements should be "at least 10 letters", with no requirement for uppercase, digits or special symbols.
- We should implement some kind of password strength check.
- We should check passwords against the known databases of leaked passwords. Whatever the nominal complexity of a password, being in such a database reduces it to a simple dictionary attack, so any such password is immediately insecure.
- We should provide an option to automatically generate passwords meeting the given requirements for the users.
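The following is an added Python sketch of the four proposals above (the 10-letter default, a strength estimate, a leaked-password check, and a generator); it is not code from this issue or its project. Everything beyond the issue text is an assumption: the 40-bit entropy threshold as the "strength check", SHA-1 digests as the breach-list format, the k-anonymity prefix lookup as the way to query the list, the function names, and the tiny constructed breach list standing in for a real leaked-password database.

```python
"""Reference checker for the proposed password policy.

Added example, not code from the original issue or its project. Assumptions
(not stated in the issue): a minimum estimated entropy of 40 bits as the
"strength check", SHA-1 digests as the breach-list format, and a tiny
constructed breach list in place of a real leaked-password database.
"""
import hashlib
import math
import secrets
import string

MIN_LENGTH = 10          # the proposed default: "at least 10 letters"
MIN_ENTROPY_BITS = 40    # assumed strength threshold, not from the issue

# Constructed stand-in for a leaked-password database. Public breach corpora
# are commonly distributed as SHA-1 digests, so only digests are kept here too.
_CONSTRUCTED_LEAKED = ["Qwerty1!", "password", "123456", "P@ssw0rd", "letmein"]
LEAKED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _CONSTRUCTED_LEAKED
}


def charset_size(password: str) -> int:
    """Size of the alphabet the password appears to be drawn from.

    This is the model behind composition rules: each character class present
    enlarges the alphabet an attacker must search. Characters outside the four
    ASCII classes each add one symbol.
    """
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += len(string.ascii_lowercase)   # 26
    if any(c in string.ascii_uppercase for c in password):
        size += len(string.ascii_uppercase)   # 26
    if any(c in string.digits for c in password):
        size += len(string.digits)            # 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)       # 32
    known = string.ascii_letters + string.digits + string.punctuation
    size += len({c for c in password if c not in known})
    return size


def naive_entropy_bits(password: str) -> float:
    """log2(alphabet ** length): the bits a uniformly random password of this
    shape would carry. It overestimates patterned choices like 'Qwerty1!',
    which is exactly why the leaked-list check below is also needed."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def leaked_suffixes_for_prefix(prefix: str) -> set[str]:
    """Server side of a k-anonymity range lookup: given the first five hex
    digits of a SHA-1 digest, return the suffixes of every leaked digest that
    shares them. The caller never reveals the full digest or the password."""
    prefix = prefix.upper()
    return {h[len(prefix):] for h in LEAKED_SHA1 if h.startswith(prefix)}


def is_leaked(password: str) -> bool:
    """Client side of the range lookup: hash locally, send only the prefix,
    and match the suffix against the returned set."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in leaked_suffixes_for_prefix(prefix)


def check_password(password: str) -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted.
    Note the deliberate absence of uppercase/digit/symbol requirements."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if naive_entropy_bits(password) < MIN_ENTROPY_BITS:
        reasons.append(f"estimated entropy below {MIN_ENTROPY_BITS} bits")
    if is_leaked(password):
        reasons.append("appears in a leaked-password database")
    return reasons


def generate_password(length: int = MIN_LENGTH) -> str:
    """Lowercase-only password from a CSPRNG; 10 letters is about 47 bits."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = string.ascii_lowercase
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):   # regenerate in the unlikely leaked case
            return candidate


if __name__ == "__main__":
    for pw in ["Qwerty1!", "correcthousebatandstaple", generate_password()]:
        verdict = check_password(pw)
        print(f"{pw!r}: {'accepted' if not verdict else ', '.join(verdict)}")
```

Run as a script, it rejects Qwerty1! for being short and leaked while accepting correcthousebatandstaple, matching the issue's two examples. The naive entropy model is only a floor for random passwords; it cannot tell a keyboard walk from a random string, so the breach-list check carries the real weight against dictionary attacks, and the prefix lookup lets that check be delegated to an external service without ever sending the password or its full hash.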