Information Security in the Real World. Confidentiality, Availability, Integrity, Practicality.

Saturday, 17 October 2009

Password Length, from zero up?

How long should my password be?

In the authentication space, short of multi-factor authentication (more of which later), nothing seems to exercise the security community as much as password strength, in particular how long a password should be and, if you implement password rules, what minimum length to set.

A common misconception is that there is a single correct answer. This discussion humorously illustrates that idea, with some participants simply asserting "6", others "12" and some invoking Douglas Adams.

But like every security control, the decision must be a risk-based one. Fortunately at least one poster in that discussion gets this right: "Without context, it's an impossible question". I agree. Is this an internet banking site? Your Twitter account? An internal corporate room-booking system?

A practical security control has to deliver security without unduly harming usability; human nature says that otherwise people will circumvent the control to get their usability back. In the case of password length and strength, forcing long, complex passwords on users increases the likelihood that they will fall back on repeating patterns and guessable values, write passwords down or store them electronically, which raises the chance of compromise and defeats the control. It also makes them more likely to forget passwords and need resets, which increases helpdesk cost and adds risk, because more helpdesk staff then need the privilege to reset other people's credentials.

As for context: if it is a low-risk system, why have a password at all? That room-booking site is only reachable on the corporate intranet, so only authorised users can get at it anyway. And the risk posed by impersonation? Someone can book a room under another person's name. Big deal. So why authenticate users of this system at all? Let them identify themselves, leave passwords out of it, and trust the users to play fair. (Ideally the application should defer to credentials the user has already presented elsewhere, e.g. single sign-on against the corporate directory via LDAP, rather than holding a password of its own, but that is usually too hard to implement; most systems just request a username and password out of the box.)

So the minimum password length should sometimes be, er, zero. Sometimes identification and trust is enough. Sometimes you can risk not authenticating, strongly or otherwise. Remember, in an organisation with multiple disparate systems users will reuse passwords across systems, so each password is only as safe as the weakest system that holds it. Forcing a password onto the room-booking site might therefore expose a privileged account password used elsewhere. If that room-booking system is externally hosted you have little control over how it stores passwords, and right now someone might be reading your privileged account passwords and working out how to exploit them.

Set password strength rules appropriate to the risk, and don't assume that longer and stronger is always better. Remember human nature: don't invite frequent password resets or force users to write passwords down. Stay Practical.
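A policy-as-code sketch of the risk-tiered approach argued above, added here as an example and not code from the original post. The tier names (an intranet-only room-booking tool at length zero, an internal app at 8, internet banking at 12), the three-class mixing rule and the pattern checks are assumptions chosen to illustrate the argument. Two design choices matter: a system nobody has classified falls through to the strictest tier, because a system that has not been risk-assessed has not earned a lighter rule; and the checks target the fallbacks the post warns about (repeated units and keyboard sequences) rather than simply demanding more characters.

```python
"""
Risk-tiered password policy, policy-as-code style.

Added example, not the blog post's own code. The tier names, length
thresholds and pattern rules below are assumptions chosen for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int        # 0 means identify the user but do not authenticate
    require_mixed: bool    # need 3 of: lower, upper, digit, symbol
    reject_patterns: bool  # refuse repeats ("ababab") and runs ("1234")


# Assumed risk tiers. An intranet-only room-booking tool gets no password at all.
POLICIES = {
    "intranet-room-booking": PasswordPolicy("intranet-room-booking", 0, False, False),
    "internal-app": PasswordPolicy("internal-app", 8, False, True),
    "internet-banking": PasswordPolicy("internet-banking", 12, True, True),
}

# A system nobody has risk-assessed is treated as the highest risk, not the lowest.
STRICTEST = max(POLICIES.values(), key=lambda p: p.min_length)


def character_classes(password: str) -> int:
    """Count how many of lower/upper/digit/symbol appear in the password."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")
    return sum(1 for pattern in classes if re.search(pattern, password))


def has_repeating_pattern(password: str) -> bool:
    """True for 'aaa' style runs or an immediately repeated unit like 'abcabc'."""
    return bool(re.search(r"(.)\1\1", password) or re.search(r"(.{2,})\1", password))


def has_sequence(password: str, run: int = 4) -> bool:
    """True if `run` consecutive characters step by +1 or -1 in code point ('1234', 'dcba')."""
    codes = [ord(c) for c in password]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(system: str, password: str) -> list[str]:
    """Return the policy violations for `password` on `system`; an empty list means accepted."""
    policy = POLICIES.get(system, STRICTEST)
    if policy.min_length == 0:
        return []  # identification only: there is no password to check
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_mixed and character_classes(password) < 3:
        problems.append("needs at least 3 of: lower, upper, digit, symbol")
    if policy.reject_patterns:
        if has_repeating_pattern(password):
            problems.append("contains a repeated pattern")
        if has_sequence(password):
            problems.append("contains a character sequence")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, one per tier plus an unclassified system.
    for system, pw in [("intranet-room-booking", ""),
                       ("internal-app", "abcabcab"),
                       ("internet-banking", "tr0ub4dor&3"),
                       ("unclassified-app", "Summer2009!x")]:
        print(f"{system:24} {pw!r:16} -> {check_password(system, pw) or 'OK'}")
```

Running it prints a verdict per sample; the empty result for the room-booking tier is the "minimum length zero" case in practice, and the unclassified system is judged against the internet-banking rules until someone assesses it.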


  1. Just read this: some useful advice on password strength here.

  2. Couldn't agree more, Alan - great post. In almost every case I've seen, assurance people don't consider the end-to-end risk (i.e. include realistic threat scenarios covering the business process and business-level controls etc.). This whole debate shows how incoherent and irrelevant the IT community can sometimes appear to businesspeople, which ultimately undermines our credibility when fighting for something that actually matters.

    If you haven't got a robust & comprehensive risk assessment process, try common sense instead. It will keep you secure and get you promoted.