Give up on complex passwords, says Microsoft

The Internet is full of advice on how users should go about choosing strong passwords, and on what schemes web admins should implement to make them do so and what protection mechanisms should be used to protect those accounts, but according to a group of researchers from Microsoft and the Carleton University in Canada, there is little available guidance that is actually supported by clear, solid evidence.

Do password composition policies work? Does forced password expiration improve security? Do lockouts help protect a service? What do password meters accomplish? These are just some of the questions Dinei Florencio, Cormac Herley, and Paul van Oorschot wanted to find answers to.

“Despite long-known shortcomings in both security and usability, passwords are highly unlikely to disappear,” they pointed out in a recently released paper. So, they took it upon themselves to survey existing literature, and by using “ground-up, first-principles reasoning,” they have apparently discovered what works and what doesn’t.

According to the researchers, users usually put accounts in different categories, mostly based on the potential consequences of an account compromise.

On one end of the spectrum are the accounts that users consider unimportant and can choose weak passwords for. On the other are the critical accounts they want to protect as best they can because they contain information they don’t want to lose or have revealed, or are critically tied to other accounts, and for which they often choose complex passwords and additional protection options (such as multi-factor authentication).

For users, it’s important not to use the same password for accounts in different categories. And web admins should try to determine in which of theses categories their site falls into, and choose a password scheme and storage option accordingly.

“We should not be quick to express outrage on learning that password1 and 123456 are common on publicly-disclosed password lists from compromised sites, if these are don’t-care accounts in users’ eyes. Nor should it be surprising to find passwords stored cleartext on fantasy football sites,” the researchers say.

Among the things that the researchers discovered is that fact that password strength meters are practically useless, and so are the usual suggestions for making a longer and more complex password.

They pointed out that password that will withstand online and offline password guessing attacks are different, and that “attempts to get users to choose passwords that will resist offline guessing, e.g., by composition policies, advice and strength meters, must largely be judged failures.”

“Demanding passwords that will withstand offline attack is a defense-in-depth approach necessary only when a site has failed both to protect the password file, and to detect the leak and respond suitably,” they also noted.

Defending users’ passwords against online brute forcing is a responsibility that should rest mostly on websites’ administrators’ shoulders (users should only be required to choose very common passwords), as should the burden of protecting them against offline attacks (by hashing and salting passwords, or by using reversible encryption and keeping the decryption key safe from the hands of attackers).