Created: Thursday, 13 September 2018
Updated: Thursday, 13 September 2018

Designing a password policy for applications facing the internet has always been a hot issue. Basically, the decision to enforce a set of rules, revolves around how much you trust your users or how much freedom you are willing to concede, when selecting a password. In other words, there is an implicit trade off between ease of use and minimum acceptable security standards, a trade off for which a security engineer strives to be optimal.

A simple approach that does not compromise security guidelines of having complex passwords is to enforce only one rule, that is introducing a minimum number of characters, usually 12. Given this rule, you achieve good complexity, while you avoid frustrating users with additional requirements.

However, most applications have adopted the approach of having more requirements when a user creates his password, such as the use of symbols, numbers, lower and uppercase letter combinations, while lowering the minimum number of characters to 8.

In terms of complexity, loosely speaking, the latter policy results in 7.2 quadrillions of possible passwords for the attacker to test. This policy is inferior to the first approach even at the worst case scenario that is, using supposedly all lower case letters, it results in 95 quadrillions of passwords.

Reasonably, you might question why companies have not adopted the first approach. This proves hard to answer that's why I am asking you to vote below, what you consider to be the most possible explanation of why this happens. One thing is sure though, the habit of creating non sense passwords, instead of meaningful passwords aka passphrase has been deeply ingrained in the users' mindset.

If you are interested in reading more, I recommend to check this discussion thread on Securty.StackExchange which is enlightening and humorous as well.

What do you believe, why companies are not adopting the meaningful password policy for their internet facing applications?

© 2012 - 2018 Armen Arsakian updated atFriday 21 September 2018Contact: contact at arsakian.com

-506 . 2453