[Owasp-leaders] Password complexity guidance

Josh Sokol josh.sokol at owasp.org
Wed Dec 11 20:11:42 UTC 2013

Just to put another thought out there on this, assume that everyone moves
to passphrases instead of passwords and that becomes the new standard.
Have we really solved any problems?  The same types of dictionary attacks
that exist today will be just as applicable to passphrases.  You're just
brute forcing words instead of characters.  And if you're going down the
path of guidance, you might as well do it right and specify a minimum
length of the passphrase because if it's too short, it's the same as brute
forcing characters ("I am too short") with a smaller character set.  Also,
add in the multi-factor piece because that goes so much further than
passphrases ever will.  I'm fine with providing guidance, but it's far more
complicated than "Use a passphrase."  That's all I'm saying.


On Wed, Dec 11, 2013 at 1:51 PM, Michael Coates <michael.coates at owasp.org> wrote:

> Good feedback.
> One comment:
> " I wouldn't issue any sort of guidance on that until validation
> technologies exist to actually enforce secure passphrases just like they
> already exist to enforce secure passwords.  Make sense?"
> I disagree here. If we don't promote the right way we'll be waiting around
> indefinitely. I think we should issue best practice advice and then include
> a section that states alternative approaches in situations where this
> configuration is not possible. This way we are thought leaders driving
> change where possible and providing practical guidance for people with
> limitations in configuration.
> --
> Michael Coates
> Chair, Global Board
> @_mwc
> On Wed, Dec 11, 2013 at 11:14 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
>> We've been discussing this quite a bit lately at work due to the
>> federation of internal identities to cloud-based applications.  Obviously,
>> best practice is to use some sort of multi-factor authentication so that a
>> password alone isn't the only defense.  That said, where time, money, or
>> other issues prevent you from doing more than just "something you know"
>> authentication, I agree that passphrases are probably better, but the devil
>> is in the details.
>> Take Microsoft Active Directory for example.  Your options for passwords
>> basically boil down to two things: 1) Length and 2) Complexity.  In terms
>> of complexity, it's a check box.  You either have it enabled as a policy or
>> you do not.  When enabled, you can't guarantee random, but at least you can
>> guarantee a larger character set because you have to have at least three of
>> the four of upper, lower, digits, and special characters.  When disabled,
>> however, like you'd probably want to do for passphrases like "correct horse
>> battery staple" (all lower case words plus space character, no upper, no
>> digits), you no longer have the policy in place to prevent stupid passwords
>> like "password" or "passwordpassword" or "password12345678...."
>> So, while I agree with what you're saying, that passphrases are easier to
>> remember and ideally just as secure, I wouldn't issue any sort of guidance
>> on that until validation technologies exist to actually enforce secure
>> passphrases just like they already exist to enforce secure passwords.  Make
>> sense?
>> ~josh
>> On Wed, Dec 11, 2013 at 12:43 PM, Michael Coates <
>> michael.coates at owasp.org> wrote:
>>> We have two references (and probably more - please send if you see more)
>>> for password complexity.
>>> https://www.owasp.org/index.php/Password_length_%26_complexity
>>> https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Implement_Proper_Password_Strength_Controls
>>> First - I agree passwords alone need to die. It's not sufficient. But
>>> that said, passwords will be around until the next solution is ready. So,
>>> in the interim we should provide the best guidance on selecting good
>>> passwords.
>>> I no longer agree with the approach of forcing users to select gibberish
>>> passwords. I believe that passphrases are much better. They achieve great
>>> entropy and are far easier for users to remember. My initial position is we
>>> should shift our guidance away from the old complex recommendation to a
>>> passphrase recommendation.
>>> Agree? Disagree? Interested in your thoughts.
>>> Whatever we do select, we should make sure we cross link so we don't
>>> have multiple sources of information that could be out of date.
>>> --
>>> Michael Coates
>>> @_mwc
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
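As an added example (not code from this thread or from OWASP's pages), a small Python policy check that applies the points raised above: it estimates the cheaper of a character-level and a word-level brute force, enforces a minimum total length as well as a minimum word count, and rejects the "password", "passwordpassword" and "password12345678" patterns that an Active Directory policy with complexity disabled cannot block. The tiny wordlist, the 7776-word attacker "alphabet" and the thresholds are assumptions.

```python
import math
import re

# Constructed stand-in for a real wordlist; a deployed check would load a full dictionary.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "correct", "horse",
                "battery", "staple"}
# Assumed size of the attacker's word list (a Diceware-style list has 7776 entries).
WORDLIST_SIZE = 7776

def char_space(pw):
    """Size of the character set a character-level brute force has to cover."""
    size = 0
    if re.search(r"[a-z]", pw): size += 26
    if re.search(r"[A-Z]", pw): size += 26
    if re.search(r"[0-9]", pw): size += 10
    if re.search(r"[^A-Za-z0-9]", pw): size += 33  # printable ASCII punctuation plus space
    return size

def entropy_bits(pw):
    """Conservative estimate: the cheaper of guessing characters or guessing whole words.
    The word-level strategy only applies when every token looks like a dictionary word,
    and it is optimistic for user-chosen English, which comes from a much smaller space."""
    if not pw:
        return 0.0
    char_bits = len(pw) * math.log2(char_space(pw))
    words = pw.split()
    if all(w.isalpha() for w in words):
        return min(char_bits, len(words) * math.log2(WORDLIST_SIZE))
    return char_bits

def passphrase_problems(pw, min_len=16, min_words=4, min_bits=40):
    """Return the list of policy violations; an empty list means the passphrase is acceptable."""
    problems = []
    words = pw.lower().split()
    if len(pw) < min_len:
        problems.append("length")       # "I am too short" fails here even with four words
    if len(words) < min_words:
        problems.append("word_count")
    if len(set(words)) < len(words):
        problems.append("repeated_word")
    # Collapse to letters so "password", "passwordpassword" and "password12345678"
    # all reduce to one common word repeated one or more times.
    letters = re.sub(r"[^a-z]", "", pw.lower())
    for w in COMMON_WORDS:
        if letters and len(letters) % len(w) == 0 and letters == w * (len(letters) // len(w)):
            problems.append("single_common_word")
            break
    if entropy_bits(pw) < min_bits:
        problems.append("entropy")
    return problems
```

Note that the four-word phrase "correct horse battery staple" and an eight-character mixed-class password land within about a bit of each other under this estimate, which is the reason the minimum length and word count carry the policy rather than the entropy figure alone.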