[Owasp-leaders] Password complexity guidance

Jim Manico jim.manico at owasp.org
Wed Dec 11 20:40:21 UTC 2013

I think that password policy overall is a failure and we indeed need to update our guidance on this topic. Thanks for pointing this out, Michael. 

Password length is the most important mathematical aspect to password policy, so passphrases seem like a good idea. But if your passphrase is a known sentence from a book, or just a collection of dictionary words - then the benefit decreases significantly. Here are some interesting articles that discuss this problem to some degree from the perspective of offline password cracking.


Jeffrey Walton suggested to me that one of the most important aspects of a good password policy is to *not* allow users to use commonly used passwords; even passwords that fit your corporate password policy. For example, the password Password1! probably would be accepted by the password policy of most folks on this list, but it's a dangerously bad and commonly used password. Hackers conduct "reverse brute force attacks" where they take a commonly used but supposedly strong password, and make one attempt against a large list of accounts. This and other reasons have prompted some banks to enforce strong policies on usernames!

Abbas mentioned password managers; I think he is right on. I know of several mid-size companies who have or are starting to enforce their use. I really think this is the best advice we can give today.

Side note, there are a lot of different (good) opinions when it comes to password policy. I think it's ok if we have different conflicting opinions on this, but we should centralize that varied advice in some way.

Last, any password advice needs to push multi-factor. Poorly misquoting John Steven (as well as taking his quote out of context), "Using passwords to protect your account will help you as much as motorcycle helmets will protect you at high speed."

Good conversation. Thanks for bringing this up.
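To illustrate the point above about rejecting commonly used passwords even when they satisfy a classic complexity rule, here is an added example (written for this thread, not code from the list or from OWASP) that checks a candidate against a denylist after collapsing the usual case, leetspeak and trailing-digit mutations, and only then falls back to length and complexity. The denylist is a small constructed sample; a real deployment would load a breach-derived list of millions of entries.

```python
import re

# Constructed sample denylist of commonly used base words (illustration only).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}

# Minimum length at which a passphrase is accepted without the character-class rule.
MIN_PASSPHRASE_LEN = 16

# Leetspeak substitutions users typically apply to satisfy complexity rules.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "@": "a", "$": "s", "!": "i"})


def classic_complexity_ok(pw: str) -> bool:
    """The traditional rule: at least 8 chars with upper, lower, digit and symbol."""
    classes = (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")
    return len(pw) >= 8 and all(re.search(p, pw) for p in classes)


def normalize(pw: str) -> str:
    """Reduce a candidate to its base word: drop leading/trailing digits and
    symbols, lower-case, and undo leetspeak (Password1! -> password)."""
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw.strip())
    return core.lower().translate(LEET)


def is_common(pw: str) -> bool:
    """True if the candidate, or its normalized base word, is on the denylist."""
    return pw.lower() in COMMON_PASSWORDS or normalize(pw) in COMMON_PASSWORDS


def evaluate(pw: str) -> str:
    """Return 'ok' or the reason the candidate is rejected.
    The denylist check runs first, so a common password is rejected even
    when it would pass the complexity rule."""
    if is_common(pw):
        return "rejected: common password or a trivial variant of one"
    if len(pw) >= MIN_PASSPHRASE_LEN or classic_complexity_ok(pw):
        return "ok"
    return "rejected: too short; use a longer passphrase"


if __name__ == "__main__":
    for candidate in ("Password1!", "P@ssw0rd123!", "correct horse battery staple", "Xy7$abc"):
        print(f"{candidate!r:34} complexity={classic_complexity_ok(candidate)!s:5} -> {evaluate(candidate)}")
```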


> We have two references (and probably more - please send if you see more)
> for password complexity.
> https://www.owasp.org/index.php/Password_length_%26_complexity
> https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Implement_Proper_Password_Strength_Controls
> First - I agree passwords alone need to die. It's not sufficient. But that
> said, passwords will be around until the next solution is ready. So, in the
> interim we should provide the best guidance on selecting good passwords.
> I no longer agree with the approach of forcing users to select gibberish
> passwords. I believe that passphrases are much better. They achieve great
> entropy and are far easier for users to remember. My initial position is we
> should shift our guidance away from the old complex recommendation to a
> passphrase recommendation.
> Agree? Disagree? Interested in your thoughts.
> Whatever we do select, we should make sure we cross link so we don't have
> multiple sources of information that could be out of date.
> --
> Michael Coates
> @_mwc
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
