[Owasp-leaders] Password complexity guidance

Boris Hemkemeier boris at owasp.org
Mon Dec 16 19:10:21 UTC 2013


thanks for starting the discussion and the opportunity to add a "disagree"

Please let me mention another aspect to this discussion. OWASP's main goal
is building more secure (web) applications. IMHO enforcing "better"
password policies is an another approach. It  moves the work load and the
responsility to run a secure web app from the web app owner to the user.

Example: there are a lot of press publications about "weak" passwords on
the occasion of the <insert here the name of one of OWASP's corporate
members> breach. Actually loosing the password hash database was the
vendor's and not the customers' fault. A lot of customers considers such an
account is a necessity only to run the software of this vendor and the
account has no (feeled) important value. From the customers point of "risk
management" it is rational to choose a password which is easy to remember.

In fact it is in the responsibilty of the web app owner to

- take care of the password verification data (i.e. hashes) and to protect
their confidentiality. OWASP contributes a lot of best practices to achieve

- to protect the web app against brute force password guessing via the web
UI. Can we give some advice to this problem?

IMHO enforcing the user to increase password entropy by is not the right
way you are looking for. A typical user has 40 - 80 different accounts
based on passwords they shouldn't share (and they shouldn't share as we can
see in the example above). In real life security depends on the usability.

However I agree that there are also very common passwords in the wild which
should be avoided. A proactive password checking against very very weak
password can be helpfully.  If a web app is rejecting reject common
password then there is some need for comprehensible error messages ("Your
password contains an English word.").

There are some research publications about password security from the last
years. A good overview can be found in Peter Gutmann's "Engineering
Security" avaible for free at
http://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf (draft copy) .


2013/12/11 Michael Coates <michael.coates at owasp.org>

> We have two references (and probably more - please send if you see more)
> for password complexity.
> https://www.owasp.org/index.php/Password_length_%26_complexity
> https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Implement_Proper_Password_Strength_Controls
> First - I agree passwords alone need to die. It's not sufficient. But that
> said, passwords will be around until the next solution is ready. So, in the
> interim we should provide the best guidance on selecting good passwords.
> I no longer agree with the approach of forcing users to select gibberish
> passwords. I believe that passphrases are much better. They achieve great
> entropy and are far easier for users to remember. My initial position is we
> should shift our guidance away from the old complex recommendation to a
> passphrase recommendation.
> Agree? Disagree? Interested in your thoughts.
> Whatever we do select, we should make sure we cross link so we don't have
> multiple sources of information that could be out of date.
> --
> Michael Coates
> @_mwc
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20131216/77611c8f/attachment.html>

More information about the OWASP-Leaders mailing list