Complex password requirements lead to post-its on monitors in cubicles with passwords written on them. That's a much worse result than a weak password for pretty much any system that relies on passwords to stop bad things from happening.
For regular websites, generating monitor post-its is inexcusable. Let your users choose the letter "a" as their password if they want, but warn them about the implications. The only acceptable password workflow for a website is this:
- Choose a password
- complexity check
- if failed, "Seriously? That seems like a bad password" popup.
- "Yes, seriously. I don't really care if this account gets hacked
enough to memorize a complex password."
- done.
I'd go as far as having banks do it this way. Anything to avoid having access to a $20k wire transfer be as simple as sitting down at somebody's desk when they're gone for the day and reading a post-it saying "BofA - wAffles$2".
This is horrible advice given the threat model for either normal home users (at risk due to mass attacks/brute force, or MAYBE losing a wallet/unlocked phone/laptop with keys saved locally) or most corporate environments.
The solution in both cases is a move toward single sign on, using a password manager or a key or 2fa or federated login system (Kerberos, FB connect).
Enforcing minimum complexity requirements (and policies like no username as password, etc) protects the user and site. If a site has 10% of users with trivial passwords, even if it is just a commenting section on a blog, the site itself is at risk. Combine this with the propensity of users to globally reuse passwords, and everyone is kind of doomed. Passwords must die, but requiring a minimum level of passwords, and encouraging people to use passwords as safely as possible as an interim measure, is the only reasonable course of action.
Then measure actual entropy. Don't make me make a password that fits some weird ass hard to remember standard you dug up. Let me use "This rabbit killed the horse in cold blood, then drank all the pies" as a password if I want, it has more entropy than C@tV0m!t does.
The problem is it's hard to measure actual entropy. You can make a reasonable approximation (vs. a dictionary, and looking at the total character set) -- then, if you can, display the strength in some graphical way (ideally with a list of suggested rules which get checkmarked as the passphrase satisfies them). Still. "one TWO 3 +our" has less entropy than this would suggest.
I generally set an absolute minimum of 6-8 characters, not equal to username, site name, or a set of common passwords (including "password"). Sometimes require one (or two or three) of uppercase, number, or symbol for short passwords (i.e. stop requiring it if it is longer than 12 characters).
However, when a standard (or company policy) requires something like DIACAP, I'll enforce it in the pw creator. The absolute worst thing is when policy changes, and an allowed password becomes disallowed -- if it just expires and needs to be changed, that's one thing, but I've had sites where my long, special-case-laden passphrase worked in some login routines but didn't work in things like the password update routine (!!!).
For anything internal, I consider passwords basically unacceptable as an authentication mechanism alone; there must be PK or some kind of two factor auth.
One must think who the most likely person would be that would a) want access and b) try to break in... is it an anonymous hacker across the internet or a co-worker trying to sabotage? This is why "post-it noting passwords" is bad. Most computers/systems don't really have information that hackers want, other than to zombie a machine. This isn't to say we shouldn't worry about exposing our computers with quickly cracked passwords, we should protect all vectors into our systems but realize forcing strong need to "post-it note passwords" drastically increases the likelihood of an internal rat/mole.
This guy has no idea what a dictionary attack is, or entropy in various forms of password or pass phrase. Probably not a great source of security policy advice.
A pass phrase with 4 words chosen from a large alphabet, assuming the words are randomly selected, gets a lot of entropy really fast compared to similarly memorable numeric PIN (6-8 digits, tops). "leetspeak" passwords derived using common rules from rules aren't a lot better than just words themselves, and are hard to remember (I've had to brute force a bunch of variations on my own or for other people when keyboard layouts changed, or when exact punctuation was not remembered).
20000 words in vocabulary, take 4, is 1.6e17 combinations. Dictionary attack that?
44 bits of entropy from XKCD comic is assuming dictionary attacks. So even without number substitutions dictionary attack would take VERY long.
Edit: JoeAltmaier beat me by 1 minute with this.
Right, the use of numbers is not necessary. For example, I could publicly advertise that my password for a particular site consisted of exactly six words chosen randomly from the word list at http://world.std.com/~reinhold/diceware.html .
People would be free to attack it at will, but it wouldn't do much good because that password contains approximately 78 bits of entropy. The attack would be slow enough offline (for example if they somehow possessed a bcrypt hash of my passphrase), but far slower online (if they had to send each guess across the internet one by one).
I could of course cleverly substitute some digits here and there, which would make my public declaration a lie. I suppose some "security through obscurity" can help, though I could have accomplished just as much if not more by simply using seven words instead of six.
Dictionary attacks were How xkcd came up with the entropy for CorrectHorseBatteryStaple, I think. Also adding digits in a couple of places for vowels adds just a bit or so to entropy, a fairly weak (entirely predictable) way of improving passwords.
Displaying password rules inform a hacker what rules to obey and follow, reducing the number of combinations they have to try. Rather than have rules, after a user creates/enters their password just let them know if it sucks or not, perhaps give some "stats" as to how long it would probably take to crack. Scare them into something stronger, but don't force them into "post-it noting their password".
For regular websites, generating monitor post-its is inexcusable. Let your users choose the letter "a" as their password if they want, but warn them about the implications. The only acceptable password workflow for a website is this:
I'd go as far as having banks do it this way. Anything to avoid having access to a $20k wire transfer be as simple as sitting down at somebody's desk when they're gone for the day and reading a post-it saying "BofA - wAffles$2".