Complexity Sucks
Monday 24th July, 2006 09:22 Comments: 4
I was reading an email sent to the bugtraq mailinglist, which was a reply to a challenge to crack a Windows password (he gave the hash of a 15 character password). The challenger wanted to prove that all password hashes can easily be cracked with the right tool and dictionary. He also expected the first challenge to be cracked first. In the real world, the attacker would not have been given all the clues that he gave, but he wanted readers to understand how hard this would be to do even if you had all the clues a real cracker would need to begin the attack. It was a proof of concept of password length over complexity, if someone were to break the first one before the second or third he said he\'ll know he's wrong.
But most people replied immediately to agree that length is better than complexity! And I agree. If it's less complex, it often makes it easier to remember. I registered a new domain name last night that redirects to this site (I was impressed, it was registered and redirecting about 10 minutes after I\'d paid), but I had to get a password reminder emailed to me as I\'d totally forgotten the password for that account on that site (I used to save it in the browser, but on my new machine it wasn\'t saved). It turns out it was very complicated (random letters and numbers) and even now I can\'t remember it. Anyway, here's the reply:
I\'m saying if faced with increasing the strength of my passwords, I value length over complexity.
Case in point, a large city I consult for said they are moving their passwords from 5 character minimum to 8 characters and complex. (yeah, I had to stop coughing too...but 5 character minimums aren\'t that rare in very large environments).
I argued all day long that they should go to 12+ characters and forget the complexity. Mathematically and practically, I know I\'m right, but the world is all about complexity and less about length despite overwhelming evidence to the contrary that length is better overall.
For instance, I was creating a login account for my stock holdings today, and password requirements were six character minimum with 3 of 4 types of character complexity (normal for most complexity requirements). So even though my passphrase of idratherbetakingpicturesofsharks is much harder to crack, it will not be allowed. I have to choose a weaker, harder to remember, password to meet their password complexity requirements...and to tell you the truth, I\'m sick of it.
So, I\'m making my wake up call.
Do the math, do the cracking, length is a better defender than complexity.
Even when people are required to go complex, their complexity is pathetically predictable (32 characters cover 80% of all users), defeating the whole purpose for the complexity, no many how many characters can be used. So require increased length instead, forget complexity, and enjoy stronger protection.
Then all you have to do is convince your users not to give away their password to a complete stranger for a $2 chocolate bar.
That last line is the killer, so many people will hand over their details without thinking "why do they need to know that?".
I bet that dollar symbol will screw up the XHTML. I\'ll write/fix the special characters code someday.
But most people replied immediately to agree that length is better than complexity! And I agree. If it's less complex, it often makes it easier to remember. I registered a new domain name last night that redirects to this site (I was impressed, it was registered and redirecting about 10 minutes after I\'d paid), but I had to get a password reminder emailed to me as I\'d totally forgotten the password for that account on that site (I used to save it in the browser, but on my new machine it wasn\'t saved). It turns out it was very complicated (random letters and numbers) and even now I can\'t remember it. Anyway, here's the reply:
I\'m saying if faced with increasing the strength of my passwords, I value length over complexity.
Case in point, a large city I consult for said they are moving their passwords from 5 character minimum to 8 characters and complex. (yeah, I had to stop coughing too...but 5 character minimums aren\'t that rare in very large environments).
I argued all day long that they should go to 12+ characters and forget the complexity. Mathematically and practically, I know I\'m right, but the world is all about complexity and less about length despite overwhelming evidence to the contrary that length is better overall.
For instance, I was creating a login account for my stock holdings today, and password requirements were six character minimum with 3 of 4 types of character complexity (normal for most complexity requirements). So even though my passphrase of idratherbetakingpicturesofsharks is much harder to crack, it will not be allowed. I have to choose a weaker, harder to remember, password to meet their password complexity requirements...and to tell you the truth, I\'m sick of it.
So, I\'m making my wake up call.
Do the math, do the cracking, length is a better defender than complexity.
Even when people are required to go complex, their complexity is pathetically predictable (32 characters cover 80% of all users), defeating the whole purpose for the complexity, no many how many characters can be used. So require increased length instead, forget complexity, and enjoy stronger protection.
Then all you have to do is convince your users not to give away their password to a complete stranger for a $2 chocolate bar.
That last line is the killer, so many people will hand over their details without thinking "why do they need to know that?".
I bet that dollar symbol will screw up the XHTML. I\'ll write/fix the special characters code someday.
Robert - Monday 24th July, 2006 15:10 Wow, it appears that the dollar sign is fine!
After posting that comment I realised the page was displaying the old style comments. I hope that's fixed now!
Okay, now I think it's really fixed. My check was happening before the POST instead of after.