Why password security rules don’t work
     
    Organisations need to do a lot more on password security rather than making the user remember strings of characters and numbers, write Hazel Murray and Prof David Malone, Department of Maths and Statistics

    Password rules are frustrating, but they are worth it, right? Well, maybe not. Security theatre is the idea that organisations and businesses will put strict security policies in place, but these often have little security benefit and sometimes can even reduce security. 
     

    We can look at two examples of this related to passwords, an area of security we are all familiar with. The first example of security theatre is forcing users to change their password every 90 days and a second is enforcing complicated requirements for the numbers and symbols that must be included in passwords.
     
    We've all been there
     
    To understand why these restrictions are ineffective, we must first look at the types of attacks they claim to be protecting against. These are guessing attacks and they take two forms.
     
    Online guessing: a computer program pretends to be a user and tries logging in over and over again using guessed usernames and passwords. Anyone or any computer can try this type of guessing.
     
    Offline guessing: this can only happen if the list of all user's passwords has been leaked from the organisation. In this case, strong cryptography should have been used to protect the passwords in the list. If so, the attacker needs to try to guess the passwords because they are still encrypted. Importantly, for this attack, the attacker can focus all the computing power at their disposal to guess the passwords on the list offline.
     
    To try to protect against these attacks, organisations force users to change their passwords regularly and force them to include specific character types in their passwords. But why are these rules ineffective?
     
    'You must change your password every 90 days'
     
    Password change rules such as "you must change your password every 90 days" aim to either reduce the attacker’s chances of guessing an account password, or to respond to it.
     
    Let's first look at its effectiveness against offline guessing. An attacker has successfully guessed a user’s password offline, but the hope is that the user’s password will have been changed by the time the hacker goes to use it.
     
    There are two problems with this as a security measure. First, the organisation should be aware when their password file has been leaked so that they can get all users to change their password if it happens. It should not be necessary to have a regular password change set up 'just in case’. 
     
    Second, there is a strong link between many user’s previous passwords and their newly chosen one. Once an attacker has a previous password, they can figure out what the current password is within a small number of guesses.
     
    Changing from 'P@sswordMay' to 'P@sswordJune'
     
    The benefit of changing passwords must therefore come from providing protection against online guessing. The security logic here is based on the idea that a user can change their password and then the attacker is forced to start their guessing over so that they can complete an exhaustive search (checking every option).
     
    But an attacker should always only be able to make a limited number of online guesses (eg 'you will be locked out if you enter the wrong password 10 times') so in reality an attacker will never do an exhaustive search. Over 1% of users will choose the password "123456" and less than 1% will choose the password "password". An attacker is looking to compromise as many accounts as possible with little effort, so an attacker will only try the most common guesses. Protecting against an exhaustive attack will bring little benefit. 
     
    Changing your password regularly is inconvenient and makes the password more difficult to remember. Most people who know they need to change their password every 90 days will choose weaker and more predictable passwords which further reduces security.
     
    Why we use '1' or '!' in our passwords
     
    When most people are asked to put a number in their password, they will put a 1 or their year of birth at the end. When asked to include a symbol, many will use an exclamation mark. As well as the predictability of the added characters, complex character requirements in passwords are also ineffective. They are not strong enough to protect against an offline guessing attack and are unnecessarily rigid for protecting against an online guessing attack. 
     
    An attacker who is online guessing should be limited to only a certain number of wrong guesses before they are locked out. Provided your password is not in the list of the top 10,000 worst passwords, you should be safe.
     
    For offline guessing, an attacker has time and resources on their side.  It only costs €1,500 to build a computer that can make 100,000,000,000,000 guesses in a month. Realistically to try to withstand this, you would need to ensure that there is nothing predictable in your password and this will make it very difficult to remember.
     
    Thus, a forced rule such as you must include letters, numbers and symbols in your password does little against either guessing type and yet is a major inconvenience.
     
    Security rules that work
     
    It is important that before introducing security rules we make sure they will actually be effective against the real attacks we are attempting to protect against. Password policies which are unusable to those who have to put up with them are useless. People need to get a job done and they will circumvent any policy that they find too cumbersome.
     
    But if research is repeatedly showing that these policies are not worthwhile, why are organisations and companies still happy to make their employees use them? Does it show that organisations care less about actual security and their users than they do about their security theatre? Security theatre is the double edged sword of providing a false sense of security while also majorly inconveniencing users. 
     
    What should organisations do?
     
    The important aspects of security should happen on the organisation's side, such as limiting the number of online guesses, protecting the password file and encrypting the passwords with strong cryptography. The problem is that you as a user can’t guarantee that any of these security policies are in place so a strong password is often the only thing we have control over. 
     
    Using a password manager will help you set different passwords for every site you use. This means that if one organisation incorrectly stores your password and it is compromised, then all your other accounts are at least safe.