Discuss: Are Complex Passwords Really Necessary?
by Roshen Chandran, CISSP
Enlightening article! I agree that complex passwords do not prevent most web-application-related attacks. But here's the thing: as security experts, we've recommended the use of complex passwords for end users. This has resulted in a large number of end users adopting complex passwords. Now, if we were to say that complex passwords should be used on the internal LAN but are not necessarily required for web applications, it doesn't make things easy for them.
End users like things to be made fairly simple for them. It's one or the other, either black or white; grays make it confusing and can otherwise prove detrimental. A standard should be set; if it's complex, so be it for all applications, internal or web. If it's the use of passwords like "TheBeautifulLife", which is neither complex nor weak, so be it. We need to keep in mind that end users are often overwhelmed with their work and then with adapting to security best practices. The key idea is to make it easier for them to adopt best practices that work across all their functional areas rather than to create distinctions. Complex passwords work across all kinds of applications, be they internal or web related.
Great concept though, keep the good stuff coming!
In a work environment like ours complex passwords are a must. I believe complex passwords are better. If I am using "@" instead of "a", it makes a whole lot of difference. When people like me are trying to improve security by choosing complex passwords, security professionals like you are saying it is not essential. Sorry, I don't agree.
Sorry, I have to agree with Roger Grimes: "complex passwords do make a difference". I agree people tend to forget passwords, and some people write them down; still, you can keep your passwords secret. Say you are choosing "M@L@YSI@" as your password; you can write it down somewhere as "MALAYSIA" and keep in mind that "a" is to be replaced by "@" plus an exclamation mark needs to be added (for every password you use), or you can use an easy-to-remember number which you don't have to write down anywhere.
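The scheme above (write down MALAYSIA, type M@L@YSI@ plus an exclamation mark) is exactly the kind of transformation that password-cracking tools such as hashcat and John the Ripper apply automatically through mangling rules, so it is worth seeing how little it buys. The following is an added example, not code from the thread or from any of the commenters: a toy rule engine with a constructed five-word list, a handful of leet substitutions and common suffixes. The wordlist, the substitution table, the suffix list and the SHA-256 target are all assumptions made for the example; a real attack uses far larger lists and whatever hash the application actually stores.

```python
"""Added example: why 'a' -> '@' style substitutions add little strength.

A cracker does not guess 'M@L@YSI@!' character by character. It takes a
wordlist and applies mangling rules (case changes, leet substitutions,
common suffixes), as hashcat or John the Ripper rule files do. The rule
engine, wordlist and target below are constructed for this example.
"""
import hashlib
import itertools

# Constructed wordlist (hypothetical); real attacks use millions of entries.
WORDLIST = ["password", "malaysia", "singapore", "letmein", "welcome"]

# Leet substitutions of the kind the comment above describes (assumed set).
SUBSTITUTIONS = {"a": "@", "s": "$", "o": "0", "i": "1", "e": "3"}

# Common suffixes users append to satisfy "add a special character" advice.
SUFFIXES = ["", "!", "1", "123", "!1"]


def sha256_hex(s: str) -> str:
    """Unsalted SHA-256, standing in for whatever the application stores."""
    return hashlib.sha256(s.encode()).hexdigest()


def case_variants(word: str):
    """lower, UPPER and Capitalised forms of a wordlist entry."""
    return [word.lower(), word.upper(), word.capitalize()]


def substitution_variants(word: str):
    """Every way of applying or not applying each substitution to `word`."""
    letters = [k for k in SUBSTITUTIONS if k in word.lower()]
    for mask in itertools.product((False, True), repeat=len(letters)):
        out = word
        for letter, on in zip(letters, mask):
            if on:
                out = out.replace(letter, SUBSTITUTIONS[letter])
                out = out.replace(letter.upper(), SUBSTITUTIONS[letter])
        yield out


def candidates(wordlist):
    """Generate mangled candidates in the order a rule engine would try them."""
    for word in wordlist:
        for cased in case_variants(word):
            for mangled in substitution_variants(cased):
                for suffix in SUFFIXES:
                    yield mangled + suffix


def crack(target_hex: str, wordlist=WORDLIST):
    """Return (plaintext, guesses_tried) if the hash is recovered, else None."""
    for n, guess in enumerate(candidates(wordlist), start=1):
        if sha256_hex(guess) == target_hex:
            return guess, n
    return None


def candidate_count(wordlist=WORDLIST) -> int:
    """Size of the whole search space for this wordlist and rule set."""
    return sum(1 for _ in candidates(wordlist))


if __name__ == "__main__":
    # The commenter's scheme: remember MALAYSIA, type M@L@YSI@ plus '!'.
    target = sha256_hex("M@L@YSI@!")
    print(crack(target))         # recovered after a couple of hundred guesses
    print(candidate_count())     # the entire search space is under a thousand
```

The point is not that "M@L@YSI@!" is trivially weak in isolation, but that a substitution rule the user applies to every password is a rule the attacker applies too: the memorised base word, not the "@", is what has to resist the wordlist. Against an application that stores hashes, this is the whole game; against a login form, the application can make even a weak password expensive to guess by limiting attempts, which is a control the user cannot provide and the application can.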
Leema/Joel, thank-you for the observations.
Yes, users are welcome to use complex passwords when they want to. And apps should not forbid that.
But isn't there a world of difference between giving users the option to use complex passwords versus enforcing complex passwords in the name of security?
I think that applications should not enforce complex passwords, but instead use other practices to enhance security of user accounts.
It's great that security conscious users voluntarily use complex passwords. And here's an interesting piece "Simple Formula for Strong Passwords" from the SANS Reading Room you might enjoy.
http://www.sans.org/reading_room/whitepapers/authentication/1636.php
There's also a counter view to this whole business of complex passwords. Last year Bruce Schneier and Microsoft's Jesper Johansson urged users to write down their complex passwords and keep those bits of paper safe. It's easier to protect those bits of paper, they argued.
http://www.schneier.com/blog/archives/2005/06/write_down_your.html
http://news.com.com/Microsoft+security+guru+Jot+down+your+passwords/2100-7355_3-5716590.html
Roshen
Nice article. I had never given much thought to password complexity for web applications before this.
The main difference between the Windows LAN and web applications is that the latter are under our control and can be modified if required. Thus it does make a lot of sense to design in better controls instead of relying on password complexity alone.
Only poorly designed web applications outright _deny_ complex passwords; most web applications allow them but do not insist on them. I believe that is an acceptable approach.
Interesting thread on the same topic on the Web Application Security Mailing List:
"Why doesn't Amazon enforce a password policy?"
http://archives.neohapsis.com/archives/sf/www-mobile/2006-q4/thread.html#57