May 25, 2010 07:31 AM

There's Nothing Complex About Passwords, Unless You're on the Web

Windows IT Pro
InstantDoc ID #125243

Dealing with security is annoying, and that's an opinion coming from someone who makes much of my living helping others with their computer security. But you know what's even more annoying? Someone else forcing me to comply with their badly-conceived security requirements. Of all of the ridiculous security policies, complex passwords have to be the dumbest.

The other day, I logged onto my bank's website to pay a few bills, only to be barred by its logon system, which refused to let me get to my money unless I created a new password. It seems that my old password, "mysillieshoes," lacked "complexity." Clearly some security dweeb at the bank decided that the bank's customers must adorn and strengthen any all-lowercase password (because they feel that all-lowercase passwords are easy to crack) with a mix of capitals, punctuation, and numbers. This irritated me, so I thought I'd be a smartass and try to create a new password of MarkMinasi1 and, to my astonishment, it took it. (Yes, I changed it to something else, but it took a phone call to get them to let me change my password twice in one day.)

So-called complex passwords drive me crazy. Look, we all understand the basic point: the average user will, left to himself, choose a password that is probably an English word or a name and that is probably six characters or fewer in length. And yes, if I were a security officer at that bank and found that most of my customers' passwords were (for example) seven-character English words, my head would explode. Analysis like that makes sense because I'd estimate that there are only about 28,000 seven-letter words, and it just doesn't take a computer all that long to try 28,000 words. Adding a requirement for uppercase, numbers and/or punctuation will, in theory, cause users to have some sort of "password epiphany" leading to passwords like "y7t$-ZZ," a prospect that has to gladden the heart of the most curmudgeonly security officer.

The problem with this thinking is that such a policy won't produce significantly more complex passwords. Compel a user who likes the password "wallets" to "get complex," and you're going to get a password like "Wallets1," or, if the user's really tech-savvy, perhaps "Wa11ets," "Wallet$" or the like. In the end, you'll get a mildly more complex password, perhaps one 10 times harder to guess and 50 times harder to remember. In my experience, forcing complex passwords is just tantamount to passing what I call "The Help Desk Full Employment Act of 2010." (And even if you do get folks to use complex passwords, you end up with passwords that are typed much more slowly than all-lowercase passwords, making shoulder-surfing much easier.)

The better answer, and one that many security types (myself included) advocate, is to let users create all-lowercase passwords but to require them to be a bit longer. To make this work, we teach users to string a few words together as a nonsense "passphrase," like my old bank password. Things like "meatcorn," "rubbishnose," or "sharkbake" are sort of funny (well, at least goofy) and so easy to remember, but not likely to be guessed. So here are a few suggestions for websites that want to tell me whether my password is good or not.

  1. Drop the complex stuff. People forget where they've put the one capital and one number that you forced them at gunpoint to insert, and then they've got to retrieve their password by typing in a "secret" like, "What's your mother's maiden name?" (let's hope that there are no websites with genealogy information) or, "What high school did you attend?" (hell-o, classmates.com!). Good passwords don't get forgotten, and can't be guessed, and complex fails on the first point.
  2. Scan for English words and block passwords that use them. The Oxford English Dictionary claims that there are about 411,000 English words out there; checking new would-be passwords against such a list would take milliseconds. And the Google guys have what may be the best "password picker interface" around. As you type a new Google password, it offers immediate feedback on how strong your password is—nice touch, Google.
  3. Advocate passphrases. Let 'em do lowercase, but make the minimum password length eight or nine characters.
  4. Explain what you want them to do. Offer examples. Explain what a passphrase is. Offer four goofy ones and, of course, make sure that no one uses them.
  5. Wouldn't it be great if Windows could check passwords for all those things? Just a thought.
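The policy the article argues for, as an added example that is not the author's code: accept all-lowercase passwords if they are long enough, reject a single dictionary word even when it is "decorated" the way users decorate words when forced to ("Wallets1," "Wa11ets," "Wallet$," "P@ssw0rd"), and compare the keyspace a complexity rule imagines with what a dictionary attacker actually has to try. The tiny word list, the leet-speak table and the factor of 10 mangling rules are constructed assumptions; the 411,000-word figure and the 8-character minimum are the article's.

```python
import math
import string

# Constructed stand-in for a real word list; in practice load the full dictionary
# the article mentions (hundreds of thousands of words) from a file.
DICTIONARY = {"wallets", "wallet", "password", "meat", "corn", "rubbish", "nose",
              "shark", "bake", "silly", "shoes"}

# The substitutions users reach for when told to "get complex", reversed,
# so "Wa11ets" and "P@ssw0rd" collapse back to the words they decorate.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "$": "s", "@": "a", "!": "i"})

MIN_LENGTH = 8  # the article's "eight or nine characters"

def normalize(pw: str) -> str:
    """Lowercase, drop a trailing run of digits/punctuation, undo leet-speak."""
    return pw.lower().rstrip(string.digits + string.punctuation).translate(LEET)

def is_decorated_word(pw: str) -> bool:
    """True if the password is one dictionary word wearing a disguise."""
    return normalize(pw) in DICTIONARY

def check_password(pw: str) -> tuple:
    """Accept long, non-dictionary passwords; all-lowercase is fine."""
    if len(pw) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if is_decorated_word(pw):
        return False, "a single dictionary word, possibly decorated"
    return True, "ok"

def naive_space_bits(pw: str) -> float:
    """log2 of the keyspace a 'complexity' policy imagines: every string of
    this length over the character classes the password actually uses."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = sum(len(cls) for cls in classes if any(c in cls for c in pw))
    return len(pw) * math.log2(alphabet)

def effective_bits(pw: str, dict_size: int = 411_000, mangles: int = 10) -> float:
    """log2 of what a dictionary attacker really has to try. For a decorated
    word it is (word list) x (a handful of mangling rules); 411,000 words and
    the 'about 10 times harder' factor are the article's figures (assumed here)."""
    if is_decorated_word(pw):
        return math.log2(dict_size * mangles)
    return naive_space_bits(pw)

if __name__ == "__main__":
    for pw in ("Wallets1", "Wa11ets", "P@ssw0rd", "rubbishnose", "mysillieshoes"):
        ok, why = check_password(pw)
        print(f"{pw:14} accepted={ok!s:5} ({why}); naive={naive_space_bits(pw):.1f} "
              f"bits, effective={effective_bits(pw):.1f} bits")
```

Run as a script it shows "Wallets1" looking like a 62-character-alphabet, 8-character secret (about 48 bits) while really sitting in a roughly 22-bit space, and the all-lowercase "rubbishnose" scoring higher on both measures.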

In sum, I beg all of you building secure websites: give this a thought and perhaps you'll make our cyber-lives just a bit less annoying. Pleeeze?


Comments
  • Bensen
    Jul 14, 2010

    Thanks for saying what I have been ranting about for years! I also find that the level of security required does not match the risk. I mean, do content environments where I read shopping news really need this level of scrutiny? Every person I know in corporate America (excluding IT professionals) uses the same password with a single number or character for EVERYTHING - often for personal and business. Isn't this behaviour inherently a bigger security risk? How many people have all their passwords "written down" on a note in Outlook or in Excel so they can remember them and any other variation required by different sites. Can we get the thumbprint technology working please? BTW, my password choice while registering for this site to comment failed. :)

  • Dimitrios Kalemis
    May 30, 2010

    "As you type a new Google password, it offers immediate feedback on how strong your password is—nice touch, Google."
    Hotmail does that, too.

  • Baxter
    May 26, 2010

    Aren't we missing something here - this article is talking about the web - would a web app really let a client try to log in 28,000 times without locking the account? If so it's the app that needs more complexity, not the user.

  • Priest
    May 25, 2010

    @Braiter: I think you're missing the point with the special character substitution - it only makes the password fractionally harder for a computer to crack. Some of the first passwords to try (all of which meet the "complex" criteria) when performing a penetration test, before even using an automated tool are: Password1, p@ssw0rd, P@ssw0rd, ... - do any of these look familiar? I certainly hope not.

    Passphrases are clearly a much better way to go (though personally I still like to include upper & lower & maybe even punctuation).

  • Braiter
    May 25, 2010

    I tend to tell people to use the number for letter substitution or letter/number for special character substitution.

    @IT Juggler: I haven't touched Server 2008/2008 R2 but in 2003 you could turn off [Computer Configuration\Windows Settings\Account Policies\Password Policy].
