In a paper presented at the 6th Symposium on Usable Privacy and Security, Dinei Florencio and Cormac Herley of Microsoft Research examined the password policies of 75 Internet sites. The sites ranged from very popular sites and services such as Facebook or Paypal to more sensitive ones such as government agencies.
They evaluated the strength of the enforced policy with the equation N·log2(C), where N is the minimum size of the password and C is the cardinality of the allowed character set. Obviously, this equation is not a perfect evaluation of the constraints, because it does not take into account requirements such as the mandatory use of digits or special characters. Nevertheless, the result is simple (and perhaps not too surprising):
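To make the measure concrete, here is an added example (my own code, not the authors') that computes N·log2(C) for a few constructed sample policies, and alongside it the exact count when one character class is mandatory, which shows the small overstatement the formula makes. The policies and their values are illustrative, not figures from the paper.

```python
import math

# Constructed sample policies: (minimum length N, size C of the allowed
# character set). Illustrative values, not figures taken from the paper.
SAMPLE_POLICIES = {
    "6 digits (PIN-style)": (6, 10),
    "8 lowercase letters": (8, 26),
    "8 letters and digits (both cases)": (8, 62),
    "12 printable ASCII": (12, 95),
}


def policy_bits(min_len, charset_size):
    """Strength in bits as the paper measures it: N * log2(C)."""
    return min_len * math.log2(charset_size)


def bits_with_mandatory_class(min_len, charset_size, class_size):
    """Bits when at least one character must come from a sub-class of
    size class_size (for example, 'at least one digit').

    Counts the length-N strings over C symbols that contain at least one
    symbol of the class: C^N - (C - class_size)^N. The plain N*log2(C)
    measure ignores the requirement and therefore slightly overstates
    the size of the password space."""
    total = charset_size ** min_len - (charset_size - class_size) ** min_len
    return math.log2(total)


def report(policies=SAMPLE_POLICIES):
    """Return (name, N, C, bits) rows for each policy, bits rounded to 0.1."""
    return [(name, n, c, round(policy_bits(n, c), 1))
            for name, (n, c) in policies.items()]


if __name__ == "__main__":
    for name, n, c, bits in report():
        print(f"{name:36s} N={n:2d} C={c:3d} -> {bits:5.1f} bits")
    print("8 chars over 62 symbols, one digit required:",
          round(bits_with_mandatory_class(8, 62, 10), 2), "bits")
```

The gap between `policy_bits(8, 62)` and `bits_with_mandatory_class(8, 62, 10)` is well under one bit, so the simple measure ranks policies correctly even though it is not exact.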
The size of the site, the number of user accounts, the value of the resources protected, and the frequency of non-strength related attacks all correlate very poorly with the strength required by the site.
In other words, the sites with the most constraining policies are not necessarily the sites most at risk. For instance, Gmail or Paypal do not have strong constraints. Most often, the sites with the most constraining policies have no incentive to attract numerous visitors, or have a captive “audience”. The constraints were driven more by the need to attract visitors than by security itself.
It is the usual trade-off between security and usability. Facebook, which is funded by advertising, needs frequent visitors. A too complex password policy may put off many users and thus make the site less attractive.
The authors argue that there is most probably no need for a strong password policy, because the strategies that defeat online brute-force attacks should be deterrent enough. They cite Twitter, which recently banned the 370 most common passwords. According to them, strong passwords are most probably only useful if an attacker gains access to the hashed password file. (Remember the use of rainbow tables.)
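The argument rests on the online guess rate being bounded by the server, so here is an added example (my own code, not from the paper or from Twitter) of the two defences just mentioned: a banned-password check with a small constructed list, and a per-account throttle with exponential lockout, together with a simulation of how many online guesses the throttle permits per day. The account name, the banned list and the throttle parameters are all assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed list of banned passwords for illustration only; Twitter's
# actual list of 370 is not reproduced here.
BANNED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "abc123"}


def is_banned(password):
    """Reject the most common passwords regardless of length/charset rules."""
    return password.strip().lower() in BANNED_PASSWORDS


class LoginThrottle:
    """Per-account throttle. After `free_attempts` consecutive failures,
    each further failure locks the account for a delay that doubles every
    time, capped at `max_delay` seconds. A successful login resets it."""

    def __init__(self, free_attempts=5, base_delay=1.0, max_delay=3600.0):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.failures = defaultdict(int)        # account -> failure count
        self.locked_until = defaultdict(float)  # account -> unlock time

    def allowed(self, account, now):
        return now >= self.locked_until[account]

    def record_failure(self, account, now):
        self.failures[account] += 1
        extra = self.failures[account] - self.free_attempts
        if extra > 0:
            delay = min(self.base_delay * 2 ** (extra - 1), self.max_delay)
            self.locked_until[account] = now + delay

    def record_success(self, account):
        self.failures.pop(account, None)
        self.locked_until.pop(account, None)


def guesses_possible(seconds, **throttle_args):
    """Simulate an online guesser who submits a wrong password the instant
    the throttle allows it; return how many guesses fit within `seconds`."""
    throttle = LoginThrottle(**throttle_args)
    account = "victim"  # constructed account name for the simulation
    now, guesses = 0.0, 0
    while now < seconds:
        if throttle.allowed(account, now):
            throttle.record_failure(account, now)
            guesses += 1
        else:
            now = throttle.locked_until[account]  # wait out the lockout
    return guesses


if __name__ == "__main__":
    print("banned?", is_banned("Password "))
    print("online guesses per day under default throttle:",
          guesses_possible(86400))
```

With the defaults (5 free attempts, then 1 s, 2 s, 4 s, ... up to a 1 h cap) the simulation allows 40 guesses in a day, which is why even a modest password survives an online attack; the same password in a leaked hash file is tested at whatever rate the attacker's hardware allows, which is where strength actually matters.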
Their view on the trade-off between usability and security is interesting.
When the voices that advocate for usability are absent or weak, security measures become needlessly restrictive.
I'll let you savor this statement. Any reactions?
The paper is available here.