Out of the Box Thinking on Password Policies

For all that authentication vendors may proclaim “the death of passwords,” the pesky things aren’t going away. In fact, I don’t think they should. However, I’ll be the first to acknowledge how broken password authentication is in current practice. Sardonically repeat after me: “A strong password is one that you can’t remember, but that you’re not supposed to write down.”

Password Policy Minutiae

Recently, I came across a proposed policy that looks something like this:

“Our [community] will define and support weak, medium and strong password policies.  

When a user’s password is persisted it MUST be stored salted and hashed by a one way hash algorithm.

All passwords must adhere to at least the standards of a Weak Password. Passwords that use stronger constraints can indicate so in authentication flows and potentially trigger higher levels of assurance.

Weak Password: Must be at least 6 characters and contain at least one letter and one number

Medium Password: Must be at least 8 characters, have at least 2 letters, 2 numbers and at least one special character, e.g. @, #, $ etc.

Strong Password: Must be at least 10 characters and have at least 3 letters, 3 numbers and at least one special character, e.g. @, #, $ etc. Expires every 60 days. New password cannot be the same as any of the previous 3.”

This is a reasonable policy as far as it goes. You could quibble about the numbers of characters and such; there’s lots of research and math on password strength. One could spend a lot of time going through resources such as NIST Special Publication 800-63-2 and Wikipedia’s article on password strength.

A Simplifying Assumption

But why? In my view, account lockout policy trumps password strength. That is to say, any 6 character password that can’t be guessed is a strong password if the authentication service locks the account after a certain number of failed attempts. I would recommend giving the user 3 tries initially, then a message such as this one:

Yeah, I know, I don’t belong in the Human Factors Department. But display something like this and repeat a few more times if you think appropriate. Give the user a chance to cool off and remember the password or find where she wrote it down (hopefully in a locked and hidden place).

The point here is that if you implement account lockout, the actual composition and length of a non-guessable password may become irrelevant.
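As an added illustration (my sketch, not code from the post), here is how the two ideas above fit together: the quoted weak/medium/strong tiers as a classifier, and a login check that stores only a salted one-way hash and gives the user 3 tries before a cool-off, as the post recommends. The cool-off length, the PBKDF2 work factor and the reading of “special character” as any non-alphanumeric character are my assumptions, since the post fixes none of them.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

MAX_ATTEMPTS = 3         # the post's "3 tries initially"
COOL_OFF_SECONDS = 300   # assumed cool-off length; the post names no figure
PBKDF2_ROUNDS = 100_000  # assumed work factor for the salted one-way hash

def classify_password(pw: str) -> Optional[str]:
    """Map a password to the quoted weak/medium/strong tiers; None means rejected."""
    letters = sum(c.isalpha() for c in pw)
    digits = sum(c.isdigit() for c in pw)
    specials = sum(not c.isalnum() for c in pw)   # assumption: any non-alphanumeric
    if len(pw) >= 10 and letters >= 3 and digits >= 3 and specials >= 1:
        return "strong"
    if len(pw) >= 8 and letters >= 2 and digits >= 2 and specials >= 1:
        return "medium"
    if len(pw) >= 6 and letters >= 1 and digits >= 1:
        return "weak"
    return None

def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted one-way hash, as the quoted policy requires for persisted passwords."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)

@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked

def authenticate(acct: Account, pw: str, now: float) -> str:
    """Return 'ok', 'bad_password' or 'locked'; `now` is injected for testability."""
    if now < acct.locked_until:
        return "locked"                       # refuse before even hashing the guess
    _, digest = hash_password(pw, acct.salt)
    if hmac.compare_digest(digest, acct.digest):
        acct.failures = 0                     # a good login clears the counter
        return "ok"
    acct.failures += 1
    if acct.failures >= MAX_ATTEMPTS:
        acct.locked_until = now + COOL_OFF_SECONDS
        acct.failures = 0                     # the next window gets a fresh 3 tries
        return "locked"
    return "bad_password"
```

Note that the correct password is refused too while the cool-off is running, and that the lock is temporary, so a burst of wrong guesses delays the legitimate user rather than shutting her out for good.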
Account Lockout Requires Account Recovery

Many sites’ authentication services rely on account recovery, through whatever email account the user registered with them, to handle the problem of forgotten passwords. Combined with account lockout after a reasonable number of failed login attempts, this provides a help desk-less solution to the forgotten password problem. It could also offer some assurance that the user’s account won’t be compromised by cyberattackers in the process, but for one thing.

Just as account lockout trumps relatively weak passwords (in a good way), keyloggers, touchloggers or other malware trump account recovery through the primary email account (in a bad way). As I wrote in a prior post, Account Recovery May be the Weakest Link, if the user’s computer is compromised, so is the account recovery backstop email account, and through it, perhaps his whole digital life online. Unless we:
Add a Secondary Authentication Factor

Shouting from the virtual rooftops now: Two Factor Authentication (2FA) May be your Best Hope. 2FA solutions are available from the major cloud providers where you or your users probably keep your primary email accounts. To trump the keyloggers, touchloggers and other malware, you need to use a 2FA solution that actually employs a secondary device (your phone if you’re logging in through your PC, or vice versa) to obtain a one-time token that’s valid for a short period of time.

Out of the Box Bottom Line

While there are many options for strong passwords, account lockout reduces your need for them. When you implement account lockout, however, you need a good account recovery process. Account recovery can be done many ways, including through secret questions and answers, and perhaps involving a help desk.

But my personal favorite is account recovery through email verification – if and only if the email account is itself protected through two factor authentication.

As part of a service provider’s authentication and account recovery strategy, I strongly recommend educating users about the importance of protecting the core email recovery account through generally available 2FA options.