Tuesday, May 1, 2012

Apple Doubles Down on Bad Password Policy

A coworker had her iPhone stolen this morning, so I thought it would be an appropriate time to update my "Find my Phone" settings. In the process, I wanted to create a new, more secure password for my Apple account. I don't know if it was the fact that it was first thing in the morning, that I had low blood sugar, or that this policy is genuinely idiotic, but seeing Apple's new password requirements put me into a near apoplectic rage.

Requirements: 1 capital letter, 1 lowercase letter, 1 number.

Honestly, this is just awful. The chances that I will forget this nonsense password are now very, very high, and I will have to rely on the horrid security questions I filled out just last week. Which, for the record, I got wrong today when I was prompted by iCloud. Proving my point rather well, I'd argue.

Also, for the record, I'd like to point out that the uppercase/lowercase distinction in particular is extremely poor password policy. First off, it does not substantially add to the complexity of brute forcing a password. Testing an 8 character password drawn from a character set of 62 (a-z + A-Z + 0-9) is not much more computationally burdensome than testing a 9 character password drawn from a character set of 36 (a-z + 0-9): (62^8)/(36^9) = 2.14†. This means that for ALL the added security of requiring one capital letter in an 8 character password, the effect is almost negated by adding a single additional character to a password without capital requirements. Let's take this math further. If you add two characters to a password that is only alphabetic, without a numeric requirement, a 10 character password is almost exactly as secure as an 8 character password with these absurd requirements ((62^8)/(26^10) = 1.55).

Compound this with the fact that, truly, there is no consistent way to attach meaning to capitals, and you have a truly ridiculous requirement. What capitalization schema are people supposed to use so that they will remember which characters to capitalize? camelCaps? StrictCamelCaps? evEryThiRd? No one will ever remember this, and, additionally, anyone who is smart will, rather than trying to brute force a password, run through these common capitalization schemes first and reduce the time needed to guess it. So, in other words, the only meaningful way to include capitalization in a password, in order to make brute force attacks harder, is for it to follow no pattern whatsoever. Good luck remembering that.

So, in conclusion, a message to Apple: a 10 character, plain English password is almost exactly as secure as an 8 character password that meets your absurd requirements. So, do us a favor: up the minimum password length, rather than make us type L1k3tHIs.

†When rules are added to password requirements, they should introduce something like an order of magnitude more complexity, ideally two. A single-digit factor increase in computational complexity, especially in the neighborhood of 2, is just not worth it. The time frame (hours, days, months) to brute force a password won't be changed by a factor like this. So, if the goal is to make brute forcing not worthwhile, you need something that changes the time frame dramatically, i.e., from hours to weeks or from days to months. A factor of ~2 will simply not accomplish this.
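The keyspace arithmetic above and the time-frame argument in the footnote, worked through in code. This is an added example, not part of the original post; it also goes one step beyond the post by counting only the passwords that actually satisfy the "at least one of each class" rule (inclusion-exclusion), which is smaller than the 62^8 figure used in the text, and the 1 billion guesses per second rate is a constructed illustrative value, not a measurement.

```python
from itertools import combinations

# Character classes used in the post: A-Z, a-z, 0-9.
UPPER, LOWER, DIGIT = 26, 26, 10


def keyspace(length, alphabet_size):
    """Passwords of `length` over an alphabet with no composition rules."""
    return alphabet_size ** length


def compliant_keyspace(length, classes=(UPPER, LOWER, DIGIT)):
    """Passwords of `length` over the union of `classes` that contain at
    least one character from every class (Apple's rule, for three classes).

    Inclusion-exclusion: start from all strings, subtract those missing one
    class, add back those missing two, and so on. Requiring a class can only
    shrink the space, so the result is always <= keyspace(length, sum(classes)).
    """
    total = sum(classes)
    count = 0
    for k in range(len(classes) + 1):
        for missing in combinations(classes, k):
            count += (-1) ** k * (total - sum(missing)) ** length
    return count


def exhaust_seconds(space, guesses_per_second):
    """Worst-case time to try every password in `space` at a fixed rate."""
    return space / guesses_per_second


def compare_policies(rate=1e9):
    """Ratios from the post plus the strictly-enforced variant.
    `rate` is a constructed illustrative guess rate (1e9/s), not a measured one."""
    complex8 = keyspace(8, UPPER + LOWER + DIGIT)  # the post's 62^8
    enforced8 = compliant_keyspace(8)               # at least one U, L and D
    lower_digit9 = keyspace(9, LOWER + DIGIT)       # 36^9
    alpha10 = keyspace(10, LOWER)                   # 26^10
    return {
        "62^8 / 36^9": complex8 / lower_digit9,
        "62^8 / 26^10": complex8 / alpha10,
        "enforced_8 / 26^10": enforced8 / alpha10,
        "enforced_8 / 62^8": enforced8 / complex8,
        "hours_62^8": exhaust_seconds(complex8, rate) / 3600,
        "hours_26^10": exhaust_seconds(alpha10, rate) / 3600,
    }


if __name__ == "__main__":
    for name, value in compare_policies().items():
        print(f"{name:>20}: {value:,.2f}")
```

Both exhaustion times land in the same "a couple of days" bracket at the assumed rate, which is the footnote's point about factors near 2.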
