Slashdot Mirror


Password Complexity in the Enterprise?

andrewa asks: "What's the deal with passwords in a corporate environment these days? The company I work for has introduced layer upon layer of complexity on passwords over the years, and now it is simply ridiculous. We have to enter a 16-character password each month that cannot compare in any digits to the previous twelve passwords, nor can it be a simple string -- it has to be a mixture of upper- and lower-case characters including numerals and non-alphanumerical characters. What's next? A mixture of non-keyboard-accessible characters and several varieties of DNA? It's not like we are even a government institute -- we are a software company that does telecom stuff, for goodness' sake. Anyway ... you know what this makes me do? Write it down somewhere. How secure is that? The question is, I think my company is completely anal with the password requirements, what other security policies are in place in other companies that either completely exceed the banality of my company, or -- God forbid -- have a security system that makes sense?"

2 of 216 comments

  1. Re:What I like by localman · Score: 0, Redundant

    Not quite... the format itself is something you need to know. I don't know how that affects the outcome, but if the cracker doesn't know whether they're using just letters, two English words, capitalizing any letters in the words, adding a symbol between the words... overall I think it's a decent password scheme if the words are chosen randomly (not hand-picked) and if you vary them just a little with capitalization, 1337 speak, or a concatenation symbol. Oh, and my dictionary has over 200K words in it too.

    Cheers.

  2. Re:What I like by localman · Score: 0, Redundant

    Wait, if it is just a string of characters, a discrete enumerated set, as you say, then why is my password not considered 10 letters strong if it's two concatenated five-letter words? To make that leap you're using information that the cracker won't have, namely that I use two English words. Of course, if I advertise that fact you'd be right, but I would never tell anyone ;)

    I understand where you're coming from, from a cryptographic standpoint. But in practice you simply can't enforce passwords to be that good. No, really, I've tried. Virtually nobody uses the full 96-character set for their passwords, and they're certainly not randomly chosen. So if I use two randomly chosen words from even a simplified dictionary, I think it's better in practice (though not in theory) than what you're saying.

    Furthermore, I'd say that, depending on the application, 40 billion can be far more than enough. In fact, 10,000 is enough for high security in certain applications. Don't believe me? Check out your ATM PIN number. The important bit is that it has a physical key that you lose after three tries.

    Any login system should be set to lock out after a small number of failed attempts, such that the 40 billion possibilities are suitably secure. For things that can be cracked offline you can't rely on such things, so for sure, encryption keys need to be much much larger.

    Cheers.
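The arithmetic behind the comparison in this thread, as an added example that is not part of the original post: it works out the guess space and entropy of the schemes discussed (two random dictionary words, ten random characters, a four-digit PIN) and the chance of an online guess succeeding under a lockout, using the figures the comments give (a 200K-word dictionary, the 96-character printable set, 40 billion combinations, three PIN tries). The separator and capitalisation counts are assumptions for illustration.

```python
import math

# Parameters taken from the thread (200K-word dictionary, 96 printable
# characters, 4-digit PIN). Separator/case-variant counts are assumed.
DICTIONARY_WORDS = 200_000
PRINTABLE_CHARSET = 96
LOWERCASE_CHARSET = 26
PIN_SPACE = 10_000


def search_space_random_chars(length: int, charset: int = PRINTABLE_CHARSET) -> int:
    """Guesses needed to exhaust `length` uniformly random characters."""
    return charset ** length


def search_space_word_pair(words: int = DICTIONARY_WORDS,
                           separators: int = 1,
                           case_variants: int = 1) -> int:
    """Two words picked at random from a dictionary of `words` entries,
    each in one of `case_variants` forms (1 = lowercase only), joined by
    one of `separators` symbols (1 = plain concatenation)."""
    return (words * case_variants) ** 2 * separators


def entropy_bits(space: int) -> float:
    """Entropy in bits of a uniformly chosen secret from `space` candidates."""
    return math.log2(space)


def online_guess_success(space: int, attempts: int) -> float:
    """Probability an attacker guesses one uniformly chosen secret within
    `attempts` tries, i.e. before a lockout ends the attempt stream."""
    return min(attempts / space, 1.0)


def compare_schemes() -> dict:
    """Guess space and bits for each scheme the thread discusses."""
    schemes = {
        "two random words, lowercase, concatenated": search_space_word_pair(),
        "two random words, 10 separators, optional capital": search_space_word_pair(
            separators=10, case_variants=2),
        "10 random lowercase letters": search_space_random_chars(10, LOWERCASE_CHARSET),
        "10 random printable characters": search_space_random_chars(10),
        "4-digit PIN": PIN_SPACE,
    }
    return {name: (space, round(entropy_bits(space), 1)) for name, space in schemes.items()}


if __name__ == "__main__":
    for name, (space, bits) in compare_schemes().items():
        print(f"{name:55s} {space:>22,d}  {bits:5.1f} bits")
    # The offline/online distinction from the thread: with a 3-try lockout
    # the PIN holds up; the word pair holds up far better under any lockout.
    print("PIN, 3 tries:      ", online_guess_success(PIN_SPACE, 3))
    print("word pair, 5 tries:", online_guess_success(search_space_word_pair(), 5))
```

The two-word scheme with no variation is the "40 billion" figure from the comment (about 35 bits); a lockout after a handful of tries keeps that adequate for online logins, while the offline case needs the much larger spaces in the table.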