Source URL: https://www.schneier.com/blog/archives/2024/11/good-essay-on-the-history-of-bad-password-policies.html
Source: Schneier on Security
Title: Good Essay on the History of Bad Password Policies
Feedly Summary: Stuart Schechter makes some good points on the history of bad password policies:
Morris and Thompson’s work brought much-needed data to highlight a problem that lots of people suspected was bad, but that had not been studied scientifically. Their work was a big step forward, if not for two mistakes that would impede future progress in improving passwords for decades.
First was Morris and Thompson’s confidence that their solution, a password policy, would fix the underlying problem of weak passwords. They incorrectly assumed that if they prevented the specific categories of weakness that they had noted, the result would be something strong. After implementing a requirement that passwords have multiple character sets or more total characters, they wrote:…
AI Summary and Description: Yes
Summary: The text discusses the shortcomings of historical password policies proposed by Morris and Thompson, highlighting their flawed assumptions about password security and the impact of password hashing on evaluating password strength. It serves as a reminder for security professionals to critically evaluate password policies and emphasize user behavior in improving security.
Detailed Description: The text analyzes the historical context and implications of password policies suggested by Morris and Thompson. It underscores several key points:
– **Historical Context**: The work of Morris and Thompson was pivotal in bringing attention to the issues with password security at a time when password weaknesses were widely suspected but not thoroughly studied.
– **Failures of Assumptions**:
  – Morris and Thompson believed that implementing a password policy would inherently lead to stronger passwords.
  – They did not account for user behavior and how compliance with arbitrary rules could still lead to insecure choices, such as using common substitutions (e.g., “p@ssword”).
– **Lack of Effectiveness Testing**:
  – Their approach lacked empirical testing to validate its effectiveness or to measure users’ password strength beyond compliance with their rules.
  – The absence of defined metrics made it difficult for other experts to challenge their conclusions or improve upon them.
– **Impact of Hashing**:
  – The essay emphasizes an unintended consequence of password hashing: once passwords were stored only as hashes, administrators could no longer see what users actually chose, so the real strength of those passwords was hidden.
  – It wasn’t until breaches exposed password databases that the extent of user password weakness became clear.
– **Behavioral Insights**: The text highlights the critical need for security professionals to focus on user behavior and password choice rather than relying solely on policies that do not consider how people actually generate passwords.
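To illustrate the gap the essay describes (a composition rule that a substitution such as “p@ssword” satisfies), here is an added Python example that is not from the post or the essay: it applies a rough Morris-and-Thompson-style composition rule, then undoes common substitutions and checks a tiny constructed blocklist. The thresholds, the substitution table, and the five-word blocklist are assumptions made for the example.

```python
import re

# Constructed stand-in for a breach-derived blocklist; real lists hold millions of entries.
BLOCKLIST = {"password", "letmein", "qwerty", "welcome", "monkey"}

# Substitutions users commonly apply to satisfy character-class rules (assumed table).
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                       "0": "o", "$": "s", "5": "s", "7": "t"})

# Character classes counted by the composition rule.
_CLASSES = [str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum()]


def composition_ok(pw: str, min_len: int = 6, long_len: int = 8) -> bool:
    """Approximation of the historical rule: either more total characters,
    or at least min_len characters drawn from two or more character classes."""
    if len(pw) >= long_len:
        return True
    classes = sum(1 for test in _CLASSES if any(test(c) for c in pw))
    return len(pw) >= min_len and classes >= 2


def normalize(pw: str) -> str:
    """Reduce a password to the dictionary word a user probably started from:
    lower-case it, drop trailing digits/punctuation, then undo leet substitutions."""
    base = re.sub(r"[\d\W_]+$", "", pw.lower())
    return base.translate(_LEET)


def blocklisted(pw: str) -> bool:
    """True when the normalized form is a known weak base word."""
    return normalize(pw) in BLOCKLIST


def evaluate(pw: str) -> dict:
    """Report both verdicts so the divergence between them is visible."""
    return {"composition_ok": composition_ok(pw), "blocklisted": blocklisted(pw)}


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "P@ssword1!", "abcde", "correcthorsebatterystaple"):
        print(candidate, evaluate(candidate))
```

Running it shows "P@ssw0rd" passing the composition rule while the blocklist check rejects it, which is exactly the policy-versus-strength gap the essay argues Morris and Thompson did not measure.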
This discussion is particularly relevant for information security professionals as it informs best practices around password policies, user education, and security measurements that hinge on real-world efficacy rather than theoretical solutions. Security policies must be continually reassessed to ensure they align with user behavior and actual security outcomes.