Update default password complexity restrictions
The current recommendation is to move away from complexity requirements (e.g. "at least one number/symbol/upper case") and instead encourage long but easy-to-remember passphrases and utilize blacklisting, breach checking and pattern matching (e.g. dropbox/zxcvbn as proposed by #5040) to move the burden of passwords away from the user and onto the system.
As per NIST:
Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
Verifiers SHOULD permit claimants to use “paste” functionality when entering a memorized secret. This facilitates the use of password managers, which are widely used and in many cases increase the likelihood that users will choose stronger memorized secrets.
Similar recommendations exist elsewhere, e.g. by the Canadian Government or the European Union (ignore the weird 64 characters upper limit, though).
So in accordance with those recommendations, the default configuration for password complexity should be adjusted to
'password_rules' => env('APP_PASSWORD_RULES', 'uncompromised,strength'),
'password_strength_threshold' => 3,
where strength and password_strength_threshold enable a rule that implements dropbox/zxcvbn from #5040 (or similar approaches).
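As an added illustration of the policy those defaults describe (this is example code, not Monica's implementation): a check that drops composition rules entirely and instead enforces minimum length, a breach lookup and a strength threshold of 3. The breach corpus and word list are constructed samples, and estimate_guesses is a deliberately simplified stand-in for dropbox/zxcvbn's estimator; the legacy_composition_ok function is only there to contrast the two approaches.

```python
import hashlib
import math
# Constructed sample breach corpus (stand-in for a HIBP-style "uncompromised" check),
# kept as SHA-1 digests so the plaintext list never has to be present at runtime.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest()
                 for p in ("password", "123456", "qwerty", "letmein", "Password1!")}
# Tiny constructed dictionary; zxcvbn ships tens of thousands of ranked words.
COMMON_WORDS = ("password", "monica", "admin", "welcome", "login", "qwerty")

def legacy_composition_ok(pw: str) -> bool:
    """The kind of rule the issue argues against: 8+ chars with upper, digit and symbol."""
    return (len(pw) >= 8 and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw))

def estimate_guesses(pw: str) -> float:
    """Simplified zxcvbn-style estimate: dictionary words, repeats and sequences are cheap."""
    lower, guesses, i = pw.lower(), 1.0, 0
    while i < len(lower):
        word = next((w for w in COMMON_WORDS if lower.startswith(w, i)), None)
        if word:                      # ranked dictionary hit, x2 for capitalisation
            guesses *= len(COMMON_WORDS) * 2
            i += len(word)
            continue
        j = i + 1                     # repeat (aaa) or step-1 sequence (abc, 321)
        step = ord(lower[j]) - ord(lower[i]) if j < len(lower) else None
        while j < len(lower) and step in (-1, 0, 1) and ord(lower[j]) - ord(lower[j - 1]) == step:
            j += 1
        if j - i >= 3:
            guesses *= 36 * (j - i)   # start character times length, not 36**length
            i = j
            continue
        guesses *= 10 if pw[i].isdigit() else 26 if pw[i].isalpha() else 33
        i += 1
    return guesses

def strength_score(pw: str) -> int:
    g = math.log10(estimate_guesses(pw))  # zxcvbn's 0..4 scale: 1e3, 1e6, 1e8, 1e10
    return 0 if g < 3 else 1 if g < 6 else 2 if g < 8 else 3 if g < 10 else 4

def validate_password(pw: str, threshold: int = 3, min_length: int = 8) -> tuple[bool, list[str]]:
    """'uncompromised,strength' policy: no composition rules, spaces and pasting allowed."""
    reasons = []
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if hashlib.sha1(pw.encode()).hexdigest() in BREACHED_SHA1:
        reasons.append("appears in a known breach corpus")
    if (score := strength_score(pw)) < threshold:
        reasons.append(f"strength score {score} is below threshold {threshold}")
    return not reasons, reasons
```

"Password1!" satisfies the legacy rule yet is rejected twice over (breached and score 1), while "correct horse battery staple" fails the legacy rule and passes the new one.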
Which major web services use such a technique? Only saw this in crypto services like Metamask
Which major web services use such a technique?
Since the linked documents are requirements for the respective government services, I'd guess those do implement that.
For private companies, I'd assume that Dropbox is using their own tool.
Google's only requirement is "8 characters or more" and their knowledge base suggests "make your password long & memorable".
Microsoft Live/Outlook Online requires "at least two of the following: uppercase letters, lowercase letters, numbers, and symbols" (seen when using an insufficient password during registration).
Facebook also suggests making long passphrases, and only mentions "mixing together uppercase and lowercase letters" conditionally when it's marked as weak.