
Microsoft researchers rethink password requirements

Picking a solid password and remembering it can be a challenge for anyone, even alleged Russian spies, as it turns out. According to Technology Review, Microsoft researchers have come up with a new and rather interesting scheme for balancing usability against security.

One of the Microsoft studies quoted by Technology Review suggests that services tend to raise password complexity requirements only when they face no competition, since users can’t take their business elsewhere; government sites are cited as one example. Surprisingly, the study found no correlation between "the value of a consumer’s account, the amount of attacks that the website suffered, and the complexity of the passwords that the website operators forced on their users."

With that in mind, the researchers propose a simple middle ground: let users pick simple passwords, but limit how many users may share the same one. The idea targets attackers who prey on popular services with large numbers of subscribers. Such services typically lock an account after a few failed login attempts, but the lockout counter is kept per account, so an attacker who tries a handful of very common passwords against many accounts at once never trips it. Capping how many accounts can share a password bounds how many accounts any single guess can open.
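To make the mechanism concrete, here is an added Python example (it is not code from the article, from Technology Review or from Microsoft Research). It simulates a password-spraying attack against a per-account lockout, then repeats the attack against a user base whose passwords were registered through a popularity cap. The common-password list, the 40% adoption rate, the cap of 10, the lockout threshold of 3 and the count-min sketch used to hold the counts are all constructed assumptions for the example, not details the article gives.

```python
import hashlib
import random

# Constructed sample of the "handful of very common passwords" a sprayer tries.
COMMON = ["password", "123456", "qwerty", "letmein", "abc123"]


class PopularityCap:
    """Caps how many accounts may share one password.

    Design choice for this example (an assumption, not something the article
    describes): counts live in a count-min sketch keyed with a server secret,
    so the server never stores a plaintext list of its most popular passwords.
    The sketch can only over-count, so it may refuse a password slightly early
    but never accepts one that has truly reached the cap.
    """

    def __init__(self, limit, width=1 << 16, depth=4, secret=b"example-secret"):
        self.limit = limit
        self.width = width
        self.depth = depth
        self.secret = secret
        self.tables = [[0] * width for _ in range(depth)]

    def _slots(self, password):
        # One keyed hash per row; the secret keeps the sketch positions unpredictable.
        for row in range(self.depth):
            digest = hashlib.sha256(self.secret + bytes([row]) + password.encode()).digest()
            yield row, int.from_bytes(digest[:8], "big") % self.width

    def count(self, password):
        """Estimated number of accounts using this password (never an underestimate)."""
        return min(self.tables[row][col] for row, col in self._slots(password))

    def register(self, password):
        """Count the password and accept it, or refuse it because too many accounts use it."""
        if self.count(password) >= self.limit:
            return False
        for row, col in self._slots(password):
            self.tables[row][col] += 1
        return True


def build_population(n, cap=None, seed=1):
    """Constructed user base: 40% pick a common password, the rest pick unique ones.

    With `cap` set, a user whose choice is refused falls back to a unique password.
    """
    rng = random.Random(seed)
    sketch = PopularityCap(limit=cap) if cap else None
    accounts = {}
    for i in range(n):
        if rng.random() < 0.4:
            pw = rng.choice(COMMON)
        else:
            pw = f"unique-{i}-{rng.randrange(10 ** 6)}"
        if sketch is not None and not sketch.register(pw):
            pw = f"fallback-{i}"
            sketch.register(pw)
        accounts[f"user{i}"] = pw
    return accounts


def simulate_spray(accounts, guesses, lockout=3):
    """Password spraying against a per-account lockout.

    Each guess is tried once against every account. The lockout refuses an
    attempt once an account has seen `lockout` failures, so a sprayer who
    stops at `lockout` guesses per account is never refused.
    Returns (set of compromised accounts, number of refused attempts).
    """
    failures = {user: 0 for user in accounts}
    compromised = set()
    refused = 0
    for guess in guesses:
        for user, pw in accounts.items():
            if failures[user] >= lockout:
                refused += 1
                continue
            if pw == guess:
                compromised.add(user)
            else:
                failures[user] += 1
    return compromised, refused


if __name__ == "__main__":
    open_site = build_population(1000)
    capped_site = build_population(1000, cap=10)
    for name, site in (("no cap", open_site), ("cap=10", capped_site)):
        hit, refused = simulate_spray(site, COMMON[:3])
        print(f"{name}: {len(hit)} accounts opened with 3 guesses, {refused} attempts refused")
```

Running it shows the lockout refusing nothing in either case, because three guesses per account never reach the threshold. Without the cap the three guesses open a few hundred of the thousand accounts; with the cap the attacker's yield is bounded by cap × guesses, thirty accounts here, no matter how many users the site has.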

Don’t look for revised password rules on Windows Live Mail anytime soon, though: Technology Review says Microsoft has "no plans to implement the new scheme in any Microsoft products yet." The researchers are only seeking feedback at this point.

I’m not a big fan of overly elaborate password requirements myself, but I’m surprised more people don’t think of using passphrases. Take a simple sentence: "I don’t like long passwords." It is 28 characters long (24 without the spaces), mixes upper- and lower-case letters, and carries two non-alphanumeric characters besides its four spaces, yet it isn’t hard to type or remember. Microsoft’s own password checker gives it top marks, too. Bear in mind that a cracker which guesses word sequences treats each dictionary word, not each character, as one unit, so a passphrase’s strength comes from how many words it has and how predictable their order is rather than from its character count alone. Even so, encouraging passphrases surely beats letting people use "password" and "1234."

Responses to “Microsoft researchers rethink password requirements”

  1. It can be worse than that. I’ve found sites that use different routines to validate a new password & a login attempt. Use special chars when creating the PW? No problem. Try to sign on with that new PW? Fail.


  2. the domain name:

    For gmail password should be

    This is an ultra strong password.

    However, once someone finds this out, he will know virtually all of your passwords.

  3. I recall early web days when passwords had no requirements whatsoever; you could use the exact same word as the username, or 4 characters. 1234 and asdf were my favorites lol

  4. I always recommend to people that they use a word that reminds them of the account/site they have the account on, but then translate it to l33t-speak.

    Example site:
    Example password – g3arshift

    You end up having a word you can remember, with the added security of numbers. For additional security, capitalize a letter.

    Another one that sometimes helps is the passphrase-first-letter option.

    Example phrase – I Have A Fish Named Eric

    Password – ihafne

  5. So now, instead of just getting the “Sorry, that username is taken…” error, you’ll also get the “Sorry, that password is taken…” error too.

  6. It appears to be “YTREWQ”. Unfortunately, someone got to your bank account before I did.

  7. 1234….that’s almost the combination to my luggage!

    Damn it….already beaten to the punch.

  8. ATi’s Cypress GPU far outperforms NVidia’s more expensive, hot, loud Fermi at password cracking. :))

  9. That is one… ultra… boring looking… global software leader headquarters building.

  10. Password policies that lead to a minimum standard of password complexity aren’t really a problem in my experience; frequency of change, or requiring lots of passwords, is far worse.

    The worst policy I’ve ever seen forces users to change their BIOS encryption password every 3 months and doesn’t allow you to set it to a custom word or phrase. It has to be a randomly generated sequence of lower case letters, exactly 9 characters in length – if you get something completely unmemorable, all you can do is hit the button to generate another.

    Once past the BIOS encryption, you have a separate Windows password, which also has to be changed every 3 months and has to be different, as the password policy requires numbers and characters (not an option at BIOS level).

    A tactic I often use for systems where I can enter whatever password I like (within policy) is to mix characters and symbols, then in one or more places have a number that increments every time you have to set a new password. A crude example: [email protected], [email protected], [email protected]. For variation, count down instead of up, double or halve each time, etc. It’s an easy-to-remember rule.

  11. Part of the problem is how freaking often I have to change various passwords.
    My voicemail password is changed once a month.
    My remote login, once every 60 days.
    My password to our database is either 60 or 90 (can’t remember).

  12. I use passwordmaker, which I assume is a similar program. It generates a unique password for every site based on the URL and a master password.

  13. I’d love to use mine on my Dell E6410, but the software to use it is insanely bloated. Windows needs to get this integrated better, or Dell needs to do a better job keeping their software from blowing up my system performance.

  14. Those fingerprint scanners on laptops work fairly well. Why don’t they bring those to the desktop, improve the software, build it into windows, etc…

  15. It isn’t about having a phrase be as strong as random characters of the *same* length, but just about having a certain strength.

    The same could be said about public/symmetric key encryption: a 256-bit symmetric key can easily be stronger than a 4096-bit public key, but a public key is more convenient and *strong enough*.

  16. Back in high school I used QWERTY, but I’ve now come up with an amazing random standby that is quick to type (my requirement for a good password).

  17. As dorky as l337-sp34k !z, it sure can make some tough pass phrases. I use them almost exclusively for mine.

  18. Keepass/password manager. I don’t know 99% of the passwords I use. No password is used in the same place twice.

    Just remember one long/complex password to get into keepass, and you’re setg{<.<}g

  19. ZQFMGB is easy even if you brute-force sweep the a-z, A-Z space.

    Anything less than 8 characters can be cracked in seconds these days.

    I see your point but brute forcing combinations of words still takes forever so long as a user uses 5+ words.

  20. The problem with a passphrase is that, by its own structure, it is likely to contain real words, which, when known to be such, require less time to roll through than a truly random password of the same length.

    A basic p/w checker will be looking at things like length and proportions of letters to numbers to non-alphanumeric symbols. But a basic p/w cracker will try to operate on known principles of human behavior, and if segments of a password are likely to be known words from a particular language, then for complexity, each /[

  21. The most difficult thing is not remembering 1 password at a time, but remembering a “strong” password for every site with different password requirements.

    Dell, for example, doesn’t allow special characters in their passwords.

    I have like 5 at work alone.

  22. The problem with passwords such as “I don’t like long passwords.” is that the first time I would try that I’d get a dialog which says “Your password must be between 8 and 14 characters.” Then I would shorten it to “No like words.” and would be told “The following characters are not permitted <space> . , ? ! % # $ *.”

  23. Password complexity is probably one of the biggest complaints at my office. I’d tell you how strict it is, but it simply isn’t, but damn people complain! Before I got here they didn’t even have passwords. *facepalm*

  24. The thought of having a database of the most popular passwords scares the bajeebus out of me. At that point, you could have a top-100 list of passwords, and an attack of simply trying all 100 until it finds an account that yields results would be rather scary.

  25. Take a simple sentence: “I don’t like long passwords.”

    Ugh, now I have to go and change all my passwords. Thanks, TR. 🙁