I've been giving a bunch of thought to passwords lately. Here we have this absolute cornerstone of security - a paradigm that every single person with an online account understands - yet we see fundamentally different approaches to how services handle them. Some have strict complexity rules. Some have low max lengths. Some won't let you paste a password. Some force you to regularly rotate it. It's all over the place.
Last year, I wrote about authentication guidance for the modern era and I talked about many of the aforementioned requirements. I particularly focused on how today's thinking is at odds with many of the traditional views of how passwords should be handled. That post has a lot of guidance from the NCSC in the UK and NIST in the US and it debunked many of those long-held beliefs; get rid of complexity rules, allow long passwords, let people paste them and move away from forced rotation. However, there was nothing on minimum required lengths, and that got me thinking - what's the correct number?
When I run my Hack Yourself First workshop, that's one of the first questions I ask - "what's the correct minimum password length?" I was thinking about that again just this weekend when preparing V2 of Pwned Passwords because I thought I might be able to use a minimum length threshold to reduce the size of the data set. So, rather than projecting my own views on minimum password length, I thought I'd go and check what the world's top sites are doing. Here's 15 of the biggest with a summary and some further commentary after that:
This is a bit misleading; it doesn't need to be longer than 6, it needs to be 6 or longer.
Amazingly, Wikipedia's minimum criterion is... you must have a character. That is all.
But hey, that's a step up from where they have been in the past:
"At least Wikipedia bumped it up from 0 characters for security reasons." pic.twitter.com/vjN3wJZUoi - passwordistoostrong (@PWTooStrong), July 18, 2016
Whilst they don't explicitly state it, Yahoo requires you reach 8 characters before you pass the minimum length criteria:
Netflix is super short at only 4 chars. At a guess, the need to enter that password via TV remotes could be partly behind the decision to keep it so short.
Let's lay everyone out together in a single table:
Surprised? Many people will be that 6 is the most prevalent, because it feels short. 9 of the 15 sites allow 6 chars, 4 of them require a minimum of 8 chars, then there's Netflix with only 4 and Wikipedia, well, let's not go there! Now, here's my great insight from all of this:
Every single minimum password length is an even number! How scientific do you think the process of determining the perfect minimum length is when all the big players just happened to land on 4, 6 or 8?
There's no 5 or 7 or 9, just nice, round, symmetrically even numbers. So that's the first insightful observation here - there's a definite lack of science involved.
But here's the other thing and this speaks to the point I made many times in the modern era password guidance blog post: authentication today is about much, much more than just comparing 2 strings. That's the way it was in the beginning - you have a username and a password and if the ones in the system match the ones the user provides then they're in - but these days, we're going well beyond that.
For example, we have 2FA. Yes, adoption rates are worryingly low, but it's now a mass-market security control we have access to on all sorts of services that didn't have it even just 5 years ago. We're also getting better at understanding user behaviour in terms of the way people choose passwords; that's the whole point of the Pwned Passwords initiative in that it recognises that humans make crap security decisions! Let's identify that early and help them make the right choices (i.e. "you really don't want to use that password...").
Then there are controls based around other user heuristics, for example challenging them for verification via the registered email address if they sign in from an unusual location (you may have seen Facebook do this before). Same again when someone is using a new browser - that may result in a drop in confidence which then requires further verification. In fact, the whole premise of "confidence" is becoming particularly important as we move away from this binary state of either allowing access or blocking it outright. Try going to many sites via Tor and you'll get a challenge to prove you're a human because as it turns out, bad guys are particularly fond of using anonymity tools.
The point of all this is that you can no longer just look at a minimum length and say "ah, 6 characters - or even just 4 - is way too few" because authentication schemes can be far more intelligent than simply matching those 2 strings. That's not to say those nice round, even numbers are always correct either - there are plenty of sites that don't have any intelligence beyond mere string matching - but hopefully it provides food for thought.
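To make the "confidence" idea concrete, here's a sketch of a sign-in decision that goes beyond matching 2 strings, using the signals mentioned above (new browser, unusual location, anonymity tools, a known-breached password, 2FA). This is an added example, not code from any of the sites discussed; the `SignIn` fields, the weights and the threshold are all hypothetical.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"
    CHALLENGE = "challenge"  # step-up: email verification, CAPTCHA, etc.
    DENY = "deny"


@dataclass(frozen=True)
class SignIn:
    password_ok: bool
    second_factor_ok: Optional[bool]  # None: no 2FA enrolled on the account
    known_browser: bool = True
    usual_location: bool = True
    anonymity_network: bool = False   # e.g. the request came via Tor
    breached_password: bool = False   # password appears in a breach corpus


# Hypothetical weights for illustration; a real service tunes its own.
PENALTIES = {
    "new browser": 30,
    "unusual location": 30,
    "anonymity network": 40,
    "breached password": 40,
}
SECOND_FACTOR_BONUS = 40
ALLOW_THRESHOLD = 80


def decide(attempt: SignIn):
    """Return (decision, confidence 0-100, reasons confidence dropped)."""
    # Wrong credentials are still a hard failure, whatever the other signals.
    if not attempt.password_ok or attempt.second_factor_ok is False:
        return Decision.DENY, 0, ["credential check failed"]
    signals = {
        "new browser": not attempt.known_browser,
        "unusual location": not attempt.usual_location,
        "anonymity network": attempt.anonymity_network,
        "breached password": attempt.breached_password,
    }
    reasons = [name for name, hit in signals.items() if hit]
    confidence = 100 - sum(PENALTIES[name] for name in reasons)
    if attempt.second_factor_ok:
        confidence += SECOND_FACTOR_BONUS  # a passed second factor restores trust
    confidence = max(0, min(100, confidence))
    decision = Decision.ALLOW if confidence >= ALLOW_THRESHOLD else Decision.CHALLENGE
    return decision, confidence, reasons
```

With these weights a correct password from a new browser gets challenged rather than waved through, while the same attempt with a passed second factor is allowed.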
Oh, and if you do happen to find a site with an odd number for the minimum length, leave a comment below because I'm kinda curious now 😀