

Complexify - a jQuery Plugin to ACCURATELY Gauge Password Complexity - danpalmer
http://danpalmer.me/jquery-complexify

======
citricsquid
Someone humour me, why does password complexity _really_ matter?

Password complexity doesn't prevent phishing, password complexity doesn't
prevent social engineering which are in my experience the 2 biggest issues.
Password complexity only _really_ prevents brute forcing, but any system that
allows you to hammer it with 100, 1000 or 10000 requests isn't going to be
secure anyway. It also goes some way to preventing a password being cracked if
the hash is stolen, but that shouldn't be an issue if proper security
practices are followed. The only other possibility is that complex passwords
can't be read over the shoulder or memorised, if someone sees "p4ssw0rd" it's
easy to remember, "P$()\£\\(\FDDFA" isn't.

The only real value in complex passwords that I can see is that it makes users
think "my password is only 10% secure? I must try harder at security!" but do
many even think that? I pay no attention to the complexity meters sites
have...

So what am I missing? The way I see it the only _real_ security is a password
manager with unique passwords for every account. Surely encouraging that is
better than wasting time telling a user if you think their password is secure
or not?

~~~
carmaa
Your logic is flawed; just because password complexity doesn't mitigate some
of your carefully constructed scenarios, doesn't mean that it's useless. You
even mention some of its merits yourself.

Password complexity (when done right) DOES make it more difficult to:

- brute force passwords
- crack hashes
- perform rainbow table attacks
- do password sweeps, e.g. one password guess on every known user name (effectively avoiding account lockout)
- do 'one off' guesses

It is not perfect alone, but it is one very important component of every
secure and reliable application.

~~~
citricsquid
I understand that complex passwords have merit because they prevent some
scenarios; my problem is with the focus that is put on it. Having a complex
password does help protect you from brute forcing, but it doesn't protect you
from the problems that most people suffer: phishing and social engineering. And
in a scenario where a system you use is breached you can safely suggest your
password _is_ stolen, in which case no matter how complex it is you're not
safe. How many stolen accounts are from brute forcing? In my own experience
with user support all stolen passwords have been a case of phishing or social
engineering (eg: "I am important, you need to give me your password").

My "issue" (if you can call it that) is that if you say to a user signing up to
your website "Your password is 50% secure!" they'll mistakenly assume that
means they're safe and can throw out all other security practices. It doesn't
matter how complex their password is; a password is never secure when humans
are involved. A password can be considered secure _enough_ if it's unique to a
website, but once a password is being used on multiple websites it doesn't
matter how complex it is: all it takes is for one site to be breached and it's
a worthless password.

Instead of telling users that if their password meets some arbitrary
requirements it's suddenly more secure than another password that has 1
less character, we should tell them that they need to assume their password can
be stolen, and that if it is, using unique passwords per website will protect them.

Passwords aren't either "secure" or "insecure" based on the password itself;
they're secure until someone else knows them. If your password becomes insecure
(either through phishing or brute forcing) you need to be ready to limit the
damage: if every website you use has the same password (no matter how complex
it is) and your password becomes insecure you have a huge problem; if you use
a unique password per website you're safe from most damage.

If you have an account on 100 websites it's better to have an "easy" password
(eg: "2809911234" (my birth date followed by 1234)) different on each website
than it is to have 1 password on every website that is super complex (eg: "£
_(U_ &(FDJHDIFHJDJHF& _DF &^_SDF&^S^&*").

Password security should work under the assumption that someone DOES know your
password or WILL know your password, and you should be limiting the problem.
People sign up all the time to websites that they have no idea how secure
are. I administer a website with 1.3 million users; I could be a scary
Russian hacker that is just stealing their details to hack their PayPal
accounts and empty their banks, but if they had unique passwords everywhere
that would not be an issue. It doesn't matter how complex a password is, the
moment you input it into a form on a website it becomes insecure.

To tl;dr my waffle and address your main point:

> just because password complexity doesn't mitigate some of your carefully
> constructed scenarios, doesn't mean that it's useless.

You're correct, password complexity isn't useless, but it isn't important
enough to warrant being the only thing users are told. Password complexity is
a small part of having good online security; making it the focus of security
by using it in forms is misleading to users. Anecdotally I know someone
(supposedly smart) who berated me for having a password that was only 10
characters long because a website said a 10 character password can be hacked
in 3 days; he didn't understand that the 3 days is how long it would take a
computer to compute my password, not that someone could "target" me and have
my password on their computer in 3 days. Even smart people don't have a clue
about security, and password complexity on forms just misleads them further.

Passwords are secure until someone else knows it, they're not secure based on
how complex they are. A password that is 16 characters is only more "secure"
than a 10 character password if you live in a vacuum where the only issue is
brute forcing (or similar computational attacks).

------
hsmyers
Not a perfect metric as he admits, but a great deal better than nothing. One
thing that has bothered me from the beginning is the problem of the user's
retention of the information. How do we do a min/max of sufficient complexity
to deter cracking but allow the user to remember the password in question?
This last is one reason that I've kept up interest in biometric efforts for
security.

~~~
danpalmer
I always find alternatives to password security interesting, but I don't think
any are actually feasible at the moment. We need to realise that passwords are
here to stay for a long time, and we need to promote the use of strong
passwords that will last a long time.

"8 characters with a number" - the criteria many normal users consider a good
password - is just not good enough any more in this age of $2.50 an hour for an
EC2 instance with a few graphics cards.

------
ThePinion
This is better than pretty much all similar projects I've seen. Might
implement it somewhere. My usual password for sites gets 46%, which I guess
I'm fine with.. The password I use for TrueCrypt easily gets to
100%, so I'm cool with that.

~~~
danpalmer
I was annoyed that my password (which would take ~1x10^30 years to brute
force) gets a low score on every site with one of these because it doesn't
contain a number.

This is my answer. Passwords are judged on their complexity properly rather
than a naïve interpretation of complexity.

If you do implement it somewhere, let me know where. Also fork and contribute
if you want.

------
kgen
A fifteen letter password that is a mixture of letters, numbers and symbols is
only 56% complex? That's bonkers. What's the point of measuring complexity if
you aren't going to be able to remember the password?

~~~
byoung2
It depends on what the password is for. I think the more complex passwords are
appropriate for root passwords or databases, but for user passwords, you would
have to educate users that anything above a certain threshold (say 30%) is
good enough. My attempt fJ6 _& $h12@ was 40% and $Y8th&t_%k^! was 48% and
these are way more complex than most people need to secure email or log in to
a web app. Above a certain level, and they'll write it on a sticky note.

~~~
danpalmer
Those two passwords aren't too bad, but they aren't amazing. They are only 9
characters and length matters far more than the character sets you include.
This is the big misconception many users have, and it's promoted by all the
password strength meters that get this wrong. Complexify is my attempt at
providing a better metric.

------
ElliotH
Only real issue I can see is that a length 10 string of random lower case
letters is given the same rating as a 10 letter long dictionary word (whereas
ofc the dictionary word would be cracked first).

~~~
danpalmer
Yep, and I did actually put at the bottom that this does not have any
indication of how crackable it would be with a dictionary attack.
Unfortunately I don't think that's feasible.

~~~
mmastrac
You could potentially 'compress' the dictionary into a bloom filter. You'd
have a chance of false positives (ie: a word looks like a dictionary word),
but that's probably acceptable in this case.
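
An added example of the Bloom-filter idea mmastrac suggests, not code from Complexify or from anyone in this thread: a tiny, constructed list of common passwords is compressed into a bit array that a page could ship to the client and query before (or alongside) a complexity score. FNV-1a as the base hash, double hashing to derive the k bit positions, the list contents and the filter sizing are all assumptions of this example.

```javascript
// Added example (not Complexify's code): a Bloom filter over a constructed
// list of common passwords, for a client-side "is this a dictionary word?"
// check. A Bloom filter never misses a word that was added (no false
// negatives) but can occasionally flag a word that was not (false positives),
// which mmastrac notes is acceptable for this use.

function fnv1a32(str) {
  // 32-bit FNV-1a over the UTF-16 code units of the string (assumed base hash).
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h >>> 0;
}

class BloomFilter {
  constructor(bitCount, hashCount) {
    this.m = bitCount;                              // number of bits
    this.k = hashCount;                             // hashes per word
    this.bits = new Uint8Array(Math.ceil(bitCount / 8));
  }

  // Double hashing (Kirsch-Mitzenmacher): index_i = h1 + i * h2 (mod m).
  // h2 is forced odd so it is never zero.
  indexes(word) {
    const h1 = fnv1a32(word);
    const h2 = (fnv1a32(word + "\u0001") | 1) >>> 0;
    const out = [];
    for (let i = 0; i < this.k; i++) {
      out.push(((h1 + i * h2) >>> 0) % this.m);
    }
    return out;
  }

  add(word) {
    for (const idx of this.indexes(word)) {
      this.bits[idx >> 3] |= 1 << (idx & 7);
    }
  }

  mayContain(word) {
    return this.indexes(word).every(
      (idx) => (this.bits[idx >> 3] & (1 << (idx & 7))) !== 0
    );
  }
}

// Theoretical false-positive rate for n words in m bits with k hashes.
function expectedFalsePositiveRate(n, m, k) {
  return Math.pow(1 - Math.exp((-k * n) / m), k);
}

// Constructed sample word list; a real deployment would build the filter
// server-side from a large leaked-password list and ship only the bit array.
const COMMON_PASSWORDS = [
  "password", "123456", "qwerty", "letmein", "monkey",
  "dragon", "baseball", "football", "iloveyou", "trustno1",
];

function buildFilter(words, bitsPerWord = 32, hashCount = 8) {
  const filter = new BloomFilter(words.length * bitsPerWord, hashCount);
  for (const w of words) filter.add(w.toLowerCase());
  return filter;
}

const DICT = buildFilter(COMMON_PASSWORDS);

// Case-folded lookup: "dictionary" means the word may be in the list.
function dictionaryCheck(password, filter = DICT) {
  return filter.mayContain(password.toLowerCase()) ? "dictionary" : "ok";
}

// Usage: each check is a handful of hash operations over a 40-byte array.
console.log(dictionaryCheck("Password"));      // dictionary
console.log(dictionaryCheck("xq7#Lm!9vZ^t"));  // ok (barring a false positive)
console.log(
  "expected false-positive rate:",
  expectedFalsePositiveRate(COMMON_PASSWORDS.length, DICT.m, DICT.k)
);
```

With 32 bits per word and 8 hashes the expected false-positive rate is well under 0.1%, and the filter for a list of a few hundred thousand words is a few megabytes rather than the list itself; the trade-off is that a lookup can only say "maybe", never "definitely not in the list", so the result should downgrade a score rather than replace it.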

------
ericax
Try 52 "1"s. You get a password with 100% complexity.

~~~
danpalmer
That is also a 52 character password. I'm betting no one wants to try brute
forcing 20+ character passwords at the moment. While it is a very contrived
example, it's also not as bad as it seems for security.
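
An added example, not code from Complexify or from anyone in this thread, covering two points made above: danpalmer's reply that length matters far more than which character sets appear, and the ericax exchange about 52 repeated "1"s. It scores a password as length times log2(alphabet size) and then shows a repetition-aware variant. The character classes and their sizes, the run-collapsing heuristic and the assumed guess rate are choices of this example, not a description of how Complexify scores.

```javascript
// Added example (not Complexify's code): a charset-times-length estimate of
// the brute-force search space, plus a heuristic that refuses to be fooled by
// a single repeated character. Class sizes, the heuristic and the guess rate
// are illustrative assumptions, not a model of any real cracker.

const CLASSES = [
  { name: "lower",  size: 26, re: /[a-z]/ },
  { name: "upper",  size: 26, re: /[A-Z]/ },
  { name: "digit",  size: 10, re: /[0-9]/ },
  // Everything else is counted as the 33 printable ASCII punctuation/space characters.
  { name: "symbol", size: 33, re: /[^a-zA-Z0-9]/ },
];

// Alphabet size implied by which character classes appear in the password.
function charsetSize(password) {
  return CLASSES.reduce((n, c) => n + (c.re.test(password) ? c.size : 0), 0);
}

// Naive estimate: log2(charset ^ length) = length * log2(charset).
function naiveBits(password) {
  if (password.length === 0) return 0;
  return password.length * Math.log2(charsetSize(password));
}

// Heuristic (an assumption of this example): collapse runs of the same
// character before scoring, so "1111..." counts as one choice rather than 52
// independent ones. Passwords without runs score exactly as before.
function collapseRuns(password) {
  return password.replace(/(.)\1+/g, "$1");
}

function repetitionAwareBits(password) {
  return naiveBits(collapseRuns(password));
}

// Years needed to enumerate the whole space at a given guess rate.
// 1e10 guesses/s is an assumed figure for rented GPUs against a fast hash.
function yearsToCrack(bits, guessesPerSecond = 1e10) {
  const SECONDS_PER_YEAR = 365.25 * 24 * 3600;
  return Math.pow(2, bits) / guessesPerSecond / SECONDS_PER_YEAR;
}

// Side-by-side report for one password.
function report(password) {
  return {
    length: password.length,
    charset: charsetSize(password),
    naiveBits: Number(naiveBits(password).toFixed(1)),
    repetitionAwareBits: Number(repetitionAwareBits(password).toFixed(1)),
    naiveYears: yearsToCrack(naiveBits(password)),
    repetitionAwareYears: yearsToCrack(repetitionAwareBits(password)),
  };
}

// Usage (constructed inputs): 16 lowercase letters outscore 10 characters
// drawn from all four classes, and the naive estimator alone would give
// 52 repeated digits a huge score that the run-collapsed estimate removes.
for (const pw of ["abcdefghijklmnop", "fJ6_&$h12@", "1".repeat(52)]) {
  console.log(JSON.stringify(report(pw)));
}
```

The 16-letter lowercase password comes out near 75 bits against roughly 66 bits for the 10-character mixed one, which is the length-over-charset point; the repeated-digit input drops from about 173 bits to about 3 bits once runs are collapsed. The heuristic is deliberately cheap and catches only this one pattern; it is not the full dictionary-attack model danpalmer describes as infeasible in the browser.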

------
jrgnsd
I started typing in a password, and then thought that this is an easy way to
harvest passwords that people think are hard to crack.

~~~
danpalmer
Feel free to have a look at the javascript, see what's going on in the page,
or watch network traffic.

