...
- Exponential back-off for failed password authentication attempts.
- All passwords must be at least 8 characters.
- No special characters requirements.
- No forced password rotation.
- No password strength meters.
- Common passwords are blocked.
- All PHI is identified and only accessible with multi-factor authentication.
- Eventually, completely replace Synapse managed passwords authentication with Google & ORCID authentication (see PLFM-5311).
...
If users are required to use special characters, they will simply change their password from "password" to "p@$$word". If users are required to add digits, they are likely to append them, so "password" becomes "password123". If they are required to use capital letters, they will capitalize the beginning of each word, so "fromtimetotime" becomes "FromTimeToTime". Each of these patterns is easily exploitable by attackers, so password entropy is not actually increased by the added complexity requirement [4].
...
As one group of researchers points out, even weak passwords are secure when there is a limit on the number of failed attempts [10]. This is why bank card PINs are secure even though they might only have 13 bits of entropy. With an enforced exponential back-off for failed attempts, an attacker will have less than a dozen attempts per year. With so few attempts, only the most common passwords could be guessed. A system that blocks users from selecting the most common passwords, combined with exponential back-off, would be secure even when users choose "weak" passwords.
...