...
- Exponential back-off for failed password authentication attempts.
- All passwords must be at least 8 characters.
- No special characters requirements.
- No forced password rotation.
- No password strength meters.
- Common passwords are blocked
- All PHI is identified and only accessible with Multi-factor authentication.
- Eventually, completely replace Synapse managed passwords authentication with Google & ORCID authentication (see PLFM-5311).
Note: The above recommendations closely mirror the recommendations from Microsoft 8.
What is the current Synapse Password Policy?
...
The password "correcthorsebatterystaple" perfectly illustrates disconnect between how we model password strength and real users passwords. According to the entropy model "correcthoresbatterystaple" belongs to the domain with 117 bits of entropy (log2(26^25)). That level of entropy assumes each letter of each word contributes to the overall size of the distribution. This assumption works for a simple brute force attack. However, if the attacker knows this trick they can try word combinations instead of letter combinations. If the attacker uses the top 100 most common words in every possible combination with string of up to four words, then the actual size of the domain is actually 26 bits of entropy (log2(100^4)) instead of 117. Since it is difficult to memorize four random words in a string, but easy to memorize a real phrase, users are more likely to chose a real learning to choose phrase for a password 11. Now an attacker Simple attacks can try the most common phrases, so the password "fromtimetotime" can be guessed in under 8 tries even though it has 66 bits of entropy. More sophisticated attacks employ phrases from many sources including the Bible and Youtube 11.
If users are required to use special characters, they will often use simple leet substitutions such as changing "password" to "p@$$word". If users are required to add digits they are likely to add them to the end so "password" becomes "password123" [4]. If they are required to use capital letters they will put the capitals at the beginning of each word, so "fromtimetotime" becomes "FromTimeToTime". Each of these patterns are easily exploitable by attackers so password entropy is not actually increased with the increased complexity requirement [4].
...
- Carnavalet, Xavier et al "A Large-Scale Evaluation of High-Impact Password Strength Meters" madiba.encs.concordia.ca, 2015.
- Zhang, Yinqian et al "The Security of Modern Password Expiration: A n Algorithmic Framework and Empirical Analysis" cs.unc.edu, 2010.
- Schneier, Bruce "Real-World Passwords" schneier.com,
- Goodin, Dan "Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”" arstechnica.com, 2013.
- Schneier, Bruce "Choosing Secure Passwords" schneier.com, 2014.
- Bonneau, Joseph et al "Passwords and the Evolution of Imperfect Authentication" jbonneau.com
- Wheeler, Daniel "zxcvbn : Low-Budget Password Strength Estimation" usenix.org August 10–12, 2016
- Hicock, Robyn "Microsoft Password Guidance" microsoft.com
- Egelman, Serge et al "Does My Password Go up to Eleven? The Impact of Password Meters on Password Selection" microsoft.com
- Florencio, Dinei et al "Do Strong Web Passwords Accomplish Anything?" microsoft.com
- Goodin, Dan "How the Bible and YouTube are fueling the next frontier of password cracking" arstechnica.com, 2013