Stanford University network engineers have unveiled a refreshingly enlightened password policy. By allowing extremely long passcodes and relaxing character complexity requirements as length increases, the new standards may make it easier to choose passwords that resist the most common types of cracking attacks.
Students, faculty, and staff can use passwords as short as eight characters, but only if they contain a mix of upper- and lower-case letters, numbers, and symbols, according to the policy, which was published last week on Stanford's IT Services website.
Even then, the short passwords must pass additional checks designed to flag common or weak passcodes (presumably choices such as "P@ssw0rd1", which can usually be cracked in a matter of seconds). The standards gradually reduce the character complexity requirements when lengths reach 12, 16, or 20 characters.
At the other end of the spectrum, passcodes that have a length of 20 or more can contain any character type an end user wants, including all lower case. Ars hasn't tested the new system to ensure commonly used phrases found in the Bible, on YouTube, or myriad other places are automatically rejected. As Ars reported in October, even when such passphrases contain 40 or more characters, they are becoming increasingly susceptible to "off-line" cracking. Such attacks scrape popular websites and books, carve up the text into different phrases or sentences, and use them as guesses when cracking cryptographic hashes found in compromised password databases.
Balancing security against usability
The potential passphrase proviso aside, the new Stanford password standards are noteworthy because they strike a meaningful balance between user convenience and security. Eight-character passwords—when randomly generated and containing a mix of numbers, symbols, and upper- and lower-case letters—can take months or years to crack.
That's because the only technique that works against such passwords is to try huge numbers candidates until the attacker finds the one that works. The vast number of possible combinations makes these brute force attacks extremely hard to carry out. There are only 268 possible combinations for a password made up of eight lower-case letters, a small enough "key space" for even inexperienced crackers to exhaust in a matter of minutes.
The base Stanford password, by contrast, contains a key space of 958 (52 lower- and upper-case letters, 10 digits, and 33 symbols raised to the power of the length number). The number of possible combinations can take weeks or months to crack, depending on the hardware doing the cracking and the hash algorithm used to protect the passwords.
What makes Stanford's policy noteworthy is that it makes accommodations for users with a strong aversion to randomly generated passwords with all kinds of special characters. As anyone using a mobile device with a limited keyboard knows, typing "#3ok;U)9" to connect to a network is time-consuming. Other people find such passwords hard to remember and prefer instead to use seven or eight randomly chosen words from a dictionary. Rather than exclude these users, Stanford engineers have devised a system that caters to people who want to use less complex passwords, as long as the length of their choices compensates for the reduced number of character types.
The elegance of Stanford's policy is that it eschews the one-size-fits-all approach most websites and networks take when attempting to ensure their users choose strong passwords. By offering increased flexibility, there's a better likelihood that people connecting to University services will remain secure. In an age when passwords have never been weaker and crackers have never been stronger, that's enlightenment indeed.