The problem with password policies

We all know that “password” or “jdoe” is not a great password! Today pretty much every website or web app will enforce password policies to guard against insecure choices. Password policies include various criteria including:

• Length
• Randomness
• Dictionary words
• Punctuation characters
• Reuse (on the same site)
• Reuse (across different sites)

But here’s the obvious problem. If a password is long enough, includes enough entropy (randomness), and puctuation characters, the user most likely won’t be able to remember it. Add to that the requirement that they change it every N days and use it only on one site and there is zero chance of it being remembered.

Phishing & reuse across sites

Preventing reuse across sites is especially hard to enforce. It’s not something website operators can actually enforce. We must rely on the user’s own judgement or hope they use a password manager. Unfortunately breached passwords on a third party site are one of the easiest attack vectors.

Phishing is a huge challenge because like all forms of social engineering, it uses on the most vulnerable dimension - the user. If I want to break into a users account on your site I don’t actually need to attack your site itself, so all your hard work is irrelevant.

All I need to do is persuade your user to create an account on a site I control and implement a complex password policy. The chances are, they’ll just reuse the secure password they use for your site.

Password managers

Password managers like Keychain and 1Password come to the rescue here but are a workaround, not a solution. The whole point of a password is something that is known only by the two parties (user and website). If the user doesn’t actually know the password but instead relies on an app to remember it for them we might as well ditch passwords altogether.

Why bother with passwords in 2023/24?

Once we accept that the users won’t actually remember their passwords we can look to better solutions. We could, for example amend the password policy to require a 500+ character password, after all the password manager can easily handle this. However going into 2024 there are much better solutions out there.

Passkeys

Passkeys are the natural successor to passwords. They’re supported (and promoted) by the major tech players including Apple, Google and Microsoft. Passkeys solve many of the problems inherent in the password model including:

1. Entropy - Passkeys use public key technology instead of the low entropy shared secret model. You’d need a quantum computer to crack modern private keys.
2. Biometrics - The private keys used by passkeys can be guarded by biometrics (facial recongnition or fingerprints).
3. Phishing - Even if the user believes they’re on the right site, it looks identical and they want to sign in, the browser will simply not allow them to a passkey for anything other than the intended site.