Why Final Passwords Are At Least 12 Characters

By: Kyle Rankin on 08 March 2016

Security is important at Final. Our company was founded in response to a security incident and one of the fundamental assumptions behind our product is that merchants sometimes get hacked. When that happens, we want to make it easy for you to limit that damage by disabling any affected numbers. Yet like merchants, user accounts also get hacked and while sometimes it’s due to security flaws on a particular site, more often it’s due to weak passwords or bad policies around password resets.

There are a number of ways that we secure our users’ accounts and we give a lot of thought on how best to use the latest security measures that keep your account safe while not making it cumbersome. Our password policy is one example that I feel strikes that proper balance and in this post I will talk about our current password policy and elaborate on some of the reasoning behind it.

Password Policy Problems

Before explaining our own password policy it’s worth spending some time talking about some of the problems with many password policies out there. Anyone who has worked in a modern office has had to conform to some kind of password policy and more likely than not one that was frustrating, confusing, and worst of all, ineffective. A typical password policy that corporate IT hands down might resemble something like this:

  • Passwords are rotated every three months
  • Must contain at least one upper case letter, one number, and one symbol
  • 8 character minimum

Password Rotation Policies

Of all of the different password rules, the password rotation policy is the best example of an ineffective, outdated password policy that leads to frustration and confusion. As someone who has worked in IT it’s also one of the most burdensome to IT teams–they end up wasting hours managing password resets and unlocking accounts for employees who hated dealing with password rotation so much they put it off until their account was locked.

The first problem with password rotation policies is that it is more likely to lead to weak passwords. The irony is that the more frequent the password rotation, the weaker the password is likely to be because of the effort it takes to think up and memorize a strong password. When a person is faced with a password policy like the above one they very well may spend a few minutes thinking about a strong but memorable password the first time. They dutifully memorize it and eventually muscle memory takes over and they don’t give it a second thought. Then that password expires. Each time they have to think of a different password is an opportunity to take the easy path instead and pick something short and easy to remember that still technically passes the policy.

The second problem with password rotation policies is that they try to protect you from an attacker who doesn’t exist: the attacker who waits months to use the account. If an attacker compromises an account, they typically will do their damage relatively quickly and then leave. In the case of compromising an email account the attacker will change the password to lock the user out, figure out what other accounts the user has, then try the same password to login to those accounts. If they can’t get into other accounts they will trigger the ‘I forgot my password’ feature which will send a convenient email to the account they now control. In the case of a desktop computer if the attacker wants to come back later they will just install a backdoor (like a Remote Access Trojan) that doesn’t rely on the username and password.

The final problem with password rotation policies is that they just don’t work. Studies have shown that many people tend to pick passwords similar to their previous ones so someone who figured out one of your passwords can likely guess the next one:

“Even our relatively modest study suggests that at least 41% of passwords can be broken offline from previous passwords for the same accounts in a matter of seconds, and five online password guesses in expectation suffices to break 17% of accounts. … Combined with the annoyance that expiration causes users, our evidence suggests it may be appropriate to do away with password expiration altogether, perhaps as a concession while requiring users to invest the effort to select a significantly stronger password than they would otherwise (e.g., a much longer passphrase).”

Password Complexity Requirements

The idea behind requiring mixed-case characters, numbers, and symbols in passwords is that when you increase the character set, you increase the number of overall password combinations an attacker may have to guess. This study of password recovery speeds shows the number of password combinations for different length passwords with different character sets. For instance, an 8-character password composed of only lower case characters has 200 billion combinations. Adding upper case characters increases the combinations to 53 trillion. Adding numbers increases it to 2.9 quadrillion and adding common symbols as well increases that to 7.2 quadrillion. Each time you increase the number of possible combinations you increase the amount of time it takes an attacker to crack the password, at least in theory.

Password complexity requirements on the surface aren’t bad at all and can be very effective if you generate the password randomly with a password manager. Unfortunately complexity requirements are often ineffective in practice–particularly when coupled with password rotation that inadvertently encourages simpler passwords. This is because while increasing the size of the character set increases the theoretical number of password attempts, in practice people pick a dictionary word and modify it to suit the complexity requirements.

Even worse, people often pick a “complex” password based on a pattern that I’ll call the password mullet: upper case in the front, numbers in the back. This turns ‘password’ into ‘Password’ or ‘Password1’. If you require the user to have two or four numbers, they will go at the end and typically refer to some meaningful date (birth, graduation, anniversary). If you require a symbol, it will probably be punctuation, likely an exclamation point, and probably at the very end of the password, or should I say ‘Password123!’. Some more technologically-savvy folks use ‘leet speak’ and make commonly-known switches between letters and numbers so their secure password is ‘Pa55w0rd!’ or ‘P455w0rd!’ if they are truly elite.

The problem here is that attackers are fully aware of all of these common patterns and so they are no more effective than picking a word out of a dictionary. A few years ago I wrote a series of articles on how to crack passwords with GPUs using the popular oclhashcat cracking software. Like all password cracking tools it can use large dictionaries of words but it also has plugins that make it easy to take each of those dictionary words and apply all of the above transformations including ‘leet speak’ to build an even larger dictionary. Then it tries all of those combinations before doing a pure brute force attempt thereby dramatically reducing the amount of time it takes to break an 8-character passwords.

Final’s Password Policy

We’ve decided to take a simpler approach when it comes to passwords but one that is more effective in the average case:

  • 12 character minimum
  • No complexity requirement
  • No password rotation

Increasing the minimum password length increases the number of overall password combinations just like if we increased password complexity but hopefully encourages you to pick an even longer, more memorable password based on a phrase. That study of password recovery speeds I referenced earlier also demonstrates the impact of increasing the length of the password. Even with only lower case letters, increasing the password from 8 characters to 12 increases the combinations from 200 billion to 95 quadrillion which is more than even an 8-character password with upper and lower case, numbers, and common symbols.

Like I mentioned earlier, increasing the overall combinations doesn’t always make a password harder to crack, but by removing the complexity requirement we hope that you can pick a password even longer than 12 characters made of random words or a phrase, yet still easy to remember. By removing password rotation we also hope to encourage you to choose more complex passwords possibly containing mixed case or punctuation where it makes sense.

Of course no password policy is perfect. Some people might think 12-character passwords are too long. Our password policy alone won’t completely stop someone from picking a weak password (password1234 after all meets the minimum requirements). Plus, even if you choose a passphrase, sophisticated attackers are using Wikipedia, the Bible, and Youtube comments to feed their dictionaries with common phrases. Like with any security measure, this password policy is just one layer in our many layers of account security. When you also add weak password warnings during password selection, two-factor authentication, and secure workflows around password resets you end up with strong account security that is also convenient.