The security of long or complex passwords is overrated. Even for short passwords the probability of guessing a password randomly is low if only a few failed tries are allowed before the account is locked (source IP should be ignored for this). The guessing process becomes costly per account if a delay of several seconds is enforced after an unsuccessful attempt, especially if the few seconds occurs between the attempt and the failure notification and the notification provides no information to distinguish between failure to match an account at all and failure to give the correct password for an existing account. My previous employer required, at one time, 8 character passwords with a 62 character alphabet (UC, LC, Numeric, Special, two from each group), changed at least every 60 days. The account was locked on the third consecutive fail, requiring administrator intervention to unlock the account, and a new password was required at that time. The new password could not be any of the most recent 10 or have been valid during the previous 365 days and was failed if found in a password dictionary. By my reckoning, the probability of randomly guessing the password of a known account under these conditions is in the order of 1 in 10^13. The actual probability likely is several orders of magnitude larger, but still small enough to be ignored for many purposes.
The risk that concerns me is that the provider might store the password hashes insecurely or worse store them reversibly encrypted or not encrypted at all, and that the file would fall into the hands of someone with technical skills and nasty intentions. For plain text or reversibly encrypted passwords, password length has no benefit in this case. For hashed passwords, and only those, is length of significance, and should be enough to make finding any account/password combination economically unfeasible.
So I am leery of, and within reason avoid, services that
(1) can tell me my forgotten password (and think twice about those who can tell me my forgotten userid);
(2) respond in under several seconds if I make a mistake or respond to an error faster than a good login;
(3) allow more than a small number of failed attempts;
(4) do not require a new password after administrative action to unlock the account.
I am much less concerned with required length or complexity, but do use more of each for such critical accounts as those with banks or credit card issuers.
Am I wrong here?
Biting the hand that feeds IT
