March 8, 2018 / Jim Fenton

Passwords: what minimum length?

Recently there has been a fair amount of discussion about what the minimum acceptable length of passwords should be. NIST SP 800-63B sets a minimum of 8 characters. Some people think the minimum should be considerably more than that, perhaps 16 characters. The following is some rationale for why 8 is a reasonable minimum.

A 2014 research paper[1] was a significant factor in informing this guideline. As discussed in Section 3.2 of that paper, guessing attacks on passwords can be categorized into online and offline attacks. Online attacks are limited by available bandwidth, response time of the verifier, and hopefully by active throttling of the number of guesses allowed (as specified in SP 800-63B section 5.2.2). Offline attacks, where the attacker has been able to obtain a password database (hopefully salted and iteratively hashed), can make many more guesses, with guessing rates in excess of 1 billion guesses per second depending on the attacker’s hardware capabilities. There isn’t anything in between: either the attacker has a password database to use and mounts an offline attack, or they don’t and mount an online attack.

As a result, there is a significant range in password lengths, shown in Figure 2 of the paper (reproduced above), where passwords are long enough to be resistant to online guessing attacks, but are not long enough to be resistant to offline attacks. Within this range, increasing the minimum password length adds to the burden on users, but does not significantly increase security. While SP 800-63B does not attempt to estimate entropy (or the estimated number of guesses required) for a given password length, the current guideline of 8 characters exceeds the length needed to protect against online attacks, particularly since the paper doesn’t assume intentional rate limiting by the verifier. However, a considerably longer minimum password length, probably at least 16 characters, would be needed to protect against offline attacks, and that would increase with computing speed.

Users do predictable things when subjected to onerous authentication requirements, such as the common behavior to append an exclamation point to their password when required to use a special character. Rather than impose an onerous length requirement (which might cause them, for example, to just use their shorter password twice), the decision was made to set the minimum password length to be resistant to online but not offline attacks. Instead, the burden was placed on the verifier: SP 800-63 section 5.1.1.2 calls for verifiers to store memorized secrets in a form that is resistant to offline attacks, including use of a salted key derivation function and also suggests an additional keyed hash with a secret key that is stored separately.
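The following is an added illustration, not code from the post or from NIST: it implements the verifier-side storage described above (a salted, iterated key derivation function followed by a keyed hash whose key is stored separately from the password database) and estimates how long exhausting the guess space for a given length takes at online versus offline guessing rates. The iteration count, salt size, and the `pepper` name for the separately stored secret are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Assumed parameters for illustration; NIST SP 800-63B does not prescribe these exact values.
KDF_ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, pepper: bytes, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Return (salt, tag) for storage in the password database.

    pepper is the separately stored secret key; the database holds only salt and tag,
    so an attacker with the database alone cannot verify guesses offline.
    """
    salt = salt or os.urandom(SALT_BYTES)
    # Salted, iterated KDF slows each offline guess against the stored record.
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)
    # Keyed hash with the separately stored secret: without it the record is useless offline.
    tag = hmac.new(pepper, derived, "sha256").digest()
    return salt, tag


def verify_password(password: str, pepper: bytes, salt: bytes, tag: bytes) -> bool:
    """Recompute the tag for a candidate password and compare in constant time."""
    _, candidate = hash_password(password, pepper, salt)
    return hmac.compare_digest(candidate, tag)


def guess_space(length: int, alphabet_size: int) -> int:
    """Number of candidate passwords of exactly this length over the given alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password of this length at a given guessing rate."""
    return guess_space(length, alphabet_size) / guesses_per_second


if __name__ == "__main__":
    # Constructed comparison: an online attacker limited by the verifier versus an
    # offline attacker with the database at the post's figure of 1e9 guesses per second.
    for length in (8, 12, 16):
        online = seconds_to_exhaust(length, 95, 10)        # assumed: ~10 guesses/s online
        offline = seconds_to_exhaust(length, 95, 1e9)      # offline rate cited in the post
        print(f"len {length}: online {online / 31_536_000:.3g} years, "
              f"offline {offline / 31_536_000:.3g} years")
```

The per-length printout shows the gap the post describes: the online figures are already astronomical at 8 characters, while the offline figures only become comparable at much longer lengths, which is why the storage scheme, not the length, is the defence against offline guessing.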

SP 800-63-3, which contains guidelines on selection of the Authenticator Assurance Level (AAL), calls for two-factor authentication in a number of situations where it has not typically been used. In particular, Executive Order 13681 requires federal agencies to use two-factor authentication whenever a user’s personal data is being released. This is largely in recognition of the limited security that passwords can provide due to not only the guessing attacks discussed above but also other threats such as key loggers. Given the modest security that can be achieved, increasing the minimum password length would be an inconvenient and incomplete solution to authentication security.

Note: While I am a co-author of NIST SP 800-63-3 and SP 800-63B, I am an independent consultant and the above discussion is my opinion only and does not necessarily represent the position of the National Institute of Standards and Technology.

Illustration above is from reference [1].


[1] Florêncio, Dinei, Cormac Herley, and Paul C. van Oorschot. “An Administrator’s Guide to Internet Password Research.” Usenix LISA, November 2014. http://research.microsoft.com/apps/pubs/default.aspx?id=227130.
