Should systems force the user to create a strong password?

Banks afford to allow you to use weak passwords for two reasons:

• They can lock your password with impunity without losing you as a user.

Not that it’s bad. After all, it’s your money they’re protecting.

If Google or Facebook blocked your password every time they thought something went wrong with your account, you’d probably be sick and tired of having to switch it all the time. You would eventually give up using your services and your social networks (and remember, for them you are a source of income, not a customer, so they want you using these things).

But if you can’t use your debit card, You’re so fucked up and so you will make the effort to go to the nearest agency to resolve this as soon as possible. This is strongly related to the next reason:

• They have how to validate very accurately that you are who you say you are.

If you need to create a new password for Xvideos because you forgot yours, you can’t go to the nearest Xvideos agency because it doesn’t exist. They have to use your email, which is a mechanism that may be compromised, to restore your access.

Already in a bank you have to present yourself with your documents. This is not impossible to cheat, but it is much more difficult, so the degree of confidence is greater.

That’s why banks give you the luxury of giving you weak passwords. They will lock your password if anything goes wrong. They will block you even in cases of false positive (already happened to me). As you can see, the choice between allowing weak passwords and allowing strong passwords by institutions and large companies that have a lot to lose/protect is a matter of balance between practicality and risk.

As to what makes a password strong or not: there is no unbreakable password, but what separates a good password from the password that its lay relatives usually use is the time that a hacker would take to break it.

Consider the following passwords:

• 0004071974
• sSashaGrey
• Tododia7a1
• $7@CK 0V3R

They all have the same size. However, to make a brute force attack on each one, we would need the following number of combinations:

• For the first password, which only uses numbers, 10¹⁰ attempts. High number, but nothing that a computer cluster with multiple GPU’s each couldn’t chew in a short time nowadays. 10,000,000,000 combinations.
• For the second password, we have only letters. The number of combinations is now 52¹⁰ (for our alphabet, considering that letters can vary between upper and lower case), a considerably larger sample space. This gives 144.555.105.949.057.024 combinations.
• For the third password, we have letters and numbers. There are 62¹⁰ combinations, or 839.299.365.868.340.224 attempts at worst. Compare with the combination just above.
• For the final password, assuming we limit only the ASCII table, we have ninety-four usable characters, so we have 94¹⁰ possible combinations, or 53,861,511,409,489,970,176.

Let me list just the amounts of possible combinations, one on top of the other, so you can feel the pressure:

• 10.000.000.000
• 144.555.105.949.057.024
• 839.299.365.868.340.224
• 53.861.511.409.489.970.176

And that’s if we’re cool with the hacker and limit all passwords to exactly ten characters. The legal is to leave the variable quantity, because then the number of possible combinations is the sum of the combinations of each possible size.

Here fits a but: the strength of passwords is not limited by the forms you allow, but by the forms you require. If you allow your users to use all of the above forms but do not make demands, in practice most people will use the first or second form. Because in general, the criminals of today are more interested in breaking a lot of passwords at once instead of hacking the accounts of some anonymous person out there, criminals would be content to try to guess by brute force only a fraction of the passwords in their database. It would be enough for them to use brute force to break only the passwords of the first and second types.

P s..:

Why use such complex passwords? This would not make it difficult for the user to remember this password in a possible return to the system?

Most people nowadays always navigate from the same device, and they keep the password for the person - removing the restriction of difficulty remembering the password for most cases.

As you have already responded very well from a technical point of view, I will reply from the UX point of view.

Why some systems require such strong passwords?

Because there’s a concern legitimate with the safety of users - and also with the business of the company. No matter what service you are offering (withdrawal of your own money or access to memes on Facebook, for example), if a user’s account is stolen that user will not be the only one having problems. The overall perception of the quality of the service will be affected in a short time, as the user will certainly share this occurrence with their peers. Moreover, while from the individual’s point of view the worst that can occur is the theft of your data/goods, from the company’s point of view the worst is the identity theft: by impersonating someone who is not, the meliante will have more facility to steal more users using social engineering (impersonating a Facebook friend, for example) and will help the problem grow exponentially.

The solution used then is to make unauthorized access as difficult as possible, even to the detriment of other qualities (further). As colleagues have already responded well, complex and larger passwords are statistically harder to guess and proven more difficult to break.

This would not make it difficult for the user to remember this password in a possible back in the system?

Certainly. In the accepted reply it was commented that banks can allow themselves to provide short passwords because there are other (even physical) restrictions. Although that’s true, this is not motivation. This is another legitimate concern with users and business. A smaller password is potentially easier to remember, but the most important thing is that it’s faster to type it into the bank queue! Complex passwords require not only more complex (and expensive) equipment, but also more complex procedures. For example, the ATM numeric keypad occupies less physical space than an alphanumeric keypad; moreover, the user does not need to hold a SHIFT to enter a different character. That is, the bank’s concern is to make you wait less time in the queue because this is good for you and (mainly) for the bank, since it decreases the queues and allows the use by more customers.

In fact the ideal for a bank would not need any password, because any typo also generates delays (<ironia>ah, yes, of course, let’s not forget the user, who would no longer need to remember anything</ironia>). No wonder that even the Bank of Brazil now has Atms with fingerprint readers or palm...

Systems must force the user to create a strong password?

No, they shouldn’t. In fact my answer to that question is the suggestion to exchange a single word: Systems should auxiliary the user to create a strong password.

First of all, it is in the user’s interest that their profile, data and assets are kept safe, so that people naturally feel motivated to act to increase security. For example, you want more intrinsic motivation than being forced to change a password every 6 months, using a minimum size of 8 characters, at least 1 digit and 1 symbol, not being able to repeat the last 3 passwords used, and still continue using the service? (unfortunately it is a real case...). In other words, people tend to use the passwords that a company requires even if it makes their life hell. This makes me believe that if this process is facilitated, they will continue to have this interest (contrary to what may be believed there).

Secondly, it is already widely known that too complex passwords are bad not only for the user experience, but also for system security. If the user is forced to use a password difficult to remember (especially when the creation process is obscure for him), there are great chances of him annotate, reuse the same password in several different systems, and especially forget and need to change. Studies have shown, for example, that the forgetfulness of passwords does not result from age, as common sense may lead to believe, but to the amount of passwords used by the individual and the different contexts in which they are used (study reference: Passwords Usage and Human Memory Limitations: A Survey Across Age and Educational Background). In other words, the more passwords a person needs to remember, and the more out of context they use each of those passwords, the more people will forget the passwords and need to constantly change them.

So the ideal would be for designers to build the systems so that users are allowed to build passwords freely, but instructed to do so using real and meaningful sentences personally in the context of using the system. For example, users could be illustrated with a strong password for a literature website is not an excerpt from a Shakespeare book (which everyone can know), but a phrase of its own that translates as it sit down in relation to the service.

For example, consider the phrase, "The book I like best about George Orwell is 1984!". It is relatively easy to be remembered by the user because (1) it was he who chose it freely; (2) it is significant to the individual; and (3) it has a lot to do with the context of system use. One could argue that this reduces security because that information can be known by other people. But although this may be true, the phrase is sufficiently complex in the sense of the amount of permutations to make his divination enormously difficult exact. And in practice, this is what happens anyway: if the bookstore used the same tactics as the bank, the password of this user would probably be only "1984". :)

In my opinion, nay, I will explain why:

Overall, there are 2 main targets, the "Usuário" and the "Sistema".

However, most attacks targeted at a "Usuário" has as real objective to obtain information that will be used to attack a "Sistema".

In open systems the attacker doesn’t even need to attack a "Usuário" first, to attack the "Sistema", he himself can create a "Usuário" and from it explore possible faults. Unlike closed systems, where you will target a "Usuário" or the "Rede" to try to explore the "Sistema".

In both cases, the "Usuário" is not prepared to defend itself from an attack if it is the target. Most attacks made to "Usuários" common, are given through "Engenharia Social", then no matter how large or complex the password is if the attacker through the "Engenharia Social" be able to gift the "Usuário" with a trojan, the password has been broken at the level of "Usuário".

In relation to the comparison you made with the Bank, the system involves a number of other policies than the password itself, for example, as said the credit card are 4 digits, but in fact the credit transaction, depending on the medium, nor need the 4 digits, only the card data, however the "Sistema" is able to assess whether this purchase is within the standards of "Usuário" and take the necessary measures if the operation is suspected.

In short, in the case of "Usuário"(UX), I do not believe that forcing a complex password is essential security, in relation to "Sistema", this topic occupies extensive literature.