Posted by Chenxi Wang on October 21, 2011
After a bit of an XML display snafu, my report "Breaking Down Entropy And Passwords" is finally live on the Forrester website.
This report was inspired by a number of customer inquiries I received recently about mobile password policies. It struck me that few IT organizations actually understand the fundamental rationale behind the settings in a password policy: password length and complexity, the number of failed attempts permitted, and password lifetime. This is perhaps because we take user passwords, one of the most basic security controls, for granted and so don't think about them too deeply. Because passwords are such a prevalent control, and because many organizations don't have much beyond them, it is high time we understood why we set a particular password policy and whether it matches our particular risk profile.
So I set out to write this report to describe the theoretical underpinnings of password properties. For example, if you require your mobile users to unlock their phones with a 6-digit PIN, do you know how many failed attempts you can permit before lockout and still achieve NIST Level 1 (SP 800-63) authentication assurance? What about a 6-character alphanumeric password?
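As an added worked example (my own illustration, not code or figures from the report or from Forrester), here is the arithmetic behind that question. It assumes the SP 800-63 (2006 edition) rule that a targeted online guessing attack may succeed with probability no greater than 1 in 1,024 over the lifetime of the secret at Level 1 (1 in 16,384 at Level 2), and that the secret is chosen uniformly at random. The 90-day lifetime, 30-minute temporary lockout and 14-bit "effective entropy" figures are hypothetical policy inputs, not values from the report.

```python
"""Added worked example: sizing a failed-attempt lockout so that online
guessing of a PIN or password stays under an assurance-level bound.

Assumption: NIST SP 800-63 (2006 edition) caps a targeted online guessing
attack at a success probability of 1 in 1,024 over the secret's lifetime at
Level 1 and 1 in 16,384 at Level 2.
"""
import math
from typing import Optional

NIST_LEVEL_1 = 1024    # attacker success probability bound: 1 in 1,024
NIST_LEVEL_2 = 16384   # 1 in 16,384


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of possible secrets, e.g. 10**6 for a 6-digit PIN."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret drawn uniformly at random from that keyspace."""
    return length * math.log2(alphabet_size)


def guess_budget(space: int, one_in: int) -> int:
    """Largest total number of online guesses an attacker may get over the
    secret's lifetime while success probability stays <= 1/one_in.

    For a uniformly chosen secret each wrong guess rules out one value, so
    P(success after g guesses) = g / space. Integer division keeps the
    result exact.
    """
    return space // one_in


def guess_budget_from_bits(effective_bits: float, one_in: int) -> int:
    """Same budget expressed from an assumed effective entropy, for secrets
    that users choose themselves (which are far from uniform)."""
    return math.floor(2 ** effective_bits / one_in)


def lockout_windows(lifetime_days: int, lockout_minutes: Optional[int]) -> int:
    """How many times a temporary lockout can be waited out during the
    secret's lifetime. None means a hard lockout (device wipe or admin
    reset) that the attacker cannot wait out, i.e. a single window."""
    if lockout_minutes is None:
        return 1
    return max(1, (lifetime_days * 24 * 60) // lockout_minutes)


def max_retries_per_window(space: int, one_in: int, lifetime_days: int,
                           lockout_minutes: Optional[int]) -> int:
    """Failed attempts a policy may allow before each lockout."""
    return guess_budget(space, one_in) // lockout_windows(lifetime_days, lockout_minutes)


def policy_meets_bound(space: int, one_in: int, retries: int, lifetime_days: int,
                       lockout_minutes: Optional[int]) -> bool:
    """Check an existing policy: total guesses over the lifetime, times the
    bound's denominator, must not exceed the keyspace."""
    total_guesses = retries * lockout_windows(lifetime_days, lockout_minutes)
    return total_guesses * one_in <= space


if __name__ == "__main__":
    pin = keyspace(10, 6)
    print(f"6-digit PIN: {pin:,} values, {entropy_bits(10, 6):.1f} bits")
    print("Level 1 lifetime guess budget:", guess_budget(pin, NIST_LEVEL_1))
    print("Retries allowed before a hard lockout:",
          max_retries_per_window(pin, NIST_LEVEL_1, 90, None))
    print("Retries allowed per 30-minute lockout over a 90-day PIN life:",
          max_retries_per_window(pin, NIST_LEVEL_1, 90, 30))
    print("10 retries, hard lockout, meets Level 1?",
          policy_meets_bound(pin, NIST_LEVEL_1, 10, 90, None))
    print("10 retries, 30-minute lockout, meets Level 1?",
          policy_meets_bound(pin, NIST_LEVEL_1, 10, 90, 30))
    alnum = keyspace(62, 6)
    print(f"6-char alphanumeric: {alnum:,} values, {entropy_bits(62, 6):.1f} bits, "
          f"Level 1 budget {guess_budget(alnum, NIST_LEVEL_1):,}")
    # Hypothetical: a user-chosen 6-character password credited with only
    # 14 bits of effective entropy (an assumed figure, not a measurement).
    print("Budget at 14 effective bits:", guess_budget_from_bits(14, NIST_LEVEL_1))
```

Two points the numbers make. First, a 6-digit PIN with a hard lockout (wipe or admin reset) can tolerate several hundred failed attempts under the 1-in-1,024 bound, whereas a temporary 30-minute lockout that the attacker can simply wait out gives zero retries per window once the windows over a 90-day lifetime are counted; the lockout mechanism matters as much as the retry count. Second, the budget assumes a uniformly chosen secret; user-chosen PINs and passwords cluster heavily, so the same bound applied to an assumed effective entropy leaves only a handful of guesses.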
If you are interested in learning more about password security, there are a few excellent research papers that might be of interest. I recommend Microsoft Research's Dinei Florencio and Cormac Herley's "A Large-Scale Study of Web Password Habits" and "Where Do Security Policies Come From?" The first paper is an interesting empirical study, which found that typical web users (average consumers) choose weak passwords and do not follow password complexity rules, such as mixing upper- and lowercase letters and including special characters. The second discusses how one might set password policies, similar to some of the discussion in my report.
I've already received some good comments on the paper. If you have any suggestions, I'd love to hear what you think. I'm also interested in whether there are other security fundamentals that you might be interested in learning more about and whether you think Forrester should write about them.