I got on a password rant yesterday. My bank updated its online security, which forced me to create an even more complex password than I had before.
My issue with this is two-fold. First, it's my password; it's my risk. The bank should simply give me feedback on how secure it judges my password to be and make me agree to a risk-assessment statement. They need to secure access in other ways than my password anyway, but if someone "guesses" my password because I have a weak one, that should legally be on me, not the bank.
Second, my 401K is secured over the phone by a 5-digit combination. For those not quick at math, that gives a one in one-hundred-thousand chance of random access. If brute force is used by hacking the account through a hijacked interface that tricks the backend system into believing a phone is being used, then finding the code would take a standard PC roughly 25 microseconds (not a typo).
Why then is an institution which secures up to millions in a single portfolio (as opposed to maybe a few thousand at best for a checking account) not concerned about such weak security for access? How can they avoid this liability?
In all fairness, people do not access their 401K as often as they do their checking account, so monitoring statistics for brute force is easier. However, that's exactly the point. They place other mechanisms behind the passcode to help prevent access. They lock out access after too many retries and increase the delay before the next attempt is accepted after each failure. Miss it once, one-second delay to retry. Miss it twice, four-second delay. Miss it three times, nine-second delay. Miss it four times, lock out!
I think banks could use a similar method. Go into the password-recovery protocol after the sixth miss of the password. The password-recovery option is available up front every time anyway, so the bank isn't protecting the user from this feature. A hacker could try it first without making a single password attempt. Making those who can't remember their password go through a second authentication after six tries is no additional risk.
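The escalating-delay scheme described above (1 s, 4 s, 9 s, then lockout), written out as a login throttle. This is an added example, not the bank's or the 401K provider's code; the lockout window, the PBKDF2 parameters and the in-memory account record are assumptions for the demo.

```python
"""Login throttle with the escalating delays the post describes for the
phone passcode: 1 s, 4 s, 9 s after the 1st..3rd failure (n**2 seconds),
full lockout after the 4th.  Added example, not the bank's code; the
lockout window, PBKDF2 parameters and in-memory account record are
assumptions for the demo.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

LOCKOUT_AFTER = 4           # failures before the account locks (post's schedule)
LOCKOUT_SECONDS = 15 * 60   # assumed lockout window


def hash_code(code: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked store cannot be brute-forced cheaply
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    next_allowed: float = 0.0   # epoch seconds; attempts before this are refused

    @classmethod
    def create(cls, code: str) -> "Account":
        salt = os.urandom(16)
        return cls(salt, hash_code(code, salt))


def attempt(acct: Account, code: str, now: float) -> str:
    """Return 'ok', 'wrong', 'wait' or 'locked'.

    Attempts made during a delay are refused *without* checking the code,
    so an attacker gains no information by submitting early.
    """
    if now < acct.next_allowed:
        return "locked" if acct.failures >= LOCKOUT_AFTER else "wait"
    if hmac.compare_digest(hash_code(code, acct.salt), acct.digest):
        acct.failures, acct.next_allowed = 0, 0.0
        return "ok"
    acct.failures += 1
    if acct.failures >= LOCKOUT_AFTER:
        acct.next_allowed = now + LOCKOUT_SECONDS
        return "locked"
    acct.next_allowed = now + acct.failures ** 2   # 1 s, 4 s, 9 s
    return "wrong"
```

The `now` parameter is injected rather than read from the clock so the schedule can be exercised deterministically; a real deployment would also persist the record and log the lockout event.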
At the end of the day, there is this notion that the password itself defines the protection against cracking the code. This is a half-truth. Word lists and brute force are what passwords protect against. They do not protect against social-engineering or hiding your password on a sticky note under your keyboard. Lists and brute force attacks are all the banks are really protecting themselves against anyway. So let's take a look at what makes this idea only partially true.
The idea of adding numbers and special characters to a password is that the security code then has more unique combinations that must be tried before discovering it in a continuous or random retry attempt to crack it. However, the misconception here is that what matters is not the uniqueness of the characters in the password itself but rather the number of possible combinations allowed by the input. In other words, if only digits are used for a passcode, and the hacker knows only digits are used, then the hacker only needs to try number combinations. This means there are only 10 billion combinations in a 9-digit code...you know, like your social security number (or 10 thousand if it has been redacted).
If we add letters and numbers to the input options, then we get 36 possibilities for each position. This ups the total combinations for that 9-character password to roughly 100 trillion. If you allow capitals then that's 56 possible combinations per position, upping the total sequences to over 5 quadrillion. With all the special characters on a standard PC keyboard allowed as input, a nine-character password hits a little over a quintillion possibilities...or roughly five years to brute force every combination.
Many people then ask, if it takes that long to try every combination, then why make me add special characters? Well, this is where the other side of the argument comes in. That's the time it would take to try every combination, not necessarily your combination. And hacking programs typically try simple guesses first, then add more complexity to their attempts afterwards. Thus, if your password is "aaa" then it will probably be attempted in the first thousand attempts of the total quintillion tries. In fact, many hackers are only looking for weak passwords and don't even try harder ones. They just move on to the next "unlocked" door.
Doesn't that justify the bank's special-character requirement? Yes and no. From their perspective, they can stand on that argument no matter how inconvenient it is to the user. However, the length of the password adds that complexity back in. I can show that if the password (passphrase) is long enough, its "simplicity" will not matter because the number of even "simple" combinations is too great.
The password P@55w0rd meets nearly every bank's super-secure combination requirements and is rated "Very Strong" by most password analyzers. However, it is only 8 characters long and uses common substitutions of symbols and numbers for letters, meaning a hacking app will place these human obfuscation methods earlier in its lists of attempts. Also, keep in mind that if the bank requires a 7-character minimum, the hacker is going to start with 7-character combinations. Your secure 8-character password hits fairly early in all the combinations it tries. Depending on the method used, this password can be obtained in as little as six hours of continuous, deliberate brute-force attempts.
On the flip side, the passphrase "My dog has Fleas" (without the quotes) is 16 characters long. Passwordmeter.com rates it only "Strong" because no numbers or special characters are used. In fact, the site rates it 20 points lower than the password in the above paragraph. However, it has 416 octillion total combinations using only "simple character" combinations. This means the same simple-first method of cracking, starting with 7-character combinations, would likely not find my passphrase until more than a billion years had passed.
Even a no-spaces-no-numbers-no-capitals password which is 14 characters long ("incredibleness") has 64 quintillion alternate matches which may have to be tried before guessing it, although Passwordmeter.com rates this word as "Very Weak." Yet even assuming the hacking app could try 4 billion password combinations per second, and assuming the best of word lists and human commonalities allow the hacking method to find it within the first 1% of the possible combinations, it would still require 5 years to crack it.
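The keyspace arithmetic behind the last several paragraphs, carried through for the alphabets the post compares and for the shortest-first search order it describes (start at the site's minimum length). This is an added example, not from the original post; the 4 billion guesses per second is the post's assumed attacker throughput, and the alphabet sizes are the standard ASCII counts.

```python
"""Keyspace sizes and exhaustive-search times for the alphabets the post
compares.  Added example, not from the original post; the 4e9 guesses/s
rate is the attacker throughput the post assumes, and the shortest-first
model (start at the site's minimum length) is the post's description of
how cracking tools order their guesses.
"""
GUESSES_PER_SECOND = 4_000_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Alphabet an attacker assumes once the allowed input set is known
ALPHABETS = {
    "digits": 10,
    "lowercase": 26,
    "lowercase+digits": 36,
    "mixed-case letters": 52,
    "printable ASCII": 95,
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct strings of exactly `length` symbols from the alphabet."""
    return alphabet_size ** length


def guesses_shortest_first(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Guesses needed to finish every length from min_len up to max_len,
    i.e. the work a tool does before it is certain to have hit a
    max_len-character password drawn from this alphabet."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def years_to_search(guesses: int, fraction: float = 1.0,
                    rate: int = GUESSES_PER_SECOND) -> float:
    """Years to cover `fraction` of the guesses at `rate` guesses per second."""
    return guesses * fraction / rate / SECONDS_PER_YEAR


def compare(a: tuple, b: tuple, min_len: int = 7) -> tuple:
    """Return the (alphabet name, length) policy with the larger shortest-first work."""
    work = {p: guesses_shortest_first(ALPHABETS[p[0]], min_len, p[1]) for p in (a, b)}
    return max(work, key=work.get)


if __name__ == "__main__":
    for name, size in ALPHABETS.items():
        for length in (8, 9, 14, 16):
            yrs = years_to_search(guesses_shortest_first(size, 7, length))
            print(f"{name:>20} x{length:2}: {yrs:12.3g} years")
```

Run stand-alone it prints the years-to-exhaust table; the point to read off is that 14 lowercase characters outwork 8 printable-ASCII characters by several orders of magnitude at any guess rate.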
So, while numbers and special characters add to the complexity of the password, and likely increase the time before it can be found in the list of total attempts, they really aren't necessary once the password reaches a certain length. I do still recommend using at least a capital letter, space or underscore somewhere in your code. That said, even if your bank makes you meet these in-my-opinion silly requirements, the key to a secure password is how long it is. Size matters!