Password policy (Draft)

Jump to: navigation, search

This document is an attempt to write draft replacement for Password length & complexity page.

What Is Password Policy


Threat Model

There are three main threats against to user passwords:

  • Online attacks
  • Offline attacks
  • Password leaks

Online Attacks

In this mode attacker tries to guess users passwords by sending candidate passwords directly to attacking service.

The speed and feasibility of online attacks are defined by security mechanisms implemented by application such as rate limiting authentication requests per user, IP address, etc. As well as by overall performance of network infrastructure and application.

Offline Attacks

If attacker have got a passwords file or a database dump or a captured traffic (e.g. Kerberos ticket or WiFi frames) and passwords are protected with some kind of crypto then attacker may mount so called offline attack.

The speed of offline attack is defined by resources available to attacker as well as robustness of methods used to protect user's passwords. In many cases the difference is speed between online and offline mode is order of magnitude in favour of offline mode.

Depth vs. Breadth

In context of password policy discussions it might be useful to distinguish targeted and untargeted attacks by attacker's primary goal:

Targeted (depth-first) 
Attacker needs to guess password of a specific user.
Untargeted (breadth-first) 
Attacker would be satisfied to find out any password of any account or want to collect as much valid credentials as possible.

Password Leaks

There are plenty of threats for passwords confidentiality that have no relation to guessing techniques at all. Examples are:

  • Phishing and social engineering attacks;
  • Malware installed on users devices;
  • Capturing passwords during transmissions over insecure channels;
  • Etc.

Password Policy as a Mitigation to Passwords Threats



  1. Password strength policy considerations. by Solar Designer
  2. An Administrator’s Guide to Internet Password Research. Dinei Florencio ˆ, Cormac Herley, and Paul C. van Oorschot. 2014
  3. Passwords and the Evolution of Imperfect Authentication. Joe Bonneau, Cormac Herley, Paul C. van Oorschot, and Frank Stajano. 2015