Alrighty, this will be a fairly light post (in terms of my own applied analysis)... and, apologies, as it's a wee bit behind the curve on various news pieces in the past couple months (I'd intended to write this in early January - oops!;). Please note that this post applies only to user passwords; it does not apply to system and database passwords maintained within various environments.
Main Thesis: All this password analysis on compromised user password databases is fairly absurd. The breaches themselves are not generally the result of user passwords being compromised. As such, the time spent analyzing these passwords is largely a waste of time because it does not appreciably represent much risk to businesses; especially not to those that were compromised.
If this sounds like a topic I've discussed before, then you're right. I wrote about it roughly 18 months ago in my post "Password Complexity Is Lame." What got me going on this topic (albeit, back in Dec/Jan) was analysis of the STRATFOR compromise. Much ado was made of the passwords some folks were using (e.g., see this piece), and yet it was just inane mainstream media baloney. As per usual, users were assailed for their password selections, and yet who cares? What harm was really caused?
Rather than fully rehash everything that's been said, let me start out by wading through several of the pieces written...
Raf Los summarized the problem well in his piece "Are weak passwords to blame for your data breach?". It's a simple little diagram, but the fact of the matter is that it asks the right fundamental question from a risk analysis perspective.
Rob Graham at Errata Security had a decent post talking about his 3-tier password reuse approach. In particular, in talking about choosing his "first tier" passwords, he puts an emphasis on complexity saying they "...should both be very complex, as well as wholly unrelated to any other accounts." Unfortunately, this is just lame. "Complexity" is a red herring. Ultimately, the two main factors that really matter are 1) requiring a long password (16 chars or greater), and 2) not limiting the character set of the password. Beyond that, everything else will inevitably lead to other problems.
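To put numbers behind the "length beats complexity" claim, here is a small worked example (added here, not from any of the posts quoted above). It compares the keyspace of an 8-character password drawn from the full printable-ASCII set against a 16-character lowercase-only password, and then shows how long exhausting each keyspace takes at two guess rates. Both rates are constructed assumptions for illustration: a throttled online login form, and an offline attack on a leaked fast hash.

```python
import math

# Constructed guess rates for illustration only (not measurements): an online
# login form behind throttling, and an offline attack on a leaked fast hash.
GUESS_RATES = {
    "online, throttled": 10.0,   # guesses per second
    "offline, fast hash": 1e10,  # guesses per second
}

# Policies to compare: (label, password length, size of the allowed character set).
POLICIES = [
    ("8 chars, full printable ASCII", 8, 95),
    ("8 chars, lowercase only", 8, 26),
    ("16 chars, lowercase only", 16, 26),
    ("16 chars, full printable ASCII", 16, 95),
]

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length: int, charset_size: int) -> int:
    """Number of distinct strings of exactly `length` over `charset_size` symbols."""
    return charset_size ** length


def entropy_bits(length: int, charset_size: int) -> float:
    """Bits of entropy if every string in the keyspace were equally likely."""
    return length * math.log2(charset_size)


def years_to_exhaust(length: int, charset_size: int, guesses_per_second: float) -> float:
    """Worst-case time to try the entire keyspace at a fixed guess rate."""
    return keyspace(length, charset_size) / guesses_per_second / SECONDS_PER_YEAR


def build_table() -> list:
    """One row per policy: entropy plus exhaustion time at each guess rate."""
    rows = []
    for label, length, cs in POLICIES:
        row = {"policy": label, "bits": round(entropy_bits(length, cs), 1)}
        for rate_name, rate in GUESS_RATES.items():
            row[rate_name] = years_to_exhaust(length, cs, rate)
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in build_table():
        print(f"{row['policy']:32s} {row['bits']:6.1f} bits  "
              f"online: {row['online, throttled']:.3g} yrs  "
              f"offline: {row['offline, fast hash']:.3g} yrs")
```

Two things fall out of the table. The 16-character lowercase password has a keyspace several million times larger than the 8-character "complex" one, so length dominates. And the same 8-character lowercase password that falls in seconds offline would take centuries against a login form that only accepts ten guesses a second, which is why the guess rate the server permits matters more than either knob.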
Ultimately, Bill Brenner got to the heart of the matter in his CSO "Salted Hash" blog post, "Passwords are better off dead" when he points out the main problem: that passwords are still the primary form of authentication! Indeed, what all this user password analysis overlooks is the major problem that we lack a truly viable, mainstream(able) alternative to passwords. Until we solve this problem of finding an alternative, we'll continue to have these inane discussions on password strength/complexity.
The New School guys add, in a post titled "New School Approaches to Passwords", saying: "We need to agree that passwords suck when they're not properly cared for, and that caring for them is hard. So we need to assume that passwords will tend to be poor, reused, etc, and develop methods to deal with that. Most of our mechanisms today punish users." Why do we punish users when they're not responsible for the primary defense measures? For that matter, why are we punishing or maligning users for failing to treat information risk that isn't theirs to manage? It doesn't make sense.
The root labs rdist blog made an excellent point in their post "On the evolving security of password schemes", saying: "Password security is a difficult problem, especially with a varied user base. However, most admins focus too much on increasing entropy of user choices and not enough on decreasing the attacker's guess rate and implementing responses to limit their access when they do get a hit." Which is to say: the primary defense methods really have nought to do with "password strength/complexity."
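The rdist point, "decrease the attacker's guess rate and implement responses", is a server-side control that never looks at the password at all. The sketch below is an added illustration (my own, not code from rdist or any of the posts cited) of a login guard with two independent responses: a per-account delay that doubles after each consecutive failure, and a per-source failure budget inside a sliding window. The thresholds, delays and the two simulated scenarios are assumptions chosen for the demo.

```python
from collections import defaultdict, deque


class LoginGuard:
    """Server-side response policy for a login endpoint (added illustration).

    Two independent controls, neither of which depends on password strength:
      * per-account backoff: after each consecutive failure the next attempt on
        that username is refused until a delay that doubles each time has passed;
      * per-source budget: a client address that accumulates too many failures
        inside a sliding window is refused for the rest of that window.
    Thresholds and delays are assumptions chosen for the demo.
    """

    def __init__(self, base_delay=1.0, max_delay=300.0, source_budget=20, window=600.0):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.source_budget = source_budget
        self.window = window
        self._fails = defaultdict(int)          # consecutive failures per username
        self._not_before = defaultdict(float)   # earliest accepted time per username
        self._source_fails = defaultdict(deque)  # failure timestamps per source

    def _prune(self, source, now):
        q = self._source_fails[source]
        while q and now - q[0] > self.window:
            q.popleft()

    def check(self, user, source, now):
        """Decide whether to even look at the submitted password."""
        self._prune(source, now)
        if len(self._source_fails[source]) >= self.source_budget:
            return False, "source budget exhausted"
        if now < self._not_before[user]:
            return False, "account backoff"
        return True, "ok"

    def record(self, user, source, success, now):
        """Update counters after a credential check that was actually performed."""
        if success:
            self._fails[user] = 0
            self._not_before[user] = 0.0
            return
        self._fails[user] += 1
        delay = min(self.base_delay * 2 ** (self._fails[user] - 1), self.max_delay)
        self._not_before[user] = now + delay
        self._source_fails[source].append(now)


def simulate_single_account(guard, user="alice", source="203.0.113.7"):
    """Constructed scenario: one client hammers one account once a second for a minute."""
    accepted = 0
    for tick in range(60):
        now = float(tick)
        ok, _ = guard.check(user, source, now)
        if ok:
            accepted += 1
            guard.record(user, source, success=False, now=now)
    return accepted


def simulate_spray(guard, source="198.51.100.9", accounts=100):
    """Constructed scenario: one client tries a different account each second."""
    accepted = 0
    for i in range(accounts):
        now = float(i)
        ok, _ = guard.check(f"user{i}", source, now)
        if ok:
            accepted += 1
            guard.record(f"user{i}", source, success=False, now=now)
    return accepted


if __name__ == "__main__":
    print("single-account attempts reaching the password check:", simulate_single_account(LoginGuard()))
    print("spray attempts reaching the password check:", simulate_spray(LoginGuard()))
```

With these settings, sixty guesses at one account get only six real password checks (the backoff swallows the rest), and a sweep across a hundred accounts from one address is cut off after twenty. Neither outcome changed because a user picked a better password; both came from the server refusing to be a fast oracle.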
In a different post, The New School folks found an interesting paper around the same time that called into question the related password-management practice of password expiration. In a nutshell, a real study concluded that enforcing password expiration isn't all that useful, and may actually reduce security (or increase risk). That goes along with my post that reminds us that considering our primary defense mechanisms is probably more important than assessing the individual strength of the passwords themselves.
Lastly, in a separate study (and unrelated to the STRATFOR analysis reports), the Light Blue Touchpaper blog posted an interesting analysis of password brute-force attack patterns that they observed over a 2-week period. As with the paper on password expiration, this actual research was interesting because it observed common attack patterns, and once again highlights a number of key issues. One of the more interesting observations was that some guessing attempts used fairly complex, but specific, strings, with the theory that someone was using a sizable database for guessing (e.g., you can get a database of >2 million passwords that includes the "500,000 most popular passwords").
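The patterns the Light Blue Touchpaper post describes are visible in ordinary authentication logs without ever logging the guessed passwords. The script below is an added example (mine, not from that blog) that parses a constructed set of log lines in an assumed `auth OK|FAIL user=... src=...` format and labels each source address as hammering a single account, spraying one guess across many accounts, or behaving normally. The addresses are from the RFC 5737 documentation ranges and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real data); addresses from RFC 5737 test ranges.
SAMPLE_LOG = """\
2012-01-15T10:00:01Z auth FAIL user=alice src=203.0.113.5
2012-01-15T10:00:02Z auth FAIL user=alice src=203.0.113.5
2012-01-15T10:00:03Z auth FAIL user=alice src=203.0.113.5
2012-01-15T10:00:04Z auth FAIL user=alice src=203.0.113.5
2012-01-15T10:00:05Z auth FAIL user=alice src=203.0.113.5
2012-01-15T10:00:06Z auth FAIL user=alice src=203.0.113.5
2012-01-15T10:01:00Z auth FAIL user=bob src=198.51.100.20
2012-01-15T10:01:01Z auth FAIL user=carol src=198.51.100.20
2012-01-15T10:01:02Z auth FAIL user=dave src=198.51.100.20
2012-01-15T10:01:03Z auth FAIL user=erin src=198.51.100.20
2012-01-15T10:01:04Z auth FAIL user=frank src=198.51.100.20
2012-01-15T10:01:05Z auth FAIL user=grace src=198.51.100.20
2012-01-15T10:02:00Z auth OK user=dave src=192.0.2.33
2012-01-15T10:02:30Z auth FAIL user=carol src=192.0.2.33
2012-01-15T10:02:35Z auth OK user=carol src=192.0.2.33
"""

# Assumed log format; adjust the pattern for a real application's logger.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(lines):
    """Turn raw lines into event dicts, skipping anything that does not match."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def profile_sources(events):
    """Per source address: how many failures against each username."""
    per_src = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["result"] == "FAIL":
            per_src[e["src"]][e["user"]] += 1
    return per_src


def classify(per_src, brute_fails=5, spray_users=5):
    """Label each source by the shape of its failures, not by what it guessed."""
    verdicts = {}
    for src, users in per_src.items():
        worst_single_account = max(users.values())
        if len(users) >= spray_users and worst_single_account <= 2:
            verdicts[src] = "password spraying"
        elif worst_single_account >= brute_fails:
            verdicts[src] = "single-account brute force"
        else:
            verdicts[src] = "normal"
    return verdicts


def analyse(log_text):
    return classify(profile_sources(parse(log_text.splitlines())))


if __name__ == "__main__":
    for src, verdict in analyse(SAMPLE_LOG).items():
        print(f"{src:16s} {verdict}")
```

The two attack shapes call for different responses: repeated failures on one account are what per-account backoff handles, while a spray that touches each account only once slips under any per-account rule and is only caught by watching the source. Either way, the detection key is the failure pattern, which is why the strength of the individual passwords never enters into it.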
A few quick take-away points:
* Password strength/complexity is a red herring. Length and a large available character set are typically the only important attributes.
* The primary defensive measures against password brute-force attacks typically have little, if anything, to do with password strength/complexity.
* Analysis of user passwords is a red herring. Those passwords almost universally have nothing to do with the cause of the compromise.
* Even seemingly mundane and OK practices like password expiration can be detrimental.
* Password reuse may be problematic unless using a tiered approach aligned by your own personal risk tolerances.
I only expect the data to continue building that supports these conclusions. Now, if we could just find a viable, universal replacement for passwords...
Update (2/7/12): Someone posted this article from Nov 2011 on Twitter, which talks about the "top 25 worst passwords"... this kind of reporting is just plain stupid as it lacks context and useful analysis. Just because a password is "weak" does not make it "bad" - it all depends on where it's being used, and the potential impact of it being guessed. It's the same point that several made about the STRATFOR passwords.