Running from the truth
Robin Hanson has an interesting article, “Desert Errors:”
His findings stayed secret until 1947, when he was allowed to publish his pioneering Physiology of Man in the Desert. It went almost entirely unnoticed. In the late 1960s, marathon runners were still advised not to drink during races and until 1977, runners in international competitions were banned from taking water in the first 11 kilometres and after that were allowed water only every 5 kilometres.
So not only were authorities dead wrong, but they were so confidently wrong that, in the name of helping runners, they paternalistically forced runners to do the exact worst thing! How could authorities be so wrong for so long on something that was so easy to personally test, and with such huge consequences? And how could they remain wrong for three decades after careful study had proved them wrong?
In information security, it’s harder to test these sorts of things. And that’s why we need openness. Password complexity rules are the equivalent of the no-water rules. Actually, I have no evidence of that. No one does. We don’t know how often passwords are discovered by brute force testing (live), by breaking into the site and stealing either cleartext or hashes, or by phishing or malware. Only two of those five cases are impacted by complexity rules. If we had more data, we could move from edict to engineering.
To tie it back to Robin Hanson’s post, I’m confident that I’m wrong, and I don’t like it.
This is interesting. I’ve often wondered about password complexity rules. Do we have any reason to impose them when there’s no offline attack? On probably the most basic thing in security, if there’s a good reason to annoy users with complexity rules, we haven’t done a good job of explaining it.
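The five compromise paths listed above, and the question of whether a complexity rule does anything when there is no offline attack, can be put into a small guess-budget model. What follows is an added example, not code from the original post or its author. Every number in it is an assumption chosen for illustration: the online throttle (100 attempts per account per hour), the offline cracking rate (1e10 guesses per second against a fast unsalted hash), the one-day and one-year windows, and the three policies. Passwords are modelled as uniformly random over the policy keyspace, which is the best case for the defender.

```python
"""Guess-budget model for the five password-compromise paths in the post.

Added illustration, not code from the original post. All rates, windows and
policies are assumptions. Passwords are treated as uniformly random over the
policy's keyspace; real users choose far from uniformly, so the fractions
below are the defender's best case, not a measurement.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY


@dataclass(frozen=True)
class AttackPath:
    name: str
    # Guesses the attacker can make per second along this path.
    # None means the attacker obtains the password without guessing at all,
    # so no complexity rule can change the outcome.
    guesses_per_second: Optional[float]

    @property
    def affected_by_complexity(self) -> bool:
        return self.guesses_per_second is not None


# The five cases from the post, with assumed guess rates.
ATTACK_PATHS: List[AttackPath] = [
    # Online guessing against the live site, throttled to an assumed
    # 100 attempts per account per hour by lockout / rate limiting.
    AttackPath("live brute force", 100 / 3600),
    AttackPath("stolen cleartext", None),
    # Stolen hashes cracked offline at an assumed 1e10 guesses/s, i.e. a fast
    # unsalted hash on GPU hardware. A slow KDF would cut this by many orders
    # of magnitude; that refinement is not in the post.
    AttackPath("stolen hashes", 1e10),
    AttackPath("phishing", None),
    AttackPath("malware", None),
]


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of passwords of exactly `length` drawn from the alphabet."""
    return alphabet_size ** length


# Assumed policies, described only by the keyspace they guarantee.
POLICIES: Dict[str, int] = {
    "8 lowercase letters": keyspace(26, 8),
    "8 chars, all 94 printable ASCII": keyspace(94, 8),
    "16 lowercase letters": keyspace(26, 16),
}


def fraction_searched(space: int, path: AttackPath, window_seconds: float) -> Optional[float]:
    """Fraction of the keyspace the attacker can enumerate within the window.

    Returns None when the path involves no guessing; otherwise a value in
    [0, 1]. The expected time to hit a uniformly chosen password is half of a
    full sweep, so a fraction near 1.0 means the policy is already broken.
    """
    if path.guesses_per_second is None:
        return None
    return min(1.0, path.guesses_per_second * window_seconds / space)


def affected_paths() -> List[str]:
    """Names of the paths on which a complexity rule can matter at all."""
    return [p.name for p in ATTACK_PATHS if p.affected_by_complexity]


def report(window_seconds: float = SECONDS_PER_DAY) -> Dict[Tuple[str, str], Optional[float]]:
    """Fraction searched for every (policy, path) pair over the window."""
    return {
        (policy, path.name): fraction_searched(space, path, window_seconds)
        for policy, space in POLICIES.items()
        for path in ATTACK_PATHS
    }


if __name__ == "__main__":
    print("Paths a complexity rule can influence:", affected_paths())
    for (policy, path), frac in report().items():
        shown = "n/a (no guessing)" if frac is None else f"{frac:.2%}"
        print(f"{policy:32} {path:18} {shown}")
```

Under these assumptions three of the five paths involve no guessing and are untouched by any complexity rule. Online guessing behind the assumed throttle enumerates a negligible slice of even the 8-lowercase keyspace in a year, so the rule buys little there; offline cracking of a fast hash sweeps the 8-lowercase space within a day and roughly 14% of the 94-character space, which is where the rule, or more usefully length and a slow KDF, changes the outcome. The caveat is the uniform-choice assumption: real attackers try common passwords first, which is a blocklist problem rather than a complexity one, and is exactly the kind of thing the post says we lack data on.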