The use of special characters in passwords is not recommended.
AWS password policies can require the presence of special characters in IAM user passwords used to access the AWS console. However, based on extensive experience and industry guidance, we do not use password policies that require special characters, for two major reasons: special characters in passwords can cause interpretation problems in programmatic environments, and requiring them has an adverse effect on how securely users generate passwords.
Users are usually the source of passwords, since they will need to use and ultimately remember them. The ideal password therefore maximises security whilst remaining memorable to the user. Requiring special characters or digits results in a significant portion of user-generated passwords where the required characters are simply appended to the end of an otherwise unchanged password.
When a digit was required, 77.46% of passwords had digits appended to the end of the original password, and in at least 11% of cases this digit was a single 1. The result of such a policy is a trivial increase in password security that is easily undermined and incentivises users towards compliance-oriented rather than security-oriented actions.
Whilst any character-class requirement can have this effect, special characters have an additional operational issue that does not affect digits or other alphanumeric characters.
Special characters often serve as control characters in interpreted computational environments, triggering string termination, character escaping, subprocess initialisation, variable references and other unwanted actions when a password is parsed. For example, semicolons are frequently used to terminate statements, which can create opportunities for SQL injection attacks and other manipulative behaviours. Other common special characters, such as quotes, exclamation marks, commas and periods, can also carry various functions across different programming languages.
Whilst this shouldn’t be a concern for AWS Console access, since IAM user access keys exist for programmatic usage, as a general rule we dislike passwords containing special characters wherever those passwords may need to be used in a programmatic context. A single layer of interpretation is simple enough to handle, but the problem compounds when multiple levels of interpretation are involved.
Ideally, AWS password policies should not mandate any particular character classes and should instead increase the minimum password length to achieve the desired security. If that’s not possible due to policy restrictions, we recommend removing the special-character requirement first, as this removes the most problematic group of characters, which bring their own unique set of problems.
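As an added example (not code from the original article), the following Python audits a `get-account-password-policy` response for the settings discussed above, in the priority order we recommend, and builds the matching `update-account-password-policy` command; the two sample responses and the 16-character length target are constructed assumptions, not AWS defaults or real account data.

```python
"""Audit an AWS IAM account password policy against the guidance above.
Input is the JSON from `aws iam get-account-password-policy`; both samples
and the MIN_LENGTH target are constructed for this example."""
import json

MIN_LENGTH = 16  # assumed length target, not an AWS default
# Constructed sample shaped like the API response (not real account data).
WEAK_RESPONSE = json.dumps({"PasswordPolicy": {
    "MinimumPasswordLength": 8, "RequireSymbols": True, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True, "ExpirePasswords": False}})
# Constructed sample already following the guidance: length only, no classes.
STRONG_RESPONSE = json.dumps({"PasswordPolicy": {
    "MinimumPasswordLength": 20, "RequireSymbols": False, "RequireNumbers": False,
    "RequireUppercaseCharacters": False, "RequireLowercaseCharacters": False,
    "AllowUsersToChangePassword": True, "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24}})
CLASS_KEYS = ("RequireNumbers", "RequireUppercaseCharacters", "RequireLowercaseCharacters")


def audit_policy(response_json, min_length=MIN_LENGTH):
    """Findings in the order the article prioritises them: symbols first,
    then other character-class rules, then an insufficient minimum length."""
    policy = json.loads(response_json)["PasswordPolicy"]
    findings = []
    if policy.get("RequireSymbols"):
        findings.append("RequireSymbols enabled: remove this requirement first")
    for key in CLASS_KEYS:
        if policy.get(key):
            findings.append(f"{key} enabled: class rules invite predictable suffixes")
    length = policy["MinimumPasswordLength"]
    if length < min_length:
        findings.append(f"MinimumPasswordLength {length} < {min_length}: raise it")
    return findings


def remediation_command(response_json, min_length=MIN_LENGTH):
    """Build the update-account-password-policy call. The API does not do partial
    updates, so every setting worth keeping must be restated explicitly."""
    policy = json.loads(response_json)["PasswordPolicy"]
    length = max(min_length, policy["MinimumPasswordLength"])
    args = [f"--minimum-password-length {length}", "--no-require-symbols",
            "--no-require-numbers", "--no-require-uppercase-characters",
            "--no-require-lowercase-characters"]
    if policy.get("AllowUsersToChangePassword"):
        args.append("--allow-users-to-change-password")
    if policy.get("MaxPasswordAge"):
        args.append(f"--max-password-age {policy['MaxPasswordAge']}")
    if policy.get("PasswordReusePrevention"):
        args.append(f"--password-reuse-prevention {policy['PasswordReusePrevention']}")
    return "aws iam update-account-password-policy " + " ".join(args)
```

Because the update call replaces the whole policy rather than patching it, any age or reuse settings omitted from the generated command would silently revert to their defaults, which is why the builder carries them over from the audited policy.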
Our general password policy is detailed in our guidance article summarising our enterprise standard password policy.
SkySiege Cloud Security Assessments scan for this issue and provide same-day reports.
Available for individual projects or organisations.