Complex passwords at the device level have been frequently used to protect sensitive business data on mobile devices.
Passwords were typically kept complex in ways that prevented users from reusing the same password multiple times. In addition, passwords would typically have to meet certain criteria, such as being a certain length.
However, with Android 12 Google will be ushering in a new framework for password policies by replacing the existing “Password Quality APIs” with “Password Complexity APIs”.
What Are the Benefits of Password Complexity APIs?
If passwords are very complex, users are more likely to forget them, resulting in the potential loss of their personal data. It may also force the user to reset the device back to its factory defaults. In addition, given developments in Android hardware, the password quality APIs have become outdated and no longer comply with current security recommendations.
With the new complexity APIs, so-called bucket-based password policies are set on the passwords at the device level. Bucket-based password policies are quasi-pre-defined units – high, medium or low – that facilitate a less complicated password configuration which still remains secure.
Enterprise security is not neglected. Google uses an example to explain why entering an extremely complex password should no longer be mandatory to unlock a device. By default, Android devices already have a feature at the hardware level which slows down the ability to enter passwords. The first five attempts may be typed in under one second. After that, 30 seconds must be waited between each attempt, and this waiting time is increased tenfold each time after the tenth attempt. As a result, guessing a simple password could take a malicious actor months or even years.
But even if companies prefer to enforce a more granular password policy on the device, this will still be possible in Android 12 for company-owned devices for the time being. And with the Work Security Challenge, companies can set a granular password which only applies to the Work Profile – the separate area where the user accesses managed apps for work. Therefore a standard password for the device and a more complex one for the work profile can be easily combined.
You can read more information about the update in this PDF article from Google.