Slashdot Mirror


Are Strong Passwords All That Strong?

pondering-on-passwords asks: "I work at a company that is planning to implement strong passwords to increase network security. Personally, I think that this may be counterproductive since the passwords will tend to be more cryptic than most people are used to and I believe that they will write them down and leave them very close to their computers. I think this will be a greater risk for our traveling people using laptops. A strict security policy that is enforced may help some, but I still believe that people will end up making their passwords more accessible in the end. I am trying to find some information for or against implementing strong passwords, statistics on security breaches, etc. to back up my beliefs. Of particular interest would be material specifically on strong passwords, types of security breaches (i.e. social engineering, exploiting system vulnerabilities, password cracking, password theft, etc.), and possible alternative security methods (i.e. hardware tokens)."

5 of 44 comments

  1. What's the exposure? by coyote-san · Score: 4

    Maybe you just skipped it, but it sounds like the policy is missing an important issue.

    What is the exposure to risk?

    System-level root passwords need to be *hard*, if you use them at all. I generally create them with a recursive MD5 hash (with random salt mixed in) until I have a password with two uppercase, two lowercase, 2 punctuation, one digit, and one wildcard character. NOBODY will remember it, but nobody has to - these passwords are written onto a 3x5 card, sealed in an envelope, and locked up in a desk against truly dire circumstances.

    Anyone with root access via sudo should be able to choose their own password intelligently. If their password is compromised, it's a mandatory written reprimand. This tends to make them careful about ensuring that they NEVER use unencrypted channels - no telnet, no ftp. This might seem harsh, but if a sysadmin is sloppy about choosing their password or tools then they're probably sloppy elsewhere, and repeated violations are grounds for serious concern.

    As for everyone else - if an attacker can do much damage with these accounts then the finger still points at the sysadmins. The problem, in this case, isn't the bad password, it's the bad file permissions, unapplied security patches, etc.

    For other reasons these users should still have reasonable passwords, but until you have shut off every single service that uses unencrypted or trivially encrypted traffic (telnet, ftp, pop3/imap, etc.) then you're just pissing in the wind if you're counting on them to protect your system. Check the password against cracklib to get users in the habit of choosing good passwords (e.g., no "bob2" passwords), but otherwise put your attention someplace where it will do some good.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  2. Easy to remember, hard to crack passphrases by gengee · Score: 3

    Users need not remember 12-character long strings of random digits and characters. They just need a training course on how to pick a good password.

    Pass phrases are probably the easiest remedy.

    Just have your users pick a phrase from a current song that they like, and use the first letter from each word as a character in the password. Substitute numbers for certain characters, capitalize proper nouns etc. (e.g., She was a Sour Girl the day that she left me == SwaSGtdts1m)

    Very easy to remember, but still pretty darn hard to crack. This way, they'll also be more forgiving about changing their password every few months. Leave Jack the Ripper running on a spare machine to audit weak passwords.


    signature smigmature

    --
    - James
  3. Think process by fm6 · Score: 3

    As you always should with security issues, think about the whole process. (Yes, I'm parroting Bruce Schneier). The only reason to use a strong password is to thwart a dictionary attack. So if your system is vulnerable to such an attack, then yes, strong passwords are a good idea. Otherwise they're silly, and you should move on to other issues. Is your network sniffable?

    I have to object to the usual assumption that users should never write down their passwords. Yes, it's a bad idea to leave it on a PostIt affixed to your monitor. But a slip of paper isn't that hard to secure -- no harder than, say, your front door key. So the question of making the password memorizable is really moot.

    __

  4. Commercial systems that have worked by satch89450 · Score: 3

    One problem with many out-of-the-box password schemes is that they have too few characters. We are starting to see a trend to reasonable-length passwords (usually incorporating the use of a hash algorithm like MD5 to reduce the password to 64 bits) so that people can use a system of strong but easy-to-use passwords.

    One scheme that seemed to work quite well was the system that Compuserve first started using, back when they were H&R Block: the password generator would select two words (each four to six characters long) and a punctuation mark, and combine them into a string. For example:

    window/ran
    boat=steep
    ramble,cart

    This scheme took advantage of the fact that the PDP-10 operating system H&R Block was using allowed for 12 characters in a password.

    The key was that there were never two nouns, or two verbs, or two adjectives, or two pronouns. Sometimes the generated password would look like something from the original Adventure game, but it was still very hard to guess, and the dictionary attack required the attacker to try pairs of words coupled with selections from the punctuation mark string ".,/?+=*&$@!" and you have a fairly large universe of passwords to try -- around 640 million if you assume a total of 8000 words in the dictionaries. (Much of this is from memory; excuse me if I'm getting some of the details wrong.)

    I never heard of a Compuserve password that was cracked in a pristine way. Every single crack I was aware of involved either social engineering or monitoring the user. Oh, I suppose that someone may have been able to do the job, but I never heard about it.

    Now, if you have only eight characters to work with, you are out of luck. Sorry.
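The word/mark/word scheme described in this comment, written up as an added example (not CompuServe's code or the commenter's): it generates such a password from a small constructed, part-of-speech-tagged lexicon, enforces the "never two nouns" rule, and computes the size of the search space from a dictionary size and the quoted punctuation string, plus the longest password the scheme can produce against a field-length limit.

```python
import math
import secrets

# Constructed toy lexicon tagged by part of speech (a stand-in, not the real word list).
LEXICON = {
    "noun": ["window", "boat", "cart", "lamp", "river", "stone"],
    "verb": ["ran", "ramble", "climb", "drift", "bake", "sail"],
    "adjective": ["quick", "sour", "blue", "tall", "grim", "steep"],
}
PUNCTUATION = ".,/?+=*&$@!"  # the separator set quoted in the comment


def generate(lexicon=LEXICON, punctuation=PUNCTUATION):
    """Two words from *different* parts of speech joined by one punctuation mark."""
    pos1, pos2 = secrets.SystemRandom().sample(list(lexicon), 2)  # distinct classes
    return secrets.choice(lexicon[pos1]) + secrets.choice(punctuation) + secrets.choice(lexicon[pos2])


def parse(password, lexicon=LEXICON, punctuation=PUNCTUATION):
    """Return (pos1, pos2) if the password has the word/mark/word shape, else None."""
    marks = [i for i, ch in enumerate(password) if ch in punctuation]
    if len(marks) != 1:
        return None
    w1, w2 = password[:marks[0]], password[marks[0] + 1:]
    pos_of = {w: pos for pos, words in lexicon.items() for w in words}
    if w1 not in pos_of or w2 not in pos_of or pos_of[w1] == pos_of[w2]:
        return None
    return pos_of[w1], pos_of[w2]


def keyspace(n_words, n_marks):
    """Upper bound using the comment's arithmetic: any ordered word pair times a separator."""
    return n_words * n_words * n_marks


def tagged_keyspace(lexicon, punctuation):
    """Exact count once the two words must come from different parts of speech."""
    sizes = [len(words) for words in lexicon.values()]
    pairs = sum(a * b for i, a in enumerate(sizes) for j, b in enumerate(sizes) if i != j)
    return pairs * len(punctuation)


def entropy_bits(count):
    """Bits an attacker must search when every password in the space is equally likely."""
    return math.log2(count)


def max_length(lexicon=LEXICON):
    """Longest password the generator can emit; compare against the field limit."""
    return 2 * max(len(w) for words in lexicon.values() for w in words) + 1
```

With a 12-character PDP-10 field the longest output (13 characters with six-letter words) would already need trimming, and an 8-character field rules the scheme out, which is the point of the comment's last line.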

  5. Differing opinion by Rick+the+Red · Score: 4

    There's differing opinion on the issue. One argument is that all systems should have strong passwords (at least one number, at least one letter, at least one punctuation, no fewer than eight characters, etc.) and those passwords should not be forced to change so users will remember them and not write them down.

    The counter argument (which prevails at most companies) is that frequent password changes increase security. I've never seen any empirical data to support this claim. The logic is that if someone gains access via a stolen/guessed password, then forcing users to change passwords will close the intruder's door. Yeah, after 90 days! Meanwhile, they've had full access and could have created countless new accounts for themselves.

    I've never seen a situation where this policy was coupled with required strong passwords, for the simple reason that (as you said) people who must frequently change strong passwords tend to forget them or, worse, write them down. That doesn't mean some places don't do this, just that I haven't seen it. I'd hate to work at a place like that.

    Passwords alone are not enough. Sure, strong passwords are better than letting Bob's father pick "Bobby" or "R0b3r7" as a password, but how secure is a system where an intruder can roam undetected until their stolen password is changed? If you argue that frequent password changes are necessary, then you're admitting that you can't detect an intruder.

    If you're paranoid about security and willing to consider other options, you should look into a physical system, such as the iButton. There are others, but this is a link I can quickly find :-)

    --
    If all this should have a reason, we would be the last to know.