Passwords - 64 Characters, Changed Daily?

isepic writes "It seems over the past few years that the password requirements have changed - each time making it even more difficult to crack. My company just changed its password requirements from 180 days down to 90 for most servers and from a minimum of six characters up to eight. So, as parallel processing computer clusters gain in power according to Moore's law, how are we expected to change them in the next 2-10 years --- and how often?"

"Hopefully by then, there will be a better way, but I really don't want to have to change my password every 8 hours, and not be able to use the last 5 I've used, AND have them each be some awfully long and complex string of hard-to-remember ASCII codes just because a computer can crack a 32 char password in 10 seconds.

What are your thoughts? Do you think one day we'll be SOL, or do you think something 'better' may come (e.g. biometric scanners on every keyboard and or mouse and or monitor - etc.)"

Just do what I do

[thammoud]

password1 password2 password3 password4 based on the month that you are in.

Re:Just do what I do

just checked, you don't do that.

Re:Just do what I do

[Abcd1234]

This should be modded insightful. These kind of forced password-change policies do one thing only: encourage people to choose easy-to-remember (and hence, likely easy-to-crack) passwords. Even worse, it encourages people to write their passwords down and store them in what is probably a very insecure location! So, in the end, you get only a marginal increase in security.

Frankly, I think the best bet is to encourage users to just select longish (>8 characters), complex password (no word substrings, more than just alphabetic characters, etc), but don't force them to change it. After all, brute-forcing a complex, 8-character password is still a fairly difficult process.

Re:Just do what I do

[Antique+Geekmeister]

What you are describing encourages universal passwords. Unfortunately, it's not merely password cracking that is a real risk. It's password sniffing, via keyboard monitoring or packet sniffing over unencrypted protocols like FTP, POP3 or IMAP or HTTP without SSL turned on, etc. People are terrible about changing them, and they do tend to rotate them among a very small number of passwords to deal with this.

Universal sign-on systems such as Kerberos can help this, by encorcing decent password selection and then making it available everywhere without permitting re-use of that small set of passwords. But it's a bear to set up in a small or mixed environment.

Also, for the original article's point: the difficulty of cracking passwords goes up nominally as the exponent of the password length, the complexity of verifying them or encrypting with keys goes up linearly or maybe as N*logN with the length of the key. Selecting a long enough password, and system keys, to defeat this kind of brute force cracking is quite trivial to do. But getting it adopted, especially in the face of federal policies that prohibit the export of encryption technologies as a "material of war", has crippled encryption techniques for years.

Get the federal government out of that line of regulation and hardware based encryption to protect your logins from man-in-the-middle password sniffing will be quite cheap, even possible to incorporate as a part of common motherboards and network cards. Until then, though, we're going to have a real risk of people using the same password for years and having it sniffed and used by crackers.

Re:Just do what I do

[Pharmboy]

What I never got was this: If I have a password, and no one else ever knows it, AND I check my logs so I know if someone is trying to hack my account, what good does changing it anyway?

As soon as I see at attempt to hack it, I would change it. Until then, I have a great password that my wife doesn't even know about. If someone tries to hack it on Wednesday, it doesn't matter that I changed it on Monday, or last year: It will still take more time to crack than will pass before I check the logs.

Re:Just do what I do

[Harald+Paulsen]

The problem isn't having a policy, or having a boss tell you to use safe password. The problem is that the boss somehow feels he should be exempt from the password policy. Ironically enough, the people in command that wears a suit usually has the simplest password. They also have access to most of the sensitive information.

Re:Just do what I do

[Pharmboy]

The point is that a moving target is harder to hit.

Stastically, that is false for a one time event. If someone today is trying to break your 14 character password, it doesn't matter when you changed it.

And vacation? I check my servers every day on vacation. Only takes a few minutes to ssh in. Yes, its vacation, but I would rather check the logs for 5 minutes a day, than spend 7 days recovering from a fatal problem that might have been averted.

Re:Just do what I do

[gotacap]

You know, I had a strong password generator on my website for a while, but then I realized that most people paranoid enough to use a generator would be paranoid that I would be logging all strong password requests and then trying the results to get into the machines I found in my server logs... It's still there, I use it myself, but I don't tell my users where it is anymore.

Re:Just do what I do

[arminw]

Some systems do not allow any more tries at logging in after a few unsuccessful attempts. After an hour or so, the systems resets and gives the user another chance to try to get in. If that also fails, the user must call the system admin. This process goes a long way toward thwarting multiple access atempts.

None of this helps of course if the user's system is breached and some sort of keyboard sniffer is active.

Re:Just do what I do

[Drachemorder]

"On one occasion I chose 123456"

That's amazing! I have the same combination on my luggage!

Good news for hacker

[usefool]

Wasn't there a joke that if users are required to change password every second, hackers just need to keep on trying the same password until users themselves changed to match the hacker's password?

Re:Good news for hacker

[ryanvm]

Wasn't there a joke that if users are required to change password every second, hackers just need to keep on trying the same password until users themselves changed to match the hacker's password?

I doubt it - jokes are supposed to be funny.

One time use?

[slykens]

SecurID and its like are your friends.

While you maintain a reasonably secure password you're not logging in without the token.

Use a CueCat

[Safety+Cap]

, as each one has a unique serial number encoded into its output. When you're ready to log in, plug in your :Cat, and use it to scan that barcode that only you know is the right one.

Even if some one steals your :Cat, they can't get in, and if someone steals your copy of "Learning the VI Editor" that you've used for the barcode without stealing your :Cat, again they can't get in.

Length & Considerations

[Oculus+Habent]

I could see a password of substantial length made of a phrase. Say, 64+ characters, changed every two weeks might be fine. Especially if you have a well-read workforce, which might enjoy making note of significant passages.

You might want to [optionally] be able to use the first letter of each word as a "shorthand" password for re-verification moments, because typing in a 64+ character phrase everytime you lock your station could become tedious if you are away from your desk often.

Alternately, if you have a number of services at work that should have different password, some sort of secure password comparison tool could be employed to at least ensure that employees aren't using the same password for everything. Not sure about an architecture for that, though.

Pointless

[jolyonr]

The harder a password is to remember, and the more frequently it is changed, the more likely people are going to forget it, and resort to insecure tricks such as writing it on a post-it note stuck to their monitor.

I can't see any good reason to change passwords frequently, other than to limit the damage done from a succesful intrusion. And then, is one month any worse than three months? All your data is 0wned regardless.

Exponential growth problem

[Kufat]

Every time you add another character onto an alphanumeric, case-sensitive password, the total number of possibilities is multiplied by 62. CPU throughput takes a very long time to increase 62-fold. So going from 8 to 10 characters increases the passwordspace 3844 times, and that's assuming only uppercase, lowercase, and numbers.

There's nothing to worry about until quantum computers can handle problems like this AND are available by someone you don't want accessing your data.

Bad assumption

[Phexro]

You're assuming we won't have a better, harder-to-crack hashing mechanism by then.

This has been a process of incremental improvements - first crypt(), then shadow passwords, then MD5 hashes, and so on. We will certainly have something harder to crack in the future.

Re:Bad assumption

[grumbel]

Shadow passwords aren't a hashing mechanism, all they do is store the hashes in a file that the users can't read. Just Unix permissiosn, pretty trivial after all.

About crypt() vs MD5, I don't think that they make much different when it comes to cracking actual passwords, all MD5 does is allow you to use longer passwords, it doesn't enforce it by any means. If your password is in a dictonary, no matter what hashing algo you use, I can brute force it in a few seconds.

The only advantage a good hashing algorithm provides is that it ensures that you can't from a given hash calculate back the original password by other means than brute force. Brute force, however, will always work, no matter what algorithm you use. The only way to make a more secure password, is to use a better password, a better hash algo won't help a damn.

Re:Biometrics

[wkitchen]

Oh, that'll be just great. Chopping off fingers and plucking out eyeballs will be the new definition of "social engineering".

Normal users

[Skiron]

In my opinion as a Sysadmin, it doesn't matter what device[s] you bring in to try to 'secure' users and passwords.

They still write them down, still 'share' (if somebody hasn't got access to a file share the other has, but he/she wants them to look at something - (they don't even *think* about the option to copy it to a public share to do it!) - then they give out passwords.

Plus normal users forget them after a few days of work anyway - I reset usually around 5 passwords Monday mornings after people had two days off work - plus average 10 a week afterwards on a user base of 150.

Anderson's formula.

How long does it take? Use Anderson's formula to figure it out.

T = N/(PG)

In this:

1. T: The time units needed to guess the password
2. G: The guess rate, or the number of attempts to guess the password in a single time unit
3. P: The probability you want that the password is guessed. (Or use '1-P' to go the other direction.
4. N: The number of possible passwords, usually A^l, where
   1. A: Alphabet used for passwords. E.g., There are 96 printable ascii characters often used in passwords. Or maybe its case insensitive, so subtract 26.
   2. l: The number of characters in the minimum password.

So, let's say you want only a 10% chance your password is guessed. And you estimate an attacker can perform 2,000,000 guesses per second with his drone army. The passwords are from an alphabet of 26 characters, and are a minimum of 4 characters long. That means... (tappity, tappity on the TI calculator)... Um, that means you'll be hacked instantly. :)

Read more on Anderson's formula by googling. :)

Re:Biometrics

[Blastrogath]

If you use biometric data for your passwords then you can never change your passwords. The first time you use a cracked login terminal you've lost security forever, unless you have surgery.

Re:Simple...

[gl4ss]

it's restricted on most/all systems already that way and besides the throughput limitations on bruteforcing a live system would prove quite troublesome.

generally you would sniff the datastream and try to crack that I imagine(because that's the only thing you could do).

(insecure software with flaws proves the biggest security problem for the foreseeable future anyways, there's always possibility of using single use passwords which are _already_ in use on sensitive/important systems)

makemeapassword.com

[mgkimsal2]

Not a perfect system, but is something which can help people come up with something more secure than 'password' while incorporating numbers and punctuation marks.

makemeapassword.com

Perhaps make it more user friendly..

[t_allardyce]

Windows XPs new password policy manager: "Im sorry, that password has already been taken by user john, please choose another"

I don't see the problem at all!

[termos]

Luckily I have Gator for remembering all my passwords!

Something you know, you have, and you are

[jncook]

To quote Bruce Perens, if security really matters, you should base it on three things:

* Something you know (password or PIN)
* Something you have (badge or bank card)
* Something you are (thumbprint, hand scan, voice check)

This is how CounterPane security locks up its own colo facility. (Of course, they also tape everybody coming in, and there's a live guard who knows your face.)

Each of these components can be relatively weak, but in combination they are quite strong. For instance, you could probably let people choose any password they wanted as long as you required, say, their badge and a thumbprint to log on.

For backwards compatibility, write a macro that generates random strings of characters the maximum length accepted by the legacy system to which you must log on. Encrypt the list of passwords, and use the method above to decrypt the password archive as needed.

James

Re:Yes and No...Better solution:Assign the passwor

[slash.dt]

There is a MUCH better way to do this. First off, instead of letting users choose their own passwords, assign them for each person. This lets you, the administrator to be entirely in control of all passwords on the system. With this control, you can maintain a master list of all users and passwords securely in either encrypted/secure files (with no permissions to anyone but root). This also allows you to force good passwords onto users. They do not need to be impossible, but something like 2 three letter words or partial words (chosen at random) with 2 other ASCII characters are usually not too hard for people to remember, but are still tough enough to make it hard to guess with password word lists.

There is so many things wrong with this that it is hard to know where to start. I'll just chose a couple.

First, forcing passwords on users is dumb. What might be an easy combination of words and number s for you to remember might be completely impossible for me to remember if the word means nothing to me. And if I can't remember I am going to write it down. It is much better to allow people to chose their own passwords to that they can make a combination that they can remember.

Second, accountability for your password goes out the window when someone else knows and controls the password. If the adminstrator knows all the passwords, they can logon as the user without the user knowing. Alternatively, the user can suggest that the administrator did the action which the user is being accused of.

More intelligent password checking rules is a much simpler and more effective solution.