Slashdot Mirror


Are Often-Changed Long Passwords Really Secure?

Zweistein_42 asks: "I work at a large, navy-coloured IT corporation. A new, more secured password policy has just taken effect and will be strictly enforced: 8 characters alphanumeric, changed *every 90 days*, with standard checks for non-repetitiveness, dictionary, uniqueness, etc. Is there any research to support whether such requirements actually increase security?" "I have almost a dozen applications I use daily (e-mail, VPN, Windows login, intranet, FTP, etc), plus 20-30 I access 'occasionally', and their passwords have to be unique - and change at different times. I usually take the trouble to memorize random alphanumeric, un-guessable combinations; but even I won't bother memorizing an average of 2 random strings a week. Eventually, won't most people use their pets' names (fuzzy1cat, fuzzy2cat, etc) and start writing passwords on a note on their screen?

Every time I see such a policy, I strongly believe it makes *my* passwords less secure. What is the average user's reaction? What about lost & support time trying to regain forgotten passwords?"

17 of 233 comments

  1. Desk by maeka · · Score: 5, Insightful

    As long as they don't check the post-it note under your desk - the password is secure!

    But seriously, does a policy like this do anything but encourage people to write down their passwords?

    1. Re:Desk by Mr.Ned · · Score: 3, Insightful

      "But seriously, does a policy like this do anything but encourage people to write down their passwords?"

      It depends where you write it down. If you write it down in some sort of password safe that's encrypted, and keep that only on your hard disk and PDA, that's a heck of a lot safer than the post-it note, and I'd go so far as to call that secure - provided you make sure to keep the encrypted copies in your possession and keyed with a "good" password (longer than 8 characters, who is the story poster kidding).

      Seriously, if you're in IT, don't you already have a bunch of passwords you need to keep track of? Do you really expect to keep those in memory? Why *don't* you have some sort of password vault by now?

  2. Complexity or Quantity by Fatchap · · Score: 5, Insightful

    Is the problem not that your password has very strict complexity requirements but that there are too many of them?

    I did read a paper (I think from Microsoft, not sure) about how passwords were essentially redundant as you could pre-compute the hashes of all alphanumeric combinations and then run a dictionary attack against a file pretty quickly. They suggested a pass phrase as the way forward. Perhaps something along the lines of "I love /. last month I posted 10 times"; this fulfils all requirements for complexity and is changeable and easy to remember.
    The other solution I often tell people is make your passwords a personal acronym, who would guess "Il/mIp10t" as a password, yet it is easy for me to remember.

    --
    The only reason some people get lost in thought is because it's unfamiliar territory.
    1. Re:Complexity or Quantity by Fatchap · · Score: 3, Insightful

      Surely that depends on what you are securing and what you are securing it against?

      Is my house secure? Sure, I have never been burgled.

      Should we shut down Fort Knox and store all the bullion in my spare room? Probably not.

      If I want to protect my information against my flatmate or a friend from opening it then an 8 character password is probably ok. If I want to protect my bank's central records or the IDs of my intelligence agents in North Korea, 20 characters will not cut the mustard either.

      Perhaps I did not make my point very well; the poster's problem was not that they had to keep changing their password frequently and could not alternate between "password1" and "password2", but that they had to have several different passwords for several different systems. I was saying that by using personalised passphrases or passphrase acronyms this could be accomplished quite easily until SSO is implemented properly.

      SSO working fully fits in somewhere between a totally secure Windows, a working manageable PKI and a viable method of stopping spam, pop-ups, 419 fraud and link spamming!! ;)

      --
      The only reason some people get lost in thought is because it's unfamiliar territory.
  3. Less secure by tod_miller · · Score: 4, Insightful

    Longer harder to remember passwords require more human intervention (IT helpdesk reset passwords to 'monday' when you forget it).

    You also are tempted to write them down, or use consecutive patterns as passwords:

    qwer789456123
    0ok9ij8uh

    Things like that. A simple phrase password, with a one-time algorithm (give me the 4th, 5th, 7th and 10th letters), takes longer to work out in your head, but eavesdroppers (video, shoulder surfing, fingerprints (National Treasure) and electronic) have a harder time.

    Of course, if you store all your new 8-digit alphanumeric passwords in an Access file which is shared in a public folder, that would make any attempt at l33t passwords a bit redundant. :-)

    --
    #hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
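    The "give me the 4th, 5th, 7th and 10th letters" scheme from the post above, worked through as an added example (not code from the thread or any product): the verifier picks fresh random positions per login, checks only those characters in constant time, and a small risk model shows how much of the passphrase an observer of several logins has accumulated. The passphrase and transcripts are constructed sample values.

```python
import hmac
import secrets

# Constructed sample passphrase for the demo. A real verifier has to keep the
# passphrase in a protected secret store, because this scheme needs individual
# characters at verification time (it cannot work from a one-way hash).
PASSPHRASE = "correcthorsebatterystaple"


def make_challenge(passphrase_len, k=4):
    """Pick k distinct 1-based positions using the OS CSPRNG, fresh for every login."""
    rng = secrets.SystemRandom()
    return sorted(rng.sample(range(1, passphrase_len + 1), k))


def respond(passphrase, positions):
    """What the user types: only the characters at the challenged positions."""
    return "".join(passphrase[p - 1] for p in positions)


def verify(stored_passphrase, positions, response):
    """Constant-time comparison of the typed characters against the stored ones."""
    expected = respond(stored_passphrase, positions)
    return hmac.compare_digest(expected.encode(), response.encode())


def positions_exposed(transcripts):
    """Risk model for the shoulder-surfing case: given observed (positions, response)
    pairs, return the passphrase positions an observer now knows. One observed
    login leaks only k characters, but repeated observations accumulate, which is
    why the positions must be random and the passphrase long relative to k."""
    known = {}
    for positions, response in transcripts:
        for p, ch in zip(positions, response):
            known[p] = ch
    return known


if __name__ == "__main__":
    challenge = make_challenge(len(PASSPHRASE))
    answer = respond(PASSPHRASE, challenge)
    print(challenge, verify(PASSPHRASE, challenge, answer))
```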
  4. Changing passwords frequently does not help by smahesh · · Score: 4, Insightful

    Never underestimate the power of human ingenuity. We had the same problem at one of my ex-employers - there was a policy to change passwords every month. Initially, you could not 'recycle' a used password until ten entirely new passwords were used. Later on this was increased to 24 unique passwords before you could reuse the original password. People started forgetting passwords (3 failed login attempts and you are locked out) and started to write them down on post-it notes, etc. Some folks came up with an easy-to-use "formula" to generate unique passwords - crack the "formula" and you can easily find out the password.

    The whole exercise of frequently changing passwords for security got compromised because it became cumbersome and annoying for people to keep remembering unique passwords. The policy looks good on paper - but as long as the human element is not factored in, it will not be effective.

  5. Re:This is the reason by hey! · · Score: 4, Insightful

    Amen.

    This whole password thing has got to the point where it's ridiculous. It was OK when you were on a minicomputer with a few hundred users, but it is so inadequate and there is so much at stake, it's absurd that we're still using this dark ages technology.

    Two factor security with strong cryptographic keys on devices that don't have to give up their secrets to any host -- that's the way to go.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  6. Ultimately by dtfinch · · Score: 4, Insightful

    There is always a bigger risk. 8 character random alphanumeric is around 40-48 bits of protection, depending on if you mix upper and lowercase (harder to remember). I've written a strong password generator here. While 8 character alphanumeric is breakable, especially at 40 bits, it's unlikely you'll encounter such perseverance. A 90 day rotation will ensure that password crackers need to re-sniff your network for login hashes every 90 days, and limit their time to take advantage of a broken password, but beyond that it's just going to ensure that more users will write down their passwords. There is no set amount of time needed to break a random password. They could break it in a day or never. A rotation isn't going to have the effect of making them start over or anything.

    There are plenty of bigger risks to worry about than someone brute-forcing a password. They could get passwords by other means. They could walk up to a PC that's already logged in, and either use it immediately or install a trojan for later use. They could sniff your network. File sharing and email are usually unencrypted. They could hack your DNS server so that requests go through them. An employee with privileges could steal or alter data.

  7. Security is irrelevant by Mozai · · Score: 3, Insightful

    I work at a medium, mango-hued company and we had to implement the same policy for "security reasons." I get about three calls a week asking for passwords to be reset.

    The 90-day, eight character line-noise password policy has nothing to do with security: it's required for our security certification by a security company who has a good reputation. Either we comply with whatever such a company tells us to do, or banks and merchants and credit companies will refuse to do business with us. Oh, and we have to pick the right company so that we don't have to pay another >$10,000 to get re-certified by another expensive name.

    Sucks, but c'est l'entreprise.

  8. Re:Not happy about it either by maxume · · Score: 3, Insightful

    Do you really want to attach value to things like your thumbs, fingers and eyes? I mean the kind of value that makes someone else want them; I like and value mine quite a bit. Also, if your fingerprint happens to get compromised (i.e. somebody manages a working fake), how do you plan on obtaining a new one?

    Terrified of biometrics until somebody gives me compelling reasons not to be...

    --
    Nerd rage is the funniest rage.
  9. Re:Not happy about it either by John+Harrison · · Score: 4, Insightful

    Many readers have pretty good live finger detection. If somebody wants something badly enough to cut off my finger, I will simply give it to them.

  10. Gnu Keyring by kentborg · · Score: 3, Insightful

    I get *SO* pissed at these password fascists, particularly when their rules reduce my password security.

    I use secure, easy to type, and easy-to-remember passwords (see http://ask.slashdot.org/comments.pl?sid=132327&cid=11054456 for details on that).

    I never reuse passwords except in a few rare circumstances (on different Linux computers I personally control I reuse some passwords).

    To keep track of all those passwords I bought a (relatively inexpensive) Palm Zire 31. On it I run Gnu Keyring (gnukeyring.sourceforge.net). I have one significantly secure password that I then use to encrypt all my other passwords. I back up this Palm using an SD card. I also back up via IR to my Linux notebook where there is a client that can decrypt the data.

    I also have a Palm-based phone (Samsung i330) that can run Gnu Keyring--but I don't trust it. It makes mysterious 10-second data calls that bother a paranoid such as me. Yes, I don't have any good reason to trust the Zire 31 either, but I keep it nearly incommunicado, so I don't need to trust it so much.

    I recommend Gnu Keyring.

    -kb

  11. Re:Rainbow Tables by hankwang · · Score: 2, Insightful

    "It only takes 64 GB to hold every possible combination of password up to 14 characters using the following (include the space as part of the character set):"

    The website you refer to is about Windows password hashes. :) Here on /. we all know that Windows is full of bad implementations. The paper explains that in that particular hashing algorithm, the 14 characters are converted to uppercase and treated as two separate passwords of 7 characters, reducing the problem to 2^37 possible passwords rather than 2^82 as you would think from the password length (e.g. if a 128-bit MD5 sum is calculated).
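    The keyspace arithmetic behind the two posts above (dtfinch's 40-48 bits for an 8 character alphanumeric password, and the case-folding plus 7 character split just described), as an added example that is not code from the thread: it models how folding and independent blocks shrink attacker work, and how little a 90 day rotation changes the yearly chance that a random password is guessed. Alphabet sizes and the guess rate are assumptions for illustration.

```python
import math
import string

# Alphabet sizes are assumptions for illustration (ASCII letters and digits).
ALNUM_MIXED = len(string.ascii_letters + string.digits)    # 62: upper + lower + digits
ALNUM_LOWER = len(string.ascii_lowercase + string.digits)  # 36: one case + digits


def random_password_bits(length, alphabet_size):
    """Search space of a uniformly random password, in bits: log2(alphabet ** length)."""
    return length * math.log2(alphabet_size)


def split_and_fold_bits(length, alphabet_size, block=7, folded_letters=26):
    """Effective attacker work against a hash that upper-cases its input and hashes
    fixed-size blocks independently (the weakness described for the Windows scheme).
    Folding removes one case of letters from the alphabet, and independent blocks
    are cracked one at a time, so the work is the sum over blocks, not the product."""
    alphabet = alphabet_size - folded_letters
    blocks = math.ceil(length / block)
    return math.log2(blocks * alphabet ** block)


def crack_probability(bits, guesses_per_second, seconds):
    """Chance that a uniformly random password lies inside the attacker's guess budget."""
    return min(1.0, guesses_per_second * seconds / 2 ** bits)


def yearly_crack_probability(bits, guesses_per_second, rotation_days=None):
    """Probability of at least one successful guess within a year. With rotation,
    each window is an independent draw of a fresh random password: the attacker
    is neither set back nor helped, so the two totals come out nearly identical."""
    if rotation_days is None:
        return crack_probability(bits, guesses_per_second, 365 * 86400)
    windows = 365 / rotation_days
    p_window = crack_probability(bits, guesses_per_second, rotation_days * 86400)
    return 1 - (1 - p_window) ** windows


if __name__ == "__main__":
    bits = random_password_bits(8, ALNUM_MIXED)
    print("8 chars, one case + digits:", round(random_password_bits(8, ALNUM_LOWER), 1), "bits")
    print("8 chars, mixed case + digits:", round(bits, 1), "bits")
    print("14 chars, folded and split into 7s:", round(split_and_fold_bits(14, ALNUM_MIXED), 1), "bits")
    print("yearly crack chance at 1e6 guesses/s, no rotation:", round(yearly_crack_probability(bits, 1e6), 3))
    print("yearly crack chance at 1e6 guesses/s, 90 day rotation:", round(yearly_crack_probability(bits, 1e6, 90), 3))
```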

  12. Re:This is the reason by yuri+benjamin · · Score: 4, Insightful

    Actually, what's wrong with a piece of paper in your shirt pocket?
    A hacker can't remotely access my shirt pocket.
    A pickpocket would have access to trouser pockets and coat pockets, but would be noticed lunging for your chest.
    If someone does get access to your shirt pocket you have bigger problems than someone getting your password.

    --
    You make the mistake of thinking you can educate the fundamental stupidity out of people. You can't.
  13. Increased Usage of Sticky Notes by queenb**ch · · Score: 4, Insightful

    While in theory this will work, the only thing I've ever known it to do is to cause a rainbow-colored explosion of sticky notes with user name and password information on them to be applied to the upper right corner. It makes the cube farm look like a prairie after a rain - all the little flowers blossoming....

    2 cents,

    Queen B

    --
    HDGary secures my bank :/
  14. passwords.... by DarKry · · Score: 5, Insightful

    Honestly this whole password thing is idiotic. Companies are finally answering to the security risks of ten years ago. At this rate by 2010 they will be fixing SQL queries based directly off user input. When it comes to cracking/stealing a person's password the best method nowadays is always to steal. It doesn't matter if your password is 3 pages long; if you give it to me I will be able to log in as you. Strong passwords are only as good as the minds of those who use them. Add to that the fact that the longer and more complex a single password is, the more likely the employee is to use that password in multiple places. Let's say I want access to a company's VPN; even if I don't know how strong the passwords are, connecting and trying a bunch of easy ones would be pretty dumb. Instead 5 minutes on Google will tell me the name of Joe Blow who works there, what his email address is, and a whole bunch of things that he is interested in. So I email Joe Blow with targeted spam, tell him about this amazing new website that just happens to be a community of people with exactly the same interests as him. He goes there and finds out that he needs to set up an account to view the forum. So he has this 10 page password from work that he has already memorized anyway (he wouldn't want anyone breaking into his forum account) so he goes ahead and puts it in the password field. Turns out the forum kind of sucks so he promptly forgets about the site. TADA, VPN access, and it only took 20 minutes. This works more than 50% of the time, and the average company has a few more than 2 employees. Watch 90% of the people who see this change their Slashdot passwords. :)

  15. Grammar bots? by ZeroExistenZ · · Score: 2, Insightful

    I really wonder, when crackers are trying to hack passphrases, whether generators with language rulesets will arise trying to construct valid "likely used" sentences.

    Once you get that, you'll have the same problem once again... (but perhaps some nice grammar-tech out of it coded up by kiddies)

    (Or of course databases with silly but catchy punchlines.)

    --
    I think we can keep recursing like this until someone returns 1