Are Often-Changed Long Passwords Really Secure?

Zweistein_42 asks: "I work at a large, navy-coloured IT corporation. A new, more secured password policy has just taken effect and will be strictly enforced: 8 characters alphanumeric, changed *every 90 days*, with standard checks for non-repetitiveness, dictionary, uniqueness, etc. Is there any research to support whether such requirements actually increase security?" "I have almost a dozen applications I use daily (e-mail, VPN, Windows login, intranet, FTP, etc), plus 20-30 I access 'occasionally', and their passwords have to be unique - and change at different times. I usually take the trouble to memorize random alphanumeric, un-guessable combinations; but even I won't bother memorizing an average of 2 random strings a week. Eventually, won't most people use their pets names (fuzzy1cat, fuzzy2cat, etc) and start writing passwords on a note on their screen?

Every time I see such a policy, I strongly believe it makes *my* passwords less secure. What is the average user's reaction? What about lost & support time trying to regain forgotten passwords?"

Desk

[maeka]

As long as they don't check the post-it note under your desk - the password is secure!

But seriously, does a policy like this do anything but encourace people to write down their passwords?

Complexity or Quantity

[Fatchap]

Is the problem not that your password has very strict complexity requirements but that there are too many of them?

I did read a paper (I think from Microsoft not sure) about how passwords were essentially redundant as you could pre compute the hashes of all alphnumeric combinations and then run a dictionary attack against a file pretty quickly. They suggested a pass phrase as the way forward. Perhaps something along the lines of "I love /. last month I posted 10 times" this fulfils all requirements for complexity and is changeable and easy to remember.
The other solution I often tell people is make your passwords a personal acronym, who would guess "Il/mIp10t" as a password, yet it is easy for me to remember.

Less secure

[tod_miller]

Longer harder to remember passwords require more human intervention (IT helpdesk reset passwords to 'monday' when you forget it).

You also are tempted to write them down, or use consequtive patterns as passwords:

qwer789456123
0ok9ij8uh

Things like that. A simple phrase password, with a one time algorithm (give me the 4th, 5th, 7th and 10th letters) take longer to work out in your head, but eavesdroppers (video, shoulder surfing, finger prints (national treasure) and electronic) have a harder time.

Of course, if you store all your new 8 digita alpha numeric passwords in an access file which is shared in a public folder, that woud make any attempt of l33t passwords a bit redundant. :-)

Changing passwords frequently does not help

[smahesh]

Never underestimate the power of human ingenuity. We had the same problem at one of my ex-employer - there was a policy to change passwords every month. Initially, you could not 'recycle' a used password until ten entirely new passwords were used. Later on this was increased to 24 unique passwords before you could reuse the original password. People started forgetting passwords (3 failed login attempts and you are locked out) and started to write them down on post-it notes, etc. Some folks came up with an easy to use "formula" to generate unique passwords - crack the "formula" and you can easily find out the password.

The whole exercise of frequently changing passwords for security got compromised because it became cumbersome and annoying for people to keep remembering unique passwords. The policy looks good on paper - but as long as the human element is not factored in, it will not be effective.

Re:This is the reason

[hey!]

Amen.

This whole password thing has got to the point where it's ridiculous. It was Ok when you were on a mini computer with a few hundred users, but it is so inadequate and there is so much at stake, it's absurd that we're still using this dark ages technology.

Two factor security with strong cryptographic keys on devices that don't have to give up their secrets to any host -- that's the way to go.

Ultimately

[dtfinch]

There is always a bigger risk. 8 character random alphanumeric is a around 40-48 bits of protection, depending on if you mix upper and lowercase (harder to remember). I've written a strong password generator here. While 8 character alphanumeric is breakable, especially at 40 bits, it's unlikely you'll encounter such perserverance. A 90 day rotation will ensure that password crackers need to re-sniff your network for login hashes every 90 days, and limit their time to take advantage of a broken password, but beyond that it's just going to ensure that more users will write down their passwords. There is no set amount of time needed to break a random password. They could break it in a day or never. A rotation isn't going to have the effect of making them start over or anything.

There are plenty of bigger risks to worry about than someone bruteforcing a password. They could get passwords by other means. They could walk up to a pc that's already logged in, and either use it immediately or install a trojan for later use. They could sniff your network. File sharing and email are usually unencrypted. They could hack your dns server so that requests go through them. An employee with priveledges could steal or alter data.

Re:Not happy about it either

[John+Harrison]

many readers have pretty good live finger detection. If somebody wants something badly enough to cut off my finger, I will simply give it to them.

Re:This is the reason

[yuri+benjamin]

Actually, what's wrong with a peice of paper in your shirt pocket?
A hacker can't remotely access my shirtpocket.
A pickpocket would have access to trouser pockets and coat pockets, but would be noticed lunging for your chest.
If someone does get access to your shirt pocket you have bigger problems than someone getting your password.

Increased Usage of Sticky Notes

[queenb**ch]

While in theory this will work, the only thing I've ever known it to do is to cause a rainbow-colored explosion of sticky notes with user name and password information on them to be applied to the upper right corner. It makes the cube farm look like a paririe after a rain - all the little flowers blossoming....

2 cents,

Queen B

passwords....

[DarKry]

Honestly this whole password thing is idiotic. Companies are finally answering to the security risks of ten years ago. At this rate by 2010 they will be fixing sql queries based directly off user input. when it comes to cracking/stealing a persons password the best method now days is always to steal. It doesn't matter if your password is 3 pages long if you give it to me I will be able to log in as you. strong passwords are only as good as the minds of those who use them. Add to that the fact that the longer and more complex a single password is, the more likely the employee is to use that password in multiple places. Lets say I want access to a companies VPN, even if I don't know how strong the passwords are, connecting and trying a bunch of easy ones would be pretty dumb. Instead 5 minutes on google will tell me the name f Joe Blow who works there, what his email address is, and a whole bunch of things that he is interested in. So I email Boe Blow with targeted spam, tell him about this amazing new website that just happens to be a community of people with exactly the same interests as him. He goes there and finds out that he needs to set up an account to view the forum. So he has this 10 page password from work that he has already memorized anyway (he wouldn't want anyone breaking into his forum account) so he goes ahead and puts it in the password field. Turns out the forum kind of sucks so he promptly forgets about the site. TADA VPN access, and it only took 20 minutes. This works more than 50% of the time, and the average company has a few more than 2 employees. Watch 90% of the people who see this change their slashdot passwords. :)