Are Often-Changed Long Passwords Really Secure?
Zweistein_42 asks: "I work at a large, navy-coloured IT corporation. A new, more secured password policy has just taken effect and will be strictly enforced: 8 characters alphanumeric, changed *every 90 days*, with standard checks for non-repetitiveness, dictionary, uniqueness, etc. Is there any research to support whether such requirements actually increase security?"
"I have almost a dozen applications I use daily (e-mail, VPN, Windows login, intranet, FTP, etc), plus 20-30 I access 'occasionally', and their passwords have to be unique - and change at different times. I usually take the trouble to memorize random alphanumeric, un-guessable combinations; but even I won't bother memorizing an average of 2 random strings a week. Eventually, won't most people use their pets' names (fuzzy1cat, fuzzy2cat, etc) and start writing passwords on a note on their screen?
Every time I see such a policy, I strongly believe it makes *my* passwords less secure. What is the average user's reaction? What about lost & support time trying to regain forgotten passwords?"
My password is password. (keep it quiet!)
Things like SecurID were invented. Two-factor authentication eliminates most of these special requirements.
As long as they don't check the post-it note under your desk - the password is secure!
But seriously, does a policy like this do anything but encourage people to write down their passwords?
Of course, it's kind of a single point of failure in terms of security, if you don't take into account the need to use a boot password and Windows login. Also, if your laptop dies... and you haven't backed up the password file...
verify me.
"Well Ranger Brad, I'm a scientist. I don't believe in anything." - Dr. Roger Fleming
I, like everyone else on the planet, work to make things easier for me and to hell with security. A new password every 90 days means people will design a password that passes the requirements but is easy to remember when you have to change it. For example, my last job required at least an 8 character password with at least two numbers and one case change, and you could not reuse passwords for at least 5 changes. So my first password was Th1s1smE. Anyone want to guess what my next password was after the first 90 days?
Anybody with half a mind (and you KNOW who you are) would run through the likely possibilities quickly enough.
My opinion: It would be better to provide a tool that would allow a user to rate a password which would let them come up with a password that passes a minimum quality requirement, a password that they could remember without writing it down, and then require it to be changed less frequently (like once per year). And, equally important, provide a second, different authentication mechanism to support the password security (a hardware token system would be one example, biometrics would be another, a prearranged "callback" mechanism would be a third, there are many others).
Besides, my experience with gaming a requirement like this is that users tend to mess up their password frequently and end up with their password set back to a known default (assuming the admins provide such a default, which in and of itself is a very bad security decision). And so sometimes a policy like this will actually provide less security, because at any given time there will be a relatively high percentage of user accounts which are set to a known password. Years ago, I personally demonstrated this situation with one of the VPs of the company I worked for by going through the IDs of the senior managers until we found one using the default password.
So, long story short, changing passwords frequently does not automatically mean better security. But we all knew that, right?
The NSA: The only part of the US government that actually listens.
Is the problem not that your password has very strict complexity requirements but that there are too many of them?
"/. last month I posted 10 times" - this fulfils all requirements for complexity and is changeable and easy to remember.
I did read a paper (I think from Microsoft, not sure) about how passwords were essentially redundant as you could precompute the hashes of all alphanumeric combinations and then run a dictionary attack against a file pretty quickly. They suggested a pass phrase as the way forward. Perhaps something along the lines of "I love
The other solution I often tell people is make your passwords a personal acronym, who would guess "Il/mIp10t" as a password, yet it is easy for me to remember.
The only reason some people get lost in thought is because it's unfamiliar territory.
"A new, more secured password policy has just taken effect and will be strictly enforced: 8 characters alphanumeric, changed *every 90 days*"
So? In the company I'm working for, we have a policy that the password has to be at least 10 characters long, alphanumeric mixed case, and it will change *every 30 days*. And the new password can't be the same as any of the last 10.
I have solved the problem of memorizing these passwords by using source code as a password. For example: "printf("Hello, World!");" should be complex enough and it is relatively easy to remember.
To your question: No, I don't know if the longer, more complex passwords are actually more secure / cost efficient than shorter ones, because of the side effects caused by difficult-to-remember passwords. But at least this kind of policy prevents the most trivial dictionary attacks. It's a completely different story how else the security is taken care of (i.e. educating the personnel so there will not be any post-it notes lying around, and other forms of security, because it's all about layers).
Longer harder to remember passwords require more human intervention (IT helpdesk reset passwords to 'monday' when you forget it).
:-)
You also are tempted to write them down, or use consecutive patterns as passwords:
qwer789456123
0ok9ij8uh
Things like that. A simple phrase password, with a one time algorithm (give me the 4th, 5th, 7th and 10th letters) take longer to work out in your head, but eavesdroppers (video, shoulder surfing, finger prints (national treasure) and electronic) have a harder time.
Of course, if you store all your new 8-digit alphanumeric passwords in an Access file which is shared in a public folder, that would make any attempt at l33t passwords a bit redundant.
It's silly. If you stop brute force with intrusion detection systems, and a password does get lost, why give yourself a 45-day (average) allowance? So it is OK for someone to have a password for 45 days, but not longer?
;-)
Also, the root password for my laptop is 'swordfish' (oh Halle... I love your baps, but when the line 'it isn't just a multi-monitor system' comes up, I really have to kill nearby carbon-based lifeforms.) but no one has hacked it yet for 3 reasons:
1: It is linux, therefore unhackable, even with r00t password
2: It has no networking capability
3: It no longer actually works, and after the drop I gave it, I suspect even the parked heads might not have stopped platter axle damage...
So have some auditing and heuristic behaviour analysis. Use one-time passwords, rigorously check all intrusions based on internal/external. Follow up a failed password attempt with a human call (SOMETIMES computers can be the weak link in security).
1. Changing passwords is of course to reduce impact when a password is stolen/cracked. 90 days sounds a bit long -- is this policy based on evaluating what's *needed* or just based on vague assumptions?
If it is expected that keyloggers, bruteforcing or some other form of password theft is likely, 30 days might be more appropriate.
2. According to various textbooks on computer security, forming a password from the 1st (or some'th) letter in a sentence forms passwords which in general terms are as hard to brute-force as "truly" random passwords:
madly typing at keyboard: 32nfia.-!
I once saw four naked girls dancing in the moonlight: I1s4ngditm!
The latter form *may* be slightly more open to guessing the frequency of letters -- but bruteforcing a password with 12 alphanumeric characters takes a *lot* of effort.
The main point is that passwords "generated" like that are *much* easier to remember. They may also be more "random" than just typing at the keyboard...
Some punctuation and variations in capitalization should be encouraged/enforced.
3. If you are authenticating against Active Directory -- just use pass phrases. Harder to bruteforce -- and prevents the NTLM hash (16 chars, one case) being accepted by some braindead system.
4. I personally think single sign-on is an important part of a good security strategy because it allows for more frequent changing of passwords -- admins would typically still need 2-3 accounts (normal user, admin role, testing role), but that is more manageable than 10+.
5. Just because a password is written down does *not* mean it's compromised! If security really is so important that everyone needs 5 or more 8-letter "random" and unique passwords, I would *strongly* recommend that arrangements be made for all passwords to be kept in escrow in a safe.
That way employees won't have an excuse to keep the password somewhere insecure. Everyone should be able to get their password during work hours easily (for instance the receptionist, who either knows everyone or is instructed to _demand_ ID, could have access to the safe).
The downside with any kind of escrow is, of course, that one is forced to trust the few people with access to all passwords completely. This is a tradeoff -- but so are all security decisions.
6. You mention BIOS boot passwords. Is that truly necessary? A BIOS configuration password sounds more reasonable to me. But either one is of rather limited use, unless you are using some form of fortified PC case.
If you do mean configuration passwords, that is a primary candidate for writing down and locking in a safe IMHO. Normally all admins would have access to this, so that seems reasonable.
Isn't this the point of things like Kerberos, i.e. to provide single sign-on in your network, so you don't have to remember lists of passwords?
Integrate it with PAM, and then you'll get a ticket when you log in that will be used to authenticate you when you access things like the FTP or mail server.
Of course this won't help with off-site login, but at the point you use them you have access to the already mentioned password safes or security managers (e.g. Mozilla's PSM or KDE's wallet).
As to the original point, the more checks you can do for a good password the better, but a 3-month life undermines any effort made to generate a good password.
I don't see the point of changing passwords, unless you can't keep it to yourself. Most methods of gaining your password are not affected by its age (e.g. sniff the wire, brute force, social engineering (is a subsequent password going to be any less dependent on your frame of mind than the last?)). Then, once 'they' have it, they're likely to install another method of access ASAP and then are no longer dependent on knowing your password.
Policies like this typically result in more people breaking the rules and writing down their passwords, which in turn reduces security.
Bruce Tognazzini has covered this kind of stupidity before. Better yet, have the people who are implementing this policy read it. Point out it's by one of the leading usability experts in the world. Odds are it won't change anything, but hey, at least you tried...
"I've been watching security people for years as they've slowly increased the security of everything they can get their hands on until any idiot can wander in.
(...)
My wife, the Doctor, was working over the summer at a local hospital. They are fiercely into security, requiring no fewer than four sets of passwords to navigate their system. And why not? There are confidential patient records on those systems! By golly, they ought to have eight sets of passwords, and really make things secure!"
Read it: http://asktog.com/columns/058SecurityD'ohlts.html
My company just upped the ante for anyone trying to guess one of our passwords... min of 10 characters, of which at least one each of UPPER CASE, special, numeric and lowercase are required... It's hard to produce a memorable password under these conditions. I have about a dozen passwords to remember between the various OSes, LAN security, Mail, and then there is my firewall and systems at home.
One way to handle it all is to write a script that can deterministically convert some string that you can remember into a password conforming to a parametrically selected rule [e.g. 12 chars, mixed case and numerics, no specials]. I wrote one of these generators in AWK since I have unix boxes at work and run a cygnus shell at home... it even takes account of the date [per GMT] so that I get a fresh PSWD every 3 months but can always reconstruct past passwords in a pinch with an override date. I only have to remember my "open sesame" and nothing is ever written down or stored.
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
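The deterministic generator the poster above describes, rebuilt here in Python as an added example (it is not the poster's AWK script): an HMAC of a memorized secret over a service label plus the current quarter in UTC, mapped into a "12 chars, mixed case and numerics, no specials" rule, with an override date so past passwords can be reconstructed. The secret, service names and dates used are constructed for the demonstration.

```python
import datetime
import hashlib
import hmac
import string
from typing import Optional, Union

# Rule from the post: 12 characters, mixed case and digits, no specials.
ALPHABET = string.ascii_letters + string.digits   # 62 symbols
RULE_LENGTH = 12

DateLike = Union[datetime.date, str, None]


def _as_date(when: DateLike) -> datetime.date:
    """Accept a date, an ISO 'YYYY-MM-DD' string, or None (today, per UTC)."""
    if when is None:
        return datetime.datetime.now(datetime.timezone.utc).date()
    if isinstance(when, str):
        return datetime.date.fromisoformat(when)
    return when


def quarter_key(when: DateLike = None) -> str:
    """Label for the three-month rotation period, e.g. '2005Q1'."""
    d = _as_date(when)
    return f"{d.year}Q{(d.month - 1) // 3 + 1}"


def satisfies_rule(pw: str) -> bool:
    """Mixed case plus at least one digit, exactly RULE_LENGTH characters."""
    return (len(pw) == RULE_LENGTH
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw))


def derive_password(secret: str, service: str, when: DateLike = None) -> str:
    """Derive this quarter's password for `service` from the memorized secret.

    Passing `when` overrides the date, which is how an old password is
    reconstructed "in a pinch" without anything having been written down.
    """
    label = f"{service}|{quarter_key(when)}"
    for counter in range(256):
        # HMAC is one-way, so a leaked derived password does not expose the secret.
        digest = hmac.new(secret.encode(), f"{label}|{counter}".encode(),
                          hashlib.sha256).digest()
        n = int.from_bytes(digest, "big")
        chars = []
        for _ in range(RULE_LENGTH):
            n, r = divmod(n, len(ALPHABET))   # base-62 digits of the digest
            chars.append(ALPHABET[r])
        pw = "".join(chars)
        if satisfies_rule(pw):   # otherwise bump the counter and re-derive
            return pw
    raise RuntimeError("could not satisfy the rule")   # practically unreachable


if __name__ == "__main__":
    # Constructed demo values, not real credentials.
    for service in ("vpn", "mail"):
        print(service, quarter_key("2005-02-01"),
              derive_password("open sesame", service, "2005-02-01"))
```

The whole scheme's strength rests on the single memorized secret, so it should be a long passphrase, and the script itself must never store it.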
Is there any research to support whether such requirements actually increase security?
Translation: I can't be bothered changing my password and am too dumb to come up with arguments against this policy to give to my boss on my own.
Every 90 days has been the standard everywhere I've worked. For us Sysadmin types it's every 30 days. I can keep up with it, but many end users with the 90 day restriction do exactly as you describe. They write them down, they use the same repetitive patterns, whatever. One user I used to support had a page of passwords in a little notepad he kept in his desk.
All I can really do is tell them the truth: If anyone gets on the network with their credentials they will be held responsible for what happens. It's hard enough just getting people to lock their screens when they go to lunch. One user got reamed out pretty badly when someone used her email account to send a scathing note to the CEO. The only reason she didn't get fired is that she was at lunch with several people who could vouch for her whereabouts at the moment the email was sent.
"An unarmed man can only flee from evil, and evil is not overcome by fleeing from it." Col. Jeff Cooper
And the master password to this file hasn't ever changed... heh
Never underestimate the power of human ingenuity. We had the same problem at one of my ex-employers - there was a policy to change passwords every month. Initially, you could not 'recycle' a used password until ten entirely new passwords were used. Later on this was increased to 24 unique passwords before you could reuse the original password. People started forgetting passwords (3 failed login attempts and you are locked out) and started to write them down on post-it notes, etc. Some folks came up with an easy-to-use "formula" to generate unique passwords - crack the "formula" and you can easily find out the password.
The whole exercise of frequently changing passwords for security got compromised because it became cumbersome and annoying for people to keep remembering unique passwords. The policy looks good on paper - but as long as the human element is not factored in, it will not be effective.
Just. Like. That.
"I forgot my password! It changes too often."
You've gotta do what everyone else does and write it down. Stick a copy in your wallet, under your keyboard, on the side of your monitor, etc. Now I'll just use my admin login to reset your password and you'll be on your way.
I'm actually not allowed to use two consecutive letters in my password to one government system. Every letter must be followed by a number. It also must be 8 characters, no more, no less, and can't contain any punctuation or special symbols. It changes every 90 days. And you can't reuse old passwords, either. Ever.
So, my first password was A1A1A1A1. Guess what my next one was?
There is always a bigger risk. 8-character random alphanumeric is around 40-48 bits of protection, depending on whether you mix upper and lowercase (harder to remember). I've written a strong password generator here. While 8-character alphanumeric is breakable, especially at 40 bits, it's unlikely you'll encounter such perseverance. A 90-day rotation will ensure that password crackers need to re-sniff your network for login hashes every 90 days, and limit their time to take advantage of a broken password, but beyond that it's just going to ensure that more users will write down their passwords. There is no set amount of time needed to break a random password. They could break it in a day or never. A rotation isn't going to have the effect of making them start over or anything.
There are plenty of bigger risks to worry about than someone bruteforcing a password. They could get passwords by other means. They could walk up to a PC that's already logged in, and either use it immediately or install a trojan for later use. They could sniff your network. File sharing and email are usually unencrypted. They could hack your DNS server so that requests go through them. An employee with privileges could steal or alter data.
I work at a medium, mango-hued company and we had to implement the same policy for "security reasons." I get about three calls a week asking for passwords to be reset.
The 90-day, eight character line-noise password policy has nothing to do with security: it's required for our security certification by a security company who has a good reputation. Either we comply with whatever such a company tells us to do, or banks and merchants and credit companies will refuse to do business with us. Oh, and we have to pick the right company so that we don't have to pay another >$10,000 to get re-certified by another expensive name.
Sucks, but c'est l'entreprise.
The bank I worked for implemented a "change your password every 60 days" rule the same year they handed us one of those motivational desktop calendars that had a word of the month like "teamwork", "integrity", and so on. The password checker would not let you repeat your previous passwords, but it did NOT check for dictionary words! So whenever it nagged me to change words I would just reach up to the desk calendar, flip over to the next month, and type in the word of the month. Certainly solved the "where can I write it down" problem. Anybody walking into my office would just think that I did not keep the calendar up to date.
I use a ROT-26 encrypted text file for that transparent security.
Just use a paperback book, and change the book occasionally. All you have to remember is the page number, paragraph number and line number; those are your random digits that preface or follow the letters. They refer to the phrase or sentence in that location, where you get your letters. Interposing can be your choice of course, straight ahead or rotating backwards to forwards, etc. Example: page *237(insert first word)*, paragraph *5(insert first word)*, line *4(insert first word)*. Ton of variations on that theme, and in this example you only need to remember *23754* in case you forget the entire passphrase sequence. The book can be an ebook for that matter on your PDA or any other stealthy/innocent written thing you have handy. Throw in some special characters and it gets even more difficult of course, or instead of inserting a word, do several words that you find there within the number and special characters. You can add an additional wildcard to help stop a dictionary attack on the word: add a 4th digit that reminds you to remove every 4th letter from every word, for example, or add a special character at that place. So then you would only have to remember in this example *237544(insert special character to remember this cycle)* for your hint. One more number added to the initial memorized number is an additional hint as to where to look if you forget the whole thing; for example, 2375448 would be a hint to look at book 8 for the other hints on your shelf of tech books perhaps.
One time pads, especially when it's only you using them and not two or more people, are a good thing. Of course it won't beat a boss-injected keylogger someplace in the mix. In this example, even if Joe Bad Guy has your book, and knows you are using it, those sorts of combinations are immense, especially with the special characters on the keyboard to use. And if it's gotten that far you are most likely cooked anyway, so time for plan B to avoid the rubber hoses, heh. I recommend a .45, a bag of cash in well-used bills, several gold pieces, and a really fast motorcycle. Might as well have fun during your escape, I always say;) Oh and don't forget the self destruct key for your cubicle....
Don't want to use a book? You can use something like the playlist and metadata for the song on your music player gadget. Example: song 909, Beatles, Hey Jude, something minutes and seconds or something KB in song length, etc. You only need to remember one song title per 90-day period then, along with the original placement number in the menu.
Ton of ways to do a one time pad variant easily; you just want it stealthy so no one realises that's where your passphrase hint is stored. Do you get any quarterly journals of the dead trees variety? You can use that; it fits the 90-day rule too, and it's an excuse to have that journal kicking around already. You could do it optically with random "things" that are around your office. Look up: you might have a calendar, some houseplant, a picture in a frame, the color of the wall, how many tiles on the ceiling between x place and y place in the office, etc. Just rotate your junk around, then all you have to do is look at the placements, along with that quarter's number sequence you remember. Example: number 48910(wildcard character), this quarter's passphrase might be january4*spiderplant8*mom9*cream10*
have fun
Do you really want to attach value to things like your thumbs, fingers and eyes? I mean the kind of value that makes someone else want them; I like and value mine quite a bit. Also, if your fingerprint happens to get compromised(i.e. somebody manages a working fake), how do you plan on obtaining a new one?
Terrified of biometrics until somebody gives me compelling reasons not to be...
Nerd rage is the funniest rage.
Many readers have pretty good live finger detection. If somebody wants something badly enough to cut off my finger, I will simply give it to them.
are very handy. I have about 45 passwords stored in mine.
;-)
My password app includes a utility to generate random but pronounceable passwords (which I don't generally use). My coworker told me one of these a year ago. I haven't used it in 9 months, and I still remember it. Oh $%^*, the system probably expired it.
I get *SO* pissed at these password fascists, particularly when their rules reduce my password security.
I use secure, easy to type, and easy to remember passwords (see http://ask.slashdot.org/comments.pl?sid=132327&cid=11054456 for details on that).
I never reuse passwords except in a few rare circumstances (on different Linux computers I personally control I reuse some passwords).
To keep track of all those passwords I bought a (relatively inexpensive) Palm Zire 31. On it I run Gnu Keyring (gnukeyring.sourceforge.net). I have one significantly secure password that I then use to encrypt all my other passwords. I back up this Palm using an SD card. I also back up via IR to my Linux notebook where there is a client that can decrypt the data.
I also have a Palm-based phone (Samsung i330) that can run Gnu Keyring--but I don't trust it. It makes mysterious 10-second data calls that bother a paranoid such as me. Yes, I don't have any good reason to trust the Zire 31 either, but I keep it nearly incommunicado, so I don't need to trust it so much.
I recommend Gnu Keyring.
-kb
I use secstore, I don't have to remember my passwords and they can be as long and as random as I like.
All I need is the password to secstore, which, in my case, is on the LAN.
secstore client - man page - for non-plan9 systems is now available as part of the Plan 9 from User Space project.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
You can either spend a few months creating your own Rainbow Tables http://www.antsight.com/zsl/rainbowcrack/, or you can buy the 64GB tables for $640, http://www.antsight.com/zsl/rainbowcrack/rt_price.txt.
Go not unto/. for advice, for you will be told both yea and nay (but have nothing to do with the question)
While in theory this will work, the only thing I've ever known it to do is to cause a rainbow-colored explosion of sticky notes with user name and password information on them to be applied to the upper right corner. It makes the cube farm look like a prairie after a rain - all the little flowers blossoming....
2 cents,
Queen B
HDGary secures my bank
Honestly this whole password thing is idiotic. Companies are finally answering to the security risks of ten years ago. At this rate by 2010 they will be fixing SQL queries based directly off user input. When it comes to cracking/stealing a person's password the best method nowadays is always to steal. It doesn't matter if your password is 3 pages long; if you give it to me I will be able to log in as you. Strong passwords are only as good as the minds of those who use them. Add to that the fact that the longer and more complex a single password is, the more likely the employee is to use that password in multiple places. Let's say I want access to a company's VPN; even if I don't know how strong the passwords are, connecting and trying a bunch of easy ones would be pretty dumb. Instead 5 minutes on Google will tell me the name of Joe Blow who works there, what his email address is, and a whole bunch of things that he is interested in. So I email Joe Blow with targeted spam, tell him about this amazing new website that just happens to be a community of people with exactly the same interests as him. He goes there and finds out that he needs to set up an account to view the forum. So he has this 10-page password from work that he has already memorized anyway (he wouldn't want anyone breaking into his forum account), so he goes ahead and puts it in the password field. Turns out the forum kind of sucks so he promptly forgets about the site. TADA, VPN access, and it only took 20 minutes. This works more than 50% of the time, and the average company has a few more than 2 employees. Watch 90% of the people who see this change their Slashdot passwords. :)
Crawl This - http://darkry.net/test/test.php
First, when you Ask Slashdot for actual research or empirical evidence to support a widely-accepted hypothesis (such as changing passwords often improves security), you get a bunch of anecdotal drivel. I know this from experience...
That being said, here's at least one academic paper on the subject:
http://www.cs.ucl.ac.uk/staff/S.Brostoff/index_files/sachas_transfer_report.pdf
An interesting quote:
"forced password changing causes password problems. The result was highly significant." followed by actual statistics demonstrating the significance.
Here's a white paper that seems to argue that complex passwords only provide real protection if you're able to reduce the number of passwords needed (this may just be a marketing pitch for a single sign-on product):
http://www.protocom.com/whitepapers/EvalAuthSecurity.pdf
Most opinions that complex passwords and often-changed passwords are more secure are probably based on the presumption that such policies increase the time required to crack a password:
http://scholar.google.com/url?sa=U&q=http://contracosta.edu/hpc/FaST/2003/Bonnie/passwd_sec.pdf
However, as far as I can tell, no one has really gone out of their way to scientifically compare the effective security provided by various types of password policies in "real world" situations like you describe.
BZZZZZT! Wrong!
What you meant was "Don't mod this if you've never seen the movie Sneakers"
Uplink copied this from Sneakers, which you have apparently never seen.
I think that the project was begun by Bruce Schneier, of "Applied Cryptography", "Secrets and Lies" and "Crypto-Gram" fame. But now the utility is open-source and multi-platform.
Note to ACs: I won't mod you up, even if you are being funny or insightful. So take a chance! It's not real life!
Using passwords which are correct English sentences isn't much better.
Correct English sentences have about 1.2 bits per character. That means that for 10 words of 5 characters each, you have 50 characters which are 60 entropic bits (~7.5 entropic bytes).
That is as strong as a 10-character password, or so, but much much longer.
Not sure this is the solution.
I think that whatever is easy to remember, is easy to remember because it has low entropy and is easy to attack.
The solution might be to use non-human memory? USB disk-on-keys containing crypto keys?
I really wonder, when crackers are trying to hack passphrases, whether generators with language rulesets will arise trying to construct valid "likely used" sentences.
Once you get that, you'll have the same problem once again... (but perhaps some nice grammar tech out of it coded up by kiddies)
(Or of course databases with silly but catchy punchlines.)
I think we can keep recursing like this until someone returns 1
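Two posts in this thread put numbers on password strength: "8 character random alphanumeric is around 40-48 bits" and "1.2 bits per character ... 50 characters which are 60 entropic bits ... as strong as a 10-character password, or so". The following added example (not from any poster) carries those calculations through, so both claims can be checked and extended to other policies; the 1.2 bits-per-character figure is taken from the post as given, not re-derived.

```python
import math

# Alphabet sizes for the policies discussed in the thread.
LOWER_DIGITS = 26 + 10        # "8 characters alphanumeric", one case
MIXED_DIGITS = 26 + 26 + 10   # mixed case plus digits
PRINTABLE = 95                # all printable ASCII ("line-noise" passwords)

ENGLISH_BITS_PER_CHAR = 1.2   # estimate quoted in the thread for English prose


def random_password_bits(alphabet_size: int, length: int) -> float:
    """Entropy, in bits, of a uniformly random password over the alphabet."""
    return length * math.log2(alphabet_size)


def passphrase_bits(n_chars: int, bits_per_char: float = ENGLISH_BITS_PER_CHAR) -> float:
    """Entropy estimate for n_chars of natural-language text."""
    return n_chars * bits_per_char


def equivalent_random_length(bits: float, alphabet_size: int) -> float:
    """Length of a random password over alphabet_size carrying `bits` of entropy."""
    return bits / math.log2(alphabet_size)


def policy_table():
    """Entropy of the concrete policies mentioned in the thread, rounded to 0.1 bit."""
    policies = [
        ("8 chars, lower+digits", LOWER_DIGITS, 8),
        ("8 chars, mixed+digits", MIXED_DIGITS, 8),
        ("10 chars, all printable", PRINTABLE, 10),
        ("12 chars, mixed+digits", MIXED_DIGITS, 12),
    ]
    return [(name, round(random_password_bits(a, n), 1)) for name, a, n in policies]


if __name__ == "__main__":
    for name, bits in policy_table():
        print(f"{name:26s} {bits:5.1f} bits")
    sentence = passphrase_bits(50)
    print(f"{'50-char English sentence':26s} {sentence:5.1f} bits "
          f"(~{equivalent_random_length(sentence, MIXED_DIGITS):.1f} random mixed-case chars)")
```

Note that these figures assume uniformly random choice; a password built to a memorable pattern, as several posters describe, has far less entropy than its length suggests.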
are retrieved on presentation of a thumb
Do you get the thumb back, at least?
paintball