Slashdot Mirror
Are Often-Changed Long Passwords Really Secure?
Zweistein_42 asks: "I work at a large, navy-coloured IT corporation. A new, more secured password policy has just taken effect and will be strictly enforced: 8 characters alphanumeric, changed *every 90 days*, with standard checks for non-repetitiveness, dictionary, uniqueness, etc. Is there any research to support whether such requirements actually increase security?"
"I have almost a dozen applications I use daily (e-mail, VPN, Windows login, intranet, FTP, etc), plus 20-30 I access 'occasionally', and their passwords have to be unique - and change at different times. I usually take the trouble to memorize random alphanumeric, un-guessable combinations; but even I won't bother memorizing an average of 2 random strings a week. Eventually, won't most people use their pets names (fuzzy1cat, fuzzy2cat, etc) and start writing passwords on a note on their screen?
Every time I see such a policy, I strongly believe it makes *my* passwords less secure. What is the average user's reaction? What about lost & support time trying to regain forgotten passwords?"
Every time I see such a policy, I strongly believe it makes *my* passwords less secure. What is the average user's reaction? What about lost & support time trying to regain forgotten passwords?"
things like SecurID were invented.. 2-factor authentification eliminates most of these special requirements.
As long as they don't check the post-it note under your desk - the password is secure!
But seriously, does a policy like this do anything but encourace people to write down their passwords?
Of course, it's kind of a single point of failure in terms of security, if you don't take into account the need to use a boot password and Windows login. Also, if your laptop dies... and you haven't backed up the password file...
verify me.
"Well Ranger Brad, I'm a scientist. I don't believe in anything." - Dr. Roger Fleming
I, like everyone else on the planet, work to make things easier for me and to hell with security. A new password every 90 days means people will design a password that passes the requirements but is easy to remember when you have to change it. For example, my last job required at least an 8 character password with at least two numbers and one case change, and you could not reuse passwords for at least 5 changes. So my first password was Th1s1smE. Anyone want to guess what my next password was after the first 90 days?
Anybody with half a mind (and you KNOW who you are) would run through the likely possibilities quickly enough.
My opinion: It would be better to provide a tool that would allow a user to rate a password which would let them come up with a password that passes a minimum quality requirement, a password that they could remember without writing it down, and then require it to be changed less frequently (like once per year). And, equally important, provide a second, different authentication mechanism to support the password security (a hardware token system would be one example, biometrics would be another, a prearranged "callback" mechanism would be a third, there are many others).
Beside, my experience with gaming a requirement like this is that users tend to mess up their password frequently and end up with their password set back to a known default (assuming the admins provide such a default, which in of itself is a very bad security decision). And so sometimes a policy like this will actually provide less security, because at any given time there will be a relatively high percentage of user accounts which are set to a known password. Years ago, I personally demonstrated this situation with one of the VP's of the company I worked for by going through the ID's of the senior managers until we found one using the default password.
So, long story short, changing passwords frequently does not automatically mean better security. But we all knew that, right?
The NSA: The only part of the US government that actually listens.
Is the problem not that your password has very strict complexity requirements but that there are too many of them?
/. last month I posted 10 times" this fulfils all requirements for complexity and is changeable and easy to remember.
I did read a paper (I think from Microsoft not sure) about how passwords were essentially redundant as you could pre compute the hashes of all alphnumeric combinations and then run a dictionary attack against a file pretty quickly. They suggested a pass phrase as the way forward. Perhaps something along the lines of "I love
The other solution I often tell people is make your passwords a personal acronym, who would guess "Il/mIp10t" as a password, yet it is easy for me to remember.
The only reason some people get lost in thought is because it's unfamiliar territory.
"A new, more secured password policy has just taken effect and will be strictly enforced: 8 characters alphanumeric, changed *every 90 days*"
So? In the company I'm working for, we have a policy that the password has to be at least 10 characters long, alphanumeric mixed case and it will change *every 30 days*. And the new password can't be the same as 10 last ones.
I have solved the problem of memorizing these passwords by using source code as a password. For example: "printf("Hello, World!");" should be complex enough and it is relatively easy to remember.
To your question: No, I don't know if the longer, more complex passwords are actually more secure / cost efficient than shorter ones, because of the side effects caused by difficult to remember passwords. But at least this kind of policy prevents the most trivial dictionary attacks. It's a completely different story, how else the security is taken care of (ie. educating the personnel, so there will not be any post-it notes laying around and other forms of security, because it's all about layers).
Longer harder to remember passwords require more human intervention (IT helpdesk reset passwords to 'monday' when you forget it).
:-)
You also are tempted to write them down, or use consequtive patterns as passwords:
qwer789456123
0ok9ij8uh
Things like that. A simple phrase password, with a one time algorithm (give me the 4th, 5th, 7th and 10th letters) take longer to work out in your head, but eavesdroppers (video, shoulder surfing, finger prints (national treasure) and electronic) have a harder time.
Of course, if you store all your new 8 digita alpha numeric passwords in an access file which is shared in a public folder, that woud make any attempt of l33t passwords a bit redundant.
#hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
Is silly, if you stop brute force... with intrusion detection systems, if a password does get lost, why give yourself a 45 day (average) allowance? so it is ok for someone to have a password for 45 days, but not longer.
;-)
Also, the root password for my laptop is 'swordfish' (oh halle... I love your baps, but when the line 'it isn't just a multi-monitor system' comes up, I really have to kill nearby carbon based lifeforms.) but noone has hacked it yet for 3 reasons:
1: It is linux, therefore unhackable, even with r00t password
2: It has no networking capability
3: It no longer actually works, and after the drop I gave it, I suspect even the parked heads might not have stopped platter axle damage...
So have some auditing and heuristic behaviour analysis. Use one time passwords, rigorously check all intrusions based on internal/external. Follow up a failed pssword attempt with a human call (SOMETIMES computers can be the weak link in security)
#hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
1.
Changing passwords is ofcourse to reduce impact when a password is stolen/cracked. 90 days sounds a bit long -- is this policy based on evaluating what's *needed* or just based on vague assumptions ?
If it is expected that keyloggers, bruteforcing or some other form of password-theft is likely, 30 days might be more apropriate.
2.
According to various textbooks on computer security, forming a password from 1st (or some'th) letter in a sentence forms passwords which in general terms are as hard to brute-force as "truly" random passwords:
madly typing at keyboard: 32nfia.-!
I once saw four naked girls dancing in the moonlight: I1s4ngditm!
The latter form *may* be slightly more open to guessing the frequency of letters -- but bruteforcing a password with 12 alpha-numeric characters takes a *lot* of effort.
The main point is that passwords "generated" like that is *much* easier to remember. They may also be more "random" than just typing at the keyboard...
Some punctation and variations in capitalization should be encouraged/enforced.
3.
If you are authenticating against Active Directory -- just use pass phrases. Harder to bruteforce -- and prevents the ntlm-hash (16 chars, one case) being accepted by some braindead system.
4.
I personally think single-sign on is an important part of a good security strategy because it allows for more frequently changing of passwords -- admins would typically still need 2-3 accounts (normal user, admin role, testing role), but more managble than 10+
5.
Just because a password is written down does *not* mean it's compromised! If security really is so important that everyone needs 5 or more 8 letter "random" and uniqe passwords, I would *strongly* recommend that arangements be made for all passwords to be kept in escrow in a safe.
That way employees won't have an excuse to keep the password somewhere insecure. Everyone should be able to get their password during work-hours easily (for instance the receptionist that either knows everyone, or is instructed to _demand_ id, could have access to the safe).
The downside with any kind of escrow, is ofcourse, that one is forced to trust the few people with access to all passwords completly. This is a tradeoff -- but so are all security decisions.
6.
You mention bios boot passwords. Is that truly neccessary ? Bios configuration password sounds more reasonable to me. But either one is of rather limited use, unless you are using some form of fortified pc case.
If you do mean configuration passwords, that is a primary candidate for writing down, and locking in a safe IMHO. Normally all admins would have access to this, so that seems reasonable.
Policies like this typically result in more people breaking the rules and writing down their passwords, which in turn reduces security.
Bruce Tognazzini has covered this kind of stupidity before.
. Better yet, have the people who are implementing this policy read it. Point out it's by one of the leading usability experts in the world. Odds are it won't change anything, but hey at least you tried...
"I've been watching security people for years as they've slowly increased the security of everything they can get their hands on until any idiot can wander in.
(...)
My wife, the Doctor, was working over the summer at a local hospital. They are fiercely into security, requiring no fewer than four sets of passwords to navigate their system. And why not? There are confidential patient records on those systems! By golly, they ought to have eight sets of passwords, and really make things secure!"
Read it: http://asktog.com/columns/058SecurityD'ohlts.html
Is there any research to support whether such requirements actually increase security?
Translation: I can't be bothered changing my password and am too dumb to come up with arguments against this policy to give to my boss on my own.
And the master password to this file hasn't ever changed... heh
Avantslash: low-bandwidth mobile slashdot.
Never underestimate the power of human ingenuity. We had the same problem at one of my ex-employer - there was a policy to change passwords every month. Initially, you could not 'recycle' a used password until ten entirely new passwords were used. Later on this was increased to 24 unique passwords before you could reuse the original password. People started forgetting passwords (3 failed login attempts and you are locked out) and started to write them down on post-it notes, etc. Some folks came up with an easy to use "formula" to generate unique passwords - crack the "formula" and you can easily find out the password.
The whole exercise of frequently changing passwords for security got compromised because it became cumbersome and annoying for people to keep remembering unique passwords. The policy looks good on paper - but as long as the human element is not factored in, it will not be effective.
"I forgot my password! It changes too often."
You've gotta do what everyone else does and write it down. Stick a copy in your wallet, under your keyboard, on the side of your monitor, etc. Now I'll just use my admin login to reset your password and you'll be on your way.
I'm actually not allowed to use two consecutive letters in my password to one government system. Every letter must be followed by a number. It also must be 8 characters, no more, no less, and can't contain any punctuation or special symbols. It changes every 90 days. And you can't reuse old passwords, either. Ever.
So, my first password was A1A1A1A1. Guess what my next one was?
There is always a bigger risk. 8 character random alphanumeric is a around 40-48 bits of protection, depending on if you mix upper and lowercase (harder to remember). I've written a strong password generator here. While 8 character alphanumeric is breakable, especially at 40 bits, it's unlikely you'll encounter such perserverance. A 90 day rotation will ensure that password crackers need to re-sniff your network for login hashes every 90 days, and limit their time to take advantage of a broken password, but beyond that it's just going to ensure that more users will write down their passwords. There is no set amount of time needed to break a random password. They could break it in a day or never. A rotation isn't going to have the effect of making them start over or anything.
There are plenty of bigger risks to worry about than someone bruteforcing a password. They could get passwords by other means. They could walk up to a pc that's already logged in, and either use it immediately or install a trojan for later use. They could sniff your network. File sharing and email are usually unencrypted. They could hack your dns server so that requests go through them. An employee with priveledges could steal or alter data.
I work at a medium, mango-hued company and we had to implement the same policy for "security reasons." I get about three calls a week asking for passwords to be reset.
The 90-day, eight character line-noise password policy has nothing to do with security: it's required for our security certification by a security company who has a good reputation. Either we comply with whatever such a company tells us to do, or banks and merchants and credit companies will refuse to do business with us. Oh, and we have to pick the right company so that we don't have to pay another >$10,000 to get re-certified by another expensive name.
Sucks, but c'est l'entreprise.
The bank I worked for implemented a "change your password every 60 days" rule the same year they handed us one of those motivational desktop calendars that had a word of the month like "teamwork", "integrity", and so on. The password checker would not let you repeat your previous passwords, but it did NOT check for dictionary words! So whenever it nagged me to change words I would just reach up to the desk calendar, flip over to the next month, and type in the word of the month. Certainly solved the "where can I write it down" problem. Anybody walking into my office would just think that I did not keep the calendar up to date.
www.HearMySoulSpeak.com
Do you really want to attach value to things like your thumbs, fingers and eyes? I mean the kind of value that makes someone else want them; I like and value mine quite a bit. Also, if your fingerprint happens to get compromised(i.e. somebody manages a working fake), how do you plan on obtaining a new one?
Terrified of biometrics until somebody gives me compelling reasons not to be...
Nerd rage is the funniest rage.
many readers have pretty good live finger detection. If somebody wants something badly enough to cut off my finger, I will simply give it to them.
Lasers Controlled Games!
I get *SO* pissed at these password fascists, particularly when their
3 27&cid =11054456 for
rules reduce my password security.
I use secure, easy to type, and easy remember passwords (see
http://ask.slashdot.org/comments.pl?sid=132
details on that).
I never reuse passwords except in a few rare circumstances (on
different Linux computers I personally control I reuse some
passwords).
To keep track of all those passwords I bought a (relatively
inexpensive) Palm Zire 31. On it I run Gnu Keyring
(gnukeyring.sourceforge.net). I have one significantly secure
password that I then use to encrypt all my other passwords. I backup
this Palm using an SD card. I also back up to via IR to my Linux
notebook where there is a client that can decrypt the data.
I also have a Palm-based phone (Samsung i330) that can run Gnu
Keyring--but I don't trust it. It makes mysterious 10-second data
calls that bother a paranoid such as me. Yes, I don't have any good
reason to trust the Zire 31 either, but I keep it nearly incommunicado, I
don't need to trust it so much.
I recommend Gnu Keyring.
-kb
You can either spend a few months creating your own Rainbow Tables http://www.antsight.com/zsl/rainbowcrack/, or you can buy the 64GB tables for $640, http://www.antsight.com/zsl/rainbowcrack/rt_price. txt.
Go not unto/. for advice, for you will be told both yea and nay (but have nothing to do with the question)
While in theory this will work, the only thing I've ever known it to do is to cause a rainbow-colored explosion of sticky notes with user name and password information on them to be applied to the upper right corner. It makes the cube farm look like a paririe after a rain - all the little flowers blossoming....
2 cents,
Queen B
HDGary secures my bank
Honestly this whole password thing is idiotic. Companies are finally answering to the security risks of ten years ago. At this rate by 2010 they will be fixing sql queries based directly off user input. when it comes to cracking/stealing a persons password the best method now days is always to steal. It doesn't matter if your password is 3 pages long if you give it to me I will be able to log in as you. strong passwords are only as good as the minds of those who use them. Add to that the fact that the longer and more complex a single password is, the more likely the employee is to use that password in multiple places. Lets say I want access to a companies VPN, even if I don't know how strong the passwords are, connecting and trying a bunch of easy ones would be pretty dumb. Instead 5 minutes on google will tell me the name f Joe Blow who works there, what his email address is, and a whole bunch of things that he is interested in. So I email Boe Blow with targeted spam, tell him about this amazing new website that just happens to be a community of people with exactly the same interests as him. He goes there and finds out that he needs to set up an account to view the forum. So he has this 10 page password from work that he has already memorized anyway (he wouldn't want anyone breaking into his forum account) so he goes ahead and puts it in the password field. Turns out the forum kind of sucks so he promptly forgets about the site. TADA VPN access, and it only took 20 minutes. This works more than 50% of the time, and the average company has a few more than 2 employees. Watch 90% of the people who see this change their slashdot passwords. :)
Crawl This - http://darkry.net/test/test.php
First, when you Ask Slashdot for actual research or empirical evidence to support a widely-accepted hypothesis (such as changing passwords often improves security), you get a bunch of anecdotal drivel. I know this from experience...
f /index_fil es/sachas_transfer_report.pdf
l AuthSecuri ty.pdf
t tp://contra costa.edu/hpc/FaST/2003/Bonnie/passwd_sec.pdf
That being said, here's at least one academic paper on the subject:
http://www.cs.ucl.ac.uk/staff/S.Brostof
An interesting quote:
"forced password changing causes password problems. The result was highly significant." followed by actual statics demonstrating the significance.
Here's a white paper that seems to argue that complex passwords only provide real protection if you're able to reduce the number of passwords needed (this may just be a marketing pitch for a single-signon product)
http://www.protocom.com/whitepapers/Eva
Most opinions that complex passwords and often changed passwords are more secure are probably based on the presumption that such policies increase the time required to crack a password:
http://scholar.google.com/url?sa=U&q=h
However, as far as I can tell, no one has really gone out of their way to scientifically compare the effective security provided by various types of password policies in "real world" situations like you describe.