Password Complexity in the Enterprise?

andrewa asks: "What's the deal with passwords in a corporate environment these days? The company I work for has introduced layer upon layer of complexity on passwords over the years, and now it is simply ridiculous. We have to enter a 16 character password each month that cannot compare in any digits to the previous twelve passwords, nor can it be a simple string -- it has to be a mixture of upper- and lower-case characters including numerals and non-alphanumerical characters. What's next? A mixture of non-keyboard accessible characters and several varieties of DNA? It's not like we are even a government institute -- we are a software company that does telecom stuff, for goodness sake. Anyway ... you know what this makes me do? Write it down somewhere. How secure is that? The question is, I think my company is completely anal with the password requirements, what other security policies are in place in other companies that either completely exceed the banality of my company, or -- God forbid -- have a security system that makes sense?"

Depending upon the system, that's sufficient.

[khasim]

The key is not how complex you can make a password.

The key is how will an attacker defeat it.

So, a simple password is sufficient if the attacker will not have enough chances (statistically) to defeat it. This is easy to accomplish by having a time delay between authentication attempts or a lock-out period. But this is only sufficient if you have a person actively monitoring the authentication logs.

Example: Suppose you have a list of 10,000 common words. You take a random word, a digit (0-9) and another word, that will give you 10,000 x 10 x 10,000 possible combinations (1,000,000,000 or "one billion"). So, if you get 3 guesses before you're locked out for 15 minutes, then you can guess 12 passwords an hour ... 288 a day ... 864 over a 3 day weekend. Round that up to a thousand and it's still a "one chance in a million" to guess the password over 3 days of trying.

As long as there is someone reviewing the logs, the attempts will be noticed and actions can be taken before there is any real chance of your password being cracked.

And WordNumberWord is not that difficult to remember.

Now, this is NOT a good practice for passwords for encrypted files or anything else that can be cracked off-line.

hidden vulnerabilities

[J.J.]

1. Are you in a Windows domain?
   
   • if yes, is the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\Lsa\NoLMHash set to 1?
     
   • if no, then your password is:
     
     • converted to uppercase,
       
     • truncated to 14 characters
       
     • stored in two seven-character halves that may be bruted independently -- single 2GHz system can brute the entire keyspace in about 90 days.
       
     
     
   • if NoLMHash is set to 1, then your password is stored as a relatively secure MD4 hash. resources to crack in a reasonable timeframe are significant.
     
   • either way, the complexity of your hash is actually irrelevant:
     
     • in any domain that still supports NTLM authentication (vice pure kerberos) you can use smbproxy to authenticate with the hash, vice the password. w00t.
       
     • the hash is stored in the domain SAM and the local SAM, and may be dumped with pwdump, given administrator credentials
       
     • the password hash is also stored in a user's logon struct, down in ... winlogon.exe (?) -- that whole "single sign-on" thing. has to be somewhere.
       
     
     
   
   
2. not in a windows domain? I'm not qualified to answer.
   

so basically, passwords are irrelevant, but are a tangible element to everyone. so when the boss asks for better security, the IT admin implements greater password complexity, the boss notices because he has to type the damn password every day, and the IT admin get kudos. because of course, if user convenience decreased, security obviously increased. yay.

what is the value of having a complex password? it should be complex enough an attacker can not guess it. everything else relates to an attacker's ability to *crack* passwords, which is irrelevant in the world of windows these days. in a few years, NTLM will have died and kerberos will rule the day. then things might be different.

Forget passwords, use passphrases

[patio11]

They're easy to remember and extremely difficult to brute force. Just tell your users "Write a snippet of something which is meaningful to you". We can all type at 30+ words a minute so entering a 30 character password in natural English (perhaps without spaces) goes supringly fast. For example, supposing I liked classical literature, I could use socaesarmaythenlesthemayprevent (this is part of Brutus' soliliquy in Act 2 Scene 1 of Julius Caesar, which I had to memorize way back in high school). If you want to be reaaaaally anal you can obfuscate it a bit (l33tify, what have you). There is no convinient dictionary of "meaningful phrases in English" out there, although I suppose it would be somewhat less than secure if someone were able to find out you were, e.g., a Star Trek fan. And they're guaranteed to be easy to remember -- humans are a lot better remembering natural language they have an emotional connection to than remembering arbitrary alphanumeric strings. In fairness, I stole this tip from a Slashdot discussion about a year back sparked by advice from Microsoft, and have been using rediculously long passphrases since for all my "if that breaks, I'm "#$"#"#$%ed" logins (I still go with crazy insecure for trivial things like my slashdot login). I've got about 12 of them at the moment and have no problems with remembering them and changing with the security policy, whereas beforehand I had a discrete post-it.