Slashdot Mirror


Password Complexity in the Enterprise?

andrewa asks: "What's the deal with passwords in a corporate environment these days? The company I work for has introduced layer upon layer of complexity on passwords over the years, and now it is simply ridiculous. We have to enter a 16 character password each month that cannot compare in any digits to the previous twelve passwords, nor can it be a simple string -- it has to be a mixture of upper- and lower-case characters including numerals and non-alphanumerical characters. What's next? A mixture of non-keyboard accessible characters and several varieties of DNA? It's not like we are even a government institute -- we are a software company that does telecom stuff, for goodness sake. Anyway ... you know what this makes me do? Write it down somewhere. How secure is that? The question is, I think my company is completely anal with the password requirements, what other security policies are in place in other companies that either completely exceed the banality of my company, or -- God forbid -- have a security system that makes sense?"

16 of 216 comments

  1. Simpleton passwords are my friends at work by 9mm+Censor · · Score: 2, Insightful

    I work at a call center. The password I was given was "apple123". After 6 months I was prompted to change it. So now my password is "apple456". If I were to work here for another 6 months, I would change it back to "apple123" but I quit because I value my sanity.

  2. That's not too strange by Anonymous Coward · · Score: 4, Insightful

    Those requirements don't sound too tough, though 16 characters is a little long.

    As for remembering strong passwords, my method is this: think of a phrase, take the first letter of every word, substitute in some h4x0r numbers for letters, and make a few letters uppercase. It takes an afternoon or so before I can type it without thinking.

    Example:
    Slashdot is full of bad grammer,misspellings and inaccuracy

    =

    s1F0bgMaI

    The phrase is easy to remember; the number and uppercase substitutions come with repetition.

    1. Re:That's not too strange by pete6677 · · Score: 2, Insightful

      Yes, but try getting an administrative assistant to do this. They won't; you can guarantee they will just do the easy thing and write it down. This is not always a bad thing, though, provided they don't stick it on their monitor or something.

  3. So what's to keep you... by Flimzy · · Score: 4, Insightful
    ...from simply rotating the password?

    Jan: 0123456789abcDE_
    Feb: 123456789abcDE_0
    Mar: 23456789abcDE_01

    You get the idea

    No digit will ever be the same as the same digit in any previous 15 passwords. It contains numbers, lower and upper case letters, and a non-alphanumeric character.
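The rotation trick above is worth checking against the rule it is aimed at. The following is an added example written for this thread, not code from the post or from the asker's company; the policy it models (16 characters, all four classes, twelve passwords of history, "no character in the same position as any stored password") is an assumption read from the question, and the symbol set is mine. It runs the cyclic rotation through that positional rule and then through a history rule that also recognises rotations.

```python
"""Added example (not from the post): how a 'no character in the same position
as any of the last twelve passwords' rule fares against cyclic rotation.

The policy modelled here is an assumption read from the question: 16 characters,
all four character classes, twelve passwords of history. The symbol set is mine.
"""
from collections import deque

HISTORY_DEPTH = 12
MIN_LENGTH = 16
SYMBOLS = set("!@#$%^&*()-_=+[]{};:,.<>?/")


def meets_complexity(pw: str) -> bool:
    """Length plus at least one lowercase, uppercase, digit and symbol."""
    return (
        len(pw) >= MIN_LENGTH
        and any(c.islower() for c in pw)
        and any(c.isupper() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in SYMBOLS for c in pw)
    )


def differs_in_every_position(new: str, old: str) -> bool:
    """The positional rule from the question: no index holds the same character."""
    return all(a != b for a, b in zip(new, old))


def positional_history_ok(new: str, history) -> bool:
    return all(differs_in_every_position(new, old) for old in history)


def is_rotation(new: str, old: str) -> bool:
    """True when `new` is `old` shifted cyclically by any amount (including 0)."""
    return len(new) == len(old) and new in old + old


def rotation_aware_history_ok(new: str, history) -> bool:
    """A history rule that also rejects rotations of any stored password."""
    return not any(is_rotation(new, old) for old in history)


def rotate(pw: str, k: int) -> str:
    k %= len(pw)
    return pw[k:] + pw[:k]


def simulate(seed: str, months: int, history_rule) -> list:
    """Apply the post's trick for `months` months; return the accepted passwords.

    Stops at the first month the rule rejects the rotated candidate.
    """
    history = deque(maxlen=HISTORY_DEPTH)
    accepted = []
    for month in range(months):
        candidate = rotate(seed, month)
        if not (meets_complexity(candidate) and history_rule(candidate, history)):
            break
        accepted.append(candidate)
        history.append(candidate)
    return accepted


if __name__ == "__main__":
    seed = "0123456789abcDE_"   # the Jan password from the post
    weak = simulate(seed, 24, positional_history_ok)
    strict = simulate(seed, 24, rotation_aware_history_ok)
    print(f"positional rule accepted {len(weak)} of 24 rotations; "
          f"month 16 repeats month 0: {weak[16] == weak[0]}")
    print(f"rotation-aware rule accepted {len(strict)}")
```

Because the seed has sixteen distinct characters, every rotation differs from every other at every position, so the positional rule accepts all twenty-four months and the January password comes back in month 17 with a twelve-deep history none the wiser. A rule that compares against rotations (or, more generally, against edit distance from stored passwords) rejects month two.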

  4. Never assume your company won't be targeted. by Subacultcha · · Score: 2, Insightful

    Every company has some information that needs to be secure. With a network, you're only as secure as the weakest link--one machine is all it takes for someone to infiltrate it.

    While your company's password policy is much more stringent than my company's, it doesn't sound too paranoid at all. As far as remembering the password, you should write it down and carry it with you if you're having trouble remembering it. It should only take a couple days of logging in before you have it down, so then make sure you destroy the paper it's written on.

    The thing is, you really need to worry about someone hacking your password remotely and a simple password of only lower-case letters and maybe some digits is a heck of a lot quicker to hack than mixed upper/lowercase, digits, and symbols. If someone got the piece of paper in your wallet, they probably would also get your keycard into your office, too. Once they had physical entry into your office, the password wouldn't be that big a deal. They could just steal your data drive and take all the time in the world to hack into it.

    1. Re:Never assume your company won't be targeted. by vldragon · · Score: 3, Insightful

      In all reality the long password idea is great. However once you have a 16 digit password it no longer really matters if you mix it with numbers and special characters. This is from an article on password myths: "Now consider this password: SeandialVickyandhorusbloomkendallWyoming. It is not complex by any measure. It contains only two character types and all of the components are words. They are, in fact, words picked from the Microsoft password strength checker's dictionary, which includes 2,254 words. There are 40 characters in this password. The character set those characters are chosen from consist of uppercase and lowercase English characters, or 52 characters in total. That means there are a total of 4.45×10^68 1 to 40-character passwords possible from that character set. If you use a brute force attack and you can guess 600 passwords per second, it will take you 1.63×10^58 years to guess this password. But you may have captured a connection to a server and have the challenge-response sequence to crack it. In this case it will take you only 1.30×10^54 years, assuming you are a nation-state and have access to nearly unlimited computing power." Also having to change the password every month is a terrible idea as others have described and is completely unneeded. With proper audit tools administrators should be able to tell if a user is logging in at odd times or in odd ways. If this is seen then someone most likely has this person's account information; however if this is not the case then making this person change their password every month only makes him change a secure password.

      --
      Eating the brains of your enemies does not make you smarter. But it's still fun.
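The quoted article counts guesses over the 52-letter alphabet. An attacker who knows the password is eight dictionary words counts over the dictionary instead, and the two numbers are very different. The script below is an added example, not code from the article or the commenter; it uses only the figures in the quote (52 letters, 40 characters, 2,254 words, 600 guesses per second), the eight-word split of the sample password is read off the quote by hand, and the 94-symbol printable ASCII set used for the asker's 16-character policy is an assumption.

```python
"""Added example (not from the quoted article): count the guesses for the
40-letter dictionary passphrase two ways, by character set and by wordlist.

Parameters are the ones in the quote: 52 letters, 40 characters, a 2,254-word
dictionary, 600 guesses per second. The split of the sample password into eight
words is read off the quote by hand; the 94-symbol printable ASCII set used for
the asker's 16-character policy is an assumption.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
SAMPLE_WORDS = ["Sean", "dial", "Vicky", "and", "horus", "bloom", "kendall", "Wyoming"]


def charset_keyspace(alphabet: int, max_len: int) -> int:
    """All strings of length 1..max_len over `alphabet` symbols (the article's count)."""
    return sum(alphabet ** n for n in range(1, max_len + 1))


def wordlist_keyspace(dictionary: int, words: int) -> int:
    """Strings formed by picking `words` entries (with repetition) from a dictionary."""
    return dictionary ** words


def bits(keyspace: int) -> float:
    return math.log2(keyspace)


def years_to_exhaust(keyspace: int, guesses_per_sec: float) -> float:
    return keyspace / guesses_per_sec / SECONDS_PER_YEAR


def compare(words, dictionary: int = 2254, alphabet: int = 52, rate: float = 600.0) -> dict:
    """Keyspace, bits and full-search time for the same passphrase under both models."""
    length = sum(len(w) for w in words)
    by_chars = charset_keyspace(alphabet, length)
    by_words = wordlist_keyspace(dictionary, len(words))
    return {
        "length": length,
        "charset_bits": bits(by_chars),
        "wordlist_bits": bits(by_words),
        "charset_years": years_to_exhaust(by_chars, rate),
        "wordlist_years": years_to_exhaust(by_words, rate),
    }


def policy_bits(alphabet: int = 94, length: int = 16) -> float:
    """Best case for the asker's 16-character, four-class policy: a random string."""
    return bits(alphabet ** length)


if __name__ == "__main__":
    r = compare(SAMPLE_WORDS)
    print(f"{r['length']} chars: {r['charset_bits']:.0f} bits by charset, "
          f"{r['wordlist_bits']:.0f} bits by wordlist")
    print(f"full search at 600/s: {r['charset_years']:.2e} vs {r['wordlist_years']:.2e} years")
    print(f"random 16-char policy password: {policy_bits():.0f} bits")
```

The character-set model reproduces the article's 4.45×10^68 keyspace (about 228 bits). Against the 2,254-word dictionary the same passphrase is eight choices of roughly 11 bits each, about 89 bits: far less than the article's figure, less than a truly random 16-character password under the asker's policy (about 105 bits), and still far beyond any brute-force budget at 600 guesses per second. Length wins, but the honest number comes from the attacker's model, not the alphabet.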
    2. Re:Never assume your company won't be targeted. by Lemmeoutada+Collecti · · Score: 2, Insightful

      Every time I see someone go over rules like your suggestion, I wonder why everyone suggests to limit the keyspace and provide a clear logic for attack? Correct me if I'm wrong, but it seems that those rules (easily learned through minimal social engineering) would make it easier to crack, despite the length minimums. For example:

      Given a 6 character password from that scheme, I know the following always holds true:
      Minimum of 1/3 of the password is uppercase, dictionary attacks are weak, limiting to non dictionary words means that users will most not use a symbol.

      So I have a good chance using a list of names, months, and years against them and finding at least one match. More than likely several users are using the initial capital form of a family member's name and a month or year from a birthday as a password.

      The thing I have a hard time grasping with all of this is why? No matter what the complexity rules, no matter how often the changes, it still relies on a single point of failure. And then there are all the shortsighted corporate rules, like not allowing connections to the company data source without a user password, which means someone somewhere has saved that password in a Microsoft Access or Excel file.

      And the most fun thought is that no matter how secure your system is, no matter how well you lock everything from the wireless to the terminals down, some person is going to e-mail confidential data outside the company, and blow the whole door wide open. Even the military cannot 100% prevent that, and they are about as paranoid as possible about leaks.

      --

      You can have it fast, accurate, or pretty. Pick any 2.
  5. unlikely by hrbrmstr · · Score: 2, Insightful

    "16 character password each month that cannot compare in any digits to the previous twelve passwords, nor can it be a simple string"

    this is an exaggeration. I can believe 8-character password every 45 days that cannot be the same as any of the previous 6, but there's no way that the stated requirements are correct. every user would have sticky notes on the bottom of their keyboard or phone or on their laptops in order to remember their password.

    no real enterprise security shop would condone such a moronic password policy.

    if a company were that paranoid, they'd have invested in PKI or use SecurID.

    tell us what the real requirements are and maybe we can offer some concrete suggestions.

    --
    Mind the gap...
  6. My method by Rysc · · Score: 2, Insightful

    I use two complementary password generation schemes:
    (1) I pick a word or pair of words and convert them to 31337. Example: supersecure->sp3rs3cur3. This is 10 chars long, which is Good Enough for a commonly rotated password, easy to remember but hard to guess.
    (2) I choose a phrase, such as a quote I like, and use the whole thing. For a while my root password was: myvoiceismypasswordverifyme. Now, technically that's not very secure because it's all lower case letters. But due to the length the amount of time it would take to crack is quite high. Again, good for a commonly rotated password.

    For added security I use method 2 with method 1. Here's a secure password I no longer use: Iseemt0behavingtremend0usdifficultywithmylifestyle ! (Uppercase I intentional; exclamation point included.)

    You get the idea.

    --
    I want my Cowboyneal
  7. Crackability is poorly understood by the clueless. by Anonymous Coward · · Score: 1, Insightful

    I think that people who work with this should work with a password cracker at least once. They generally work by taking in a wordlist (which may contain many things not quite like "words", such as keyboard runs-12345, !@#$%, asdf, etc.) and applying many rules to them (e.g. take two short words and add a number to the end). They also have "brute force" rules that can, say, try every password containing only lowercase letters & numbers. The brute force of lowercase letters + numbers took, for the DES passwords I cracked on an old Pentium 166 MHz (not even a Pentium Pro), about a few days, IIRC.

    So you can see why they want you to have long passwords with a balanced diet from the "four food groups" for passwords (lowercase, UPPERCASE, 1234567890, and #$@$@%). They make you change them because your lazy ass is very likely to reuse the same passwords elsewhere (and yes, the shady porn site operator you registered with might very well have added your username & password for the site to their "word list" as per the above). And they don't let you reuse it because if they discovered it once and added it to their wordlist (this happens by default with crackers like JTR), their rules will certainly find a trivially modified one.

    Of course, that still doesn't fix user-education problems like the lusers who write the password down under the keyboard/monitor/chair/tower/desk or in their desk drawer, etc. Nor the lusers who use unencrypted services and have it sniffed off the wire (or via the spyware they have installed).

    And, naturally, they generally only get to brute force it to begin with if they steal the password's hash somehow. If they're storing unhashed passwords (they'd damn well better not be), the crackability of your password won't matter, save that it shouldn't be guessable.

    So what I'm trying to say here is that, if you want to make your admin happier, generate a long, random phrase, condense it into 12 chars or so with a healthy mix from those food groups, and write it on a card in your wallet (the phrase, not the password). Most people take care of their wallets and the cash inside pretty well. You should do the same with your password instead of complaining.
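To make the "wordlist plus rules" point concrete, here is an added example written for this thread: a toy cracker, not John the Ripper and not code from the comment. Its wordlist, its handful of mangling rules and its target passwords are all made up here; the targets are unsalted SHA-1 only because the candidate stream is the point, not the hash. The second function feeds recovered plaintexts back into the wordlist, which is the behaviour the comment describes and the reason a "last month's password plus one character" choice is worthless.

```python
"""Added example (not John the Ripper, not code from the comment): a toy wordlist
cracker with a handful of mangling rules, to show why 'last password plus a
character' falls immediately once the old one is in the attacker's list.

The wordlist, the rules and the target passwords are made up here; targets are
stored as unsalted SHA-1 only because the point is the candidate stream, not
the hash.
"""
import hashlib
import itertools

LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
WORDLIST = ["apple", "password", "summer", "slashdot", "letmein", "qwerty", "asdf", "12345"]


def sha1(pw: str) -> str:
    return hashlib.sha1(pw.encode()).hexdigest()


def rules(word: str):
    """Candidates derived from one entry: case and leet variants, then suffixes."""
    bases = {word, word.lower(), word.capitalize(), word.upper(), word.translate(LEET)}
    for w in bases:
        yield w
        for n in range(1000):                 # 'add a number to the end'
            yield f"{w}{n}"
        for suffix in ("!", "!!", "2007"):    # a few popular tails
            yield w + suffix


def candidates(wordlist):
    """Single entries first, then every ordered pair joined ('two short words')."""
    for word in wordlist:
        yield from rules(word)
    for a, b in itertools.permutations(wordlist, 2):
        yield from rules(a + b)


def crack(target_hashes, wordlist, hash_fn=sha1) -> dict:
    """Return {hash: plaintext} for every target hit by the candidate stream."""
    remaining = set(target_hashes)
    found = {}
    if not remaining:
        return found
    for cand in candidates(wordlist):
        h = hash_fn(cand)
        if h in remaining:
            found[h] = cand
            remaining.remove(h)
            if not remaining:
                break
    return found


def crack_with_feedback(target_hashes, wordlist, hash_fn=sha1) -> dict:
    """Two passes: plaintexts recovered in pass one join the wordlist for pass two.

    This is the feedback the comment refers to, and it is what makes a password
    rotated by one character no better than the one before it.
    """
    first = crack(target_hashes, wordlist, hash_fn)
    second = crack(set(target_hashes) - set(first),
                   list(wordlist) + list(first.values()), hash_fn)
    return {**first, **second}


if __name__ == "__main__":
    # Constructed targets: four trivially derived passwords and one random one.
    targets = ["Apple456", "p455w0rd!", "SUMMER2007", "letmeinqwerty7", "Xq9!vL2#pR"]
    hits = crack([sha1(t) for t in targets], WORDLIST)
    print(f"pass 1 recovered {len(hits)} of {len(targets)}: {sorted(hits.values())}")
    next_month = crack_with_feedback([sha1("Apple456"), sha1("Apple456!")], WORDLIST)
    print(f"with feedback: {sorted(next_month.values())}")
```

With eight words and three rule families the stream is a few hundred thousand candidates, which is nothing; the random ten-character string survives only because no rule reaches it. "Apple456!" is not produced from "apple" in one pass, but once "Apple456" has been recovered and appended to the list, the suffix rule finds it in the second pass within a few thousand guesses.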

  8. Re:Easy Solution by fish+waffle · · Score: 2, Insightful
    I have 4 or 5 user IDs across a multitude of systems in my company and can never remember the ones I use about once a month or so. Typically I end up having to request a password reset for those systems.

    At my former employment I had at least as many, with the same problem, and much the same solution. Several of my coworkers kept the usual piece of paper in their desk with passwords, and many just kept text files on the system they used most often.

    I complained at one point and was told I should just use the same password everywhere. Sadly, every system had different password requirements, expired at different times, and several had different allowable characters (one was case-insensitive, others had different non-alphanumeric symbols missing or required)---just keeping track of all the systems required a list. I used to get password expiration notices from systems I'd never even logged into.

    A lot of co-workers just rotate through all 8 or 12 iterations of passwords and then restore their original password.

    That was also a solution I used a few times out of frustration. Problem was that around iteration 7 or so I'd lose track and forget some subtle detail of iteration 6, and end up locked out of the system, requiring a reset anyway.

    The end result was:
    • I had a paper list of several old, some current passwords in my desk drawer
    • I gave up on choosing good passwords; abcdef01, increment number as required worked for many, some required rotating the abcdef through a few systematic, obvious and easy-to-guess variations (month names, colours, slightly mangled worked well)
    • Most passwords would eventually require a reset, resulting in a new password to be sent to my manager, then to me, all in clear text through email

    What they were protecting so obsessively through password schemes I'll never know. Guess it worked though, I often couldn't get into the system I needed to get work done.
  9. Write it down by Wanker · · Score: 3, Insightful
    Write it down somewhere. How secure is that?

    This is surprisingly secure, as long as you write it somewhere safe. Security pioneer Dorothy Denning does this, as do a number of other "security professionals". There are simply too many places a password is needed now to follow good security rules for all of them. The human-factor limitations lead to the obvious conclusions that people must either:
    • write down a password
    • store the password online
    • use the same password lots of different places
    • choose a really simple password

    Writing down a password is safe if nobody can get hold of what it's written on. Storing it online is pretty much just like writing it down, except there are opportunities to make it safer. There's really no safe way to use the same password lots of different places or a really simple password.

    Use a password generator to create some truly horrific 20-character monster and write it down. Keep that paper safe!
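Generating that "20-character monster" is only as good as the randomness behind it. The following is an added example written for this thread, not code from the comment or any product: it draws every character with `secrets.choice` (the `random` module is not a secrets generator and must not be used for this), and it rejects candidates until all four classes appear, which keeps the output uniform over the acceptable set rather than pinning one class to a fixed position. The symbol set is my choice.

```python
"""Added example (not from the comment): generating the '20-character monster'
with a CSPRNG rather than a mnemonic scheme.

Every character is drawn with `secrets.choice`; the `random` module is not a
secrets generator and must not be used here. Candidates are rejected until all
four classes appear, which keeps the output uniform over the acceptable set
instead of pinning one class to a fixed position. The symbol set is my choice.
"""
import math
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/"
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)
ALPHABET = "".join(CLASSES)


def has_all_classes(pw: str) -> bool:
    return all(any(c in cls for c in pw) for cls in CLASSES)


def generate(length: int = 20) -> str:
    """Uniform random string over ALPHABET, conditioned on containing every class."""
    if length < len(CLASSES):
        raise ValueError("length must allow one character from each class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(pw):
            return pw


def entropy_bits(length: int = 20) -> float:
    """Entropy of the unconditioned draw; at 20 characters the class condition
    rejects under a tenth of candidates, so it costs well under a bit."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    print(generate(), f"({entropy_bits():.0f} bits)")
```

Twenty characters over this 88-symbol alphabet is about 129 bits, which is why the advice to generate and write down beats any memorable scheme: the paper is the only thing an attacker can go after.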
  10. So lets ask a simple question... by spagetti_code · · Score: 2, Insightful

    How many times have banks/people lost money due to weak passwords?
    vs
    How many times have banks/people lost money due to social engineering?

    Forcing people to have crazy passwords may reduce the number of
    times that password is cracked (from near zero to nearer zero).
    But stopping social engineering will have a *far* greater impact -
    because its actually pretty common for people to hand over their
    passwords and account details to Nigerians or email from PayPal.

    So it's not about the size of your password. For example: PIN codes
    are pretty secure, but they are only 4 digits. The reason: You need the card
    and you get 3 tries before the card is swallowed. 16 digit pins with
    alpha numeric would *reduce* the security because many people will write
    their pin on their card or keep it with their card.

    For a bank - any simple 8 letter word will do for a password. A bank just needs
    to be sure you can't have more than 3 tries before your account is locked
    out.

    And that holds true for any authentication system.
    Lock your users out (so they have to come to you) after 3 tries.
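The PIN argument rests on the server limiting online guesses, and the usual caveat is that a permanent lock after three tries lets anyone who knows a username deny service to its owner. The following is an added example written for this thread, not any bank's code: a verifier with a per-account failure counter whose lock is temporary and doubles on each repeat. Users, secrets and lock durations are made up, the clock is injectable so the behaviour can be checked without waiting, and the store holds a salted scrypt hash rather than the secret.

```python
"""Added example (not any bank's code): why a short secret can survive online
guessing, and the caveat about lockouts. Written for this thread.

A per-account failure counter locks the account after MAX_FAILURES bad tries.
A permanent lock turns three wrong guesses into a denial of service against the
victim, so this version uses a temporary lock that doubles on each repeat.
Users, secrets and the lock durations are made up; the verifier keeps a salted
scrypt hash rather than the secret itself.
"""
import hashlib
import hmac
import os
import time

MAX_FAILURES = 3
BASE_LOCK_SECONDS = 60.0


def hash_secret(secret: str, salt: bytes) -> bytes:
    # Deliberately slow so the offline case is also expensive if the store leaks.
    return hashlib.scrypt(secret.encode(), salt=salt, n=2 ** 14, r=8, p=1)


class Authenticator:
    def __init__(self, clock=time.monotonic):
        self.clock = clock      # injectable so tests can move time forward
        self.users = {}

    def register(self, name: str, secret: str) -> None:
        salt = os.urandom(16)
        self.users[name] = {
            "salt": salt,
            "hash": hash_secret(secret, salt),
            "failures": 0,
            "lockouts": 0,
            "locked_until": 0.0,
        }

    def login(self, name: str, secret: str) -> str:
        """Return 'ok', 'bad', 'locked' or 'unknown'."""
        user = self.users.get(name)
        if user is None:
            hash_secret(secret, b"\x00" * 16)   # same cost, so timing won't confirm names
            return "unknown"
        now = self.clock()
        if now < user["locked_until"]:
            return "locked"                     # even a correct guess is refused while locked
        if hmac.compare_digest(hash_secret(secret, user["salt"]), user["hash"]):
            user["failures"] = 0
            return "ok"
        user["failures"] += 1
        if user["failures"] >= MAX_FAILURES:
            user["lockouts"] += 1
            user["failures"] = 0
            user["locked_until"] = now + BASE_LOCK_SECONDS * 2 ** (user["lockouts"] - 1)
        return "bad"


if __name__ == "__main__":
    auth = Authenticator()
    auth.register("alice", "1234")              # a four-digit PIN
    print([auth.login("alice", pin) for pin in ("0000", "0001", "0002", "1234")])
    # -> ['bad', 'bad', 'bad', 'locked']; the right PIN is refused for a minute
```

With 10,000 possible PINs and three guesses per minute-long lock, an online attacker averages thousands of hours per account and every attempt lands in the audit log; the card-and-PIN scheme the comment describes adds possession on top. The escalating lock keeps the nuisance value of a deliberate lockout bounded without ever letting the guess rate climb.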

  11. Re:Well, this is a classic dilemma by JaredOfEuropa · · Score: 3, Insightful
    Some advice Bruce Schneier once gave: there is nothing so terribly wrong with writing your password down on a piece of paper and putting it into your wallet. Your wallet is a security mechanism that you already use, and you are very practiced at keeping it secure.
    Paper left in a wallet tends to become crumbly and perhaps ultimately unreadable. That's why people tend to keep such bits of paper in their desk drawer rather than their wallet. Or (especially if they have to remember multiple passwords) in a Word document protected by a silly password. Of course, passwords for "functional" accounts that are shared between users are recorded in a different favorite place: the office whiteboard.

    To improve security and make the users happy at the same time, this is what we are currently doing:

    1) Enforce "good" passwords but do not let them expire (do lock it out upon 3 incorrect passwords). Instead, notify the user of his last login time and last workstation used.

    2) Look for Single Sign-on solutions. Some applications can leave user authentication up to the OS: being logged in to Windows NT (for instance) is good enough for the application to trust that you are you. If you are writing an application that requires controlled access, consider implementing SSO.

    3) If you cannot get around the fact that users will have to deal with multiple passwords, consider a Password Vaulting solution. Basically this is nothing more than a bit of client-side code that remembers passwords as they are entered once, and then enters them automatically the next time you come across the same login window. Sounds crummy, but there are a few secure enterprise-level password vault applications that store passwords centrally and encrypted.

    4) Use sudo or kerberos or similar for functional accounts.
    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  12. Re:Well, this is a classic dilemma by Monster_Juice · · Score: 2, Insightful

    there is nothing so terribly wrong with writing your password down on a piece of paper and putting it into your wallet.

    This would probably work well for me even though I have about 20 passwords. My wife on the other hand has 1 password and 20 purses. I can see her going to work and claiming she has to go home and change purses.

    --
    Slashdot +1 funny -4 Insightful +1 informative -2 Redundant
    Karma: Somewhere between SCO and Microsoft
  13. Passwords suck by RzUpAnmsCwrds · · Score: 2, Insightful

    Passwords suck. They always have, and they always will. Unlike smartcards, they don't protect against man-in-the-middle attacks. They are easy to forget, easy to guess (in many cases), and, with a bit of social engineering, easy to steal. Many sites (Slashdot included) don't even bother to use SSL for logins. That's just sloppy.