Password Complexity in the Enterprise?

andrewa asks: "What's the deal with passwords in a corporate environment these days? The company I work for has introduced layer upon layer of complexity on passwords over the years, and now it is simply ridiculous. We have to enter a 16 character password each month that cannot compare in any digits to the previous twelve passwords, nor can it be a simple string -- it has to be a mixture of upper- and lower-case characters including numerals and non-alphanumerical characters. What's next? A mixture of non-keyboard accessible characters and several varieties of DNA? It's not like we are even a government institute -- we are a software company that does telecom stuff, for goodness sake. Anyway ... you know what this makes me do? Write it down somewhere. How secure is that? The question is, I think my company is completely anal with the password requirements, what other security policies are in place in other companies that either completely exceed the banality of my company, or -- God forbid -- have a security system that makes sense?"

Simpleton passwords are my friends at work

[9mm+Censor]

I work at a call center. The password I was given, was "apple123". After 6 months I was prompted to change it. So now my password is "apple456". If I were to work here for another 6 months, I would change it back to "apple123" but I quit because I value my sanity.

Re:Simpleton passwords are my friends at work

[rabiddeity]

You didn't happen to work for a company called "UNATCO", did you? I know a lot of their passwords were like that.

Skroob.

[Tackhead]

> We have to enter a 16 character password each month that cannot compare in any digits to the previous twelve passwords, nor can it be a simple string -- it has to be a mixture of upper- and lower-case characters including numerals and non-alphanumerical characters.

"0123456789aBcDeF"

That's amazing. I've got the same password on my 6-piece luggage set!

Re:Skroob.

[Captain+Splendid]

Dude, you need a new joke.

That's not too strange

Those requirements don't sound too tough, though 16 charaters is a little long.

As for remembering strong passwords, my method is this: think of a phrase, take the first letter of every word, substitute in some h4x0r numbers for letters, and make a few letters uppercase. It takes an afternoon or so before I can type it without thinking.

Example:
Slashdot is full of bad grammer,misspellings and inaccuracy

=

s1F0bgMaI

The phrase is easy to remember; the number and uppercase substitutions come with repetition.

Re:That's not too strange

[pete6677]

Yes, but try getting an administrative assistant to do this. They won't; you can guarantee they will just do the easy thing and write it down. This is not always a bad thing, though, provided they don't stick it on their monitor or something.

Re:That's not too strange

[renelicious]

Actaully I think the "first letter of the phrase" idea is too complex, why not just use a phrase. Most sane passwords allow up to 128 characters. You can easily type a whole sentence, which is much easier to remember. Use something like:

Jane's birthday is on October 12th. (with puncuation)

or

Do or do not, there is no try.

Re:That's not too strange

[alfs+boner]

Also:

Slashdot users are uneducated unemployed and overweight

=

SurU2a0

Slashdot users frequently complain about things, despite being overlooked and ignored because of their ignorance.

=

sUfcaTdb0a1b0t1

=

Goatees are stupid, especially on effeminate, pudgy computer nerds; they didn't even look good in the 1990s.

=

ga5e2pcntd31g1719905

Diabetes is god's way of telling you to lose weight, and that you look disgusting.

=

d1gW0tyT1w47yLd

Re:That's not too strange

[bigmouth_strikes]

> Goatees are stupid, especially on effeminate, pudgy computer nerds; they didn't even look good in the 1990s.

Hey, I resemble that remark!

So what's to keep you...

[Flimzy]

...from simply rotating the password?

Jan: 0123456789abcDE_
Feb: 123456789abcDE_0
Mar: 23456789abcDE_01

You get the idea

No digit will ever be the same as the same digit in any previous 15 passwords. It contains numbers, lower and upper case letters, and a non-alphanumeric character.

Re:So what's to keep you...

[Kadin2048]

I know people who do something similar to this, by typing geometric patterns on the keyboard. (They weren't using it actually to control access to anything, just as passwords to test accounts and the like.)

You start off with "1qaz2wsx3edc" and then when it expires, you change it to "qaz2wsx3edc4", etc. Depending on how intelligent the password system is -- in this particular case, not very -- you could get away with it. I think more secure systems probably pick up on the lack of difference between the two and would prohibit it.

It's easy to create very complex, seemingly-random passwords that include numerics and punctuation this way, but it's very prone to shoulder-surfing. If anyone sees you enter it even once, they'll know what you're doing.

Suggested to me:

[wild_berry]

One of the best I'd seen was to take first letters (or last, or second, etc.) from words in a song that you know the lyrics well. They have a decent amount of randomness and each album you buy will supply a couple of years' worth of passwords.

Writing them down in a safe location is a helpful aide-memoir. You could just have a lyrics file saved to a thumb drive or scrawled in a diary.

Re:Suggested to me:

[the+phantom]

That can't be Celtic -- too many vowels.

On the Enterprise?

[mph]

I know a few...

"Theta alpha two seven three seven blue"

"One one A"
"One one A two B"
"One B two B 3"
"Zero zero zero destruct zero"

But usually, voice identification is enough.

Re:On the Enterprise?

[poena.dare]

Yeah, I used to go for super duper password complexity on the Enterprise, but Data kept mimicking my voice, so what's the point? You can't win.

Well, this is a classic dilemma

[biglig2]

Make the passwords to hard to remember and people write them down because thay have to.

Some advice Bruce Schneider once gave: there is nothing so terribly wrong with writing your password down on a piece of paper and putting it into your wallet. Your wallet is a security mechanism that you already use, and you are very practiced at keeping it secure.

Myself, I use muscle memory to store mine. I make up an entierley random password and spend 20 minutes typing it over and over again until my hands remember how to make that sequence of twitches. Works great; and no risk of me acidentally telling someone my password because I don't know what it is.

Re:Well, this is a classic dilemma

[tomhudson]

Of course writing your password down and keeping it in your wallet or purse is better ... follow the MONEY!.

Just use the serial number off a piece of currency, and a few letters, and you're gold. Just don't spend your password,

Re:Well, this is a classic dilemma

[JaredOfEuropa]

Some advice Bruce Schneider once gave: there is nothing so terribly wrong with writing your password down on a piece of paper and putting it into your wallet. Your wallet is a security mechanism that you already use, and you are very practiced at keeping it secure.

Paper left in a wallet tends to become crumbly and perhaps ultimately unreadable. That's why people tend to keep such bits of paper in their desk drawer rather than their wallet. Or (especially if they have to remember multiple passwords) in a Word document protected by a silly password. Of course, passwords for "functional" accounts that are shared between users are recorded in a different favorite place: the office whiteboard.

To improve security and make the users happy at the same time, this is what we are currently doing:

1) Enforce "good" passwords but do not let them expire (do lock it out upon 3 incorrect passwords). Instead, notifying the user of his last login time and last workstation used.

2) Look for Single Sign-on solutions. Some applications can leave user authentication up to the OS: being logged in to Windows NT (for instance) is good enough for the application to trust that you are you. If you are writing an application that requires controlled access, consider implementing SSO.

3) If you cannot get around the fact that users will have to deal with multiple password, consider a Password Vaulting solution. Basically this is nothing more than a bit of client-side code that remembers passwords as they are entered once, and then enters them automatically the next time you come across the same login window. Sounds crummy, but there are a few secure enterprise-level password vault applications that store passwords centrally and encrypted.

4) Use sudo or kerberos or similar for functional accounts.

Re:Well, this is a classic dilemma

[Monster_Juice]

there is nothing so terribly wrong with writing your password down on a piece of paper and putting it into your wallet.

This would probably work well for me even though I have about 20 passwords. My wife on the other hand has 1 password and 20 purses. I can see her going to work and claiming she has to go home and change purses.

Re:Well, this is a classic dilemma

[WuphonsReach]

I divide my passwords up by classification:

1) The ones I deal with on a daily basis. These number in the range of about 1 dozen, but are still easily rememberable. Length varies from 12-30 characters, includes digits, mixed-case and is comprised of multiple words. Memorable, typeable, and fairly secure. Some of the longer ones are 40-80 characters in length, but they are ones that I only use when booting up the laptop every few weeks. I use them all frequently enough that they're memorable (although I still back them up in a GPG-protected file).

2) The ones that I let the web browser remember. Such as forum passwords. Since I use a laptop that I keep secure, I'm not terribly worried about letting the web browser remember these. Those passwords are generated by a random algorithm and are usually 20-40 characters in length with random caps and symbols inserted into the middle / ends / beginning. I keep track of these by placing them in a text file prior to encrypting to contents of the text file with my GPG key. If I ever need to look them up, I open the text file, copy the contents to the clipboard and decrypt it.

3) Other seldom used passwords. These are almost all randomly generated (30+ characters with random sybols, digits and caps). Again, I simply store them in plain text files where the contents of the file is a GPG encryption block. To get at the password, I copy the contents into the clipboard, decrypt and there I have it.

The plain text file with GPG encrypted contents works well for many reasons. It's backup-friendly (I could even put the contents into source code control), I can e-mail the blocks to myself on other machines without worries or I can make backups of all of my passwords by mailing them to a webmail account. I can setup the contents of the file to be readable by my co-workers for cases where multiple of us need access to the password.

Never assume your company won't be targeted.

[Subacultcha]

Every company has some information that needs to be secure. With a network, you're only as secure as the weakest link--one machine is all it takes for someone to infiltrate it.

While your company's password policy is much more stringant than my company's, it doesn't sound too paranoid at all. As far as remembering the password, you should write it down and carry it with you if you're having trouble remembering it. It should only take a couple days of logging in before you have it down, so then make sure you destroy the paper it's written on.

The thing is, you really need to worry about someone hacking your password remotely and a simple password of only lower-case letters and maybe some digits is a heck of a lot quicker to hack than mixed upper/lowercase, digits, and symbols. If someone got the piece of paper in your wallet, they probably would also get your keycard into your office, too. Once they had physical entry into your office, the password wouldn't be that big a deal. They could just steal your data drive and take all the time in the world to hack into it.

Re:Never assume your company won't be targeted.

[vldragon]

In all reality the long password idea is great. However once you have a 16 digit password it no longer really matters if you mix it with numbers and special charaters. This is from an article on password myths: "Now consider this password: SeandialVickyandhorusbloomkendallWyoming. It is not complex by any measure. It contains only two character types and all of the components are words. They are, in fact, words picked from the Microsoft password strength checker's dictionary, which includes 2,254 words. There are 40 characters in this password. The character set those characters are chosen from consist of uppercase and lowercase English characters, or 52 characters in total. That means there are a total of 4.45×1068 1 to 40-character passwords possible from that character set. If you use a brute force attack and you can guess 600 passwords per second, it will take you 1.63×1058 years to guess this password. But you may have captured a connection to a server and have the challenge-response sequence to crack it. In this case it will take you only 1.30×1054 years, assuming you are a nation-state and have access to nearly unlimited computing power." Also having to change the password every month is a terrible idea as others have described and is completley uneeded. With proper audit tools administrators should be able to tell if a user is logging in at odd times or in odd ways. If this is seen then someone most likely has this persons account information; however if this is not the case then making this person change their password every month only makes him change a secure password.

Re:Never assume your company won't be targeted.

[Lemmeoutada+Collecti]

Every time I see someone go over rules like your suggestion, I wonder why everyone suggests to limit the keyspace and provide a clear logic for attack? Correct me if I'm wrong, but it seems that those rules (easily learned through minimal social engineering) would make it easier to crack, despite the length minimums. For example:

Given a 6 character password from that scheme, I know the following always holds true:
Minimum of 1/3 of the password is uppercase, dictionary attacks are weak, limiting to non dictionary words means that users will most not use a symbol.

So I have a good chance using a list of names, months, and years against them and finding at least one match. More than likely several users are using the initial capital form of a family member's name and a month or year from a birthday as a password.

The thing I have a hard time grasping with all of this is why? No matter what the complexity rules, no matter how often the changes, it still relies on a single point of failure. And then there are all the shortsighted corporate rules, like not allowing connections to the company data source without a user password, which means someone somewhere has saved that password in a Microsoft Access or Excel file.

And the most fun thought is that no matter how secure your system is, no matter how well you lock everything from the wireless to the terminals down, some person is going to e-mail confidential data outside the company, and blow the whole door wide open. Even the military cannot 100% prevent that, and they are about as paranoid as possible about leaks.

Picture, picture on the wall.

Picture Password: A visual login technique for mobile devices

unlikely

[hrbrmstr]

"16 character password each month that cannot compare in any digits to the previous twelve passwords, nor can it be a simple string"

this is an exaggeration. I can believe 8-character password every 45 days that cannot be the same as any of the previous 6, but there's no way that the stated requirements are correct. every user would have sticky notes on the bottom of their keyboard or phone or on their laptops in order to remember their password.

no real enterprise security shop would condone such a moronic password policy.

if a company were that paranoid, they'd have invested in PKI or use SecurID.

tell us what the real requirements are and maybe we can offer some concrete suggestions.

Re:unlikely

[19thNervousBreakdown]

In my job, I talk to network administrators very frequently while supporting our software. Generally the problem is, our product's default password doesn't meet their complexity requirements. The solution is simple, I ask them what their requirements are and make one up that meets them.

Those requirements are absolutely not unlikely. I run into requirements at least as idiotic about once a month. Some of the stuff I've heard, I didn't even think it was possible to create a password that met them, and they had to be changed once a month. I've also run into stuff that probably reduces the keyspace (requiring 2 numbers, 2 special characters, 2 upper, 2 lower tells you a lot about every password when minimum length is 8). That one also had to be changed monthly.

These requirements are for ... well, I'm not going to even say what type of company that last particular one was in order to protect my job, but trust me, you'd be very surprised, and probably upset. The fact is, the type of critical thinker that can actually come up with a good password policy is somehow a rare person, even in IT. Since the people doing the hiring generally have no idea how to interview, you'll find that person with almost perfect random distribution at small and large companies, government offices, schools, banks, consultants, mom-n-pop stores, you name it. It's a sad, sad situation.

Depending upon the system, that's sufficient.

[khasim]

The key is not how complex you can make a password.

The key is how will an attacker defeat it.

So, a simple password is sufficient if the attacker will not have enough chances (statistically) to defeat it. This is easy to accomplish by having a time delay between authentication attempts or a lock-out period. But this is only sufficient if you have a person actively monitoring the authentication logs.

Example: Suppose you have a list of 10,000 common words. You take a random word, a digit (0-9) and another word, that will give you 10,000 x 10 x 10,000 possible combinations (1,000,000,000 or "one billion"). So, if you get 3 guesses before you're locked out for 15 minutes, then you can guess 12 passwords an hour ... 288 a day ... 864 over a 3 day weekend. Round that up to a thousand and it's still a "one chance in a million" to guess the password over 3 days of trying.

As long as there is someone reviewing the logs, the attempts will be noticed and actions can be taken before there is any real chance of your password being cracked.

And WordNumberWord is not that difficult to remember.

Now, this is NOT a good practice for passwords for encrypted files or anything else that can be cracked off-line.

My method

[Rysc]

I use two complementary password generation schemes:
(1) I pick a word or pair of words and convert them to 31337. Example: supersecure->sp3rs3cur3. This is 10 chars long, which is Good Enough for a commonly rotated password, easy to remember but hard to guess.
(2) I choose a phrase, such as a quote I like, and use the whole thing, For a while my root password was: myvoiceismypasswordverifyme. Now, technically that's not very secure because it's all lower case letters. But due to the length the amount of time it would take to crack is quite high. Again, good for a commonly rotated password.

For added security I use method 2 with method 1. Here's a secure password I no longer use: Iseemt0behavingtremend0usdifficultywithmylifestyle ! (Uppercase I intentional; exclemation point included.)

You get the idea.

What I like

[Reality+Master+101]

Unless there's some flaw that I don't know about, I've always liked the password method where it's two random English words (DoorAsphalt or MessHeave). It's easy to remember, and assuming, say, a 40,000 word dictionary, that gives 1.6 billion combinations.

My policy

[RemovableBait]

I've always found it a total pain to remember passwords for different resources, so I came up (probably stole the idea from someone, too long ago) with a method of using the keyboard as a sort of encoder/decoder. What I do is I have a memorable word or phrase, but I always type in the letters above or below the actual characters. This means I can turn a memorable phrase, say, "slashdot.org", into gibberish, like "woqwye95l94t". (No, that isn't my Slashdot login, so don't even think about it :).)

I've found that, while you need to think about it at the start, it doesn't take too long before you're used to using it. Of course you can (as I have) obfuscate it even more. For example, you could change the case (upper/lower) on alternate letters, type your memorable word/phrase in backwards, alternate above and below keys, etc.

Just an idea, real good for the corporate logins... you can easily remember a word or name, and quickly turn it into something the IT Dept. would approve of.

Re:Easy Solution

[fish+waffle]

I have 4 or 5 user IDs across a multitude of systems in my company and can never remember the ones I use about once a month or so. Typically I end up having to request a password reset for those systems.

At my former employment i had at least as many, with the same problem, and much the same solution. Several of my coworkers kept the usual piece of paper in their desk with passwords, and many just kept text files on the system they used most often.

I complained at one point and was told i should just use the same password everywhere. Sadly, every system had different password requirements, expired at different times, and several had different allowable characters (one was case-insensitive, others had different non-alphanumeric symbols missing or required)---just keeping track of all the systems required a list. I used to get password expiration notices from systems i'd never even logged into.

A lot of co-workers just rotate through all 8 or 12 iterations of passwords and then restore their original password.

That was also a solution i used a few times out of frustration. Problem was that around iteration 7 or so i'd lose track and forget some subtle detail of iteration 6, and end up locked out of the system, requiring a reset anyway.

The end result was:

• I had a paper list of several old, some current passwords in my desk drawer
• I gave up on choosing good passwords; abcdef01, increment number as required worked for many, some required rotating the abcdef through a few systematic, obvious and easy-to-guess variations (month names, colours, slightly mangled worked well)
• Most passwords would eventually require a reset, resulting in a new password to be sent to my manager, then to me, all in clear text through email

What they protecting so obsessively through password schemes i'll never know. Guess it worked though, i often couldn't get into the system i needed to get work done.

Write it down

[Wanker]

Write it down somewhere. How secure is that?

This is surprisingly secure, as long as you write it somewhere safe. Security pioneer Dorothy Denning does this, as do a number of other "security professionals". There are simply too many places a password is needed now to follow good security rules for all of them. The human-factor limitations lead to the obvious conclusions that people must either:

• write down a password
  
• store the password online
  
• use the same password lots of different places
  
• choose a really simple password
  

Writing down a password is safe if nobody can get hold of what it's written on. Storing it online is pretty much just like writing it down, except there are opportunities to make it safer. There's really no safe way to use the same password lots of different places or a really simple password.

Use a password generator to create some truly horrific 20-character monster and write it down. Keep that paper safe!

So lets ask a simple question...

[spagetti_code]

How many times have banks/people lost money due to weak passwords?
vs
How many times have backs/people lost money due to social engineering?

Forcing people to have crazy passwords may reduce the number of
times that password is cracked (from near zero to nearer zero).
But stopping social engineering will have a *far* greater impact -
because its actually pretty common for people to hand over their
passwords and account details to nigerians or email from pay pal.

So its not about the size of your password. For example: PIN codes
are pretty secure, but they are only 4 digits. The reason: You need the card
and you get 3 tries before the card is swallowed. 16 digit pins with
alpha numeric would *reduce* the security because many people will write
their pin on their card or keep it with their card.

For a bank - any simple 8 letter word will do for a password. A bank just needs
to be sure you can't have more than 3 tries before your account is locked
out.

And that holds true for any authentication system.
Lock your users out (so they have to come to you) after 3 tries.

Re:So lets ask a simple question...

[m-wielgo]

Most atm machines I've used actually take your card (for shredding) if you have 5 invalid attempts. I had it happen to me when I typed in the wrong PIN (confused with another card) and the machine didn't give it back to me..

hidden vulnerabilities

[J.J.]

1. Are you in a Windows domain?
   
   • if yes, is the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\Lsa\NoLMHash set to 1?
     
   • if no, then your password is:
     
     • converted to uppercase,
       
     • truncated to 14 characters
       
     • stored in two seven-character halves that may be bruted independently -- single 2GHz system can brute the entire keyspace in about 90 days.
       
     
     
   • if NoLMHash is set to 1, then your password is stored as a relatively secure MD4 hash. resources to crack in a reasonable timeframe are significant.
     
   • either way, the complexity of your hash is actually irrelevant:
     
     • in any domain that still supports NTLM authentication (vice pure kerberos) you can use smbproxy to authenticate with the hash, vice the password. w00t.
       
     • the hash is stored in the domain SAM and the local SAM, and may be dumped with pwdump, given administrator credentials
       
     • the password hash is also stored in a user's logon struct, down in ... winlogon.exe (?) -- that whole "single sign-on" thing. has to be somewhere.
       
     
     
   
   
2. not in a windows domain? I'm not qualified to answer.
   

so basically, passwords are irrelevant, but are a tangible element to everyone. so when the boss asks for better security, the IT admin implements greater password complexity, the boss notices because he has to type the damn password every day, and the IT admin get kudos. because of course, if user convenience decreased, security obviously increased. yay.

what is the value of having a complex password? it should be complex enough an attacker can not guess it. everything else relates to an attacker's ability to *crack* passwords, which is irrelevant in the world of windows these days. in a few years, NTLM will have died and kerberos will rule the day. then things might be different.

Hashapass!

[the_mice]

I've started using what I think is a great was to create what appear to be rather secure passwords that are easy to remember and recoverable (that's a highly qualified statement as I am in no way a security expert). Go to:

http://www.hashapass.com/

and enter your "parameter" (e.g. "march2006") and "master password" (e.g. "mysecretpassword") and you get a password (e.g. "K0u4CUXG") generated from the two. Of course you still have to remember the password, but at least if you forget it you can recover it from wherever you are, without having to write it down. It's all local JavaScript on the browser, so there's no network exposure...

t.

Forget passwords, use passphrases

[patio11]

They're easy to remember and extremely difficult to brute force. Just tell your users "Write a snippet of something which is meaningful to you". We can all type at 30+ words a minute so entering a 30 character password in natural English (perhaps without spaces) goes supringly fast. For example, supposing I liked classical literature, I could use socaesarmaythenlesthemayprevent (this is part of Brutus' soliliquy in Act 2 Scene 1 of Julius Caesar, which I had to memorize way back in high school). If you want to be reaaaaally anal you can obfuscate it a bit (l33tify, what have you). There is no convinient dictionary of "meaningful phrases in English" out there, although I suppose it would be somewhat less than secure if someone were able to find out you were, e.g., a Star Trek fan. And they're guaranteed to be easy to remember -- humans are a lot better remembering natural language they have an emotional connection to than remembering arbitrary alphanumeric strings. In fairness, I stole this tip from a Slashdot discussion about a year back sparked by advice from Microsoft, and have been using rediculously long passphrases since for all my "if that breaks, I'm "#$"#"#$%ed" logins (I still go with crazy insecure for trivial things like my slashdot login). I've got about 12 of them at the moment and have no problems with remembering them and changing with the security policy, whereas beforehand I had a discrete post-it.

Passwords suck

[RzUpAnmsCwrds]

Passwords suck. They always have, and they always will. Unlike smartcards, they don't protect against man-in-the-middle atttacks. They are easy to forget, easy to guess (in many cases), and, with a bit of social engineering, easy to steal. Many sites (Slashdot included) don't even bother to use SSL for logins. That's just sloppy.