Slashdot Mirror


Password Complexity in the Enterprise?

andrewa asks: "What's the deal with passwords in a corporate environment these days? The company I work for has introduced layer upon layer of complexity on passwords over the years, and now it is simply ridiculous. We have to enter a 16 character password each month that cannot compare in any digits to the previous twelve passwords, nor can it be a simple string -- it has to be a mixture of upper- and lower-case characters including numerals and non-alphanumerical characters. What's next? A mixture of non-keyboard accessible characters and several varieties of DNA? It's not like we are even a government institute -- we are a software company that does telecom stuff, for goodness' sake. Anyway ... you know what this makes me do? Write it down somewhere. How secure is that? The question is, I think my company is completely anal with the password requirements, what other security policies are in place in other companies that either completely exceed the banality of my company, or -- God forbid -- have a security system that makes sense?"

22 of 216 comments

  1. Skroob. by Tackhead · · Score: 3, Funny
    > We have to enter a 16 character password each month that cannot compare in any digits to the previous twelve passwords, nor can it be a simple string -- it has to be a mixture of upper- and lower-case characters including numerals and non-alphanumerical characters.

    "0123456789aBcDeF"

    That's amazing. I've got the same password on my 6-piece luggage set!

    1. Re:Skroob. by Captain+Splendid · · Score: 4, Funny
      --
      Linux, you magnificent bastard, I read the fucking manual!
  2. That's not too strange by Anonymous Coward · · Score: 4, Insightful

    Those requirements don't sound too tough, though 16 characters is a little long.

    As for remembering strong passwords, my method is this: think of a phrase, take the first letter of every word, substitute in some h4x0r numbers for letters, and make a few letters uppercase. It takes an afternoon or so before I can type it without thinking.

    Example:
    Slashdot is full of bad grammer,misspellings and inaccuracy

    =

    s1F0bgMaI

    The phrase is easy to remember; the number and uppercase substitutions come with repetition.

    1. Re:That's not too strange by renelicious · · Score: 4, Interesting

      Actually I think the "first letter of the phrase" idea is too complex, why not just use a phrase. Most sane passwords allow up to 128 characters. You can easily type a whole sentence, which is much easier to remember. Use something like:

      Jane's birthday is on October 12th. (with punctuation)

      or

      Do or do not, there is no try.

      --
      "Luke, I am your node.parent();"
    2. Re:That's not too strange by alfs+boner · · Score: 3, Funny
      Also:

      Slashdot users are uneducated unemployed and overweight

      =

      SurU2a0

      Slashdot users frequently complain about things, despite being overlooked and ignored because of their ignorance.

      =

      sUfcaTdb0a1b0t1

      =

      Goatees are stupid, especially on effeminate, pudgy computer nerds; they didn't even look good in the 1990s.

      =

      ga5e2pcntd31g1719905

      Diabetes is god's way of telling you to lose weight, and that you look disgusting.

      =

      d1gW0tyT1w47yLd

      --
      Listen p*ssy. I'm sure your the same homo that posted earlier about alf's boner and you just want to remain anonymous fo
    3. Re:That's not too strange by bigmouth_strikes · · Score: 3, Funny

      > Goatees are stupid, especially on effeminate, pudgy computer nerds; they didn't even look good in the 1990s.

      Hey, I resemble that remark!

      --
      Oh, I can't help quoting you because everything that you said rings true
  3. So what's to keep you... by Flimzy · · Score: 4, Insightful
    ...from simply rotating the password?

    Jan: 0123456789abcDE_
    Feb: 123456789abcDE_0
    Mar: 23456789abcDE_01

    You get the idea

    No digit will ever be the same as the same digit in any previous 15 passwords. It contains numbers, lower and upper case letters, and a non-alphanumeric character.

    1. Re:So what's to keep you... by Kadin2048 · · Score: 3, Interesting

      I know people who do something similar to this, by typing geometric patterns on the keyboard. (They weren't using it actually to control access to anything, just as passwords to test accounts and the like.)

      You start off with "1qaz2wsx3edc" and then when it expires, you change it to "qaz2wsx3edc4", etc. Depending on how intelligent the password system is -- in this particular case, not very -- you could get away with it. I think more secure systems probably pick up on the lack of difference between the two and would prohibit it.

      It's easy to create very complex, seemingly-random passwords that include numerics and punctuation this way, but it's very prone to shoulder-surfing. If anyone sees you enter it even once, they'll know what you're doing.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  4. Suggested to me: by wild_berry · · Score: 4, Interesting

    One of the best I'd seen was to take first letters (or last, or second, etc.) from words in a song whose lyrics you know well. They have a decent amount of randomness and each album you buy will supply a couple of years' worth of passwords.

    Writing them down in a safe location is a helpful aide-mémoire. You could just have a lyrics file saved to a thumb drive or scrawled in a diary.

  5. On the Enterprise? by mph · · Score: 4, Funny

    I know a few...

    "Theta alpha two seven three seven blue"

    "One one A"
    "One one A two B"
    "One B two B 3"
    "Zero zero zero destruct zero"

    But usually, voice identification is enough.

    1. Re:On the Enterprise? by poena.dare · · Score: 4, Funny

      Yeah, I used to go for super duper password complexity on the Enterprise, but Data kept mimicking my voice, so what's the point? You can't win.

  6. Well, this is a classic dilemma by biglig2 · · Score: 4, Interesting

    Make the passwords too hard to remember and people write them down because they have to.

    Some advice Bruce Schneier once gave: there is nothing so terribly wrong with writing your password down on a piece of paper and putting it into your wallet. Your wallet is a security mechanism that you already use, and you are very practiced at keeping it secure.

    Myself, I use muscle memory to store mine. I make up an entirely random password and spend 20 minutes typing it over and over again until my hands remember how to make that sequence of twitches. Works great; and no risk of me accidentally telling someone my password because I don't know what it is.

    --
    ~~~~~ BigLig2? You mean there's another one of me?
    1. Re:Well, this is a classic dilemma by tomhudson · · Score: 3, Funny

      Of course writing your password down and keeping it in your wallet or purse is better ... follow the MONEY!

      Just use the serial number off a piece of currency, and a few letters, and you're gold. Just don't spend your password,

    2. Re:Well, this is a classic dilemma by JaredOfEuropa · · Score: 3, Insightful
      > Some advice Bruce Schneier once gave: there is nothing so terribly wrong with writing your password down on a piece of paper and putting it into your wallet. Your wallet is a security mechanism that you already use, and you are very practiced at keeping it secure.

      Paper left in a wallet tends to become crumbly and perhaps ultimately unreadable. That's why people tend to keep such bits of paper in their desk drawer rather than their wallet. Or (especially if they have to remember multiple passwords) in a Word document protected by a silly password. Of course, passwords for "functional" accounts that are shared between users are recorded in a different favorite place: the office whiteboard.

      To improve security and make the users happy at the same time, this is what we are currently doing:

      1) Enforce "good" passwords but do not let them expire (do lock it out upon 3 incorrect passwords). Instead, notify the user of his last login time and last workstation used.

      2) Look for Single Sign-on solutions. Some applications can leave user authentication up to the OS: being logged in to Windows NT (for instance) is good enough for the application to trust that you are you. If you are writing an application that requires controlled access, consider implementing SSO.

      3) If you cannot get around the fact that users will have to deal with multiple passwords, consider a Password Vaulting solution. Basically this is nothing more than a bit of client-side code that remembers passwords as they are entered once, and then enters them automatically the next time you come across the same login window. Sounds crummy, but there are a few secure enterprise-level password vault applications that store passwords centrally and encrypted.

      4) Use sudo or kerberos or similar for functional accounts.
      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    3. Re:Well, this is a classic dilemma by WuphonsReach · · Score: 3, Interesting

      I divide my passwords up by classification:

      1) The ones I deal with on a daily basis. These number in the range of about 1 dozen, but are still easily rememberable. Length varies from 12-30 characters, includes digits, mixed-case and is comprised of multiple words. Memorable, typeable, and fairly secure. Some of the longer ones are 40-80 characters in length, but they are ones that I only use when booting up the laptop every few weeks. I use them all frequently enough that they're memorable (although I still back them up in a GPG-protected file).

      2) The ones that I let the web browser remember. Such as forum passwords. Since I use a laptop that I keep secure, I'm not terribly worried about letting the web browser remember these. Those passwords are generated by a random algorithm and are usually 20-40 characters in length with random caps and symbols inserted into the middle / ends / beginning. I keep track of these by placing them in a text file prior to encrypting the contents of the text file with my GPG key. If I ever need to look them up, I open the text file, copy the contents to the clipboard and decrypt it.

      3) Other seldom used passwords. These are almost all randomly generated (30+ characters with random symbols, digits and caps). Again, I simply store them in plain text files where the contents of the file is a GPG encryption block. To get at the password, I copy the contents into the clipboard, decrypt and there I have it.

      The plain text file with GPG encrypted contents works well for many reasons. It's backup-friendly (I could even put the contents into source code control), I can e-mail the blocks to myself on other machines without worries or I can make backups of all of my passwords by mailing them to a webmail account. I can set up the contents of the file to be readable by my co-workers for cases where several of us need access to the password.

      --
      Wolde you bothe eate your cake, and have your cake?
  7. Depending upon the system, that's sufficient. by khasim · · Score: 5, Informative

    The key is not how complex you can make a password.

    The key is how will an attacker defeat it.

    So, a simple password is sufficient if the attacker will not have enough chances (statistically) to defeat it. This is easy to accomplish by having a time delay between authentication attempts or a lock-out period. But this is only sufficient if you have a person actively monitoring the authentication logs.

    Example: Suppose you have a list of 10,000 common words. You take a random word, a digit (0-9) and another word, that will give you 10,000 x 10 x 10,000 possible combinations (1,000,000,000 or "one billion"). So, if you get 3 guesses before you're locked out for 15 minutes, then you can guess 12 passwords an hour ... 288 a day ... 864 over a 3 day weekend. Round that up to a thousand and it's still a "one chance in a million" to guess the password over 3 days of trying.

    As long as there is someone reviewing the logs, the attempts will be noticed and actions can be taken before there is any real chance of your password being cracked.

    And WordNumberWord is not that difficult to remember.

    Now, this is NOT a good practice for passwords for encrypted files or anything else that can be cracked off-line.
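A small model of khasim's argument, added here as an example (not code from the thread): the lock-out policy, not the password's complexity, bounds the online attacker's guesses, while an unthrottled (offline) attacker is bounded only by their hardware. Scenario numbers follow the comment; the 1e6 guesses/s offline rate is an assumption for contrast.

```python
# Added example: online guess budget under a lock-out policy versus an
# unthrottled attacker, modelled on khasim's WordNumberWord scenario.

def wordnumberword_keyspace(words: int = 10_000, digits: int = 10) -> int:
    """Passwords of the form Word + digit + Word: words x digits x words."""
    return words * digits * words


def online_guess_budget(attempts_per_lockout: int, lockout_minutes: int,
                        hours: float) -> int:
    """Upper bound on online guesses in `hours` under a lock-out policy.

    Each lock-out window allows `attempts_per_lockout` tries and then freezes
    the account for `lockout_minutes`. Typing time is ignored, so this is the
    attacker's best case.
    """
    if lockout_minutes <= 0:
        raise ValueError("lockout_minutes must be positive")
    windows = hours * 60 / lockout_minutes
    return int(attempts_per_lockout * windows)


def unthrottled_guess_budget(guesses_per_second: float, hours: float) -> int:
    """Guesses possible when nothing slows the attacker down (assumed rate)."""
    return int(guesses_per_second * hours * 3600)


def success_probability(guesses: int, keyspace: int) -> float:
    """Chance that `guesses` distinct tries hit a uniformly chosen password."""
    return min(1.0, guesses / keyspace)


def weekend_report(keyspace: int = wordnumberword_keyspace()) -> dict:
    """The comment's scenario: 3 tries, 15-minute lock-out, 3-day weekend,
    beside an unthrottled attacker at an assumed 1e6 guesses/s (what the
    comment warns about for encrypted files and other offline targets)."""
    hours = 72
    locked = online_guess_budget(3, 15, hours)
    free = unthrottled_guess_budget(1e6, hours)
    return {
        "keyspace": keyspace,
        "lockout_guesses": locked,
        "lockout_success": success_probability(locked, keyspace),
        "unthrottled_guesses": free,
        "unthrottled_success": success_probability(free, keyspace),
    }


if __name__ == "__main__":
    for key, value in weekend_report().items():
        if isinstance(value, int):
            print(f"{key:>20}: {value:,}")
        else:
            print(f"{key:>20}: {value:.2e}")
```

The report shows the same one-billion keyspace falling to 864 guesses (about one in a million) under lock-out, but being exhausted well inside the weekend once the guess rate is unthrottled.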

  8. Re:unlikely by 19thNervousBreakdown · · Score: 4, Interesting

    In my job, I talk to network administrators very frequently while supporting our software. Generally the problem is, our product's default password doesn't meet their complexity requirements. The solution is simple, I ask them what their requirements are and make one up that meets them.

    Those requirements are absolutely not unlikely. I run into requirements at least as idiotic about once a month. Some of the stuff I've heard, I didn't even think it was possible to create a password that met them, and they had to be changed once a month. I've also run into stuff that probably reduces the keyspace (requiring 2 numbers, 2 special characters, 2 upper, 2 lower tells you a lot about every password when minimum length is 8). That one also had to be changed monthly.

    These requirements are for ... well, I'm not going to even say what type of company that last particular one was in order to protect my job, but trust me, you'd be very surprised, and probably upset. The fact is, the type of critical thinker that can actually come up with a good password policy is somehow a rare person, even in IT. Since the people doing the hiring generally have no idea how to interview, you'll find that person with almost perfect random distribution at small and large companies, government offices, schools, banks, consultants, mom-n-pop stores, you name it. It's a sad, sad situation.

    --
    <xml><I><am><so><damn>Web 2.0</damn></so></am></I></xml>
  9. Re:Never assume your company won't be targeted. by vldragon · · Score: 3, Insightful

    In all reality the long password idea is great. However, once you have a 16-digit password it no longer really matters if you mix it with numbers and special characters. This is from an article on password myths: "Now consider this password: SeandialVickyandhorusbloomkendallWyoming. It is not complex by any measure. It contains only two character types and all of the components are words. They are, in fact, words picked from the Microsoft password strength checker's dictionary, which includes 2,254 words. There are 40 characters in this password. The character set those characters are chosen from consists of uppercase and lowercase English characters, or 52 characters in total. That means there are a total of 4.45×10^68 1- to 40-character passwords possible from that character set. If you use a brute force attack and you can guess 600 passwords per second, it will take you 1.63×10^58 years to guess this password. But you may have captured a connection to a server and have the challenge-response sequence to crack it. In this case it will take you only 1.30×10^54 years, assuming you are a nation-state and have access to nearly unlimited computing power."

    Also having to change the password every month is a terrible idea, as others have described, and is completely unneeded. With proper audit tools administrators should be able to tell if a user is logging in at odd times or in odd ways. If this is seen then someone most likely has this person's account information; however, if this is not the case then making this person change their password every month only makes him change a secure password.

    --
    Eating the brains of your enemies does not make you smarter. But it's still fun.
  10. My policy by RemovableBait · · Score: 3, Interesting

    I've always found it a total pain to remember passwords for different resources, so I came up (probably stole the idea from someone, too long ago) with a method of using the keyboard as a sort of encoder/decoder. What I do is I have a memorable word or phrase, but I always type in the letters above or below the actual characters. This means I can turn a memorable phrase, say, "slashdot.org", into gibberish, like "woqwye95l94t". (No, that isn't my Slashdot login, so don't even think about it :).)

    I've found that, while you need to think about it at the start, it doesn't take too long before you're used to using it. Of course you can (as I have) obfuscate it even more. For example, you could change the case (upper/lower) on alternate letters, type your memorable word/phrase in backwards, alternate above and below keys, etc.

    Just an idea, really good for the corporate logins... you can easily remember a word or name, and quickly turn it into something the IT Dept. would approve of.
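RemovableBait's keyboard "encoder" written out as a function, with its inverse, added here as an example (not code from the thread). The point for a defender is that the transform is a fixed permutation of keys, so the result has no more entropy than the phrase typed in: "slashdot.org" and "woqwye95l94t" are the same guess. Assumptions: a US QWERTY layout, and the top row wrapping round to the bottom row so the mapping stays invertible.

```python
# Added example: the "type the key above" obfuscation as a fixed, invertible
# keyboard permutation. Assumes US QWERTY; number row wraps to bottom row.

QWERTY_ROWS = [
    "1234567890",   # number row
    "qwertyuiop",   # upper letter row
    "asdfghjkl;",   # home row
    "zxcvbnm,./",   # bottom row
]


def _build_map(rows: list[str], shift: int) -> dict[str, str]:
    """Map each key to the key `shift` rows away (negative = above), cyclic."""
    table = {}
    for r, row in enumerate(rows):
        target = rows[(r + shift) % len(rows)]
        for col, key in enumerate(row):
            table[key] = target[col]
    return table


UP = _build_map(QWERTY_ROWS, -1)        # key -> key one row above it
DOWN = {v: k for k, v in UP.items()}    # exact inverse, since UP is a bijection


def encode_above(phrase: str) -> str:
    """Type each character's key one row up; keys not in the table pass
    through unchanged. Case is dropped, as on the physical keyboard."""
    return "".join(UP.get(c.lower(), c) for c in phrase)


def decode_above(obfuscated: str) -> str:
    """Recover the phrase: every mapped key has exactly one preimage."""
    return "".join(DOWN.get(c, c) for c in obfuscated)


def round_trips(phrase: str) -> bool:
    """True when encode/decode is lossless, i.e. one phrase <-> one password:
    the obfuscated form is exactly as guessable as the phrase behind it."""
    return decode_above(encode_above(phrase)) == phrase.lower()


if __name__ == "__main__":
    secret = encode_above("slashdot.org")
    print(secret, "->", decode_above(secret), round_trips("slashdot.org"))
```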

  11. Write it down by Wanker · · Score: 3, Insightful
    > Write it down somewhere. How secure is that?

    This is surprisingly secure, as long as you write it somewhere safe. Security pioneer Dorothy Denning does this, as do a number of other "security professionals". There are simply too many places a password is needed now to follow good security rules for all of them. The human-factor limitations lead to the obvious conclusions that people must either:
    • write down a password
    • store the password online
    • use the same password lots of different places
    • choose a really simple password

    Writing down a password is safe if nobody can get hold of what it's written on. Storing it online is pretty much just like writing it down, except there are opportunities to make it safer. There's really no safe way to use the same password lots of different places or a really simple password.

    Use a password generator to create some truly horrific 20-character monster and write it down. Keep that paper safe!
  12. hidden vulnerabilities by J.J. · · Score: 3, Informative
    1. Are you in a Windows domain?
      • if yes, is the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash set to 1?
      • if no, then your password is:
        • converted to uppercase,
        • truncated to 14 characters
        • stored in two seven-character halves that may be bruted independently -- single 2GHz system can brute the entire keyspace in about 90 days.

      • if NoLMHash is set to 1, then your password is stored as a relatively secure MD4 hash; the resources needed to crack it in a reasonable timeframe are significant.
      • either way, the complexity of your hash is actually irrelevant:
        • in any domain that still supports NTLM authentication (vice pure kerberos) you can use smbproxy to authenticate with the hash, vice the password. w00t.
        • the hash is stored in the domain SAM and the local SAM, and may be dumped with pwdump, given administrator credentials
        • the password hash is also stored in a user's logon struct, down in ... winlogon.exe (?) -- that whole "single sign-on" thing. has to be somewhere.
    2. not in a windows domain? I'm not qualified to answer.
    so basically, passwords are irrelevant, but are a tangible element to everyone. so when the boss asks for better security, the IT admin implements greater password complexity, the boss notices because he has to type the damn password every day, and the IT admin get kudos. because of course, if user convenience decreased, security obviously increased. yay.

    what is the value of having a complex password? it should be complex enough an attacker can not guess it. everything else relates to an attacker's ability to *crack* passwords, which is irrelevant in the world of windows these days. in a few years, NTLM will have died and kerberos will rule the day. then things might be different.
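What J.J.'s LM-hash points mean for a 16-character password, modelled as an added example (not code from the thread): the function below reproduces only the preprocessing the comment lists (uppercase, truncate to 14, two independently hashed 7-byte halves), not the DES step, and compares the worst-case brute-force work for the LM form against the NT (MD4) form of the same password over printable ASCII. Tackhead's "0123456789aBcDeF" from earlier in the thread is used as the sample.

```python
# Added example: LM hash preprocessing and its effect on brute-force cost.
# Models uppercase + truncate-to-14 + two independent halves; no DES here.
import string

PRINTABLE = string.digits + string.ascii_letters + string.punctuation + " "
NT_ALPHABET = sorted(set(PRINTABLE))          # 95 symbols survive in the NT hash
LM_ALPHABET = sorted(set(PRINTABLE.upper()))  # 69 symbols survive uppercasing


def lm_preprocess(password: str) -> tuple[str, str]:
    """Uppercase, cut to 14 characters, pad with NUL, split into two halves.
    Each half is hashed on its own, so each can be attacked on its own."""
    padded = password.upper()[:14].ljust(14, "\0")
    return padded[:7], padded[7:]


def lm_half_cost(half: str) -> int:
    """Worst-case guesses for one half. NUL padding is never searched, and an
    all-NUL half hashes to a fixed, recognisable value (cost 1)."""
    effective = len(half.rstrip("\0"))
    return len(LM_ALPHABET) ** effective if effective else 1


def lm_attack_cost(password: str) -> int:
    """Halves are independent, so their costs add instead of multiplying."""
    first, second = lm_preprocess(password)
    return lm_half_cost(first) + lm_half_cost(second)


def nt_attack_cost(password: str) -> int:
    """The NT hash keeps full length and case: one search over 95^len."""
    return len(NT_ALPHABET) ** len(password)


def lm_weakening_factor(password: str) -> float:
    """How many times cheaper the LM form makes a brute-force search."""
    return nt_attack_cost(password) / lm_attack_cost(password)


if __name__ == "__main__":
    # Tackhead's 16-character joke password from the thread, and a short one.
    for pw in ("0123456789aBcDeF", "secret"):
        print(pw, lm_preprocess(pw), f"{lm_weakening_factor(pw):.2e}x cheaper")
```

With NoLMHash set to 1 (the registry check in the comment) only the NT form is stored, so `lm_attack_cost` no longer applies; without it, the 16-character password is worth two separate 7-character searches.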

  13. Forget passwords, use passphrases by patio11 · · Score: 3, Informative

    They're easy to remember and extremely difficult to brute force. Just tell your users "Write a snippet of something which is meaningful to you". We can all type at 30+ words a minute so entering a 30 character password in natural English (perhaps without spaces) goes surprisingly fast. For example, supposing I liked classical literature, I could use socaesarmaythenlesthemayprevent (this is part of Brutus' soliloquy in Act 2 Scene 1 of Julius Caesar, which I had to memorize way back in high school). If you want to be reaaaaally anal you can obfuscate it a bit (l33tify, what have you). There is no convenient dictionary of "meaningful phrases in English" out there, although I suppose it would be somewhat less than secure if someone were able to find out you were, e.g., a Star Trek fan. And they're guaranteed to be easy to remember -- humans are a lot better at remembering natural language they have an emotional connection to than remembering arbitrary alphanumeric strings. In fairness, I stole this tip from a Slashdot discussion about a year back sparked by advice from Microsoft, and have been using ridiculously long passphrases since for all my "if that breaks, I'm "#$"#"#$%ed" logins (I still go with crazy insecure for trivial things like my slashdot login). I've got about 12 of them at the moment and have no problems with remembering them and changing with the security policy, whereas beforehand I had a discreet post-it.