Slashdot Mirror


Password Complexity in the Enterprise?

andrewa asks: "What's the deal with passwords in a corporate environment these days? The company I work for has introduced layer upon layer of complexity on passwords over the years, and now it is simply ridiculous. We have to enter a 16 character password each month that cannot compare in any digits to the previous twelve passwords, nor can it be a simple string -- it has to be a mixture of upper- and lower-case characters including numerals and non-alphanumerical characters. What's next? A mixture of non-keyboard accessible characters and several varieties of DNA? It's not like we are even a government institute -- we are a software company that does telecom stuff, for goodness sake. Anyway ... you know what this makes me do? Write it down somewhere. How secure is that? The question is, I think my company is completely anal with the password requirements, what other security policies are in place in other companies that either completely exceed the banality of my company, or -- God forbid -- have a security system that makes sense?"

10 of 216 comments

  1. That's not too strange by Anonymous Coward · Score: 4, Insightful

    Those requirements don't sound too tough, though 16 characters is a little long.

    As for remembering strong passwords, my method is this: think of a phrase, take the first letter of every word, substitute in some h4x0r numbers for letters, and make a few letters uppercase. It takes an afternoon or so before I can type it without thinking.

    Example:
    Slashdot is full of bad grammar, misspellings and inaccuracy

    =

    s1F0bgMaI

    The phrase is easy to remember; the number and uppercase substitutions come with repetition.

    1. Re:That's not too strange by renelicious · Score: 4, Interesting

      Actually I think the "first letter of the phrase" idea is too complex; why not just use a phrase? Most sane passwords allow up to 128 characters. You can easily type a whole sentence, which is much easier to remember. Use something like:

      Jane's birthday is on October 12th. (with punctuation)

      or

      Do or do not, there is no try.

      --
      "Luke, I am your node.parent();"
  2. So what's to keep you... by Flimzy · Score: 4, Insightful
    ...from simply rotating the password?

    Jan: 0123456789abcDE_
    Feb: 123456789abcDE_0
    Mar: 23456789abcDE_01

    You get the idea

    No digit will ever be the same as the same digit in any previous 15 passwords. It contains numbers, lower and upper case letters, and a non-alphanumeric character.

  3. Suggested to me: by wild_berry · Score: 4, Interesting

    One of the best I'd seen was to take first letters (or last, or second, etc.) from words in a song whose lyrics you know well. They have a decent amount of randomness and each album you buy will supply a couple of years' worth of passwords.

    Writing them down in a safe location is a helpful aide-mémoire. You could just have a lyrics file saved to a thumb drive or scrawled in a diary.

  4. On the Enterprise? by mph · Score: 4, Funny

    I know a few...

    "Theta alpha two seven three seven blue"

    "One one A"
    "One one A two B"
    "One B two B 3"
    "Zero zero zero destruct zero"

    But usually, voice identification is enough.

    1. Re:On the Enterprise? by poena.dare · Score: 4, Funny

      Yeah, I used to go for super duper password complexity on the Enterprise, but Data kept mimicking my voice, so what's the point? You can't win.

  5. Well, this is a classic dilemma by biglig2 · Score: 4, Interesting

    Make the passwords too hard to remember and people write them down because they have to.

    Some advice Bruce Schneier once gave: there is nothing so terribly wrong with writing your password down on a piece of paper and putting it into your wallet. Your wallet is a security mechanism that you already use, and you are very practiced at keeping it secure.

    Myself, I use muscle memory to store mine. I make up an entirely random password and spend 20 minutes typing it over and over again until my hands remember how to make that sequence of twitches. Works great; and no risk of me accidentally telling someone my password because I don't know what it is.

    --
    ~~~~~ BigLig2? You mean there's another one of me?
  6. Depending upon the system, that's sufficient. by khasim · Score: 5, Informative

    The key is not how complex you can make a password.

    The key is how will an attacker defeat it.

    So, a simple password is sufficient if the attacker will not have enough chances (statistically) to defeat it. This is easy to accomplish by having a time delay between authentication attempts or a lock-out period. But this is only sufficient if you have a person actively monitoring the authentication logs.

    Example: Suppose you have a list of 10,000 common words. You take a random word, a digit (0-9) and another word, that will give you 10,000 x 10 x 10,000 possible combinations (1,000,000,000 or "one billion"). So, if you get 3 guesses before you're locked out for 15 minutes, then you can guess 12 passwords an hour ... 288 a day ... 864 over a 3 day weekend. Round that up to a thousand and it's still a "one chance in a million" to guess the password over 3 days of trying.

    As long as there is someone reviewing the logs, the attempts will be noticed and actions can be taken before there is any real chance of your password being cracked.

    And WordNumberWord is not that difficult to remember.

    Now, this is NOT a good practice for passwords for encrypted files or anything else that can be cracked off-line.

  7. Re:unlikely by 19thNervousBreakdown · Score: 4, Interesting

    In my job, I talk to network administrators very frequently while supporting our software. Generally the problem is, our product's default password doesn't meet their complexity requirements. The solution is simple, I ask them what their requirements are and make one up that meets them.

    Those requirements are absolutely not unlikely. I run into requirements at least as idiotic about once a month. Some of the stuff I've heard, I didn't even think it was possible to create a password that met them, and they had to be changed once a month. I've also run into stuff that probably reduces the keyspace (requiring 2 numbers, 2 special characters, 2 upper, 2 lower tells you a lot about every password when minimum length is 8). That one also had to be changed monthly.

    These requirements are for ... well, I'm not going to even say what type of company that last particular one was in order to protect my job, but trust me, you'd be very surprised, and probably upset. The fact is, the type of critical thinker that can actually come up with a good password policy is somehow a rare person, even in IT. Since the people doing the hiring generally have no idea how to interview, you'll find that person with almost perfect random distribution at small and large companies, government offices, schools, banks, consultants, mom-n-pop stores, you name it. It's a sad, sad situation.

    --
    <xml><I><am><so><damn>Web 2.0</damn></so></am></I></xml>
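Added worked example (not from any commenter on this thread): it carries khasim's lockout arithmetic through to a success probability and an off-line contrast, and checks 19thNervousBreakdown's claim that a "2 digits, 2 symbols, 2 upper, 2 lower, minimum 8" rule shrinks the keyspace. All inputs are constructed assumptions: a 10,000-word list, 3 tries per 15-minute lockout, 94 printable ASCII characters split as 10/26/26/32, and an assumed off-line rate of 1e9 guesses per second.

```python
from itertools import product
from math import factorial

# Constructed inputs (illustrative assumptions, not figures from the thread).
WORDLIST = 10_000              # common words, as in khasim's example
CLASSES = [10, 26, 26, 32]     # digits, upper, lower, symbols: 94 printable ASCII

def word_digit_word_keyspace(words=WORDLIST, digits=10):
    """Size of the Word-Digit-Word space: words * digits * words."""
    return words * digits * words

def online_guess_budget(hours, tries_per_lockout=3, lockout_minutes=15):
    """Guesses an attacker gets against a lockout policy in `hours`."""
    return tries_per_lockout * (60 // lockout_minutes) * hours

def online_success_probability(keyspace, hours, **policy):
    """Chance a uniformly random password is guessed online within `hours`."""
    return online_guess_budget(hours, **policy) / keyspace

def offline_hours_to_exhaust(keyspace, guesses_per_second):
    """Hours to try every password when nothing rate-limits the attacker."""
    return keyspace / guesses_per_second / 3600

def composition_keyspace(length, classes, minimums):
    """Count strings of `length` chars where class i (classes[i] symbols)
    appears at least minimums[i] times: for every split of positions,
    multinomial(length; counts) * prod(size ** count), summed."""
    total = 0
    for counts in product(*(range(m, length + 1) for m in minimums)):
        if sum(counts) != length:
            continue
        ways = factorial(length)
        for k in counts:
            ways //= factorial(k)           # multinomial coefficient
        for size, k in zip(classes, counts):
            ways *= size ** k               # choices for each position set
        total += ways
    return total

if __name__ == "__main__":
    ks = word_digit_word_keyspace()
    print(f"WordDigitWord keyspace: {ks:,}")
    print(f"online guesses over a 72 h weekend: {online_guess_budget(72)}")
    print(f"online success chance over 72 h: {online_success_probability(ks, 72):.1e}")
    print(f"offline exhaustion at 1e9 guesses/s: {offline_hours_to_exhaust(ks, 1e9):.4f} h")
    free = composition_keyspace(8, CLASSES, [0, 0, 0, 0])
    forced = composition_keyspace(8, CLASSES, [2, 2, 2, 2])
    print(f"8-char keyspace shrinks {free / forced:.0f}x under the 2-of-each rule")
```

With these inputs the one-billion space is about 1e-6 likely to fall to a weekend of on-line guessing but is exhausted in under a second off-line, and the 2-of-each rule cuts the 8-character space by roughly 52x, which is the point both commenters were making.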
  8. Re:Skroob. by Captain+Splendid · Score: 4, Funny
    --
    Linux, you magnificent bastard, I read the fucking manual!