Frequent Password Changes Are the Enemy Of Security, FTC Technologist Says (arstechnica.com)
Though changing passwords often might seem like a good security practice, in reality, that isn't the case, says Carnegie Mellon University professor Lorrie Cranor. Earlier this year, when the Federal Trade Commission tweeted that people should "encourage" their loved ones to "change passwords often," Cranor wasted no time challenging it. From ArsTechnica's story: The reasoning behind the advice [of changing password often] is that an organization's network may have attackers inside who have yet to be discovered. Frequent password changes lock them out. But to a university professor who focuses on security, Cranor found the advice problematic for a couple of reasons. For one, a growing body of research suggests that frequent password changes make security worse. As if repeating advice that's based more on superstition than hard data wasn't bad enough, the tweet was even more annoying because all six of the government passwords she used had to be changed every 60 days. "I saw this tweet and I said, 'Why is it that the FTC is going around telling everyone to change their passwords?'" she said during a keynote speech at the BSides security conference in Las Vegas. "I went to the social media people and asked them that and they said, 'Well, it must be good advice because at the FTC we change our passwords every 60 days." Cranor eventually approached the chief information officer and the chief information security officer for the FTC and told them what a growing number of security experts have come to believe. Frequent password changes do little to improve security and very possibly make security worse by encouraging the use of passwords that are more susceptible to cracking. The CIO asked for research that supported this contrarian view, and Cranor was happy to provide it. The most on-point data comes from a study published in 2010 by researchers from the University of North Carolina at Chapel Hill.
The current discussion is a password change for our DMZ servers every 30 days. The mid zone servers are currently every 60 days. And corporate accounts are set to 90 days.
[John]
Shit better not happen!
I've always felt that was a "best practices" bullet point mindlessly copied from the previous conferences' slide deck, that nobody ever asks the rationale for.
Meanwhile hours or sometimes days of productivity are lost as people get locked out from mail and other corporate servers they need to get their work done.
"Frequent password changes lock them out. "
I was under the understanding the static passwords were an issue because they are far easier to brute force in a long term campaign, as well as a couple other reasons...
Policies that require frequent password changes lead me to:
- pick easy to remember (and therefore easy to guess) passwords
- restrict the character space I use in passwords, e.g. when special characters are required I pick from only 2 special chars.
- Reuse passwords. I have about 20 different password-protected accounts for work, all are changed every 90 days, except the one system where the requirement is 60 days. That's over 80 passwords per year. As a result I use 1 password for internal systems and 1 for external, so at any time there are only 2 passwords I need to remember.
- Write down passwords. Sometimes it seems as if just as I'm getting to the point where a password is really ingrained, where I can get it on the first try even before caffeine, it's time to replace it with a new password. So you better believe I write them down.
Frequently changing passwords excludes adherence to most other security good practices.
The best practice lies somewhere in the middle. Change them too frequently or infrequently and security may be decreased for different reasons.
(This also depends on your definition of "frequently")
I *believe* that a password change policy is necessary. However, I don't think you need to change your password every couple of months. I think once a year is good as long as you are not using that password elsewhere and that it is 12 or more characters (don't worry about the numbers, symbols, etc. Just the length is important... again, with caveats pertaining to how the password is entered, stored, transmitted, etc)
My eyes reflect the stars and a smile lights up my face.
last password: Spring01
new password: Spring02
More than 2 passwords to change now and then; advice from seniors: put them in a txt file on the desktop.
Use an offline password manager that generates random strong passwords, like KeePass.
Be or ben't
Making your own passwords is the bane of computer security; as I said on the most recent LastPass vulnerability article on Slashdot, it leads to very weak passwords, password re-use, written down passwords, forgotten passwords (inevitably reset through an insecure, unauthenticated email verification), and lots of other nasty things.
If you use a good password manager (or some similar tool like a hasher), then how often you have to change your passwords is entirely irrelevant, because generating a new one is trivial and you'll never have to remember it.
I recommend KeePassX because it's cross-platform and does not connect to the Internet in any way.
Some of these questionable policies are driven by business regulations and auditors. If you're going through a PCI or Sarbanes-Oxley certification process you're going to have to get all of those checkboxes marked on the auditors' spreadsheets, whether or not they make sense.
Good luck trying to get the auditor to explain why you need to change your passwords every 90 days, in my experience they can't defend their requirements and simply say things like it's "best practice".
If a good password takes 3 months to learn, requiring it to be changed every three months will ensure that people stop using hard to learn, hard to guess passwords.
Bruce Schneier says to write passwords down and keep them with other small pieces of paper with value: In your wallet. But guess what else people have been told for years, along with change your passwords often... Never write your passwords down.
The result: Summer2016, Autumn2016, Winter2016, Spring2017
Must change monthly, must have at least one number, capital and punctuation mark and can't be at all like a previous password.
Mine is noted on the back page of my calendar.
...for one main reason. Can anyone tell me how the insider threat risk has changed in the last 6 years?
Take a look at the last few major hacks within corporations and social media networks. These haven't been minor breaches where a little bit of data was taken. No, we're hearing about millions of accounts leaked, and terabytes of data stolen, with Sony being a prime example of an inside job.
The entire point here is frequent password changes DOES have a purpose; to mitigate the risk and damage of internal attacks, as outlined in TFS. If the insider threat risk has changed significantly in the last half decade, then the advice to change passwords often IS the more valid one.
And as the Ashley Madison analysis revealed, it really doesn't fucking matter how often we tell users to change their passwords when they continue to pick horrible ones that require little more than a guess to "crack". Sadly, this trend has not changed in the last few decades of humans typing in passwords into computers. This is probably the strongest argument to remove the concept of human-generated passwords altogether, and go with some form of biometric-enhanced authentication.
My employer requires a password change every 60 days, enforced by AD. In addition to that, your password cannot be the same as any one of the previous 20 passwords. Ugh. The result: I wrote a small python script that fires up every 59 days and rapidly changes my password 21 times (using a list of passwords), and then resets it to the original. I mostly do that because there are so many disparate systems that authenticate off the same password but don't use any sort of single-sign-on, so I would spend a week just updating the passwords / cached passwords in browsers and applications that use them.
"I've always felt that was a 'best practices' bullet point mindlessly copied from the previous conferences' slide deck, that nobody ever asks the rationale for."
And yet oddly enough, few question the Microsoft default setting of 42 days, and instead go with 60 or 90 days. You know, for a corporation we love to hate because of their shitty security practices, they sure seem to be far more strict when it comes to password change policies.
"Meanwhile hours or sometimes days of productivity are lost as people get locked out from mail and other corporate servers they need to get their work done."
If you're suggesting that changing passwords is such a burden that we shouldn't even bother, let me remind you that users are going to be "locked out" for FAR longer than a few hours or days when the entire company is hacked due to stagnant security practices.
It's the human factor that often exposes us to security flaws in passwords. In my experience frequently changed passwords will push users to take shortcuts in changing passwords making them less secure despite "Best Practices".
"Frequent password changes do little to improve security and very possibly make security worse by encouraging the use of passwords that are more susceptible to cracking."
Fail position on passwords! A poor password is poor whether it is a year old or 60 days! Half-wit.
In a perfect world where everyone has a photographic memory, we would change all of our passwords every 30 days and be better for it. In the real world, people are often tasked with remembering the passwords for dozens of accounts with different password policies, different change policies, and differing security needs. This causes frequent forgotten passwords (leading to overuse of password recovery tools, easy to guess passwords, and password reuse).
In theory, you could simply use good mnemonic devices for passwords (see XKCD example), but in practice this is often thwarted by differing password policies. One requires special characters, the other prohibits. One has a maximum of 10 characters, the other 100. One requires caps, the other isn't case sensitive. As a result of these passwords, I've often ended up in "vicious cycles" for infrequently used accounts. I can't remember my password because I only log in every few months, so I have to reset the password. I can't remember the password the next time because I'm always having to reset it.
Bottom line: we need something better. The current state of passwords can be bewildering for a techie, and fatal to technology use for the non-technically inclined. With the proliferation of the cloud and other online services, it's gotten to the point that every single time I try to help my mom or other layperson with something on the computer, it's nothing but a battle of trying to remember passwords.
PCI-DSS mandates 90 days changes.
It improved security for me. It forced me to go from "password" to "password1". I'm up to "password7" now
If it's going to be rendered as a hash anyway, what's the difference between that and a bad password?
Why invest in expensive hardware that will be circumvented anyway? Six months after any technology is mandated, someone finds a workaround and the hardware is useless, whether via writing around the edge with a Sharpie or using a 3d printed eyeball.
Your insistence on complete security is unattainable anyway. People remain people no matter what we do. Modern thinking on this is "assumed breach". Protect what is important, use automation to make the rest irrelevant.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
For website logins keepass works very well and is highly recommended but if we're talking OS login that's a different story. You can't use password managers for your OS login unless it's on a secondary device like a phone. That's where the problem is and what the debate is really about.
Most companies that require 60 day or frequent OS password changes will eventually find their users picking shorter and easier to remember passwords the longer they are required to do it.
In my experience, I've found people writing down passwords on sticky notes and placing it on the side of their monitor. People that love to use sticky notes are the worst offenders. Walk into any corporate office environment, you can see passwords openly displayed or usually within arms reach not hidden well. Being IT you'll find out eventually where each user hides their written down login. When you come across someone that uses sticky notes you'll be thankful for those that memorize their passwords, no matter how easy their password is to guess. It's harder to guess someone's memorized password than it is to find their sticky note. In my opinion, users that feel they are being inconvenienced to change their password regularly have poor security practices seemingly as a sub-conscious retaliation.
"And yet oddly enough, few question the Microsoft default setting of 42 days"
Maybe that was to give you a week to remember to reboot the machine before being locked out, as Win95 and early Win98 would only manage an uptime of 49.7 days before becoming unresponsive
https://sites.google.com/site/...
(The mouse pointer would move, but no click, double-click or right click actions would work)
"She's furniture with a pulse"
Would be to get rid of passwords entirely.
Pin + smart card, private key, etc. would be much less prone to being compromised.
I guess I am a hipster. I was failing to reset my passwords before it was cool.
Silence is a state of mime.
The change of passwords is a technical solution for social beings. As anybody knows, in security it is only as strong as the weakest link. Yet people in IT keep forgetting to take human beings and human behaviour into account as well as other things.
1) Humans are not good at remembering random things. Yes, there are ways around it by using the first first letter of your favorite song and add some number or other ways.
2) Humans are not good at remembering a list of random things. So now you have one song for one website. Now you also need to have a different song for every other website AND remember what song belongs to what website.
3) People are lazy. They do not WANT to remember all these things if there are other ways to make things easy. We are specialized in looking for shortcuts, even if it takes a long time. Don't want to walk? Ride a horse. Don't want to ride a horse? Invent a car. Next step is the self driving car.
So if I can get away with using 8 characters, why would I use 9?
4) People look short term, not long term. I can use an easy password for all the places and that works today, so I do it.
As long as you do not factor in human behaviour in your security procedure, you WILL fail. The reason most do the change of password is to divert responsibility from IT to the end user.
Don't fight for your country, if your country does not fight for you.
It's the bullet point that is easy to implement that pushes your ITSM score upwards. Changing it every 60 days is B+, changing it every 30 days is A+; hey, if they got another + for it they'd have you change it every 30 minutes. It's a cheap way to "improve" your security score because it requires no work whatsoever from your security management. Servers come with that option built in.
And while we're at it, same shit with "2 numbers and 3 special characters and at least 30 characters long...". Same bullshit. The longer and more complex the passphrase, the more "+" in your security rating. Why? Doesn't matter. It gives you a better security score. You are winner.
Management by numbers at its finest.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I have several passwords that require a "special" character. I've found it frustrating on the occasions when I need to enter these on my phone, having to switch to the symbols to enter my password. Now if a password requires a special character, I use one that is part of the default keyboard, which limits it to using a period.
Special character requirements might be fine when using a physical keyboard, but mobile devices change how people will use them.
If you have to reset your password every 30 or 60 days, consider something like this:
date +%y%b.asdfghjkl | cut -c1-9
That has a upper- and lower-case letters, numbers, and a punctuation mark. The cut can be adjusted based on the length requirement. The letters are chosen to be trivial to type on a Qwerty keyboard.
... not using that password elsewhere and that it is 12 or more characters
Indeed. It is not the number of possible characters, C, from which the password is created, but the number of characters, N, that the password uses: The number of possible combinations is C^N which is polynomial in C, but exponential in N. (Thus, increases much faster with N than with C.) Adding a few "special" characters doesn't do nearly as much as adding length. That doesn't even really prevent dictionary attacks as most of the time the user only adds a 0, 1 or ! suffix to a simple word-password.
Per XKCD, use your own easily remembered/typed pass phrase (but not "batteryhorsestaple"!) Damn the sites that insist on using a number and special character but limit you to 6 or 8 characters. You can add a meaningful UC letter, number and special character if they insist: "MySisterHas5ReallyBrattyKids!"
If your organization requires long and frequently changing passwords, try walking around the office some evening and look for post-it notes under the keyboards. You'll find plenty.
Our systems are set up for passphrases. They are usually simple sentences easily remembered. It also helps to use passphrases with a token type system like Kerberos (kinit) where you get access for a few hours only entering the passphrase once, since folks won't want to type a long passphrase for every system accessed.
It's a good question as to why MS sets the policy to 42 days by default. I can't seem to find an answer, so I'll guess either a Hitchhiker's Guide fan was involved, or they settled on 42 days as a compromise between 30 and 60 days (because it's 6 weeks).
Gamingmuseum.com: Give your 3D accelerator a rest.
I worked at a company managing a login server. A requirement was added that the logs detailing failed user logins were to be made public for all employees (sans passwords, at least). Of course, I fought this. I explained that users sometimes get their passwords and usernames mixed up, and it would be easy to figure out someone's credentials, but it fell on deaf ears.
Of course, we required passwords with complex requirements (capital letters, numbers, etc). So I wrote a script to scrape our logs for usernames with capital letters and numbers (since those aren't part of our username standards). It then noted the source IP for the login, and found the next successful login from that IP.
I found a username/password combination, but it did not authenticate. I increased the digit at the end by 1, because I knew we had a strict requirement to change passwords early and often. Lo and behold, authenticated. The password was rather simple too, something on the order of "Superman84".
Mentioned that proof to the manager (minus the account details, of course). The rules about making the logs public were changed and everyone's password was immediately expired so they had to change them next login. Unfortunately, it didn't sink in that that would just mean increasing the login I figured out by 1. I gave up since at least now users without root wouldn't have easy access to someone else's account.
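What the commenter describes can be reproduced as a small script over constructed log lines. This is an added example, not the commenter's original script and not any real login server's log format: the line layout, the lowercase-only username standard, the sample entries and the account names are all assumptions. It flags failed attempts whose "username" violates the username standard (and so was probably a password typed into the wrong field), correlates each one with the next successful login from the same source address, and also shows the "increment the trailing digit" guess the commenter used against rotated passwords.

```python
import re
from dataclasses import dataclass

# Constructed sample log (assumption, not from the post): a login server that
# records the submitted username, source IP and outcome for every attempt.
SAMPLE_LOG = """\
2016-08-04T08:12:03Z login=jsmith src=10.1.2.3 result=OK
2016-08-04T08:13:41Z login=Superman84 src=10.1.2.7 result=FAIL
2016-08-04T08:13:52Z login=bwayne src=10.1.2.7 result=OK
2016-08-04T08:20:10Z login=ckent src=10.1.2.9 result=FAIL
2016-08-04T08:20:19Z login=ckent src=10.1.2.9 result=OK
2016-08-04T09:02:00Z login=Winter2016! src=10.1.2.11 result=FAIL
2016-08-04T09:05:30Z login=Winter2016! src=10.1.2.11 result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login=(?P<login>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)
# Assumed site standard: usernames are lowercase letters only, so anything with
# capitals, digits or symbols in the login field is not a username.
USERNAME_RE = re.compile(r"^[a-z]+$")


@dataclass
class Finding:
    src: str
    username: str            # account that logged in successfully afterwards
    suspected_password: str  # value typed into the login field on the failed attempt
    failed_at: str
    succeeded_at: str


def parse(log_text):
    """Return the parsed events in log order, skipping lines that do not match."""
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append(m.groupdict())
    return events


def looks_like_password(login):
    """A login value that breaks the username standard was probably a password."""
    return not USERNAME_RE.match(login)


def find_swapped_credentials(log_text):
    """Pair each password-like failed login with the next success from that IP."""
    events = parse(log_text)
    findings = []
    for i, ev in enumerate(events):
        if ev["result"] != "FAIL" or not looks_like_password(ev["login"]):
            continue
        for later in events[i + 1:]:
            if later["src"] == ev["src"] and later["result"] == "OK":
                findings.append(Finding(ev["src"], later["login"], ev["login"],
                                        ev["ts"], later["ts"]))
                break
    return findings


def next_rotation(pw):
    """Guess the successor of an incremented password: Spring01 -> Spring02."""
    m = re.search(r"(\d+)$", pw)
    if not m:
        return pw + "1"          # "password" -> "password1"
    digits = m.group(1)
    bumped = str(int(digits) + 1).zfill(len(digits))
    return pw[:m.start()] + bumped


def redact(finding):
    """What to show management: prove the leak without repeating the secret."""
    return (f"{finding.src}: account {finding.username!r} likely exposed its password "
            f"in a failed login at {finding.failed_at} "
            f"(value redacted, {len(finding.suspected_password)} chars)")


if __name__ == "__main__":
    for f in find_swapped_credentials(SAMPLE_LOG):
        print(redact(f))
```

The point of the exercise is the one the commenter made: a log of failed usernames is a log of mistyped passwords, and once the password convention is "word plus a number that goes up every 60 days", a single leaked value stays useful through every forced rotation.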
Stop requiring users to change their passwords every 5 minutes and instead increased the password length to 20+ characters. Don't enforce any rules about upper/lower case/numbers/symbols. Probably do check for repeated characters so lazy asses can't just set their password to "aaaaaaaaaaaaaaaaaaaa". Now people can follow the rules from XKCD and they may not even have to write the password down.
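The C^N argument made a few comments up and the "20+ characters, no composition rules, reject repetition" policy in the comment above can be put side by side in code. This is an added example, not code from any commenter or from the article: the season and word lists, the year range, the symbol count and the repeated-character bound are assumptions standing in for a real cracking setup. It computes the keyspace composition rules implicitly assume (N*log2(C)) next to the keyspace an attacker actually faces once the password has a human pattern, and applies the proposed length-only policy.

```python
import math
import re

# Assumptions standing in for a real cracking setup (not from the page):
SEASONS = ("spring", "summer", "autumn", "fall", "winter")
COMMON_WORDS = {"password", "superman", "welcome", "monkey", "dragon", "letmein", "football"}
YEAR_GUESSES = 200   # four-digit years 1900..2099 an attacker would try
SYMBOLS = 33         # printable ASCII punctuation characters
PRINTABLE = 95       # printable ASCII characters
MAX_LEN = 64         # longest password a repeated-character attack bothers with


def charset_size(pw):
    """C: the alphabet the password draws from, as composition rules see it."""
    c = 0
    if re.search(r"[a-z]", pw):
        c += 26
    if re.search(r"[A-Z]", pw):
        c += 26
    if re.search(r"[0-9]", pw):
        c += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        c += SYMBOLS
    return c


def naive_bits(pw):
    """log2(C^N) = N * log2(C): the keyspace a blind brute-force attacker faces."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def effective_bits(pw):
    """(bits, pattern): the keyspace once the attacker exploits human structure."""
    if not pw:
        return 0.0, "empty"
    low = pw.lower()
    case_factor = 2 if pw != low else 1   # "capitalise the first letter"
    if len(set(pw)) == 1:
        # One character repeated: try every printable char at every length.
        return math.log2(PRINTABLE * MAX_LEN), "repeated-char"
    m = re.match(r"^([a-z]+)(\d*)([^a-z0-9]*)$", low)
    if m:
        word, digits, symbols = m.groups()
        symbol_factor = SYMBOLS if symbols else 1
        if word in SEASONS:
            number_guesses = YEAR_GUESSES if len(digits) == 4 else 10 ** len(digits)
            guesses = len(SEASONS) * number_guesses * symbol_factor * case_factor
            return math.log2(guesses), "season+number"
        if word in COMMON_WORDS:
            guesses = len(COMMON_WORDS) * 10 ** len(digits) * symbol_factor * case_factor
            return math.log2(guesses), "word+digits"
    return naive_bits(pw), "no known pattern"


def meets_policy(pw, min_len=20):
    """Length only, no character-class rules, but reject lazy repetition."""
    if len(pw) < min_len:
        return False
    _, pattern = effective_bits(pw)
    if pattern == "repeated-char" or re.search(r"(.)\1{3,}", pw):
        return False
    return True


def report(pw):
    bits, pattern = effective_bits(pw)
    verdict = "OK" if meets_policy(pw) else "REJECT"
    return (f"{pw!r}: naive {naive_bits(pw):.1f} bits, "
            f"effective {bits:.1f} bits ({pattern}), policy {verdict}")


if __name__ == "__main__":
    for pw in ["Summer2016", "Summer2016!", "password7",
               "aaaaaaaaaaaaaaaaaaaa", "correct horse battery staple"]:
        print(report(pw))
```

"Summer2016" satisfies a typical upper/lower/digit rule and scores close to 60 bits on paper, but is one of a couple of thousand guesses once the attacker knows the season-plus-year habit; a four-word lowercase phrase fails every composition rule and is still far harder to guess.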
Let's say you change your password every day or every other day.
BOOM. You just forgot your password. You now have to use their backup recover password features with another account.
BOOM. linked.
Stop listening to stupid fucking people, wow. There are not millions of deadly assault hackers armed with paramilitary live cd's out to get your fucking noodz. If you are using Windows they already got your shit. If you are using Apple, well ask Jennifer Lawrence. It *WAS* Tim Cook that leaked her noodz, not the patsy they blamed.
Just use Linux or BSD and common sense your passwords. Your router is Linux if it is not Cisco so you are fine behind it. You don't have to be paranoid about your password unless it is password and you use Windows.
Do you think the people running supercomputers change their passwords every 8 hours or something? This is a social engineering bait story. It attempts to mislead younger age people. Slashdot is some sort of mutant from what it used to be. I still haven't figured that out yet. Too many Microsoft stories and Pokemon GO's. Dice has lost their fucking Vulcan minds.
Exactly what I was thinking.
I've been reading these articles about password security for 15 years on slashdot primarily. The TL;DR on passwords is that they are just not a panacea for security. Europe realized this quite awhile ago AFAIK, smart card readers are still being used as a means to do multi-factor authentication for people on networks and the internet, etc. It's a lot more convenient than remembering a password that is a gagillion number of characters long with a password policy that makes it impossible to create a password that could be remembered. Therefore people write it on a sticky under the keyboard. They might try storing it in KeePass or something but the average user that is computer illiterate finds this cumbersome.
Why hasn't the United States figured this out yet for the most part? Because we're backwards and naive. I'm American and I can honestly say we are backwards in regards to certain things. I hope we improve and I think we eventually will.
Furthermore, passwords are not secure because passwords are based on mathematical algorithms, specifically one way hashing algorithms. On the surface, one might think the concept of a "one way hash" means a password is un-crackable. Nay. It just makes it more difficult requiring brute force attacks and clever things like rainbow tables. All things based on math can be defeated it's just a question of how much computing power is required to do it. What we've seen is the evolution of hashing algorithms that are based on larger size cipher blocks and all that does in reality is pushes the carrot out farther but it doesn't mean it's unbreakable.
Multi-factor authentication improves security remarkably more than password policies. So much in fact that the benefits of password policies are infinitesimal by comparison. Furthermore, multi-factor authentication when done well is much less cumbersome to the legitimate user, resulting in a win/win on security and ease of use. Where it doesn't meet the win/win/win criteria is cost and I suspect that's the primary reason adoption has been relatively slow in America. News flash: good security costs money and isn't free.
We'll make great pets
OB xkcd
Every company I've worked for forced us to change passwords regardless of complexity. So I, and probably everyone else, used a simple phrase with a number to increment. I would have liked it if I picked a long, complex, hard to crack password that I'd be rewarded with a longer period before requiring to change my password. Would this make sense in practice?
Length, not size matters. Got it.
I have a powerful computer on my desk. Why can't it handle passwords? The browser software could communicate with the server it's trying to attach to and negotiate a new password with the client when the client logs off. Except for the initial login onto my desktop, the computers would handle the passwords. I understand that this is what the chips on my credit card do now. The current passwords could be stored in a database on my computer that I could access through something like KeePass if I had to find the current password. The password could be set to any level of complexity.
In the meantime no one can remember all these passwords and writes them down, making it super easy for anyone to know the person's password. I have worked at a college with a 90 day password change policy (and long complex passwords) and 75% of people had a sticky note somewhere around their desk with their current password on it because almost no one could remember them all. At the time I worked support and when going onsite I could easily have collected almost everyone's passwords if I wanted. Most of IT didn't really remember the (multiple) sets of passwords either and so made use of password keychain programs to remember for them.
I always found concepts like ITSM silly. Very little of it has any proof backing up their 'scores', but yet so much of the industry just accepts it.
we are all invisible unless we choose otherwise
Your password is expiring in 10 days. Click here to change your password now.
In order to log in with KeePass you have to set a password on the KeePass database, right? There would be no difference in the strength of your KeePass database password vs your OS password. The same fundamental issue would persist. I don't think you thought that one through.
Yup. Such policies lead to very silly behaviour patterns. The oddest one by some margin was a coworker whose first stop every morning was the IT department to pick up his password of the day (i.e. "I forgot my password and need a new one"), take it with him, use it, deposit the printout in the shredder on his way to lunch, come back to retrieve a new password, use it, dump it in the shredder on his way home.
Without fail for years. IT had his password ready in the morning at 8 and after lunch at 12:30 (he was very punctual).
That works for one person. Now try for a few thousands.
The point is here, though, that this is one coping strategy for insane password requirements. And yes, it is possible to do a sensible security strategy. That may take money to implement, though.
Like card+code (similar to ATM). Such systems exist for computer login procedures, too. This can double as a door access system, too, providing you not only with a control for computer access but also physical access to your premises.
If you shy away from expenses, at least give your people something to work with. It's of course easy for a CISO to require his people to use insanely complex passwords, not note them down and change them every other day. But that's blameshifting, that's simply offloading his work onto those who he should be working for.
And yes, writing a password down is not the worst thing you could do. It's actually quite sensible. As long as you keep this password with you. Put it in your wallet. That's ok. You DO notice when you lose your wallet, and if it is stolen or lost, the average thief will not know what to do with a post it sticking to your wallet with "6'nuKdarw" written onto it.
If you want to be sneaky, make your password part of a grocery list and tack that to your wallet. If everything fails, nobody would think that "1/4lbButter" is supposed to be a password.
A password written down on a sticky note can't be cracked remotely. You have to be physically present in the room to have a shot. http://www.imdb.com/title/tt0086567/?ref_=nv_sr_1
If the password is sufficiently complex, and the system uses properly salted hashes, then it is infeasible to crack remotely via brute-forcing the password database. Simple passwords are susceptible to brute force cracking.
A better solution is to use both. Write down the complicated password, but append or prepend a memorized PIN. That way, if the written component is compromised, the PIN still has to be guessed.
Learning HOW to think is more important than learning WHAT to think.
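The two claims in the comment above, that a properly salted hash table is what makes brute-forcing a leaked database expensive and that a simple password stays guessable regardless, can be demonstrated together. This is an added example, not code from any commenter; the user table, the attacker's wordlist and the PBKDF2 work factor are assumptions.

```python
import hashlib
import secrets

# Constructed leaked credential table (assumption, not real data): two users
# chose the same weak password, one chose a long random one.
USERS = {"alice": "password1", "bob": "password1", "carol": "Mn7#qL2vXp9!zR4wT"}
# Small dictionary standing in for a real cracking wordlist (assumption).
ATTACKER_WORDLIST = ["123456", "password", "password1", "Summer2016", "letmein"]
ROUNDS = 100_000   # PBKDF2 work factor; real deployments tune this to their hardware


def unsalted_hash(pw):
    """Plain SHA-256: same password, same hash, for every user on every site."""
    return hashlib.sha256(pw.encode()).hexdigest()


def salted_hash(pw, salt, rounds=ROUNDS):
    """PBKDF2-HMAC-SHA256 with a per-user random salt and a slow work factor."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, rounds).hex()


def build_db(salted):
    """Return {user: (salt_or_None, hash)} as a leaked password table would look."""
    db = {}
    for user, pw in USERS.items():
        if salted:
            salt = secrets.token_bytes(16)
            db[user] = (salt, salted_hash(pw, salt))
        else:
            db[user] = (None, unsalted_hash(pw))
    return db


def crack(db):
    """Offline dictionary attack. Returns (cracked, number_of_hash_computations)."""
    cracked, work = {}, 0
    if all(salt is None for salt, _ in db.values()):
        # No salt: hash each guess once, then look every user up in that table.
        # This is the precomputation (rainbow-table) shortcut that salting removes.
        table = {}
        for guess in ATTACKER_WORDLIST:
            table[unsalted_hash(guess)] = guess
            work += 1
        for user, (_, h) in db.items():
            if h in table:
                cracked[user] = table[h]
    else:
        # Salted: every guess must be rehashed per user with that user's salt,
        # and each rehash costs ROUNDS iterations instead of one.
        for user, (salt, h) in db.items():
            for guess in ATTACKER_WORDLIST:
                work += 1
                if salted_hash(guess, salt) == h:
                    cracked[user] = guess
                    break
    return cracked, work


if __name__ == "__main__":
    for salted in (False, True):
        db = build_db(salted)
        cracked, work = crack(db)
        print(f"salted={salted}: cracked {sorted(cracked)} "
              f"with {work} hash computations")
```

Salting makes alice's and bob's identical passwords hash differently and forces the attacker to pay the full work factor per user per guess, so the cost of cracking the whole table is linear in users times guesses rather than a single table lookup. It does nothing for a password that is already on the wordlist: alice and bob fall either way, and only carol's long random password survives, which is the length argument made elsewhere in the thread.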
Changing passwords regularly ensures that users will pick poor passwords, because they won't be able to memorise a completely new strong password every 30 days...
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
How about a policy which says if you pick a short password you have to change it every XX days. If you pick a 12 character complex passcode, you get to keep it for 3 years?
Passwords in wallets:
Carry a business card (not your own) and steg the password on its back using some variant of the following:
"Ben O. Aronsen: 237 Smith Place #12 Roxbury Vt 05669 ---Sally has phone number". This stegs the password "237SP#12RVt05669" for a Bank Of America account.
Like the Purloined Letter, the password hides in plain sight. Ain't stegging wunnerful?
I like to write down fake passwords on post-its and leave them laying around for would be hackers to find. Most people probably aren't that cunning though.
HA! I just wasted some of your bandwidth with a frivolous sig!
I still remember the day my manager forced mandatory password expiration on all Active Directory accounts and the shitstorm that followed. Everyone from the CEO to the clueless administrative assistants was left unable to get any work done because they couldn't log in with their old password they had "been using for ## years!". Some of them handled the situation by getting really snooty and began putting a Post-it note on their monitor with their newly created passwords for the specific reason of spiting IT. Others resorted to placing the Post-it under the keyboard, while the less provisioned simply wrote it down on the palm rest of their laptop. For anyone that had more than 2 passwords for different systems in the company the all too common "Passwords.xls" file was created and stored on their desktop. Some people thought they were smart by using a password to protect the workbook until they forgot that password as well, panicked, then were shocked when I trivially cracked the passwords using free tools off the Internet for doing so. The end result of all of this was the industry standard password creation method: pick a word, add a number, and put a symbol at the end. When the password expires, increment the number. When you get to 4-6 try re-using 1.
Just tested logging out and back in, I'm still using the same password for my Slashdot account I've had for far too long (the password that is.) In fact, it is my 2nd oldest password still in use, my oldest password of course being a scorned 5 letter password not accepted in modern Internet society. :(
-==- Buy a Mac and leave me alone!
... don't fix it.
My most secure passwords are ones that I mentally generated and never wrote down even a hint for; I can remember only a few such before I need to record a hint. My least secure passwords are for sites that insist on frequent change; though based in something that only I know, the succession of passwords (if you ever saw it) would reveal that they are only 'different' to a stupid algorithm, and in fact form an obvious family.
That is an OS vendor question. Admins that have to change their password every 30 days would love to put in longer, but easier to remember, passwords. However, there is no checkbox in Active Directory or command line switch in bash to make that happen.
One password for your banking & investments
One password for credit cards, PayPal, etc.
One password for email
One password for root on your home servers
One password for your routers
One password for your social media
One password for online merchants & auctions
If you keep it layered, if one site gets compromised, it's far less likely they could raise their privileges further in attempting to pwn you.
Also if you can, use different email address aliases for the different sites. Like joe_pp for PayPal, joe_fb for facebook. This complicates the password reset by email attack effort, if they don't know your email address. Obviously if they're reading your email history they could figure it out, but at least this is an extra layer.
Something you know and something you have. El-cheapo two factor authentication realized. :)
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
From TFA: "Frequent password changes do little to improve security and very possibly make security worse by encouraging the use of passwords that are more susceptible to cracking."
Let's imagine that my old password was C/6)dLj^,FZ\>|UZ and now I changed it to +X.?450Dx$f^6v6H. How did it make things less secure?
If that's the password for my online account, then learning in 2016 that someone in 2015 was selling the users database of that online resource matters differently depending on whether I changed passwords every X days or not. In the latter case my password would still be active and most likely used by script kiddies.
On the other hand, professor needs publicity, too.
Lots of outfits have wildly inconsistent rules, change periods, and prohibition types on passwords. I ought to just be able to set time to expire as well as changing everything to "asspword", and be done with it.
if this is supposed to be a new economy, how come they still want my old fashioned money?
Two factor authentication, like RSA secure ID, is a great idea (IMO). Then you have only one password to remember, but need your RSA device, too. We do this where I work. The problem is that, while that gets me through the firewall, internally it's just AD - so when I log in remotely, I need both RSA with prepended key that I supplied, but also my "normal" password - that still needs to be changed every 90 days.
Stupid sexy Flanders.
My 2FA code (which I have to use to login to pretty much everything) changes every 20 seconds. I guess that's A++++++ then, right?
Years ago I worked at a defense shop that got the idea people were using passwords that were too easy to guess. So they assigned your password every 30 days. You get assigned something like "3z~L8;GS=4", which would be changed before you could remember it without some kind of mnemonic trick ("Three Zebras Tried Laughing..."). After a few months you'd start mixing up the current password with passwords from last month or the month before.
Anyway, they finally did an audit and found something like 70% of their employees had their password written on a scrap of paper and placed in their right top desk drawer. I would have bet money if they went through wallets and purses they would have gotten nearly 100%. They changed the policy to one that's common today - you pick the password but it can't be too easy to crack.
Changing it every 60 days is B+, changing it every 30 days is A+, hey, if they got another + for it they'd have you change it every 30 minutes.
Or every use, otherwise known as one-time-pad:
https://en.wikipedia.org/wiki/...
Ask me about repetitive DNA
FWIW, MSWind95 would crash after being up for 42 days. I think there was a millisecond counter overflow.
I think we've pushed this "anyone can grow up to be president" thing too far.
If you're suggesting that changing passwords is such a burden that we shouldn't even bother, let me remind you that users are going to be "locked out" for FAR longer than a few hours or days when the entire company is hacked due to stagnant security practices.
Changing passwords does not help the slightest security-wise.
As a hacker, I only need to guess/bruteforce the password you have right now. The fact that you changed the password yesterday does not make this harder at all. The fact that you'll change passwords again tomorrow won't lock me out - once I got in, I installed a backdoor so I won't need the password to access your account/pc.
Add to this that most people are unable to remember a new really complicated password every 60 days again and again - so they go for simple passwords that are easily cracked - or series like "complicated#-01", "complicated#-02", ... If I crack one of these, I easily guess the next one.
Better to never change passwords - have a really long good one that you use for decades. Easy to remember because it does not change.
Oh, and if you change passwords because an AD hash can be cracked in 60 days or so - then that is not an argument for changing passwords every 60 days. It is an argument for NOT using AD!
For some people and applications that 30 days change pattern pretty much WAS a one time pad. Think of all the things you do once a month.
Now let's ponder for a moment:
People will use that password exactly ONCE. When? When they log in to change it to something else. And if that alone isn't silly enough, now ponder whether they bothered to memorize a password that they will only use once, ever, and that will be 30 days from now.
OF COURSE this password was written down. Expecting anything else is insane.
Changing passwords regularly ensures that users will pick poor passwords, because they won't be able to memorise a completely new strong password every 30 days...
Changing passwords frequently does not ensure that users will pick poor passwords.
Simply having oxygen in the atmosphere will ensure that users will pick poor passwords.
Memorization is irrelevant, because users don't pick strong passwords. The only time that happens is when a machine force-feeds them one, and they're too damn lazy to change it.
{...} the password constraints of the financial institution mandate such pathetically weak passwords, {...}
Drop them.
And move your stuff to a modern financial institution that uses modern best practice like 2-factor authentication (something you know [password] + something you have [app on your smartphone]) or public key log-in (which is another form of "something you have", with the password less exposed online).
Relying solely on a password might be okay for some furry fandom site on wikia, but not for something serious like the financial sector.
Even more so if their password constraints are so pathetic that they prevent you from using something that looks like 30+ characters of base64-encoded /dev/random output (= the only kind of password that might be passable as secure enough. As long as you can trust your password manager, anyway).
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
In the meantime no one can remember all these passwords and writes them down
or worse come up with a scheme to make them easier to remember.
Like "company name" + "season" + "year" + "!" (because you're required to use a special symbol).
e.g.: "AcmeSummer16!"
- It's got everything the password policy requires (length, upper, lower, number, special)
- It's also trivial to hack using patterns and/or dictionary attacks and combiners.
(Hackers don't even need the Post-It note, they can remotely break the password).
See the various presentations by KoreLogic on YouTube.
and so made use of password keychain programs to remember for them.
As long as you trust the keychain itself (the software, the cloud syncing, the encryption of the master password / master private key),
that's actually a pretty good solution because it lets you use passwords which are actually passable (random noise out of /dev/random and base64-encoded).
If the password is sufficiently complex, and the system uses properly salted hashes, then it is infeasible to crack remotely via brute-forcing the password database.
That's the theory.
What the practice (analysis of millions of leaked passwords from databases) has shown:
passwords are rarely really complex (as in: something that looks like base64-encoded output of /dev/random)
even if you skip the most stupid and obvious ("password", "123456", etc.)
the rest tend to use some common pattern (five letters capitalized, followed by 2 digits, then a "!" at the end. Like "Denver14!")
and/or very short combinations of dictionary words and modifiers (company + season + year + "!" : "AcmeSummer14!")
things which can be correctly prioritized in a (semi) brute force
same about storage.
in theory special key-derivation functions - that are designed on purpose to be slow and have high resource usage to discourage bruteforcing - should be used, like PBKDF2, Scrypt, or Argon2.
in practice a simple hash will be used (something like SHA-1 or worse MD5) - which are designed to run as fast as possible even on small form factor hardware like smartcards. You're lucky if the developer didn't forget to put in an actually useful salt (a random one per user).
So in practice, when a DB gets busted somewhere (like they do on a weekly basis) in a matter of hours to a couple of days max, something like 75% of passwords are cracked.
And out of those millions of users, some might be re-using password on other sites. Like corporate, like financial, like on a critical service like mail used for password recovery or OAuth/OpenID provider.
Maybe you're among the remaining 25% who let their cat choose (= "walk") an actual password and store it in their keychain(*).
But there are going to be several thousand users who are utterly busted.
(*): That's a joke. Cats walking on keyboards aren't actually random but produce very specific patterns. There was experimental software mentioned a couple of years ago on /. that could distinguish human and feline typers and ignore the latter. That means they produce patterns which can be fed into special purpose brute forcers. /dev/random + base64 is the closest to something safe-ish.
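To make the storage point above concrete, here is an added example (not code from the page; standard library only) that hashes a constructed user set both ways, a fast unsalted SHA-1 next to per-user-salted PBKDF2, and adds a set-time policy check against the two password shapes the comment names. The user names, the "Acme" organisation word and the iteration count are assumptions for the demo.

```python
"""Password storage the way the comment contrasts it: a fast, unsalted hash
(the comment's "in practice" case) next to a per-user-salted, deliberately slow
KDF. Added example, not code from the page; standard library only. The user set
and the two pattern checks are constructed from the patterns the comment names."""
import hashlib
import hmac
import re
import secrets
import time

PBKDF2_ITERATIONS = 200_000  # work factor picked for this example; tune per deployment

# Constructed sample: two users chose the same "company + season + year + !" password.
SAMPLE_USERS = {
    "alice": "AcmeSummer14!",
    "bob": "AcmeSummer14!",
    "carol": "Denver14!",
}

# The two weak shapes the comment describes (its "Denver14!" example is six
# letters, so the word length is left loose) and "company + season + year + symbol".
CAP_WORD_PATTERN = re.compile(r"^[A-Z][a-z]{3,7}\d{2}!$")
SEASON_PATTERN = re.compile(
    r"^(?P<org>[a-z]+?)(spring|summer|fall|autumn|winter)(\d{2}|\d{4})[!@#$%^&*]?$",
    re.IGNORECASE)


def is_predictable_pattern(password, org_names=("Acme",)):
    """Policy check run when a password is set, the only moment the server
    holds the plaintext: reject the shapes an attacker would prioritise."""
    if CAP_WORD_PATTERN.match(password):
        return True
    m = SEASON_PATTERN.match(password)
    return bool(m) and m.group("org").lower() in {o.lower() for o in org_names}


def fast_unsalted_sha1(password):
    """Plain SHA-1 over the password: equal passwords give equal digests, so one
    precomputed table or one cracked value covers every user who chose it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_record(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """PBKDF2-HMAC-SHA256 with a fresh 16-byte salt per user, stored as
    '<iterations>$<salt hex>$<hash hex>' so the parameters travel with the hash."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_record(password, record):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    iter_s, salt_hex, hash_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iter_s))
    return hmac.compare_digest(digest.hex(), hash_hex)


def distinct_stored_values(users):
    """Count distinct stored values per scheme for the same users; with salts
    every record differs even where the passwords do not."""
    sha1_values = {fast_unsalted_sha1(p) for p in users.values()}
    kdf_values = {make_record(p) for p in users.values()}
    return {"sha1": len(sha1_values), "pbkdf2": len(kdf_values)}


def guess_cost_ratio(password="AcmeSummer14!", rounds=5):
    """Rough wall-clock ratio of one PBKDF2 guess to one SHA-1 guess, i.e. the
    per-candidate slowdown an offline cracker pays. Varies by machine."""
    salt = secrets.token_bytes(16)
    t0 = time.perf_counter()
    for _ in range(rounds):
        fast_unsalted_sha1(password)
    fast = (time.perf_counter() - t0) / rounds
    t0 = time.perf_counter()
    for _ in range(rounds):
        make_record(password, salt)
    slow = (time.perf_counter() - t0) / rounds
    return slow / max(fast, 1e-9)


if __name__ == "__main__":
    print(distinct_stored_values(SAMPLE_USERS))  # {'sha1': 2, 'pbkdf2': 3}
    print(f"one PBKDF2 guess costs ~{guess_cost_ratio():.0f}x one SHA-1 guess")
    for name, pw in SAMPLE_USERS.items():
        print(name, "predictable pattern" if is_predictable_pattern(pw) else "ok")
```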
For our small office, with fewer than a dozen employees, we use a two-part scheme. There is a complex unchanging suffix comprised of upper/lower/digit/punct, which everyone memorizes, and a changing prefix which we don't mind writing down and is simple. For example, the webcam password is "webcam1"<complex suffix>, but only the "webcam1" part is written down. Where we need more security, instead of an easy-to-remember prefix like "webcam1", we use a more complex prefix (also written down).
It works.
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
Today I wish I could easily find my old postings where I said I'll say "told you so".
But I'm not the only one. A lot of security experts have been critical of these requirements for some time. I'm just glad it finally hit mainstream with some quotable words. Now we have a chance to update some of the braindead password policies.
Assorted stuff I do sometimes: Lemuria.org
Makes no difference. The attack scenarios that justify regular password changes have almost no overlap with the attack scenarios that require complexity.
Most of the standards don't actually require any specific password policy rules, only that a password policy exists.
Yes, there is a big management by numbers part there, but also a big "we don't want to think, let's google the best practice and use it". part. But some of those best practices were authored 20, 30 years ago, and only slightly updated since then.
AD hashes cannot just be "hacked in 60 days or so" as long as it is properly configured and passwords are of the appropriate length.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
I'd start with my usual low level password, which would become the same thing with a 1 at the end, then the original again and so on.
It's a real pain when it rejects previous passwords (then I just start counting), and even worse when it tells me the new one is "too similar".
If it's locking ME out of my own account because I can't keep up with the random crap I'm forced to keep coming up with, then I might as well have had my credentials stolen, because if anyone's using them, it isn't me. And at that point I'm blissfully unaware because I already moved on in frustration. But at least if one of those accounts gets compromised, the password is definitely unlike anything I use elsewhere.
It's the bullet point that is easy to implement that pushes your ITSM score upwards. Changing it every 60 days is B+, changing it every 30 days is A+, hey, if they got another + for it they'd have you change it every 30 minutes. It's a cheap way to "improve" your security score because it requires no work whatsoever from your security management. Servers come with that option built in.
And while we're at it, same shit with "2 numbers and 3 special characters and at least 30 characters long...". Same bullshit. The longer and more complex the passphrase, the more "+" in your security rating. Why? Doesn't matter. It gives you a better security score. You are winner.
Management by numbers at its finest.
I agree on the final point - not from an "A+, B+" score perspective - but rather from a cost perspective. If management can prove changing a policy will result in cost savings - they'll do it. If it won't result in cost savings - they won't do it. Sorry - that's the truth of it and also applies to password policies.
Every company I've worked for forced us to change passwords regardless of complexity. So I, and probably everyone else, used a simple phrase with a number to increment. I would have liked it if I picked a long, complex, hard to crack password that I'd be rewarded with a longer period before requiring to change my password. Would this make sense in practice?
Tricky. Since passwords are stored as one-way hashes, complexity can only be evaluated when the password is changed. Thus, an indicator of the complexity would have to be stored. If the password store were compromised, this data could be used to selectively attack the weakest passwords.
AD hashes cannot just be "hacked in 60 days or so" as long as it is properly configured and passwords are of the appropriate length.
Ah, "appropriate length" is relative to the size of the rainbow tables that are online today that can crack AD hashes in seconds, not days. Good luck defining "appropriate length" tomorrow to continue to secure yourself.
As far as AD being "properly configured" to prevent that, let me refer you to backwards compatibility, also known as the reason rainbow tables remain effective for every Microsoft OS.
PRO TIP: if you are creative and want to get back at the jerk drones in IT for making you change your secure twenty five digit password every 60 days because they read somewhere that that helps keep hackers out here is what you do:
Look up the password algorithm used for your network passwords. These sorts of things are verified by auditors, and bandied by sales droids, so it shouldn't be hard to do. Build a rainbow table of hashed passwords, this might take time and a large db to store them in. Then, whenever you are forced to change your password, use a new password that generates the exact same hash as your old one.
You can then drink your coffee in the morning with the strange smug satisfaction that you are making it ever so minutely simpler for a non-existent eastern European hacker to brute force your password, and steal all the dataz of your asshole employers.
HA! I just wasted some of your bandwidth with a frivolous sig!
I recall working with an amazing idiot a few years back who, when he was forced to change his password, would change it 13 times, because the system remembered the last 12 passwords used, and thus kept using the same password all the time.
As soon as you build an idiot proof system, they just build better idiots...
So now we're taking advice on security from a US government agency?
Let's see now.... An incomplete list from late 2004 through late 2005:
- Department of Health and Human Services (HHS), August 2014.
- White House, October 2014.
- National Oceanic and Atmospheric Agency (NOAA), November 2014.
- United States Postal Service (USPS), November 2014.
- Department of State, November 2014.
- Federal Aviation Administration (FAA), April 2015.
- Department of Defense, April 2015.
- St. Louis Federal Reserve, May 2015.
- Internal Revenue Service, May 2015.
- U.S. Army Web site, June 2015.
- Office of Personnel Management (OPM), June 2015.
- Census Bureau, July 2015.
- Pentagon, August 2015.
Hmmm... FTC isn't in THAT list. Maybe the other agencies should have listened to them. B-)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
The default settings you speak of have been turned off by default for years now. The appropriate length is around 15 characters, with no complexity required.
Password rotation is intended to prevent against offline attacks. If someone who grabs a copy of your password db can break the hashes in 30 days, then rotating passwords every 30 days is a good defence: by the time someone has found a password, it won't be valid anymore. The problem is that it's a threat model that doesn't really make sense for most organisations.
Especially since a lot of (larger) organizations use AD, and if they get your credential store, they have the password or plain-text equivalent (since AD is based on Kerberos). It would probably be too hard at this point to create a "Kerberos 6" where instead of the password, something like an SRP verifier [1] is saved, and after the exchange the shared key is used to encrypt the ticket-granting ticket.
As it stands, if AD (or any KDC) is compromised you're basically screwed. (Unlike, say, using OpenLDAP where you can have the passwords stored as a one-way crypt(3) string.)
[1] https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol
Not necessarily. If the system only stores a sunset date then only those that are definitely strong because they were complex and recently changed could be identified just from that data. Of course, tracking the last password set date permits computing the time.
However, this discussion is missing an important point -- context.
A website that is storing a hash of the password (which, btw, is *not* best practice despite being a common practice) is prone to having the password store dumped due to site vulnerabilities. In general, this is not true of corporate environments where if you have access to the hash database then you don't need to crack anything (e.g., because you already have domain credentials or could use a key logger to obtain it or leverage pass-the-hash or...)
Even then, in the web environment having a flag as to "which are weak" is unlikely to make any difference to the crackers in the event of a leak. Sure, they could get a slight speed bump by ignoring the stronger passwords on the first passes -- but those are the passes with the least time cost which is why they are done first and so exclude them from the more costly cracking attempts. In other words, it could help them, but not significantly.
As for corporate, your overall security is better the more of your users you can convince to use stronger passwords. Breaches are more likely to be caused by malvertising (resulting in keylogging, for example) or phishing (where users voluntarily reveal their passwords). Ad blocking and phishing training will give you a much better reward than password rotation.
(for the curious, what websites *should* be doing is SRP [http://srp.stanford.edu/whatisit.html] which not only provides better security than the standard send-the-password method but protects against password re-use)
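The verifier-based login that the comments above propose (the SRP verifier in place of a password-equivalent key, and SRP for websites), as an added example in Python that is not code from the page or from any SRP library. The modulus is a toy prime chosen for the demo (a real deployment uses an RFC 5054 group), the user name and password are constructed, and the hash layout follows the SRP-6a description on the linked pages.

```python
"""SRP-6a login against a server that stores only (salt, verifier), the shape the
comments above propose in place of a password-equivalent key. Added example, not
code from the page or from any SRP library. The modulus is a toy prime chosen for
the demo (a real deployment uses an RFC 5054 group) and the hash layout follows
the SRP-6a description on the linked pages."""
import hashlib
import hmac
import secrets

N = 2**127 - 1                     # toy prime modulus for the demo, NOT a production group
g = 3                              # generator for the demo
N_LEN = (N.bit_length() + 7) // 8  # fixed-width encoding so hashes are unambiguous


def to_bytes(x):
    return x.to_bytes(N_LEN, "big")


def H(*parts):
    """Hash the concatenation of the parts and read the digest as an integer."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return int.from_bytes(h.digest(), "big")


k = H(to_bytes(N), to_bytes(g)) % N   # SRP-6a multiplier parameter


def private_x(username, password, salt):
    """x = H(salt || H(username ':' password)); only the client ever computes it."""
    inner = hashlib.sha256(f"{username}:{password}".encode("utf-8")).digest()
    return H(salt, inner)


def register(username, password, salt=None):
    """Enrolment: the client sends (salt, v = g^x mod N) to the server. The
    server never sees the password, and v alone cannot be replayed as one."""
    if salt is None:
        salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(username, password, salt), N)


def client_start():
    a = secrets.randbits(256)
    return a, pow(g, a, N)                    # (private a, public A sent to server)


def server_start(v):
    b = secrets.randbits(256)
    return b, (k * v + pow(g, b, N)) % N      # (private b, public B sent to client)


def client_finish(username, password, salt, a, A, B):
    if B % N == 0:
        raise ValueError("degenerate server value")   # SRP-6a safety check
    u = H(to_bytes(A), to_bytes(B))
    x = private_x(username, password, salt)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    return hashlib.sha256(to_bytes(S)).digest()


def server_finish(v, b, A, B):
    if A % N == 0:
        raise ValueError("degenerate client value")   # SRP-6a safety check
    u = H(to_bytes(A), to_bytes(B))
    S = pow((A * pow(v, u, N)) % N, b, N)
    return hashlib.sha256(to_bytes(S)).digest()


def login(username, password, salt, v):
    """Run the whole exchange and return (client_key, server_key). They agree
    only when the typed password matches the stored verifier; either side can
    then use the key to encrypt what follows (the comment's ticket-granting ticket)."""
    a, A = client_start()
    b, B = server_start(v)
    return client_finish(username, password, salt, a, A, B), server_finish(v, b, A, B)


def authenticate(username, password, salt, v):
    client_key, server_key = login(username, password, salt, v)
    return hmac.compare_digest(client_key, server_key)


if __name__ == "__main__":
    salt, v = register("alice", "correct horse battery staple")   # constructed user
    print("server stores:", salt.hex(), hex(v))
    print("right password:", authenticate("alice", "correct horse battery staple", salt, v))
    print("wrong password:", authenticate("alice", "Tr0ub4dor&3", salt, v))
```

Note that the password itself never crosses the wire in either direction; a dump of the server's (salt, v) table gives an attacker only the same offline guessing problem a salted hash would.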
If a hacker is able to "brute force" your password, you have bigger problems than password security. For starters either A) Your system security is terrible, B) they physically own your hardware, or C) Your admin accounts are too vulnerable.
Brute Force is exactly that, hard. Most users don't have access to much. Should someone manage to crack mine, well big deal really. Most organizations have many thousands of passwords, to brute force them all is unrealistic anyway. Ideally they would target someone with high level admin privileges, but then there should be additional security around those.
As we've seen time and again, most "breaches" come in two flavors, and neither of them will be influenced one iota by complex 30 day rotation passwords. Breaches usually occur by A) inside jobs by someone already in a position to do so like an admin, or B) something truly mind-bogglingly stupid like storing important data in an unencrypted text file which is left for public view on a website, or on a USB left in the back seat of a cab or something dumb. I guess the third possible situation would be that of social engineering where someone simply convinces someone with access to give them the information voluntarily. Either way, making all your users go through what amounts to security theater every 30 days isn't going to help.
I've come to understand that security is less about the "protection" of data, and more about the justification of the existence of security and the ability to blame someone. The security drones will simply mouth "I told you so, you need us even more", and "this wouldn't happen if security policy was followed", and "Person A is all to blame, not security", even though none of that actually protected the actual data itself.
As the comic the Watchmen illustrates, "who watches the watchmen", the most recent high level example of Edward Snowden is a perfect example. One of the largest breaches is by someone in security, with enhanced privileges, with no additional safeguards in place to prevent it. After the fact, the fault is all on Edward, which isn't totally unplaced, but given the material involved, shouldn't there have been appropriate security in place to prevent it in the first place. At the same time having the thousands of NSA drones have 15 long complex passwords that need changing every 5 days (or whatever it is they have) would not have changed a thing.
As a last final broadside: One of the major vulnerabilities that this practice enables is exactly that "lockout". You will have a large percentage of your organization's users forget their password on any given day. This leads to probably the most IT calls by far for anything (another reason to do it, you increase the need for more IT, AND easily solve thousands of "tickets" for performance reviews). Typically the IT folks that handle these are lower paid, less experienced, poorly trained, and frequently replaced personnel. Meaning they likely (particularly after the 10,000th call) don't care all that much, and are much more susceptible to the social engineering method. Sure you can put in system level safeguards, sending it only via email and verification etc... However if something goes wrong, and they have a timer and a quota of tickets to fill by the end of the day, and someone is working from home and their email isn't working right, but they have all the contact information, and need immediate access for a very important project, etc.... Well not everyone will fall for that, but try it a few times with a few different people, and someone might.
Massive phishing attacks gather large lists of passwords and/or hashes that are sold days, weeks, or months later. The buyers then work their way through the lists over the course of months or years. Changing passwords regularly makes these attacks less likely to be lucrative because the hit rate on the data drops as time passes. Changing passwords regularly doesn't help much against a real-time targeted attack on a specific person or system. But it does reduce the value of aggregated stolen information that is sold on to third parties and abused at a later date. Since we can't count on timely notification of data breaches (http://www.federaltimes.com/story/government/cybersecurity/2016/04/20/fdic-major-breach/83233956/), proactive password changing is a bit safer than changing passwords after a breach is discovered.
I could never understand the theory of changing your password all the time. Is it that the hackers will crack your password, then put it on their list of cracked passwords, to be used at some future time, after 3 months? Because they're too busy to use it now?
I used up all the good passwords I can remember at work, where we have to change them after 45 days and can never reuse them, ten years ago, and since then they're just the kind of gobbledegook that IT likes, even though I have to reset the password every Monday because I can't remember what it is after two days off and I don't want to put it on a Post-it note on my monitor where they'll find it and fire me.
Every time I change my password, I have to change my dog's name, then he never realizes that I'm calling him.
Star Trek transporters are just 3d printers.
In the meantime no one can remember all these passwords and writes them down, making it super easy for anyone to know the person's password. I have worked at a college with a 90 day password change policy (and long complex passwords) and 75% of people had a sticky note somewhere around their desk with their current password on it because almost no one could remember them all. At the time I worked support and when going onsite I could easily have collected almost everyone's passwords if I wanted. Most of IT didn't really remember the (multiple) sets of passwords either and so made use of password keychain programs to remember for them.
I always found concepts like ITSM silly. Very little of it has any proof backing up their 'scores', but yet so much of the industry just accepts it.
Of course, there are simple workarounds for this, like using a simple and invariant code to write down your password, like writing down the character on the keyboard to the left of the real one for each character in your password on the Post-it, every time you change it.
If it is a choice between getting the company's work done and having "security", then guess which wins! Because it is getting the work done that pays everyone's salary checks.
I have seen more than one company that got so mad over password foolishness that they fired half of the IT staff and removed all requirements for passwords. I asked them about it but it was still so "fresh" that they would not even discuss it...