Password management is a personal bugbear of mine. I think it's generally done really badly, and the security industry has adopted a number of policies which are universally accepted as best practice, without much thought as to why. I call them the myths of password management.
This post will be the first of a short series covering various areas of AAA, and is going to cover the myths around password quality and rotation.
The Myth of password rotation
I've always argued that there are two really important objectives when it comes to passwords :
1) No-one can find out your password.
2) You can remember the password.
Over simple? Not really. When you boil it down, this is what you need from a password.
Security managers tend to focus on the first objective, without much attention being given to the second. I'd argue that both are equally important. Let's take a scenario (which is amazingly common) where policy is set that passwords must be changed every 12 weeks. The first question I'd have is why?
What does this actually achieve? If the password is not guessable, then constant rotation achieves nothing positive. I'd won't go as far as saying it should never be changed (although it is the logical conclusion of my argument), but if objective 1 has been achieved, then there is no need for constant password rotation.
In fact, the one thing that is achieved by over-regular password changes, is we will fail to satisfy objective 2. A place I recently worked make me change passwords on about 20 different systems every 2 months. Most of those systems, I didn't log onto very often. As a result, I often had two or three revisions of my password in play at any one time. I couldn't remember which password to use in which place. And after one has been deprecated a while, I don't remember it at all. Which means I need to document it somewhere. Now we've broken objective 1.
I use a system (I'll do a separate post on how) for creating passwords which makes them unguessable(tm) - (but very memorable). There are plenty of others too. Any password can of course be broken by a brute force attack, but assuming any kind of sensible lock-out mechanism is applied, I'm happy to say that no-one knows my password. If someone logs into a system with my credentials - it had to be me. No excuses. The term often used for this is non-repudiation - in other words I can't deny it was me.
Once my password gets written down, even in some kind of encrypted password management tool, we can now only go as far as I'm fairly sure no-one knows my password. Other people have access to the tool (anything stored on my 'domain member' PC is readable by admins), there may be a flaw in the password management tool. You see the difference - we've gone from definitely, to fairly sure. Objective 1 is now no longer satisfied, and there is no longer non-repudiation.
To put it very simply, if the password is well formulated, and your systems have a sensible lock out mechanism, then constantly changing the password is not going to have any positive affect on your security. Conversely, constantly changing passwords make people write them down, this means they are no longer unguessable. This has made your security worse.
Myth - you need at least 8 characters in your password
This one really annoys me. Lets say a password using a combination of letters, capitals, numbers and non-alphanumberic characters (based on my Mac keyboard) gives you something like 108 to the power of X, where X is the number of characters in your password (in other words, there are 108 characters that 'could' make up each character) as the number of combinations that you could use for your password.
A 5 character password has a 1:14.7bn chance of being guessed, a 6 character password has a 1:1.5tn chance of being guessed, a 7 character password has a 1:171tn chance of getting guessed, and an 8 character password has an 1:18.5 sextillion (thousand trillion) chance of being guessed.
As long as you use a sensible way of coming up with passwords, and lock out an account after a sensible number of failed attempts - then the difference between 14.7 billion (5 characters) and 18.5 sextillion (8 characters) is irrelevant. To put it in context, the chance of winning the UK lottery jackpot is an easily guessable 1:14 million. In reality the odds will be lower than that as most people use more letters than anything else, and you'll get a couple of goes before the account locks, but you're not going to guess it.
'As long as you have good passwords and a sensible lock out policy....'
You've probably noticed that written a few times. If you've ever been in a meeting with me you've probably heard me chant it like a mantra. The more astute amongst you are hiding in the long grass waiting to pounce with something like 'ahh, but good security comes from layering good practices in case one fails - like the system that doesn't have the lockout policy set'.
Yes, that's true. But here's the thing, if you have an accessible system that does not lock out properly, and an attacker decides to run a brute force attack to guess the password, then it makes no difference if the password was changed yesterday or 6 months ago. They're either going to get it or they're not. You're into attack detection and mitigation now.
Which leads us predictably onto the question of 'how do you make users make their passwords complicated?'. It is the big question of all this - and focusing effort here, rather than on satisfying myths, is how you will achieve improved security. And of course, if I had a magic answer for this, I'd be so stinking rich I wouldn't be wasting good beach time on writing this post.
The most cost effective (best benefit for your buck) is always education, combined with the tools available within your NOS to enforce complexity. Teach people how to create good passwords - so that when windows tells them to make it complicated, they know how to do so easily. Teach them why it's important. Point out that if someone logs in as them from the outside and does something bad because they had a crappy password, they will get blamed and fired. Once a year, a compulsory 1 hour session from IT security for all staff will take less time, and achieve more, than making them change their password all the time.
If you have the need and the budget, and have the infrastructure and skills to support it, then of course OTP systems and/or biometrics will give you a great solution. It's complicated and expensive, but fulfills the requirements really well and takes the role away from the user.
Comments/flames welcome :-)
2 comments:
nice post, thanks for it. Anyway I dont agree that using 5 char passwords is enough. I've made some googling to find out the speed, and seems like modern PC's can bruteforce that password in less then 30 minutes, while they will need months to bruteforce 8 char passwords.
Hi darkside,
thanks for the comment. In reality you're right of course, a five letter password isn't the smartest thing in the world.
But let's say you have a 90 day password change policy, that means the 'normal computer' is still going to brute force the password (if by an amazing coincidence they start on the day you changed your password). If the attacker has access to two or three high end machines, they'll have it in a few weeks.
Is this much less acceptable than the half hour? You're still in a position where a remote user can break a password without much difficulty. It'll just take them a little longer.
I guess the key point I'm trying to make, is that it's the lockout policies and limiting access to the system that's going to make the difference between 'acceptable risk' and 'not acceptable risk', not the password length. The password lenght is just going to give you 'how quickly'..
I'm not saying don't use longer passwords, but it's most important to focus on what reduces our risk the most..
Post a Comment