A password policy is a common part of every companies overall security policy. Most password policies are set in stone, and have been essentially unchanged over the past twenty years. We think of the ideal password as a random collection of letters, numbers and random characters. Common password policies often include rules such as:
- Both upper case and lower case numbers are required.
- At least one number and one special character.
- A minimum length of 8 characters (and often a maximum length is set).
- A prohibition against certain rules or sequences of characters.
- No personal information (i.e.. cannot use ones first or last name).
- Cannot repeat the previous dozen passwords.
Password must be changed every 90 days.
These are all pretty standard and have the desired effect of forcing fairly complex passwords. After all the more complex the password is the more secure it is, right? Or do they? Let’s look at two examples.
1. Super.001 – This password meets all the requirements above. It has the advantage of being very easy to remember, Has four different character types, etc. Most people would be able to remember this password without much effort, which is ideal. But, it is a password that is subject to one very serious issue, predictability. That is to say, the users next password is going to be Super.002 and then Super.003 and so on. While they all meet the complexity requirements of the aforementioned rule set, they are a serious breach of ideal information security since knowing one password makes it real easy to guess the next iteration of the same users password.
2. $%thIn25b – This password also meets all of the above requirements. But has a few disadvantages. First is that the human brain is simply not wired to remember passwords like this which means most people will have to write it down. Which means post-it notes on monitors, tape strips underneath keyboards or on the back of badges, etc. Because of it’s complexity, it also means the user is far more likely to suffer an increase in the number of lock-outs they experience (decreasing the employees productivity) which in turn increases the workload for IT help desk. One other consideration not often mentioned, is that a more complex password often means slower, finger picking at the keyboard, which in turn might make it easier for shoulder surfers to pick out passwords.
Before going too far, we need to understand a little about how passwords work in a corporate environment. The first thing that we need to understand is that passwords are not stored in plaintext. That is to say, we can not view the password in any way once it is passed to the system. For example, if you are storing all your personal passwords in an Excel file (a common, but very bad habit), you are storing your passwords in plaintext. Anyone who opens the Excel file can read and copy your passwords. But within a computer network, passwords are not stored that way, rather they are stored and passed as hashes. A hash is the result of passing a password through a mathematical formula that takes a password and turns it into a fixed length set of characters. For example, the SHA1 hash of the aforementioned Super.001 is “b61bcff38b1a464aedc8261afb8211a7a67eaa07” and that is what Windows sees and uses. Now, you might think that changing Super.001 to something very close like Super.002 would result in a hash that is very close to the other but in fact you end up with a very different set of numbers and letters. In this case Super.002 becomes: 020ad20ab24b29118d1fc2ce391dd18fe41b3000. Notice the radical difference between the two. This is the result of a mathematical concept called entropy, and entropy is one of the most important concepts to understand when considering passwords. Basically, entropy is how much change results in the final hash value based on extremely small changes in the original plaintext value. This is important because the more entropy you introduce into the hash, the further away from the original value you get, the more difficult it becomes to decrypt the hash.
Now, without getting into the mathematics of password entropy, which quite honestly is beyond me, I can say that password length is far more important than password complexity. A concept which even the most casual Google search will confirm. In fact, there is some significant mathematical evidence that increased complexity actually decreases password strength. What this means basically is that complex passwords don’t matter, long passwords do.
There is some really interesting history around the development of the password rules that we are so used to, but in essence they were made up, rushed through to get published in a federal specification with no evidence to back them up. But they have been used for so long that we don’t question them. However over the past two years or so, a lot of work has gone into rethinking passwords, and that research has ended up producing a whole new set of standards that the federal government has now published, and is slowly being adopted through out the country. It should be noted that even our infamous three-letter agencies are in agreement with these new standards. In fact, as part of the FIPS program, agencies that do business with the federal government are required to implement these new standards which are published in NIST SP 800-171.
So what do these new standards say:
- Get rid of the password change requirements. Passwords should not be required to change or expire based on a specific time frame. Instead, passwords should only be changed if they have been forgotten or compromised.
- No more complexity requirements. Password owners should not be forced to use convoluted and overly complex combinations of letters, numbers and special characters to create their passwords.
- Require longer passwords, a minimum of 8-12 characters and maximum sizes should be moved up to 64 characters or even more.
- Consider not using passwords and moving instead to a passphrase. A passphrase is a sentence or combination of words, such as the line of a poem or song, that is easier to remember.
- Implement screening against known lists of bad or common passwords.
- Eliminate the use of password hints and security questions that are based on specific knowledge points (such as your high school mascot or mothers maiden name).
Ultimately, these new standards are about favoring the end user. It means less time trying to remember new passwords, lost productivity due to expired or forgotten passwords. And fewer passwords left laying around on post-it notes. The end user should not suffer because software writers are to lazy to handle passwords properly.
A few other items of note is that software systems really should be using 2 Factor Authentication, there simply is no excuse not to anymore, and SMS is not a secure 2FA method.