Martha Heller, CIO Expert and Recruiter

Martha Heller, President, Heller Search Associates

You and Your CIO Career


Is Your Password Policy Stupid?

 

by guest blogger Ken Grady, CIO, New England BioLabs

I had been in my job here exactly 6 months. How did I know? Because my password had just expired according to the company’s password policy. So, I had to reset it, and reteach my muscle memory the chosen new password for the next two weeks, swearing softly (or not so softly) under my breath every time I logged in.

I recently oversaw a change in password policy at my company. To be fair though, the old policy was not that far off the “norm”:

  • Required changing twice a year
  • Minimum of 7 characters
  • Could not contain your first name or last name
  • When changing it, could not repeat any of your last 3 passwords
  • Had to contain at least 3 of the following 4:
    1. An upper case letter
    2. A lower case letter
    3. A number
    4. A special character ($, !, *, etc.)

This is fairly typical of the password policies you find at most corporations. And I've definitely seen worse. But with these policies, all most IT departments succeed at is making users write their passwords down on a sticky note, or place calls to the Help Desk unnecessarily.


This isn't to say that requiring passwords is a bad idea: identity theft and theft of intellectual property are increasingly common. You hear about it all the time on the news these days (which is another indication that most password policies are ineffective).

You just need a good password policy. And by the way, changing the password every so often does absolutely nothing to make you more secure. Changing the password only helps if it was already hacked. It doesn’t change the math required to hack it in the first place, and offers little to a company like ours besides increasing the number of help desk calls we receive. That’s why, to me, that requirement in a password policy seems useless and unnecessary.

READ THIS PART IF YOU LIKE MATH

The overall complexity of a password can be calculated and expressed in mathematical terms. To understand what makes a good password (at work or at home), mathematicians and security people talk about the concept of "entropy." In essence, it is a measure that combines the number of possibilities for each character with the total number of characters, and from it you can work out how many guesses it would take to run through every candidate and land on the right one.

With our old password policy, the complexity, or "entropy," of my password expressed in mathematical terms hovered around 7.56 x 10^12. That sounds like a fairly big number, right?

Not so much. Such passwords take about 2 days to break through using run-of-the-mill hacking programs downloaded off the internet (I wish I was making that up). It would take less than 2 minutes for a reasonably modern hacking algorithm to break.
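To make the arithmetic behind these "entropy" figures concrete, here is an added example (not code from the original post) that counts the keyspace of the old policy and of a long passphrase. It assumes a printable-ASCII alphabet split into the post's four classes (26 upper, 26 lower, 10 digits, 32 specials) and a lowercase-plus-space alphabet for passphrases; the post's own figures came from an unspecified calculator, so the constants differ but the comparison does not. The "at least 3 of the following 4" rule is counted exactly with inclusion-exclusion, which the post does not show.

```python
"""Keyspace of a rule-based password policy versus a long passphrase.

Added example, not from the original post. Alphabet sizes are assumptions:
printable ASCII split into the post's four classes, and a-z plus space for
passphrases, which require no digits or specials.
"""
from itertools import combinations
from math import log2

CLASSES = {"upper": 26, "lower": 26, "digit": 10, "special": 32}  # assumed sizes


def strings_using_all(classes, length):
    """Strings of `length` over the union of `classes` that use every class
    at least once, by inclusion-exclusion over the classes left out."""
    names = list(classes)
    total = 0
    for k in range(len(names) + 1):
        for subset in combinations(names, k):
            size = sum(classes[c] for c in subset)
            total += (-1) ** (len(names) - k) * size ** length
    return total


def keyspace_at_least(classes, length, min_classes):
    """Strings of `length` containing at least `min_classes` of the classes:
    the old policy's 'at least 3 of the following 4' rule, counted exactly."""
    names = list(classes)
    return sum(strings_using_all({c: classes[c] for c in subset}, length)
               for k in range(min_classes, len(names) + 1)
               for subset in combinations(names, k))


def passphrase_keyspace(length, alphabet_size=27):
    """Character-level model of a passphrase: 27 symbols per position."""
    return alphabet_size ** length


def bits(keyspace):
    """Entropy in bits: log2 of the number of equally likely candidates."""
    return log2(keyspace)


def days_to_exhaust(keyspace, guesses_per_second):
    """Worst-case time to try every candidate at a given guess rate."""
    return keyspace / guesses_per_second / 86400


if __name__ == "__main__":
    rate = 1e9  # constructed guess rate for illustration, not a measurement
    rows = [("old policy: 7 chars, 3 of 4 classes", keyspace_at_least(CLASSES, 7, 3)),
            ("new policy: 20 chars, a-z + space", passphrase_keyspace(20)),
            ("new policy: 30 chars, a-z + space", passphrase_keyspace(30))]
    for label, space in rows:
        print(f"{label}: {space:.2e} candidates, {bits(space):.1f} bits, "
              f"{days_to_exhaust(space, rate):.3g} days at {rate:.0e}/s")
```

Whatever guess rate you plug in, the 7-character policy sits near 45 bits while a 20-character lowercase phrase is near 95 bits; the extra 50 bits are what the length buys.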

READ THIS PART IF YOU ONLY LIKE MATH WHEN IT COMES WITH PICTURES

[Image: password entropy comic] (Image Credit: xkcd.com)

Here is the new password policy I have since implemented here.

Computer passwords are required to be at least 20 characters long.

That's right. 20. Spaces count. Trust me, it’s not as crazy as you think. And once we explained it, everyone was fine with it. Our users can make nifty little sentences they’ll never forget, and special characters or numbers aren’t required. They are exponentially harder to break than their old passwords. Here are some good acceptable examples:

  • I have really bright children (30 characters. Complexity: 9.08 x 10^55)
  • Tom Brady is super dreamy (25 characters. Complexity: 1.74 x 10^48)
  • Watch out for terrapins (23 characters. Complexity: 2.41 x 10^44)
  • I am methylation sensitive (26 characters. Complexity: 1.48 x 10^50)

Don’t worry about calculating the exact password complexity. I just did that above for illustrative purposes. The important thing is that the number is crazy-high compared to what's possible with typical password policies. (For comparison, the complexity of our old passwords was 7.56 x 10^12.)

This policy is exponentially more secure, and every example shown above is far easier to remember than a typical password.

And perhaps the best part is that passwords need never expire! As mentioned above, that policy adds nothing to the overall security.

Along with ensuring every authorized device has a digital certificate, this has created a much more secure and stable policy, backed up by reasons that our users understand and can get behind. They no longer experience the frustration of changing and forgetting their passwords, and we have reduced calls to the Help Desk.

It's not exactly peace in the Middle East but it certainly will make life a little easier, and more secure, for our users.

 

Comments

Excellent! I learned something here I can use going forward. Thank you, Ted Laskaris
Posted @ Thursday, May 31, 2012 5:43 AM by Ted Laskaris
Thanks for sharing this on Heller Report, Ken. I had seen the xkcd example when I was a full-time consultant and not revisited it since changing sides of the table.

The story of how you sold the new policy would also be instructional to hear.
Posted @ Thursday, May 31, 2012 6:47 AM by Ken Faw
A lot of good points to consider. What is your password policy for mobile devices?
Posted @ Thursday, May 31, 2012 8:10 AM by Arthur Hubbs
After seeing that same xkcd comic, I tried the same thing with some personal web site passwords. While I agree that they are more secure, long passwords have a distinct drawback when you try to use them from a mobile device, especially a smartphone. It is easy to mistype a long password on a phone, and the characters are typically masked so you have no idea that you made a mistake. 
 
While I hate forced password changes, note that periodic changes do improve security by some amount. If an account has been hacked, changing the password periodically resecures the account from the earlier hacker. It also helps reduce credential sharing, which can be a big problem in companies where people surreptitiously share accounts in violation of audit policy.
Posted @ Thursday, May 31, 2012 8:17 AM by Chuck Musciano
In theory this works well, for desktops. Not so fun or practical for devices. 
Changing passwords regularly should be normal if you are in an environment that has sensitive data or company secrets.
However many people do not have access to this type and to enforce draconian rules on them causes helpdesk delays and frustrations. 
A longer password would meet many guidelines but a happy balance must be accorded.
Posted @ Thursday, May 31, 2012 11:32 AM by Keith Brooks
Interesting take on it. We have trained users on how to create passwords that are easy to remember so they don't "write them down". The reality of course is that some people still do it.

I still believe that you need to force password changes at some frequency and also set the appropriate level of un-authorized attempts before an account gets locked out as an additional layer of security.
Posted @ Thursday, May 31, 2012 1:13 PM by Jeremy Gill
Great comments & questions. And yes: we have a different approach for mobile devices.  
 
1) you have to have a password. 
2) you have to have the "enter it wrong X times, and self-destruct"  
3) your password has to be 4 digits (or more) 
 
These policies are enforceable with most Mobile Device Management solutions. And because of the "do it wrong too much and your phone blows up" capability (which doesn't exist on your laptop), we're comfortable that the combination of a lower password entropy and remote wipe capability still keep us within the boundaries of "good security", based on our risk profile. And again, enforcing regular password changes does nothing to affect the 'hackability' of the device, and is not a part of our policy.  
 
The education and rollout went exceptionally well. I have the luxury of working with a large group of research and production scientists who were genuinely interested in (and more likely to be convinced, perhaps, by) the math behind the reasoning. A few grumbles. But the logic and reasoning have been generally well accepted.
 
I'm happy to speak directly with anyone who's interested in more details or information, by the way. I enjoy hearing others' experiences and trading notes that might be of mutual benefit.
Posted @ Thursday, May 31, 2012 1:24 PM by Ken Grady
Ken, 
 
The real concern with mobile devices is not the device password (I am a big fan of the pattern-swipe lock on Android devices and look forward to the ICS facial recognition on my soon-to-be-acquired Galaxy S III). 
 
The real problem is entering your password for all the other services and sites you use on the phone. For example, you will need to configure your email, access various cloud services, connect through a VPN, define a wireless access point, etc. Each of these passwords must be managed and is a potential point of confusion when trying to key long passwords on small screens. 
 
Don't misunderstand: I share your concern for foolish password policies and continue to seek a better way. On my Lenovo laptop, I enabled the fingerprint scanner and no longer need to type a password to unlock the machine. Very handy... 
 
Chuck
Posted @ Thursday, May 31, 2012 2:07 PM by Chuck Musciano
I recently attended a meeting at the White House regarding Identity Management hosted by the White House and the Department of Commerce (NIST). The subject was NSTIC – National Strategy for Trusted Identities in Cyberspace. The purpose of the meeting was to review the strategy for reducing the number of user ID/passwords in order to bolster commerce while still protecting PII. The follow-on will be a privately led (with seed funding from the DOC) private/public effort to define a solution. Ken Grady is right and it may take a large “village” to fix it. 
 
 
John Turato 
Vice President, Technology 
Avis Budget Car Rental 
Posted @ Thursday, May 31, 2012 3:41 PM by Martha Heller
As one commenter pointed out, this does not work with the Android or Apple iOS devices. 
 
Also we should have learned a lesson when Gawker Media was compromised. People reuse passwords on multiple sites and EXPIRING passwords is an important HABIT to have. It's simply basic hygiene on the Internet.
Posted @ Thursday, May 31, 2012 11:40 PM by philA
This is really good analysis and great options.
Posted @ Wednesday, June 06, 2012 1:07 PM by Laura McCanlies
Even on a smartphone I can enter 1 really strong password quickly. Then using strong passwords, that differ for each site, implies using a cross platform, synchronized, and secure password manager. That's what I use.
Posted @ Wednesday, August 15, 2012 10:26 AM by Dick
Perhaps one of the better presented assertions regarding password security. As a developer of security technologies engineered to identify and protect computers against the risk of physical threat, we have integrated into our technology a unique indelible electronic serial number which can be used as a hardware based secondary authentication factor. By adding this feature, even if the password were to be discovered, without the hardware based factor, access is prohibited.  
 
To add to John Turato's comment, the Federal Gov has been making a very strong effort to get the message out that any nation which expects to protect itself against technical threat requires the participation of the public to aid in its defence. In a briefing at Black Hat, Paul Mesterhazy, the acting deputy, National Cyber Security Division of the Department of Homeland Security, had also added that there needs to be a better means for privately developed security innovations to be introduced to the government. Despite these comments, there still seems to be no real avenue for those of us in the innovation space to get these technologies introduced to government.
Posted @ Wednesday, August 15, 2012 12:35 PM by Ryk Edelstein
Absolutely great article and I learned something today! Thank you!
Posted @ Thursday, August 16, 2012 10:11 AM by Tony Ioele
How do you teach our auditors who believe that changing passwords is a good security practice and thus review our logs yearly?
Posted @ Thursday, August 16, 2012 1:06 PM by Matthew Henry
Get new auditors. Perhaps ones who have internal capabilities to validate risk based on practice.
Posted @ Thursday, August 16, 2012 1:15 PM by Ryk Edelstein
password
Posted @ Friday, August 17, 2012 10:22 AM by David Kim
Consider reading Claude Shannon. Entropy per character of running English text is quite low. For a pass phrase to be effective, the words must be randomly selected. The phrases created in this blog post are not random and thus overall entropy is quite low.
Posted @ Monday, August 20, 2012 7:56 PM by Brian Basgen
Great paper. Mobility has made this even more complex. Just imagine trying to type in a password longer than what most phones ask for - 4 digits!
Posted @ Friday, August 24, 2012 6:22 PM by Chris
The issue that I see with the sentence-as-password approach is that you still have, practically speaking, only one password for every site. When one site's user/password database is exposed, as has happened in well-publicized incidents several times this year, your password is exposed regardless of its complexity.
 
My approach to passwords ensures site-specific passwords, so that when one web site's database is exposed, my logins at other sites remain secure. Any password solution that doesn't address this risk is, to me, incomplete.
Posted @ Tuesday, August 28, 2012 9:04 PM by Tim Reed
I don't think the sentence-as-password approach is the solution. Yes it results in a longer password but they are no more difficult to crack than an 8 digit password was 10 years ago. By lengthening the amount of time it takes to crack the password you have only postponed a problem not solved it. As computers get faster the time it takes to crack a sentence-as-password password goes down. Also, with cloud computing you can now for a few pennies put the power of a super computer into the hands of a teenager. And the sentence-as-password has one major flaw. You have limited the potential word combinations to words found in a dictionary. Following this password policy, to crack one you know to: a) stick to only words in the dictionary. b) in order to be simple for users to remember the word order must follow basic grammar rules. "puppies car computer street" is not likely to be a password. c) the word combinations tried must exceed three words. d) the word combinations tried must be less than seven words or users will find it difficult to remember.
 
If you take these into account I think you will find the sentence-as-password approach is not as complex as your algorithm suggests. You are not trying to crack a code of 30 characters but simply all possible combinations of dictionary words, in grammatically correct order, that are 4,5,6 or 7 words long. All of your "good acceptable examples" follow this pattern.  
 
The Oxford dictionary has only about 150,000 words in it. Do the math. It is not a 9.08 x 10^55 complexity.
Posted @ Wednesday, August 29, 2012 10:14 AM by Frank Sandor
Frank, your statement that a passphrase is easy to crack due to the pattern of the short words in it is false. Remember, just because a passphrase might be made up of many short words, there is no way to guess how long the "word you are currently working on" is. Let's look at a simple example: just because a passphrase has four words, and they are 3, 4, 5, and 6 characters (for a 21 character passphrase, with spaces), this doesn't mean the first is 3 characters, etc - you would have to go through ALL 3, 4, 5, and 6 letter words in the English language - and you would still have the possibility that one of the words is 1 character or 7 characters. 
 
Keep in mind that the password isn't saved - its hash is. So the password can't be guessed by guessing the first 6 characters, then the next 4, etc. You have to throw together 4 words and hope you have the right spacing, punctuation, and capitalization - and you have to do that until you find the right phrase. Sorry, but that is definitely going to be at least as difficult as brute-force hacking of the phrase. 
 
 
 
And what if someone uses fictional terms like Dr Seuss names? Are you going to put Grinch and Lorax into your lexicon? No, I'm afraid that your passphrase hacking computer is going to have at least as hard a time cracking my passphrases as it will the 10 character passwords with caps, numbers, and characters. And I won't forget them.
Posted @ Thursday, October 11, 2012 2:34 PM by Will Martin
Will, I will give you that you could make a very complex passphrase by using fictional terms or terms from different languages. But the reality is that the average user, given the choice, would simply leave their password blank. Security isn't their first concern. Many programs that require passwords now have strength checkers to combat the human tendency to be lazy. So would the average person use made up words, I doubt it. 
 
Second, the number of characters in the words is irrelevant. Since you are going for a system that is easy for the user to remember then the words are going to be from the dictionary. rebmreem is not going to be a possibility so it does not need to be tried. Since only dictionary words need to be tried each word becomes a single character itself. Since only about 10,000 words of the 150,000 are actually in daily use you can dump the archaic words to the bottom of your attempts. Luciferous is not likely to be used even though it is a valid English word. 
 
Looking at this another way. A four word passphrase is essentially four characters from a 10,000 character alphabet. The shape of the characters does not matter. 
 
If you are doing a brute-force attack you can narrow your attempts further as I said before by using grammar rules. Most users will not use unrelated words or repeated words, they will use a phrase so it is easier to remember. "Rabbit rabbit hat stick" is not likely to be a passphrase. 
 
Would a passphrase be easier to remember? Absolutely. Would it take longer to crack? If processor speed remains constant then yes. But as processor speed increases I personally would not be putting too much hope in a grammatically structured system that can be mastered by a six year old. A child can master the English language because it is predictable and constant. Two things I would never want in a security system.
Posted @ Monday, October 15, 2012 4:10 PM by Frank Sandor
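The exchange above turns on whether a passphrase should be measured per character or per word. As an added example (not from the post or any commenter), the following computes both estimates and reports the smaller one, which is the figure a defender should plan on; it also shows diceware-style random word selection, the generation method under which the word-level figure actually holds (a grammatical sentence, as the thread notes, is worth less than that bound). The vocabulary sizes are the 10,000 and 150,000 quoted in the thread; the short word list is constructed.

```python
"""Word-level versus character-level entropy of a passphrase.

Added example, not from the post or its comments. An attacker who guesses
whole dictionary words faces vocab_size ** word_count candidates however
long the phrase is in characters, so the defensible estimate is the
smaller of the two models.
"""
import secrets
from math import log2

# Constructed sample vocabulary; a real word list has thousands of entries.
SAMPLE_WORDS = ["terrapin", "bright", "children", "watch", "dreamy", "super",
                "methyl", "grinch", "lorax", "rabbit", "hat", "stick"]


def word_model_bits(vocab_size, word_count):
    """Entropy if each word is drawn uniformly and independently from the
    vocabulary. For a grammatical sentence this is only an upper bound."""
    return word_count * log2(vocab_size)


def char_model_bits(length, alphabet_size=27):
    """Entropy if every character were an independent uniform symbol
    (a-z plus space), the assumption behind per-character calculators."""
    return length * log2(alphabet_size)


def effective_bits(phrase, vocab_size, alphabet_size=27):
    """Report the minimum of the two models: an attacker uses whichever
    needs fewer guesses."""
    return min(word_model_bits(vocab_size, len(phrase.split())),
               char_model_bits(len(phrase), alphabet_size))


def words_needed(target_bits, vocab_size):
    """Smallest number of randomly chosen words reaching `target_bits`."""
    count = 1
    while word_model_bits(vocab_size, count) < target_bits:
        count += 1
    return count


def random_passphrase(word_count, vocab=SAMPLE_WORDS):
    """Diceware-style generation with a CSPRNG: the word model then holds
    because no grammar or personal meaning guided the choice."""
    return " ".join(secrets.choice(vocab) for _ in range(word_count))


if __name__ == "__main__":
    phrase = "watch out for terrapins"  # one of the post's examples
    for vocab in (10_000, 150_000):  # figures quoted in the thread
        print(f"{phrase!r} with {vocab} words: char model "
              f"{char_model_bits(len(phrase)):.1f} bits, effective "
              f"{effective_bits(phrase, vocab):.1f} bits; random words "
              f"for 80 bits: {words_needed(80, vocab)}")
    print("random passphrase:", random_passphrase(5))
```

Four words from a 10,000-word vocabulary come to about 53 bits, well below the 109 bits a per-character calculator reports for the same 23-character phrase, which is why the thread's dictionary argument matters for sentences people choose themselves.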