Security Culture

The ideas, customs, and social behavior of a particular people or society
that allows them to be free from danger or threats.

The art of a good password – what is it, really?

key-array

Myp0ppy vs. UX*7(æ#6VbuiRomeo_and-Juliet8loVe4Ø&%

You may wonder whether the blog author has lost his mind using a subtitle as the one above. Is he writing a piece about a battle of intergalactic entities, or if the topic is about a fight between a dog and a machine?

Way off (one may of course argue the former)!
My topic this time is about passwords and password policy.

In the Security Culture Framework, passwords typically belong to the Metrics module.

The two example passwords

The two sets of characters in the subtitle are typical for two types of passwords.

My*P0ppy

  • 8 characters, letters, one number and a special character.
  • Is a created by using one of the most popular dog names (Poppy) substituting one character with a similar-looking number, prefixing the dog name by My and adding a * (‘star’) between the prefix and the dog name.
  • Quite easy to remember by using the “trick” My dear Poppy” as a personal reminder.
  • Probably non-trivial to crack by online testing, easily cracked by offline brute-force cracking systems. [One may discuss if this password is non-trivial to guess if one has intimate knowledge of the user.]

UX*7(æ#6VbuiRomeo_and-Juliet8loVe4Ø&%

  • 37 characters, letters, non-English letters, special characters and numbers. A Shakespeare play in the middle of the string of characters.
  • Extremely difficult to remember, very difficult to crack even by offline brute-force cracking systems, impossible to guess.
  • Close to impossible to write unless one has a Norwegian or a Danish keyboard.

Obviously the latter is the more secure seen from a purely technical point of view. But should we encourage the creation and usage of this type of password for normal use?

Characteristics of some popular password regimes

I have meant for quite a long time that many popular password regimes focus too much on the strengths and weaknesses of the passwords themselves. Other relevant security issues regarding password security are not correspondingly focused.

Typically some password policies require that

  • Passwords should be of at least 8-10 characters length.
  • Both numbers, special characters and letters are required.
  • Passwords must be changed e.g. each 30th (or 90th) day.
  • The new password must not be too similar to the previous ones.

Passwords should of course not be written down… And the same password should not be used for more than one site.

If users had one password this might have been possible to handle, though after three years, more than 35 different (and not too similar) password must have been created using the policy mentioned above.

However, some studies indicate that the average users have more than 20 different passwords to administer (in his/her mind only), which makes this inconceivable.

The inevitable consequence

The result from such password policies is of course that the users do re-use passwords across different sites. Passwords are written down.
And users forget their new passwords, and must require password resets from the site administrators.

Many use password administration programs to be able to administer all the constantly changing passwords. This is probably a good idea for many users, although these systems also have some security issues (which are beyond the scope of this blog item), and may not comply with some organizations’ security policy.

Thus, I would argue that the strict regime surrounding the passwords themselves encourage user “policies” that weakens the overall security.

How are accounts broken into

A password protected account can be compromised by several quite different means. Let me quickly mention some of the more common:

  1. The account is compromised by someone finding user name and password written down.
  2. The account is compromised by someone looking when it is typed(so-called shoulder-surfing).
  3. The account is compromised by guessing (repeated login attempts until success or lock-out).
  4. The account is compromised by social engineering techniques including phishing (email, SMS etc.).
  5. The account is compromised by a keylogger or other malware installed on the user’s computer.
  6. The account is compromised by offline brute forcing a compromised password repository.

Compromises as a result of 1, 4 and 5 above are independent of the strength of the password. To some extent this also applies for 2.
3 is the one, which the organization’s password policy as outlined above, influences most.
The success of 6 is highly dependent on how the passwords are stored and protected. This is extremely important and organizations should allocate sufficient resources to storing and protecting the stored password securely.

This illustrates that the security of the password itself is merely one of the many variables that determine the security of a user’s account. In my view however, this has been too much focused, at the expense of other important password security areas.

Users’ own passwords policies

A highly recommended paper from Microsoft Research (link below) mentions that a user can differentiate her accounts into five different categories:

  • Don’t-care accounts
  • Low-consequence accounts
  • Medium-consequence accounts
  • High-consequence accounts
  • Ultra-consequence accounts

It should be quite obvious that the passwords used for the accounts that are of no consequence (don’t care) should be less secure than those used for accounts that are important (e.g. high-consequence). Infamous passwords like qwerty or 123abc actually make (some) sense for the former as it does not matter if the account is compromised anyway.

Thus, each user should create her own policy regarding passwords and use secure passwords for the accounts that matters, while those of little or no consequence may suffice with less secure.

Organizations password policy

The organizations should also view the complete picture regarding passwords and not focus too much on the strength of the passwords that the users are required to use. Other considerations may prove to be at least as important.

A password regime that is too strict may in actually be in violation with the intent, and result in less security for the user accounts (and consequently the organization itself).

 A changed approach to password security (?)

I am pleased to see that there appears to be an emerging shift in how one views password security.

In addition to the research paper mentioned above, I would like to mention the recommendations that United Kingdom’s intelligence service Government Communications Headquarters (GCHQ) published earlier this year (link below).

Both of these advocate some of the same considerations that I have pointed out in this blog item, and other aspects as well.

Recommended further reading

Profile photo of Per Olav Førland

Per Olav Førland

Per Olav Førland is educated with a master in economics. He has been working in the IT industry since the mid ‘80s, and with information security since the mid ’90.
He has the following certifications: ISO/IEC 27001 Lead Implementer, PRINCE2 Foundation, Certified Security Culture Practitioner (CSCP), and EUCIP Core level.
He currently works as an independent information security consultant
His hobbies are reading and listening to music (rock and opera).
Profile photo of Per Olav Førland

Latest posts by Per Olav Førland (see all)

%d bloggers like this: