Network Security Experts: Frequent Password Changes

This may be more of an IMHO… Is it still considered, amongst security experts, good practice to force the user to change his password every X days?

Our IT department has just instituted a policy forcing users to have a “secure” password and to change it every 45 days. If you login 3 times incorrectly, they lock you out. A quick walk around the building shows that about 20% (pure guess, I didn’t count, but saw many) of the people have little post-its with their passwords on the monitor.

I teased one guy about it and he said: I have a login at home, one at work, a bank pin, an ebay account, sharebuilder, paypal and online banking. (He may have mentioned more, but I lost interest.) Anyway, his point is, with all the different accounts, it is easy to confuse all the different passwords. Now with the new more strict requirements at work, he has to think of yet another new one every 45 days. We can’t recycle. They can’t be deemed “too close” to each other. They must have a combination of upper/lower case and numbers. The password is complex and must be new each time and it is difficult to remember, especially with so many other accounts needing passwords.

I kinda get what he is saying. It seems like they have made it less secure by making it so hard that people are simply writing down their passwords and posting them. I know that I find myself running out of what I consider unique but memorable passwords.

Anyway, is this still an accepted policy, or are these guys lost in time? I seem to recall an article circa 2000 that said this policy was deprecated pretty much for the above reasons, but I can’t find it online.

Our company has gotten even more strict about the password policy across all systems (A SOX requirement they say :rolleyes: ) . Required is a number, a letter, a capital letter, and it cannot have any of the same characters in a row next month (abc). I hate it, but I understand it, only because I was always careful before the requirements. I keep track of all my passwords in a password protected Excel file. It’s not that difficult to grasp, IMO. There is no reason to keep a post-it on your computer screen. Someone should be fired for that, regardless of how many passwords you have. You never know when a deranged employee might take that password, open an HR file, with your ID.

This can sort of be taken care of using Firefox/Mozilla and the password vault. It would take care of eBay, Sharebuilder, Paypal, and anything else online that he needs a password for. You can use a strong password (even the same one, though in theory it’s a bad idea) for each account, then another strong password (definitely a different one this time) for the password vault. Then all you have to do is remember that master password.

Such a password policy does not take into account basic human nature and is probably far, far worse than just using standard passwords. Even posters here who think they practise good password policy have a system that is not much harder to crack than the generic single password system. In fact, a password protected Excel file would be far easier to crack than a system password since someone could steal a copy and brute force it without you knowing.

One very good trick I’ve learned about making secure passwords is to think of a phrase and then get the starting letters and obfuscate it. For example, the phrase “Mary had a little lamb whose fleece was white as snow” would become something like: “Mha11WfWW/\s”. If you need to change it every week, put a cryptic post-it on your monitor that only you could interpret, something like: “Todo: See Mary, re: lunch tomorrow”.

Yeah, it’s funny the kind of mnemonic tricks you come up with to try to remember a ‘strong’ password. The computer science lab had requirements like that when I was in my senior year of university… though actually they didn’t have any password recycling restrictions.

I think I used *98imCA for all that time… which was actually based on a standard telephone feature… star nine eight was the special feature code to immediately access the ‘call answer’ message recording service for the phone number you were dialing out of, if there was. ‘star nine eight is my call answer’

at work right now, there’s a 30 day expiry on the network passwords, but no ‘strength’ requirement. I generally don’t enter in numbers or symbols, but I don’t use simple combinations of dictionary words either… generally come up with combinations of proper names (from tv shows) and initials and so on. I figure that those would be pretty difficult to guess, if anyone tried. And no, I never write them down on a post-it :)

The original question about best passwords practice is probably best suited to IMHO, in that I’m not sure there are any standardized answers. Everyone has opinions. :)

Note that nowadays, a few experts, and notably some big names at Microsoft, are recommending pass-phrases rather than passwords. The author makes a convincing argument here: http://www.microsoft.com/technet/community/columns/secmgmt/sm1004.mspx (and in the other two articles of the series) With precomputation attacks, even an 8-character “strong” password like “ht45%$pa” is easily cracked.

I think the users should be allowed to use whatever password they want, as long as the password is tested to see if it’s crackable. If the system can decrypt the user’s password, tell them to change it.

While I’m not sure I can claim that I am a “Network Security Expert”, I can at least claim that I am a Network Security Professional, and have been paid by Fortune 500 clients in advising them on network security policy.

I agree with the OP that the policy they have in place actually reduces network security, not improves it, as it does force most users to write down their passwords (bad thing).

Likewise, putting them in a password protected Excel file is little better (Excel file protection is exceedingly weak).

My current employer has a similar policy to the one in the OP. It irritates me to no end. What’s worse, they limit the number of characters in the domain password to 12 characters (minimum 8). A passphrase (exceeding, say, 20 characters) good for a few years would be much more secure than an eight character password changed every 45 days.

More important than developing arcane password rules would be to offer some really basic training of end users about how to develop strong passwords, much as Shalmanese suggests above.

What AZCowboy said.

Also, I dispute this:

DarrenS wrote

There are over 6x10^15 permutations in the password you described. Even in the case where you can check them offline on a single machine at, say, 100,000 per second (which is crazy optimistic), it will take about 2,000 years to run through all the combinations. So, on average, you could expect to crack it in half that, or 1,000 years.

Now, could someone with resources crack it faster? Of course. If you bought yourself a thousand machines, you could crack it in a year.

So, the real question is (and always is in security matters): how important is what you’re attempting to protect?

The math on this is pretty easy. You compare the value of what you’re protecting with the cost to break it. In this case, the cost of a thousand machines and labor for a year would be, say, a million bucks. So, if what you are protecting will be worth more than a million dollars in a year (not today, and this is important as well, as information is perishable), then this type of security would be inadequate.

Also, the above is an example. If this were a real-world example, I expect the number of attempts/second would be much smaller, and that dramatically impacts the other numbers, perhaps by a factor of ten or even a hundred.

Passwords are fundamentally flawed. Computers double in speed at a fairly predictable rate. The human brain does not improve in speed or memory capacity with age. That means that any security system that uses password length/complexity as a defense against brute-force attacks on passwords is doomed to failure. Passwords that are hard to crack are also hard to remember, and it is only getting worse. A random sequence of 21 characters, including digits and upper/lower case letters, would provide a strong password by today’s standards. How many people could memorize one such password, let alone a dozen or two? Would you use your ATM card if it required a 39-digit PIN?

mks57, you wanna mathematically rationalize this statement, please?

Sorry, but that’s just not true. Well, it’s technically accurate in that it would be a strong password. But it’s far from required for even the most security-conscious systems.

Although your general comment about the nature of passwords and the acceleration of computer processing power is accurate.

There’s another thing that’s worrying me, here: The “not too close” requirement. That seems to be implying to me that the computer has your password stored somewhere in plaintext to compare it to… Which implies that anyone with access to the computer could find out fairly easily what your password is. Is this correct?
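An added example, not from any poster in this thread, of how a password-change handler can enforce the rules discussed above (complexity, not based on a dictionary word as the "is it crackable" post suggests, not too close to the old one, no recycling) while storing nothing but salted PBKDF2 digests. The "not too close" test needs the old and new passwords side by side, and both are present in plaintext in the change request because the user just typed them, so that rule on its own does not require plaintext storage; what it cannot do is compare the new password for closeness against older history entries, which exist only as digests. The wordlist, the iteration count, the similarity threshold and the sample passwords are constructed for the example.

```python
import hashlib
import hmac
import os
from difflib import SequenceMatcher
from typing import List, Optional, Tuple

# Policy knobs assumed for this example (not the OP's IT department's actual values).
PBKDF2_ITERATIONS = 100_000
MIN_LENGTH = 8
MAX_SIMILARITY = 0.6   # SequenceMatcher ratio above which new is "too close" to old
HISTORY_DEPTH = 5      # previous (salt, digest) pairs kept per user for the no-recycling rule

# Constructed stand-in for a real dictionary / breached-password list.
WORDLIST = {"winter", "summer", "autumn", "password", "mary"}
LEET = str.maketrans("0134$@", "oieasa")


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Only this pair is ever stored, never the plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def complexity_ok(pw: str) -> bool:
    return (len(pw) >= MIN_LENGTH
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw))


def dictionary_hit(pw: str) -> bool:
    """Undo the usual manglings (case, trailing digits/symbols, leet substitutions) and look up."""
    base = pw.lower().rstrip("0123456789!@#$%^&*").translate(LEET)
    return base in WORDLIST


def similarity(a: str, b: str) -> float:
    """0.0 (nothing in common) .. 1.0 (identical), case-insensitive."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def check_password_change(old_password: str, new_password: str,
                          current: Tuple[bytes, bytes],
                          history: List[Tuple[bytes, bytes]]) -> Optional[str]:
    """Return None if the change is acceptable, otherwise the reason it is rejected.

    `current` and `history` hold only (salt, digest) pairs. The plaintext old password
    is available because the user supplied it in the same change request.
    """
    salt, digest = current
    if not verify_password(old_password, salt, digest):
        return "old password incorrect"
    if not complexity_ok(new_password):
        return "new password does not meet complexity rules"
    if dictionary_hit(new_password):
        return "based on a dictionary word"
    # "Not too close": both plaintexts are in hand right now; nothing stored is needed.
    if similarity(old_password, new_password) > MAX_SIMILARITY:
        return "too close to old password"
    # "No recycling": re-derive the new password under each old salt and compare digests.
    for old_salt, old_digest in [current] + history[:HISTORY_DEPTH]:
        if verify_password(new_password, old_salt, old_digest):
            return "password reused"
    return None


if __name__ == "__main__":
    cur = hash_password("Winter2004x")          # constructed sample account
    hist = [hash_password("Summer2003x")]
    for new in ("W1nter2005", "Winter2005x", "Summer2003x", "Autumn2005x"):
        print(new, "->", check_password_change("Winter2004x", new, cur, hist) or "accepted")
```

The similarity threshold is a policy choice; `SequenceMatcher` is used here only because it ships with the standard library, and an edit-distance metric would serve as well.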

Strong passwords are good but can be cracked. The more characters included in the password the longer it takes to do a brute force crack. The problem, as others mentioned, is that people write the long passwords down, which is a problem. The other problem is that if someone has physical access to the machine any password can be bypassed in a short period of time by copying the SAM to a disk and using a utility to rewrite the password. I’ve done it a couple of times when friends/family forgot their passwords.

If they really need strong network security the best way to go would be Secure ID. Secure ID is a little fob that has a display of number/letters in it that is updated every 45 seconds or so. When you login the network asks for the Secure ID number. If you don’t have it you don’t get in. The only problem with this scheme is that if someone forgets the Secure ID fob they have to get the system admin to disable it so they can login, otherwise they are locked out until they get the fob. As far as I know Secure ID has not been cracked.

Slee
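The fob described in the post above is a time-synchronised one-time-code token. RSA's SecurID algorithm is proprietary, so the added example below (not from any poster, and not SecurID's code) uses the open equivalent, TOTP from RFC 6238 (HMAC-SHA1 over the time step, dynamically truncated as in RFC 4226), and shows both sides: the token generating a code and the server verifying it with a small clock-drift window and replay rejection. The 30-second step, 6 digits and the shared secret being provisioned out of band are assumptions of the example; the secret `12345678901234567890` in the demo is the RFC test-vector key, not a real credential.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Set

STEP_SECONDS = 30   # assumed time step; the post's fob rolls over every 45 seconds or so
DIGITS = 6


def provision_secret() -> bytes:
    """Generated once and shared out of band with the token; never sent over the login channel."""
    return os.urandom(20)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Token side: HMAC-SHA1 over the current time step, then RFC 4226 dynamic truncation."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1,
                used_counters: Optional[Set[int]] = None,
                step: int = STEP_SECONDS) -> bool:
    """Server side: accept the current step and +/- `window` steps to tolerate clock drift,
    but refuse a code whose step was already accepted (replay of a code seen over the wire)."""
    for drift in range(-window, window + 1):
        t = unix_time + drift * step
        if hmac.compare_digest(totp(secret, t, step), code):
            counter = t // step
            if used_counters is not None:
                if counter in used_counters:
                    return False
                used_counters.add(counter)
            return True
    return False


if __name__ == "__main__":
    secret = provision_secret()
    now = int(time.time())
    code = totp(secret, now)                 # what the fob's display would show
    seen: Set[int] = set()
    print("code:", code)
    print("first use accepted:", verify_totp(secret, code, now, used_counters=seen))
    print("replay accepted:   ", verify_totp(secret, code, now, used_counters=seen))
```

The code is only the "something you have" factor; in the deployment the posts describe it is entered together with the password, not instead of it. The verifier must keep `used_counters` (or a last-accepted counter) per user, otherwise an attacker who sniffs a code has the whole step plus the drift window to reuse it.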

I picked 21 characters to approximate 128 bits of key material, which would be a typical key size for a modern cipher system. 56 bits is clearly insufficient (DES). The NSA chose 80 bits for Skipjack, and NIST chose 128 bits as the minimum key size when it solicited proposals for what became the AES.
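The two calculations argued over above (the 6x10^15 / 2,000-year figure for an 8-character password at 100,000 guesses a second, and the claim that 21 random characters from letters and digits is roughly 128 bits) both fall out of the same few formulas. The added example below (not from any poster) carries them through, plus the thread's cost-versus-value rule of thumb. The only assumption is that the password is chosen uniformly at random from the stated alphabet; a human-chosen password has far less entropy than these numbers suggest, which is the point several posters make.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 60 * 60


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` symbols drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password chosen uniformly at random from that keyspace."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst case: every candidate tried at a steady guessing rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def expected_years(space: int, guesses_per_second: float) -> float:
    """On average the right password turns up halfway through the space."""
    return years_to_exhaust(space, guesses_per_second) / 2


def machines_for(space: int, guesses_per_second_per_machine: float, years: float) -> int:
    """Machines needed, each at the given rate, to exhaust the space within `years`."""
    return math.ceil(space / (guesses_per_second_per_machine * SECONDS_PER_YEAR * years))


def length_for_bits(alphabet_size: int, bits: float) -> int:
    """Shortest random password from this alphabet with at least `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


def worth_attacking(asset_value_when_cracked: float, cost_per_machine_year: float,
                    machines: int, years: float) -> bool:
    """The thread's rule: the attack pays if the asset's value at the end exceeds the cost."""
    return asset_value_when_cracked > cost_per_machine_year * machines * years


if __name__ == "__main__":
    printable = 95                      # 8-char password over all printable ASCII
    space = keyspace(printable, 8)
    print(f"95^8 = {space:.2e}, {entropy_bits(printable, 8):.1f} bits")
    print(f"1 machine @1e5/s: {years_to_exhaust(space, 1e5):,.0f} years to exhaust,"
          f" {expected_years(space, 1e5):,.0f} expected")
    print(f"machines to finish in 1 year: {machines_for(space, 1e5, 1):,}")
    print(f"62^21: {entropy_bits(62, 21):.1f} bits; 128 bits needs {length_for_bits(62, 128)} chars")
    print(f"4-digit PIN space: {keyspace(10, 4):,}")
```

Note that the guess rate is the whole game: the same keyspace that takes millennia at 100,000 guesses a second online is a different matter for an attacker running an offline search against a stolen hash, where the rate is bounded only by hardware.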

you’re lucky it’s 45 days. Most of my company’s ones (and I’ve got about fourteen, in addition to the ones I’ve forgotten and hope I’ll never need) work on thirty.

Friend mks57:

Encryption keys and passwords for access to systems are different concepts. First off, encryption can be attacked with a piece of encrypted content, i.e. by attempting to decrypt it with one key and verifying a known portion of the content, then trying with the next key until the correct content is seen. Because of this, it can be attempted off-line. Further, specialized hardware exists to encrypt and decrypt with standard algorithms such as DES, allowing for huge numbers of attempts/second. Several years ago, a DES-encrypted message was cracked in a few days with a machine costing a quarter-million dollars. Today, it could no doubt be done quicker.

A password allowing access to a system on the other hand, requires access to the system. First off, pretty much every system out there has a delay between attempt time and notification of failure. Even in the systems where there’s no intentional delay, there’s delay nonetheless, because that aspect of the system isn’t tuned to be super fast, i.e. there’s no dedicated hardware to verifying the users credentials etc. So, even with a particularly fast response time, you’ll likely be able to make ten attempts per second at best. And that’s incredibly optimistic.

Now, the machine I mentioned above that cracked DES was really built to prove a point. Though various government agencies no doubt have extensive cracking hardware in place, there really aren’t “DES crack kits” available off the shelf to get into things. So for your adversary to violate your secrecy, they’d have to invest some R&D to build such a machine. In practical terms, for most day-to-day encryption uses, DES is plenty secure.

Now, as it turns out I use encryption all the time, in SSH for example. And I never use DES, I always mandate the stronger stuff. But there’s a simple reason for this: the cost to use a higher-strength encryption algorithm is minimal. In fact, from a performance impact point of view, there’s no difference between using DES and 3DES for example. So, for no extra cost, I get enormously better quality protection.

Now, back at the current subject: What is the cost for the extra security that the OP’s admin is getting? It’s huge. Users are pissed off, passwords are often forgotten, and passwords are occasionally compromised when people write them on sticky notes or such. It’s a huge cost with extremely minimal benefit. And that’s bad security policy.

On another topic, seeing as how the OP’s administrator has taken the wise step to lock users out after 3 unsuccessful attempts, the other security mandates are lunacy. He could literally allow non-changing 4-digit passwords and be confident of the system security (assuming users chose wise passwords, i.e. not their birthday for example).
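An added example (not from the poster above) of the online-versus-offline distinction the post draws. A login service that locks an account after three failures bounds an online guesser to three tries no matter how small the keyspace, which is the post's 4-digit argument; the same code also shows the two caveats a practitioner would add: the lockout locks out the legitimate user as well (an attacker can deny service to any account by name), and none of it helps once the attacker holds the stored salt and digest, because an offline search is never counted or locked. The PBKDF2 iteration count is deliberately tiny so the offline search finishes in seconds; a real deployment uses a much larger one, which slows but never stops an offline attack. Names and PIN are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MAX_FAILURES = 3           # the OP's admin locks the account after 3 bad attempts
PBKDF2_ITERATIONS = 1_000  # deliberately low so the offline demo runs in seconds
PIN_SPACE = 10_000         # 4-digit PIN


def derive(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked: bool = False


class LoginService:
    """The online interface: every guess passes through here, is counted, and can trigger lockout."""

    def __init__(self) -> None:
        self.accounts = {}  # type: Dict[str, Account]

    def add_user(self, name: str, pin: str) -> None:
        salt = os.urandom(16)
        self.accounts[name] = Account(salt, derive(pin, salt))

    def login(self, name: str, pin: str) -> bool:
        acct = self.accounts.get(name)
        if acct is None or acct.locked:
            return False
        if hmac.compare_digest(derive(pin, acct.salt), acct.digest):
            acct.failures = 0
            return True
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
        return False


def online_pin_attack(service: LoginService, user: str) -> Tuple[Optional[str], int]:
    """Guess PINs through the login interface; returns (pin_found, attempts_made)."""
    for n in range(PIN_SPACE):
        pin = f"{n:04d}"
        if service.login(user, pin):
            return pin, n + 1
        if service.accounts[user].locked:
            return None, n + 1          # lockout ends the online attack
    return None, PIN_SPACE


def offline_pin_attack(salt: bytes, digest: bytes) -> Tuple[Optional[str], int]:
    """Same PIN space against a stolen (salt, digest): nothing counts, nothing locks."""
    for n in range(PIN_SPACE):
        pin = f"{n:04d}"
        if hmac.compare_digest(derive(pin, salt), digest):
            return pin, n + 1
    return None, PIN_SPACE


if __name__ == "__main__":
    svc = LoginService()
    svc.add_user("alice", "2468")                       # constructed sample account
    print("online attack:", online_pin_attack(svc, "alice"))
    print("alice logs in with the right PIN afterwards:", svc.login("alice", "2468"))
    acct = svc.accounts["alice"]
    print("offline attack on stolen hash:", offline_pin_attack(acct.salt, acct.digest))
```

A lockout that never expires, as modelled here, is the simplest form; real systems usually reset the counter after a timeout, which reopens the online attack at a rate of a few guesses per lockout period and is exactly why the guess-rate arithmetic in the earlier posts still matters.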

I’ve been following this thread from the start as my company has recently gone into a 30-day change scheme, with strong passwords. I’ve only had to create two, so far, but I can anticipate a time when I won’t be able to remember a password because the imposed “strength” has exhausted combinations that are easy to remember.

I’ve Googled for easier solutions, such as fingerprint readers, especially those that use the fingerprint to access the previously-created strong passwords, but I’m not sure that these are appropriate for initial login to a domain.

I do have a Secure ID token to enable RASing into our servers from a remote location, and this is easy to use, but this is used after initial login to the computer itself.

Are there other solutions out there? Especially something that doesn’t require the blessing of our IT department? A USB fob or card or something?

The principle of changing passwords is to eliminate the risk that is posed by people leaving their password lying around. Someone who finds this password does not necessarily know that it is still valid.

But the OP has a point. Passwords are a poor way of verifying access. People being people will always forget, always use easily guessed ones (you wouldn’t believe how easily!), always write it down, or even share. And I need to remember far too many passwords, and many of them I use in more than one place. Unfortunately, for the likes of web access, no-one has come up with a better alternative that’s practical. For a local network though, I do like the idea of a thumbprint scanner.

What is unforgivable though, and I hate, hate, hate systems that do this are passwords that are case sensitive. It really does make getting them right twice as hard.

(And putting your passwords in a protected Excel spreadsheet is an all-your-eggs-in-one-basket solution that’s about as secure as a plain text file when you really get down to it.)

Access to the system is not always needed. If the attacker can get password hashes from a system’s password file/database or by sniffing the network, he can do the attack offline. Many attackers are currently using very large precomputed databases to map hashes to passwords.

I have a copy of the book that describes in detail how to build a DES cracker. Just add cash and some assembly time. With the proliferation of zombie networks, many crackers now have access to massively distributed systems for cracking keys or other things requiring large amounts of CPU time.

There were a couple of interesting demonstrations recently where security researchers showed how easy it was to reproduce fingerprints in gelatin or other substances to fool these fingerprint readers. In spite of what the vendors would have you believe, biometrics alone are a lousy solution.

Most of the security experts I’ve read agree that passwords are a terrible solution but they’re better than any alternative at the moment. I’ve read several articles recently and it seems to have become trendy to bash passwords, but so far none of these pundits have suggested workable alternatives (except for their transparent sales pitch for whatever product they’re shilling). Bruce Schneier (one of the leading security industry experts) goes on at length about this topic, and I think he’s the one that suggests a three-prong solution: something you know (password), something you have (key-generating fob or mag-strip ID card), and something you are (biometrics). Each alone has faults but used together correctly they can be strong.

On the topic of passwords, Bruce Schneier is also the one that points out that he writes down his passwords and keeps them on a slip of paper in his wallet. He has a lifetime of experience protecting his wallet and considers this a very secure solution. I tend to agree. I frequently write a password to a new system on a post-it note on my monitor, and this is secure because no one (and I mean no one) can access my office. Most people don’t have this luxury, but the point is that security is about recognizing what works in a given situation against a given set of threats, not blindly applying rules as if they applied across the board.
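The precomputation attacks mentioned twice in this thread (the Microsoft passphrase post, and the post about precomputed databases mapping hashes to passwords) come down to one structural fact: if a hash depends only on the password, the whole keyspace can be hashed once and every captured hash answered by a lookup, for every user and every system that uses that hash. A per-user salt breaks the sharing, so each salted hash costs a fresh search. The added example below (not from any poster) builds the simplest form of such a table, a full hash-to-password dictionary, over a demo-sized keyspace of 47,988 candidates and shows the difference; real rainbow tables cover far larger spaces by storing compressed chains instead of every pair, but the salt defeats them for the same reason. Alphabet, length, salt and sample passwords are constructed; SHA-1 is used only because it is cheap and common in the legacy systems this thread is about, not as a recommendation.

```python
import hashlib
import itertools
import string
from typing import Dict, Iterator, Optional, Tuple

ALPHABET = string.ascii_lowercase + string.digits   # 36 symbols
MAX_LEN = 3                                          # 36 + 36^2 + 36^3 = 47,988 candidates


def candidates(max_len: int = MAX_LEN) -> Iterator[str]:
    """Every password of 1..max_len symbols over ALPHABET, shortest first."""
    for n in range(1, max_len + 1):
        for chars in itertools.product(ALPHABET, repeat=n):
            yield "".join(chars)


def unsalted_hash(pw: str) -> bytes:
    """Hash depends on the password alone: identical across users and systems."""
    return hashlib.sha1(pw.encode("utf-8")).digest()


def salted_hash(pw: str, salt: bytes) -> bytes:
    """Hash depends on a per-user random salt as well."""
    return hashlib.sha1(salt + pw.encode("utf-8")).digest()


def build_table(max_len: int = MAX_LEN) -> Dict[bytes, str]:
    """Precomputation: paid once, then reused against every unsalted hash ever captured."""
    return {unsalted_hash(pw): pw for pw in candidates(max_len)}


def lookup(table: Dict[bytes, str], digest: bytes) -> Optional[str]:
    """Answering one captured hash costs a dictionary lookup, not a search."""
    return table.get(digest)


def crack_salted(digest: bytes, salt: bytes, max_len: int = MAX_LEN) -> Tuple[Optional[str], int]:
    """With a salt the table is useless; each hash costs a fresh search.
    Returns (password or None, number of hashes computed)."""
    tried = 0
    for pw in candidates(max_len):
        tried += 1
        if salted_hash(pw, salt) == digest:
            return pw, tried
    return None, tried


if __name__ == "__main__":
    table = build_table()
    print("table entries:", len(table))
    # Two users who happen to share a password produce the same unsalted hash.
    print("user1 unsalted:", lookup(table, unsalted_hash("s3c")))
    print("user2 unsalted:", lookup(table, unsalted_hash("s3c")))
    salt = bytes(range(16))                      # constructed salt; use os.urandom in practice
    d = salted_hash("s3c", salt)
    print("salted hash in table:", lookup(table, d))
    print("salted hash by search:", crack_salted(d, salt))
```

The search in `crack_salted` still succeeds here because the demo keyspace is tiny; the salt does not make a weak password strong, it only removes the attacker's ability to amortise the work across users, which is what the precomputed databases in the post depend on. Slow, salted password hashing (PBKDF2, bcrypt, scrypt, Argon2) adds the per-guess cost on top.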