Password Security

What’s a good password security policy?

I’m being ambiguous, because I’m not sure what criteria qualify for relevance. Financial gain from hacking the account? Private/corporate account (mixed?)? Should home computers with automatic logins be allowed to store passwords?

Failing anyone with IT Security knowledge or something cool like that, can a mod move this to IMHO?

I did a search, but I didn’t see anything relevant (although the search limit is hard to work with).

IT professional here, though I’m in System Administration and not strictly Security…

I’m not sure exactly what you’re asking about. Are you talking about personal security (how long/complex should my passwords be? How can I choose passwords that are easy enough to remember but complex enough to be secure?) Or are you talking about corporate policy (What should password complexity rules be? How often should passwords be changed?)

A couple thoughts, that you can insert as answers to whichever questions they might apply…

Ideally, passwords should contain a mix of upper and lower case letters, numbers and special characters, be at least 8 characters long, and not have any dictionary words within the password string. They should also be changed every 60-120 days, users should not be able to use previously used passwords, and they should not be able to use the same password for two different applications/websites/etc.

The problem with this is that if you make the restrictions too draconian, people will simply write all of their passwords down on a sticky note attached to their monitor.
One way to help with this is to stop using “passwords” and instead use “passphrases”. Instead of having your password be “Rf5l#e7q”, which is nearly impossible to remember, choose an easily memorized phrase and alter it to fit your restrictions. Start with “statue of liberty”; capitalize the ‘s’ and ‘l’, and change each ‘e’ to a ‘3’ and the ‘o’ to a ‘0’, and you get “Statu3 0f Lib3rty”. This meets all password requirements and will stand up to any dictionary search.

These days, more and more applications are “AD Aware”, meaning that they can use Microsoft Active Directory accounts for authentication. This allows users to not need a separate account and password for their application, but just uses their network logon to authenticate (assuming, of course, that you are on a Microsoft AD Network). This is great from the users’ standpoint, but makes it all the more imperative that you enforce password security on your network accounts, since there is now only one ‘master’ account and password.

The biggest challenge really has nothing to do with IT at all. It goes like this:
Bob is going on vacation for a week. Mary needs to fill in for him while he is gone, but she doesn’t have access to the Widget Management System. Instead of Mary’s supervisor putting a ticket in to grant Mary access to the application, Bob simply writes his account and password on a sticky note and hands it to Mary, so she can use his account. At that point, it doesn’t matter that you have 64-character passwords that must be a combination of Greek, Latin, and Cherokee place names and changed every full moon. Your multi-billion dollar security system has been defeated by a 5 cent Post-It.

Along the same lines, most security breaches are not caused by hackers, but by employees (former or current) who either have access to data they shouldn’t, or who misuse access that they rightly are given. From an IT perspective, there is nothing that can be done about the latter; however, the former can be controlled by frequent security audits. The challenge there is that as a System Administrator I have no idea whether or not Mary needs access to the Widget Management System. I need Mary and Bob’s boss to tell me so. And as long as he would rather compromise security for the sake of convenience, there’s nothing I can do except crack down on ‘violations’ when I see them. By which time, it’s already too late.

I hope this hasn’t been too rambling, and that I’ve made at least a bit of sense…

That makes sense, but what’s the best compromise between draconian laws and the reality of people writing down more complex passwords, especially if they’ve got a lot of them?

Then you have people who keep them all saved in a note on their phone, or an automatically logged in PC at home.

More complex is better, but by necessity more complex passwords either need to be used with more applications (so you don’t have to remember as many of them), and/or for longer periods of time, because switching complex passwords is a hassle. So, where’s the line?

I disagree with the standard advice that passwords should include upper- and lower-case characters, numbers, punctuation marks etc. That just makes them harder to remember and more prone to typing errors, especially on iPhones and the like, where using alphabetical characters is much more convenient. I think it is easier to use regular, lower-case passwords, but in a slightly longer form.

For my passwords that need to be memorable and yet strong, I tend to use quite lengthy and quirky phrases, omitting any spaces. Something like “Gail’s doorbell is yellow” or gailsdoorbellisyellow. I find that easier to type than something like Gdo0rbelL$, even if it is twice as long. In terms of bit-strength, if an eavesdropper knows in advance that one password consists of four lower-case words strung together and the other consists of ten random characters from the upper- and lower-case letters, numbers and punctuation marks (a generous assumption, because passwords tend to be less random than that), then the two passwords have about the same strength.

I agree that password complexity rules (upper/lower case, numbers, etc.) are counter-productive. At the same time, I think that such rules are considered “standard” at this point and I don’t think that’s likely to change.

Personally, I like using sentences for ‘passwords’, complete with proper capitalization and punctuation. That takes care of the upper/lower case and the ‘special character’ rules. Also, passwords can be extremely ‘simple’, as in “This is the password for the Widget Management System.” That’s a 55-character, complex password that I’m not likely to ever forget.

The only problem is when dictionary words are disallowed, which is becoming more and more common. That’s when you need to start doing letter substitution to get around it. That can be fairly easy to accomplish just by substituting all of the vowels, for example:

a = 4
e = 3
i = 1
o = 0
u = 7

“Th1s 1s th3 p4ssw0rd f0r th3 W1dg3t M4n4g3m3nt Syst3m.” is a 55-character password that’s ***really*** secure.

As I mentioned before, by far the biggest danger to a company is not hacking, but internal leaking of information, which cannot be ameliorated by password policy. For personal security, using ‘complex’ and unique passwords does provide a great deal of security. Your computer may be secure, and your bank’s computer may be secure, but if you use the same user name/password combo to log onto your favorite World of Warcraft fan site, you might be in big trouble.

For management of personal passwords, there are a number of password management programs that will store your passwords in a single encrypted database (just make sure your database master password is secure). Personally, I use KeePass.

Personally, what I do is I have three different levels of passwords. For things that really shouldn’t even have a password on them at all (free registration to read an online newspaper, say), I’ll just use my birthdate. For things where it makes sense to have a password but for which I wouldn’t really suffer any harm if it were breached (an account for an online computer game, for instance), I use all the same password. And for things where I really would be harmed by a breach of security, I make up a separate secure password for every account.

If you are in fact in IT or even security, then I must say your advice is very very bad.

3 E 0 o substitution is no longer secure and is a straight go-to attack method. Much as is taking a site like urbandictionary.com and indexing it to brute a pw.

It’s not that you can’t take a dictionary word, you can’t even take slang words or derivations of words.

Try upper, lower, special characters, numbers, characters, 21 characters.

Another thing to consider when choosing a complexity policy is how the system you’re logging into deals with perceived attacks. For example, if I screw up my work domain login 3 times in a row I get locked out and an administrator has to unlock it. So this could get by with low complexity passwords.

Something that hasn’t been mentioned yet are those systems that implement memorable information. That is, when you sign up for a service you choose some small number of questions from a list and give answers for them. The questions are usually along the lines of “what is your mother’s maiden name?” or “What is the name of your first pet?”. The idea is that when you forget your password you click the “I forgot my password” button and you get sent to a page with some of the questions you chose to answer. If you get the questions right the system assumes you are who you say you are and lets you reset your password.

The problem with this is that in these days of Facebook and personal blogs much of this ‘personal’ information can be found out. One way to handle this is to not answer the questions accurately but to make up answers that you can remember. For example take the questions “what was the name of your first pet?” and “what is your mother’s maiden name?”. Potential answers could be “this was the question about pets” and “this was the question about my mother”. You can be as inventive as you like as long as you remember your system for generating the answers.

As mentioned above, password vaults are useful. I use Password Safe.

Former pen tester here. Just to add to Kferr’s point, application security comes into play here, as well. For example, if I punch in the correct username but the wrong password, does the system tell me that “your password is incorrect” or does it tell me that “the username or password is incorrect”? If it’s the latter, then I’ve got some research to do (and I’ll probably just spearphish your ass); if the former, then I know that I’ve got the username correct. From there, I can do much better guessing (is your username GiantRat? Perhaps your password is the same, or GiantRat1234, or ILoveCheese, or something). Also, if I know who you are, I can easily find a DOB, phone number, address, family member names, etc… with google hacking.

Most of this can be protected against with proper application development (a sad deficiency in most organizations).

As for me, I just use that LifeLock guy’s social security number as my password for everything. :slight_smile:
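The username-enumeration point made in the post above, shown as an added example (not code from anyone in this thread): a login check that gives away which half was wrong, beside one that returns the same message and does the same hashing work whether or not the username exists. The user store, salt and the “GiantRat”/“ILoveCheese” credentials are constructed for the demonstration.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; the iteration count is what makes each check cost the same."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample user store: username -> (salt, stored hash). Not real credentials.
_SALT = os.urandom(16)
USERS = {"GiantRat": (_SALT, _hash("ILoveCheese", _SALT))}

# Dummy record so the unknown-username path performs the same work as a real one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("unused-dummy-value", _DUMMY_SALT)

GENERIC_MESSAGE = "The username or password is incorrect."

def login_leaky(username: str, password: str) -> tuple[bool, str]:
    """Distinct messages confirm to an outsider which usernames exist."""
    if username not in USERS:
        return False, "Unknown username."
    salt, stored = USERS[username]
    if hmac.compare_digest(_hash(password, salt), stored):
        return True, "Welcome."
    return False, "Your password is incorrect."

def login_uniform(username: str, password: str) -> tuple[bool, str]:
    """One message for every failure, and a hash computed on every attempt,
    so neither the text nor the response time distinguishes the two failure cases."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_hash(password, salt), stored)
    if matched and username in USERS:
        return True, "Welcome."
    return False, GENERIC_MESSAGE
```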

I never answer these with real information. I just use something that I’ll remember.

For example

“Who was your favorite teacher?”

“Mr Wizard”

I’ll have no problem remembering that and no amount of access to my personal information will reveal it.

Re Your Home Passwords

There’s nothing wrong with keeping them on a scrap of paper, provided nobody but you can find that paper. I can think of a dozen rather secure locations (some of which would be nigh impossible to access without my knowing) off the top of my head. If that scrap of paper was between the jacket and cover of my copy of The Frankenstein Diaries, I could find it with ease. The odds of anybody else finding one book on my shelves are quite low.

I’ll take the opportunity to mention again my pet peeve:

If you have a screen that asks the user “please create a new password”, for the love of God, have your screen tell the user the following:

I) MINIMUM length

II) MAXIMUM length

III) List of allowable characters

If special characters are allowed, TELL THE USER which special characters are allowed. i.e.
Are all the “special” characters on a standard US keyboard allowed?
namely
`~!@#$%^&*()_-+={[}]|:;"'<,>.?/

Can I use Western European characters?
e.g.
àáâãäåæçèéêëìíîïðñòóôõöøùúûüýþÿ

Can I use Unicode characters?
e.g.
абвгдежзйклнопрстуфхцчшщъыьэю

I have NEVER seen a “new password” entry screen that gives you those three pieces of information, and I am filled with rage every time.
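A password-policy object that states the three things the post above asks for (minimum length, maximum length, exactly which characters are allowed) and reports every violation by name. This is an added example, not code from this thread; the policy values and the choice to count code points after NFC normalization are assumptions.

```python
import unicodedata
from dataclasses import dataclass

# The "special" characters on a standard US keyboard, as listed in the post.
US_SPECIALS = set("`~!@#$%^&*()_-+={[}]|\\:;\"'<,>.?/")

@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12
    max_length: int = 64
    allow_specials: bool = True
    allow_non_ascii_letters: bool = True   # Latin-1 accents, Cyrillic, etc.
    allow_space: bool = True

    def describe(self) -> str:
        """Text to show on the 'create a new password' screen."""
        allowed = ["ASCII letters a-z A-Z", "digits 0-9"]
        if self.allow_specials:
            allowed.append("special characters " + "".join(sorted(US_SPECIALS)))
        if self.allow_non_ascii_letters:
            allowed.append("letters from other alphabets (e.g. é, ñ, ж)")
        if self.allow_space:
            allowed.append("spaces")
        return (f"Minimum length: {self.min_length}\n"
                f"Maximum length: {self.max_length}\n"
                f"Allowed characters: {'; '.join(allowed)}")

    def _char_allowed(self, ch: str) -> bool:
        if ch.isascii() and ch.isalnum():
            return True
        if ch in US_SPECIALS:
            return self.allow_specials
        if ch == " ":
            return self.allow_space
        if unicodedata.category(ch).startswith("L"):   # a letter in any script
            return self.allow_non_ascii_letters
        return False                                     # control chars, emoji, ...

    def check(self, password: str) -> list[str]:
        """Return every violation, naming the rule, instead of a bare 'invalid password'."""
        password = unicodedata.normalize("NFC", password)  # assumption: count composed chars
        n = len(password)
        problems = []
        if n < self.min_length:
            problems.append(f"too short ({n} < {self.min_length})")
        if n > self.max_length:
            problems.append(f"too long ({n} > {self.max_length})")
        bad = sorted({ch for ch in password if not self._char_allowed(ch)})
        if bad:
            problems.append("disallowed characters: " + " ".join(repr(c) for c in bad))
        return problems
```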

Point taken. Perhaps my example was a bit too simplistic, but I still think the idea is sound. There’s a fine line between making something secure enough to be ‘secure’, but not so secure that users have to figure out ways to bypass said security in order to function. Passwords consisting of random strings of characters become too hard for a user to manage as they become longer and more complex. Passwords consisting of phrases are more secure, by virtue of length, and the fact that they are easier for users to remember so they don’t need to resort to writing them down.

I think it’s worth pointing out that there is a difference between protecting your information from ‘casual’ theft, and protecting it from a determined hacker. If someone really wants to get my bank account information, then they’re probably going to be able to get it no matter how strong I make my password. But if they are just looking to get access to someone’s account, then I know I’m safer than many (I would bet more than most). By the same token, my three dogs probably won’t stop a burglar if they really want ***my*** television set, but 99.9% of would-be thieves are going to bypass my house and instead hit the one next door where they can slip in and out without any noise being made.

I don’t use words- I use patterns on the keyboard.

To expand on my point about bit-strength earlier, I don’t think it matters what set of symbols or groups of symbols you use, be they the set of alphanumeric characters plus punctuation, random words from a dictionary, a memorable phrase with certain letters replaced by similar-looking symbols, whatever. Assume that the attacker knows the general scheme that you use to construct a password. Then, whatever the scheme is, if you use a large enough source set with enough combinations, you can make a strong password. In terms of bits, it will be about as strong as a random n-bit password where 2^n is the number of possible choices in your password scheme (not quite because you probably won’t choose completely randomly).

So it is not right to say that certain approaches, such as the one in which “leet” characters are used in place of certain letters, are insecure. It’s true that dictionary attacks can crack such passwords, but the way to protect yourself against dictionary attacks is to use several words and/or a very large dictionary.

Say the attacker knows that you’re using a modest dictionary of 10,000 words, and you always change one letter to a leet symbol if possible. That gives you a pool of maybe 30,000 words to choose from, equivalent to a 15-bit password. Not very secure. But string two such words together and it’s twice as strong, 900 million possibilities or 30 bits.

Replacing certain characters with leetspeak is a bit weak, because it’s so predictable (i.e. “e” consistently becomes “3”) and thus adds little new randomness (only “did he or didn’t he use that system?”).

Something like “use first letters of a phrase and capitalize all nouns” (intuitive if you’ve picked up even high-school German) is better: any given letter might appear in upper or lower case, with nothing in the remaining context (just the first letters of other words) to suggest which.
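The bit-strength arithmetic from the earlier post (10,000 words, one leet swap giving ~30,000 options, two words giving ~900 million) and the point just above that a predictable, all-or-nothing substitution is worth only one bit, carried through as an added example; none of this code is from the thread. The 94-symbol printable alphabet, the 90,000-word dictionary and the three variants per word are assumptions used to make the comparison concrete.

```python
import math
import string

def bits(pool_size: int, picks: int) -> float:
    """Entropy in bits of `picks` independent, uniform choices from `pool_size` options,
    assuming the attacker already knows the scheme (as the post assumes)."""
    return picks * math.log2(pool_size)

# Printable ASCII minus space: letters, digits and punctuation, 94 symbols.
PRINTABLE = len(string.ascii_letters + string.digits + string.punctuation)

def random_chars(length: int, alphabet_size: int = PRINTABLE) -> float:
    """Random characters, e.g. the ten-character password compared in the thread."""
    return bits(alphabet_size, length)

def word_passphrase(words: int, dictionary_size: int) -> float:
    """Lower-case words strung together, e.g. gailsdoorbellisyellow."""
    return bits(dictionary_size, words)

def leet_one_letter(words: int, dictionary_size: int, variants_per_word: int = 3) -> float:
    """One letter per word may be swapped for a leet symbol: a 10,000-word
    dictionary becomes ~30,000 distinguishable strings (assumed 3 variants each)."""
    return bits(dictionary_size * variants_per_word, words)

def leet_all_or_nothing(words: int, dictionary_size: int) -> float:
    """Predictable substitution (every e->3, every o->0) either applied or not:
    one extra bit in total, however many letters it touches."""
    return bits(dictionary_size, words) + 1

def words_needed(target_bits: float, dictionary_size: int) -> int:
    """Smallest number of dictionary words that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(dictionary_size))

def compare() -> dict[str, float]:
    """The schemes discussed in the thread, side by side, in bits."""
    return {
        "10 random printable chars": random_chars(10),
        "4 words, 90k-word dictionary": word_passphrase(4, 90_000),
        "1 word + one leet swap, 10k dictionary": leet_one_letter(1, 10_000),
        "2 words + one leet swap each, 10k dictionary": leet_one_letter(2, 10_000),
        "2 words, all-or-nothing leet, 10k dictionary": leet_all_or_nothing(2, 10_000),
    }

if __name__ == "__main__":
    for scheme, strength in compare().items():
        print(f"{strength:5.1f} bits  {scheme}")
```

With a roughly 90,000-word dictionary, four words land within a bit of ten random printable characters, which is the comparison the earlier post makes.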

I use a sentence that I take all the first letters from, and include punctuation, and even symbols. Follow normal capitalization rules, and you are set. It looks like a meaningless mix of letters, numbers, and symbols, but it isn’t.

Leet speak IS a bit predictable. What I used to do is use what I thought of as “ascii rebuses”, using the names of characters for parts of words - “b&” for “band”, and so on. I’d combine that with positional puns, substitutions of specific types of something for a general class, or pronunciations of alternate meanings for characters, such as () for functional notation, read as “of” or / read as “over”.

f@i’mcity - I’m in fat city.
h&/tayl| - hand over the loot (guitar is a type of lute, tayl| = “taylor”).

Like I said, I USED to do that. It slowed me up being clever whenever I needed a new password, and not all places took arbitrary punctuation characters. I also took to using a password vault. I use KeePass which a few others have mentioned. Now I just use that to generate a random string and keep it in the vault. If it’s a password I’m going to use every day, after several entries I’ll remember the random string. If I’m only going to use it occasionally, opening the vault to retrieve it isn’t a big deal. In fact, for those, I usually don’t wind up even seeing it on my screen. I use “copy password to clipboard” and paste it into the password field. For that feature, KeePass cleans out the clipboard after a short interval, or when you exit the program.

I do not have anything worth getting into and all my info is all over the net.
I do use passwords.
Hack away, no money, no porn, no secrets, gonna be a lot of work for nothing.

This came up already in one of the BBQ rants about passwords, so I’ll ask here: why should passwords be changed regularly? If a hacker cracks your password, he won’t sit on it and wait one week, he will use it immediately, at which point the damage is done. Maybe you get lucky and it’s day 59, and next day the password has to be changed - he still had one full day for damage, which might be enough to get all data he needed.

I don’t know if you refer to passwords to websites, to certain applications on your home PC, or your PC in general, but the attitude of “I have nothing worth stealing, why should anybody try to hack my private PC?” I hear very often from people not very computer-informed. Well, I’ve read enough articles in the Computerweek and PC World to know that any unprotected PC on the internet is like honey to flies for hackers: the Russian mafia employs fulltime hackers (as well as the Chinese govt., though they probably spend more effort on hacking the CIA and .gov pages), because it’s more profitable than drugs to create botnets for spam and DDOS attacks (or more precisely, telling amazon.com “if you don’t pay us 10 000 Euros, we will attack your server with Denial of Service so it goes down” and amazon knows that if the website is down for half a day, they lose hundreds of thousands of Euros in sales, so they quietly pay). There’s a BBC documentary on how easy it is to trick people into downloading a Trojan and how massive the effect of a botnet of only 50 PCs is.

And the statistics show frighteningly how the attacks increase: it’s a steeply angled curve. Not only were there more attacks in 2009 than five years ago, there were more attacks in the first quarter of 2009 than in all of 2008 combined, and more attacks in the first quarter of 2010 than in all of 2010 etc. Attacks are viruses and trojans and worms all together.