The Great Password Question That Won’t Die, “Just how long should a password be?”

How long should a password be by Dovell Bonnett - Access SmartIn one of my LinkedIn discussion groups, a member, who we will call MB, posted this simple question back on March 14, 2010: “How long should a password be?”  Well as of 11/11/11 and over 1,350 comments later, the discussion keeps going and going and going. It seems to have gained a life of its own. And while I can’t say I have read every comment, I did read enough to pick out some common themes, beliefs and suggestions that I will attempt to summarize in this article.

Observation 1: There is no right answer to the length.

This is probably true, at least if one looks at the problem from a single point of how long a password should be. As computers get faster and faster, and there are cyber attacks that can share unused processing power from a whole network of unknown computers (Botnets), the time it takes to crack 8, 9, 10 character passwords gets shorter and shorter. So length alone is not the fix to password security.

Observation 2: Passwords need different character types.

This too is true. Mixing in upper case, lower case, number and special characters makes cracking the password more difficult. But more difficult for whom: the hacker or the user? With keyloggers, social engineering attacks, backdoors through server ports, etc., adding special characters doesn’t necessarily solve the password problem. One is the biggest problems with complicated and difficult to remember “secure” password occurs when the user writes the password down on a piece of paper or a yellow Post-It® Note and stick it to the side of the computer.  See my recent post about UCLA recently agreed to pay a penalty of $865,000 for a series of HIPPA violations and now they are forced to reveal that the theft of an external hard drive from a former employee’s home has created the fears of yet another security breach.This was a remarkably silly and avoidable breach. According to the news reports, the information on the hard drive was encrypted, but the password necessary to unscramble the information was written on a piece of paper near the hard drive and cannot be located. Another problem with writing passwords down is that people can get ever craftier  and put it in a drawer, in a word document or even on a memory stick in a folder labeled “passwords”. And we all know how easy it is to lose or misplace those memory sticks. Security defeated just for ease of use.

Observation 3: Long passphrase and ch@cter$ substitution for letters.

This falls in the camp of combining Observations 1 & 2. The idea here is to allow the person to remember a long password from a favorite phrase and then think they can make it more secure with character modifications. Okay, it can work for the complexity issue, but what I find is that once one of these clever passwords is created people will use that same password everywhere. It is just easier for the user to remember the same password and they will use it on eBay, online banking, company networks, subscriptions to articles, social networks, porn sites, email clients, etc., will all have the same password. It takes one hacked site and a good “cookie sniff” for the cyber thief to get everything. The solution is for every site to have its own unique phrase which again reverts back to people remembering the correct phrase to each site.

Observation 4: Change your password frequently.

I often laugh when IT mandates that employees change their passwords every 90-days. I hate to break the bad news to IT but people have better things to remember than this quarter’s password. So the way employees have learned to conform to these demands is to write their passwords in a notebook, white boards, and you guessed it on those little yellow sticky pieces of paper. I even know of a high level executive who carries his passwords in his wallet.

I once won a steak dinner beating I could find a password written down in any cubical of my choosing in under 2 minutes. It took me less than a minute to find the yellow note under the tissue box. I thoroughly enjoyed the fine rib eye, medium, with the fully loaded potato, please.

Observation 5: Limit the number of attempts.

If the password is wrongly entered a given number of times, the account is locked. This works well against the brute force attacks. But, those pesky Post-It Notes and same password everywhere will defeat this security barrier.  Once the password is known this method only adds a false sense of security.

It was also suggested to implement exponentially increasing delay in response time after some number of incorrect passwords (typically #3). Most attackers will attempt to circumvent the lockout mechanism by altering their attack frequency; three tries every 15 minutes.  Frequency limits only puts pain on a user and the Helpdesk and nothing on the attacker since their computer programs don’t understand the concept of time. As a side note, 20%- 40% of calls to a IT’s helpdesk are to reset passwords!

Observation 6: Have a database table of unacceptable passwords

Some of the most common passwords used by people are “password”, “12345”, “qwert” and “1234567890-=”. So blocking these and similar common passwords is a good thing. But this does pose a bigger question: why do people use these? That’s easy! They are easy to remember and convenient to type. Did you know that 91% of people use passwords from the top 1000 common password list? It will take longer to pour another cup of coffee than for a computer to brute force 1000 passwords.

Observation 7: Prevent the use of the last 5 used passwords.

Again, more complexity placed on the user and less on the thief. All I have to do is add a number sequence in front or behind the main password phrase. Then after the fifth iteration I simply go back to the beginning. The main observation you should be making now is that employees will find ways to circumvent security for their own convenience. So harder, longer, changing, limited password is not the solution.

One comment was “I have requirements to set password reuse to not be able to use the same past 10 passwords or same password within the last 365 days for database security. You also have to change a minimum of 4 characters and cannot simply repeat characters.” My answer to this remains the same. Buy stock in 3M, because your employees are going to go through a lot of Post-it Notes.

So after these more low level suggestions were made by a number of commenters, the more techno savvy contributors started to chime in.

Observation 8: It’s not your father’s hacking tools anymore.

The tools and the methods to hack into computers is no longer just the “over-the-shoulder-surfer”, the dictionary attack, brute force runs, etc. While they still do exist because sometimes the simplest methods still work, today we are facing malware infested USB drives purposely left in corporate parking lots, web drive-by-downloads, malware infected ads, Phishing, Pharming, Spam, Spear Phishing, Trojan Horses, social networks, Autorooters, Man in the middle (MITM) on DNS servers, personal information available all over the web, social engineering, server port attacks, SQL Injection, botnets, RAT, Zeus, Poison Ivy, CRC32 Compensation Attack Detector against OpenSSH, Apache Chunking Exploit, IIS Unicode, uneducated employees, the list goes on and on and on. I need an aspirin. And I imagine you do as well right about now!

Observation 9: Forget user defined password, use One-Time Password OTP) tokens instead.

This made sense until the number one supplier of OTP technologies (RSA) got their algorithm hacked and basically defeated the security. But there are other issues with OTPs. They can only be synchronized to a single server or account. So if a business person travels to other locations he/she will need another token for that network. Plus, if different web services like banks, brokers, etc. implement OPT you soon have multiple tokens in your pocket, which begs the question: “Are those OTP’s in your pocket, or are you just glad to see me?”

Another problem with this technology is the cost and back-end server infrastructure that has to be modified to accept OPT. While OTPs might be affordable to the medium and larger corporations, for the small and Mom/Pop businesses OTPs are neither affordable nor practical.

Observation 10: Public Key Infrastructure (PKI) is the answer to the password problem.

Well, yes, if you are a Fortune 100 or large government agency. If you think OTP is expensive, you ain’t seen nuthin yet. PKI is very secure and with the addition of smartcards the security is top notch. But with encryption server blades, certificate authorities, root authorities, crypto-controller smartcards, key generation, digital signatures, hashing, etc., one needs a PhD (piled higher and deeper) to figure all this out. I once work on a PKI project for a very large software company and it took them three years or more to finally deploy. With cyber-attacks at an epidemic rate companies simply don’t have the time or money to wait for a very expensive and complex system to get built and deployed. It is no longer a matter of IF you will be attacked. It is WHEN you will be attacked.

Observation 11: Multi-factor Authentication.

Now we are getting somewhere. Before anyone can access a computer, web site, network or cloud they first have to be authenticated. There are three parts:

  1. Something you have like a token or smartcard.
  2. Something you know like a password or PIN.
  3. Something you are like a fingerprint or iris print.

Using any one of these by itself is very weak, thus the problem with password being only single-factor authentication. Combining any two of the three raises the security exponentially. Using all three now you’re thinking like the big boys. This is a key piece of the security puzzle but not the final solution.

Observation 12: It’s a system confirmation issue and who has Admin rights.

Just securing passwords alone will not secure your network. That’s why some discussions focused on system configuration, enterprise privileges and security monitoring (i.e. alerts when new Admin accounts are created, alerts when shadow files or SAM databases are changed, or alerts when non-system accounts attempt to read restricted files). By not securing the authentication and Root/Admin level privileges on your system you could open up a back door where even a 1-million character long password using 18 different languages character sets will be just as strong as the password “1234”. The scope of security architecture is too complex to discuss here but remember, “It’s very expensive to design network security poorly.”

Observation 13: Man-in-the-Middle (MITM) & Man-in-the-Browser (MITB) Attacks not prevented by Passwords.

Basically true. But who has claimed that they are supposing too. Security architecture has to be made up of a number of components (i.e. firewalls, anti virus, data encryption, etc.). While PKI offers safeguards with MITM/MITB there is also the trade off of high costs of ownership. Encrypted data transmission protocols like SSL can be used. The take away is that no one security/authentication is perfect for everything. The first steps have to be:

  1. Segment the data being protected into two categories (High Value & Low Value).
  2. Determine who will have access to what.
  3. Implement the security authentication technology that is appropriate for the data/user and budget.

Conclusion:

After reading so many of the post and injecting my own knowledge here some of the top strategies. It is not deploying only a few strategies but rather all of them that can start giving the “C”-office and IT a better night’s sleep.

Strategy 1: The weakest part of corporate security is often blamed on the employees.  I disagree. If they are never properly trained and informed on what to do then who’s really at fault here? Develop a program and bring in outside consults to teach people how to be more security conscious about computers, networks, passwords, encryption, etc. Make employees your allies and not the bane of your existence. Or worse yet, a reason why your company may face fines, public censure and possible bankruptcy.

Strategy 2: Hay stacking of password is better than the alternative. Combine length, complexity, frequency, uniqueness, etc. to the password security. While nothing can offer 100% guarantee of network security, adding more time and work on attackers at least will drive some amateurs away. Think of it like your house; a front door lock will keep some burglars out but by adding a camera, alarm, and a big barking dog you have a better chance of keeping burglars out.

Strategy 3: Design the entire computer/network around a security and monitoring strategy. There are four major points of vulnerability that we tell customers to address:

  1. Building security.
  2. Employee security.
  3. Computer Devices security.
  4. Network Security.

Since any one of these points can expose passwords, a systems approach has to be taken

Strategy 4: Authenticate users before they have access behind a firewall. This requires the use of multi-factor authentication. Since the password is only something you know, cards and/or biometrics have to be incorporated.

Strategy 5: A KISS for the employees. That’s right, “Keep It Simple Stupid”. If, and when, security becomes cumbersome to use, not only will employees try to find ways to circumvent it for their personal convenience, but upper management will remove it if it interferes with productivity.

Strategy 6: Implement a password manager (PM) solution that takes the burden of passwords off the user. Not all PMs are the same so find one that incorporates the strategies listed above.

Shameless self-promotion

Access Smart developed Power LogOn to address many of the password problems and security strategies mentioned above.  We want to securely authenticate who is “knocking” on the computer network’s front door. Power LogOn delivers:

  • A Window’s based password manager that allows for very long, complex passwords that the user does not need to know, remember or type. And every site can have its own complex password.
  • Multi-factor authentication with a smartcard, PIN and/or biometrics to first authenticate the owner.
  • Multiple levels of assurances of the person, card, server, data, URL and passwords are checked before user gets past the firewall.
  • Convenience to the user and IT since Power LogOn can be combined with employee ID badges so only one card to manage and carry. Plus, the user’s experience is inserting a card, typing a PIN and/or swiping a finger, and double-clicking the mouse to gain access. Then when the card is removed the user is automatically logged off, and the computer can be locked down or turned off.
  • Power LogOn has multiple uses like logging onto a computer during boot-up, launch access into Forefront’s Identity Manager, log into websites and numerous Windows applications.
  • Power LogOn works with many different off-the-shelf card and reader technologies so existing systems can easily be expanded and replaced.
  • Low cost of ownership in that software licenses are transferable for high employee turnover environments, no annual subscription or renewal fees, no backend server hardware modifications, and implementation is finished in a few days.
  • IT Centralized management of card issuance, password complexity and change frequency, lost/stolen cards, card recovery, and a whole lot more. Power LogOn allows the card to match the security policies while at the same time take the burden of those policies off the employees’ shoulders.
  • Finally, with Power LogOn we have seen the elimination of Post-it Notes “security”.

Power LogOn is designed to work much of your existing computer infrastructure and is scalable from the 5 person office to government agencies with hundreds of thousands of employees. Please look though our website to learn more about Power LogOn or call our office for a free consultation.