Security

Passwords - 64 Characters, Changed Daily? 645

isepic writes "It seems over the past few years that the password requirements have changed - each time making it even more difficult to crack. My company just changed its password requirements from 180 days down to 90 for most servers and from a minimum of six characters up to eight. So, as parallel processing computer clusters gain in power according to Moore's law, how are we expected to change them in the next 2-10 years --- and how often?"

"Hopefully by then, there will be a better way, but I really don't want to have to change my password every 8 hours, and not be able to use the last 5 I've used, AND have them each be some awfully long and complex string of hard-to-remember ASCII codes just because a computer can crack a 32 char password in 10 seconds.

What are your thoughts? Do you think one day we'll be SOL, or do you think something 'better' may come (e.g. biometric scanners on every keyboard and or mouse and or monitor - etc.)"

  • One time use? (Score:5, Informative)

    by slykens ( 85844 ) on Sunday August 08, 2004 @05:29PM (#9915344)
    SecurID and its like are your friends.

    While you maintain a reasonably secure password you're not logging in without the token.
  • Anderson's formula. (Score:5, Informative)

    by Anonymous Coward on Sunday August 08, 2004 @05:37PM (#9915419)
    How long does it take? Use Anderson's formula to figure it out.

    T = N/(PG)

    In this:
    1. T: The time units needed to guess the password
    2. G: The guess rate, or the number of attempts to guess the password in a single time unit
    3. P: The probability you want that the password is guessed. (Or use '1-P' to go the other direction.)
    4. N: The number of possible passwords, usually A^l, where
      1. A: Alphabet used for passwords. E.g., there are 96 printable ASCII characters often used in passwords. Or maybe it's case insensitive, so subtract 26.
      2. l: The number of characters in the minimum password.


    So, let's say you want only a 10% chance your password is guessed. And you estimate an attacker can perform 2,000,000 guesses per second with his drone army. The passwords are from an alphabet of 26 characters, and are a minimum of 4 characters long. That means... (tappity, tappity on the TI calculator)... Um, that means you'll be hacked instantly. :)

    Read more on Anderson's formula by googling. :)
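    A worked version of the comment's calculation, added here as an example (it is not part of the thread). The comment writes the relation as T = N/(PG); the textbook statement of Anderson's formula is P = TG/N, so the time at which the attacker's chance reaches P is T = PN/G, and that is what the code computes. The scenario values are the comment's own (26-letter alphabet, 4 characters, 2,000,000 guesses per second, P = 10%); the "ten years" target and the 62- and 96-symbol alphabets are assumptions chosen to show how length scales.

```python
# Added example (not from the thread): Anderson's formula worked with the
# numbers the comment uses. Textbook form: P = T*G/N, so the time at which
# the attacker's success probability reaches P is T = P*N/G. The comment
# writes it as T = N/(PG); the computation below uses the textbook form.


def password_space(alphabet_size: int, length: int) -> int:
    """N = A^l: the number of candidate passwords of exactly `length` symbols."""
    return alphabet_size ** length


def time_to_probability(p: float, space: int, guesses_per_second: float) -> float:
    """Seconds of guessing after which the attacker has probability p of success
    (T = P*N/G, assuming guesses are spread uniformly over the space)."""
    if not 0 < p <= 1:
        raise ValueError("p must be in (0, 1]")
    return p * space / guesses_per_second


def length_for_target(p: float, alphabet_size: int, guesses_per_second: float,
                      target_seconds: float) -> int:
    """Smallest password length l such that T(P, A^l, G) >= target_seconds.
    Each extra character multiplies N (and so T) by A, which is why one more
    character buys far more than a shorter rotation interval does."""
    length = 1
    while time_to_probability(p, password_space(alphabet_size, length),
                              guesses_per_second) < target_seconds:
        length += 1
    return length


if __name__ == "__main__":
    n = password_space(26, 4)
    print(f"N = 26^4 = {n}")
    print(f"T(10%) = {time_to_probability(0.10, n, 2_000_000):.4f} s  "
          "(the 'hacked instantly' case)")
    ten_years = 10 * 365 * 24 * 3600          # assumed target: 315,360,000 s
    for alphabet in (26, 62, 96):
        print(f"alphabet {alphabet:>2}: length "
              f"{length_for_target(0.10, alphabet, 2_000_000, ten_years)} "
              "needed before a 10% chance takes ten years")
```

Run as a script it prints the 26^4 case (about 0.023 s) and the length needed, per alphabet, before a 10% success chance costs the attacker ten years at that guess rate; raising the guess rate by a factor of A is cancelled by adding one character, so the interesting question for the original poster is how G grows, not how often the password changes.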
  • Re:Simple... (Score:2, Informative)

    by Anonymous Coward on Sunday August 08, 2004 @05:40PM (#9915447)
    you get a hold of the encrypted password and check against that

    The days when anyone on a system could just get all the encrypted passwords are long gone. Getting encrypted passwords requires a root compromise these days. We're not in the 90s anymore. :)

  • crack ratio (Score:3, Informative)

    by epine ( 68316 ) on Sunday August 08, 2004 @05:52PM (#9915515)
    Good grief, people. The size of the password space determines the ratio of the time it takes to check the *entire* password space vs checking only the correct password (normal logon).

    The *absolute* time taken to crack the password space is therefore a function of how long it takes to check a *single* password. This can be any length of time the password validation system wishes to implement (relative to a fixed processing resource).

    There's no reason at all why passwords need to evolve to greater lengths as computers become faster. However, this inflation happens by default if the authentication system does not compensate by implementing constant time password validation as systems become faster.

    A modern computer can validate a password in one microsecond that would have taken one millisecond back in the VAX days. This is one case where increased speed is not, in fact, a good thing.
  • Re:Just do what I do (Score:5, Informative)

    by Antique Geekmeister ( 740220 ) on Sunday August 08, 2004 @05:59PM (#9915562)
    What you are describing encourages universal passwords. Unfortunately, it's not merely password cracking that is a real risk. It's password sniffing, via keyboard monitoring or packet sniffing over unencrypted protocols like FTP, POP3 or IMAP or HTTP without SSL turned on, etc. People are terrible about changing them, and they do tend to rotate them among a very small number of passwords to deal with this.

    Universal sign-on systems such as Kerberos can help this, by enforcing decent password selection and then making it available everywhere without permitting re-use of that small set of passwords. But it's a bear to set up in a small or mixed environment.

    Also, for the original article's point: the difficulty of cracking passwords goes up nominally as the exponent of the password length, the complexity of verifying them or encrypting with keys goes up linearly or maybe as N*logN with the length of the key. Selecting a long enough password, and system keys, to defeat this kind of brute force cracking is quite trivial to do. But getting it adopted, especially in the face of federal policies that prohibit the export of encryption technologies as a "material of war", has crippled encryption techniques for years.

    Get the federal government out of that line of regulation and hardware based encryption to protect your logins from man-in-the-middle password sniffing will be quite cheap, even possible to incorporate as a part of common motherboards and network cards. Until then, though, we're going to have a real risk of people using the same password for years and having it sniffed and used by crackers.
  • by gregmac ( 629064 ) on Sunday August 08, 2004 @06:07PM (#9915616) Homepage
    The only way hackers can check passwords quickly enough to matter is if they manage to obtain access to the file that contains the checksums for the users' passwords. In Linux, at least, this is /etc/shadow, which can only be accessed by root. If a hacker has access to the files owned by root then you have much bigger problems than a hacker trying to guess at users' passwords.

    This raises another good point, where if you're properly controlling the methods to access whatever it is you're protecting, you can cut off someone that's trying to brute force (ie, wrong password 3 times in a row). Then your length isn't going to matter as much.

    You could also go farther, and 'silently' lock them out - no matter what happens, it won't accept the password. Meanwhile, your IDS flags a security event and someone can respond, perhaps while they're still connected.
  • by fbform ( 723771 ) on Sunday August 08, 2004 @06:12PM (#9915648)
    To quote Bruce Perens, if security really matters, you should base it on three things

    Did you perhaps mean Bruce Schneier [schneier.com]? He would be more relevant to security than Bruce Perens [perens.com] is.
  • Re:Just do what I do (Score:5, Informative)

    by Harald Paulsen ( 621759 ) on Sunday August 08, 2004 @06:19PM (#9915693) Homepage
    The problem isn't having a policy, or having a boss tell you to use a safe password. The problem is that the boss somehow feels he should be exempt from the password policy. Ironically enough, the people in command who wear a suit usually have the simplest passwords. They also have access to most of the sensitive information.
  • by Elektrance ( 310019 ) on Sunday August 08, 2004 @06:20PM (#9915709)
    I happened to remember this study [cam.ac.uk] which compares passphrases and random passwords.

    I found it interesting that passphrases are just as secure as random passwords, and as easy to remember as dictionary based passwords.

    A 10 character passphrase based password is very hard to brute force.
  • Re:Biometrics (Score:3, Informative)

    by Coryoth ( 254751 ) on Sunday August 08, 2004 @06:55PM (#9915923) Homepage Journal
    Oh, that'll be just great. Chopping off fingers and plucking out eyeballs will be the new definition of "social engineering".

    No need for that. I saw a presentation at AsiaCrypt a couple of years ago where a guy successfully managed to create an artificial fingerprint good enough to fool pretty much all the commercial fingerprint scanners tested using only a fingerprint left behind on a glass, and pretty much commodity hardware (he did use one somewhat obscure device but that was still only a couple thousand dollars). This wasn't spy movie crap - this was an actual research project. Current fingerprint scanners are, quite simply, complete crap.

    Jedidiah.
  • Re:Just do what I do (Score:5, Informative)

    by Pharmboy ( 216950 ) on Sunday August 08, 2004 @06:59PM (#9915945) Journal
    The point is that a moving target is harder to hit.

    Statistically, that is false for a one-time event. If someone today is trying to break your 14 character password, it doesn't matter when you changed it.

    And vacation? I check my servers every day on vacation. Only takes a few minutes to ssh in. Yes, it's vacation, but I would rather check the logs for 5 minutes a day than spend 7 days recovering from a fatal problem that might have been averted.
  • Re:Just do what I do (Score:3, Informative)

    by Bronster ( 13157 ) <slashdot@brong.net> on Sunday August 08, 2004 @07:01PM (#9915953) Homepage
    Consider the number guessing game, where you pick a number and someone tries to guess it. The game would be much harder if you were allowed to change the number. In fact the game would become impossible to lose.

    I was with you until the bold bit.

    If you're allowed to change the number after the guess, then sure - it's impossible to guess. Otherwise, if you're only allowed to change it between guesses, then the fact that I guess 517 right after you chose it means I win - regardless of how long it took to get there.

    If you're considering a game where you have to say "higher" or "lower" - well, that doesn't map at all to the problem space here - all you get is "yes" or "no" from a login prompt.

    Any algorithm which leaks partial correctness (e.g. measurably faster or slower response if you get the first letter correct) is going to break quickly anyway - just check out the SSH hacks based on the timing of typed letters to work out the length of a password and get a pretty good guess at the letters as well.
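    To make the "partial correctness" leak concrete, here is an added example (not part of the thread) in Python: a comparison that stops at the first mismatching byte does an amount of work that depends on how many leading bytes the guess got right, which is exactly the signal a timing measurement recovers. The number of bytes examined stands in for the response time; the secret and guesses are constructed. `hmac.compare_digest` from the standard library is the constant-time replacement.

```python
# Added example (not from the thread): an early-exit comparison leaks how
# many leading bytes of a guess were right; hmac.compare_digest does not.
import hmac


def naive_equal(candidate: bytes, secret: bytes):
    """Early-exit comparison. Returns (equal, bytes_examined); the second
    value is the work done, i.e. what an attacker would see as elapsed time."""
    examined = 0
    for x, y in zip(candidate, secret):
        examined += 1
        if x != y:
            return False, examined
    return len(candidate) == len(secret), examined


def constant_time_equal(candidate: bytes, secret: bytes) -> bool:
    """Work done does not depend on where the first mismatch is."""
    return hmac.compare_digest(candidate, secret)


def leak_profile(secret: bytes, guesses) -> dict:
    """How many bytes the naive comparison 'confirms' for each guess."""
    return {g: naive_equal(g, secret)[1] for g in guesses}


if __name__ == "__main__":
    SECRET = b"hunter2"   # constructed secret
    print(leak_profile(SECRET, [b"aaaaaaa", b"haaaaaa", b"huntaaa", b"hunter2"]))
    print(constant_time_equal(b"hunter2", SECRET), constant_time_equal(b"hunter3", SECRET))
```

The profile printed by the script climbs 1, 2, 5, 7 as each guess gets more of the prefix right, which is the leak the comment describes; `constant_time_equal` gives the attacker only the yes/no answer. Note that `compare_digest` still reveals whether the two lengths differ, so compare fixed-length digests (hash both sides first) rather than raw passwords.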
  • by betonklink ( 631989 ) on Sunday August 08, 2004 @07:30PM (#9916150)
    You don't need more difficult algorithms to do this. The password function should just wait a second or two before returning the result. The user won't notice a difference, and the cracker's computer speed becomes meaningless.
    I could be wrong.
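    An added example (not part of the thread) of the "make a single check slow" idea from epine's comment above, which also shows why the fixed sleep suggested just above is not enough on its own: a sleep in the login path only slows an attacker who goes through the login prompt, while someone holding the hash file runs the verification in their own code and skips the sleep. The cost therefore has to sit inside the hash function, here PBKDF2-HMAC-SHA256 from the Python standard library with an iteration count calibrated on the host. The record format, the calibration target and the 2,000,000 hashes-per-second figure are assumptions.

```python
# Added example (not from the thread): a deliberately expensive password
# check with PBKDF2, so that the attacker's guess rate G scales down as
# hardware scales up. The iteration count is calibrated on this machine.
import hashlib
import hmac
import os
import time


def calibrate_iterations(target_seconds: float = 0.25, start: int = 10_000,
                         ceiling: int = 50_000_000) -> int:
    """Double the PBKDF2 iteration count until one check takes about
    target_seconds here. Re-run after a hardware upgrade and re-hash on login."""
    iterations = start
    while iterations < ceiling:
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"calibration", b"\x00" * 16, iterations)
        if time.perf_counter() - t0 >= target_seconds:
            break
        iterations *= 2
    return iterations


def hash_password(password: str, iterations: int, salt: bytes = None) -> str:
    """Self-describing record (assumed format): algorithm$iterations$salt$key."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    algorithm, iterations, salt_hex, dk_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported hash record")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def offline_guesses_per_second(raw_hashes_per_second: float, iterations: int) -> float:
    """Attacker's effective G: each candidate now costs `iterations`
    HMAC-SHA256 computations instead of one."""
    return raw_hashes_per_second / iterations


if __name__ == "__main__":
    iters = calibrate_iterations(0.25)
    record = hash_password("correct horse battery staple", iters)
    print(record)
    print("verify ok: ", verify_password("correct horse battery staple", record))
    print("verify bad:", verify_password("Correct horse battery staple", record))
    # constructed figure: 2,000,000 raw hashes/s, as in the Anderson comment
    print(f"effective G at {iters} iterations: "
          f"{offline_guesses_per_second(2_000_000, iters):.2f} guesses/s")
```

The iteration count is stored with the hash so that old records stay verifiable while new logins are re-hashed at the current cost; the calibration step is what keeps the check "constant time" across hardware generations, which is the compensation epine's comment says most authentication systems never do.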
  • by dylanm ( 159359 ) <dmacniven AT hotmail DOT com> on Sunday August 08, 2004 @11:57PM (#9917573)
    We used to have to change our password every month to a new 10 char (it remembered last 5). I used to just run this VB script:

    Const ADS_SECURE_AUTHENTICATION = 1 ' ADSI flag; not predefined in VBScript
    YOURDOMAIN = "YOURDOMAIN" ' need to change this to your NT domain name
    user = InputBox("Enter username")
    pass = InputBox("Enter password")
    Set ns = GetObject("WinNT:")
    ' bind to the user object with the caller's own credentials
    Set usr = ns.OpenDSObject("WinNT://" & YOURDOMAIN & "/" & user & ",user", user, pass, ADS_SECURE_AUTHENTICATION)
    ' cycle through five throwaway passwords to flush the history, then set the original back
    usr.ChangePassword pass, "qazwsxedc1"
    usr.ChangePassword "qazwsxedc1", "plmoknijb2"
    usr.ChangePassword "plmoknijb2", "owidcjdcd3"
    usr.ChangePassword "owidcjdcd3", "iojcdswdo4"
    usr.ChangePassword "iojcdswdo4", "vownmdicm5"
    usr.ChangePassword "vownmdicm5", pass
    MsgBox("Password Changed (not really)")
  • Re:Just do what I do (Score:2, Informative)

    by Clemensa ( 800698 ) <Aranell@gmai[ ]om ['l.c' in gap]> on Monday August 09, 2004 @03:54AM (#9918332)
    Frankly, I think the best bet is to encourage users to just select longish (>8 characters), complex passwords (no word substrings, more than just alphabetic characters, etc.), but don't force them to change them. After all, brute-forcing a complex, 8-character password is still a fairly difficult process. Sometimes, I think the simpler passwords would be easier. I've just inherited a network which was using 4 character passwords. So I changed it so the users had to use at least 8 chars, 20 password history plus complexity. I spent 2 days solid answering password questions and resetting passwords (bear in mind we only have about 50 employees here). Even now, when they have to change passwords, they can't. Quite a few of them I've had to change off the server for them. Which defeats the whole purpose of passwords because not only do I know the password, but anyone who has been listening to my conversation will know the password. They then tell the person next to them their new password in case they forget it. Or they'll write it down on a piece of paper (note that using password1, password2, password3 is not permitted any more) and stick it to their monitor. The more times you ask them to change their password, or the more complexity/length you ask them to have, the more common it is for them to either not be capable of changing their own password, and/or not able to remember it...
  • Re:Just do what I do (Score:2, Informative)

    by MrNemesis ( 587188 ) on Monday August 09, 2004 @11:09AM (#9920220) Homepage Journal
    Damn straight.

    At the company I work for, we often have highly sensitive (legal) data that we're forever scared shitless of contaminating some other entirely different data. Hence the boss insisted we have an enormously complicated login structure, so that if you're working on case X, it's impossible to even be aware that case Y exists.

    Then the boss insists I give him an account with root level access to all the work because he says it takes too long switching between accounts.

    Entire point of this whole exercise? Nothing.
  • Re:Just do what I do (Score:3, Informative)

    by JWSmythe ( 446288 ) * <jwsmytheNO@SPAMjwsmythe.com> on Tuesday August 10, 2004 @01:29AM (#9926765) Homepage Journal

    APC masterswitches do that. Well, it locks you out after x attempts for x minutes.

    It became a pain in the ass when some winner started trying to password scan one of the masterswitches. A machine went down, and everyone was locked out from it. They had just left the scanner running, so after the lockout time, it would get locked out again.

    We moved them to a private network, and voila, everything works fine now. :)

    People try to brute force so many various passwords, this seems like a really bad idea, unless your username is random also, and no one happens to know it. There's nothing like explaining to the boss that you couldn't hit a downed machine with the masterswitch because you were locked out, and it took 1 hour for someone to respond to the site just to reboot the machine.
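    An added example (not part of the thread, and not the masterswitch's code) that ties gregmac's "three wrong passwords and you're cut off" rule above to the failure mode JWSmythe describes here: a throttle keyed on the account lets an unattended scanner lock the real administrator out, while a throttle keyed on the source address does not. The addresses, times, limits and the stand-in secret are all constructed; nothing talks to a real system.

```python
# Added example (not from the thread): a login throttle that locks either
# the account (the masterswitch behaviour) or the source address, with a
# scenario showing why account-only lockout is a denial-of-service handle
# for anyone who can reach the login prompt. All values are constructed.
import hmac
from collections import defaultdict

SECRET = "correct-horse"   # constructed stand-in for the real credential


class LoginThrottle:
    def __init__(self, limit=3, lock_seconds=600, per_source=False, silent=False):
        self.limit = limit
        self.lock_seconds = lock_seconds
        self.per_source = per_source      # True: lock the source, not the account
        self.silent = silent              # True: locked callers just see "denied"
        self.failures = defaultdict(int)  # key -> consecutive failures
        self.locked_until = {}            # key -> time the lock expires
        self.events = []                  # what an IDS would be handed

    def _key(self, user, source):
        return source if self.per_source else user

    def attempt(self, user, source, password, now):
        """Returns 'ok', 'denied' or 'locked' ('locked' only when not silent)."""
        key = self._key(user, source)
        if now < self.locked_until.get(key, 0):
            self.events.append(("locked_attempt", user, source, now))
            return "denied" if self.silent else "locked"
        if hmac.compare_digest(password, SECRET):
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        if self.failures[key] >= self.limit:
            self.failures[key] = 0
            self.locked_until[key] = now + self.lock_seconds
            self.events.append(("lockout", user, source, now))
        return "denied"


def scanner_scenario(per_source: bool, silent: bool = False) -> str:
    """A scanner at 10.0.0.99 sends five wrong passwords for 'admin' at t=0..4;
    the real admin connects from 192.0.2.10 at t=10. Returns the admin's result."""
    t = LoginThrottle(limit=3, lock_seconds=600, per_source=per_source, silent=silent)
    for i in range(5):
        t.attempt("admin", "10.0.0.99", f"guess{i}", now=i)
    return t.attempt("admin", "192.0.2.10", SECRET, now=10)


if __name__ == "__main__":
    print("account lockout, admin gets:", scanner_scenario(per_source=False))
    print("source lockout,  admin gets:", scanner_scenario(per_source=True))
```

With `per_source=False` the admin is refused for the rest of the lock window even though the password is right, and a scanner left running re-locks the account every time the window expires; with `per_source=True` only the scanner's address is held, and the `events` list still gives the IDS something to act on. Source keying has its own limits (many sources, or legitimate users behind one NAT), which is why moving the device off the reachable network, as the comment did, is the stronger fix.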