Security

Are Often-Changed Long Passwords Really Secure?

Zweistein_42 asks: "I work at a large, navy-coloured IT corporation. A new, more secured password policy has just taken effect and will be strictly enforced: 8 characters alphanumeric, changed *every 90 days*, with standard checks for non-repetitiveness, dictionary, uniqueness, etc. Is there any research to support whether such requirements actually increase security?"
"I have almost a dozen applications I use daily (e-mail, VPN, Windows login, intranet, FTP, etc), plus 20-30 I access 'occasionally', and their passwords have to be unique - and change at different times. I usually take the trouble to memorize random alphanumeric, un-guessable combinations; but even I won't bother memorizing an average of 2 random strings a week. Eventually, won't most people use their pets' names (fuzzy1cat, fuzzy2cat, etc) and start writing passwords on a note on their screen?

Every time I see such a policy, I strongly believe it makes *my* passwords less secure. What is the average user's reaction? What about lost & support time trying to regain forgotten passwords?"
  • This is the reason (Score:5, Interesting)

    by popeyethesailor ( 325796 ) on Tuesday February 01, 2005 @08:10AM (#11538756)
    things like SecurID [rsasecurity.com] were invented.. 2-factor authentication eliminates most of these special requirements.
  • Password Safe (Score:5, Interesting)

    by MaccaUK ( 761566 ) on Tuesday February 01, 2005 @08:17AM (#11538781) Homepage
    Funnily enough, the use of a password safe - an app that keeps track of multiple passwords, similar to Apple's Keychain - is available (even encouraged) in that blue company :-)

    Of course, it's kind of a single point of failure in terms of security, if you don't take into account the need to use a boot password and Windows login. Also, if your laptop dies... and you haven't backed up the password file...

  • Long passwords (Score:5, Interesting)

    by Masa ( 74401 ) on Tuesday February 01, 2005 @08:32AM (#11538843) Journal
    "A new, more secured password policy has just taken effect and will be strictly enforced: 8 characters alphanumeric, changed *every 90 days*"

    So? In the company I'm working for, we have a policy that the password has to be at least 10 characters long, alphanumeric mixed case, and it will change *every 30 days*. And the new password can't be the same as any of the last 10.

    I have solved the problem of memorizing these passwords by using source code as a password. For example: "printf("Hello, World!");" should be complex enough and it is relatively easy to remember.

    To your question: No, I don't know if the longer, more complex passwords are actually more secure / cost efficient than shorter ones, because of the side effects caused by difficult-to-remember passwords. But at least this kind of policy prevents the most trivial dictionary attacks. It's a completely different story how else the security is taken care of (i.e. educating the personnel, so there will not be any post-it notes lying around, and other forms of security, because it's all about layers).
  • by Anonymous Coward on Tuesday February 01, 2005 @08:42AM (#11538881)
    (Navy-colored company, but I'm staying cloaked.)

    The Italians enacted some sort of privacy-oriented legislation which required these password rules. Because the Navy-colored company does business in Italy, and wants uniform rules throughout the company, they propagated this change throughout the company.

    Like it or not, secure or not, that's where it came from.

    Don't focus on this as the single point of security stupidity - there are far worse. We won't mention them, however.
  • Kerberos (Score:2, Interesting)

    by Trevelyan ( 535381 ) on Tuesday February 01, 2005 @09:06AM (#11539013)
    Isn't this the point of things like Kerberos, i.e. to provide single sign-on in your network, so you don't have to remember lists of passwords?

    Integrate it with PAM, and then you'll get a ticket when you log in that will be used to authenticate you when you access things like the FTP or mail server.

    Of course this won't help with off-site logins, but at the point you use them you have access to the already mentioned password safes or security managers (e.g. Mozilla's PSM or KDE's wallet).

    As to the original point, the more checks you can do for a good password the better, but a 3-month life undermines any effort made to generate a good password.

    I don't see the point of changing passwords, unless you can't keep it to yourself. Most methods of gaining your password are not affected by its age (e.g. sniff the wire, brute force, social engineering (is a subsequent password going to be any less dependent on your frame of mind than the last?)). Then, once 'they' have it, they're likely to install another method of access ASAP and are then no longer dependent on knowing your password.
  • Security D'ohLTs (Score:4, Interesting)

    by paol ( 461811 ) on Tuesday February 01, 2005 @09:12AM (#11539057)
    Bruce Tognazzini has covered this kind of stupidity before.

    "I've been watching security people for years as they've slowly increased the security of everything they can get their hands on until any idiot can wander in.
    (...)
    My wife, the Doctor, was working over the summer at a local hospital. They are fiercely into security, requiring no fewer than four sets of passwords to navigate their system. And why not? There are confidential patient records on those systems! By golly, they ought to have eight sets of passwords, and really make things secure!"

    Read it: http://asktog.com/columns/058SecurityD'ohlts.html [asktog.com]. Better yet, have the people who are implementing this policy read it. Point out it's by one of the leading usability experts in the world. Odds are it won't change anything, but hey at least you tried...

  • by museumpeace ( 735109 ) on Tuesday February 01, 2005 @09:20AM (#11539097) Journal
    My company just upped the ante for anyone trying to guess one of our passwords...min of 10 characters, of which at least one each of UPPER CASE, special, numeric and lowercase are required...It's hard to produce a memorable password under these conditions. I have about a dozen passwords to remember between the various OSes, LAN security, Mail, and then there is my firewall and systems at home.
    One way to handle it all is to write a script that can deterministically convert some string that you can remember into a password conforming to a parametrically selected rule [e.g. 12 chars, mixed case and numerics, no specials]. I wrote one of these generators in AWK since I have unix boxes at work and run a cygnus shell at home...it even takes account of the date [per GMT] so that I get a fresh PSWD every 3 months but can always reconstruct past passwords in a pinch with an override date. I only have to remember my "open sesame" and nothing is ever written down or stored.
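The deterministic generator the post describes (memorable phrase plus a date-selected quarter, converted into a password that satisfies a chosen rule, with an override date to reproduce an old password), as an added example that is not the poster's AWK script. Everything here is an assumption: the rule names, the use of PBKDF2-SHA256 as the conversion step, the quarter labelling, and the sample accounts and phrase. The one caveat worth stating for a scheme like this is that every derived password is only as strong as the master phrase, because anyone who learns it and the scheme can regenerate them all; the slow key-derivation step is there so that a single leaked derived password does not make guessing the phrase cheap.

```python
import datetime
import hashlib
import string

SPECIALS = "!@#$%^&*-_=+"

# Password rules in the spirit of the post's "parametrically selected rule".
# Rule names and contents are assumptions for this example.
RULES = {
    "alnum12": {  # 12 chars, mixed case and numerics, no specials
        "length": 12,
        "alphabet": string.ascii_letters + string.digits,
        "required": (string.ascii_lowercase, string.ascii_uppercase, string.digits),
    },
    "complex10": {  # the 10-char, four-character-class rule the post describes
        "length": 10,
        "alphabet": string.ascii_letters + string.digits + SPECIALS,
        "required": (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, SPECIALS),
    },
}


def quarter_label(day: datetime.date) -> str:
    """Label of the 90-day rotation window a date falls in, e.g. '2005Q1'."""
    return f"{day.year}Q{(day.month - 1) // 3 + 1}"


def _chars_from_bytes(data: bytes, alphabet: str, length: int):
    """Map bytes onto alphabet symbols with rejection sampling, so no symbol is
    favoured by modulo bias. Returns None if the bytes run out first."""
    n = len(alphabet)
    limit = 256 - (256 % n)  # largest multiple of n that fits in one byte
    out = []
    for b in data:
        if b < limit:
            out.append(alphabet[b % n])
            if len(out) == length:
                return "".join(out)
    return None


def derive_password(master: str, account: str, rule: str, day=None) -> str:
    """Deterministically derive the password for `account` valid in the quarter
    containing `day`. `day` may be a datetime.date, an ISO date string (the
    post's "override date" for reconstructing an old password), or None for
    today in UTC."""
    if day is None:
        day = datetime.datetime.now(datetime.timezone.utc).date()
    elif isinstance(day, str):
        day = datetime.date.fromisoformat(day)
    spec = RULES[rule]
    salt = f"{account}|{rule}|{quarter_label(day)}".encode()
    counter = 0
    while True:
        # Slow KDF: guessing the master phrase from one leaked password stays
        # expensive. The counter makes retries deterministic as well.
        material = hashlib.pbkdf2_hmac(
            "sha256", master.encode(), salt + counter.to_bytes(4, "big"),
            100_000, dklen=64)
        candidate = _chars_from_bytes(material, spec["alphabet"], spec["length"])
        if candidate and all(any(c in cls for c in candidate)
                             for cls in spec["required"]):
            return candidate
        counter += 1  # missed a required class (or ran out of bytes): retry


if __name__ == "__main__":
    # Constructed sample: one password per account per quarter; an override
    # date reproduces a past quarter's password.
    print(derive_password("open sesame", "vpn", "alnum12", "2005-02-01"))
    print(derive_password("open sesame", "vpn", "alnum12", "2005-03-30"))  # same quarter
    print(derive_password("open sesame", "vpn", "alnum12", "2005-05-01"))  # next quarter
    print(derive_password("open sesame", "mail", "complex10", "2005-02-01"))
```

Because the quarter is part of the salt, the same phrase gives the same password for any date inside one 90-day window and a different one in the next, which is exactly the "fresh password every 3 months, old ones reconstructible" behaviour the post describes.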
  • Absolutely (Score:3, Interesting)

    by bryanp ( 160522 ) on Tuesday February 01, 2005 @09:31AM (#11539165)
    Every 90 days has been the standard everywhere I've worked. For us Sysadmin types it's every 30 days. I can keep up with it, but many end users with the 90 day restriction do exactly as you describe. They write them down, they use the same repetitive patterns, whatever. One user I used to support had a page of passwords in a little notepad he kept in his desk.

    All I can really do is tell them the truth: If anyone gets on the network with their credentials they will be held responsible for what happens. It's hard enough just getting people to lock their screens when they go to lunch. One user got reamed out pretty badly when someone used her email account to send a scathing note to the CEO. The only reason she didn't get fired is that she was at lunch with several people who could vouch for her whereabouts at the moment the email was sent.

  • by hankwang ( 413283 ) * on Tuesday February 01, 2005 @09:31AM (#11539167) Homepage
    I have stored all my passwords encrypted, with a script to easily access them... The essential part is:
    #!/bin/sh
    # $pwf is the path of the encrypted password file without its .gpg suffix;
    # $1 is the start-of-line pattern of the entry to display.
    pwf="$HOME/passwords"   # placeholder path, not from the original post
    stty -echo              # don't echo the master passphrase while it is typed
    read pw
    stty echo
    echo "$pw" |
    gpg --no-secmem-warning --decrypt --passphrase-fd 0 "$pwf.gpg" |
    perl -ne "if (/^$1/)"' { s|\[([^ ]+)\]|[\033[40;30m$1\033[0m]|; print; }' |
    less -r                 # -r passes the escape codes through, so [...] renders black on black
    The passwords are enclosed in [] and the script displays the password in "black-on-black", so that you can copy-paste it without anybody looking over your shoulder seeing it, or you remembering it.

    And the master password to this file hasn't ever changed... heh

  • stealth one time pad (Score:2, Interesting)

    by zogger ( 617870 ) on Tuesday February 01, 2005 @11:35AM (#11540380) Homepage Journal
    just use a paperback book, change the book occasionally. All you have to remember is the page number, paragraph number and line number, those are your random digits that preface or follow the letters. They refer to the phrase or sentence in that location, where you get your letters. Interposing can be your choice of course, straight ahead or rotating backwards to forwards, etc. Example page *237(insert first word)*, paragraph *5(insert first word)*, line *4(insert first word)*. Ton of variations on that theme, and in this example you only need to remember *23754* in case you forget the entire passphrase sequence. The book can be an ebook for that matter on your PDA or any other stealthy/innocent written thing you have handy. Throw in some special characters and it gets even more difficult of course, or instead of inserting a word, do several words that you find there within the number and special characters. You can add an additional wildcard to help stop a dictionary attack on the word, add a 4th digit, that reminds you to remove every 4th letter from every word for example, or add a special character at that place. So then you would only have to remember in this example *237544(insert special character to remember this cycle)* for your hint. One more number added to the initial memorized number is an additional hint as to where to look if you forget the whole thing, example, 2375448 would be a hint to look at book 8 for the other hints on your shelf of tech books perhaps.

    One time pads especially when it's only you using them and not two or more people are a good thing. Of course it won't beat a boss injected keylogger someplace in the mix. In this example, even if joe bad guy has your book,and knows you are using it, those sorts of combinations are immense, especially with the special characters on the keyboard to use. And if it's gotten that far you are most likely cooked anyway, so time for plan B to avoid the rubber hoses, heh. I recommend a .45, a bag of cash in well used bills, several gold pieces, and a really fast motorcycle. Might as well have fun during your escape I always say;) Oh and don't forget the self destruct key for your cubicle....

    Don't want to use a book, you can use something like the playlist and metadata for the song on your music player gadget. Example song 909, beatles, heyjude, something minutes and seconds or something KB in song length, etc. You only need to remember one song title per 90 day period then, along with the original placement number in the menu.

    Ton of ways to do a one time pad variant easily, you just want it stealthy so no one realises that's where your passphrase hint is stored. Do you get any quarterly journals of the dead trees variety? You can use that, fits the 90 day rule too, and an excuse to have that journal kicking around already. You could do it optically with random "things" that are around your office. Look up, you might have a calendar, some houseplant, a picture in a frame, the color of the wall, how many tiles on the ceiling between x place and y place in the office, etc. Just rotate your junk around, then all you have to do is look at the placements, along with that quarter's number sequence you remember. Example number 48910(wildcard character), this quarter's passphrase might be january4*spiderplant8*mom9*cream10*

    have fun

  • by Bastian ( 66383 ) on Tuesday February 01, 2005 @01:09PM (#11541561)
    I hacked my own together with a USB key containing an encrypted keychain and encrypted copies of my SSH key files. (Granted, I have no idea if a PC equivalent exists - my office lives in Mac-and-Unix-Land.) The keychain is backed up to another secure location every time I add or change a password, because the passwords I use look like what you get when you fall asleep on the keyboard. The USB key comes with me when I leave the computer, and the keychain gets locked automatically after 10 minutes in case I forget.

    Not perfect, but it's better than post-it notes, and it does implement its own version of the "something you have and something you know" philosophy.
  • secstore (Score:3, Interesting)

    by DrSkwid ( 118965 ) on Tuesday February 01, 2005 @01:49PM (#11542083) Journal
    I use secstore [bell-labs.com], I don't have to remember my passwords and they can be as long and as random as I like.

    All I need is the password to secstore, which, in my case, is on the LAN.

    secstore client - man page [swtch.com] - for non-plan9 systems is now available as part of the Plan 9 from User Space [swtch.com] project.

  • by Ararat ( 716144 ) on Wednesday February 02, 2005 @06:01AM (#11549039)
    Well, one of the reasons. Two-factor authentication was defined (as I recall, by the US Bureau of Standards in the mid-70s) as any AAA system that requires presentation of two of the three factors (something held, something known, something one is), but there was originally an additional requirement: one of those factors must be resistant to replay, dynamic.

    Sniff and replay were then, and in many places still are today, a prominent security threat -- and that threat grew exponentially with the evolution of local nets, and then exploded in scale and volume with the Internet.
    The SecurID, or any One-time Password (OTP) used to provide "strong authentication," does indeed obviate the need for all the Draconian rules now used to buttress the static reusable password or passphrase. In '87, however, as the SecurID was first brought to market, we never thought the static password would survive, no matter how complex it became, because it had none of the inherent resistance to eavesdroppers provided by a dynamic password.

    We never dreamed that -- to save, per user, the price of a keyboard -- the corporate bean counters would stay committed to static reusable passwords for another 20 years, using these increasingly painful routines to make those passwords more resistant to guessing, dictionary, and now pre-computed hash attacks. Nor did we expect that the market would consistently undervalue one of the token's core virtues: its resistance to sniff and replay.

    We thought it was obvious that a password, however strong, could never be enough.
  • Passwordsafe (Score:3, Interesting)

    by bLanark ( 123342 ) on Thursday February 03, 2005 @08:46AM (#11560953)
    Look into PasswordSafe [sourceforge.net].

    I think that the project was begun by Bruce Schneier, of "Applied Cryptography", "Secrets and Lies" and "Crypto-Gram" fame. But now the utility is open-source and multi-platform.

  • Re:passwords.... (Score:5, Interesting)

    by BlueTooth ( 102363 ) on Thursday February 03, 2005 @07:46PM (#11567926) Homepage
    I compartmentalize my passwords. And I rotate what password fits into any given compartment.

    So the compartments, from most to least secure:
    -root on a machine (different for every account)
    -user accounts (for the Windows and *NIX machines I log onto)
    -email systems
    -financial sites
    -shopping sites (i.e. that store credit cards)
    -forums, etc... (sites for which I assume the Joe Schmoe admin can see my password in cleartext)

    I generally rotate in a new password every year or two. So even if you r00t me, you still can't get into my bank account...for that you need to r00t my bank ;)
  • English entropy (Score:3, Interesting)

    by Peaker ( 72084 ) <gnupeaker@nOSPAM.yahoo.com> on Saturday February 12, 2005 @10:18PM (#11656074) Homepage
    Using passwords which are correct English sentences isn't much better.

    Correct English sentences have about 1.2 bits per character. That means that for 10 words of 5 characters each, you have 50 characters which are 60 entropic bits (~7.5 entropic bytes).

    That is as strong as a 10-character password, or so, but much much longer.

    Not sure this is the solution.
    I think that whatever is easy to remember, is easy to remember because it has low entropy and is easy to attack.

    The solution might be to use non-human memory? USB disk-on-keys containing crypto keys?
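The entropy arithmetic in the post above (1.2 bits per character of English, so 50 characters carry about 60 bits, roughly a 10-character random password), carried through for the policies mentioned in this thread, as an added example that is not part of any post. It goes one step beyond the post by also asking the submitter's original question in numbers: a rotation period only blunts offline guessing if the whole search space takes longer to cover than the password stays valid. The guess rate is a constructed assumption for an attacker working offline against a fast unsalted hash, not a figure from the thread; the function and policy names are likewise assumptions.

```python
import math

SECONDS_PER_DAY = 86_400


def random_password_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def english_sentence_bits(n_chars: int, bits_per_char: float = 1.2) -> float:
    """Entropy of an English sentence at the post's figure of 1.2 bits/character."""
    return n_chars * bits_per_char


def equivalent_random_length(bits: float, alphabet_size: int) -> int:
    """Shortest uniformly random password over `alphabet_size` symbols that
    carries at least `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


def days_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Days needed to try every candidate at the given guess rate (the attacker's
    worst case; on average the password falls after half that)."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_DAY


def rotation_helps(bits: float, guesses_per_second: float, rotation_days: int) -> bool:
    """Rotation only matters against offline guessing when the search space
    outlasts the period for which the password stays valid."""
    return days_to_exhaust(bits, guesses_per_second) > rotation_days


# Constructed assumption: offline guessing against a fast unsalted hash.
ASSUMED_GUESSES_PER_SECOND = 1e9

# Policies mentioned in the thread: (entropy in bits, rotation period in days).
POLICIES = {
    "8 alphanumeric, 90-day rotation": (random_password_bits(62, 8), 90),
    "10 mixed-case alphanumeric, 30-day rotation": (random_password_bits(62, 10), 30),
    "50-char English sentence (10 five-letter words)": (english_sentence_bits(50), 90),
    "12 random printable ASCII": (random_password_bits(95, 12), 90),
}


def compare_policies(guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> dict:
    """Per policy: entropy, equivalent random alphanumeric length, days to
    exhaust the space, and whether the stated rotation period helps at all."""
    report = {}
    for name, (bits, rotation_days) in POLICIES.items():
        report[name] = {
            "bits": round(bits, 1),
            "equivalent_alnum_length": equivalent_random_length(bits, 62),
            "days_to_exhaust": round(days_to_exhaust(bits, guesses_per_second), 1),
            "rotation_helps": rotation_helps(bits, guesses_per_second, rotation_days),
        }
    return report


if __name__ == "__main__":
    for name, row in compare_policies().items():
        print(f"{name}: {row}")
```

At the assumed rate the 8-character alphanumeric space (about 47.6 bits) is exhausted in under three days, so a 90-day rotation does nothing against that attacker; the 50-character sentence and the 10-character mixed-case policy both sit near 60 bits and take decades, which is the comparison the post is making.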
  • Re:passwords.... (Score:3, Interesting)

    by smeenz ( 652345 ) on Saturday February 12, 2005 @10:39PM (#11656210) Homepage
    I would only ever use the same password on systems that have the same administrator running them.. i.e., I'll never use my email password for my bank, or my netware password for unix boxes. That's not to say that I *do* use the same password on all those systems.

    Common sense, I would have thought.
