The Center for Password Sanity

This site examines the problems of passwords as used in the real world by real people. The point is to establish a reasonably accurate assessment of how much safety passwords can really provide. In particular, we must avoid making matters worse when trying to make password systems stronger.

I welcome comments, suggestions, confessions, and war stories about passwords and other authentication techniques. Send me e-mail if you have something interesting to say or you're looking for something in particular.


 Problem Statement

 Dilbert cartoon: Mordac gives Dilbert typical password rules that people can't follow in practice

  DILBERT © United Media, used by permission

Computer security experts have been promoting Mordac's list of rules (or worse) for so many years that some experts have a hard time realizing just how absurd the rules have become. The rule set was driven by technical requirements backed up by simple arithmetic: if your password is chosen from among such-and-such many alternatives and it's changed so often, then attackers are unlikely to guess it, even through an off-line trial-and-error search at high computational speeds. Unfortunately, this rule-making process has rarely considered the limitations of human memory. This yields false security, a population of guilty or furious users, and a lot of time wasted with password recovery procedures that are themselves vulnerable to social engineering.

See the paper Avoiding Risky Password Rules for a brief review of Mordac's password guidelines. A similar discussion appears in the first section of the paper The Strong Password Dilemma. For an unvarnished look at what "real" passwords look like, see Famous Passwords.


The Strong Password Dilemma

After years of attacks on password systems, security experts have formulated numerous recommendations for how to select passwords that resist those attacks.

The recommendations are best summarized as follows:

Passwords should be impossible to remember and never written down.

The paper The Strong Password Dilemma starts by tracing the evolution of a typical set of strong password rules and examines the human factors implications of typical password systems. The paper also shows how often people will hide passwords around their work area and illustrates the degree to which this reduces the apparent strength of passwords.

This paper is an excerpt from Chapter 6 of Authentication, reprinted in the CSI Computer Security Journal. To buy a copy of Authentication, click here.


Password Policy Recommendations

The following two papers discuss common features of policies that can actually reduce the security of the password system in typical instances.

This paper reviews common rules for password selection and use, explains the rationales for those rules, and why the rules often backfire in practice.
Periodic password changes were introduced to reduce the risk of certain types of trial-and-error guessing attacks against passwords. In practice, periodic changes have a very limited positive effect at best, and often open the system up to even easier attacks.
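The "simple arithmetic" behind Mordac's rules, and the reason periodic changes buy so little, can be made concrete. The script below is an added example written for this page; it is not code from Rick Smith or from any of the papers listed here. It assumes a uniformly chosen password (so an attacker trying distinct candidates succeeds with probability equal to the fraction of the space searched), and the guess rates and change period it uses are constructed illustrations, not measurements.

```python
import math

SECONDS_PER_DAY = 86_400


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Strength of a uniformly chosen password, in bits (log2 of the number of alternatives)."""
    return math.log2(space)


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Time an attacker needs to try every password in the space at the given rate."""
    return space / guesses_per_second


def fraction_searched_before_change(space: int, guesses_per_second: float,
                                    change_period_days: float) -> float:
    """Share of the space an attacker can cover before the password is retired.

    For a uniformly chosen password this is also the attacker's probability of
    success within one change period (capped at 1.0 once the space is exhausted).
    """
    guesses = guesses_per_second * change_period_days * SECONDS_PER_DAY
    return min(1.0, guesses / space)


def change_period_report(space: int, change_period_days: float) -> dict:
    """Compare an offline and an online attacker against the same change policy.

    Rates are constructed assumptions: an offline attacker with a stolen hash file
    guessing at 1e9/s, and an online attacker throttled to 1 guess/s by lockout.
    """
    offline_rate = 1e9   # assumed: off-line trial-and-error against stolen hashes
    online_rate = 1.0    # assumed: throttled guessing through the login interface
    return {
        "bits": entropy_bits(space),
        "offline_exhaust_seconds": seconds_to_exhaust(space, offline_rate),
        "offline_success_before_change": fraction_searched_before_change(
            space, offline_rate, change_period_days),
        "online_success_before_change": fraction_searched_before_change(
            space, online_rate, change_period_days),
    }


if __name__ == "__main__":
    # Example policy: 8 lowercase letters, changed every 90 days (constructed numbers).
    space = keyspace(26, 8)
    report = change_period_report(space, 90)
    print(f"space = {space:,} ({report['bits']:.1f} bits)")
    print(f"offline attacker exhausts the space in {report['offline_exhaust_seconds']:.0f} s")
    print(f"offline success before the 90-day change: {report['offline_success_before_change']:.3f}")
    print(f"online  success before the 90-day change: {report['online_success_before_change']:.2e}")
```

The two scenarios bracket the change-period argument. Against an offline attacker the whole 26^8 space is gone in a few minutes, so a 90-day (or 9-day) change interval changes nothing; against a throttled online attacker the success probability over the period is already tiny without any change at all. Periodic change only matters in the narrow band where the attacker's total guessing budget over one period is a meaningful but incomplete fraction of the space, which is exactly the situation the papers above argue is rare in practice.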

The following document(s) provide password policy recommendations that incorporate a realistic attitude towards password management.

These recommendations were drafted as the result of reviewing yet another official document that intended to establish draconian and unrealistic password usage requirements. The policy briefly discusses the fundamental trade-offs in password management and recommends a focus on seldom-changed memorable passwords wherever possible. Click Here for the HTML version.

The following documents are still under construction:

This document outlines the general elements of a sane password policy. The policy tries not to needlessly sacrifice ease of use, except when the inconvenience actually provides improved security.
This paper summarizes how different computing environments and password implementations affect the safety and reliability of password systems.
 
This paper describes different physical and operating environments for computer equipment and discusses the relative risks of using memorized passwords in these environments.
This paper will describe the typical "safe" environment for using reusable passwords.
There is no 100% safe way of managing administrative passwords in a modern computing environment. This paper will discuss trade-offs and make recommendations based on locally acceptable compromises.
This paper will discuss the challenges of using memorized passwords with remote access protocols, particularly across public and possibly hostile networks like the Internet.
 



Posted: 11/30/01, last update: 4/24/2005


This work by Rick Smith (rick@cryptosmith.com) is licensed under a Creative Commons License.