Brief Recommendations for a
Sane Password Policy
By Richard E. Smith, PhD, CISSP
from the Center for Password Sanity
http://www.smat.us/sanity/
These recommendations are based on the 4 years I spent
researching authentication systems when writing the book Authentication: From Passwords To Public Keys
(Addison-Wesley, 2002). See the book for further information supporting
these recommendations, or see the article The Strong
Password Dilemma, published in the CSI Computer Security Journal and posted on the Center for Password Sanity site.
It is true that poor password selection is endemic. My survey of password cracking studies has found a well-documented 'hit rate' ranging from 20% to 35%. However, a recent study by Yan (working with Ross Anderson) has found that even with password selection training the hit rate remains around 10%. In short, weak password selection should be seen as a fundamental limitation of the technique. You might be able to reduce the likelihood of poor password selection, but you can't reliably eliminate it.
You can't improve the performance of human memory by making rules or even by restricting password selection. That simply increases help desk expenses a Forrester Research study in 2000 ("A Digital Certificate Roadmap") claims that lost passwords represent 20% to 50% of help desk calls and cost $80 each to resolve. The help desk process also opens the risk of social engineering attacks on password protected resources. Many people try to avoid the help desk by writing down their passwords, and that introduces yet another dynamic into the security mix.
The most practical and safest approach is to look at the
password risk differently in different environments. Here are some brief
recommendations for developing a sane policy for password management:
- Passwords are at risk from interception, guessing, and
dictionary attacks. Passwords are particularly at risk of interception
if they are written down or are used on unprotected Internet connections.
- Password systems must be arranged so that individual
user passwords never needs to be shared with anyone, including administrators
and other site officials. Passwords are particularly at risk to "social
engineering," that is, attempts by attackers to trick users into divulging
their passwords. Such attacks are harder to mount if users are confident
that they never, ever have to divulge their personal passwords.
- Ideally, passwords should only be used internally, that is, on systems that reside within a physically protected environment that blocks access by outsiders and restricts the activities of visitors. In such an environment, passwords provide the same level of protection as other office security measures such as desk and door locks: they protect against the marginally dishonest but not against a determined attacker. If the passwords aren't usable from outside the site, then outsiders and ex-employees can't exploit them without trespassing.
- Internally-used passwords should be selected to be memorable
but hard for others to guess. Passwords must not be based on well-known
personal information. Instead, they should be based on private, even embarrassing,
personal information that others don't know and that the owner is unlikely
to want to share or otherwise divulge. Think of different words associated
with such an incident and choose a word that's memorable and specific.
Generic words are more likely to be guessed.
- Reusable passwords should never be used over the Internet unless they are encrypted by a strong, separately established cryptographic key. For example, the SSL protocol used in Web browsers provides this type of protection, particularly when 128-bit keys are used. The IPsec protocol used with VPNs also provides good protection. If such protection is in place, then Internet passwords may be chosen using the same criteria as internally-used passwords
- Reusable passwords are vulnerable to dictionary attacks when used with certain remote access protocols, including Microsoft RAS, Windows NT LAN Manager, Windows 2000, and Kerberos. Use of passwords with such protocols across the Internet, or across untrustworthy corporate networks, should be restricted to specific individuals. These individuals must be trained to choose and memorize strong, hard-to-crack passwords and be highly motivated to use such passwords.
- If large communities of users require remote access, they should either use a strong cryptographic protocol like SSL or IPsec, or they should be issued one-time password authentication tokens, smart cards, or similar devices that are not vulnerable to dictionary attacks.
- Strong passwords that resist dictionary attacks should contain at least eight characters and should contain a mixture of upper- and lowercase letters, digits, and special characters. One approach is to choose two separate words from a large dictionary and combine them with a digit or special character.
- If a password must be written down, it must be given
protection that is consistent with the value of the resources protected
by that password. For example, a password for protecting financial resources
should be protected the same way that similar financial resources are protected
(i.e. a vault for large values and a wallet for appropriately small values).
The password's owner must maintain physical control of the written password
in order to reliably detect situations in which others might have had access
to the written password. If this occurs, the password's owner must ensure
that the password is changed, or the account disabled, as soon as possible.
- Passwords should be changed if there is a risk that someone
has stolen or guessed them somehow. Some sites interpret this as meaning
that they should be changed on a regular schedule, but this can be counterproductive.
In some cases, regular password changes simply induce people to write their
passwords down, since they change too often to justify the effort of memorizing
them.
- Some experts say that periodic password changes will reduce the damage if an attacker intercepts a password: once the password is changed, the attacker is locked out. This assumes that the recovered password will not give the attacker any hints about the victim's current password. In fact, periodic password changes tend to encourage people to design sequences of passwords, like secret01a, secret01b, secret01c, and so on. This allows users to easily choose and remember a new password when the old one expires. Such sequences are usually pretty obvious to an attacker, so any one of the victim's old passwords will probably provide the attacker with a reasonably small number of passwords to guess at.
Back to the Center for Password
Sanity
Richard E. Smith, smith@smat.us
Posted: 11/13/01
Revised 8/9/2002
Copyright © 2001, 2002, Richard E. Smith