Avoiding Risky Password Rules
from the Center for Password Sanity
Richard E. Smith, Ph.D., CISSP
Posted November 30, 2001
Revised Friday, August 09, 2002
Many well-known rules for choosing and using passwords will actually
reduce the security of the password system. This paper examines the risks
associated with well-known password rules.
Some observers will note that the "risky" rules were implemented
to increase the security of password authentication. In fact, password authentication
can never provide a high degree of security, except in extremely limited
situations involving a small group of security-conscious and highly motivated
(even fanatical) individuals. The sophisticated rules provide the illusion
of security while in fact most people rely on risky behaviors in order to
make the password system work reliably. This is illustrated in the examples
below.
1. All passwords must be memorized.
Why:
- This is the core definition of the password mechanism: it associates
the person who knows the password with permission to use a computer system.
If the password is written down instead of being memorized, then authentication
relies on access to the piece of paper the password was written on. This
is much harder for a person to control. People aren't likely to blurt out
passwords randomly such that attackers will hear them. On the other hand,
attackers are likely to search for written passwords, much like safecrackers
always search for a written combination and often find one.
Why Not:
- Human memory isn't 100% reliable, and the password interaction often
makes it difficult to memorize a password when first creating or changing
it.
- People are often given access to computers that they use rarely,
and the access information (user name and password) is selected by an
administrator and distributed to the users. Thus, the user didn't have
the opportunity to choose a memorable password.
- In some cases, administrators distribute access information to new
users via e-mail, which is essentially a written medium.
- In some cases, written passwords aren't likely to fall in the hands
of attackers, since the written text resides within a physically protected
office suite.
2. All passwords must be at least six characters long.
Why:
- If an attacker mounts a trial-and-error attack against your password,
a longer password gives the attacker a larger number of alternatives to
try. If each character in the password may take on 96 different values
(typical of printable ASCII characters) then each additional character
presents the attacker with 96 times as many passwords to try. If the number
of alternatives is large enough, the trial-and-error attack might discourage
the attacker, or lead to the attacker's detection.
Why Not:
- It won't matter how hard a password might have been to guess, if the
attacker mounts a sniffing attack on the password while it's in clear text.
Lots of systems use clear text passwords, even on the Internet.
- If the authentication system keeps track of the number of incorrect
attempts, then it will detect trial-and-error attacks on passwords after
a relatively modest number of guesses.
- An attacker that has physical access to a computer, or to its internal
communication links, can successfully attack the computer without having
to guess its password.
- The Personal Identification Number (PIN) used on typical Automated
Teller Machines (ATMs) contains only four digits, yet the assets it protects
are far more important to most people than the assets protected by their
computer passwords, and the 4-digit PIN seems to work well enough in the
banking environment. In particular, successful attacks on ATM cards rarely
involve trial-and-error PIN guessing.
3. The password should contain a combination of upper- and lowercase
letters, digits, and punctuation or other special characters.
Why:
- Choosing the password from a larger number of characters will produce
a broader range of possible passwords within a given password length. If
we only accept lowercase passwords, or ignore the difference between upper-
and lowercase, then each added letter only increases the number of passwords
by 26 times. If passwords may consist of a combination of uppercase, lowercase,
and digits, then each additional character in the passwords increases the
possibilities by 62 times. If we admit all printable ASCII characters,
then each additional character increases the possibilities by 96 times.
Why Not:
- Same as 2.
- It is especially difficult for people to memorize a string of characters
they've imagined but never actually seen in printed form.
- If a person chooses a random selection of printable characters for
a password, then the person has a very short time in which to memorize
that password before it is forgotten. Moreover, people can't reliably memorize
such passwords as they get longer.
- If a person chooses a familiar word as a password and then substitutes
various digits and other characters for the usual letters, then the person
must successfully memorize this substitution, or the password will be forgotten.
This isn't as hard as memorizing a random string of characters, but it
still requires concentration.
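The arithmetic behind rules 2 and 3 is easy to get a feel for with a few lines of code. The following Python is an added illustration, not part of this paper: it computes the number of possible passwords for the alphabet sizes the paper mentions (26, 62 and 96 characters, plus 10 digits for the ATM PIN remark in rule 2), the equivalent key length in bits, how long an offline guesser would need to exhaust the space at an assumed guess rate, and what an account lockout after a fixed number of wrong attempts does to an online guesser (the "Why Not" point in rule 2 about counting incorrect attempts). The guess rate and lockout threshold are assumed values chosen for the example.

```python
import math

# Alphabet sizes named in rules 2 and 3, plus digits for the ATM PIN remark.
# These are assumed values for the example.
ALPHABETS = {"lowercase": 26, "alphanumeric": 62, "printable_ascii": 96, "pin_digits": 10}


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters.
    Each extra character multiplies this by `alphabet_size` (rule 2)."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Strength of a uniformly random password expressed as a key length in bits."""
    return length * math.log2(alphabet_size)


def expected_guesses(alphabet_size: int, length: int) -> float:
    """An exhaustive guesser succeeds, on average, halfway through the space."""
    return search_space(alphabet_size, length) / 2


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time for an offline attack (against a stolen hash) at the given rate."""
    return search_space(alphabet_size, length) / guesses_per_second


def online_success_probability(alphabet_size: int, length: int, max_attempts: int) -> float:
    """If the system counts wrong attempts and locks the account after
    `max_attempts`, an online guesser gets at most that many tries, so the
    chance of hitting a uniformly random password is max_attempts / space."""
    return min(1.0, max_attempts / search_space(alphabet_size, length))


def strength_table(lengths=(4, 6, 8), guesses_per_second=1_000_000, max_attempts=3):
    """One row per (alphabet, length): space, bits, offline time, online odds.
    The default guess rate and lockout threshold are assumptions for the example."""
    rows = []
    for name, size in ALPHABETS.items():
        for n in lengths:
            rows.append({
                "alphabet": name,
                "length": n,
                "space": search_space(size, n),
                "bits": round(entropy_bits(size, n), 1),
                "offline_seconds": seconds_to_exhaust(size, n, guesses_per_second),
                "online_success": online_success_probability(size, n, max_attempts),
            })
    return rows


if __name__ == "__main__":
    for row in strength_table():
        print(f"{row['alphabet']:>16} len={row['length']}: {row['space']:>20,d} "
              f"({row['bits']} bits) offline {row['offline_seconds']:.3g}s "
              f"online p={row['online_success']:.2e}")
```

The table makes the paper's two points visible side by side: the offline column grows by a factor of 26, 62 or 96 per added character, while the online column stays tiny for every row as long as the lockout is enforced, which is why a four-digit PIN can be adequate where guessing is rate-limited.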
4. The password should not be a word that appears in a dictionary.
Why:
- Many systems, including Windows and Unix, store and transmit passwords
in a self-encrypted form called a "hash." Attackers can reverse
the hash through a computationally intensive trial-and-error process that
can quickly try thousands and even millions of possible guesses for a password.
Typically these attacks use a dictionary of common (and even uncommon)
words, and such attacks succeed in many cases. If the password doesn't
appear in a dictionary, then such an attack won't find it.
Why Not:
5. You must use a different password for every computer that requires
one.
Why:
- Not all computer systems provide the same level of security for their
passwords. If an attacker manages to retrieve your password from a weak system,
the attacker may use it to try to masquerade as you on other systems you use. This
attack would work if you use the same password everywhere.
Why Not:
- It is not unusual for people today to work with several separate computer
systems, and these systems often demand passwords for authentication. Some
people end up with dozens of separate computer accounts which, according
to this rule, would each require their own password. Few people have a
memory proficient enough to keep all of those passwords straight.
6. Passwords must be replaced periodically.
Why:
- If an attacker has access to your password and abuses it, you will
prevent further abuse once the password has been changed.
- If an attacker mounts a systematic trial-and-error attack on your existing
password, the attack might not yield success until after you've changed
to a different password.
Why Not:
- People are more likely to remember something they have used for a long
time, even if they use it only rarely. If they have to change their password regularly,
then they're constantly working at memorizing a new one. This leads them
to write the passwords down.
- When people are forced to choose a new password periodically, they
often do so by inserting a number into the password (e.g., "password1",
"password2", "password3", or even "passone", "passtwo", "passthree",
and so on). Attackers can easily guess the current password if they
intercept one of these "expired" passwords. This eliminates the benefit
of periodically replacing a password.
- Many types of trial-and-error attacks are detectable, and the attack
can probably be stopped if it is detected.
7. You must never use the same password twice, especially when periodically
changing your password.
Why:
- Human history has shown that secrets get leaked even when people work
hard to keep them secret. Therefore, it's a prudent security measure to
change from one secret to another periodically if you can.
- Trial-and-error attacks on passwords take time, and you can outsmart
some such attackers if you change your password before they've tried all
of the possibilities. If their attack is against a cryptographically protected
copy of your password, then they'll have to start the attack all over again.
Why Not:
- Since people have a hard time remembering random bits of information
over long periods of time, some of them will write down these new passwords.
This often produces a list, and the list is usually stored somewhere that
makes it easy to find.
- People who don't keep a list will often use a sequence of passwords
(racquel01, racquel02, racquel03, and so on). If an attacker intercepts
one of these, the attacker can easily guess the correct password even if
the victim has changed it a couple of times since it was stolen.
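Rules 4, 6 and 7 describe behaviors a system can check for at the moment a password is changed: a candidate that is a dictionary word even after the digit-for-letter substitutions of rule 3 are undone, a candidate identical to the previous password, and a candidate that is just the previous password with a counter appended or incremented (password1 to password2, passone to passtwo, racquel01 to racquel02). The following Python is an added example, not code from this paper, showing such a check from the system's side. The dictionary is a constructed handful of words standing in for a full word list, and the substitution table, the list of spelled-out counters and the minimum length of six are assumptions for the example.

```python
import re

# Constructed mini-dictionary for the example; a real check would load a
# full word list, as the attacks described in rule 4 do.
DICTIONARY = {"password", "racquel", "secret", "welcome", "dragon", "monkey"}

# Undo the lookalike substitutions from rule 3 ("p@ssw0rd" -> "password")
# before the dictionary lookup; this mapping is an assumption for the example.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                               "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

# Spelled-out counters, after rule 6's "passone", "passtwo", "passthree".
NUMBER_WORDS = ["one", "two", "three", "four", "five",
                "six", "seven", "eight", "nine", "ten"]


def normalize(password: str) -> str:
    """Lowercase and reverse common digit/symbol-for-letter substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def is_dictionary_word(password: str) -> bool:
    """Rule 4: true if the password is a dictionary word, with or without
    the substitutions undone."""
    return password.lower() in DICTIONARY or normalize(password) in DICTIONARY


def split_stem(password: str):
    """Split 'racquel02' into ('racquel', 2) and 'passtwo' into ('pass', 2).
    Returns (password, None) when no trailing counter is found. A word that
    merely ends in a number word ('someone') also splits, which only matters
    if the previous password shared the same stem."""
    m = re.fullmatch(r"(.*?)(\d+)", password)
    if m:
        return m.group(1), int(m.group(2))
    for n, word in enumerate(NUMBER_WORDS, start=1):
        if password.endswith(word) and len(password) > len(word):
            return password[: -len(word)], n
    return password, None


def is_predictable_successor(previous: str, candidate: str) -> bool:
    """Rules 6 and 7: true when the candidate is the previous password with a
    counter appended or changed, so anyone holding the old one can guess it."""
    old_stem, _old_n = split_stem(previous.lower())
    new_stem, new_n = split_stem(candidate.lower())
    return new_n is not None and old_stem == new_stem


def check_new_password(previous: str, candidate: str, min_length: int = 6) -> list[str]:
    """Return the list of rule violations for a proposed password change
    (an empty list means the change is accepted)."""
    problems = []
    if len(candidate) < min_length:                      # rule 2
        problems.append("too short")
    if is_dictionary_word(candidate):                    # rule 4
        problems.append("dictionary word")
    if candidate.lower() == previous.lower():            # rule 7
        problems.append("reuses previous")
    elif is_predictable_successor(previous, candidate):  # rules 6 and 7
        problems.append("predictable successor")
    return problems


if __name__ == "__main__":
    # Constructed sample changes, including the paper's own examples.
    for old, new in [("racquel01", "racquel02"), ("passone", "passtwo"),
                     ("p@ssw0rd1", "Dr4gon"), ("secret", "secret"),
                     ("correct horse", "Tr0ub4dor&3")]:
        print(f"{old!r} -> {new!r}: {check_new_password(old, new) or 'accepted'}")
```

Note that the successor check only works because the system still has the previous password (or can compare against it) at change time; it catches the counter pattern the paper describes, but it cannot stop a user from writing the new password down, which is the paper's larger point.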
Richard E. Smith, smith@smat.us
Copyright © 2002, Richard E. Smith