Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response

Passwords

Created: 05 Jun 2006 07:00:00 GMT • Updated: 23 Jan 2014 18:59:22 GMT
Dave Stahl's picture
0 0 Votes
Login to vote

"Your password will expire in six days." Upon receiving thisnotification, I grimaced. What could be more fun than coming up withyet another password—particularly one that meets the increasinglyludicrous password policies that are ever present in the industry?

"Yourpassword will expire in one day." Well, shoot. I guess I'd better go onand take care of it. A small modification to my current 23 characterpass phrase, and hopefully I'll be done with this for another month ortwo. Nope. It seems that more rules have been added since I lastchanged my password; specifically, the requirement that they be betweeneight and 14 characters. No shorter, no longer. The password changetool helpfully suggests a few possible passwords:

sYdid,5jag
glip*4esO
e&6fLogi
fam,1hYo
tar,7yePy
nib,2duenK
kEt1%geuck
yaLal7#yas
neTec7#jin
pEa+8hegju

Great, thanks! I'll be able to memorize one of those shortly beforethe next ice age. I'm now in full rantin' and cussin' mode, as mycoworkers giggle from nearby cubes and offer various passwordsuggestions. My preference for 20+ character passphrases having beenthwarted, I look at the password rules to see what I can come up with:

Eight to 14 characters
One or more punctuation marks
One or more digits
A leading letter
A trailing letter
A mix of upper and lower case
No repeating letters
No use of forward slash
No use of words related to my name

15 minutes and much more cussing later, I've come up with areasonable password that can be typed (with care) and remembered (if Iwrite it down). Which I do promptly in the best way I know: in a file,on an encrypted volume, which uses a 28 character pass phrase.

I shouldn't have to do this. The long pass phrases I use forencryption keys and other systems are easy to remember, hard to crack,hard to shoulder-surf, and don't need to be written down anywhere.Draconian password policies like this only serve to encourage users toeither write their passwords down or forget them, resulting in extracalls to support.

It's interesting how these rules seemed to evolve over time. In a passage from The Strong Password Dilemma,Rick Smith cogently summarizes the evolved rules for passwords as:“Passwords should be impossible to remember and never written down.”[1] He demonstrates how simple rules for a password policy evolve intopasswords which are not only impossible to remember, but because ofthis less secure. In the author's experience, the likelihood of findingwritten passwords near a workstation subjected to periodic passwordchanges ranged from 16% to 39%, varying from site to site. At thesesame sites however, the likelihood ranged from four percent to ninepercent for workstations connected to systems that did not enforceperiodic password changes.

Here's hoping for a migration towards sensible password policies inthe future. I leave you with a couple of quotes from interestingarticles on the subject:

From Brief Recommendations for a Sane Password Policy: [2]

“Some experts say that periodic password changes will reduce thedamage if an attacker intercepts a password: once the password ischanged, the attacker is locked out. This assumes that the recoveredpassword will not give the attacker any hints about the victim'scurrent password. In fact, periodic password changes tend to encouragepeople to design sequences of passwords, like secret01a, secret01b,secret01c, and so on. This allows users to easily choose and remember anew password when the old one expires. Such sequences are usuallypretty obvious to an attacker, so any one of the victim's old passwordswill probably provide the attacker with a reasonably small number ofpasswords to guess at.”

From The Great Debates: Pass Phrases vs. Passwords (Part 3 of 3): [3]

“While no one can conclusively answer the question of whether passphrases are stronger than passwords, math and logic appear to show thata five or six word pass phrase is roughly as strong as a completelyrandom nine character password. Since most people are better able toremember a six word pass phrase than a totally random nine characterpassword, pass phrases seem to be better than passwords. In addition,by adding some substitutions and misspellings to a pass phrase, userscan significantly strengthen it, which is not possible with a totallyrandom nine character password.”

References

[1] http://www.smat.us/sanity/pwdilemma.html
[2] http://www.smat.us/sanity/pwrecom.html
[3] http://www.microsoft.com/technet/community/columns/secmgmt/sm