In this episode, entitled Busting Password Myths, Paul Ducklin and Chester Wisniewski take a look at the thorny issue of password rules and regulations.
In particular, we debate whether you really need corporate rules for password reset, password complexity, and password re-use.
The content of the show is based around a very popular presentation given by Chester at the RSA 2012 conference.
Read the transcript:
[TECHNO VIBES]
DUCK. Welcome to Techknow, where Sophos experts debate, explore, explain, and hopefully help you to understand the often baffling world of computer security.
Techknow is presented by me, Paul Ducklin [DUCK].
CHET. And me, Chester Wisniewski [CHET].
DUCK. And in this episode, we are going to look at the thorny issue of passwords.
Chester, I know that you have some very strong feelings about things which you consider myths in the password world.
Things that people do that don’t necessarily deliver the results they think.
And if I just summarise those in three words, that’s: Reset, Complexity, and Re-use.
So let’s start with the first of those.
The idea, which seems prevalent in many organisations, that having regular forced password resets for users is actually a good idea, and improves security.
What do you have to say to that?
CHET. A lot of these things are rooted in past experience for many IT professionals.
Lots of us have been geeks for a long time, and had to deal with the evolution of the internet and computing systems.
And I think that the password reset stuff is largely misunderstood, or misinterpreted, or misimplemented.
If we step back into the 1980s, the big issue, the reason we started with password resets, was the way our passwords were stored.
Very simply, on Unix systems, they were stored in a world-readable text file on the system, which meant anybody that had access to the system could have a crack at those passwords, and access other people’s accounts and information.
DUCK. So, Chester, what you’re suggesting is that in the early days, because of the way passwords were stored and the number of people who might have read access to important information about your password, like the hash…
…passwords, even in the days of lower-powered computers, might be considered to have a much shorter lifetime?
So, the idea of changing them regularly was to be more of a moving target, is that correct?
CHET. Absolutely.
And if you’re choosing quality passwords today, we’ve evolved many different things.
The hashes, as you say, are no longer so easily accessible without much more complicated attack techniques.
And in addition to that, we’ve all been trained and taught to use more complex passwords, which is a good practice.
The more complex the password is, the much more difficult it becomes to crack.
DUCK. Let’s come back to complexity in a minute.
Let’s stick to the idea of that, once a month, or once every two months, you ought to change your password whether you really need to or not, simply because that’s a good discipline and habit to have.
CHET. In most situations, I see it actually work to be a *negative*.
If you’re choosing to have a complex password, it’s very difficult to remember it.
And making people change it all the time makes people choose poor passwords, and find something very formulaic.
So, all people do is they choose password1 and then password2, and that actually makes the password more predictable, not less predictable.
DUCK. Surely the time to worry about changing a password is when you’re certain or reasonably certain that it’s been compromised?
And if you’re pretty sure that your password isn’t known to anybody else, it seems, as you say, that changing it just gets people into poor habits…
CHET. Yes!
Say I lost a laptop where, potentially, maybe an attacker could get access to the hashes.
Maybe I’ll make that user change their password.
But having an entire organisation change their password on a regular basis gets everybody in the habit of a bad habit.
DUCK. It also seems that it plays into the hands of social engineers if, on the third Tuesday of every month, it’s known that the helpdesk is busiest, with calls from people who’ve changed their password and then forgotten the new one.
CHET. Yes.
Or even things like, if you know that a company makes everyone change their passwords quarterly, you can guess or bet that almost every user has changed it four times a year.
And you log into LinkedIn and see that they’ve been an employee since 2000 [12 years before the recording date], and you go, “OK, 12 x 4, that’s 48.”
I bet you their password ends in -48, and you probably could crack quite a lot of them that way.
DUCK. [LAUGHS] So, in other words, by forcing change when it’s unnecessary, one actually introduces unnecessary risk.
CHET. Yes.
You’re taking away complexity and introducing something predictable, and the last thing you want in a password is something predictable.
DUCK. That seems like a good moment to move on to the issue of complexity in passwords.
Many organisations seem to have rules, or algorithms, if you like, that define how your password should embody complexity.
Isn’t that a contradiction in terms?
CHET. Yes.
It’s another thing that makes passwords easier to predict.
I’ve got a few examples from my own experiences that just boggle my mind, in that when we see password databases being disclosed by hacker groups and things on the internet, we often see, where an organisation will say, “It must be at least nine characters or ten characters, and it must contain a digit.”
And then we see that 5% or 10% of users have chosen password1 or christine1.
It’s the simplest way to meet the requirement without putting any thought into it.
DUCK. If you think about number plates, or licence plates as you call them in North America, on cars…
…in New South Wales [the state in Australia], they have six characters.
You’ve got 36^6, and if you do the calculations, that comes out to some enormously large number.
But our standard issue plates actually have letter-letter, number-number, letter-letter.
And if you do the multiplication for *that*, you’ll find that the grand total of number plates you can represent is significantly smaller just by forcing it into a known pattern.
And I guess exactly the same applies for passwords…
CHET. It does.
I mean, there are a lot of things around complexity, and many security professionals preach practices that are rather difficult to accomplish with the number of passwords that we have to memorise.
The important thing is to actually go back to that math that you’re talking about.
I can probably create a ten-character password, if I want to mix in punctuation and random digits and all these things that a lot of us preach, that would be almost insanely difficult to crack.
However, you can accomplish a similar mathematical goal by simply making your password longer.
Avoiding use of dictionary words is great, and using punctuation is great, but to make a password policy digestible, length is probably the strongest factor you can do…
…because the alphabet itself, if you consider mixed case, that alone is 52 possibilities.
And when you take it from eight-long to 24-long, but it’s still something you can remember, it’s darn hard to crack even if you didn’t bother to do the “comma and the number two”, and all these different things.
The one that annoys me the most is the dependence upon leet-speak [using digits as letters], as it’s known in the IT business, where people just pick a nice word and they go, “Well, it’s not a dictionary word – I added a zero instead of an O.”
In fact, most password cracking applications an attacker might use try those things right off the bat, because they know how frequently people rely on this false sense of “complicating” their password.
DUCK. So we’re falling into that licence-plate problem, where we have what seems like a large space, yet we’re only utilising a small fraction of it.
Now, it strikes me that the idea of having a very long password, which is not something that will be found in a book…
…the particular advantage of just using alphabetic characters is when it comes to things like tablets or iPhones, where typing numbers and punctuation is quite hard.
And for anyone who’s shoulder-surfing, it’s actually really obvious when you’re doing the special stuff.
CHET. And that’s the new frontier of the password problem…
I mean, as if passwords weren’t enough of a problem for most of us on the web, now we’ve got this problem of the iPhone and the Android and the tablet.
The other thing I don’t really understand is a lot of these websites that restrict your password length.
They go, “It must be between 12 and 16.”
We mentioned hashes earlier, and the great thing about a hash is you can put in one character, or you can put in 1000 characters, and you *get a predictable digest* that comes out at the other side of the hash.
So there’s really not a good reason, if you’re storing passwords correctly in an application, a website, a database, whatever it might be…
…there’s not any reason to limit the length of it.
If I really wanted to have a password like Mary had a little lamb, her fleece was white as snow, there’s no reason for something to go, “Oh no, that’s too long! I can’t store that in the database.”
It’s going to come out as a digest…
DUCK. OK, Chester, we’ve covered whether or not you should change your passwords all the time, regardless of whether you think they’re compromised.
We’ve talked about how you make a complex password.
Given that all of this complexity makes passwords harder to remember, the last issue I want to look at, which I hear people talking about a lot, is the idea that it’s possible to re-use passwords if you’re reasonable about it.
Now, everybody knows you can’t use the same password for everything.
But I’ve met a lot of people who go, “Well, for the easy or basic websites, unimportant websites, I use the same password. Then I have a medium-grade password, which I use on all the others, and then only for the really important sites, of which I only have a few, *then* I have hard passwords.”
And they convince themselves that this sort of password re-use, because you’re not using one password for everything, is in fact a good compromise.
But is it?
CHET. For one, I begin this whole idea with, “I’m not sure when it’s OK for someone else to be able to not only impersonate me, but for me not to know where they might impersonate me.”
So if I chose a low quality password and said, “Yeah, that’s fine for making a comment on the New York Times, no big deal”, but then I end up using that password at 400 different sites and it does get compromised…
…now I don’t even know where I might be impersonated.
And the information that could be gathered by logging into the accounts is frightening.
“SONY required I give them my birthday, my address, and my home telephone number; and Stratfor required I give them my email address; and this other one required that I give them some other personal information”…
And now all of those accounts are at risk, and I have no idea who might be compiling a dossier.
Not only my activities, but identity theft.
DUCK. What I think you’re saying is you really do need a complex but different password for every single online service you use… in an ideal world.
CHET. Yes!
And it’s a rather frightening thing to say that.
I personally have logins to just around 500 websites that maybe I don’t regularly access, but at some point I’ve needed to create some credentials for.
And you go, “Well, how would you not use password1, or decide that your password to comment on a Yahoo group is going to be yahoochet, and the comment on a Google group is going to be gmailchet?”
At least they’re different, but they’re obviously predictable to anybody that knows exactly what the scheme is that you’re using.
And there really isn’t anything that is a giveaway or a throwaway kind of situation when you’re talking about your identity and what you do online.
DUCK. Now, you use a password manager, don’t you?
There are lots of them about; there are some good and some bad – we won’t discuss here how you decide whether they’re good or bad.
Ask a friend or colleague, I guess, for recommendations.
A password manager can invent complicated passwords for you, and remember which passwords go with which site.
Doesn’t that just bring us back to the problem that now you have one password for everything?
Because if someone gets the password to the master suitcase of passwords, then that’s like having a skeleton key to the whole hotel.
CHET. Yes, there certainly is a risk of that.
I’ve got two different policies around using my password management tool.
One policy I have is that truly critical accounts, like my financial institutions and things like that (going back to your idea of segregating how important something is)… those accounts are never stored in the password manager, period.
They’re too important to me to risk anybody being able to magically unlock them over the internet somewhere.
But then the secondary part of that is that when I do choose a new password, it is always different.
DUCK. OK, Chester, so we’ve dealt with the resetting of passwords; making complicated passwords; and reusing them.
I’m going to try and summarise, and you tell me if I’ve learned the right lessons.
Firstly: Reset passwords when you think that is actually necessary.
Don’t force change for the sake of it.
Secondly: Don’t try and define complexity.
Just encourage users to have some techniques for choosing well.
And lastly, and perhaps most importantly: There’s no such thing as a password that is unimportant.
So, choose a different password for every site.
And if you find that a mental challenge, consider using a password manager and be extra-super cautious with that master password.
CHET. Yes, and I think for the IT administrators out there that may be listening…
…users do want to generally do the right thing.
And if we trust people, actually, once you put trust in someone, they have a loyalty and an ability to do the right thing that’s surprising.
DUCK. Chester, let me try one last piece of advice and see what you think of it.
When you have to change your password, or you feel like changing a password, never do it at the end of the day or at the end of your shift.
Always do it at the beginning, and log in and out, so you get used to the new password.
CHET. You get a finger memory, right?
You start typing… your fingers just move around the keyboard.
It’s a great piece of advice, Paul – I agree with it wholeheartedly.
DUCK. So.
Forcing password resets?
BUSTED.
Trying to define complexity by simplifying things for users?
CHET. [JAMIE HYNEMAN IMPERSONATION] BUSTED!
DUCK. And re-using passwords because you think there are unimportant ones?
Very, very definitely BUSTED.
Do you agree with all of that?
CHET. I do.
And now, if we can just get everyone to start marching along with us, the internet will be a safer place!
DUCK. Excellent.
Thanks for listening, everybody.
If you’ve enjoyed this show, then we have plenty more audio for you.
And I’m going to hand over to Chester to tell you where to find it…
CHET. Well, for the latest news, opinion, advice and research, you can always find that on nakedsecurity.sophos.com.
All of our podcasts are also available at podcasts.sophos.com, via RSS, or on iTunes.
Until next time, stay secure!
[TECHNO VIBES]
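As an added worked example (not part of the podcast or its transcript), the arithmetic Paul and Chester describe can be carried through in a few lines: the size of the search space for a free-form six-character plate versus the letter-letter-digit-digit-letter-letter pattern, eight printable characters versus 24 mixed-case letters, and the space actually used when a "must contain a digit" rule is met with a common word plus one digit. The character-class sizes and the 10,000-word dictionary figure are assumptions made for the calculation, not values stated on the page.

```python
import math
from typing import Dict

# Constructed character-class sizes for the comparisons below (assumptions,
# not figures from the podcast):
#   L = one-case letters, U = mixed-case letters, D = digits,
#   A = letters+digits (36, as in the plate example), P = printable ASCII.
CLASS_SIZES: Dict[str, int] = {"L": 26, "U": 52, "D": 10, "A": 36, "P": 95}


def search_space(pattern: str) -> int:
    """Count the distinct strings a fixed position-by-position pattern allows.

    Each character of `pattern` names the class permitted at that position,
    so "LLDDLL" is the letter-letter-digit-digit-letter-letter plate format.
    """
    total = 1
    for cls in pattern:
        if cls not in CLASS_SIZES:
            raise ValueError(f"unknown character class {cls!r}")
        total *= CLASS_SIZES[cls]
    return total


def bits(pattern: str) -> float:
    """Search space of a pattern expressed as bits of guessing work (log2)."""
    return math.log2(search_space(pattern))


def compare(free_pattern: str, forced_pattern: str) -> float:
    """How many times larger the free-form space is than the forced pattern."""
    return search_space(free_pattern) / search_space(forced_pattern)


def word_plus_digit(dictionary_size: int = 10_000) -> int:
    """Size of the space really used by 'common word followed by one digit'
    (password1, christine1 ...). The dictionary size is an assumed figure."""
    return dictionary_size * CLASS_SIZES["D"]


if __name__ == "__main__":
    # Plates: 36^6 free-form versus the LL-DD-LL standard-issue pattern.
    print(f"free plates   : {search_space('AAAAAA'):>14,}  ({bits('AAAAAA'):.1f} bits)")
    print(f"LLDDLL plates : {search_space('LLDDLL'):>14,}  ({bits('LLDDLL'):.1f} bits)")
    print(f"ratio         : {compare('AAAAAA', 'LLDDLL'):.1f}x smaller when patterned")
    # Passwords: eight printable characters versus 24 mixed-case letters.
    print(f"8 x printable : {bits('P' * 8):.1f} bits")
    print(f"24 x letters  : {bits('U' * 24):.1f} bits")
    # What a 'nine characters and a digit' rule often gets in practice.
    print(f"word+digit    : {math.log2(word_plus_digit()):.1f} bits")
```

The point the numbers make is the one in the discussion: a nominal space of 95^9 for a nine-character rule shrinks to a few hundred thousand guesses once users satisfy it with a word and a trailing digit, while 24 plain letters outrun eight fully mixed characters by a wide margin.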
I see a market for password managers with proper 2 factor authentication 🙂
In a time where everyone requires 256 bit AES, which has a password equivalence of say 35 random characters, it boggles my mind that companies still rely on passwords. I know it has a bad rep (compromised certificate peddlers, expensive, exotic hardware) but I think good cryptographic tokens and a trustworthy PKI would make it lots and lots easier (on the user). Add some SSO to it, and all a user has to remember is to bring the token and remember the PIN, for all logons in the company infrastructure. Now you should be looking at where to set the PIN rules…
Audio-only is not very user-friendly (not to mention search/archive-friendly). Could you post a list of the topics discussed in future Techknow episodes ?
I added an explanatory sentence to the article to give a bit more detail about the password issues we covered – reuse, complexity and reset.
Hope that's satisfactory.
As for user-friendliness – I get your point, but the whole idea of doing the occasional podcast is that some people actually prefer audio "articles", at least from time to time. They can listen in the {car, bus, train}; they enjoy hearing the cut, thrust and tone of discussion and debate; it provides a break from clicking, reading and scrolling.
Our written-only material outnumbers our podcast material somewhere between 10 and 100 to 1, so there isn't exactly a shortage of written articles for those who dislike listening 🙂
Perhaps you will accept the podcasts as an attempt to be a bit more user-friendly to those who like listening, rather than as items which are less user-friendly to those who prefer to read.
(We try to provide transcripts when we can, but they are a _lot_ of extra effort for the NakSec team considering that a podcast is specifically intended as an audio work. None of us is a stenographer, so it takes hours to transcribe 15 minutes of discussion correctly.)
Would you publish a transcript if someone else made it?
We used to do transcripts. But they are a lot of effort, and one day we didn’t do one and…
…no-one noticed. No-one asked us to bring them back. And so I guess we just lost the habit.
For this podcast: if you have made a transcript and are willing to send it to tips@sophos.com, I’m willing to proofread it and then publish it, sure.
Paul, for those of us who promote your articles by doing “fair access” repost articles, transcripts would help to pull a couple of good quotes out to promote the audio with.
There’s nothing like a good “teaser” paragraph.
Many years later 🙂 I just published a transcript. Online transcription services work pretty well these days. It’s still a lot of work to make them look good and read well (a precise, literal transcript often isn’t terribly readable because written and spoken English are two quite different languages). But it’s do-able, so I did it!
Just curious Barney, if you used Dragon to make the transcript, what version did you use? I assume the software had to “learn” the speaker’s voice.
Oblig XKCD reference: http://xkcd.com/936/
Nicely done. Was hoping someone would bring that up 🙂 (I originally mentioned that very cartoon in the podcast, but ended up editing it out because I didn't do it justice in my verbal description.)
Regarding the regular password changes… seems to me there are at least 2 good reasons not to give up on it… I'd love to hear your comments…
First, similarly to the principle of regular change of session keys in crypto protocols for communication, you do not want to give someone who is "listening" to your communication too much "material" from which he could try to crack the key. Regular change of the password limits the time of its validity, thus limits the amount of "material" someone could pick up from the network during your regular logins, and lowers the possibility for cracking your password that way.
Second, in case someone gets hold of that file with the hashed passwords, and eventually cracks some or all of them, regular password change shortens the time frame during which they can be misused.
Things are not black or white, of course, but in case of some of the mentioned scenarios, I would not want to give up on any security control that would have a chance of hindering the attack or limiting the damage.
Your points are certainly valid. What we are suggesting is that we need to strike a balance between perfection and it being easy enough that you get nearly 100% compliance from your user base.
If you are an individual, I think it is great to choose really long passwords and change them frequently, but when designing a policy for an organization if you choose a policy that is too hard, most people give up and find ways to break the rules.
I personally change my password on my LastPass every few months for that very reason. Of course if a company were to suspect their hashes may have been compromised (think RSA) it would appropriate to force everyone to perform a password change.
Thanks for your comments,
Chester
The fingerprint recognition is outdated?
Passwords are dinosaurs that need to go the way of the dodo. We can add password complexity, length and change them regularly, but sooner or later, you will be left out of your own stuff (or end up with the passwords written on a post-it).
I've already lost some info because of lost encryption keys (yes, I used to back up data with a long password lock. Now I realize I didn't keep records of passwords and their dates of use).
I was able to recover some CDs, because I used short passwords. With current computing power, that is irrelevant… but somewhere in 2000 I decided to go to unbelievably long passwords. I just hope the CDs with the data will survive 10 more years to give it another try.
Thank you for the podcast
What do you think is an appropriate length of your password?