In this episode, entitled Busting Password Myths, Paul Ducklin and Chester Wisniewski take a look at the thorny issue of password rules and regulations.
In particular, we debate whether you really need corporate rules for password reset, password complexity, and password re-use.
The content of the show is based around a very popular presentation given by Chester at the RSA 2012 conference.
Read the transcript:
DUCK. Welcome to Techknow, where Sophos experts debate, explore, explain, and hopefully help you to understand the often baffling world of computer security.
Techknow is presented by me, Paul Ducklin [DUCK].
CHET. And me, Chester Wisniewski [CHET].
DUCK. And in this episode, we are going to look at the thorny issue of passwords.
Chester, I know that you have some very strong feelings about things which you consider myths in the password world.
Things that people do that don’t necessarily deliver the results they think.
And if I just summarise those in three words, that’s: Reset, Complexity, and Re-use.
So let’s start with the first of those.
The idea, which seems prevalent in many organisations, that having regular forced password resets for users is actually a good idea, and improves security.
What do you have to say to that?
CHET. A lot of these things are rooted in past experience for many IT professionals.
Lots of us have been geeks for a long time, and had to deal with the evolution of the internet and computing systems.
And I think that the password reset stuff is largely misunderstood, or misinterpreted, or misimplemented.
If we step back into the 1980s, the big issue, the reason we started with password resets, was the way our passwords were stored.
Very simply, on Unix systems, they were stored in a world-readable text file on the system, which meant anybody that had access to the system could have a crack at those passwords, and access other people’s accounts and information.
DUCK. So, Chester, what you’re suggesting is that in the early days, because of the way passwords were stored and the number of people who might have read access to important information about your password, like the hash…
…passwords, even in the days of lower-powered computers, might be considered to have a much shorter lifetime?
So, the idea of changing them regularly was to be more of a moving target, is that correct?
And if you’re choosing quality passwords today, we’ve evolved many different things.
The hashes, as you say, are no longer so easily accessible without much more complicated attack techniques.
And in addition to that, we’ve all been trained and taught to use more complex passwords, which is a good practice.
The more complex the password is, the much more difficult it becomes to crack.
DUCK. Let’s come back to complexity in a minute.
Let’s stick to the idea of that, once a month, or once every two months, you ought to change your password whether you really need to or not, simply because that’s a good discipline and habit to have.
CHET. In most situations, I see it actually work to be a *negative*.
If you’re choosing to have a complex password, it’s very difficult to remember it.
And making people change it all the time makes people choose poor passwords, and find something very formulaic.
So, all people do is they choose
password1 and then
password2, and that actually makes the password more predictable, not less predictable.
DUCK. Surely the time to worry about changing a password is when you’re certain or reasonably certain that it’s been compromised?
And if you’re pretty sure that your password isn’t known to anybody else, it seems, as you say, that changing it just gets people into poor habits…
Say I lost a laptop where, potentially, maybe an attacker could get access to the hashes.
Maybe I’ll make that user change their password.
But having an entire organisation change their password on a regular basis gets everybody in the habit of a bad habit.
DUCK. It also seems that it plays into the hands of social engineers if, on the third Tuesday of every month, it’s known that the helpdesk is busiest, with calls from people who’ve changed their password and then forgotten the new one.
Or even things like, if you know that a company makes everyone change their passwords quarterly, you can guess or bet that almost every user has changed it four times a year.
And you log into LinkedIn and see that they’ve been an employee since 2000 [12 years before the recording date], and you go, “OK, 12 x 4, that’s 48.”
I bet you their password ends in
-48, and you probably could crack quite a lot of them that way.
DUCK. [LAUGHS] So, in other words, by forcing change when it’s unnecessary, one actually introduces unnecessary risk.
You’re taking away complexity and introducing something predictable, and the last thing you want in a password is something predictable.
DUCK. That seems like a good moment to move on to the issue of complexity in passwords.
Many organisations seem to have rules, or algorithms, if you like, that define how your password should embody complexity.
Isn’t that a contradiction in terms?
It’s another thing that makes passwords easier to predict.
I’ve got a few examples from my own experiences that just boggle my mind, in that when we see password databases being disclosed by hacker groups and things on the internet, we often see, where an organisation will say, “It must be at least nine characters or ten characters, and it must contain a digit.”
And then we see that 5% or 10% of users have chosen
It’s the simplest way to meet the requirement without putting any thought into it.
DUCK. If you think about number plates, or licence plates as you call them in North America, on cars…
…in New South Wales [the state in Australia], they have six characters.
You’ve got 366, and if you do the calculations, that comes out to some enormously large number.
But our standard issue plates actually have letter-letter, number-number, letter-letter.
And if you do the multiplication for *that*, you’ll find that the grand total of number plates you can represent is significantly smaller just by forcing it into a known pattern.
And I guess exactly the same applies for passwords…
CHET. It does.
I mean, there are a lot of things around complexity, and many security professionals preach practices that are rather difficult to accomplish with the number of passwords that we have to memorise.
The important thing is to actually go back to that math that you’re talking about.
I can probably create a ten-character password, if I want to mix in punctuation and random digits and all these things that a lot of us preach, that would be almost insanely difficult to crack.
However, you can accomplish a similar mathematical goal by simply making your password longer.
Avoiding use of dictionary words is great, and using punctuation is great, but to make a password policy digestible, length is probably the strongest factor you can do…
…because the alphabet itself, if you consider mixed case, that alone is 52 possibilities.
And when you take it from being instead of eight-long to 24-long, but it’s still something you can remember, it’s darn hard to crack even if you didn’t bother to do the “comma and the number two”, and all these different things.
The one that annoys me the most is the dependence upon leet-speak [using digits as letters], as it’s known in the IT business, where people just pick a nice word and they go, “Well, it’s not a dictionary word – I added a zero instead of an O.”
In fact, most password cracking applications an attacker might use try those things right off the bat, because they know how frequently people rely on this false sense of “complicating” their password.
DUCK. So we’re falling into that licence-plate problem, where we have what seems like a large space, yet we’re only utilising a small fraction of it.
Now, it strikes me that the idea of having a very long password, which is not something that will be found in a book…
…the particular advantage of just using alphabetic characters is when it comes to things like tablets or iPhones, where typing numbers and punctuation is quite hard.
And for anyone who’s shoulder-surfing, it’s actually really obvious when you’re doing the special stuff.
CHET. And that’s the new frontier of the password problem…
I mean, as if passwords weren’t enough of a problem for most of us on the web, now we’ve got this problem of the iPhone and the Android and the tablet.
The other thing I don’t really understand is a lot of these websites that restrict your password length.
They go, “It must be between 12 and 16.”
We mentioned hashes earlier, and the great thing about a hash is you can put in one character, or you can put in 1000 characters, and you *get a predictable digest* that comes out at the other side of the hash.
So there’s really not a good reason, if you’re storing passwords correctly in an application, a website, a database, whatever it might be…
…there’s not any reason to limit the length of it.
If I really wanted to have a password like
Mary had a little lamb, her fleece was white as snow, there’s no reason for something to go, “Oh no, that’s too long! I can’t store that in the database.”
It’s going to come out as a digest…
DUCK. OK, Chester, we’ve covered whether or not you should change your passwords all the time, regardless of whether you think they’re compromised.
We’ve talked about how you make a complex password.
Given that all of this complexity makes passwords harder to remember, the last issue I want to look at, which I hear people talking about a lot, is the idea that it’s possible to re-use passwords if you’re reasonable about it.
Now, everybody knows you can’t use the same password for everything.
But I’ve met a lot of people who go, “Well, for the easy or basic websites, unimportant websites, I use the same password. Then I have a medium-grade password, which I use on all the others, and then only for the really important sites, of which I only have a few, *then* I have hard passwords.”
And they convince themselves that this sort of password re-use, because you’re not using one password for everything, is in fact a good compromise.
But is it?
CHET. For one, I begin this whole idea with, “I’m not sure when it’s OK for someone else to be able to not only impersonate me, but for me not to know where they might impersonate me.”
So if I chose a low quality password and said, “Yeah, that’s fine for making a comment on the New York Times, no big deal”, but then I end up using that password at 400 different sites and it does get compromised…
…now I don’t even know where I might be impersonated.
And the information that could be gathered by logging into the accounts is frightening.
“SONY required I give them my birthday, my address, and my home telephone number; and Stratfor required I give them my email address; and this other one required that I give them some other personal information”…
And now all of those accounts are at risk, and I have no idea who might be compiling a dossier.
Not only my activities, but identity theft.
DUCK. What I think you’re saying is you really do need a complex but different password for every single online service you use… in an ideal world.
And it’s a rather frightening thing to say that.
I personally have logins to just around 500 websites that maybe I don’t regularly access, but at some point I’ve needed to create some credentials for.
And you go, “Well, how would you not use
password1, or decide that your password to comment on a Yahoo group is going to be
yahoochet, and the comment on a Google group is going to be
At least they’re different, but they’re obviously predictable to anybody that knows exactly what the scheme is that you’re using.
And there really isn’t anything that is a giveaway or a throwaway kind of situation when you’re talking about your identity and what you do online.
DUCK. Now, you use a password manager, don’t you?
There are lots of them about; there are some good and some bad – we won’t discuss here how you decide whether they’re good or bad.
Ask a friend or colleague, I guess, for recommendations.
A password manager can invent complicated passwords for you, and remember which passwords go with which site.
Doesn’t that just bring us back to the problem that now you have one password for everything?
Because if someone gets the password to the master suitcase of passwords, then that’s like having a skeleton key to the whole hotel.
CHET. Yes, there certainly is a risk of that.
I’ve got two different policies around using my password management tool.
One policy I have is that truly critical accounts, like my financial institutions and things like that (going back to your idea of segregating how important something is)… those accounts are never stored in the password manager, period.
They’re too important to me to risk anybody being able to magically unlock them over the internet somewhere.
But then the secondary part of that is that when I do choose a new password, it is always different.
DUCK. OK, Chester, so we’ve dealt with the resetting of passwords; making complicated passwords; and reusing them.
I’m going to try and summarise, and you tell me if I’ve learned the right lessons.
Firstly: Reset passwords when you think that is actually necessary.
Don’t force change for the sake of it.
Secondly: Don’t try and define complexity.
Just encourage users to have some techniques for choosing well.
And lastly, and perhaps most importantly: There’s no such thing as a password that is unimportant.
So, choose a different password for every site.
And if you find that a mental challenge, consider using a password manager and be extra-super cautious with that master password.
CHET. Yes, and I think for the IT administrators out there that may be listening…
…users do want to generally do the right thing.
And if we trust people, actually, once you put trust in someone, they have a loyalty and an ability to do the right thing that’s surprising.
DUCK. Chester, let me try one last piece of advice and see what you think of it.
When you have to change your password, or you feel like changing a password, never do it at the end of the day or at the end of your shift.
Always do it at the beginning, and log in and out, so you get used to the new password.
CHET. You get a finger memory, right?
You start typing… your fingers just move around the keyboard.
It’s a great piece of advice, Paul – I agree with it wholeheartedly.
Forcing password resets?
Trying to define complexity by simplifying things for users?
CHET. [JAMIE HYNEMAN IMPERSONATION] BUSTED!
DUCK. And re-using passwords because you think there are unimportant ones?
Very, very definitely BUSTED.
Do you agree with all of that?
CHET. I do.
And now, if we can just get everyone to start marching along with us, the internet will be a safer place!
Thanks for listening, everybody.
If you’ve enjoyed this show, then we have plenty more audio for you.
And I’m going to hand over to Chester to tell you where to find it…
CHET. Well, for the latest news, opinion, advice and research, you can always find that on nakedsecurity.sophos.com.
Until next time, stay secure!