About three years ago, developer Cameron Morris had a personal epiphany about passwords, he recently told ZDNet’s John Fontana: The time it takes to crack a password is the only true measure of its worth.
Not whether it has a minimum of x or a maximum of y characters, not whether it’s got blah-blah amount of numbers, not whether it includes your frou-frou leetspeak ch@r@ct3rs, not whether it contains the verboten from lists of taboo words.
Syntax laws like those make up the typical password policy creations most organizations use and that many security practitioners preach.
But if you religiously follow such policies, Morris notes, you get situations like this: Facebook graded as “weak” a password he made up of 35 characters using the first letters of a random phrase, while it deemed a password “strong” when it matched the social network’s creation policies, which allow for use of common words.
Morris’s Facebook-appeasing password?
The time it would take to crack that supposedly strong password, according to tools that Morris has created to estimate password strength: less than one day.
Morris, a developer at defense contractor Partnet, told reporters that he came to his realisation after a half hour spent creating a tough-to-crack password.
That 30 minutes of password creation labor was followed by the realization that he’d have to go through the whole rigamarole again when he had to change it in a month’s time.
Stop right there. That has the aroma of a password myth.
As Paul Ducklin and Chester Wisniewski discussed in a Sophos Techknow podcast, “Busting Password Myths”, the idea that regular password changes lead to better security dates back to the days when passwords were stored in plain text files on Unix systems.
Regular password changes actually decrease security, for a few reasons: 1) your poor users are going to start using sucky passwords because they’re easy to remember and to increment, and 2) doing something security-related on a regular, predictable schedule (quarterly? monthly?) is a gift to hackers.
This regular password change-out distracts the IT department for a predictable chunk of time on a predictable schedule. Predictability is a gift you don’t really want to hand to attackers.
At any rate, being influenced by the myth that regular password change equates to good security, Morris thought it would be neat to set password expiration based on the strength of a password. He couldn’t find a way to measure password strength, though.
Hence, he started building a collection of tools to do just that.
Those open-source tools are out now. Morris handed them over to the Open Web Application Security Project (OWASP) in January.
Morris is inviting people to give them a try. One tool, called Passfault Analyzer, predicts how long it will take to crack a given password.
He also created a Password Creation Slide-Tool that lets administrators configure password policy based on the time to crack, the possible technology that an attacker might be using (from an everyday computer on up to a $180,000 password attacker), and the password protection technology in use (from Microsoft Windows System security on up to 100,000 rounds of the cryptographic hash function SHA-1/).
The tool lets users move a slider bar to increase or decrease the amount of time passwords should take to crack.
All good, yes? But then came the next step in what came to be a password kerfuffle: Morris’s premise and tools quickly lit a fire under SecurEnvoy, maker of two-factor authentication technology.
SecurEnvoy blogged that, basically, Morris was right about password creation policies, but he didn’t take it far enough, because, in fact, conventional ID/password security is toast.
The company’s blog quoted co-founder Steve Watt as putting it this way:
"This isn’t to say that Cameron is wrong - far from it - it’s just that the reasons why passwords are coming to the end of the line in today’s online environment are multi-faceted, with company password policies being only one issue of concern."
"One of the other major issues we have observed is that people have great difficulty remembering more complex passwords than the six or eight alphabetic strings that most Internet users rely on. Because of this, they fall back on an eight digit passphrase that is usually a family member’s name or place of birth, and which—unfortunately—are all too easy to hack using brute force password attacks."
It will not shock many readers to find that Watt proposes that the answer is what his company sells: i.e., tokenless two-factor authentication.
Watt does have good points about corporate password policies: they spawn mutant, impossible to remember passwords. Users wind up storing them on their mobile phones or, worse, writing them on sticky notes or on the undersides of their keyboards.
This is, in fact, the heart of the matter that Morris got right, SecurEnvoy says: overly complex passwords prompt users to find easy ways to remember them.
Yes. But the idea that passwords are going away is nuts.
The reasons for this were well laid out by ZDNet’s Manek Dubash.
Dubash suggests that two-factor authentication isn’t going to save us, given that we’re all bringing our smartphones to work and logging on to Facebook in the enterprise:
"The reality today is that the division between enterprise and personal environments has all but evaporated."
"In the course of their jobs, people increasingly access their personal services at work using their personal devices. And enterprises cannot mandate two-factor authentication for access to Facebook, for example, which might well be the chosen method of communication of a key supplier, or a way of communicating with potential customers."
"All FB wants is a password, and it's not alone."
So if two-factor authentication isn’t going to save us, what’s the answer?
I rely on password generation using the scheme that Sophos’s Graham Cluley teaches in this video.
So I put one of my Graham-inspired passwords – containing seven characters – through Morris’s Analyzer and found that it would take approximately one day to crack it.
I would prefer that it get up into the range of a year, at least, if not a few centuries, and that is exactly what happened when I appended a range of characters from the keyboard, left to right and then the same string right to left.
Presto! Up in the centuries range.
That points not to a flaw in Graham’s technique, of course, but rather a confirmation of Carnegie-Mellon’s 2011 study (PDF) that concluded that length was the only thing that really influences password strength.
ZDNet’s Dubash, for his part, writes that he uses a “tiny portable password generator,” as well as KeePass, an open-source password manager that can even be bolstered with two-factor authentication.
It’s all good. We have a technique from Graham that shows us how to create easily remembered passwords. We have password managers. We have a bunch of busted security myths from Chet. We have the Carnegie Mellon study that shows that making them long makes them strong.
And now we have a tool to analyze that strength in terms of how long it takes to crack a given password.
Cracked safe image courtesy of Shutterstock.