Monday, August 15, 2011

Passwords Don't Have To Be That Hard

One of the issues that most frustrates users is passwords. They have to be long, they have to be complex (i.e., upper and lower case, numbers, symbols), and they have to be changed regularly. PCI DSS Requirement 8 spells this out in an amazing amount of detail: a minimum of seven characters, both letters and numbers, a change at least every 90 days, and more.

So how do you enforce a compliant password policy without everyone either (a) writing their passwords on yellow sticky notes attached to their screens, or (b) threatening you when you show your face in their office? Here are some thoughts.

Personally, I use 1Password to manage my (strong) passwords. There are also various other programs, many of which are free. I just like that one (along with a lot of other security pros for whom I have a lot of respect).


MAKE your password strong, with a unique jumble of letters, numbers and punctuation marks. But memorize it — never write it down. And, oh yes, change it every few months.

These instructions are supposed to protect us. But they don’t.
Part of the reason is that it is tough to follow those instructions.

But there are other approaches. For example, please take a look at this great column from the New York Times. The author's point is that length matters more than complexity:

Here’s a little quiz: Which is the stronger password? “PrXyc.N54” or “D0g!!!!!!!”?

The first one, with nine characters, is a beaut. Mr. Gibson’s page says that it would take a hacker 2.43 months to go through every nine-character combination offline, at the rate of a hundred billion guesses a second. The second one, however, is 10 characters. That one extra character makes it much, much stronger: it would take 19.24 years at the hundred-billion-guesses-a-second rate. (Security researchers have established the feasibility of achieving these speeds with fairly inexpensive hardware.)

Don’t worry about the apparent resemblance of “D0g,” with a zero in the middle, to the word in the dictionary. That doesn’t matter, “because the attacker is totally blind to the way your passwords look,” Mr. Gibson writes on his Web site.

Wowsers. If I can remember the number of exclamation points (or ^s or &s or whatever), then I can have a strong password that users might actually be able to remember. One caveat: those figures measure an attacker who has to try every possible string of that length. A cracker that feeds a word list through substitution and repetition rules will reach a word followed by a run of the same symbol much sooner than that, so the lesson to take away is the length, not the trick of padding with one character.

But for genuine wisdom (and I do not use that term lightly!), you have to see the blog post by my colleague Jeff Zellman at the 403 Labs blog. He writes:

What many people fail to realize is that password cracking is done by automated computer programs. These programs are fairly sophisticated and try all the characters on the keyboard (not just letters!). Shorter passwords are easier to guess since there are fewer characters to match. Just like a 3-ball lottery is easier to win than a 7-ball one.

Now imagine the difficulty of winning a 44-ball lottery.

You actually have to see the accompanying cartoon (talk about wisdom!) to get it, but the point is that we can help users create strong passwords (high entropy: the cartoon puts four random common words at about 44 bits, which is Jeff's 44-ball lottery) using passphrases that they can remember.
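To make the arithmetic behind those two passages concrete, here is an added example written for this post; it is not code from the Times column, from Mr. Gibson's site or from Jeff's post. It reproduces the search-space count that the 2.43-month and 19-year figures come from (my reading of the haystack model: the alphabet implied by the character classes the password uses, every length up to the password's, at a hundred billion guesses a second) and then computes the entropy of a random-word passphrase, the 44 bits behind the 44-ball lottery. The function names are my own and the toy word list is constructed for illustration only.

```python
"""Brute-force search time versus passphrase entropy.

Added example for this post; not code from the NYT column, GRC or 403 Labs.
"""
import math
import secrets
import string

GUESSES_PER_SECOND = 1e11  # the "offline fast attack" rate quoted in the column

# Character classes in the haystack model (my reading of it): the alphabet is
# the union of the classes the password actually uses, and the attacker is
# assumed to try every string of length 1..len(password) over that alphabet.
CHARACTER_CLASSES = (
    string.ascii_lowercase,      # 26
    string.ascii_uppercase,      # 26
    string.digits,               # 10
    string.punctuation + " ",    # 33 keyboard symbols, counting space
)


def alphabet_size(password: str) -> int:
    """Size of the alphabet implied by the character classes present."""
    return sum(len(cls) for cls in CHARACTER_CLASSES
               if any(ch in cls for ch in password))


def search_space(password: str) -> int:
    """Number of candidate strings of length 1 through len(password)."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def exhaust_time(password: str, rate: float = GUESSES_PER_SECOND) -> dict:
    """Time to try the whole search space at `rate` guesses per second.
    This is an upper bound on the attacker's work: a dictionary run with
    mangling rules finds word-plus-symbols patterns far sooner."""
    seconds = search_space(password) / rate
    return {
        "length": len(password),
        "alphabet": alphabet_size(password),
        "space": search_space(password),
        "days": seconds / 86_400,
        "years": seconds / (365.25 * 86_400),
    }


def passphrase_bits(num_words: int, wordlist_size: int) -> float:
    """Entropy of `num_words` words drawn uniformly from `wordlist_size` words.
    This is what counts once the attacker knows the scheme: four words from a
    2048-word list is exactly 44 bits, whatever the character-level search
    space of the resulting string says."""
    return num_words * math.log2(wordlist_size)


def equivalent_random_chars(bits: float, alphabet: int = 95) -> float:
    """How many fully random keyboard characters carry the same entropy."""
    return bits / math.log2(alphabet)


# Constructed toy list for the demo only; a real list has thousands of words,
# and the entropy above depends on the list size, not on the words chosen.
TOY_WORDLIST = (
    "correct horse battery staple apple river candle window "
    "garden pencil silver rocket forest button marble yellow"
).split()


def generate_passphrase(num_words: int, wordlist=TOY_WORDLIST, sep: str = " ") -> str:
    """Pick words with the CSPRNG; the user must not pick the 'random' words."""
    return sep.join(secrets.choice(wordlist) for _ in range(num_words))


if __name__ == "__main__":
    for pw in ("PrXyc.N54", "D0g!!!!!!!"):
        t = exhaust_time(pw)
        print(f"{pw!r}: {t['length']} chars over a {t['alphabet']}-char alphabet, "
              f"{t['space']:.2e} candidates, {t['days']:.1f} days "
              f"({t['years']:.2f} years) at {GUESSES_PER_SECOND:.0e}/s")
    bits = passphrase_bits(4, 2048)
    print(f"4 words from 2048: {bits:.0f} bits, about "
          f"{equivalent_random_chars(bits):.1f} random keyboard characters")
    print("sample:", generate_passphrase(4))
```

The two search spaces come out at about 6.37 x 10^17 and 6.05 x 10^19 candidates, a factor of 95 apart, which is the whole effect of the tenth character. The days and years here use a 365.25-day year, so they land a hair under the column's 2.43 months and 19.24 years. Note that "correct horse battery staple" has an enormous character-level search space (28 lowercase letters and spaces), but the number to plan around is the 44 bits from the word list, since an attacker who knows users pick four words will guess words, not characters.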

Computers can crack passwords (eventually), but people have to remember them. Too often when we are working on PCI compliance we forget that humans have to implement the requirements or they won't stick. Passwords are no different.

Let's see... "correct horse battery staple"... Read Jeff's post and you'll get it.

Maybe your users will, too.

1 comment:

  1. I've been advocating longer passphrases for years, however, I'm not convinced that password cracking is as big of a threat anymore. While it may take only three days to crack "Tr0ub4dor&3", it takes only a few minutes to phish your target.
