Password Policy - What do you think?

Traditionally all of us have been taught that password policies are a must along with the thought that passwords must be changed on a regular basis. This even comes up in the CISSP exam. When you look at how a security team operates, those that are considered excellent and cutting edge all have a password policy that always includes some kind of periodic forced password change.

I'm going to throw something out there and see what you all think. Let's say that I have had a brick fall on my head and I decide that security is more a human-centric issue than a technical issue. Now, since the bump on my head is really big, I determine that if I make my alpha passwords with special characters too confusing, my end users are going to write them down or store them somewhere without the slightest bit of protection.

Since we're sure that I'm completely mad at this point, I will also tell you that I have decided that my alpha special character passwords that are at least 7 characters long will resemble normal words instead of crypto-babble. On top of this madness, if I can determine that current cracking technology cannot crack these common phrase passwords in my lifetime or the next and I know that my end users will not write these passwords down because they can easily remember them, I am no longer going to force periodic password changes (outside of terminations and personnel turnover to key assets if they are admins or the like).

Now that I have exposed the mania that has come over me, am I less, more or equally secure as those who implement traditional password policies as I have outlined here?


Now, before I lay down my cards, let's see what all of you have to say. ;)

IMO, a password policy cant enforce something like "must start with a vowel" or "must have 3 special chars on it". This only weaks the password. But minimum length and periodic changes i think that is "a must".
Following your idea, You dont enforce password change interval because you create a password strong enough to resist current crack methodologies.
But since noone change anymore i can dump all your strong password, use a brute force to break them while im waiting for a better algorithm :)
Since you dont change your password, if i wait 3 years and get a better crack tool i still can break you system with that old password dump, cant i?
If you dont enforce, most of the users wont change the password.
If now they are secure, maybe they wont be next semester...

hmm.. well I can offer no real experience, but I think you should consider that passwords are not only obtained by cracking them. Despite your best efforts, some users will write down passwords regardless. Some will give them away. Others may steal them.

I think password changes are much more a reactive policy than a proactive one... they're designed to minimize the impact os a potential breach. Still, I would certainly extend the time between password changes in your place, perhaps only keep a list of the last three password instead of the last ten to make it easier for them, stuff like that.

But all in all, I agree with the idea in theory. Could you provide an example of the policy text?

Must of been a big brick...

Another reason to change passwords periodically is social engineer attacks, your passwords might be uncrackable for the next 20 years, but all it takes is one user to give out his or her password to someone else and they are in until you find out that they are in and where they came in, assuming you do find out that someone stole a password.

People are lazy. They dont like to memorize passwords. One of your users may deside that he or she does not want to remember a new password and use that same password in another location such as on a website. Maybe the website stores the password in plain text or some method that is easily breakable. Websites have data stolen all the time or the website owner may not be the most honest person.

There is no policy in place at this time. It's an experiment that we're conducting to prove a point about human behavior in relation to our security policies. We've selected several departments that agreed to participate in order to see how the end users react to this theoretical enterprise-wide change.

Thus far, the experimental networks have had no breaches nor have we found passwords recorded in any number of mediums as we typically find in departments who are under the thumbof our traditional password policy. When this is over, I will post some additional information on our findings. The most significant result so far is that the end users are not recording these passwords, rather, they are remembering them. We have found that 85% of our password breaches were directly attributed to someone writing it down in the open or saving it to a txt file left on a floppy sitting at their desk.

We have password policy as part of our ISMS document (Iformation Security Management System).
Here is the extract of what we do.

9.3.1. Passwords
Passwords provide a means of validating a user's identity and thus to establish access rights to information processing facilities or services. Users should follow good practice in the selection and use of passwords.

Passwords will be at least eight characters long and contain a mix of lower and upper case characters and numerals.

Passwords will be changed by the user at least every 42 days or whenever there is an indication that a password may be compromised.

All users should adhere to the following guidelines with regard to passwords: -

a) Passwords should be kept confidential
b) Passwords should not be written down or stored in any way unless the means of storing them is in itself secure.
c) Passwords should be randomly generated and contain no dictionary word of more than three characters
d) Successive passwords should not repeat any obvious pattern
e) Temporary passwords should be changed at first login
f) Passwords should not be included or stored in any automated sign-on procedure
g) Individual user passwords should not be shared

If a password is entered incorrectly 3 times in succession, the user account will be locked temporarily. The lockout will last for a period of 30 minutes. If a password has been forgotten the user should contact the system administrator or Help Desk.

In the event of a user forgetting a password, a temporary password should be allocated to the user (see e above).

A user may use the same password for multiple facilities or services provided an adequate level of protection is available for the password in each case.

System administrator (or equivalent) passwords should be different on each system. A sealed record of all system administrator passwords should be stored securely by Head of IT.

Quote:

---

Since we're sure that I'm completely mad at this point, I will also tell you that I have decided that my alpha special character passwords that are at least 7 characters long will resemble normal words instead of crypto-babble. On top of this madness, if I can determine that current cracking technology cannot crack these common phrase passwords in my lifetime or the next and I know that my end users will not write these passwords down because they can easily remember them, I am no longer going to force periodic password changes (outside of terminations and personnel turnover to key assets if they are admins or the like).

---

Im not sure, but I thought there was a password cracker that would use leet speak type of words along with the traditional dictionary type of crack.

So according to this, an accepted password for this scheme could be D0ct3r007 or iLik3ch33s3 or Ou812sodIdi

Interesting. Please keep us posted on your experiment.

~Halv

Quote:

---

Im not sure, but I thought there was a password cracker that would use leet speak type of words along with the traditional dictionary type of crack.

---

True, however, I have yet to see a cracking program that can break special characters (outside of the NSA).

Remember, special characters are used in the experimental passwords.

;)

If it is guaranteed that NO ONE will write it down or tell anyone else, and that they will remember them without a problem, and they cannot be cracked then it is all well and good. As long as the transmission of the password across any network is encrypted in such a manor that no one can sniff the password. And to make sure thet the security program doesnt have a flaw somewhere that would allow somone to just enter the hash rather than the password it self.

edit***

Oh and every single password you use would need this security, or atleast all of them that have access to the box(es) you are trying to protect. Becasue if one is bad, it leaves an opening to use one of many exploits available (depending on OS) to change the other passwords. remember, passwords are just one part of the equation.

Quote:

---

Now that I have exposed the mania that has come over me, am I less, more or equally secure as those who implement traditional password policies as I have outlined here?

---

Well, Hoss~ old chap, you are probably less protected, in that a 7 character pass is well within the ambit of john the ripper and suchlike.

You also need to consider your attack vector? like if you have to go through the razor wire, past the dogs, and the armed guards, and use your biometric pass to enter the building..............maybe you are just trustworthy enough to read the yellow sticky.

At home, I will make a terible admission, my user IDs and passwords are scotch taped to the boxes.........I have a wife :) .............and they are very complex passes.

Mind you, I do have 3 boxes with removable hard drives...........you would need to blow the safe to get to them :D

BTW..............have you apologised to the brick and sent it some flowers?

:D

Quote:

---

At home, I will make a terible admission, my user IDs and passwords are scotch taped to the boxes.........I have a wife .............and they are very complex passes.

---

IMO in some situations(such as homes) it is not -horrible- to write down the passwords for something. as long as the area they are in has good physical security, and it is ok for everyone that has access to that area to have the passwords, then its not such a big deal. For home computers where everyone is using it, and they are going to be sharing an account anyway, passowrds are reallly only there to stop remote access.

The idea behind changing your password periodically is directly related to the fact that it is supposed to take longer to crack the password, than the life of the password. Using something like a 7 char password is by far no good enough to meet this principal. If you could produce a password that was uncrackable by the best equipment in say, 5 years, then not enforcing password changes would be very acceptable.

The other problems you run into are:

Sniffing - Periodic changes only somewhat effect this. It just means that the lifetime a hacker has your password is reduced. Items such as restricted login hours, location, and count are much better ways to reduce this threat.

Social Engineering - Again, if you have policies in place that restrict two users from using the same account, and don't all out of the norm operations then this isn't a big issue. If a user has a problem where he/she gave our his/her password he would understand that he needs to change his password right then, and not when it expires.

Writing down of password - This is by far the worst case senerio in any password management situation. Again, restricted logins diminish the harm that can be done from such a lapse.

In all three of these cases the periodic change only reduces the lifetime of the stolen password. Its really unlikely that after someone has stolen a password that they are going to use it for an extended amount of time anyway. With that information I would have to say then that the only measure that requires periodic changes would be to make the lifetime of the password less than the amount of time it would take to crack it.

Security is a total balancing act. You need to make the password cryptic and long enough to be effective, but short and memorable enough that someone won't write it down. If it were me, I would say increase the requirements of the password, say maybe 3 types of chars and 12 char minimum, and increase the lifetime of the password to maybe a year. The fact that a user doesn't have to change his password right after he finally starts to remember it will reduce the desire to write it down, yes increases the strength of the password. In the balancing act I feel this is the best situation.

Considering in the "high end" (goverment level) passwords are cracked in minutes, and using good rainbow tables and other very effective methods of cracking passwords 1 year would not be acceptable. You would need to change your passwords more than daily. So your theory they the TTL of a password should be as long as it would take to crack is flawed(not wrong, becasue it is good logic, and in most cases can hold true, but still very flawed)

as far ass password legnth, 7 characters I think is an acceptable legnth fo lower level security such as desktop computers with little valuable information on them, home computers, things like that. If my 7 character password was "1@550!?!" it would probably take longer to crack then a 12 character on that looks like "ki11ingtim3!" (this meets your requirements) simply becasue of the way the password is set up. it is a phrase, using common "leet peech" which is included in all good dictionaries. so pasword legnth is not the only thing to consider, the password itself has alot to do with defense against attacks.

oh, and I would much rather have a server in a secure area with a post-it with the password writtin on it placed on the key board, then I would a server with no physical security and a strang password. If the attacker has physical access, no password will stop him.

It all depends on the level of risk associated with your system. Complex, passwords with short lifespans ar just something admins have taken from the trusted operating system texts. It wasn't selected because it is anymore useful or sane for your traditional commerical level security system... than say a security kernel or MAC, but merely because it is really easy to implement.

That said:

1. Complex passwords that are required to be changed will show a statisitcally insignificant difference in the percentage of users writing down the passwords from simple permanent passwords. The only time you will see a difference is when it is made very clear to the users that you are now using simple passwords that don't need to be changed, however this will only last a short while. (if forced changes are required) My girlfriend is an excellent example, she uses one of two five letter words with no special casing for all of her passwords... yet she has these written in her phone, address book, notebook in her desk, etc. and she isn't ever required to change those passwords, from my experience she is typical of a non-IT worker using IT resources in this regard.

2. Users frequently use the same passwords for many things. For example, a user gets phished on their home computer or even uses a site like this. They register: [email protected] and use their_normal_password. Now the account has been compromised. Forcing users to change passwords regularly narrows down that window of vulnerability.

I am not sure complex passwords are really a must, I think so long as the login attempts are limited to 3-5 the chances of an attacker guessing a password, especially 7-8chars is very slim, even if it is something like "godcatch".

cheers,

catch

PS. to the rest of you, password hashes should never be accessible to untrusted users... so cracking is moot.

First off, I would enforce my users to change their passwords periodically, I consider this practice a very good practice especially in the field of data security and integrity. In every company there is always someone to miss things up and never even care about changing their DEFAULT passwords. I think this enforcement can save a lot of time and money, we don't really need to fall in this pitfall before yielding to the policy of changing the password periodically.

Consider the following scenario, a negligent employee entered the password in the presence of a friend, colleague or even a client. This person might catch the password, and later try to gain access, without making sabotage, like going over and steal some sensitive data, if the password is not changed this person will still has a complete access to the data. This case is usually overlooked and neglected. {No countermeasure policy for such a case}.

Not to mention, many employee may open a work session from home, friend's house or even from a café. Here there is no guarantee that this PC is not watching the keyboard strokes {No guarantee of course}.

Believe me guys, in my country there are still people who don't even care about the passwords and their delicate mission. Even in the most hot seats. They keep all the doors of hell widely open, welcoming everyone.

My thoughts

Cheers

At the end of the day a password is only as secure as the password holder is. All this fuss about passwords becomes moot if your password gives access to the Crown Jewels and some one is holding a gun to your childs head.

A far more secure system would encompass restricted access to a system, user verification and a covert method of telling whether a persons security has been compromised.

Quote:

---

At the end of the day a password is only as secure as the password holder is. All this fuss about passwords becomes moot if your password gives access to the Crown Jewels and some one is holding a gun to your childs head.

---

It's a good thing that BS7799 adresses this. :) (7.5.5) And to think, some people still find standards useless. ;)

Also, just because something (like passwords) are not a complete solution, doesn't mean they shouldn't be discussed just because a situation might arise to nullify them.

Quote:

---

A far more secure system would encompass restricted access to a system, user verification and a covert method of telling whether a persons security has been compromised.

---

Although true, these points are well beyond the scope of this conversation.

cheers,

catch

by phrases are you saying something like:

pw = My dog is a rat bastard!


we were tossing that around over here for a bit, but it turned otu to not be compatible with some of the other stuff we are running. when that legacy stuff gets phased out i have no doubt we'll go that route.

i would still require a mandatory change tho - but perhaps every 6 months as opposed to every 30 days.

Quote:

---

Although true, these points are well beyond the scope of this conversation.

---

Well yes, I suppose they are. I would hazard to say, that to day, passwords are more a find a scapegoat technology than a security technology? Still a very important tool in a corporate or other inviroment none the less.

Quote:

---

I would hazard to say, that to day, passwords are more a find a scapegoat technology than a security technology?

---

I couldn't agree more, and I think that we will see password authentication phased out in the near future. I suspect it will be replaced by two-factor authentication involving either biometrics or something like smartcards... and by having the user answer soft matching questions.

I have seen a few systems like this already... that ask three simple questions. typically the user answers 10-20 questions when setting up the account. Of which 1-2 of the questions are fakes, eg: "When was your last trip to Europe?" If you've never been and this wasn't selected from the original set and you answer it, even if your other answers are correct this will act as a duress alarm.

The duress alarm typically initiates a fake session that is then disconnected giving a communications error, so the attacker doesn't know they were lied to.

After passwords phase out I think will see application level security phase out. People will realize that blaming applications for security issues is merely more scapgoating... and the real issue lies at the OS level. NGSCB is a stab at making this workable at the COTS level, I think we'll see good things.

cheers,

catch

Quote:

---

Originally posted here by catch I have seen a few systems like this already...... that ask three simple questions. typically the user answers 10-20 questions when setting up the account. Of which 1-2 of the questions are fakes, eg: "When was your last trip to Europe?" If you've never been and this wasn't selected from the original set and you answer it, even if your other answers are correct this will act as a duress alarm.

---

I hate to be the botheration in this thread, but are these systems modeled after the traditional models (Bell-La Padula, Biba (I know those only address reads and writes), lattice etc..)? What are the design principles and concepts? What model or models are these modeled after (designs)? If you're at leisure to divulge this information?
Forgive for my ignorance, I'm just trying to learn. :)

Well the password system concept that you quotes is merely an authentication model rather than an access control model like those you cited. ;)

cheers,

catch

Quote:

---

suspect it will be replaced by two-factor authentication involving either biometrics or something like smartcards... and by having the user answer soft matching questions.

---

And here is a look at the cards I mentioned when I started this thread.

Longhorn will require two factor auth (or so rumor has it). All law enforcement systems that I personally secure must have two factor auth by a certain date, the requirement coming down from DHS.

My experiment *should* prove that password protection as we know it is nearly dead. How many of you fully trust the classic password model? Not me.

This also implies that classic password policies are near death as well. I wsa a believer in them at one point but like I mentioned, today they look nice on paper but are laughable in practice. Some will disagree with me and I expect that. This is my professional opinion.

Anyway, my shop will be moving towards two factor auth and don't be surprised if it becomes a requirement within the next 10 years.

Thanks to all for throwing this around.

--TH13

im gonna say that you still need to have periodic password changes but with your plan you wouldnt need them as often bet there is always the human element and thats where your screwed and theres nothing you can do about it but say to hell with technology

We know that using classic password policies causes users to do stupid things with passwords. We don't want this to carry over into our two factor auth model and policy.

Our experiment is using strong passwords with special chars formated so that they look like normal words in order to eliminate as much of the human factor as possible. Theoretically, this new password format is what will be used on the smart cards and or biometric readers. We certainly do not want someone taping a password to the back of a smartcard. See how all this fits together now?

:)

I'm going to have to side on the issue using combination passwords. This is similar to a pass phrase, but instead uses, for example, 3 random common dictionary words separated by two other random characters. Take for example the password:

coffee#SYSTEMIC#juniper

Such a password is sufficiently long enough to withstand brute force attacks. In addition, providing the user with a way to generate these passwords can be accomplished easily. The fact that a user should change passwords often is simply following a best practice. Regardlesss of the password, many folks use different passwords at different locations, and will write them down anyway. Changing them to something less obfuscated might curve this a bit, but surely not completely.

Quote:

---

We certainly do not want someone taping a password to the back of a smartcard.

---

Like the millions out there with their ATM pin written somewhere in their wallet. Oh my god, a 4 digit number, how will I remember that.

Quote:

---

m gonna say that you still need to have periodic password changes but with your plan you wouldnt need them as often bet there is always the human element and thats where your screwed and theres nothing you can do about it but say to hell with technology

---

I disagree here, I think technology will provide an answere.

We all no that the human element is the weakest link in the security chain. There are far to many variables to consider, bad memory, poor operating practices, blackmail, coercion, etc, etc, the list is probably endless.

The technology to, positivley identify, authenticate and look for signs of duress/stress are already in wide spread use. They just have not bean amalgamated into one security solution viable to the mass market. There will come a day though, when these technolgies will be within reach and more reliable than what is available today.

In the mean time we have to do the best we can with what is available.

Passwords are nothing but security by obscurity anyway. A password is liek your own personal 0-day into a system. As soon as someone else finds out, it's no longer security by obscurity, and it's no longer YOUR password. I'm thinking of my own methods. I'm going to make an OS that has a cable that hooks up to the chair you sit in to log in. If you can't enter in the password, it sends a couple volts through the chair.

Most people quit ****ing around when they realise they are that much closer to no longer being able to produce children. If you don't believe me kick a penny half way into a light socket and tea bag it with your testicles.

Quote:

---

Originally posted here by whatthe
Like the millions out there with their ATM pin written somewhere in their wallet. Oh my god, a 4 digit number, how will I remember that.

---

My dumb ass Cousin MAtt had his written on the back of the damned card.... Well HAD. After a 400 dollar cash withdrawel, he re-thought that process over. Horsey, maybe that's what you should do, when they write them down, USE THEM.

Like my Cousin's card, after it was used he learned the values of security, after you take their passwords and send email to their boss as them, they learn.

BOFH love ;)

[quote]I'm going to make an OS that has a cable that hooks up to the chair you sit in to log in. If you can't enter in the password, it sends a couple volts through the chair.
[quote]

Yes! Then on monday morning... everyone will be able to see who all the idiots are... I don't know why... but it seems like the same dozen people forget their password every monday morning... its insane!

phishphreek80,

No doubt - and not just passwords... it's everything!!!

I swear, we must process over 1000 workorders each month - for the same 25 dumbasses!!!
I've got a better idea - the "dumbass-policy" - if you send in more than 3 "dumbass" workorders to IT in a week, your computer is taken away and replaced with a typewriter for two months...

"Let's see your 'bold' button disappear from Word now!!!! muwhahaha!!!" :D

-Wiski C.

You may be on to something there.

I say we both take our ideas and work them out into a computer where if they do something stupid it Zaps them, then if they do as you say, they get another big ass zap and a type writer. If you have to have it on the network, keep it legal with that and just use those type writer looking things that Unix ran on back in the day.

I still think there should be a license to use a computer. Some people really are just too stupid.

Quote:

---

Originally posted here by thehorse13
True, however, I have yet to see a cracking program that can break special characters (outside of the NSA).

Remember, special characters are used in the experimental passwords.

;)

---

I think it all comes down to human nature, Lazy Joe will write down his password, and we all know this. People, in many common cases (disgruntled employees) can and will give the PW away.

Aside from enforcing a regular change, it will not happen on it's own. As Sysadmin. could you just issue them (unique) to each user (no shiz), and monitor their use?

Apparently the best way to monitor spyware, is to spy on the very people who receive it.

How ironic. heh

Solving the "special character" puzzle is a major project for even the best cracker out there.

Just a thought.

Edits- Hideous Grammar

:D