Friday, December 13, 2013

Reflections on Password Complexity

Michael Coates started an interesting thread on the OWASP Leaders list about password policy complexity guidance. http://lists.owasp.org/pipermail/owasp-leaders/2013-December/010492.html

I think that password policy overall is a failure and we indeed need to update our guidance on this topic.

Password length is the most important mathematical aspect of password policy, so passphrases seem like a good idea. But if your passphrase is a known sentence from a book, or just a collection of dictionary words, the benefit decreases significantly. Here are some interesting articles that discuss this problem to some degree from the perspective of offline password cracking.

http://arstechnica.com/security/2013/08/thereisnofatebutwhatwemake-turbo-charged-cracking-comes-to-long-passwords/
http://dashburst.com/bible-hackers-password-cracking/
https://bitcointalk.org/index.php?topic=85862.25;wap2

Jeffrey Walton suggested to me that one of the most important aspects of a good password policy is to not allow users to choose commonly used passwords, even passwords that fit your corporate password policy. For example, the password Password1! probably would be accepted by most corporate password policies, but it's a dangerously bad and commonly used password. Hackers conduct "reverse brute force attacks" where they take a commonly used but supposedly strong password, and make one attempt against a large list of accounts. This and other reasons have prompted some banks to enforce strong policies on usernames!
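To make the Password1! point concrete, here is an added example (not from the original post or the OWASP thread) of a password check that applies a typical complexity rule and then a common-password blocklist lookup on normalized forms. The blocklist entries, the substitution table, the function names and the sample passwords are all constructed assumptions; a real deployment would load a large list of commonly used or breached passwords.

```python
import re

# Constructed sample blocklist (assumption); a real deployment would load a
# large list of breached or commonly used passwords instead.
COMMON_PASSWORDS = {"password", "welcome", "letmein", "qwerty", "123456"}

# Common character substitutions, undone before the blocklist lookup.
DELEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                        "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def meets_complexity(password: str) -> bool:
    """Typical corporate rule: 8+ chars with upper, lower, digit and symbol."""
    return (len(password) >= 8
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[0-9]", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)


def candidate_forms(password: str) -> set:
    """Reduce a password to the base words it was probably built from."""
    lowered = password.lower()
    # Drop the digits/symbols users append to satisfy complexity rules.
    trimmed = re.sub(r"[^a-z]+$", "", lowered)
    forms = {lowered, trimmed,
             lowered.translate(DELEET), trimmed.translate(DELEET)}
    forms.discard("")
    return forms


def is_common(password: str) -> bool:
    """True if any normalized form of the password is on the blocklist."""
    return not candidate_forms(password).isdisjoint(COMMON_PASSWORDS)


def check_password(password: str) -> str:
    if not meets_complexity(password):
        return "reject: fails complexity policy"
    if is_common(password):
        return "reject: commonly used password"
    return "accept"


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ("Password1!", "P@ssw0rd2013!", "Welcome123#", "vT9#mq2!Lx-pine"):
        print(f"{pw!r}: {check_password(pw)}")
```

The first three samples satisfy the complexity rule and are still rejected, because each reduces to a blocklisted base word once case, trailing padding and character substitutions are normalized.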

I feel like the use of password managers is one of the key aspects of secure user password management. I know of several mid-size companies who have or are starting to enforce their use. Bob Lord, the Director of Security at Twitter, has led the charge of enforcing this on the entire Twitter staff. I think this move is a big win for Twitter's internal security.

http://news.softpedia.com/news/Hack-in-the-Box-13-Twitter-s-Bob-Lord-Forces-New-Employees-to-Use-Password-Managers-344699.shtml

Last, any password advice needs to push multi-factor. Poorly misquoting John Steven (as well as taking his quote out of context), "Using passwords to protect your account will help you as much as motorcycle helmets will protect you at high speed."