2

There are two sides of password complexity, the administrator's side and the users' side. They are effectively disjointed requirements. Good complexity and policies of passwords are discussed often. But I have not seen any good guides or best practices for the users. All that is available are always those administrator's point of view best practices: Make a random complex long password and change it every other day...

In the end, the more complex the requirements and policies are, the more users will try to circumvent them by making simple passwords, writing them down, etc. But it is not their data they want to protect, and ultimately, once the security is breached, you don't get your losses back.

I have been in both situations, as an administrator and now as a user who is forced into zero password history, full complexity and change every 60 days. Plus I have my other 10 complex passwords to remember. So I started using simple alphanumerical sequences like: pou987^ or opqR678(. I know it is bad, but what the hell, my brain is limited and getting old.

Is there a good guide to construct non-random passwords that take into account zero history that can be remembered? (I do not need the password to be ultra strong, I know it cannot be done, but there are other barriers in place, firewalls, limited number of password attempts, physical access restriction, so I want the password to be considered strong with these extra barriers in place.)

What should I suggest to my users, as an administrator? How should they approach password creation (sorry, but NOBODY in the company is going to remember things like gZ9]Rjm}t5d?, which is now still considered weak; strong passwords start at 16 characters, which is idiotic)?

schroeder
atapaka
  • Are you aware that official guidance has changed in the past 2 years? – schroeder Mar 07 '18 at 15:32
  • No. Where can I find such a thing? – atapaka Mar 07 '18 at 15:51
  • NIST are generally considered the authority in this area. You can see a summary of the most recent guidance here https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/ – iainpb Mar 07 '18 at 15:58
  • @leosenko I hate to say it, but it is easily googled: "password guidance" – schroeder Mar 07 '18 at 16:01
  • Use a password manager! In 99% of the cases that is the right approach. – Anders Mar 07 '18 at 16:01
  • @Anders I can see the usefulness of a password manager for websites. But how about Windows/Linux logins, VPN passwords, etc.? For most users this is usually a single password, but still... As one answer mentioned, make an encoding which is easy to remember. I suggested that to users, they sent me to appropriate places, they simply said they will not remember it and I see their point: where is the capital letter, is this I or 1, etc. There might also be a cultural and age problem, as this is about users not in the USA and usually beyond 50 years. – atapaka Mar 07 '18 at 16:10
  • @leosenko Machine logins are part of the 1% *unless* you rely on a smartphone to check them. I don't understand why you couldn't store a VPN password in a manager. Might not autofill it for you, but that is a minor inconvenience. – Anders Mar 07 '18 at 16:25
  • In addition to https://security.stackexchange.com/q/53507/16960 , see also https://security.stackexchange.com/questions/tagged/password-management and https://security.stackexchange.com/q/45170/16960 . – Xiong Chiamiov Mar 07 '18 at 17:38
  • I recommend a password manager because it really cuts down breaches that result from poor user choice/management; e.g., simplicity, repeated passwords, etc. They can also protect against phishing and keylogging. –  Mar 08 '18 at 07:50

3 Answers

3

There is now very good guidance for policies that are foundationally good for users. Most of the requirements you state in your question are now antiquated.

Best: use a password manager! Let software generate and enter the password for the user. No memory required, and the password can be generated at maximum complexity (entropy/randomness, whatever you use to understand password strength).

But if you need to generate your own passwords:

First: stop requiring that users change their passwords so frequently. Most guidance suggests never requiring a change until there is a specified need to change (as in never, except when the account is suspected of being compromised). There is some debate on this point, but some admins only go so far as requiring an annual change.

Second: there has been encouragement for a long time to stop using the term "password" and using the term "passphrase". Length is far "stronger" than complexity. So, create a sentence: Word word word word. There's upper, lower, and special characters (space and a period). Is this perfect? Absolutely not! Is it strong "enough" and user-friendly? Yes, for most use cases. Admins and senior execs should be using far better passwords (see password managers above).

Third: [this is where the community will skewer me] require Two Factor Authentication and if used, relax the length and complexity requirements. I had never thought about this until I taught security awareness to Special Needs teachers who came up with this idea during class. It can be difficult for some differently abled and the very young to enter a complex or long password. If 2FA is implemented correctly, the password can be very simple, and yet secured by 2FA. Even if someone else needs to enter the password for the user, the 2FA token leaves with the user. Even if you do not loosen the complexity requirements, use 2FA everywhere you can.

All these things (except relaxing password complexity if 2FA is used) have been commonplace password guidance around the world for a couple years:

UK:
https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach

USA:
https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/

Microsoft:
https://www.semperis.com/microsoft-upends-traditional-password-recommendations-with-significant-new-guidance/

schroeder
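The answer above argues that length beats complexity and that a "Word word word word." passphrase is strong enough for most users. The following Python script is an added example (not code from the answer or from any of the linked guidance) that puts numbers on that claim: it estimates the entropy of the character-class passwords mentioned in the question against diceware-style passphrases, and generates a passphrase in the answer's pattern with a CSPRNG. The 25-word list is constructed for the example; the 7776-word list size is that of a standard diceware list. The entropy figures are upper bounds that assume every character or word was chosen uniformly at random, so a keyboard walk like `pou987^` is in reality far weaker than its figure suggests.

```python
"""Strength of the password styles discussed in the answer above.

Added example, not code from the original answer. Entropy here means
log2 of the number of equally likely candidates, assuming the attacker
knows the generation scheme (word list or character set) but not the
choice. It is an upper bound: a human-chosen string such as a keyboard
walk is far weaker than a random string of the same length and class.
"""
import math
import secrets
import string

# Constructed sample word list. A real passphrase generator needs a large
# list (the EFF diceware lists have 7776 words); 25 words are used here only
# so that the example is self-contained.
SAMPLE_WORDS = [
    "anchor", "basket", "cactus", "dolphin", "ember", "falcon", "garnet",
    "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nectar",
    "orchid", "pebble", "quartz", "ripple", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yonder", "zephyr",
]
DICEWARE_LIST_SIZE = 7776  # size of a standard diceware word list (6^5)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly from `alphabet_size` candidates."""
    return length * math.log2(alphabet_size)


def charset_size(password: str) -> int:
    """Size of the union of the standard character classes the password draws from."""
    classes = (
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, 32),
    )
    return sum(size for chars, size in classes if any(c in chars for c in password))


def random_password_entropy(password: str) -> float:
    """Entropy the password would have IF every character had been chosen at random."""
    return entropy_bits(charset_size(password), len(password))


def passphrase_entropy(word_count: int, wordlist_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of `word_count` words drawn uniformly from a list of `wordlist_size`."""
    return entropy_bits(wordlist_size, word_count)


def words_needed(target_bits: float, wordlist_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest number of words from the list that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(word_count: int = 4, wordlist=SAMPLE_WORDS) -> str:
    """The answer's 'Word word word word.' pattern, with words chosen by a CSPRNG."""
    words = [secrets.choice(wordlist) for _ in range(word_count)]
    return " ".join(words).capitalize() + "."


if __name__ == "__main__":
    for pw in ("pou987^", "opqR678(", "gZ9]Rjm}t5d?"):
        print(f"{pw!r}: {len(pw)} chars, charset {charset_size(pw)}, "
              f"at most {random_password_entropy(pw):.1f} bits")
    for n in (4, 5, 6, 7):
        print(f"{n}-word diceware passphrase: {passphrase_entropy(n):.1f} bits")
    print("words needed to match 'gZ9]Rjm}t5d?':",
          words_needed(random_password_entropy("gZ9]Rjm}t5d?")))
    print("example passphrase:", generate_passphrase())
```

Running it shows that a four-word diceware passphrase (about 52 bits) already exceeds a random seven-character `pou987^`-style string (about 43 bits), and that seven random words match the twelve-character full-complexity password from the question while being far easier to type and remember. For a real deployment, swap `SAMPLE_WORDS` for a full diceware list; with only 25 words the generated passphrase has just 4·log2(25) ≈ 18.6 bits.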
2

The challenge is "what will users remember", hence the addiction to post-its.

I tell users to pick a couple of items on their desks and use them for their password. If you ask 5 people to look at a desk and choose what stands out to them, you'll get 5 different responses. Now include qualities of these items (color, size, memory associated with the item) and guessing it gets a lot harder.

Additionally, content on desktops tends to shift over time. A lot of it is static, but there's subtle drift over time as new items get added and older ones get removed.

For instance, if I have a blue toy car from a vacation, a silver clock I won in a raffle, a white fan, and a foam rubber can holder from a band I like and whose concert I saw in Zurich, there's an almost limitless series of possibilities. Maybe it's BlueCarZurichConcert. Maybe it's clockCarBand. Maybe it's BlueSilverBlack. The point is, the user can look at their desk and get a good idea of what their password is, and someone trying to guess it will have a very limited idea of where to start, even if they knew that the password was stuff on the desk.

baldPrussian
0

If that is something that needs to be remembered, the best recommendation I've seen is encoding a phrase that one can easily remember. For example, "My dog Sally likes to play tug of war" becomes Md$LtPt0w, which makes a pretty strong password. All the user needs to do is remember the phrase and the encoding rules.

postoronnim
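The answer above leaves its encoding rules implicit. As an added example (not the answer's own method), the Python below makes one such rule set explicit and deterministic, so a user only has to remember the phrase and three short rules. The rules and the substitution table are assumptions chosen for illustration; applied to the answer's phrase they give `Md$LtpT0w`, which differs slightly from the answer's `Md$LtPt0w` because the author's rules are not stated. The composition check at the end only confirms that the four character classes are present, which is what most complexity policies test; it says nothing about how guessable the phrase itself is.

```python
"""Phrase-to-password encoding with explicit, repeatable rules.

Added example, not the answer's own method. The three rules below and the
substitution table are assumptions for illustration; the answer's author
used different (unstated) rules, so the same phrase encodes differently.
"""

# Rule 2 table (assumed): an initial letter replaced by a look-alike symbol.
SUBSTITUTIONS = {"s": "$", "o": "0", "a": "@", "i": "!", "e": "3"}


def encode_phrase(phrase: str, capital_every: int = 3) -> str:
    """Encode a phrase under three rules:
    1. take the first character of every word;
    2. if that letter (case-insensitively) is in SUBSTITUTIONS, use the symbol;
    3. otherwise upper-case the initial of every `capital_every`-th word,
       starting with the first, and keep the other initials as written.
    """
    out = []
    for index, word in enumerate(phrase.split()):
        initial = word[0]
        if initial.lower() in SUBSTITUTIONS:
            out.append(SUBSTITUTIONS[initial.lower()])
        elif index % capital_every == 0:
            out.append(initial.upper())
        else:
            out.append(initial)
    return "".join(out)


def has_all_classes(password: str) -> bool:
    """True if upper, lower, digit and symbol classes are all present.

    This is the kind of check a complexity policy performs; it is not a
    measure of strength, so a phrase that is easy to guess still fails
    even though its encoding passes.
    """
    return (any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


if __name__ == "__main__":
    phrase = "My dog Sally likes to play tug of war"   # phrase from the answer
    encoded = encode_phrase(phrase)
    print(phrase, "->", encoded, "| all classes:", has_all_classes(encoded))
    short = "an apple a day"                             # constructed example
    print(short, "->", encode_phrase(short), "| all classes:", has_all_classes(encode_phrase(short)))
```

Because the encoding is lossy, the password cannot be recovered from the phrase by anyone who does not also know the rules, but the security still rests on the phrase not being a well-known quotation or song lyric, since those are exactly the phrases a guessing attack tries first.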