27

At our organization, we came across some frequent incidents such as:

  1. Reported successful password guessing attacks

  2. Frequent password reset complaints

We started an investigation to identify the causes and the flaws in our practice. The password policy is as follows:

Passwords shall have a minimum of 8 characters with a mix of alphanumeric and special characters and 60 days of expiry. No repeating passwords for 3 consecutive changes.

Most of the user feedback on our password policy was negative and the complaint was that they find difficulty in remembering the password and often they use a simple one to meet the policy.

We conducted an internal (personal) survey to identify how strong the passwords being used are; the outcome indicates there were several common words being used in different combinations as users must change their passwords every 60 days.

For example, passwords containing repeated words like name, home, office, etc. I believe most organizations have these policies in place and most of the standards recommend these (PCI-DSS, etc) but none of them really strike the balance between the controls and practical applicability.

Hence the real outcome of such policies/controls are not achieving the desired outcome.

The major concern is: how do we strike the balance between these policies (in this case the password policy) and practical implementation challenges?

Sayan
  • 17
    Possible duplicate of [Is forcing users to change passwords useful?](https://security.stackexchange.com/questions/7168/) and [How does changing your password every 90 days increase security?](https://security.stackexchange.com/questions/4704/) and [Password expiration and compliance (ISO, NIST, PCI, etc)](https://security.stackexchange.com/questions/161381) and [maybe more](https://www.google.com/search?q=site%3Asecurity.stackexchange.com+password+expiration+security). – Steffen Ullrich Jul 01 '18 at 10:11
  • 1
    Question has been rephrased to reflect the exact issue... Thanks. – Sayan Jul 01 '18 at 15:23
  • 3
    How many passwords do your users have to remember? – paj28 Jul 01 '18 at 20:29
  • 4
    I'd recommend adding [haveibeenpwned's password service](https://haveibeenpwned.com/Passwords) to your password validation and remove other non meaningful things like 60 days expiry and character classes requirements which are now no more NIST recommended. – Bakuriu Jul 01 '18 at 21:20
  • @paj28, We have around 5 different systems including domain (o365), ERP, etc. – Sayan Jul 01 '18 at 23:50
  • 2
    @Bakuriu, Can you please elaborate how this will solve the use of dictionary words. I just tried few dictionary word combination and the haveibeenpwned.com accepted those... – Sayan Jul 01 '18 at 23:57
  • Besides having just one set of credentials for the majority of the infrastructure, we have implemented a password checking system that is basically trying to crack the hashes day and night using all available password lists and enumeration algorithms we have available. In case we can crack one, the user's password is set to expire. – PlasmaHH Jul 02 '18 at 08:58
  • @Sayan - I think that reducing the number of passwords will have a good effect. You could specify an approved password manager, or depending on the risk/trust of various systems, just tell people to use the same password. One password changed annually is reasonable to ask people. Five passwords changed monthly is only going to make people cheat the system. – paj28 Jul 02 '18 at 12:43
  • [Everyone should be familiar with this by now](https://xkcd.com/936/) – JollyJoker Jul 02 '18 at 13:01
  • 4
    I never understood the point of rules such as "No repeating passwords for consecutive 3 times". When I was a university student, irritated by having to change my password, I would simply change it twice in a row to revert back to my original. "No repeating passwords for X number of days" is at least enforceable. – Jon Bentley Jul 02 '18 at 13:41
  • 1
    @Sayan Did I mention anything about that? If the user wants a passphrase it should choose 4+ words and even if they are common dictionary words it would be safe. Also: I don't see how any of those rules help with that. 99% of the users will start the password with a capital letter and end it with `!`, hence they are useless in that regard. Using ihavebeenpwned at least avoids the most used X million passwords and breached passwords which is much better than having those made up rules. – Bakuriu Jul 02 '18 at 18:01
  • Anyway if you want users to have 100% strong password there is a simple solution: do **not** let them choose the password. You should generate the password for the user. Period. Sure, you'll have an increase in reset passwords due to people forgetting and you'll have to check their monitors for passwords written down on paper... – Bakuriu Jul 02 '18 at 18:03
  • 2
    Modern NIST standards for passwords focus mostly on "long passwords" and "not the same character for the entire password" and "not use a dictionary word." Forcing changes is actually less secure, because it means users will write passwords down rather than remember them. Try this policy:
    • password must be at least 16 characters and at most 255 characters
    • password must not contain the username
    • password must not be all the same character
    That's it! (google "correct horse battery staple" for more info) – Jon Watte Jul 03 '18 at 00:16
  • 1
    **Consider your threat model:** If the fastest realistic threat for an internal system is "Someone sitting down at a workstation unnoticed trying random passwords by hand" - Even `password777` is safe enough to not be guessed in 3 tries. – Falco Jul 03 '18 at 07:34

10 Answers

42

Since this question is not a technical one, but rather one about human behaviour, you won't get the answer. What you describe is very typical though, and I have had the same experience.

Complex password rules will usually not lead to safer passwords; what really matters is only a minimum length and a check against a list of the most used passwords. People cannot remember tons of strong passwords, and such rules can even interfere with good password schemes. People can get very inventive to bypass such rules, e.g. by using weak passwords like "Password-2018", which satisfies most rules. Often you end up with weaker passwords instead of stronger ones.

The same applies to the password-change rule; it is very common to add an increasing number or the current month to the password.

Recently NIST published an official paper (see chapter 10.2.1), advising against such rules, and against its former recommendations.

An attempt to answer the edited question:

  1. We can try to delegate authentication, either with single-sign-on or with OAuth2, this way we can reduce the passwords a user has to remember (same password for multiple services).
  2. One could recommend a password-manager. A link on the login page to a good tool won't hurt.
  3. We could encourage password-phrases. Why not place a funny example on the login page: "I like to sleep until it is too late to get up", this raises awareness and shows the user how much easier (and mobile-friendly) pass-phrases can be. Just make sure to reject this exact example.
martinstoeckli
  • 2
    *weak passwords like "Password-2018", which satisfies most rules* - this is a **wrong statement**. This password contains two words from a typical dictionary, "Password" and the year "2018". Any simple validator will reject such a password. – mentallurg Jul 01 '18 at 14:12
  • 55
    Nevertheless, such weak passwords do satisfy most traditional naive rules - which is exactly @martinstoeckli's point. – Royce Williams Jul 01 '18 at 14:50
  • @mentallurg - Is there a particular validator you would recommend? – paj28 Jul 01 '18 at 20:28
  • @mentallurg A dictionary check is just 1 rule, so I don't see how that makes "satisfies **most** rules" "wrong" - "most" is not "all" (and "most" password validators probably don't even do dictionary validation). – NotThatGuy Jul 01 '18 at 23:35
  • 3
    Exactly, most services don't check for anything more than minimum length, has a capital letter, has a special character, and has a digit. – user253751 Jul 02 '18 at 00:21
  • @RoyceWilliams: It seems we know different traditions. The most traditional check is a check against a dictionary. Only afterwards did other checks appear - for minimal length, for a bigger character set. – mentallurg Jul 02 '18 at 00:54
  • 1
    @immibis: I don't know what *most services* you mean. Do you mean the *services that you implemented*? ;-) – mentallurg Jul 02 '18 at 00:55
  • 2
    I mean almost every single service I have *used* that has required password authentication. – user253751 Jul 02 '18 at 01:44
  • 38
    @mentallurg If your validator disallows dictionary words in the password, then it's a bad validator. I routinely use dictionary words in the passwords I have to remember, and it's often easier to get a high-entropy easily-rememberable password with dictionary words than with gibberish or replacements. See relevant [xkcd](https://xkcd.com/936/?). – Greg Schmit Jul 02 '18 at 02:20
  • 6
    @mentallurg And please don't rant about password managers like you did in the other answer, because no one is saying not to use one. I'm **obviously** saying for the passwords that you need to remember, disallowing dictionary words is a stupid, stupid practice that is virtually guaranteed to make users use silly patterns that have low entropy and still forget them constantly. – Greg Schmit Jul 02 '18 at 02:29
  • 7
    @mentallurg could you make some examples of validators that make dictionary checks? I'm fairly sure most services don't, or just check for username != password. – BgrWorker Jul 02 '18 at 12:46
  • 3
    @mentallurg I don't know of a single service I use or system that I work with that forbids dictionary words in its passwords. Why do you think this is common or "traditional"? If it's common, naming a few examples shouldn't be a problem. – jpmc26 Jul 03 '18 at 00:06
  • @martinstoeckli In your third point, you are saying pass-phrases are mobile-friendly - could you expand on this for me? In my experience I tend to have a harder time typing a pass-phrase into a mobile device because of accidentally hitting the wrong letter as I'm typing and only seeing asterisks. Are you saying they are mobile friendly because you don't need a password manager or that something about pass-phrases makes them easier to type? – tehDorf Jul 03 '18 at 16:34
  • @GregSchmit, while I completely agree on your point of disallowing dictionary words, I thought it's worth mentioning that NIST recommends checking passwords against previous breaches. [Troy Hunt](https://haveibeenpwned.com/Passwords) released a compilation of the passwords he has from breaches (hashed, obviously), making this check pretty easy, – Daniel V Jul 03 '18 at 16:48
  • 1
    @tehDorf - Maybe it's just me, but i'm much faster if I don't have to switch back and forth between the keyboards with normal and special characters. – martinstoeckli Jul 03 '18 at 20:17
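The check the answer recommends (a length floor plus a lookup against a list of the most used passwords), written as an added example that is not code from the answer or from any tool mentioned in the thread. It does the lookup the privacy-preserving way the comments touch on: the client hashes the candidate with SHA-1 and transmits only the first five hex characters, the service returns every known suffix with that prefix, and the comparison happens locally. `FakeRangeService` and its counts are constructed so the block runs offline; it is modelled on the "SUFFIX:COUNT" range-response format that breach-corpus services such as Pwned Passwords use, but it is not that service. `validate` also rejects the login-page example phrase, as the third point above suggests.

```python
import hashlib
from typing import Callable, Dict, List


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the digest breach range services key on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach-corpus range service. It holds a handful of
# plaintext/count pairs (the counts are invented), hashes them itself and answers
# prefix queries the way a k-anonymity range endpoint does: every stored hash that
# shares the 5-hex-character prefix, one "SUFFIX:COUNT" per line.
class FakeRangeService:
    def __init__(self, breached: Dict[str, int]) -> None:
        self._by_prefix: Dict[str, List[str]] = {}
        for plaintext, count in breached.items():
            digest = sha1_hex(plaintext)
            self._by_prefix.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
        self.requests: List[str] = []  # what the client actually transmitted

    def fetch_range(self, prefix: str) -> str:
        self.requests.append(prefix)
        return "\r\n".join(self._by_prefix.get(prefix.upper(), []))


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn the 'SUFFIX:COUNT' lines of a range response into a lookup table."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How often the password occurs in the corpus; only the 5-char prefix leaves the client."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def validate(password: str, fetch_range: Callable[[str], str],
             min_length: int = 8, banned_examples: tuple = ()) -> List[str]:
    """Length floor plus breach-list lookup; deliberately no composition rules."""
    problems: List[str] = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password in banned_examples:
        problems.append("is the example shown on the login page")
    seen = breach_count(password, fetch_range)
    if seen:
        problems.append(f"appears {seen} times in known breaches")
    return problems


if __name__ == "__main__":
    # Constructed corpus: the counts are invented for the demonstration.
    service = FakeRangeService({"Password-2018": 1337, "password": 4200, "qwerty123": 42})
    for candidate in ("Password-2018", "I like to sleep until it is too late to get up"):
        print(candidate, "->", validate(candidate, service.fetch_range) or "ok")
    print("prefixes sent to the service:", service.requests)
```

The output shows the point the comment thread argues over: "Password-2018" satisfies every traditional composition rule and is still rejected because it sits in the corpus, while the long phrase with no digits or symbols passes; the service log confirms that nothing but five-character prefixes ever left the client.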
14

The best solution is to train your user base to use passphrases.

Passphrases are easier to remember, easier to type - and harder to crack. And the NIST rules that @martinstoeckli mentioned are designed to be passphrase-friendly.

Five random words, drawn from a dictionary of at least 20,000 words or so, would be a nice middle ground.

Training will be key, using materials like Stanford's.

You could even create a way to generate and suggest passphrases to them. It would be relatively easy to create a simplified, private instance of ae7.st/g or rempe.us/diceware for your user base to use as a starting point. These execute entirely on the client side, so the passwords cannot be collected remotely.

[Edit: Yes, I'm also a big fan of password managers. But the original question is focused on password-reset helpdesk calls in the enterprise, which almost certainly means AD passwords - which are one of those "front end" passwords that usually must be memorized.]

Royce Williams
  • 4
    Pass phrases are only good A) if you don't change them for a long time; B) if you have to remember only a few of them. After you have changed your 5 passwords many times, 6 times in a year (see the requirement to change them every 2 months), you *may* have huge difficulties remembering what exactly was that funny or that strange phrase for that particular system. Pass phrases were good maybe in the 1970s, when one needed mostly a single password. Not nowadays. There is one exception: a pass phrase can still be good for a password manager. Put all passwords into a password manager. – mentallurg Jul 01 '18 at 14:21
  • 4
    Generally, I agree. In this case, the context of the question implies an "entry point" password - in this case, an AD password, or others such as the password for the password manager itself - which must remain memorized. – Royce Williams Jul 01 '18 at 14:45
  • 2
    Obligatory [xkcd link](https://xkcd.com/936/?) – Kai Jul 01 '18 at 16:44
  • Indeed! :) Though the word count, and the number of words, in that XKCD have subsequently been shown to be insufficient (assuming that the password storage may be using a naive (fast) hash). – Royce Williams Jul 01 '18 at 17:45
  • 1
    Funny thing... I have [made that](http://nonnymoose.gitlab.io/passgen/)! – Nonny Moose Jul 01 '18 at 19:25
  • 1
    It is really **astonishing** how many people in the year 2018 still blindly point to this idea illustrated XKCD. This idea was reasonable in 1970, when a user needed to remember a single password. It makes no sense any more since approx. 2000, when many public services appeared - many providers of free emails and other services. Do you know any one who can apply it in the real life? Many people have 20-30, many even around 100 accounts. They have to change passwords for some of these accounts every 60 or 90 days. And you point to XKCD. Come on guys :) It doesn't work without password manager. – mentallurg Jul 02 '18 at 01:09
  • Here on the **security** part of SO one would expect more serious opinions instead of just pointing to ideas that were fine 40 years ago and became **obsolete 20 years ago**. – mentallurg Jul 02 '18 at 01:16
  • 9
    No one is suggesting not to use a password manager. But that's not what the intent of the original question was. – Royce Williams Jul 02 '18 at 01:24
  • 4
    @mentallurg What a silly rant. No one said not to use a password manager. However, there will still be a password or two a user wants to remember (for me, the pw for my password manager, and my password for university so I can type it into the kiosks to print at the university printers). For those, using passphrases is a great idea. – Greg Schmit Jul 02 '18 at 02:26
  • @GregSchmit: That is exactly what I said i the very first comment to the post. Vote it up :) – mentallurg Jul 02 '18 at 03:22
  • New most used passphrase: *CallmeIshmael* – Xenos Jul 02 '18 at 07:41
  • @mentallurg That's a really good point -- I was replying to your last couple comments and actually didn't notice that you authored the first one. It is voted up. :) – Greg Schmit Jul 02 '18 at 15:48
  • 4
    @mentallurg Your complaint is misplaced, and your facts are wrong. There's nothing in that XKCD comic that states **do not use a password manager**. OSes from the 1970s generally had limited password lengths that made phrases impossible. Pass phrases were not outdated 20 years ago. Almost nobody even knew what they were. I was there. 40 years ago, they weren't even possible, because the password fields were not long enough to allow them. Your objection to not using a password manager has nothing to do with pass phrases. You're yelling at the dog because of what the cat did. – barbecue Jul 02 '18 at 16:47
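The passphrase scheme from the answer above, made concrete as an added example; this is not code from the answer or from the generators it links to. `SAMPLE_WORDS` is a constructed sixteen-word stand-in for the 20,000-word list the answer calls for, and the two attacker guess rates in `scheme_strength` (10^10 guesses per second for a fast unsalted hash, 10^4 for a deliberately slow password hash) are assumptions chosen to put numbers on the comment that the comic's four-of-2048 scheme is thin when the stored hash is fast.

```python
import math
import secrets
from typing import Dict, Sequence

# Constructed, deliberately tiny word list so that the block runs offline.
# A real generator needs a list of 20,000 or more distinct words, which is the
# size the entropy figures below assume.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "green", "president", "butter",
    "lantern", "quartz", "velvet", "marble", "copper", "harbor", "meadow",
    "cinder", "walrus",
]


def passphrase_entropy_bits(wordlist_size: int, word_count: int) -> float:
    """Entropy of a passphrase whose words are drawn uniformly and independently."""
    if wordlist_size < 2 or word_count < 1:
        raise ValueError("need at least two words to choose from and one word to pick")
    return word_count * math.log2(wordlist_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every passphrase of the given entropy at a given guess rate."""
    return 2.0 ** bits / guesses_per_second


def generate_passphrase(words: Sequence[str], word_count: int = 5, separator: str = " ") -> str:
    """Pick word_count words with a CSPRNG; random.choice would be a bug here."""
    if len(set(words)) != len(words):
        raise ValueError("duplicate words skew the distribution and lower the entropy")
    return separator.join(secrets.choice(words) for _ in range(word_count))


def scheme_strength(wordlist_size: int, word_count: int,
                    fast_hash_rate: float = 1e10, slow_hash_rate: float = 1e4) -> Dict[str, float]:
    """Compare a scheme against two assumed offline guess rates (attacker holds the
    hash database): a fast unsalted hash and a deliberately slow password hash."""
    bits = passphrase_entropy_bits(wordlist_size, word_count)
    return {
        "bits": bits,
        "fast_hash_years": seconds_to_exhaust(bits, fast_hash_rate) / (365 * 86400),
        "slow_hash_years": seconds_to_exhaust(bits, slow_hash_rate) / (365 * 86400),
    }


if __name__ == "__main__":
    print("example:", generate_passphrase(SAMPLE_WORDS))
    for name, size, count in (("xkcd, 4 of 2048", 2048, 4), ("5 of 20,000", 20000, 5)):
        s = scheme_strength(size, count)
        print(f"{name}: {s['bits']:.1f} bits, fast hash {s['fast_hash_years']:.4f} y, "
              f"slow hash {s['slow_hash_years']:.0f} y")
```

Four words from 2048 give 44 bits, which the assumed fast-hash attacker exhausts in about half an hour; five words from 20,000 give about 71 bits, roughly ten thousand years at the same rate. The duplicate check in `generate_passphrase` matters because a list with repeated entries makes some phrases more likely than the entropy formula assumes.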
11

Help everyone in your organization use a good password manager. (I should disclose that I work for the makers of a very fine password manager.)

Seriously, you have a password management problem, and using a password manager within your organization is the best shot at addressing it. This is what password managers are designed to deal with.

Addressing comments

There have been a number of excellent comments my rather off-hand answer. So it looks like I'm going to have to put in some real effort here.

There are two questions to discuss.

Forgetting the password manager password

A password manager does not eliminate the need to remember all passwords, but certainly does help. It wasn't entirely clear to me whether the original question was focused specifically on the workstation/AD/LDAP user password for the organization or other passwords as well.

One thing about using a password manager is that you typically need to type its password several times a day. So after a short while, people do learn it well.

And talking specifically of 1Password, we have things set up so that it is impossible for us to learn anyone's secrets, but it is possible for certain individuals within an organization to be empowered to perform recovery. See either our documentation for what this looks like to an administrator or our security white paper for the gory details of how that all works behind the scenes.

Workstation login

Of course you can't run your password manager on a system that you can't log into. But depending on your organization's policies, the password manager can also run on a user's phone.

I understand that there will be some objections to this, but consider that it is in the organization's interest that people's sign-on password not be something that they also use for the HTTP-only MyKittyPictures.org, which is built on a version of WordPress that hasn't been updated in a decade. So you do want your people to use a password manager at home as well as at work.

Again, 1Password (and some of our competition) allows ways of managing separate accounts, so that you don't find workplace secrets leaking into places you don't want it to. I didn't really want to turn this into a sales pitch, but there are ways to set things up that work for the security needs of various organizations.

With unique passwords, the need for forced rotation diminishes

(This is relevant because forced password rotation leads to people forgetting passwords or using crappy ones.)

Forced password rotations generally do more harm than good. Some of the "good" that they do is because people tend to reuse the same password on multiple services, and so once one gets compromised, everything using that same password is vulnerable.

Getting people to use a password manager helps move people away from password reuse.

With generated passwords, complexity rules aren't needed.

Password complexity rules may also do more harm than good, and they certainly lead to passwords that are hard to remember. 1Password nudges people toward very strong, but usable, master passwords.

Again, I'm not trying to turn this into a sales pitch. Look at what we offer (talk to us about your specific organization's needs), but look at others as well. We are the best, in my not so humble opinion, but my overall point is that many of your password problems can be addressed through the use of a password manager. And it will get your people engaging in more secure habits. A password manager enjoys the happy spot of both increasing security and making life easier for users.

Jeffrey Goldberg
  • 5
    The user would still need a password for the password manager, and the issue of repeatedly forgetting passwords, or passwords that can be successfully attacked are still issues, so "use a password manager" is not an answer to this question. – Greg Schmit Jul 02 '18 at 02:54
  • 2
    @GregSchmit Using a password manager is an excellent choice for the OP's question, probably the only reasonable one. The key reason for a password manager is IMHO that there is only ONE password left to memorize, which can be of more complexity then. – nulldev Jul 02 '18 at 06:22
  • 8
    @nulldev How do you open your password manager on a computer without opening the session first? – Tensibai Jul 02 '18 at 09:23
  • @nulldev But the whole point of the question is the problem of weak guessable passwords and forgetting them -- you can say "use password manager and do x, y, and z", but "use a password manager" is **not** a solution, since there is still **at least** one password that needs to be remembered. – Greg Schmit Jul 02 '18 at 15:44
  • 3
    Sorry for the DV, but you need to address Tensibai's comment or else your answer is useless for unlocking your company machine where presumably the pw manager resides. – TTT Jul 02 '18 at 21:12
  • @Tensibai In practice, I have 3 passwords in my life I remember, 2 login passwords for the workstations (one at work and one at home) plus the master password of the password manager of choice. These passwords seldom change. I can afford to remember 3 passwords, with the result of having unique, non-guessable passwords everywhere "for free". – nulldev Jul 03 '18 at 06:14
  • This does read like a sales pitch. We get it, password managers are awesome. No one is disputing that. However, you didn't explain how to make secure rememberable passwords in your addendum, you just elaborated on why password managers are great and do all things. An answer worth upvoting would clearly say that using a pass**phrase** rather than a pass**word** is how humans can achieve secure and rememberable passwords (which addresses the question of how to avoid problems of repeatedly forgotten passwords and insecure passwords). – Greg Schmit Jul 03 '18 at 16:31
  • "1Password nudges people toward very strong, but usable, master passwords." **In what way do you do that?** Do you encourage them to memorize strings of 16 cryptographically random characters? – Greg Schmit Jul 03 '18 at 16:35
  • @GregSchmit, when you first sign up for 1Password it will offer to generate a master password for you, and will generate (by default) a four word passphrase with words uniformly chosen from a list of about 18300 words. These are like Diceware, but use a much longer word list. It also has you practice it. – Jeffrey Goldberg Jul 10 '18 at 06:31
  • @JeffreyGoldberg That is a solid procedure! – Greg Schmit Jul 10 '18 at 20:00
9

... the real outcome of such policies/controls are not achieving the desired outcome.

Exactly. You have identified that well.

1. Review your password policy. Consider what exactly you are protecting and what the consequences would be if an attacker finds out a password. If a password only gives access to your parking slot, it is not so harmful; a pretty simple password will be sufficient. Depending on the consequences, the policy may be more serious; in some cases a password may be insufficient and you may need hardware solutions like smart cards or USB password managers.

2. Use a password manager. Users will then have to remember a single password only. For system login (Windows, Linux, ...) you obviously cannot use a password manager on this system, but you can use a PW manager on your smartphone (provided and configured by your company and compliant with your security policies).

3. Use 2-factor authentication. For instance, password plus SMS. Pro: passwords can be simpler. Contra: Users may complain, because they will be forced to permanently enter the code from the SMS into the login dialog. You can still make it simple if you use 1-factor authentication in your intranet or in your office and 2-factor for remote access only or when a user is logging in not from his PC.

4. Automate password resetting. Give your users the possibility to reset their passwords automatically, e.g. via email or SMS.

mentallurg
  • 2
    I'm pretty sure #2 probably doesn't apply in this case, since you can't access your pw manager until after you've unlocked your machine with the changing pw in question. – TTT Jul 02 '18 at 21:16
  • @TTT: What machine? Why do you think it is about system login only? – mentallurg Jul 02 '18 at 21:18
  • 2
    Every place I've ever worked (15+ companies) have windows machines on a domain. You have to unlock your workstation with your domain password before you can use it. So I have to memorize 2 passwords: my domain password which typically changes every 90 days, and my pw manager password. There's a very high probability that this question is about the enterprise password which is used to login to the workstation. – TTT Jul 02 '18 at 21:21
  • @TTT: Why are you talking about Windows login? The OP does not ask about login into a system. This is about **any** logins. Users need logins to a big number of applications. But even for system login a password manager can be used, if you use **smartphone** (provided and configured by your company and compliant with your security policies). – mentallurg Jul 02 '18 at 21:25
  • 2
    OP didn't mention it but it's implied because the question mentioned a helpdesk to reset your pw. That's not possible if we aren't talking about the enterprise level pw, which is also used to unlock your workstation. Yes, you can use a mobile pw manager app (I do this to store my short lived domain pw in case I forget it), but the pw still has to be easy to remember since I type it in 10 times a day, so I choose not to use the typical random 20 character or more pw. I think your smartphone statement would make a good edit to point #2, specifically for this probable case. – TTT Jul 02 '18 at 21:33
  • 1
    You should include best practices for passwords that you do have to remember, such as system login, password manager password, or other logins that the user might need to punch into a foreign system (in my case, my university login so I can print at kiosks in the university library). I'm not-so-subtly hinting at pass**phrases** rather than pass**words**, which I feel belong in any answer worth upvoting. :) – Greg Schmit Jul 02 '18 at 21:42
  • @TTT: *implied because ... helpdesk* - OK, understand. Yes, "helpdesk" can imply that. But I know several companies where users are *forced* to reset their password via helpdesk even for such simple applications like Confluence. Of course these companies have even stronger policies for system logins, databases, critical applications, where passwords again can only be reset via helpdesk. But I have no statistics regarding password resetting policies in such kind of companies and cannot prove that this is a common case :) – mentallurg Jul 02 '18 at 23:23
6

Most relevant points were made in other posts. I just want to highlight

  1. Letting users choose and keep a good password is in most situations the better security bargain than forcing them to change their password regularly.

  2. A simple calculation shows that elaborate complexity requirements can be traded for one or two more characters, i.e. instead of requiring the "usual" letters/digits/special chars and minimum length 8 just ask for 10 characters.

  3. Requirements like special characters actually weaken passwords, for next to no user picks a random such character at a random position - just have a look at the rockyou password list and watch the amount of passwords that end on "!" or ".". So, that's pretty predictable. In fact, the reasoning that complexity improves security (more precisely: entropy) is based on the assumption that users pick passwords like 1D>u&b8H or 6mp{:2tL instead of passwords like g0tch4!! or #1Hottie.

  4. If you want complexity, then do it the right way: ask for n out of m different characters (e.g. at least 8 out of 12 or more), and reject patterns like 123456 or qwerty etc. This is not perfect but it'll weed out the worst kind of junk right away.

  5. Even better, encourage your users to use passphrases.

  6. I've also seen password suggesters based on Randall Munroe's idea to pick four (or more) random words.

Finally, if security is really such a concern, then passwords might not be the right choice for authentication; 2FA or public-key-based authentication might be the (admittedly more expensive) adequate solution. However, if management insists on the policy as it is, then they simply have to live with the results.

countermode
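The "simple calculation" of point 2 and the "n out of m" rule of point 4, carried through as an added example (my code, not the answer's). `tradeoff_table` computes, for each simpler alphabet, the length a uniformly random password needs to match 8 characters drawn from all 95 printable ASCII characters; `check_policy` enforces at least 8 distinct characters in a password of at least 12 and rejects runs taken from counting or keyboard sequences such as 123456 and qwerty. The sequence list and the 12/8 defaults are my choices; the keyspace figures are for uniformly random choices, which, as point 3 says, real users do not make.

```python
import math
from typing import Dict, List

# Straight runs from counting sequences and keyboard rows; a run of four or more
# from any of these (or their reverse) is treated as a pattern.
SEQUENCES = ["0123456789", "abcdefghijklmnopqrstuvwxyz", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

ALPHABETS = {"lowercase": 26, "lowercase+digits": 36, "mixed case+digits": 62, "all printable": 95}


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Bits of a uniformly random password; real user choices fall well short of this."""
    return length * math.log2(alphabet_size)


def equivalent_length(alphabet_size: int, target_bits: float) -> int:
    """Shortest length over the alphabet that reaches target_bits (epsilon guards float rounding)."""
    return math.ceil(target_bits / math.log2(alphabet_size) - 1e-9)


def tradeoff_table(baseline_alphabet: int = 95, baseline_length: int = 8) -> Dict[str, int]:
    """Length each alphabet needs to match the baseline 'full complexity' keyspace."""
    target = keyspace_bits(baseline_alphabet, baseline_length)
    return {name: equivalent_length(size, target) for name, size in ALPHABETS.items()}


def distinct_characters(password: str) -> int:
    return len(set(password))


def contains_sequence(password: str, run: int = 4) -> bool:
    """True if any run-length slice of a known sequence (forward or reversed) occurs."""
    lowered = password.lower()
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):
            for i in range(len(s) - run + 1):
                if s[i:i + run] in lowered:
                    return True
    return False


def check_policy(password: str, min_length: int = 12, min_distinct: int = 8) -> List[str]:
    """The 'n out of m' rule: at least min_distinct different characters in a password
    of at least min_length, plus rejection of counting and keyboard patterns."""
    problems: List[str] = []
    if len(password) < min_length:
        problems.append(f"fewer than {min_length} characters")
    if distinct_characters(password) < min_distinct:
        problems.append(f"fewer than {min_distinct} distinct characters")
    if contains_sequence(password):
        problems.append("contains a keyboard or counting sequence")
    return problems


if __name__ == "__main__":
    for name, length in tradeoff_table().items():
        print(f"{name:>18}: {length} characters match 8 from all printable ASCII")
    for candidate in ("123456", "qwerty", "g0tch4!!", "green horse president butter"):
        print(f"{candidate!r}: {check_policy(candidate) or 'ok'}")
```

With mixed-case letters and digits, 9 characters already exceed the 52.6 bits of 8 "fully complex" ones; lowercase letters alone need 12. The pattern check is deliberately coarse (four-character runs), which is enough to weed out the junk the answer has in mind without rejecting ordinary words.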
4

In my company we have mainly 2 rules, company wide:

  • The store is either "in memory" or in a given password manager with a personal Master Password. (KeePass in this case)
  • Password complexity must be at least of a minimum length and meet 3 out of these:
    • Number character
    • "Special character"
    • Lowercase Letter
    • Uppercase Letter

New employees are acquainted with these rules and trained as necessary.

The key here is the enforcement and support of the password manager. In practice, this leads to random, long, and safely stored passwords.

The only exception may be if a customer explicitly requires different handling of passwords to THEIR systems, which must be approved by the manager of the project.

nulldev
  • 2
    Can you please elaborate what 'standard criteria' you are using if shareable in public. – Sayan Jul 01 '18 at 23:59
  • @Sayan See my edit. Nothing fancy though. The important part is the password manager. Since KeePass allows to link containers, we have "shared" password containers for common systems that groups of users use, and personal containers for each user. Seems very effective to me. – nulldev Jul 02 '18 at 06:19
2

I've given a couple of talks on this exact subject, so there's a lot of info in my head and I hope I can get it down to a few vital points:

  1. What are your actual threats? Most of the password complexity rules are ancient, misguided, and assume brute-forcing as the main threat. If you think a little bit about the topic, you will almost certainly come to the conclusion that it isn't. In 90% of settings, if brute-forcing is possible at all, your software is broken.

  2. Users will always interpret your password policy in the way that makes it most easy for them. This has the unintended consequence that an attacker who knows your password policy actually has a dramatically reduced search space. For example, if you require numbers, the vast majority of users will put them at the end, a minority at the beginning and almost nobody will mix them within the word the way your trivial complexity estimations assumed.

  3. Ditch the "special characters and numbers and upper and lower case" rules. They are utter nonsense. These rules actually make a number of attacks easier.

  4. Enforce long passwords. 8 characters absolute minimum, better 12. If the password is sufficiently long, it can be memorable, it can be a word or variation or mix-up of words. It is easy to create nonsense words in most languages. For example, "nonmost wordages" from that last sentence. These are reasonably easy to remember and reasonably fast to type correctly. (mixing parts of 4 or so words like that is my favorite variation on the famous xkcd answer to that topic, which is brilliant, but results in passwords that are too long for normal users to type - remember that most users can't touch type)

  5. Check passwords that people enter against a blacklist to ensure that "password" and anything on the top 100 or so list is not acceptable. Add a couple of your own (e.g. company name or company name + current year)

  6. Go back to your thoughts about threats and add to these generic hints some that are specific to your threats. For example if there is a reasonable threat that your password database could be stolen, you have the only scenario where brute-force is actually a thing, and you need to think about search space - after you made sure you are using good hashes, good salt and maybe pepper. Also, maybe making your database more secure is easier and more effective than trying to force people to do something that thousands of people have been trying to force them for decades, unsuccessfully? -- if, however, you identify shoulder surfing as a serious threat, you definitely do not want complexity in passwords, because 9[~K>'?+D*kg is a lot slower to type than "nonmost wordages", while they have the same complexity (on the order of 10^22).

If you need some data and research to convince others in your company, give me a shout.

Tom
  • 10,201
  • 19
  • 51
  • 1
    I would say without special characters, 12 is absolute minimum; you really should have big problem coming up with 16 characters of word salad. – Jan Hudec Jul 02 '18 at 21:53
  • 1
    @JanHudec why is 12 characters an absolute minimum? What is the threat you are defending against that requires more? Too many people in this area still think that complexity is absolutely required, without making even a superficial risk analysis. – Tom Jul 03 '18 at 06:09
  • Exactly! If the fastest realistic threat is "Someone sitting down at a workstation unnoticed trying random passwords by hand" - Even `password777` is safe enough to not be guessed in 3 tries. – Falco Jul 03 '18 at 07:33
  • @Tom, but you don't have any specific argument for the 8 either, do you? – Jan Hudec Jul 04 '18 at 21:11
  • 1
    @JanHudec no I don't and I would not mandate it without knowing the risks. For example, my home desktop machine has a 3 character password. You would need physical access to the machine first, at which point you are already in my house and access to my computer is not my main problem with that. My main threat is cats stepping accidentally on the keyboard and somehow logging in and then with further stepping create some damage (delete files or something). 3 characters is more than enough to make that reasonably unlikely. – Tom Jul 05 '18 at 08:35
1

What is annoying your users is the strict policy, which prevents many strong passwords while allowing weak ones

The password policy is strong with ‘Passwords shall have a minimum of 8 characters with a mix of alphanumeric and special characters and 60 days of expiry. No repeating passwords for consecutive 3 times’.

"Password-1" has one uppercase letter, is 10 characters long, and has a special character and you think it is secure. "green horse president butter" is not allowed, but much longer and harder to guess or brute-force.

Password expiry is another thing which modern password guidelines recommend against. Make me choose another password by your rules and I choose "Password-2".

Personally I would solve this by requiring a long password. If you need to have at least 20 characters, "Password-123" won't work and you start getting creative. Or start using a password manager. Simple brute-force has no chance with such long passwords and you have a good chance that even a not so good password cannot be easily composed from a wordlist.

allo
  • 3,315
  • 11
  • 24
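As an added example (not code from any answer on this page), the following Python sketch puts allo's observation and Tom's points 3 to 6 side by side: the question's composition policy accepts "Password-1" and rejects "green horse president butter", while a length-plus-blocklist policy does the opposite, and a naive search-space estimate shows why length is what matters. The company name, year and block list entries are constructed placeholders, and "letters, digits and a special character" is my reading of the question's "mix of alphanumeric and special characters".

```python
import math
import re

# Constructed sample block list (not a real top-100 list): a handful of
# common passwords plus the organisation's own entries, as Tom's point 5
# suggests. "ExampleCorp" and 2018 are placeholders, not from the page.
COMPANY_NAME = "ExampleCorp"
CURRENT_YEAR = 2018
BLOCKLIST = {"password", "password1", "password123", "123456", "qwerty",
             "letmein", "welcome", COMPANY_NAME,
             f"{COMPANY_NAME}{CURRENT_YEAR}"}


def _normalize(pw: str) -> str:
    # Compare case-insensitively and ignore separators, so "Password-1"
    # and "password1" hit the same block-list entry.
    return re.sub(r"[^a-z0-9]", "", pw.lower())


NORMALIZED_BLOCKLIST = {_normalize(p) for p in BLOCKLIST}


def old_policy_accepts(pw: str) -> bool:
    """The question's rule: at least 8 characters with letters, digits
    and at least one special character (composition rules only)."""
    return (len(pw) >= 8
            and re.search(r"[A-Za-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def new_policy_accepts(pw: str, min_length: int = 12) -> bool:
    """Length plus block list, no composition rules (Tom's points 3-5;
    allo would set min_length to 20)."""
    if len(pw) < min_length:
        return False
    return _normalize(pw) not in NORMALIZED_BLOCKLIST


def search_space_log10(pw: str) -> float:
    """log10 of the naive brute-force search space (Tom's point 6):
    alphabet ** length, where the alphabet is the union of the character
    classes the password actually uses (assumed sizes below)."""
    classes = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10),
               (r" ", 1), (r"[^A-Za-z0-9 ]", 32)]
    alphabet = sum(n for pat, n in classes if re.search(pat, pw))
    return len(pw) * math.log10(alphabet)


if __name__ == "__main__":
    for pw in ["Password-1", "green horse president butter",
               "nonmost wordages", "9[~K>'?+D*kg"]:
        print(f"{pw!r:32} old={old_policy_accepts(pw)!s:5} "
              f"new={new_policy_accepts(pw)!s:5} "
              f"space~10^{search_space_log10(pw):.0f}")
```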
0

My master's thesis was on Information Security and how humans are the weakest link. I feel your pain here because the second you make the password rules too difficult, users will write their password down on a sticky note and attach it to their computer.

My company has several additional rules to help keep up complexity:

  1. 70% of your passphrase must be different: this keeps people from password1, then password2, then password3
  2. Your password cannot contain any dictionary words: this forces people to use leet spelling and similar workarounds
  3. Your password cannot be a common passphrase: this allows you to sample your system's passphrases and prevent more than one person from using the same password.

Since passwords are only slightly better than the illusion of security, maybe the better idea is to add a different type of authentication.

There are three types of authentication:

  1. Something you know (like a passcode or passphrase)
  2. Something you have (like a token or access card)
  3. Something you are (like fingerprints or other biometrics)

When passwords are used in conjunction with 2 and 3, then the complexity of the passcode doesn't matter as much and is often reduced to a pin number.

Unfortunately, the only way for the system to enforce truly random passwords is for the system to generate them for a user… but then you can nearly guarantee that they will be written down.

Patrick Mevzek
  • 1,768
  • 2
  • 11
  • 23
  • 1
    Not to be critical of your thesis, but that statement that humans are the weakest link, or that users are lusers, etc. - that always tickles me. Humans are the reason we do security at all. They are what we ultimately protect. To design **with their human nature and its limitations in mind** is our challenge, the same way that engineers would have it so much easier to build a safe car, plane, elevator, whatever if only humans weren't so squishy. – Tom Jul 02 '18 at 21:06
  • @Tom... you have guessed what the thesis was actually working toward - a way to take into consideration human desires for an easy to use system while at the same time forcing the security into the same system. That is why systems other than passwords are much more user-friendly than forcing a complex password upon people who will often write it down if it is too complex. This is why systems like tokens are much better, since the token is memorizing all of the complex passwords for you. – Jeff Elliott Jul 03 '18 at 15:19
  • I wonder what happened to HAISA (Human Aspects in Information Security something). I visited one of their conferences and they seemed to be on the right track in many things. – Tom Jul 03 '18 at 18:28
0

Philosophically speaking, there are two main forces, to which people tend to adhere to differently. The first category is freedom: Conviction over coercion, choice over obligation, moral over enforcement. The second category is power, which is the reverse of freedom. These fundamental differences can be seen best in politics as of issues of pro-state movements (socialism, nationalism) vs pro-freedom movements (libertarianism).

Now, history has clearly shown that using violence, coercion and control yielded worse results in every aspect, with communism and fascism being at its pinnacle of manifestation. On the other hand, capitalism (which we currently have ~50% of), may have caused wealth inequality, but in a positive way, which caused everybody to become wealthier (by raising living standards), and those who provide the most value to become incredibly wealthy. Meaning: Even the poor(est) benefit from that. Whereas if you force total wealth equality, everybody becomes poor and many people may starve (but not those who caused that of course).

So, to get back to this topic: Whenever you have a positive goal (better password protection) and try to mess with the freedom of people by force (forcing certain password rules), you can witness a decline in your goals - up to the point of reaching the opposite.

I think one feasible way would be to advocate better password protection and warn them about the fragility of their passwords. Maybe show them an estimated duration needed to crack it. Tell them to use multiple words (which seems to be the best method). But if they want a password which can be cracked in 2 seconds, it's their choice.

Providing information (and warnings) is in my opinion way better than simply forcing passwords rules. Because that's what will happen, as you described, people will get annoyed and will try to find the easiest way to resolve the problem. Forcing 9 letters will yield many 9 letter passwords, but telling them that a given password can be cracked in 2 seconds may motivate them to use something better than the minimum you'd otherwise force them to have, especially if it's about something of high importance.

Plus a lot of special rules (which often do not even make much sense, like 1+ capital letter and 1+ special symbol) make passwords much harder to remember, if theirs didn't have that already. So it's not only the "stupidity" of users which is the issue, but the attempt of control by "force."

Battle
  • 101
  • 1