Monday, 10 September 2012

Why most passwords policies suck

There are two problems with most passwords policies.
Firstly, some policies are non-existent. This is bad because people use passwords such as "password" or "123456" which are cracked in microseconds, especially if the hacker has access to a long list of passwords and can deduce by statistics what many of the common passwords are.
The second problem, ironically is having a passwords policy that is too strict, you know the sort, "your password must be between 9 and 9.5 characters long including letters, numbers, mixed case, punctuation, arabic and klingon characters". It is bad because it has the smell of security but counter-intuitively is not very secure. Why? Well, most people, I would guess, write down any passwords that are this complex because they can't remember what they typed. Also, just because you require people to use certain characters does not usually enforce how those characters are used. Why is this a problem? Well most of us techies think quite linearly and mathematically. We think an 8 digit password using one of, say, 62 characters gives 2.2e+14 combinations, which if brute forced would therefore take an average of half this number of tries 1.1e+14 which would take a long time (most of us admittedly have no idea how long this would actually take). An article I read recently: http://arstechnica.com/security/2012/08/passwords-under-assault/ says that some cracking systems can process over 6 billion (yes billion) combinations per second meaning a mere five hours is all it takes on average to crack an eight digit password. Actually, it's worse than this because hackers are not standing still and relying on brute force only, they have started to ask how people form passwords and then optimizing their brute force engines accordingly. For instance, I would imagine that most people who are not really educated in these things would say that brute forcing a password would mean starting at aaaaaaaa and then trying aaaaaaab etc until you have got up to ÿÿÿÿÿÿÿÿ but actually this is not necessary. Why? Because although some people might use aaaaaaaa as a password, they are unlikely to use aaacccbb but more likely to use combinations like Mike1963 or @Hello28 Analysis shows that 2 and 4 digit numbers are the norm and most words have a capitalized first letter because it's easier to type. They also suggest that if people use punctuation, it is usually the first or last digit and it is either 1 or 2 characters long - again this makes sense since to most people the punctuation is not part of the word they are thinking of so it has to go before or after.
If you are going to enforce a policy, the best direction to go is definitely password length. Adding another digit to make a 9 digit password increases the number of combinations from 2.2e+14 to 1.4e+16, another 62 times longer in our example. The 5 hours becomes 310 which is already starting to perhaps not be worth it. 10 digits and it becomes 800 days! Personally, if you are going to use passwords then I would recommend that people write long sentences that mean something to them like IWentToTheShopsWithBillyAndHeWantedANewDog which is unlikely to be cracked by brute force and if you try and use a couple of numbers instead of letters etc then I would be much happier with this. The other issue is ALWAYS use variable salt when you hash passwords and NEVER store then in plain text. Even if you encrypt them (which is generally frowned upon), still use variable salt so that if your data is stolen then the hacker has no statistics to work with like which passwords are most common.
You could also look at PixelPin.co.uk, a startup who use pictures instead of passwords. This avoids the usual pitfalls of writing passwords down, massively increases the difficulty of phishing and because the ultimate data is not a password in the normal sense, it cannot be dictionary attacked.
Post a Comment