Security Awareness Blog

Passwords - The Good, The Bad and The Ugly

Today I would like to discuss one of the most commonly misunderstood issues in security awareness and education, passwords. I believe that protecting your passwords are important, especially now as we move to cloud computing and just about everything you do online requires a password. However, what we are teaching people about passwords is outdated. How people use passwords, and how threats attack them have radically changed in the past ten years. Unfortunately, what we are teaching people has not kept up and I'm hoping we can start changing that. In addition this post is in part motivated by the excellent paper The Rational Rejection of Security Advice by Users by Cormac Herley which I will be referencing. Before we begin, two key points.

  • Unlike Cormac's paper, I am not focusing on the home user. Instead, I'm focusing on password awareness for organizations. Oragnizations have FAR MORE to lose if/when a password is compromised. Unlike individuals, organizations have to cover the costs if their bank account is compromised. Unlike individuals, organizations can be fined if they are not compliant. Finally, passwords are the keys to organizations' intellectual property, which in many cases can make or break an organization.
  • When discussing threats, I categorize them into two general categories. Threats that randomly target everyone (typical cyber criminal) and threats that focus on a specific target (such as APT). This distinction becomes very important when discussing passwords

In Cormac's paper he raises seven common issues in the education of password use. I'm not going to review what Cormac discusses, as you can read his paper. Instead, I'll share my thoughts on the seven points.

  1. Password Length.
  2. Password composition (digits, special characters, etc)
  3. Dictionary
  4. Don't write it down.
  5. Don't share it with anyone.
  6. Change it often.
  7. Don't re-use passwords across sites.

Points 1-3: These points are old school, these are from the days when threats would brute force websites or attempt to crack stolen password hashes. Ten years ago password complexity was important, nowadays not so much. Think about it. For threats randomly targeting anyone, how do they get passwords? As always threats go for the path of least resistance, which now a days means malware. Millions of computers are infected with viruses such as Zeus which capture keystrokes and log passwords. As a result, making sure your computer does not get infected is how you protect your passwords, not complexity. If you are dealing with advanced threats, such as recently happened with Apache, once again password complexity is not going to help you. If the threat is motivated enough to target you, and has the skills and knowledge to steal your password hashes, then complexity is not going to buy you much. Five years ago it would have taken a long time to crack your passwords. Now a days with rainbow tables, advanced processing power, and distributed computing (i.e. botnet) your password is not going to last. Yes, if you have fifteen plus random characters in your password you may delay the inevitable, but come on, if what you are protecting is that valuable then you need to rethink your authentication mechanism (such as two factor). So how long or how complex should you or your organization's password be? I leave that up to you, that is a risk decision only you can make. There are still some simple brute force attacks happening (SSH, Conficker attacks over network file shares, etc) so some complexity is required. However my suggestion is don't make a huge deal out of it, the threats have changed and you can get far greater Return On Investment (ROI) focusing on other areas.

Point 4: Do not write your passwords down. WTF? I just counted my passwords (which I have written down by the way), I have 80+ accounts with passwords. How can I possibly remember them all? I can't, I check my password list at least several times a week. Do I stick them on monitor? No. I have the locked up in a secure cabinet. Don't like writing your passwords down on paper, then use encryption programs designed for securely storing passwords (iPhone has lots of options).

Point 5: Don't share your passwords. Okay, for individual home users this may not be such a big issue (as Cormac points out in his paper). For organizations, password sharing is a BIG deal. Passwords control who has access to what. When your organization has different types of confidential information, by sharing passwords employees could accidently (or purposely) bypass data control measures. In addition, passwords are how organizations track who did what. Everyone must have a unique identity. If employees are sharing passwords, you just lost your ability to track what is happening in your organization.

Point 6: Change your passwords often. Once again, not a big fan of it. Think about the threat models again. If your computer is infected, your compromised password will be leveraged within hours, in some cases even in real time. If you are dealing with advanced threats your passwords will most likely be cracked before the time limit. As a result, nowadays changing passwords every ninety days mitigates little risk and yet has a high cost to your users.

Point 7: Don't reuse passwords across sites. For this one I do agree on. I don't use a different password for every single account. Instead I make sure my 'low valued accounts' don't have the same passwords as my highly private accounts. In other words I don't use the same password for Twitter or Flickr as I do for my online banking or confidential work activities.

In addition, I would like to add two additional rules organizations should include with password awareness. Five years ago these issues were not a common problem, now a days there are. Once again, we have to adapt and change as our environments do.

Public Computers: Don't use public computers to log into work or confidential accounts. In other words, don't login from a cyber cafe or a hotel lobby computer to do your online banking. Remember malware such as Zeus? Odds are one of those public computers may be infected and your passwords are now owned.

Private Questions: I HATE this. Many online services don't like paying for a help desk that resets people's passwords. So many online services (i.e. cloud computing) have people answer personal questions. If you forgot your password, the idea is you do not call the help desk, you just answer your personal questions. In reality what has now happened is people have twice as many passwords to remember. In addition, users often don't realize this and often put these very answers (their personal information) online, so it can be found on Google, Facebook, etc (can you say Sarah Palin?). We need to teach people to be careful that when they answer these questions, these are nothing more then another layer of passwords.

Long story short, protecting your passwords are important, especially for organizations. However, what we are teaching people is outdated. Threats that randomly target people seldom crack passwords, instead they infect your computer and log your keystrokes. Threats that target specific organizations (such as Apache) have advanced capabilities that can crack complex passwords. Some complexity is important to protect against the more basic attacks (SSH brute force, Conficker file shares, etc) but more important now is how passwords are used. Finally, while passwords are important I strongly feel other topics can give you even more ROI, such as the basics of securing your system and an understanding of common social engineering attacks.

4 Comments

Posted April 19, 2010 at 8:09 AM | Permalink | Reply

Eric Peterson

Thanks for the common sense tips, I hope this gets widely read. The complexity rules that many people willingly put up with remind me of Linus's (the peanuts character) security blanket. It feels nice and might keep you warm on a chilly morning but will be worse than useless if you, for example, take with you swimming.
I too have the passwords (and user id's) on paper in a small notebook that I carry with me. I keep both of them trivially coded so a random Joe can't just find it and start accessing my personal accounts. However, there are a few work-related passwords that never get written down.
I also hate private questions for one extra reason: I have no favorite actors, TV shows (no TV), etc. so my answer to all of those questions is a single easily guessable word written in an angry rather than rational moment. But another technique I have used is to answer them with random text then write that into the little book. Just don't lose the book!

Posted April 19, 2010 at 10:40 AM | Permalink | Reply

T W

Great post and thanks for taking the time to write it up. Hopefully it will spark a great discussion.
Some interesting points here and I broadly agree with you, but think the most important part of it is the threat analysis and risk assessment.
You raise the point about threat modeling but I dont think you take it far enough.
My commentary:
Points 1 ''" 3 are still valid if, as a legitimate attack vector, there is a risk an attacker can gain access to your password hash file and use it to attack your system. That they are outmoded in some threat scenarios doesnt mean they are useless. Two / three factor is great but it adds a key management burden (issuing and accounting for smart cards for example) which may be unneccessary. For some systems simply using a longer password will set the bar high enough that the expected attacker wont bother.
Point 4 ''" I agree. Writing passwords down is not an inherently incorrect action. If your threat model is to defend against attackers from overseas hacking in to your database, what does it matter if the password is on a post it note next to the screen? However, if your threat is some one social engineering their way into a terminal, it becomes a bad idea (but weaker passwords become worthwhile).
Point 5 ''" totally agree. I can think of few, if any, scenarios where sharing passwords is a good thing. From a business point of view it should be prevented simply because it prevents anayone from ever auditing the system properly.
Point 6 ''" I am a fan of changing your passwords if the threat model requires it. If you have complex passwords, change them often because that is the effect of your most likely threat (some one getting the hash and trying to crack it).
As a worked example, a password of 9 characters (A-Z,a-z,0-9) will take about 32 days to be broken [source http://www.lockdown.co.uk/?pg=combi. If you change your password every 30 days it wont matter if an attacker has the hash, by the time its cracked there is a new password in place. (Obviously this is not perfect and dependent on other things but the principle is the important bit).
Alternatively, if your threat assessment is that someone will try to brute force a web interface its a different issue ''" simply lock them out every 3 failed tries (for 30 mins) and even a short, simple, password is "secure enough."
Point 7 ''" I agree totally. This is the issue people forget the most, You can have different "strengths" of passwords for different applications protecting different levels of sensitivity.
It all boils down to the risk analysis. Identify what it is you are protecting, identify what threats it faces, determine the risks and mitigate them.
Passwords are all part of the overall picture.

Posted April 19, 2010 at 1:05 PM | Permalink | Reply

Cormac Herley

Great discussion.I completely agree that there's a huge difference between consumers and enterprise spaces. The cost modelling I did doesn't apply to the case where it's your employer's and not your own resources you are risking.
More generally, i think how we choose and treat and password depends enormously on what it protects. Someone getting your work password is probably orders of magnitude more serious than your hotmail for most of us.
There's just an enormous dfference between the online and offline attack cases. A lot of our thinking on strength seems to worry about the case where the attacker has the hashed password. Some of the largest sites on the web seem to have worked very hard to make sure the hashes don't leak. That is, they
allow relatively sane password stregnth policies.
I really like the focus on ROI. We have to give the advice that reduces harm most, not the advice that's easiest to give.

Posted May 11, 2010 at 4:11 AM | Permalink | Reply

Serge Moreno

I think it's a fact of live that passwords are a rather weak security control. This needs to be improved by different extra controls. The real good controls to improve is explaining people the risks and methods to avoid loosing passwords, but do it like mentioned in the article in a modern fashion, not a stubbern old fashioned way.
There are much more reasons for avoiding enforcement of regular changing passwords: People tend to use algoritms for a regular chaning password. The worst pasword, but passing many (almost acontrols) is Month/year (easy to remember, changed every month, has capital letters a special character and numbers.. So once you have one password, or 2, the attacker will in most cases understand the algoritm and the password is cracked forever.
Due to the regular change of passwords, systems have been developed for to self-service. Mostly a stupid question and a stupid answer linked to it, which undermines totally the pasword protection. A password is something you know, does not have to have a relationship with the system, you can change it (on your own pace ''" not enforced) Suddenly the weakest link becomes the question and answer, without any protection whatsoever. Even worse, password files are regularly well encrypted in protected database, but those questions and answers are not always well protected.
Finally as password aging is different for every system you use, it becomes almost impossible to adhere to one of the best rules mentioned: point 7 have different passwords based on the importance of the data behind it and in relation to the trust you have in the organisation storing your password.
Look also at your ROI of the helpdesk due to password ageing.
Note I'm always in for a good discussion on the topic, as I fight password ageing for about 10 years now. See also the gartner report of april 2006 (I think).