password policies
We now know about password cracking. So we can make some statements about the strength of a certain password stored in a certain way.
Is this information sufficient for our organization? What more do we need to know?
“If our adversaries get sufficient access to our password storage, then what are the chances that they also get access to whatever we have secured with them at this moment?”
1. “What are the chances”
2. “Sufficient access to storage”
3. “Whatever we have secured with them”
4. “At this moment”
Consider this: passwords are means to an end.
Password policy dimensions
Diagram: password storage, secured data and services, login, recovery, phishing, password interaction, password strength, password coverage, hacking.
Password policy dimensions
Password strength: What is the password and how is it stored?
Password coverage: To what extent do we rely on this password?
Password lifetime: For how long do we rely on this password?
Password interaction: What kinds of interaction with our password storage exist?
Forces
For each dimension, there is a trade-off between security and usability.
We’re not concerned about usability because we’re nice people, but because bad usability results in adverse effects on our organization.
First: the world of well-behaved users
Then: the world of low usability
Dimension 1: password strength
The actual passwords can be influenced by enforcing a password generation strategy.
The goal is to influence entropy (given the strategy) and usability.
Strategy                 Ensured entropy    Usability
No constraints           Low                High
Complexity constraints   Higher             Lower
Passphrase               Generally lower    Higher
Randomly generated       Super high         Super low
Diceware                 High               High
Inkblots                 ???                High
Inkblots: a small research project by Adam Stubblefield @ Microsoft Research, 2004
A small test on 25 people:
• 20 people remembered the password the day after
• 18 people remembered the password a week later
• those who forgot, forgot just one picture / two characters
The entropy wasn’t thoroughly investigated, but only reasoned about.
Dimension 2: password coverage
Boils down to: how many and what services do we protect with each password?
What services: this can simply be chosen by the policy designer.
How many services:
Unique password per service: high security, low usability
Single sign-on: low security, high usability
Dimension 3: password interaction
In what ways is it possible to interact with our password storage?
Diagram: a login interface and a reset interface in front of the password storage, with reset access, normal access, hack access and phishing access.
Dimension 4: password lifetime
Boils down to: for how long is a password valid?
But also: password history.
The world of low usability
Diagram: well-behaved user versus rebel user under low usability.
What do rebel users do?
REBEL USER
1. Try to lower the password entropy
2. Introduce new password storages
3. Call the help desk. A lot.
“Adam Roderick, director of IT services at Aspenware, tells Ars that he frequently hears from client companies that a quarter to a third of all help-desk requests are the result of forgotten passwords or locked accounts.”
Dimension 1: password strength
Complexity requirements: minimum complexity becomes actual complexity.
Users start using very common passwords, such as ‘123456’.
Dimension 2: password coverage
• Users employ predictable patterns: commonpswd + servicename
Dimension 4: password lifetime
REACTION: users immediately reset the password to an earlier password.
ACTION: enable password history: last x passwords can’t be used.
REACTION: users immediately reset the password x times and then to the earlier password.
ACTION: also enforce minimum password age.
REACTION: users now have issues when they actually need a reset.
ACTION: remove minimum password age, set x to infinity.
REACTION: passwords get written down, get saved in a file, or users start using password managers.
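The action/reaction loop above, modelled as added example code (not from the slides): a hypothetical PasswordPolicy that enforces the last-x history and a minimum password age, plus a simulated rebel user who resets x times to get back to the old password. Class, function and parameter names are assumptions.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed model of the action/reaction loop on the slides. The class and
# parameter names are hypothetical, not taken from any real product.

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, so the history holds no plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class PasswordPolicy:
    def __init__(self, history_size: Optional[int], min_age: timedelta):
        self.history_size = history_size      # x (>= 1); None means "set x to infinity"
        self.min_age = min_age                # minimum time between two changes
        self.salt = os.urandom(16)
        self.history: List[bytes] = []        # hashes of past passwords, newest last
        self.last_change: Optional[datetime] = None

    def change_password(self, new_password: str, now: datetime) -> str:
        """Return 'ok' or the reason the change was rejected."""
        if self.last_change is not None and now - self.last_change < self.min_age:
            return "rejected: minimum password age not reached"
        digest = hash_password(new_password, self.salt)
        if any(hmac.compare_digest(digest, old) for old in self.history):
            return "rejected: password found in history"
        self.history.append(digest)
        if self.history_size is not None:     # keep only the last x hashes
            self.history = self.history[-self.history_size:]
        self.last_change = now
        return "ok"

def simulate_rebel_user(history_size: Optional[int], min_age_days: float, rotations: int):
    """A user sets a password, burns through `rotations` throwaway passwords a
    minute apart, then tries to return to the original one.
    Returns (first result, list of rotation results, result of going back)."""
    policy = PasswordPolicy(history_size, timedelta(days=min_age_days))
    t0 = datetime(2024, 1, 1)                 # constructed timestamp
    first = policy.change_password("Winter2024!", t0)
    rotated = [policy.change_password(f"throwaway{i}", t0 + timedelta(minutes=i))
               for i in range(1, rotations + 1)]
    back = policy.change_password("Winter2024!", t0 + timedelta(minutes=rotations + 1))
    return first, rotated, back

if __name__ == "__main__":
    print(simulate_rebel_user(3, 0, 3))   # history of 3, no minimum age: old password is back
    print(simulate_rebel_user(3, 1, 3))   # one-day minimum age: rapid resets are rejected
```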
Dimension 3: password interaction
Diagram: new password storages appear (a post-it in the office, a password manager), adding hacker access and intruder access.
Conclusions
When considering passwords, do not only consider the passwords themselves, but also how they are accessed, what they are used for and for how long they are used.
In all of these dimensions, there will be a trade-off between security and usability.
Low usability may backfire. Your users will deviate from your policy in unpredictable ways, rendering it useless.