Six tips for better password policies

The password policy on most systems that I use is pretty straightforward. And it goes something like this:

  • 8–12 characters
  • Alphanumeric, with at least one letter, one number, and one special character.

I recently got thinking on this — I vaguely remember encountering the same password policies way back in the 1990’s, when I was first encountering computers… which meant one of the following:

  • The password policies of yesteryear were highly over-engineered
  • The password policies of today are broken

I am not the most paranoid of personalities, but even I would lean towards the latter. Password policies like these make some flawed assumptions about both user and hacker behavior. We usually make it hard for users to secure their accounts because…

Users Have a Hard Time Remembering Random Character Strings

And yet, that is what we expect them to do! Users have a limited memory at best, and when it comes to numbers and special characters, it gets much harder for them. So their model is usually to pick up some common word and add some simple number sequences or memorable special characters (like hash or asterisk). Here’s the thing: While we all tell our users to use passwords that are easy to remember but hard to guess, we actually make things harder for them to remember. But to some extent that doesn’t matter, because…

Hackers don’t bother guessing passwords any more

Yes, you read that right. Once upon a time, hackers would spend time guessing passwords and undertaking social engineering, but not anymore — that world died out in the noughties. Now hackers simply go for dictionary attacks — they know that we have 26 lowercase, 26 uppercase, 10 numerals, and around 30 special characters, so it is simply a matter of trying over and over again until the right combination is found. And while they can optimize the algorithm to make it quick, they don’t even really need to — an eight-character password will inevitably be broken within 2–3 days.

So what kind of policies should we have for passwords? Here are some tips:

Longer passwords are better

In dictionary attacks, a nine-character password is twice as hard to crack as an eight-character one. And a 10-character password is twice as hard as a nine-character one. Each character added makes cracking twice as hard. So push for long passwords — yes, in passwords, size does matter.

But what about the poor user? Don’t they have a problem with long passwords? No! Because…

Users have a problem with complex passwords, not long passwords

Don’t bother about mandating combinations of letters, numbers, and special characters — just aim to make the passwords as long as possible. Remember again that, from a dictionary attack perspective, it is the length that matters, not the complexity. So aim for the password length being a minimum of 14 characters and going up to 30 or more.
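To put numbers on the two points above (length versus complexity), here is an added example that is not part of the original post. It computes the size of the search space an exhaustive guessing attack must cover for a password of a given length drawn from the character classes the post lists (26 lowercase, 26 uppercase, 10 numerals, about 30 special characters), and contrasts an 8-character all-class policy with longer lowercase-only ones. The guess rate used in `compare_policies` is a constructed figure for illustration, not a measurement.

```python
import math

# Character-class sizes as the post counts them.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 30}


def alphabet_size(classes):
    """Size of the alphabet a password is drawn from, given the classes it may use."""
    return sum(CLASS_SIZES[c] for c in classes)


def keyspace(length, classes):
    """Number of distinct passwords of exactly `length` characters over `classes`.

    Each extra character multiplies the search space by the alphabet size,
    so length is an exponent while complexity only changes the base.
    """
    return alphabet_size(classes) ** length


def entropy_bits(length, classes):
    """Search-space size expressed in bits (log2 of the keyspace)."""
    return length * math.log2(alphabet_size(classes))


def worst_case_seconds(length, classes, guesses_per_second):
    """Time an exhaustive search needs to try every password of this shape."""
    return keyspace(length, classes) / guesses_per_second


def compare_policies(guesses_per_second=1e10):
    """Return (label, bits, years) rows for the policies the post contrasts.

    guesses_per_second is a constructed illustrative rate, not a benchmark.
    """
    policies = [
        ("8 chars, all four classes", 8, ("lower", "upper", "digit", "special")),
        ("14 lowercase letters", 14, ("lower",)),
        ("20 lowercase letters", 20, ("lower",)),
        ("30 lowercase letters", 30, ("lower",)),
    ]
    seconds_per_year = 365.25 * 24 * 3600
    return [
        (label,
         round(entropy_bits(n, cls), 1),
         worst_case_seconds(n, cls, guesses_per_second) / seconds_per_year)
        for label, n, cls in policies
    ]


if __name__ == "__main__":
    for label, bits, years in compare_policies():
        print(f"{label:28s} {bits:6.1f} bits  ~{years:.3g} years to exhaust")
```

The figures assume every character is chosen uniformly at random. A dictionary word padded with a digit and an asterisk occupies a far smaller search space than its character count suggests, which is exactly the gap between "long" and "memorable but guessable" that the post is getting at.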

One caveat — please don’t try to straddle both boats — making passwords longer while mandating the number and special character conditions will ensure that you are just making things more difficult for your users without gaining any real safety.

But there are some more things that you can do that makes your password systems a whole lot better. You can…

Set up password authentication delays

You know how it works — someone enters the wrong password and the system delays the response. You can also use a model that forces longer and longer delays between attempts. This forces dictionary attacks to slow down — the algorithm is no longer able to make thousands of attempts per second. Instead, it now has to wait before the system allows the login screen to appear.

And to make it better, you can…

Enforce password change policies

So that every few days the users have to change passwords. Combine this with password authentication delays and you will actually be foiling hackers pretty well.

But why stop there? You could also…

Block IP addresses

You need to block:

  • Open proxies on the Internet — the list may not necessarily be complete, but it should be as comprehensive as possible.
  • All IP addresses that were used repeatedly with wrong passwords — this list must be dynamic.

With this, it becomes even harder for a hacker to attempt a brute-force dictionary attack.
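The two mechanisms above (escalating authentication delays and dynamic IP blocking) share the same bookkeeping, so here is one added example covering both. It is not code from the original post; `LoginThrottle` is a hypothetical helper written for this article, kept in memory for clarity, and the `now` parameter exists so the behaviour can be exercised without waiting. The addresses and thresholds are constructed sample values.

```python
import time
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class LoginThrottle:
    """Per-account exponential delays plus a static and a dynamic IP blocklist.

    A real deployment would keep this state in a shared store so every
    login front end sees the same counters.
    """
    base_delay: float = 1.0          # seconds of delay after the first failure
    max_delay: float = 300.0         # cap so a legitimate user is never locked out forever
    ip_block_threshold: int = 20     # failures from one IP before it is blocked
    ip_block_seconds: float = 3600.0
    static_blocklist: set = field(default_factory=set)   # e.g. a curated open-proxy list
    _account_failures: dict = field(default_factory=lambda: defaultdict(int))
    _account_next_allowed: dict = field(default_factory=dict)
    _ip_failures: dict = field(default_factory=lambda: defaultdict(int))
    _ip_blocked_until: dict = field(default_factory=dict)

    def check(self, username, ip, now=None):
        """Decide, before the password is even looked at, whether this attempt may proceed.

        Returns (allowed, reason, seconds_to_wait).
        """
        now = time.time() if now is None else now
        if ip in self.static_blocklist:
            return False, "ip-static-block", 0.0
        blocked_until = self._ip_blocked_until.get(ip, 0.0)
        if blocked_until > now:
            return False, "ip-dynamic-block", blocked_until - now
        next_allowed = self._account_next_allowed.get(username, 0.0)
        if next_allowed > now:
            return False, "account-delay", next_allowed - now
        return True, "ok", 0.0

    def record_failure(self, username, ip, now=None):
        """Register a wrong password; returns the delay now imposed on the account."""
        now = time.time() if now is None else now
        self._account_failures[username] += 1
        n = self._account_failures[username]
        delay = min(self.base_delay * 2 ** (n - 1), self.max_delay)   # 1s, 2s, 4s, ... capped
        self._account_next_allowed[username] = now + delay
        self._ip_failures[ip] += 1
        if self._ip_failures[ip] >= self.ip_block_threshold:
            # Dynamic block: the IP goes on the list for a while, whatever account it tries.
            self._ip_blocked_until[ip] = now + self.ip_block_seconds
        return delay

    def record_success(self, username):
        """A correct password clears the account's failure history."""
        self._account_failures.pop(username, None)
        self._account_next_allowed.pop(username, None)


if __name__ == "__main__":
    # Constructed walk-through: one source address hammering one account.
    t = LoginThrottle(static_blocklist={"203.0.113.7"})
    clock = 0.0
    for attempt in range(1, 6):
        allowed, reason, wait = t.check("alice", "198.51.100.4", now=clock)
        print(f"t={clock:6.1f}s attempt {attempt}: {reason} (wait {wait:.0f}s)")
        if allowed:
            clock += t.record_failure("alice", "198.51.100.4", now=clock)
        else:
            clock += wait
```

The per-account delay slows an attacker who rotates source addresses, while the per-IP counter catches one address spraying many accounts. The cost of the account-side delay is that anyone who knows a username can impose waits on its owner, which is why the delay is capped and is cleared on success rather than growing without bound.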

And then you can…

Go in for Two-Factor authentication

It’s easy, it’s cheap, and in the era of mobile phones, it is pretty easy to implement. Two-factor authentication depends on two things — what the user knows and what the user has. For example, the user knows her password and she has a mobile phone, so all you need to do is ensure that her mobile phone gets a one-time password (OTP) each time she tries to log in. If she is indeed the person trying to log in, she uses the OTP she has just received and logs in successfully.
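The server side of the OTP flow described above, as an added example that is not part of the original post. It generates a random six-digit code, hands it to an injected delivery callable (the SMS gateway is assumed and not implemented here), stores only a keyed hash of the code, and accepts it once within a time window and a small number of attempts. `OtpService`, `PendingOtp` and the constants are hypothetical names chosen for this example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300        # a code is valid for five minutes
OTP_MAX_ATTEMPTS = 3         # six digits are guessable if unlimited tries are allowed


@dataclass
class PendingOtp:
    code_hash: bytes
    expires_at: float
    attempts_left: int


class OtpService:
    """Issue and verify delivered one-time codes for the 'something you have' factor."""

    def __init__(self, send_message, secret_key):
        self._send = send_message     # callable(phone_number, text) provided by the caller
        self._key = secret_key        # server-side key so a leaked store does not leak codes
        self._pending = {}            # username -> PendingOtp

    def _hash(self, code):
        return hmac.new(self._key, code.encode(), hashlib.sha256).digest()

    def issue(self, username, phone_number, now=None):
        """Generate a code, deliver it and remember only its hash. Re-issuing replaces the old code."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[username] = PendingOtp(
            code_hash=self._hash(code),
            expires_at=now + OTP_TTL_SECONDS,
            attempts_left=OTP_MAX_ATTEMPTS,
        )
        self._send(phone_number, f"Your login code is {code}")
        # The plaintext code is deliberately not returned to the caller.

    def verify(self, username, submitted, now=None):
        """Return True only for the current, unexpired code; each code is single use."""
        now = time.time() if now is None else now
        pending = self._pending.get(username)
        if pending is None:
            return False
        if now > pending.expires_at:
            del self._pending[username]
            return False
        pending.attempts_left -= 1
        ok = hmac.compare_digest(self._hash(str(submitted)), pending.code_hash)
        if ok or pending.attempts_left <= 0:
            # Consume the code on success, or discard it after too many wrong guesses.
            del self._pending[username]
        return ok


if __name__ == "__main__":
    # Constructed demo: the "gateway" just records what it would have sent.
    outbox = []
    svc = OtpService(lambda phone, text: outbox.append((phone, text)), secrets.token_bytes(32))
    svc.issue("alice", "+1-555-0100")
    delivered = outbox[-1][1].split()[-1]
    print("wrong code accepted:", svc.verify("alice", "000000" if delivered != "000000" else "111111"))
    print("right code accepted:", svc.verify("alice", delivered))
    print("replayed code accepted:", svc.verify("alice", delivered))
```

The password check still happens first; the OTP step only runs after it succeeds, so a captured code on its own is useless, and a stolen password is useless without the phone.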

There are tons of other things that can be done to get your password systems up to date, but just these will be good to work on. And while good password policies do not stop hackers from exploring other attack vectors, they at least reduce one of the big problem areas that administrators face when dealing with security. And in security, every little bit helps.
