Myths about Password Strength
We all know that passwords are not all that good of a security control measure, yet in systems and networks worldwide they lamentably remain the most commonly used form of authentication. In previous blog entries I’ve summarized and discussed some of the previous studies on passwords that Dr. Robert Proctor of Purdue University, Dr. Kim Vu of California State University-Long Beach and I have done over the years. Some of our findings were that longer passwords were under a number of conditions no more difficult to crack than were shorter ones, something that attests to the power of today’s password cracking tools, and that more difficult-to-create passwords were not significantly more difficult to crack, either, although they were more difficult to remember.
What these results have clearly shown is that a lot of myths about password security exist in the world of information security, and unfortunately these myths have been the basis of password policy provisions that are downright specious. Over the years I have taught numerous operating system security courses. When I have covered recommended password policy settings, I have not infrequently been challenged by those who think that requiring passwords to be changed every 90 days or allowing passwords less than 10 characters long is inadequate for security’s sake. Yet the results of empirical research clearly show that the individuals who have objected to these settings are off base.
Microsoft recently conducted a study to discover whether frequent password changes have any relationship to ability to resist password attacks. A brief summary of the results of this study is that the frequency of password changes made no difference. Why? As Microsoft stated, once a password is captured through sniffing or through password cracking, a perpetrator is likely to use that password then and there, so it does not make any difference if the password is changed the next day or the next year.
The real problem is that organizations still are not using one-time passwords, but instead use passwords that are the same from day to day, except of course when they have to be changed. One-time passwords are highly advantageous in that it is no big deal if they are captured—any given password used in a login will not be good for the next login. But this brings up a big question—if Microsoft and other operating system vendors know that static passwords are bad for security, why do they keep giving us operating systems with only static password-based authentication? One would think that customers would not have to be forced to turn to third-party vendors for products that provide one-time passwords.
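To make the "a captured password is not good for the next login" property concrete, here is an added example (not code from the original post) of a counter-based one-time password scheme in the style of RFC 4226 HOTP, with a small server-side verifier. The secret key used is the RFC 4226 test-vector key, chosen only so the output can be checked against published values; the look-ahead window of 3 and the verifier class are assumptions of this example, not a description of any particular product.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    dynamically truncated to a short decimal code."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Server-side verifier. Each counter value is usable exactly once:
    after a code is accepted the expected counter moves past it, so a
    sniffed or shoulder-surfed code is worthless for the next login."""

    def __init__(self, secret: bytes, look_ahead: int = 3):
        self.secret = secret
        self.counter = 0            # next counter value we expect from the token
        self.look_ahead = look_ahead  # tolerate a few presses the server never saw

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # consume this counter and any it skipped
                return True
        return False


def replay_demo():
    """Legitimate login with a fresh code, then an attacker replaying the
    same captured code. Returns (first_attempt_ok, replay_ok)."""
    secret = b"12345678901234567890"  # RFC 4226 test-vector key (demo only)
    server = OtpVerifier(secret)
    captured = hotp(secret, 0)        # what the token showed and what a sniffer saw
    first = server.verify(captured)   # True: user logs in
    replay = server.verify(captured)  # False: counter 0 is already spent
    return first, replay


if __name__ == "__main__":
    print(replay_demo())  # (True, False)
```

The contrast with a static password is the whole point: with a static password the second call would succeed just as the first did. The look-ahead window is the usual trade-off in counter-based schemes; it lets a token that was pressed without logging in resynchronise, and the verifier advances past every skipped counter so none of those codes can be used later either.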
There is also another side to the issue of frequency of password changes, namely that users who must change their passwords frequently often resort to shortcuts that increase the likelihood of the passwords being cracked. One of these shortcuts is writing the most recent password down on a “yellow sticky” and then pasting it inside the top right desk drawer in the office. Another is selecting convenient passwords to avoid effort in creating and remembering them. For example, a user with a password of YruBugginMe? who is forced to change the password the next month might choose YruBugginMe?01 if the next month is January, YruBugginMe?02 if the month after that is February, and so on.
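The "YruBugginMe?01, YruBugginMe?02" shortcut is easy to catch at change time, when the user must supply the current password in the clear. The following is an added example (not from the original post) of a password-change check that rejects a new password that merely adds or bumps a counter, changes case, or is otherwise a close edit of the current one, and that also compares a normalised "stem" against digests of earlier passwords. The treatment of up to four leading or trailing digits as a counter, the 0.8 similarity threshold, and the use of plain SHA-256 for the stem digests are assumptions of this example; a deployment would use a slow, salted hash for anything it stores.

```python
import hashlib
import re
from difflib import SequenceMatcher
from typing import Optional, Set

# Digit runs of up to four characters at either end are treated as a "counter"
# that users bump from month to month (assumption of this example).
_COUNTER = re.compile(r"^\d{1,4}|\d{1,4}$")


def stem(password: str) -> str:
    """Normalise a password to the part a user tends to keep between changes:
    strip an edge counter and fold case."""
    return _COUNTER.sub("", password).lower()


def stem_digest(password: str) -> str:
    """Digest of the stem, so a history can be kept without storing plaintext.
    SHA-256 keeps the example self-contained; use a slow, salted hash in practice."""
    return hashlib.sha256(stem(password).encode("utf-8")).hexdigest()


def change_rejection(new: str, current: str,
                     previous_stem_digests: Set[str],
                     threshold: float = 0.8) -> Optional[str]:
    """Return the reason a proposed change is rejected, or None if it is acceptable.

    `current` is available in plaintext because the user types it to authorise
    the change; older passwords are only available as stem digests."""
    if new == current:
        return "new password is identical to the current one"
    if stem(new) == stem(current):
        return "new password differs from the current one only by case or a counter"
    if SequenceMatcher(None, current.lower(), new.lower()).ratio() >= threshold:
        return "new password is too similar to the current one"
    if stem_digest(new) in previous_stem_digests:
        return "new password recycles the stem of an earlier password"
    return None


if __name__ == "__main__":
    # Constructed walk-through using the post's own example pattern.
    history = {stem_digest("YruBugginMe?99")}
    for new, current in [("YruBugginMe?01", "YruBugginMe?"),
                         ("YruBugginMe?02", "YruBugginMe?01"),
                         ("YruBugginMe!!", "YruBugginMe?"),
                         ("YRUBUGGINME?7", "correct horse battery"),
                         ("correct horse battery", "YruBugginMe?")]:
        print(f"{current!r} -> {new!r}: {change_rejection(new, current, history)}")
```

The stem-digest history is what makes the check survive more than one change: once a user has gone from YruBugginMe?01 to YruBugginMe?02, every later attempt at the same stem is caught even though the current password at that time may be something else entirely. The obvious caveat, and the point of the post, is that a stricter change check only raises the cost of the monthly ritual; it does not make a static password any safer once it has been captured.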
It is high time to discard all the myths about password characteristics that are circulating. We torment users into jumping through hoops that they should not have to face. Let’s get real, and, better yet, let’s at least move away from static passwords, even if one-time passwords pose some risks of their own. The degree of risk from static passwords is far greater than for one-time passwords.