August 8, 2007

Balancing Security and Usability: Passwords

For this portion of the Balancing Security and Usability series we will discuss the following topics:

  • Using Passwords effectively

  • "Weak" v. "Strong" Passwords

  • How passwords get cracked

  • Password Complexity Policies


One of the most well known, effective and easily implemented forms of security for a computer is a password. A password is a string of letters, numbers, or special characters (!, @, #, $, etc.) that an individual sets in order to prevent unauthorized people from accessing data. Passwords can be set for individual files or folders and then shared among authorized users, or they can be set for individual user accounts, each of which has permission to access particular files or folders.

Not all passwords are created equal, and some types of passwords are better than others, but in general any password is better than no password. What differentiates a "strong" password from a "weak" one is its length and complexity. For example, using the password "password" is not as good as using "Pa$$Word!", because the first is very easy to guess and very easy to crack.

To understand why some passwords are better, it helps to know how the tools used to crack passwords work. There are 2 basic types of password cracking tools. The first uses what is called a "dictionary attack": it tries words pulled from a list pre-defined by the attacker, in the hope that one of them will be correct. So "password", which is a word found in the dictionary, would probably be cracked in seconds, whereas "Pa$$Word!" is not a real word and would have to appear on the list in that exact form for it to be cracked. The second is called a "brute force" attack: it simply strings together combinations of characters in the hope of eventually hitting the correct one. This attack is very effective, and if given enough time it will eventually get your password. This is why longer, more complex "strong" passwords are much more effective: every extra character and every extra type of character multiplies the number of combinations the attacker has to try.

In addition to having a good, strong password, it is helpful to change it at periodic intervals (6 weeks - 3 months is a typical time frame). The reason for this is that if someone does get hold of your password, they won't be able to use it forever, because it will eventually change; they then have to go through the cracking process again, and they again risk getting caught.

One way many companies prevent passwords from being cracked is by "locking" accounts that have too many failed log-in attempts. For instance, if the incorrect password is entered 5 times in a row within an hour, the account gets locked and the user must contact the administrator. Or a company may place a limit on how many times you can attempt to log in within a given period, so a person may only attempt to log in 5 times within 15 minutes before his account is temporarily locked. After the 15 minutes, the account is unlocked and the user can try again. (This slows the attack process and increases the risk for the attacker.)

So now you must be thinking, "Good, I'll make it so my users have to have a password that is at least 15 characters long, includes letters, numbers and special characters, and they have to change it every month." Unfortunately it's not that easy. What ends up happening a lot of the time is that if it is too hard for end-users to keep their passwords straight, they write them down on a post-it note and stick it to their monitor. This rather defeats the purpose. What also happens is that your IT staff start getting a lot of calls to unlock accounts and reset passwords, which takes time and wastes resources. So you need to find a balance that works for your organization.

A typical mid-level security password policy might include the following standards:

  • Passwords must be at least 8 characters long

  • Password must contain 3 of the following types of characters: uppercase letters (A, B, C, etc.), lowercase letters (a, b, c, etc.), numbers (1, 2, 3, etc.) and special characters ($, %, &, etc.)

  • Password cannot contain your username or your real name

  • Password must be changed every 90 days (password cannot be reused for 3 rotations)

  • Password must be in place for at least 7 days before it can be changed again

Again, this is just an example, and it may not work for your organization. Maybe you don't need so much complexity, or you are OK with users never changing their password. Do what is right for your company.
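The length, character-class and username/real-name rules from the policy above can be checked automatically at password-change time, and the same classification shows why the brute-force search space in the earlier section grows so quickly. The following is an added example written for this post, not code from the original; the per-word treatment of the real name and the use of Python's punctuation set as the "special characters" class are assumptions.

```python
import string

# Policy parameters taken from the example policy in the post.
MIN_LENGTH = 8
CLASSES_REQUIRED = 3
# The four character types named in the policy. Using string.punctuation as the
# "special characters" class is an assumption; the post only lists $, %, & etc.
CHAR_CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}

def classes_present(password):
    """Return the names of the character classes that appear in the password."""
    chars = set(password)
    return [name for name, members in CHAR_CLASSES.items() if chars & members]

def policy_violations(password, username="", real_name=""):
    """List every policy rule the password breaks; an empty list means it passes."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("shorter than %d characters" % MIN_LENGTH)
    if len(classes_present(password)) < CLASSES_REQUIRED:
        violations.append("fewer than %d character classes" % CLASSES_REQUIRED)
    lowered = password.lower()
    if username and username.lower() in lowered:
        violations.append("contains username")
    # Assumption: each part of the real name ("John", "Smith") is checked on its
    # own, case-insensitively, so "JohnSmith1!" is rejected for "John Smith".
    for part in real_name.split():
        if len(part) >= 3 and part.lower() in lowered:
            violations.append("contains real name")
            break
    return violations

def brute_force_keyspace(password):
    """Number of combinations a brute-force attack must cover if it knows only
    which character classes are in use: (alphabet size) ** (password length)."""
    alphabet = sum(len(CHAR_CLASSES[name]) for name in classes_present(password))
    return alphabet ** len(password)
```

Comparing brute_force_keyspace("password") with brute_force_keyspace("Pa$$Word!") makes the post's point concrete: one extra character and two extra character classes multiply the search space by several orders of magnitude.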
