As a consultant, I am often asked what is good practice on passwords. I am afraid I tend to follow what is considered received wisdom as published in CESG memos 26 and 35, which suggested:-
Password complexity must cover the following criteria:
1. Must contain a minimum of 7 characters
2. Must be alphanumerical with at least 1 numeric
3. Must be changed at least every 90 days
4. Cannot reuse the last 20 passwords
5. Cannot use any part of the user's assigned account name
6. Must not be shared or written down
Most organisations use a variation on this theme. Usually 8 characters with complexity and changed regularly, every 90 days being common. Indeed some customers demand password rules along these lines to be implemented as part of contractual obligations.
The trouble with passwords like these, though, is that they are difficult to remember. Not only that, but their ‘strength’ is not always as high as you’d think: password crackers can in many cases crack them quite quickly.
A client and I were having this very debate and he sent me a link to a cartoon which you can see here: http://xkcd.org/936/.
This got me thinking and having looked around the web I have to say that having a passphrase rather than a password seems a better way to go.
Cracking passwords comes down to two approaches:- guessing the password, or brute force cracking. If the hacker who wants to get into your account knows you, and you use a common name or a variation on a name, such as your eldest child’s name turned into J0hn123!, then cracking the password is actually quite easy for a computer programme.
Brute force hacking is more time consuming – programmes will throw combinations of letters, numbers and characters at the log on until they find the right one. This is then merely a function of time – how long it takes a computer to try characters until it ‘guesses’ the right values. The longer the password, the more combinations there are to try, and the longer it takes a computer.
The trouble, though, is that making passwords harder for computer programmes to crack also intrinsically makes them harder for users to remember. Users are thus tempted to write them down, especially if they have multiple systems to log in to. Of course, writing them down introduces potential insecurity, which tends to undermine the rationale for having passwords as a security device.
Some people, of course, can handle passwords easily, but the truth is they may be in the minority.
To preserve security, banks providing on-line banking are introducing a token approach. For this you have a keypad device into which you insert your bank card. You enter your PIN and the device provides you with a rolling pass key, which is then entered into the website. This provides a lot of security: you need the device, your card and your PIN as a minimum.
However, introducing such a system into most organisations is very expensive.
So what about using pass phrases? These are easy to remember. Passphrases such as “I went to Zanzibar for 12 coconuts!” or “My eldest child is John and he is 12 years old!” can be used. Easy to remember, hard for computer programmes to crack.
Or use four randomly chosen words: “Orange Haystack Tomato Garden”. You can always include special characters or numbers, “Orange Haystack Tomato 24 Garden!”, to make it even more complex.
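To put numbers on the brute force argument above and on the four-random-words suggestion, here is an added Python example (not from the original post) that estimates the search space, in bits, of each scheme and the average time an attacker testing guesses offline would need at an assumed rate. The guess rate, the word list size and the number of leetspeak variants are constructed assumptions. Note that the passphrase figure assumes the attacker knows it is built from dictionary words, so what counts is the number of words and the size of the list, not the character length.

```python
import math

# Assumed offline guess rate for an attacker who has obtained a password hash
# database. Constructed for illustration; real rates depend on the hash algorithm
# and hardware and vary by many orders of magnitude. The comparison is the point.
GUESSES_PER_SECOND = 1e10


def random_chars_bits(length, alphabet_size):
    """Entropy (bits) of a password of `length` symbols chosen uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def random_words_bits(word_count, wordlist_size):
    """Entropy (bits) of a passphrase of `word_count` words chosen uniformly from a list."""
    return word_count * math.log2(wordlist_size)


def pattern_bits(leet_variants, digit_suffixes, symbol_suffixes):
    """Entropy left in a 'name + leetspeak + digits + symbol' password (the J0hn123!
    case) once the attacker already knows the base name, so only the decorations
    have to be enumerated."""
    return math.log2(leet_variants * digit_suffixes * symbol_suffixes)


def expected_crack_seconds(bits, rate=GUESSES_PER_SECOND):
    """Average time to hit the secret: half the search space at the given guess rate."""
    return (2.0 ** bits) / 2 / rate


def compare_policies():
    """Return {scenario: (bits, expected seconds to crack)} for the schemes discussed."""
    scenarios = {
        # 8 characters drawn at random from the 94 printable ASCII symbols
        "8 random printable characters": random_chars_bits(8, 94),
        # known child's name, ~8 leet spellings, 0-999 digit suffix, ~10 symbols (assumed)
        "known name + leet + digits + symbol": pattern_bits(8, 1000, 10),
        # 4 words from a 7776-word list (the size of a Diceware-style list)
        "4 random words": random_words_bits(4, 7776),
        # 10 words from the same list still fits comfortably inside a 127-character limit
        "10 random words": random_words_bits(10, 7776),
    }
    return {name: (round(bits, 1), expected_crack_seconds(bits))
            for name, bits in scenarios.items()}


if __name__ == "__main__":
    for name, (bits, seconds) in compare_policies().items():
        print(f"{name:38s} {bits:6.1f} bits  ~{seconds / 86400:.3g} days")
```

The figures make the post's point: four random words give roughly the same 52 bits as eight random printable characters, whereas a known name decorated with leetspeak and a number leaves only about 16 bits, which falls in well under a second at the assumed rate.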
So why is this not common practice? Well, a number of issues arise from the use of pass phrases.
Firstly, as the characters are (usually) masked at log in, it is easy to enter the pass phrase incorrectly (after all, when you are typing only a dot appears, and you may forget where you are).
Secondly, not everyone knows this is possible, and there is reluctance to move away from the ‘password = 8 characters’ school.
To overcome the former, some ‘experts’ suggest that passwords should not be masked when they are entered.
There is no one answer. What might be more appropriate is to allow pass phrases and offer some examples of both password generation and pass phrase generation, coupled with user education and a password ‘strength’ meter such as http://www.passwordmeter.com/ or https://www.microsoft.com/en-gb/security/pc-security/password-checker.aspx.
So some suggestions:-
- If you just use passwords, then: an absolute minimum of 8 characters, with at least one capital letter, plus special characters and numbers
- Consider pass phrases as well as passwords
- Educate users on password generation, provide examples
- Provide a password check meter
- Allow users to un-mask password characters
- Provide a password safe such as http://passwordsafe.sourceforge.net/ or http://keepass.info/ for users to store their passwords in
Most security systems, including Windows(TM), allow up to 127 characters in the password – the longer the passkey, the better.