Network World

Chris Jackson

Your Password Policy Stinks

Password policy needs to be updated to increase complexity to address cracking threats.

By Chris Jackson on Fri, 08/20/10 - 5:22pm.

Research has shown that accounts protected by passwords shorter than 8 characters are about as hard to break into as a safe made out of toilet paper. Every character you add multiplies the number of guesses an attacker must make by the size of the character set, so the minimum password length should be between 12 and 16 characters, which means your password policy may need refreshing. Complex passwords are just not something the human mind was designed to remember. While I can remember a frightening amount of Star Wars trivia (sorry for all of the wind kicked up by my propeller), passwords are just not easy to remember. I absolutely dread the 30-day password change e-mails my company sends, warning me that if I don't rack my brain and come up with some ridiculous combination of numbers, letters, and special characters, my digital umbilical cord will be unceremoniously cut. I feel like I'm an unwilling contestant in the finger torture Olympics, where the only prize is the privilege of working another 10-hour day. This hamster wheel of pain that has us continuously changing passwords and replacing them with even more complex versions is about to get even more difficult as organizations respond to new threats to password security.

[Image: Poor Password Security. Caption: Not helping…. Thanks for trying….]

Cryptography is a complex discipline, but for passwords its job is simple: keep the secret secret. One of the hardest parts of any authentication scheme is proving that you know a shared secret without handing it over. Most systems therefore never store or transmit the password itself. The password is run through a one-way hash, which cannot be reversed to recover the original string, so the result can cross an insecure medium like the internet. The server keeps the hash, and at login either the client's hash or a challenge-response value derived from it is compared with the stored copy; on a match the user is allowed access. Two caveats a practitioner should keep in mind: a sniffed or stolen hash that the server accepts directly is as good as the password (the pass-the-hash problem), and hashing only delays an attacker, it does not stop one. The length and complexity of a password determine how many guesses a brute-force or dictionary attack has to make, so time is ultimately the protective mechanism that attackers must "defeat" in order to recover a user's password. To cut that time, attackers precompute: rainbow tables (chains of passwords and hashes computed once and stored) turn cracking into a lookup that can recover an unsalted hash in minutes instead of days. They only work when the same password always produces the same hash, which is why every stored hash should carry its own random salt. An attacker simply needs to sniff authentication hashes as they pass across the wire or through the air, feed them to these tools and wait.

The feasibility of on-the-fly brute-force cracking has increased dramatically, due in no small part to NVIDIA's CUDA programming architecture, which lets off-the-shelf graphics processing units (GPUs) be used to greatly accelerate password cracking. Through CUDA a programmer can use the GPU as a massively parallel cracking engine: every guess is an independent hash computation, exactly the kind of work thousands of GPU cores do well. For a few hundred dollars these GPUs offer more raw number-crunching power than a typical multi-million-dollar supercomputer did in the year 2000. NVIDIA's latest multi-GPU Tesla workstation can generate 5 teraflops of mathematical processing, which, in combination with a six-core processor, can brute-force passwords so fast you would think you were watching a pack of rabid teenage girls in a foot race for Justin Bieber concert tickets. The defender's lever is to make each guess expensive: a salted, iterated key-derivation function costs a legitimate login a few milliseconds and costs the attacker that same multiplier on every one of billions of guesses.
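The two preceding paragraphs describe the mechanics in prose; the following Python is an added example (not code from the article or its author) that plays them out on constructed data. It shows a fast unsalted hash falling to a dictionary attack and to a precomputed hash-to-password table (the simple form of the time/memory trade-off a rainbow table compresses), then the corrected setting with a random per-user salt and an iterated KDF, and finally how the search space, and so the attacker's time, grows with length. The wordlist, the 95-character set and the assumed guess rate of 10^9 per second are illustrative assumptions, not figures from the article.

```python
import hashlib
import hmac
import os

# Constructed sample data, not from the article: a short wordlist that happens to
# contain some of the passwords the users in this toy example chose.
WORDLIST = ["password", "letmein", "qwerty", "Summer10", "Welcome1", "dragon"]

PRINTABLE_ASCII = 95        # assumed size of the character set a "complex" policy allows
GUESSES_PER_SECOND = 10**9  # assumed GPU throughput against a fast unsalted hash; not the article's figure


def unsalted_hash(password):
    """Weak setting: one fast, unsalted hash (MD5). Same password -> same hash, every user, every site."""
    return hashlib.md5(password.encode()).hexdigest()


def dictionary_crack(target_hex, wordlist):
    """Dictionary attack: hash each candidate and compare. Cost is one hash per guess."""
    for word in wordlist:
        if unsalted_hash(word) == target_hex:
            return word
    return None


def build_lookup_table(wordlist):
    """Precompute hash -> password once; afterwards every crack is a dictionary lookup.
    A real rainbow table compresses this with hash chains, but it exploits the same
    property: without a salt, work done once is reusable against every captured hash."""
    return {unsalted_hash(w): w for w in wordlist}


def salted_hash(password, salt=None, iterations=100_000):
    """Corrected setting: per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256).
    The salt makes precomputed tables useless; the iterations make every guess slow."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_salted(password, salt, digest, iterations=100_000):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def keyspace(charset_size, length):
    """Candidates an exhaustive search must try: each extra character multiplies the count."""
    return charset_size ** length


def years_to_exhaust(length, charset_size=PRINTABLE_ASCII, rate=GUESSES_PER_SECOND):
    """Worst-case time to try the whole keyspace at the assumed guess rate."""
    return keyspace(charset_size, length) / rate / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # 1. A fast unsalted hash falls to a dictionary attack and to a precomputed table.
    leaked = unsalted_hash("Summer10")
    print("dictionary attack recovered:", dictionary_crack(leaked, WORDLIST))
    table = build_lookup_table(WORDLIST)
    print("table lookup recovered:", table.get(unsalted_hash("dragon")))

    # 2. With salts, the same password hashed for two users gives two different digests,
    #    so a table built against one hash is worthless against the other.
    salt_a, digest_a = salted_hash("dragon")
    salt_b, digest_b = salted_hash("dragon")
    print("salted digests differ:", digest_a != digest_b)
    print("legitimate login verifies:", verify_salted("dragon", salt_a, digest_a))

    # 3. Length is the multiplier the attacker cannot buy their way around.
    for n in (8, 12, 16):
        print(f"{n} chars: {years_to_exhaust(n):.3g} years at {GUESSES_PER_SECOND:.0e} guesses/s")
```

Run it and the third section makes the article's 8-versus-12 argument concrete: at the assumed rate an 8-character search finishes in months, while 12 characters takes millions of years, and the iterated KDF multiplies both by another five orders of magnitude compared with a single MD5.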

As if password complexity issues and hardware cracking capabilities were not enough to worry about, you also have to consider that many people reuse passwords across multiple accounts and websites. A single compromised account, even a low-value one, can then open the doors to banking sites and other private information, because the attacker simply tries the recovered password everywhere else the victim has an account. Password weaknesses are not simply a technology or cryptography issue but a people problem. No reusable password is uncrackable, but the longer and more complex you make it, the longer recovery takes, until it becomes impractical for an attacker.

Password policies need to be updated to address these new threats, and organizations must educate users on the dangers of password reuse. Biometrics and one-time password hardware tokens can help insulate the user from password complexity and mitigate password cracking, but not without the added cost, integration, and maintenance these technologies require. I personally use a password management application on my iPhone called 1Password to keep track of all of my accounts and passwords; it also syncs with my laptop and even includes a built-in password generation tool for creating strong passwords for new accounts. I also use a one-time password hardware token for VPN access and for access to critical systems.

One of the best solutions we have today for combating password cracking is the use of one-time passwords, but these technologies are just not ubiquitous across all applications, making them a partial answer. What do you think? How do you, or your organization, tackle the password complexity problem?
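The article recommends one-time password tokens without showing why a sniffed code does an attacker no good. The following Python is an added example, not the article's or any vendor's code: it implements HOTP (RFC 4226), the event-based algorithm behind most hardware tokens, the time-based TOTP variant (RFC 6238) on top of it, and the server-side check that consumes each counter so a captured code cannot be replayed. The shared secret is the RFC 4226 test vector seed; the look-ahead window of 5 is an illustrative choice.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        ((mac[offset] & 0x7F) << 24)
        | (mac[offset + 1] << 16)
        | (mac[offset + 2] << 8)
        | mac[offset + 3]
    ) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter replaced by the number of
    `step`-second intervals elapsed since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)


class HotpValidator:
    """Server side of an event-based token. A code is accepted only if it matches one
    of the next `window` counter values, and a counter that has been consumed is never
    accepted again, so a code sniffed off the wire is worthless once the legitimate
    login has gone through."""

    def __init__(self, secret, window=5):
        self.secret = secret
        self.window = window
        self.last_counter = -1  # highest counter already consumed

    def verify(self, code):
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c  # consumes this and every earlier counter
                return True
        return False


if __name__ == "__main__":
    # Constructed demo: the RFC 4226 test secret, shared by the token and the server.
    secret = b"12345678901234567890"
    server = HotpValidator(secret)
    first = hotp(secret, 0)
    print("token displays:", first)
    print("login with it:", server.verify(first))
    print("attacker replays the sniffed code:", server.verify(first))
    print("next button press on the token:", server.verify(hotp(secret, 1)))
```

The window lets the server tolerate a few button presses that never reached it, which is the usual resynchronisation trade-off; a larger window gives an attacker more valid codes to guess at, so real deployments keep it small and add a retry limit.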

About Net Defense

Chris Jackson, CCIE (Security, Routing, Switching), CISA, CISSP, ITIL, SANS, Technical Solutions Architect in the Cisco Architectures and Verticals Partner Organization, has focused for the past six years on developing security practices with the Cisco partner community. During a 15-year career in internetworking, he has built secure networks that map to strong security policies for organizations, including UPS, GE, and Sprint. Chris is an active speaker on security for Cisco through TechwiseTV, conferences, and webcasts. He has authored a number of whitepapers and is responsible for numerous Cisco initiatives to help build stronger security partners. He holds dual CCIEs in security and routing and switching, CISA, CISSP, ITIL, seven SANS certifications, and a bachelor's degree in business administration.

Residing in Bradenton, Florida, Chris enjoys tinkering with his home automation system and playing with his ever-growing collection of electronic gadgets. His wife Barbara and three children Caleb, Sydney, and Savannah are the joy of his life and proof that not everything has to plug into a wall outlet to be fun.

Chris's latest book, Network Security Auditing, has been selected as the August, 2010, book giveaway on Cisco Subnet.

Read a chapter excerpt of Network Security Auditing hosted by Cisco Subnet.

Buy a copy of Network Security Auditing now.
