I’ve often thought that certain password policies actually reduce security because users, being human, create less-than-secure mechanisms by writing passwords down or by reusing the same passwords whilst adding a simple digit on at the end. It now seems that GCHQ agrees with me!
CESG, the Information Security arm of GCHQ, recently published Password Guidance: Simplifying Your Approach. In this document, aimed at system owners, they address not only the limitations of passwords but also the effects of various password policies on overall security when accounting for real user behaviour! It is an enlightening read.
I’ve always been concerned that certain password policies do little to improve security whilst burdening users with unnecessary complexity. The two policies that concern me the most are complexity settings and password expiry.
Password Complexity
Microsoft group policy allows an enforceable password length and complexity policy for users which in a nutshell requires a password to be a certain length and contain at least 3 characters from the following; uppercase, lowercase, number and special character.
Policies such as these have led to users substituting certain special characters in the place of regular letters (! = i, 4 = A etc.).
Originally this was designed to protect against dictionary and brute force attacks but as hackers quickly adapted to include dictionary variations based on the common substitutions the value of complexity settings has always been questionable in my mind.
GCHQ say this on password complexity:
Traditionally, organisations impose rules on the length and complexity of passwords. However, people then tend to use predictable strategies to generate passwords, so the security benefit is marginal while the user burden is high.
Instead of password complexity they recommend:
…defending against automated guessing attacks by either using account lockout, throttling, or protective monitoring
and
blacklisting the most common password choices
This is great common sense really and relieves the burden on the user, instead placing responsibility for system security with the admins, where it should be.
My feelings on password complexity can be summed up with the following comic strip from the brilliant xkcd site.
Password Strength from xkcd
Password Expiry
I’ve never understood how password expiry is supposed to improve security. The idea is, I guess, that if a user has to change their password regularly it will limit the time that a compromised password can be use. I have two issues with this:
- This assumes that the password breach will go undetected – as soon as it is detected the password will be changed anyway! Also, it assumes that the breached account cannot be used to facilitate the breach of further accounts – negating the effect of changing the password on the first.
- Regularly making users change their passwords usually means users will either write them down or just change the last digit; neither of which does anything to improve security.
GCHQ agrees that password expiry offers
no real benefits as stolen passwords are generally exploited immediately
They recommend;
monitoring logins to detect unusual use
and
notifying users with details of attempted logins, successful or unsuccessful
Again, removing the password expiry burden from the user and replacing it with a user responsibility to monitor their own accounts usage and an admin responsibility to monitor for unusual behaviour.
Conclusion
The GCHQ document has seven sensible tips on password security and I’ve only touched on a couple here.
You can review the whole document here. It’s well written and an easy read.
Bear in mind that all of the above assumes passwords that must be typed in manually and that need to be remembered by a user.
I would also recommend, other than the initial log in password for your PC, you can use a password manager application to increase security. It will allow you to securely generate, store, use and mange random, complex and/or long passwords safely. Personally I use the free and open source KeePass for managing the hundreds of passwords on my work PC.
Of course you do need to remember the password to get into KeePass!
