Eliminating Password Complexity
SecurityDude, CISSP-ISSAP is an IT consultant, Security & Privacy Advocate and blogger at large with over 20 years IT experience. SecurityDude shares tips, tricks, and info that the average networking professional will find interesting and indispensable.
Over the years, I have read many articles that recommend enforcing complexity as the solution to poor user-selected passwords. Some operating systems like Microsoft Windows Server 2003 enforce password complexity by default.
The conventional wisdom dictates that a password must be at least 8 characters and include both upper and lower case. It should also include at least one number and a “special” character such as “#”.
UTTER RUBBISH.
I would not make such a strong statement without the research of much smarter people than me, and of course “math”. I like to think of “math” as a good synonym for “reality”. First, how does one quantify the difficulty of “breaking” a password? That, of course, “depends”.
If you are sitting at a Starbucks sipping a Venti decaf Caramel Macchiato and enter your cleartext password into your unencrypted webmail portal over an unencrypted wireless HotSpot, the difficulty level is about zero. All the attacker requires is a protocol analyzer (like Network Instruments Observer 12) and a wireless card. If you surf to a naughty web site and inadvertently download a software keystroke logger, the difficulty of breaking your password is again “about zero”.
On enterprise networks, passwords are usually stored (and transferred over the wire) in the form of a cryptographic HASH or a challenge-response transaction. The strength of a hashed password is generally rated by the number of hours it would take an arbitrary computer to run every possible cleartext input through the given HASH function until one yields a match on the stored hash (via a compare function).
Using the BFTcalc.xls spreadsheet created by Mandylion Labs a few years back, let’s compare the security of a password built under the 8-character complexity rule espoused above. For the test, we use an 8-character password consisting of 1 special character, one number, one upper-case character and five lower-case characters. The spreadsheet yields a value of 98,853,048,320 (98.8 BILLION possibilities). Does that sound impressive? In the 1970s, when even mainframe computers’ CPUs were capable of only several hundred thousand instructions per second, 98.8 billion combinations would have taken many years to process.
Fast forward to the present. BFTcalc.xls uses a calculation of 2*(2^33) hashes per second (over 17 billion per hour) as the baseline brute force of a SINGLE desktop computer. This yields a time to crack of 2.88 hours on that “average” desktop computer built about three years ago. Are you surprised that a password like “Ph0dedq&” will fall in under 3 hours?
I recommend you remove password complexity rules from your systems and instead require a minimum password length of 13 characters. At first blush, this idea probably sounds ludicrous.
I solve the long password problem by using strings of unrelated words. Which is easier for a user to remember, “woodgermyelling” (15 characters) or “Ph0dedq&”? I would bet “woodgermyelling” wins every time. As a bonus, BFTcalc.xls calculates that particular password would take 2,033,944,647.08 days to crack on a single computer. That is equal to 5,568,636.95 YEARS. Yes, 5 MILLION YEARS. If you additionally require that users change passwords every 90 days, the odds are very much against a successful brute force attack on your passwords.
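To show where the figures above come from, here is an added example (my own script, not the Mandylion spreadsheet) that reproduces them. It assumes BFTcalc's positional model: the keyspace is the product of the character-class size at each position (26 lower, 26 upper, 10 digits, 32 specials), with no credit for permuting the classes; the attacker rate is assumed to be 2^35 hashes per hour, because that is the rate that reproduces both the 2.88-hour and the 2,033,944,647.08-day results quoted above.

```python
import math
import string

# Class sizes assumed for the positional model (string.punctuation has 32 chars).
CLASS_SIZES = {
    "lower": len(string.ascii_lowercase),   # 26
    "upper": len(string.ascii_uppercase),   # 26
    "digit": len(string.digits),            # 10
    "special": len(string.punctuation),     # 32
}

# Assumed attacker throughput: 2^35 hashes/hour (about 9.5 million/second).
# This is an inference from the article's two time figures, not a BFTcalc constant.
HASHES_PER_HOUR = 2 ** 35


def char_class(c: str) -> str:
    """Map one character to the class whose size is charged for that position."""
    if c in string.ascii_lowercase:
        return "lower"
    if c in string.ascii_uppercase:
        return "upper"
    if c in string.digits:
        return "digit"
    if c in string.punctuation:
        return "special"
    raise ValueError(f"unsupported character {c!r}")


def keyspace(password: str) -> int:
    """Number of candidates an attacker who knows each position's class must try."""
    return math.prod(CLASS_SIZES[char_class(c)] for c in password)


def time_to_exhaust(password: str, rate: int = HASHES_PER_HOUR) -> dict:
    """Worst-case time to run the whole keyspace through the hash at `rate` per hour."""
    hours = keyspace(password) / rate
    return {"hours": hours, "days": hours / 24, "years": hours / 24 / 365.25}


if __name__ == "__main__":
    for pw in ("Ph0dedq&", "woodgermyelling"):   # the two passwords discussed above
        t = time_to_exhaust(pw)
        print(f"{pw!r}: keyspace={keyspace(pw):,} hours={t['hours']:,.2f} "
              f"days={t['days']:,.2f} years={t['years']:,.2f}")
```

Lower-case-only passphrases win purely on length: every extra lower-case character multiplies the keyspace by 26, so 15 of them beat 8 characters drawn from four classes by more than ten orders of magnitude.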
I hope you find this information useful.
Tags: Brute Force, Crypto, Password, Password Complexity