The Business Case for Increasing Minimum Password Lengths

I love getting root. I also love looking for other people getting root. What I don’t love doing is telling people how they can stop other people from getting that sweet sweet root. I know I’m not alone but unfortunately this is what gets many InfoSec folks paid. InfoSec folks have to explain to lay people how to make things more secure in a way that is easy to understand. For many this doesn’t come easily. Your root can be the sweetest root, but if you can’t explain to others why and how it needs to be fixed then you’ve arguably failed as an InfoSec professional.

I’ve recently been in this situation. I’ve needed to justify to senior leadership increasing the minimum password length for an Active Directory domain from the default 8 characters to 14. This was a tough sell because users don’t like long passwords. They’re considered harder to remember and a pain to have to enter every time they want to log in. To make this seemingly bitter pill easier to swallow, I also recommended that the maximum time between password resets be increased from 90 days to 180. Recent guidance from the NCSC suggests that regular password resets do nothing to increase users’ password hygiene. Many users will simply increment a number at the end of their password. Attackers know this. If your password is “Password3”, then an attacker will guess that your future passwords will be “Password4”, “Password5”, etc. Although many users would welcome fewer forced password changes, justifying why going against the accepted security dogma might be tricky in some organisations.

To save someone else the effort of having to write a proposal justifying why increasing the minimum password length and maximum length of time between password resets is necessary, I’m publishing a version of mine. Hopefully someone out there finds it useful.

Here it is...

Management Summary

It is recommended that passwords be at least fourteen characters in length and that the duration between password changes be increased to 180 days. This will increase the overall security of user accounts and ultimately <BUSINESS NAME> as a whole. This would also bring the organisation in line with UK Government guidance.

Problem

Security best practice specifies that users be encouraged to select passwords that cannot be easily guessed by an adversary by making them long and complex. However, the current corporate password policy enforced by <BUSINESS NAME> does little to enforce this good behaviour.

Maximum Password Ages

The password policy enforced by <BUSINESS NAME> requires that users regularly change their passwords. The motivation for this security control is to limit the harm that can be done by an attacker who has knowledge of users’ passwords. When a user changes their password, the previous one becomes useless to the attacker.

However, this control does not take into account the inconvenience to users, and the methods they will use to limit this inconvenience. One method users might use to limit the inconvenience of regularly changing their password is to select a simple, easy to remember word and simply append a number to the end, which is incremented at each change. An attacker in possession of a password that is “Welcome14” will assume, correctly in many cases, that the next password will be “Welcome15”. Therefore, regular password changes do nothing to increase the security posture of an organisation, and may in fact decrease it.

Furthermore, regularly changing passwords works under the assumption that users’ passwords have already been compromised. If this is the case, then the security of <BUSINESS NAME> has already been compromised and the damage arguably already done.

Minimum Password Lengths

Rather than forcing users to regularly change their passwords, efforts should be focussed on ensuring that users select long passwords that appear to be random, but are actually easy for them to remember.

The current password policies enforced by <BUSINESS NAME> allow users to select passwords that are only eight characters in length. This is a default setting and is the absolute minimum that is required to prevent user accounts being compromised by brute-force attacks. As computing power increases, it will not be sufficient to prevent password attacks in the near future.

Solution

The minimum password length should be increased to encourage users to select passwords that are more difficult to guess. Every extra character in a password increases the number of guesses an attacker must make by a factor of approximately 100. Therefore, it is recommended that passwords be at least fourteen characters in length to increase the amount of effort required by an attacker, while not overly burdening users by requiring them to remember unreasonably long passwords.

User education may be required to assist users in selecting passwords that appear random, but are easy for them to remember. For example, some kind of mnemonic could be used to assist in remembering a complex password.

The time between password changes should be increased or eliminated altogether. This will have the effect of encouraging users to select passwords that are easy for them to remember, but difficult for an attacker to guess.

It is also important to ensure that policies are consistent across all areas of the business to ensure there is no ambiguity about how users are expected to behave.

To ensure that users are selecting strong passwords, regular password audits can be performed by the Security team. Users with weak passwords (that is, with passwords that would likely be guessed by an attacker within a short period of time) can be contacted and requested to select a more secure value. Over time, this would have the effect of users having passwords that are difficult for others to guess.
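As an added illustration (not part of the original proposal), the sketch below shows the kind of check such an audit could apply: it flags passwords under the recommended fourteen characters, common words with a number suffix, and the "Welcome14" to "Welcome15" increment pattern described earlier. The function names and the small word list are hypothetical, and the increment check assumes the previous and new password are both available in plaintext, as they are at password-change time.

```python
import re

MIN_LENGTH = 14  # minimum length recommended in the proposal

# Constructed sample deny list; a real audit would use a much larger one.
COMMON_BASES = {"password", "welcome", "letmein", "summer", "winter"}

_TRAILING_NUM = re.compile(r"^(.*?)(\d+)$")


def split_counter(password):
    """Split 'Welcome14' into ('Welcome', 14); counter is None without trailing digits."""
    m = _TRAILING_NUM.match(password)
    if m:
        return m.group(1), int(m.group(2))
    return password, None


def is_increment_of(old, new):
    """True when new is old with only its trailing number raised (or newly appended)."""
    old_base, old_n = split_counter(old)
    new_base, new_n = split_counter(new)
    if new_n is None:
        return False
    if old_n is None:
        old_n = -1  # 'Welcome' -> 'Welcome0' or 'Welcome1' is the same habit
    return old_base.lower() == new_base.lower() and new_n > old_n


def audit(new, previous=None):
    """Return the reasons a password is weak; an empty list means it passes."""
    findings = []
    if len(new) < MIN_LENGTH:
        findings.append("shorter than %d characters" % MIN_LENGTH)
    base, _ = split_counter(new)
    if base.lower() in COMMON_BASES:
        findings.append("common word with optional number suffix")
    if previous is not None and is_increment_of(previous, new):
        findings.append("previous password with the number incremented")
    return findings


if __name__ == "__main__":
    # Constructed examples, including the pattern described in the proposal.
    for old, new in [("Welcome14", "Welcome15"), (None, "Password3"),
                     (None, "correct-horse-battery-staple")]:
        print(new, "->", audit(new, old) or "ok")
```
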

In the event that it is suspected that user accounts have been compromised, then users can be manually forced to change their passwords.

Risks

Increasing the minimum password length may increase the difficulty users have remembering their own passwords, which could result in increased calls to the IT helpdesk as more password resets are requested.

Security best practices suggest that users should have unique passwords for every account. By increasing the minimum password length, users might be inclined to use the same password for multiple accounts. Should the password for one account be compromised, then arguably all accounts that use the same password should be considered compromised – especially if it is possible to ascertain that both accounts are owned by the same user.
