February 5, 2010

Password Phrases: Time to get with it!

Anybody who has been in the computer security business long enough has probably encountered plenty of lectures, articles, and snippets discussing complexity requirements for passwords. Even the average user has been forced to meet complexity requirements at some point in time, so one might be inclined to believe we've reached the best practice possible for securing passwords - but this couldn't be further from the truth.

Traditionally "secure" passwords suffer from the fact that most users will choose something easy to remember rather than an entirely random sequence of characters. Hence, you have the creation of 'pseudo-secure' passwords. I'm sure you've all seen them before in some form (or perhaps even used them). I'm referring to passwords like "Acme73!", "Secur4", and "l33t". While technically these kinds of passwords may satisfy a number of complexity requirements, they are still relatively easy to crack.

You may be wondering, "Sure, but who really does brute-forcing anymore?" True, traditional brute forcing of every possible combination seems to have declined in recent years in favor of other, easier methods of intrusion. However, the threat is no less relevant. The older method has given way to a more targeted form of brute forcing that can make quick work of your "secure" passwords. Some of the tools that I've written (freely downloadable from the Tools section) make use of targeted brute forcing, and have the capability of finding a password like "Acme73!" relatively quickly, simply because they first try the standard gimmicks that people commonly use to add complexity - like capitalizing the first letter, adding numbers at the end, and ending with an exclamation mark. Does that sound like one of your passwords? If so, you might want to rethink your password strategy.
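The gimmicks described above can also be checked for defensively. This is an added example (not one of the author's tools) that flags a password built from a dictionary word plus those gimmicks and compares a rough targeted guess count with exhaustive search. The wordlist, the substitution table, the 100,000-word dictionary size, and the guess-count model are all assumptions.

```python
import re

# Constructed sample wordlist; a real audit would load a full dictionary.
WORDLIST = {"acme", "secure", "leet", "password"}
# Assumed substitution table mapping common look-alikes back to letters.
DELEET = str.maketrans("43105@$7", "aelosast")
SHAPE = re.compile(r"(?P<base>.*?)(?P<digits>[0-9]*)(?P<symbols>[^A-Za-z0-9]*)", re.DOTALL)


def find_gimmicks(password, wordlist=WORDLIST):
    """Describe the gimmicks on a dictionary-based password, or return None."""
    base, digits, symbols = SHAPE.fullmatch(password).group("base", "digits", "symbols")
    # Digits may be a suffix ("Acme73!") or substitutions inside the word ("l337").
    for stem, suffix in ((base, digits), (base + digits, "")):
        word = stem.lower().translate(DELEET)
        if word in wordlist:
            break
    else:
        return None
    gimmicks = []
    if stem[:1].isupper():
        gimmicks.append("capitalized first letter")
    if stem.lower() != word:
        gimmicks.append("character substitution")
    if suffix:
        gimmicks.append("trailing digits")
    if symbols:
        gimmicks.append("trailing symbol")
    return {"word": word, "gimmicks": gimmicks, "digits": len(suffix), "symbols": len(symbols)}


def targeted_space(found, word_count):
    """Rough guess count for an attacker who tries this shape first (assumed model):
    every word, first letter in either case, any digits and symbols of these lengths."""
    return word_count * 2 * 10 ** found["digits"] * 33 ** found["symbols"]


def naive_space(password, alphabet=95):
    """Guess count for exhaustive search over the full printable alphabet."""
    return alphabet ** len(password)


if __name__ == "__main__":
    for pw in ("Acme73!", "l33t", "my cat hates mondays"):
        found = find_gimmicks(pw)
        if found:
            print(pw, found["gimmicks"], targeted_space(found, 100_000), "vs", naive_space(pw))
        else:
            print(pw, "no dictionary word plus gimmick pattern found")
```

A password that returns a result here should be rejected at creation time no matter which complexity rules it satisfies.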

This is where password phrases (also known as passphrases) come into their own. While by no means a new concept, their ability to secure access supersedes that of even the most complicated password. Essentially, password phrases are simply passwords that consist of a simple phrase thought up by the user. It could be a personal quip, a random statement, or a nonsensical sentence. The only requirement is that it have sufficient length - something around 15 or more characters, though there's no hard and fast rule.

While this may seem like a horribly insecure method of creating passwords at first glance, it actually provides a boost to security by reducing the likelihood that users will use traditional gimmicks (like those I've previously mentioned) and vastly increasing the effort required to brute-force a password.

Statistically speaking, this is easy to prove. Let's consider the number of permutations in a traditionally "secure" password. You have uppercase characters (26), lowercase characters (26), numbers (10), and special characters (33 on most keyboards). This creates 95 possible values per character position. In a normal eight-character password, this results in 95^8 possible permutations, or 1,370,114,370,683,136 variations (1.37E+15 in scientific notation).

Now, let's look at a passphrase. Even if we use only lowercase characters (26) and limit ourselves to 15 characters, we wind up with 26^15 possibilities, or 1,677,259,342,285,725,925,376 variations (1.68E+21). That increases the number of possibilities over a million times compared to the traditionally "secure" password. You really want to brute force that? Good luck.

Not to mention, passphrases are also far easier for the brain to remember than strings of random characters, so usability also increases (which incidentally helps reduce the chance that your employees will leave those post-it notes of their passwords under their keyboards!).

Naturally, some will contend that popular quotes may be used, enabling dictionary-type attacks to take place. Thankfully, the English language has about as many popular quotes as it does words, making any such attempt a near futile effort from the beginning.

Currently, the mandate of password complexity requirements is a deeply rooted belief held at many organizations and institutions. However, computer security is subject to constant change and improvement, and those entities that heed policies that are demonstrably more secure will always benefit from their implementation. Those that do not will become more vulnerable and eventually reap the consequences.
