Password policies
We now know about password cracking. So we can make some statements about the strength of a certain password stored in a certain way. Is this information sufficient for our organization? What more do we need to know?
“If our adversaries get sufficient access to our password storage, then what are the chances that they also get access to whatever we have secured with them at this moment?”
1. “What are the chances”
2. “Sufficient access to storage”
3. “Whatever we have secured with them”
4. “At this moment”
Consider this: passwords are means to an end.
Password policy dimensions (diagram): password storage sits between the secured data and services and the routes into it (login, recovery, phishing, hacking); the dimensions shown are password strength, password coverage and password interaction.
Password policy dimensions
Password strength: what is the password and how is it stored?
Password coverage: to what extent do we rely on this password?
Password lifetime: for how long do we rely on this password?
Password interaction: what kinds of interaction with our password storage exist?
Forces
For each dimension, there is a trade-off between security and usability. We’re not concerned about usability because we’re nice people, but because bad usability results in adverse effects for our organization.
First: the world of well-behaved users.
Then: the world of low usability.
Dimension 1: password strength
The actual passwords can be influenced by enforcing a password generation strategy. The goal is to influence the entropy (ensured by the strategy) and the usability.
Strategy                 Ensured entropy    Usability
No constraints           Low                High
Complexity constraints   Higher             Lower
Passphrase               Generally lower    Higher
Randomly generated       Super high         Super low
Diceware                 High
Inkblots                 ???                High
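The “ensured entropy” column is what a policy guarantees in the worst case, not what a careful user might achieve. The following script is an added example (not part of the original slides) that puts numbers on that column under stated, constructed assumptions: a random generator draws from the 94 printable ASCII characters, Diceware from the 7776-word list, an unconstrained user is assumed to pick one of the 100 most common passwords, and a user under complexity constraints is assumed to converge on the weakest compliant pattern “Capitalised dictionary word + digit + symbol” with a 20,000-word dictionary. The guess rate of 1e10 per second is likewise an assumed attacker figure.

```python
import math

# Constructed modelling assumptions (illustrative, not measurements from the slides).
PRINTABLE_ASCII = 94        # alphabet of a random password generator
DICEWARE_WORDS = 7776       # standard Diceware list size (6^5)
COMMON_PASSWORD_LIST = 100  # assumed: an unconstrained user picks a top-100 password
DICTIONARY_WORDS = 20000    # assumed: dictionary behind a "Word1!"-style password


def bits(space: float) -> float:
    """Entropy in bits of a uniform choice among `space` candidates."""
    return math.log2(space)


def random_password_bits(length: int, alphabet: int = PRINTABLE_ASCII) -> float:
    """Randomly generated: every position is an independent uniform draw."""
    return length * bits(alphabet)


def diceware_bits(words: int, wordlist: int = DICEWARE_WORDS) -> float:
    """Diceware: every word is an independent uniform draw from the list."""
    return words * bits(wordlist)


def no_constraint_bits(common_list: int = COMMON_PASSWORD_LIST) -> float:
    """No constraints: the ensured entropy is what the worst-case user gives you,
    i.e. one of the most common passwords."""
    return bits(common_list)


def complexity_minimum_bits(dictionary: int = DICTIONARY_WORDS) -> float:
    """Complexity constraints: modelled as the weakest compliant pattern users
    converge on, 'Capitalised word + one of 10 digits + one of 10 symbols'.
    Minimum complexity becomes actual complexity."""
    return bits(dictionary) + bits(10) + bits(10)


def seconds_to_exhaust(entropy_bits: float, guesses_per_second: float) -> float:
    """Time for an offline attacker to try the whole space at the given rate."""
    return 2 ** entropy_bits / guesses_per_second


def strategy_table(guesses_per_second: float = 1e10) -> dict:
    """Ensured entropy (rounded) and exhaustive-search time per strategy."""
    strategies = {
        "no constraints": no_constraint_bits(),
        "complexity constraints (8+ chars)": complexity_minimum_bits(),
        "diceware (5 words)": diceware_bits(5),
        "randomly generated (12 chars)": random_password_bits(12),
    }
    return {name: (round(b, 1), seconds_to_exhaust(b, guesses_per_second))
            for name, b in strategies.items()}


if __name__ == "__main__":
    for name, (b, secs) in strategy_table().items():
        print(f"{name:36s} {b:6.1f} bits   exhaustive search: {secs / 86400:.3g} days")
```

The interesting line is the complexity-constraint one: the policy looks stricter than “no constraints”, but the ensured entropy of the pattern users actually fall back on is only about 21 bits, which an offline attacker exhausts in a fraction of a second, while five Diceware words sit near 65 bits.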
Inkblots: a small study by Adam Stubblefield at Microsoft Research, 2004.
A small test on 25 people: 20 remembered the password the day after; 18 remembered it a week later; those who forgot had forgotten just one picture (two characters). The entropy wasn’t thoroughly investigated, only reasoned about.
Dimension 2: password coverage
Boils down to: how many and what services do we protect with each password?
What services: this can simply be chosen by the policy designer.
How many services:
Unique password per service: high security, low usability.
Single sign-on: low security, high usability.
Dimension 3: password interaction
In what ways is it possible to interact with our password storage? (diagram) Two interfaces, the login interface and the reset interface, and four kinds of access: normal access, reset access, hack access and phishing access.
Dimension 4: password lifetime Boils down to: for how long is a password valid? But also: password history.
The world of low usability (diagram): low usability turns the well-behaved user into a rebel user.
What do rebel users do?
1. Try to lower the password entropy.
2. Introduce new password storages.
3. Call the help desk. A lot.
“Adam Roderick, director of IT services at Aspenware, tells Ars that he frequently hears from client companies that a quarter to a third of all help-desk requests are the result of forgotten passwords or locked accounts.”
Dimension 1: password strength
Complexity requirements: minimum complexity becomes the actual complexity. Users pick the weakest password that still passes, and very common passwords such as ‘123456’ remain widespread.
Dimension 4: password lifetime
REACTION: users immediately reset the password to an earlier password.
ACTION: enable password history: the last x passwords can’t be used.
REACTION: users immediately reset the password x times and then to the earlier password.
ACTION: also enforce a minimum password age.
REACTION: users now have issues when they actually need a reset.
ACTION: remove the minimum password age, set x to infinity.
REACTION: passwords get written down, get saved in a file, or users start using password managers.
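The action/reaction chain above is easy to check mechanically. The following is an added example, not code from the original slides: a minimal model of an account under a lifetime policy (history depth x, minimum age, maximum age) plus a simulated rebel user who, right after a forced reset, changes the password x times to throwaway values and then back to the old one. The policy names, the 90-day maximum age, the sample password and the 50-change cap on the rebel’s patience are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional


class PolicyViolation(Exception):
    """Raised when a password change is rejected by the lifetime policy."""


@dataclass
class PasswordPolicy:
    history: int = 0        # last `history` passwords (current included) cannot be reused
    min_age_days: int = 0   # days a new password must be kept before the next change
    max_age_days: int = 90  # assumed lifetime after which a reset is forced


@dataclass
class Account:
    policy: PasswordPolicy
    current: str
    changed_at: int = 0                                # day number of the last change
    previous: List[str] = field(default_factory=list)  # older passwords, most recent first

    def violation(self, new: str, today: int) -> Optional[str]:
        """Reason the change would be rejected, or None if the policy allows it."""
        age = today - self.changed_at
        if age < self.policy.min_age_days:
            return f"password is {age} day(s) old; minimum age is {self.policy.min_age_days}"
        remembered = ([self.current] + self.previous)[: self.policy.history]
        if new in remembered:
            return f"password is one of the last {self.policy.history} used"
        return None

    def change_password(self, new: str, today: int) -> None:
        reason = self.violation(new, today)
        if reason is not None:
            raise PolicyViolation(reason)
        self.previous.insert(0, self.current)
        self.current = new
        self.changed_at = today

    def must_reset(self, today: int) -> bool:
        """True once the password has reached the end of its lifetime."""
        return today - self.changed_at >= self.policy.max_age_days


def rebel_cycles_back(policy: PasswordPolicy, old: str = "Winter2023!",
                      today: int = 100, max_changes: int = 50) -> bool:
    """Simulate the rebel reaction: on the day of a forced reset, change the
    password `policy.history` times (at most `max_changes`) to throwaway values,
    then try to go back to `old`. Returns True if the old password is accepted."""
    acct = Account(policy=policy, current=old, changed_at=today - policy.max_age_days)
    assert acct.must_reset(today)
    try:
        for i in range(min(policy.history, max_changes)):
            acct.change_password(f"throwaway{i}", today)
        acct.change_password(old, today)
    except PolicyViolation:
        return False
    return acct.current == old


if __name__ == "__main__":
    for label, policy in [
        ("no history", PasswordPolicy()),
        ("history x=3", PasswordPolicy(history=3)),
        ("history x=3 + min age 1 day", PasswordPolicy(history=3, min_age_days=1)),
        ("history x=infinity, no min age", PasswordPolicy(history=10 ** 9)),
    ]:
        print(f"{label:32s} old password back same day: {rebel_cycles_back(policy)}")
```

Running it shows each step of the slide: with history alone the old password is back after x throwaway changes; adding a minimum age blocks the cycle but also blocks a legitimate second change the same day; a practically infinite history blocks the cycle without a minimum age, at which point the user’s next move is outside the system (a note, a file, a password manager).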
Dimension 3: password interaction (diagram): rebel users introduce new password storages outside the official one, a post-it in the office and a password manager, each adding its own access path for hackers and intruders.
Conclusions
When considering passwords, do not only consider the passwords themselves, but also how they are accessed, what they are used for and for how long they are used. In all of these dimensions there will be a trade-off between security and usability. Low usability may backfire: your users will deviate from the policy in unpredictable ways, rendering it useless.