Monday, November 23, 2009

Password Craziness

There is a light at the end of the password tunnel. The only question is when will the endless craziness of longer and more complex passwords finally be tamed, for surely, either by reason or futility, it will end.

Surely you've seen the current craze, eight character passwords containing a combination of lowercase, uppercase, numbers and special characters. Let's say for the sake of argument that this is truly needed and worth every bit of aggravation. How long will it last? The basic math says about 10 years, given that Moore's Law holds and computing gets one-half as expensive every eighteen months, and that there are about 80 possible characters to choose from when building a password. To keep the same relative immunity, in 10 years it will take a 9 character password, in 20 years a 10 character passwords, etc., until such time that users revolt, or hopefully, start to question why in this world of marvelous technological innovation they must increasingly carry the security burden.

But why wait until the fires are burning around your feet and the smoke is rising to take a fresh look at the problem and solve it sooner rather than later. A few things to consider.

  • It appears that the single biggest issue is using hashes to store passwords. Then if the bad guys get the hashes, it's straight-forward to crack common passwords. If this is indeed a real problem, then fix it. Use something else. Like encryption. Duh.
  • Passwords can be cracked by brute force by simply trying every possible combination. This assumes that no prevention mechanism is in place to stop this tack from being successful. Since most passwords are validated by servers, this limits the number of attempts per second to the speed of the server and the intervening network, in most cases limiting the attempts to hundreds or maybe a thousand attempts per second. Compared to the over 1 quadrillion possibilities of an 80-choice, 8-character-long password, the math says it takes over 3 million days to try them all. I'll be lucky to live 30,000 days. I'll take my chances.
  • Passwords that are easy to remember are easy to guess, probably taking only a few thousand attempts via a "smart force" method. Very true, and assuming that the above server just blindly tries as fast as its little Ghz will allow, a very real threat. But since humans can't try more than once every few seconds and will undoubtedly give up after a dozen or so attempts and go find that sticky note they knew they would need someday. So why can't the server just let the user try a few times and revoke their account? That actually works well unless someone, inside or outside your company's "four walls", decides to enter your userid and a few bad passwords and lock you out of your computer. It happens, trust me on this one. The best solution is for the server to simply "slow down", ever more slowly processing new attempts. The hacker can't try any more than the user will try before giving up. This is the clever method used by Lotus Notes for years. If you're lucky enough to have Lotus Notes available, try a few bad passwords and see what happens. I promise it won't hurt.
  • If the hackers know all the common passwords, why do systems allow any of them to be used? Ah, the simple questions are the best, aren't they? If "egbdflth" is not in the list, wouldn't it be just as good as "Eg^-3U8i"?
  • Passwords that protect files are prone to hacking, since many copies of the file can be made and large numbers of computers can simultaneously try to guess the password. Sooner or later they will get in, and that time can be greatly lengthened by stronger passwords. Ah, we've uncovered a truly good use for strong passwords. Finally. Anyone out there do this on a regular basis?

Why force unreasonable passwords on people? In my book if it's not in the hacker's list, it's good enough. I believe that's the reason behind the lowercase, uppercase, number and special character craziness. They're just trying to get you to pick a password that's not very likely to be in the hacker's list. But that makes the password much harder to remember than it really needs to be. That in turn leads to extremely weak password reset tools which "challenge" you with questions like your mother's maiden name. Wow, that's really secure. Not.

The larger strategic challenge is designing solutions that are simple at the edge and not just passwords. Simplicity is the best security and removing the human element is essential to that design. Stop requiring users to solve our security problems and start looking for solutions that address the real problems.

1 comment:

Anonymous said...

Well Paul I have just found your blog and have enjoyed reading all of it.. This one especially hits home at my current position. I only wish I could get them to feel the same way.. Thanks for the good reading..

Dan Wilson (Old Mead co-worker)