Wednesday 2 September 2015

Password complexity....are we fooling ourselves ?

Many of the beliefs we have around what constitutes a “good” password are created by what default policies in software such as Microsoft teach us.
We are led to believe that a minimum length of 8 characters, a good mixture of UPPER and lower-case, numbers and uncommon (i.e. $@#&!) characters automatically make a good password.
Many Systems Administrators and Systems Engineers never delve into the analysis behind a password due to the above IT MEME created in large by the software industry. So what constitutes a strong password and why is our MEME a concern. Surely our passwords have stood the test of time.
What we need to keep in mind is that computing power has been increasing at an incredible rate and access to this computing power has become easier and easier. Lately, harnessing the power of multiple GPU’s has become the standard method to crack passwords. A recent password cracking cluster built with easily accessible hardware, managed to show that it could crack every standard Windows password in less than 6 hours. (GPU Cluster cracks passwords)
This is seriously scary tech for anyone connected with security on networks. Gone are the days of setting a password and never touching it again - at Windows complexity levels, that is. Even changing passwords regularly is no guarantee against a machine that only needs 6 hours to crack open ANY Windows password.
What shall we then do ?
First of all, we need to understand what makes a password difficult to crack. The key here is LENGTH. Sure, complexity plays a factor, but complexity becomes self defeating if a user cannot remember their own password. Force them to change this complex password every week or month and they WILL start writing it down. This then defeats the object of the exercise, as written down passwords can be snooped and are a very high risk.
Some facts:
A password of 8 characters (only a-z + A-Z) can be cracked by a Supercomputer in approx 5 millionths of a second (0.0005s) or in about 11 seconds by a PC + GPU. This password has an entropy (password strength) value of 45.6 bits.
A password of 8 characters containing a-z, A-Z, 0-9, special characters (`~!@#$%^&*()-_=;:'",<.>?) will take a Supercomputer 0.05 seconds to crack and a PC + GPU only 17 minutes.
Keeping the password simple (a-z + A-Z), but increasing the length by only 2 characters ( from 8 to 10 ) will make the Supercomputer take 1 second to crack it and the PC + GPU crack time increases to 8 hours !
Adding another 2 characters now makes our 12 character password crackable in 1 hour by Supercomputer, but our PC + GPU will now take 2 YEARS ! Password entropy has now increased to 68.4 bits.
Should we become creative and construct our password as an easy to remember object of some length such as “MydogsnameisButch” (17 characters) with an entropy of 96.9bits, our Supercomputer now needs 47,125 YEARS and our PC + GPU needs 942 MILLION YEARS to crack this !
On top of being very difficult to crack (by a computer), our password has the advantage of being easy to remember.
This does not mean that ALL restrictions must be removed from password complexity. A good requirement would be 12-16 characters, at least 2 Uppercase and no more than 2 consecutive repeated letters. The 16 character limit allows the password to be used in a Windows environment. The above password would have to be changed to “MydogsNameisBob” (Entropy value of 85.5 bits)
In general, an entropy of over 80 is considered to be a very strong password.
References:
  1. https://en.wikipedia.org/wiki/Password_strength
  2. https://en.wikipedia.org/wiki/Password_policy
  3. http://arstechnica.com/security/2013/06/password-complexity-rules-more-annoying-less-effective-than-length-ones/
  4. https://redmondmag.com/articles/2013/08/14/password-complexity.aspx
  5. https://xkcd.com/936/
  6. https://cams.missouristate.edu/selfservice/complexity.aspx

No comments:

Post a Comment