TL;DR Passwords should be unique, long, strong, and where possible backed up with two-factor authentication. Forcing users to change passwords too regularly and/or deploy special characters (without enhancing awareness) may inadvertently result in weaker passwords.

Originally published 17th May 2018 but still relevant!

In my presentations I describe a technique on how to create a long, strong memorable password.

I demonstrate the creation of a 16-character password, beachbucketspade, and then mention adding some extra complexity, which turns it into !1aCh!uCk1tspad1. My intention was to demonstrate that it is possible to generate a long password including character substitution that remains easy for the user to recall. (Under no circumstances should you use beachbucketspade or !1aCh!uCk1tspad1 as a password; you must make your own!)

I was asked to comment on revised NIST guidelines regarding password policy, particularly on the topic of complexity. And so this article was born!

NIST, the National Institute of Standards and Technology, is a US Government agency which, amongst other functions, provides organisations with cyber security guidance. In my mind, this function draws a parallel with our very own National Cyber Security Centre here in the UK.

In recent months, both NIST and the NCSC have published guidelines in relation to password policy which appear to roll back decades of cybersecurity thinking, and at first glance seem to fly in the face of sense when trying to secure user accounts. Being in the UK, speaking to British organisations as part of my job, I’m going to focus on NCSC advice, but my understanding is that it is broadly similar to that put forward by our friends across the pond at NIST. The points I’m going to focus on are those relating to the user:

1) Forcing users to change their password every 30/60/90 days provides no real benefit, and the burden placed upon the user will likely result in them using a predictable variant of the first, e.g. Password1 becomes Password2 and so forth.

2) Forcing users to include special characters in a password will lead to predictable strategies in password generation. For example, a user will very probably make obvious substitutions – Password1 might become Pa$$word1, something that would be easy for a criminal to guess, consider and/or automate.

I’ve seen evidence that bears out this logic. I once dealt with a dataset of compromised login credentials relating to UK organisations. I discovered one case where an individual user had reset their own password 12 times within the space of five minutes, having been prompted with a 30 day change notification, so that they could go back to using their original password. And, as you can probably imagine, the dataset was rife with examples of those who thought that changing the letter s for $ in the word “password” was going to somehow fool the criminals. These were all credentials used to access business networks remotely, many with administrative privilege.

The fact is that there is no such thing as an unbreakable password. It is simply a matter of the power of the computer being used to crack it, and the length of time it takes to do so – and that assumes we are talking about brute force rather than any other method.

If we are going to follow the NCSC advice, and make the lives of our users in relation to passwords easier, we need to consider the guidance in context: the NCSC advise considering technical controls to prevent users from being able to choose from the most common passwords – probably a good idea, since their survey suggested that 75% of organisations had users with passwords in the most common 1000, and 87% in the top 10000 (just how long would it take a computer to make 10000 guesses or less?). Furthermore, the NCSC reached the conclusion that adding complexity did not add value, on the basis that users reverted to predictable strategies and/or suffered added burden as it made passwords difficult to remember. It’s important to note that this is not the same as saying that complexity makes a password weaker. What it does indicate is that users with already weak passwords will not, left to their own devices, make them significantly stronger by using character substitution.

Indeed, in their current home user guidance, “Three Random Words”, the NCSC state that dictionary attacks will include “common substitutions such as ‘1’ for ‘i’”, but go on to say that if such an attack fails, an attacker may choose to make a brute force attempt (using computer power to try every combination of characters until it succeeds), and in this case “long random passwords and the inclusion of special characters make this harder for a computer to work out”. It therefore stands to reason that complexity can be a good thing, provided it can be made easier for the user – and if passwords across your organisation can be made universally stronger, that’s a GREAT thing for you, because criminals might feel that their time (money, and resources – a lot of cybercrime works on a business model after all) is better spent hacking organisations with weaker passwords than yours.

So how can we achieve that? The key (in my view) lies not in the implementation of password policy at all; it rests with education of the workforce, in the form of an ongoing cyber awareness programme. My presentations include examples of the real world consequences of cybercrime not just on organisations, but also the personal impact on individuals. I’ve been informed via feedback that in virtually every single venue I have visited, the audience has begun implementing the advice given relating to passwords (and many do so before they even leave the room in which I am speaking), using the technique I’ve described. That’s users doing so through choice, not because their employer or I instruct them to do so. We’ve given them a method to create a memorable complex password and explained why it is not only in the best interests of the company, but in their own interests to do so. Some may choose not to add the complexity, just the three random words, and that’s fine by me if they find it easier – provided we are moving away from Pa$$word1 and anything involving the names of pets or relatives, then I count that as a win. The organisations themselves are breathing a bit easier as they are getting tangible proof that users are taking positive action to create strong passwords, which gives them more faith in removing long trusted policies such as forced password reset.

It’s worth pointing out that without any complexity added, passwords will inevitably follow a somewhat predictable pattern in any event, since unless your user is capable of memorising completely random 16+ letter jumbles, they are going to use a combination of words, most likely from their primary language, in our case the English dictionary. Since certain combinations can be excluded (for example, there are no English words known to me where the letter b is immediately followed by the letter x (go ahead…I’ll wait)), an automated attack can be streamlined to avoid checking those combinations (or leave them until last). This might work in the same way as a satnav in your car starts to predict postcodes (zip codes) when you begin entering a destination, since it already knows that certain combinations don’t exist, even from the first letter you type. (For the purists, I understand that a non-sentient device can’t know anything, but you know what I mean.)

Our technique involves using words that should be impossible for the user to forget. I’d also argue (though I certainly wouldn’t recommend it) that if the user were to experience difficulty with the “hard” part of the technique, namely remembering their code (in our example b=! e=2 c=C) and ended up writing just that code down on a post-it note next to their computer, their password itself would remain uncompromised – since that knowledge alone would only assist an attacker in reducing the character set (and therefore time taken to crack the password). I’ll leave that one open to debate!
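The three points above (blocking the most common passwords and their Pa$$word1-style variants, the brute force keyspace argument for added complexity, and the post-it scenario where a known substitution code shrinks the character set back to 26 letters) can be put into numbers. The following is an added example written for this article, not the NCSC's or NIST's code; the common-password list is a constructed stand-in for a real top-10000 file, the substitution map is a partial one I chose, and the guess rate of 10 billion per second is an assumption:

```python
import re

# Constructed stand-in for the "most common passwords" list the article refers
# to (a real deployment would load the full NCSC/NIST-style top-10000 file).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome",
                    "admin", "iloveyou", "monkey", "dragon", "football"}

# Obvious substitutions the article says users fall back on (s -> $, i -> 1).
# Assumed partial map; we reverse it so Pa$$word1 is judged as the weak choice it is.
UNLEET = str.maketrans({"$": "s", "@": "a", "!": "i", "1": "i", "0": "o",
                        "3": "e", "4": "a", "5": "s", "7": "t"})

def normalise(pw: str) -> str:
    """Strip the trailing counter (Password2 -> Password), lower-case and undo
    common substitutions, so predictable variants collapse onto the base word."""
    return re.sub(r"\d+$", "", pw).lower().translate(UNLEET)

def is_blocked(pw: str) -> bool:
    """The technical control the NCSC suggest: refuse common passwords and
    their predictable variants when a password is set or reset."""
    return pw.lower() in COMMON_PASSWORDS or normalise(pw) in COMMON_PASSWORDS

def charset_size(pw: str) -> int:
    """Size of the character set an exhaustive search must cover, based on
    which character classes actually appear in the password."""
    size = 26 if re.search(r"[a-z]", pw) else 0
    size += 26 if re.search(r"[A-Z]", pw) else 0
    size += 10 if re.search(r"[0-9]", pw) else 0
    size += 33 if re.search(r"[^A-Za-z0-9]", pw) else 0  # printable ASCII symbols
    return size

def brute_force_seconds(pw: str, guesses_per_second: float = 1e10,
                        known_code: bool = False) -> float:
    """Worst-case seconds to exhaust the keyspace at an assumed guess rate.
    known_code=True models the post-it scenario: the substitution code is
    known, so each position is really just one of 26 letters again."""
    size = 26 if known_code else charset_size(pw)
    return size ** len(pw) / guesses_per_second

if __name__ == "__main__":
    for pw in ("Pa$$word1", "Password2", "beachbucketspade", "!1aCh!uCk1tspad1"):
        years = brute_force_seconds(pw) / (3600 * 24 * 365)
        print(f"{pw:18} blocked={is_blocked(pw)!s:5} charset={charset_size(pw):3} "
              f"worst-case brute force ~{years:.2e} years")
    # The article's question: how long for 10000 guesses? At the assumed rate:
    print("top-10000 list exhausted in", 10_000 / 1e10, "seconds")
```

Note that the blocklist check catches Password2 and Pa$$word1 because both normalise to "password", which is exactly the predictable-variant problem the NCSC describe, while the keyspace figures show the substituted 16-character password is roughly a billion times more expensive to exhaust than the plain words unless the code itself leaks.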

One more point on user training though – cyber awareness inputs need to be an ongoing commitment. You need to keep abreast of the threats facing your organisation, and you need to keep your users informed about how they can help protect your organisation (and themselves) from said threats. The threat horizon changes every single day – there’s a new piece of malware or a new social engineering technique. I’m not suggesting that inputs need to occur daily, but they certainly need to occur regularly. Unfortunately, some surveys I have seen suggest that only about 20% of businesses provide their staff with any cyber awareness training at all. This figure would appear to include those who only provide an input at staff induction. To put this in context, at a recent event I spoke with the employee of a reasonably large company. I asked him, “So, do you receive any regular cyber awareness training?” to which he replied, “Oh nothing regular, but we did receive some training as part of our induction.” I asked, “How long have you worked for the company?” He replied, “Oh, I’ve been here for eight years now….”

Sadly, it’s a regular feature of crime reports (not just cyber related) to find victims who just never thought something this dreadful could happen to them. With cyber crime being borderless, automated, high volume, affecting victims as collateral (e.g. NotPetya), or IoT devices being unwittingly controlled by third parties as part of a broader capability (e.g. Mirai), this is a numbers game you are almost certain to lose. The bottom line is that if your organisation adopts a cavalier attitude to cybersecurity in this day and age, you can’t really blame your employees if they do the same.