it.ucsf.edu

Why are password standards needed?

Policy Type

Best Practice

Password standard should effectively defend against hostile attempts to steal or “crack” users’ passwords. Various defenses or mitigations for such attacks have been developed. It is widely acknowledged that it is impossible to provide perfect protection for passwords. Given enough time and computing horsepower, a hostile attacker will compromise at least some passwords. Therefore, the aim of a password standard is to make such an attempt difficult and significantly reduce the chances that it will be successful.

The following assumptions are made for this analysis.

  • Passwords are stored using encryption.
  • The encryption used is “one way” and can not be reversed to reveal the clear text password.
  • Passwords are stored on a system with strong security, accessible only to authorized users.
  • Despite being encrypted on a restricted machine, it is assumed a hostile person might get a download of the encrypted passwords.

The following table lists the kinds of attacks which are known and the elements of a standard which reduce the likelihood the attack will be successful.

Attack

Mitigation

Dictionary attack (requires access to the encrypted password): this attack encrypts all dictionary words, including variations of capital letters, and compares them to the encrypted password.

Checking passwords against dictionaries when users change their passwords. This weeds out easy to guess passwords. For this purpose simple capitalizations in the middle of dictionary words are rejected.

Complex passwords, which require at least one instance of 3 of the possible 4 character sets (upper case, lower case, digits and symbols) further ensure that “hackers dictionaries” don’t include the password chosen. Non-word passwords are even better.

Brute force attack (requires access to the encrypted password): just what it sounds like: trying all combinations of a password string and comparing the encrypted result with the target password. This must eventually succeed in a match.

The longer the password, the more combinations must be tried and the longer it takes. Requiring at least 1 character from 3 of the 4 printable character sets ensures a high number of possible combinations. But complexity itself is not enough because given enough time, brute force is always successful.

Password aging (changing passwords periodically) greatly improves the chances that the password will be invalid before it is cracked so long as the length and complexity ensure a large number of possibles.

Brute force and dictionary (without access to the encrypted password): this attack simply tries different passwords, using permutations of possible passwords or dictionary words, until one succeeds. It is carried out as a series of login attempts through a normal user interface.

Locking a password for a period of time after a number of failed login attempts prevents an external attack from proceeding. The password can eventually be unlocked so the user is not greatly inconvenienced. This greatly increases the time required for this attack to succeed. It will eventually succeed unless aging is part of the standard.

Users don’t change their passwords. Even though aging is enforced, users just change their password to their old password which they have already memorized. This enables brute force attacks to eventually be successful by defeating the purpose of password aging.

Keeping a history of previous passwords and not allowing reuse of passwords on the history list defeats this vulnerability. The history list is some relatively small number, often between 4 and 10.

Users subject to password history may change their passwords multiple times until they recover their old password.

Establishing a minimum password age prevents users from changing their password until it has been used for some number of days. The number of days could be 2 or more. This effectively creates a multiplier in combination with the history list. Thus, with a history list of 6 and a minimum age of 2, it would require 6 password changes over a period of 12 days before a user could get their old password back. This is not an insuperable barrier. Password log change analysis could identify users who are abusing standard. This could lead to admonition or simply a change in history and minimum age requirements to make it even more unattractive to defeat standard.

Hostile users may “sniff” network packets looking for passwords transmitted in the clear.

Password standard itself can not defeat this attack. The only defense for normal (reusable) passwords is to ensure the connection from the user’s desktop to the password store is encrypted end to end. This is required by the Authentication system policy. This places a burden on applications to ensure they are encrypting their entire interaction with users for all restricted secure access events.