Are password policies promoting weak password choices?

Passwords are one of the most cumbersome parts of modern life. It used to be enough to have a password for the UNIX account at work and a four digit PIN code for the debit card. But not anymore. Nowadays, almost everybody has several email accounts, social network logins, home banking, login to the favorite online newspaper, and so on.

Many people use the same password for everything. If one site gets corrupted – it might be because this password was not strong enough or because the site got hacked – all other logins are open to the attacker. A solution is the use of a password manager. But in some cases this is not practical (and of course we need at least one password to unlock the password manager…). Therefore, finding a way to generate safe but easy to remember passwords is arguably a big challenge to computer security.

In many organizations, password policies are used to enforce a minimum level of password strength. In a recent blog post, John Fontana argues that most password policies actually decrease password security. He cites Cameron Morris who proposes password policy improvements and wrote a tool called Passfault to measure password strength.

After reading about weak passwords a few years ago, I started to use a small command line toll called pwgen to generate random passwords. as it turns out, 7 random characters is pretty much the most I can remember.  In fact, there were several embarrassing incidences where I had to call IT support only half an hour after choosing a new password because I forgot it. Passfault estimates that a random password generated with “pwgen 7” contains 78 billion pattern and can be cracked in about 1 day – sounds not bad to me.

The makers of webcomic xkcd propose an alternate way to make up strong passwords. They suggest to choose 4 random words which are easier to remember than random strings. Knowing my memory, I put this to the test with just 3 random words “garden dolphin dictionary” using the Passfault tool. result: 27 quadrillion pattern taking an estimated 9 centuries to crack – wow! And it is really easy to remember: I lost this paragraph while writing the post but was still able to remember my password while I typed it again later on.

Unfortunately, most password policies do not allow a password like “garden dolphin dictionary”. Some password policies do not allow use of common words. Users can get around this by “keyboard shifting”. For instance, “bird” becomes “notf” on an US keyboard shifting all key presses one position to the right. This does not significantly enhance password strength and some password cracking programs are optimized to detect this.They often require the inclusion of numbers and special characters like ‘&’. As a consequence, users tend to substitute some letters with numbers, a technique well known to password crackers.

A quick web search reveals that there are many opinions on this topic.  For instance, take a look at Per Thorsheim’s Security Nirvana, Schneier on Security who simply advocates to write the password on a piece of paper, and this discussion at Stack Exchange. Personally, I have to say that I like the idea of using a few simple random words – I seem to be able to remember this much better than other passwords. For passwords I have to type often, e.g., to unlock screens, I still prefer shorter random strings. In the end, the single day necessary to crack the above mentioned 7 character random string password by brute force might still provide good enough security for me.

Advertisements