No, eight characters, some capital letters and numbers is not a good password policy

Internal cybersecurity audits rarely make it into the public domain, but when they do they are often an eye-popping read. Take the Western Australian (WA) Auditor General’s recent 2017 report on the state of user account security in an Aussie state that tends a mammoth 234,000 Active Directory (AD) accounts across 17 state agencies …


  1. ArrZarr Silver badge

    As one of the few gatekeepers to having passwords stored in the password manager in the office, I need to tell people (the developers usually being the only people who don't need telling) that <company name>123 is not a good password and I won't accept it about 50% of the time.

    Starting to consider sending these usernames and passwords to the whole company to force them to change it given that the password would then become public knowledge. Bad stuff would probably happen though.

    1. Charles 9 Silver badge

      Well, how do you make them care, especially if they're over your head?

      1. garetht t

        Over Your Head

        As a sysadmin you don't need to make users care. Users should be following the policy, and the policy should have the backing of senior management. Anything else is doomed to failure.

        This isn't my opinion, it's the advice of SANS and ISC2.

        1. Charles 9 Silver badge

          Re: Over Your Head

          EXACTLY! The real problem is if it's the senior management who isn't following the procedure. You can't force them and executives to do anything because they're over your head (unless you're an executive yourself). Any attempt will be met with a "Who hired this clown?"

          1. Kabukiwookie Bronze badge

            Re: Over Your Head

            This is why any Security Officer should be reporting directly to either the CEO and/or board of directors.

            What usually happens is that the person responsible for security winds up attempting to shove shit uphill,

          2. This post has been deleted by its author

          3. steviebuk Silver badge

            Re: Over Your Head

            And when you realise a company and its management are like that you go into record mode. Record everything you do and everything you warn them about, via e-mail. Then take backups of said recordings. So when the shit hits the fan you can prove it wasn't your fault and you gave them plenty of warnings. As I guarantee they'll try and blame you if they think they can.

            Not that I'm taking advice from him as I've known this for years, but, and ignore political views, Michael Cohen comes to mind. He appeared to love Trump (he was clearly just kissing arse to get what he wanted) but even he was wise enough to record sessions he'd have with Trump (is that actually confirmed as fact yet?), I assume for his own protection in case he ever got screwed over by said person.

        2. Doctor Syntax Silver badge

          Re: Over Your Head

          "Users should be following the policy, and the policy should have the backing of senior management."

          The only thing that would ensure such backing, short of a massive breach costing money for compensations and fines along with a loss of reputation, would be board level insistence. That insistence would need to be backed up with loss of bonuses and/or promotion as appropriate in the face of an audit report such as this.

          1. Charles 9 Silver badge

            Re: Over Your Head

            But like I said, what do you do when the problem comes FROM the board?

            1. Anonymous Coward

              Re: Over Your Head

              Bring in the BOFH.

        3. Ian Johnston Silver badge

          Re: Over Your Head

          "As a sysadmin you don't need to make users care. Users should be following the policy, and the policy should have the backing of senior management. Anything else is doomed to failure."

          And the policy should be sane. The danger is that some paranoid IT dweeb comes up with rules so arcane and so irritating to users that they begin to take a perverse delight in thwarting them. The toughest policy in the world is no good if it leads to passwords on post-it notes by screens.

          1. ShadowDragon8685

            Re: Over Your Head

            Tie it to fiscal carrots and sticks. For the hoi polloi, they get a bonus day's wages if they use a password that a determined attempt by IT to crack [using any methods short of rubber-hose cryptography] is insufficient to the task.

            For executives, make receipt of *any* bonuses contingent on same.

            And for IT, the bonuses kick in when the company's passwords are safe.

            1. Charles 9 Silver badge

              Re: Over Your Head

              "For executives, make receipt of *any* bonuses contingent on same."

              Chicken-and-egg question: How do you enforce rules on executives when it's the executives who make the rules...and often are the ones who demand exceptions or replace the IT people with those who will? And note, this is not as rare as you think.

      2. juul

        Easy, you know what is logged and what is not, so log in as the person (not from your own PC), send the person a lot of porn site URLs (straight/gay/lesbian/shemale) from his/her own mail account, and remove the mails from the "sent" folder.

        When the person reports this, tell them (after some time) that it looks like someone has hacked their mail account. That should teach the person to take security a bit more seriously.

      3. Anonymous Coward

        "Well, how do you make them care, especially if they're over your head?"

        In my experience with external auditors, if they sniff weak password usage it's an instant fail (lots of headaches though).

      4. J27

        You don't, you document it so that after it becomes an issue you can point out that you notified your superior about the issue at the time. Passing the buck is all you really can do.

        If senior management wants to be incompetent there isn't much you can do other than cover your butt.

    2. Anonymous Coward

      A few years ago I moved a very profitable company with poor IT from POP3/SMTP email with passwords that never changed to Office 365 with proper password policies. Within 2 months I was forced to set the CEO's password to something without the required complexity that would never expire because he couldn't handle picking a new password every 30 days and then remembering it for more than 5 minutes. This for a user that had an online banking security dongle permanently attached to his PC and who would have fallen for one of those "your friend is stranded in a foreign country with no money" scam emails if I hadn't told him to call said friend.

      Sometimes it doesn't matter if IT try to do the right thing, the suits overrule us.

      1. Adrian 4 Silver badge

        A password policy that's unusable by the users can't be considered 'proper'. It's a failure.

      2. Dan 55 Silver badge

        All that's going to happen with a 30 day password policy is people will cycle the number on the end of the password and you'll get everyone swearing under their breath as each piece of software forces them to re-enter the password.

        1. vir Silver badge

          Or yellow stickies on the monitor with the password du mois in plain view...

          1. usbac

            @vir

            Many years ago I worked for a managed services provider that had a contract with a major US bank. We provided support for the entire half of the state.

            Their corporate IT folks had a very strict password policy. They required a password change every 30 days, unique passwords, and over 10 characters. What this did, however, was create an environment where no one could remember their passwords. So, on EVERY monitor there was a yellow sticky note with the last few passwords crossed out, and the current one at the bottom of the list. Even the director for the whole state had the sticky note.

            So, in the end, no security whatsoever!

            1. Ian Johnston Silver badge

              "Their corporate IT folks had a very strict password policy. They required a password change every 30 days, unique passwords, and over 10 characters. What this did, however, was create an environment where no one could remember their passwords."

              I know an Oxford college which decided to boost security by having a different 4-digit access code for every door into the buildings, instead of one for all doors as previously. This meant that an average student needed to know codes for their staircase, both their tutors' staircases, the common room, the laundry, the library and as many staircases as they had friends on. The result was inevitable: within two days every lock had its code written beside it, usually in something indelible. They went back to one-code-for-all after three days.

          2. ITS Retired

            Or like one person I knew back in beige CRT days, who wrote the passwords in pencil around the front edge of the monitor.

            Well, when you have some two dozen passwords with forced changes, depending on the login, at 30, 60 or 90 days... and different password requirements for each password.

            Too frequent password changes are a security breach. It leads people to have passwords such as Password1, passw0rD1, Password#1, etc.

          3. somethingbrite

            This is exactly what forcing people to change their passwords frequently results in.

            Bad password policy is rooted in poor psychology.

        2. Anonymous Coward

          Exactly. What worked for us is introducing:

          - a 15 character minimum for passwords

          - must use 3 of 4 elements: upper, lower, number, special character

          - a password repository app for shared/service accounts

          You could hear the users rummaging for their torches and pitchforks, and then we revealed the final part of the new password rules:

          - you must change it every 180 days (up from 45 days)

          Everybody put their riot utensils away and went off to think of a clever 15 character password, and it's been smooth sailing since.

          1. vir Silver badge

            I still think that capital letters and special characters are more trouble than they're worth. I haven't trawled through any big password dump files, but I'd be willing to bet that the majority of number/special character requirements are fulfilled by adding a 1 and/or ! to the end of a "normal" or easily guessable password and that capital letter requirements are fulfilled by capitalizing the first letter of same.

            But consider: an 8 character password with all four character types in play - lower case letter, upper case letter, number, special character - has 72^8 possible passwords (give or take, ignoring any disallowed special characters); somewhere in the region of 7.2E14. If we remove the requirement for upper case and special characters, the number of symbols drops to 36 but we can maintain the same keyspace size within an order of magnitude by adding one additional character and even quintuple it by adding two (1E14 for nine characters and 3.7E15 for 10). If we allow lower case letters alone, the keyspace is still 1.4E14 with 10 characters. What's more challenging for the user: remembering what special character/capital letter/random numeral they jammed into their password, or remembering one or two more characters?

            1. Adam 1 Silver badge

              > I still think that capital letters and special characters are more trouble than they're worth. I haven't trawled through any big password dump files, but I'd be willing to bet that the majority of number/special character requirements are fulfilled by adding a 1 and/or ! to the end of a "normal" or easily guessable password

              So much true that hashcat even does this (and a=>@, l=>!, s=>5 style substitutions) and their permutations.

              At the end of the day, size matters. A 12 character password consisting solely of lower case a-z has more entropy than an 8 character password consisting of any character (upper and lower), symbol, digit and whitespace.

              Those in a position to influence password system design should consider flat out blacklisting terrible passwords. I'd personally consider integrating with Pwned Passwords either directly or by just downloading the list and rolling your own.

              1. Dom 3

                I had a go a few years ago. Any new password was first run through this:

                https://www.systutorials.com/docs/linux/man/1-pwqcheck/

                which recognises that a long password of only two character types is as strong as a short password of four character types. (I didn't use the defaults, FWIW).

                After that I ran it through a dictionary checker against a common password list, and a standard word list. If the last (up to) four characters were digits they were stripped before this test. And leet-speak variations were also tested, e.g. p455w0rd would fail.

                And people *still* managed to come up with piss-poor passwords.

                I would like to have gone full john the ripper on it but I wasn't going to be able to sell that one to the customer.
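The checker Dom 3 describes above (class-dependent length rule in the spirit of pwqcheck, strip the trailing suffix, undo leet-speak, then look the stem up in a common-password list and a word list), together with the blocklisting Adam 1 recommends, as an added example. This is not Dom 3's code nor pwqcheck's: the length thresholds are assumed values rather than pwqcheck's defaults, the word lists are constructed samples standing in for a breach-derived list such as the Pwned Passwords download, and it goes a little beyond the post by stripping any trailing run of digits and punctuation (not just four digits) and by trying both readings of ambiguous leet characters such as "1".

```python
"""Added example (not from the thread): a password-acceptance check of the
kind Dom 3 describes: class-dependent minimum length, trailing-suffix strip,
leet-speak undoing, then a blocklist and dictionary lookup on the stem."""
import itertools
import re
import string

# Constructed sample lists. A real deployment would load a breach-derived list
# (e.g. the Pwned Passwords download) and a full word list instead.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}
DICTIONARY_WORDS = {"summer", "winter", "arsenal", "horse", "battery", "staple"}

# Substitutions cracking rule sets routinely undo, mapped to the letters they
# stand for. "1", "!" and "|" are ambiguous, so both readings are tried.
LEET_ALTERNATIVES = {
    "4": "a", "@": "a", "3": "e", "1": "il", "!": "il", "|": "il",
    "0": "o", "5": "s", "$": "s", "7": "t", "+": "t",
}

# Assumed thresholds (not pwqcheck's defaults): the fewer character classes a
# password uses, the longer it must be. A long two-class password is accepted.
MIN_LENGTH_BY_CLASSES = {1: 24, 2: 16, 3: 12, 4: 10}

# Trailing digits/punctuation users bolt on to satisfy complexity rules.
TRAILING_SUFFIX = re.compile(r"[0-9" + re.escape(string.punctuation) + r"]+$")


def character_classes(candidate: str) -> int:
    """Count the distinct classes used: upper, lower, digit, other (space is 'other')."""
    return sum([
        any(c.isupper() for c in candidate),
        any(c.islower() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(not c.isalnum() for c in candidate),
    ])


def strip_suffix(candidate: str) -> str:
    """Lower-case the candidate and drop its trailing digit/punctuation run."""
    lowered = candidate.lower()
    stem = TRAILING_SUFFIX.sub("", lowered)
    return stem or lowered  # an all-digit password keeps itself as the stem


def deleet_variants(text: str, limit: int = 256) -> set[str]:
    """Every reading of `text` with leet substitutions undone (the original
    character is always kept as one option, so `text` itself is included)."""
    variants = {""}
    for ch in text:
        options = set(LEET_ALTERNATIVES.get(ch, "")) | {ch}
        variants = {prefix + opt for prefix in variants for opt in options}
        if len(variants) > limit:  # bound the blow-up on pathological input
            variants = set(itertools.islice(variants, limit))
    return variants


def check_password(candidate: str) -> list[str]:
    """Return the reasons a candidate is rejected; an empty list means it passed."""
    reasons = []
    classes = character_classes(candidate)
    needed = MIN_LENGTH_BY_CLASSES.get(classes, MIN_LENGTH_BY_CLASSES[1])
    if len(candidate) < needed:
        reasons.append(f"{classes} character class(es) needs at least {needed} characters")
    stem = strip_suffix(candidate)
    for variant in sorted(deleet_variants(stem)):
        if variant in COMMON_PASSWORDS:
            reasons.append(f"stem '{variant}' is on the common-password list")
            break
        if variant in DICTIONARY_WORDS:
            reasons.append(f"stem '{variant}' is a dictionary word plus a suffix")
            break
    return reasons


if __name__ == "__main__":
    # Constructed candidates, including the leet example from the post.
    for pw in ["p455w0rd", "Password1234", "Summer2019!", "l3tm31n",
               "abcdefghijklmnop", "correct horse battery staple"]:
        verdict = check_password(pw)
        print(f"{pw!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The sorted loop breaks on the first hit, so a candidate reports at most one list match plus, separately, the length rule; run the block to see "p455w0rd" fail on both counts while the four-word passphrase passes the two-class length rule and matches nothing.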

            2. Anonymous Coward

              We have to use an 8 character local admin password that looks like it's been typed by someone headbutting a keyboard. Which also changes on a regular basis..... So we poor contractors have to write it down....

              I have suggested changing it to something like <InsertAdminName>isacompletenobhead as it will be easier to remember and, using your maths, be more secure?

              For some reason, they've not agreed to this.....

            3. Anonymous Coward

              exponential vs polynomial complexity

              “An 8 character password with <72 characters> has 72^8 possible passwords 7.2E14. <Even with only lower case> we can maintain the same keyspace size … by adding one additional character. If we allow lower case letters alone, the keyspace is still 1.4E14”

              Exactly! Password complexity is polynomial in the size of the character set and exponential in its length. Given C characters for a password of length M there are C^M possibilities which increases much faster with M than it does with C: exponential vs polynomial.

              Longer passwords can be easier to remember and to type: “my idiot sister has two brats” or even “My idiot sister has 2 brats!” (using stupid special-character rules) vs “T%7<a&K*” with only 8 characters. Character limits on passwords are insecure via both complexity and post-it notes.
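The keyspace arithmetic from vir's post, the exponential-versus-polynomial point made just above, and Adam 1's claim that 12 lower-case letters beat 8 characters drawn from the full printable set, worked through as an added example (not code from any of the posters). It computes the exact C^M figures rather than the rounded ones quoted, the length a smaller character set needs to match 72^8, and the growth factor from adding one symbol to the set versus one character of length; the 95-symbol "printable ASCII" set and the entropy figures are my additions.

```python
"""Added example (not from the thread): the keyspace arithmetic behind the
argument that password length matters more than character-set size."""
import math


def keyspace(charset_size: int, length: int) -> int:
    """C^M: distinct passwords of exactly `length` symbols from `charset_size` symbols."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """log2 of the keyspace. An upper bound only: it assumes every symbol is
    chosen uniformly at random, which human-chosen passwords never are."""
    return length * math.log2(charset_size)


def length_to_match(charset_size: int, target_keyspace: int) -> int:
    """Smallest length M such that charset_size ** M >= target_keyspace."""
    length = 1
    while charset_size ** length < target_keyspace:
        length += 1
    return length


def growth_factors(charset_size: int, length: int) -> tuple[float, float]:
    """How much the keyspace grows from allowing one more symbol in the set
    (polynomial in C) versus requiring one more character (exponential in M)."""
    base = keyspace(charset_size, length)
    wider = keyspace(charset_size + 1, length) / base
    longer = keyspace(charset_size, length + 1) / base
    return wider, longer


def policy_table() -> list[tuple[str, int, int, int, float]]:
    """vir's cases plus Adam 1's comparison, recomputed exactly.
    The 95-symbol set (printable ASCII including space) is an assumption."""
    cases = [
        ("4 classes (72 symbols)", 72, 8),
        ("lower+digit (36)", 36, 9),
        ("lower+digit (36)", 36, 10),
        ("lower only (26)", 26, 10),
        ("lower only (26)", 26, 12),
        ("printable ASCII (95)", 95, 8),
    ]
    return [(name, c, m, keyspace(c, m), round(entropy_bits(c, m), 1))
            for name, c, m in cases]


if __name__ == "__main__":
    for name, c, m, size, bits in policy_table():
        print(f"{name:24} length {m:2}: {size:.2e} ({bits} bits)")
    wider, longer = growth_factors(72, 8)
    print(f"72 -> 73 symbols: x{wider:.2f}; 8 -> 9 characters: x{longer:.0f}")
    print("lower-case length needed to match 72^8:", length_to_match(26, 72 ** 8))
```

Adding one symbol to a 72-symbol set at length 8 multiplies the keyspace by (73/72)^8, a little over 1.1; adding one character multiplies it by 72. That ratio is the whole argument against complexity rules that buy a few extra symbols at the cost of memorability.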

          2. Robert Carnegie Silver badge

            Why special characters? We all know computers run on just 0 and 1. enough of those and... it's remembering them that's a pain.

            Especially when one user at work needs up to six passwords. Changed on different days, if at all.

            My system - 6 letters, one capital; two numerals; no vowels. Special character? Exclamation mark, you creep. Just because a smiling brown pile isn't on my keyboard... I never used APL. Wait, a black heart, that'll do. ...Apparently you're a character that The Register doesn't support, and neither do I.

            Oh - no vowels. Happy now? Wlsdyn47! [ = well s*d you anyway ].

        3. taxythingy

          Yup. My main work account's iterator is up to 30-mumble, and our lab group password rolls based on seasons. Anything else is generally considered "too hard" and will end up with post-its by every PC.

          At home almost everything is on a password manager, but that doesn't cut it for unlocking a PC 20-30 times a day.

        4. Kabukiwookie Bronze badge

          Indeed.

          This is good advice:

          https://xkcd.com/936/

          1. Chris Evans

            XKCD example doesn't work for me.

            I can't remember the example

            Over the last four or five years https://xkcd.com/936/ has been quoted in these forums three or four times most years. Each time I've tried to remember the example password, but can't. Horse and Staple I can remember, was another of the words Door... No, and what order are they?

            I know if I had to use the password more often I might remember it, but there are quite a few passwords I only need to use three or four times a year!

            One password I use about monthly is something like sH68*452aX2 and I can just about remember that. Some people's brains seem to be wired differently and can remember different things more easily than other people.

            I write them down physically but in an obfuscated way and don't carry the copy around.

            My recommendation to friends and family is to use as complex a password system as they find challenging but manageable.

            Having throw away passwords for sites you don't worry about, but not 123456.

            Capitalise say third or fourth character...

            1. Robert Carnegie Silver badge

              Re: XKCD example doesn't work for me.

              Can you remember "xkcd936"?

              With the punctuation marks :-)

            2. Anonymous Coward

              Re: XKCD example doesn't work for me.

              Another good idea is to use a series for your passwords, for example: animals, boys names, vehicles of whatever denomination you fancy etc... Do a bit of number substitution in a non standard sort of way and add in some specials and if you really want to confuse people then you mis-spell the original word to make it easier for you to remember with the substitutions - this way you can fairly easily be over the 8 characters and it's not difficult to remember, and it's also not too bad to remember the previous ones either. An example of this I once used when I had the dinosaur series was the name quasisaurus (nope, don't think there was ever a dinosaur called that but it translated as Qu45!Sauru$). I'm not saying this is perfect or that it'll work for everyone but it's a start.

              1. Anonymous Coward

                Re: XKCD example doesn't work for me.

                My preference is for private, family, invented words. As in what your kid called the fridge when he/she was 3 and couldn't pronounce fridge. (something like fwidjerer). Maybe a pair of words to be on the safe side. Just not obvious ones that every three year old seems to say. And any extra obfuscation you can add for length, and remember ( like a three because she was 3 when she said it).

            3. illiad

              Re: XKCD example doesn't work for me.

              Well, how about this system..

              Choose an easy to remember phrase, e.g. bosisstupid

              Now add 4 letters/nums you can easily remember, that will be added to the above phrase..

              e.g. jon5 bull nad4, etc... that should give you enough different passwords.. :)

        5. hmv

          Indeed. That's why NCSC recommend against enforced frequent password changes.

        6. Anonymous Coward

          True. Which is why we've finally decided to set a 16 character minimum password that never changes. We'll also have 2FA on.

          1. werdsmith Silver badge

            All goes to show that a system of authentication by password alone is not fit for purpose and something better is needed.

            My own passwords (I have many dozens of different ones) are based on a formula which takes some context from the environment it is meant for and, by applying the formula to that context, comes up with a unique string. It means I don't have to remember the dozens of passwords, just one formula.

            If I use a login rarely I just make up some crap and forget it, then go through the recovery process every time I need it.

            1. Orv Silver badge

              "It means I don't have to remember the dozens of passwords, just one formula."

              I used to use that scheme, but realized if someone ever got more than one of my passwords it would be pretty easy to reverse-engineer.

              Not to say that's true of yours, but I can't do Blowfish in my head. ;)

        7. DJSpuddyLizard

          Password027!

        8. picturethis

          "30 day password policy"

          I don't know why this continues to be considered good practice in the industry. Because it's NOT. All this does is encourage writing down the password on a post-it and then putting it on the bottom of one's keyboard.

          Forcing someone to remember a new password every 30 days is ridiculous - In this age of smart phones, most (99%) people can't even remember a new phone number every 30 days.

          And why 30 days? Why not every day, why not every year, why not every 5 years? Where's the proof that this does anything to improve overall security?

          This policy actually results in less actual security - find a better way, this one has got to go.

          To the original poster: (AC indeed is appropriate).

      3. Dom 3

        "he couldn't handle picking a new password every 30 days" - nor should he have to. The environment where this was a good idea has not existed for decades. Even .gov.uk have caught up:

        https://www.ncsc.gov.uk/articles/problems-forcing-regular-password-expiry

        Nor is it difficult to teach (even CEOs!) methods for creating strong but memorable passwords. No, not correcthorse(...) but using the initial letters of a phrase, or using the strong stub + domain-based suffix method.

      4. AlexGreyhead

        Wait, so Steve isn't trapped in Magaluf again...?

        1. Hans Neeson-Bumpsadese Silver badge

          "Wait, so Steve isn't trapped in Magaluf again...?"

          No, he should be on his way home - I sent him the money to cover the cost of his plane ticket. No worries though, as I've got a few quid coming my way from this Nigerian prince, so I can afford it.

      5. Bibbit

        "This for a user that had an online banking security dongle permanently attached to his PC"

        Perhaps you robbing him might have taught him something? Sounds like he was too thick to notice and he would have blown that money on CEO rubbish like coke, private jets and a dominatrix anyway. CEOs cannot really be victims like real people (class war, fight the power, stick it to the man, eat the rich, etc).

      6. JimboSmith Silver badge

        Had a new C level manager who complained that he didn't like having to reset his password every 90 days. My suggestion was that if he didn't do it (i.e. asked to be an exception) he was in breach of IT policy and leaving the business more open to attack. He then said he preferred to just use the one password. He elaborated on his theme for his passwords. The theme he confided was sports based, so I logged in as him using his password. You should have seen the look on his face at that point. He'd used his football team plus a number as a password. I had guessed that he'd used the year his football club was founded at the end. He said "in this one instance" I could treat him like a child and explain how I'd done that. I pointed out his love for Arsenal was well known and I had guessed the year might be the suffix. A talk then followed on social engineering, given he mentioned he supported Arsenal in interviews he gave to people. Nice guy, and he grasped the concepts I was talking about very quickly. He agreed that he did need to change his password more often.

        1. Anonymous Coward

          "his love for Arsenal"

          You have also worked under the same bosses as me.


Biting the hand that feeds IT © 1998–2019