On Monday we attacked the utility of current password policies and standards. Today we will offer up an array of improvements.
To be truly effective from a security perspective, password policies need to be designed to withstand both online and offline password cracking methods. We discussed offline methods in our post last month, so we will not do more than recap them here. In offline cracking the attacker has acquired a copy of the hashed password database and has all the time they need to solve for the plaintext passwords.
Online password cracking is performed against the logon windows of the resource being attacked. This happens against a live and functioning server or computer. Software is used to try many different password possibilities from a list entered in into the attacking software. This is nothing more than automated guessing. Most live systems counteract this by limiting the number of invalid logon attempts (somewhere between 3 and 10 usually), and then locking out the account for a period of time (usually 5 to 60 minutes.) But this is not always the case. For instance, the default settings in a WordPress website installation will allow an unlimited number of attempts without locking out the account, which is one of the reason WordPress sites are a popular attack target. But even with a password lockout, a patient and persistent attacker will simply wait for the lockout period to end and try again. Authentication methods such as “pass the hash” eliminate the need to solve for the password in situations where the attacker already has a list of password hashes.
These are options that would improve password policies:
- Increase password length requirements to a minimum length of 12.
- Eliminate password complexity requirements. Only length matters when the attack is automated.
- Require password changes only on evidence of an attack or breach. Eliminate periodic password change requirements. They are no longer useful or meaningful, and have been shown to encourage the selection of easier and weaker passwords by users.
- Block the use of easy, common, and guessable passwords. It is easy enough to get lists of of the most common passwords. A list of dictionary words may be another good exclusion.
- Throttle logon attempts. Five incorrect attempts should cause an account lockout of 30 to 60 minutes. But to defeat automated attacks, suspending the account after 50 or 100 failed attempts in a 30 day period may be the best practice.
- Improve password storage. Make sure your passwords are not just hashed, but also salted and stretched. This makes offline password solving very nearly impossible for an attacker.
- Require two-factor authentication. TFA makes it impossible for someone with just the password alone to log in to a system. To complete the logon process requires a 4 to 6 digit one-time code that arrives on a smartphone or RSA key, and this should be difficult for an attacker to acquire.
- Use a password manager. Solutions such as LastPass and Dashlane have premium versions that can work in a corporate setting. Or look at a solution such as ManageEngine. Now users have an easy way to create long and complex passwords without having to remember anything more than the password to the password manager.
This suggested password policy will meet the regulatory requirements of most compliance programs with the exception of the requirement for periodic password changes. We are hoping that when NIST has fully certified Publication 800-63-3, that many of these changes will start to become commonplace. In the interim, you can make some of these recommended changes to your password policy to actual have a policy that provides real security.
More information:
- WyzGuys on password cracking
- WyzGuys on NIST’s password policy recommendations
- WyzGuys on password changing
- Bruce Schneier on password changing
- Naked Security on password strength
- Wikipedia – Pass the Hash
DEC
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com