By Quinn Shamblin, Information Security Officer, University of Cincinnati
CISSP, GCFA, PMP
The opinion that strong passwords actually weaken the security of a system is not all that unusual. However, the technological realities of the world today make that opinion simply wrong.
The fact that someone may write down their password is an issue (criminally negligent, in fact), but weak passwords are an even larger issue. Look at it from a risk management perspective. Writing the password down exposes the system to risk from the relatively small number of people who may see that note and those they might tell. By contrast, using a weak password exposes the system to risk from millions of people worldwide: anyone who cares to have a go can download freely available software and begin their attack. Ten years ago, the biggest threat to your accounts may have been people with access to your office, but this is no longer the case. These days, the biggest threat is the faceless mass of cyber criminals attempting to get access to your systems. According to a recent government report, the profits from global cybercrime exceeded the profits from illicit drug sales last year [(2005) http://arstechnica.com/news.ars/post/20051129-5648.html].
The information security community in general, and the InfoSec program at UC in particular, are primarily driven by international standards. The UC password policy is based on ISO 27002:2005, the current international information security standard [(2007) http://www.iso.org/iso/catalogue_detail?csnumber=50297]. Section 11.3.1 sets out the qualities that a password should possess. Portions of that standard are quoted here:
These standards are reiterated in the vast majority of material on the subject. For example, the SANS Institute provides a very similar set of rules [(2001) http://www.sans.org/reading_room/whitepapers/authentication/127.php]. (SANS is the largest and most respected training and certification organization for information security.)
Internationally renowned security technologist and author Bruce Schneier wrote an article entitled "Secure Passwords Keep You Safer" [(2007) http://www.schneier.com/essay-148.html]. The title sums up the entire point. This is not a new discovery. These concepts have been discussed by security experts and researchers for years [(1990) http://www.deter.com/unix/papers/passwords_klein.pdf].
Information security professionals practice a philosophy of "defense in depth". This means that an organization puts many different types of protection in place. Each protection adds to the overall security of the system, but no one defense on its own is sufficient. For example, some people argue that a more effective measure is to set up a login limit, so that anyone attempting to guess a password is locked out after a few failures. It is quite correct that such a lockout is a very effective way of limiting a brute-force attack against the live system or network itself. That is why most systems at UC do have such limits. But such limits are insufficient by themselves: a lockout only counts guesses that are submitted to the system, and there are well-known ways to test guesses without ever submitting them.
The most common is to crack your password before ever trying to log into the system. Many systems never send the password itself across the network; the client instead sends a value derived from it by a one-way function, the "password hash" (or a challenge response computed from that hash). That hash travels over fiber, copper or wireless media and can be captured by an attacker who can watch traffic on the same network, which is trivial on an open wireless network. (This is a fairly common hacker pastime anywhere free wi-fi is offered.) The attacker will "sniff" the network, capture a password hash and then feed it to a password cracker, which hashes guess after guess on the attacker's own machine and compares the result with the captured value. No guess ever touches the server, so the server's lockout never triggers; the same attack works just as well against password hashes copied from a compromised server. A cracker program can try anywhere from a handful to 700,000 guesses every second, depending on the hash type and the hardware. This means that if your password is a regular word in the English dictionary, for example, it will be cracked in less than a minute. If you use a strong password, such a technique can take months, years, decades or more. [We already have some details on this subject on the UC InfoSec website, but if you want an outside source, try http://www.lockdown.co.uk/?pg=combi&s=articles (2007)]
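To make the lockout argument concrete, here is an added example in Python (not code from the original article or from any UC system). It pits the same wordlist against a toy login service that locks the account after five failures and against a captured hash cracked offline, then works out how long exhausting a keyspace takes at the 700,000 guesses per second quoted above. The wordlist, the victim password "sunshine" and the lockout threshold are constructed; the captured value is assumed to be an unsalted SHA-256 digest, standing in for whatever a real protocol sends (NTLM, for instance, uses MD4 over the UTF-16LE password, but the attack is identical).

```python
import hashlib
from dataclasses import dataclass


def hash_password(password: str) -> str:
    """Stand-in for the value an attacker captures off the wire.
    Assumption: an unsalted SHA-256 digest; real protocols differ, the
    offline attack below does not."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed wordlist standing in for a downloaded dictionary file.
WORDLIST = ["letmein", "welcome", "monkey", "dragon", "football",
            "qwerty", "password", "sunshine", "iloveyou", "cincinnati"]


@dataclass
class LockoutServer:
    """Toy login service with the lockout the article describes: after
    `max_failures` bad attempts the account refuses every further attempt."""
    password_hash: str
    max_failures: int = 5
    failures: int = 0
    locked: bool = False

    def login(self, guess: str) -> bool:
        if self.locked:
            return False
        if hash_password(guess) == self.password_hash:
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
        return False


def online_attack(server: LockoutServer, candidates):
    """Guess against the live server. Returns (password_or_None, attempts)."""
    for n, guess in enumerate(candidates, start=1):
        if server.login(guess):
            return guess, n
        if server.locked:
            return None, n          # lockout ends the attack here
    return None, len(candidates)


def offline_attack(captured_hash: str, candidates):
    """Hash every guess locally and compare. The server is never contacted,
    so no lockout can trigger. Returns (password_or_None, guesses_tried)."""
    for n, guess in enumerate(candidates, start=1):
        if hash_password(guess) == captured_hash:
            return guess, n
    return None, len(candidates)


def seconds_to_exhaust(alphabet_size: int, length: int, rate: float) -> float:
    """Worst-case time to try every password of exactly `length` characters
    drawn from an alphabet of `alphabet_size` symbols at `rate` guesses/s."""
    return alphabet_size ** length / rate


def describe(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    captured = hash_password("sunshine")        # constructed victim password
    print("online :", online_attack(LockoutServer(captured), WORDLIST))
    print("offline:", offline_attack(captured, WORDLIST))
    RATE = 700_000                               # the article's upper figure
    for label, alphabet, length in (
            ("8 lowercase letters", 26, 8),
            ("8 letters, digits and symbols", 95, 8),
            ("12 lowercase letters", 26, 12),
            ("12 letters, digits and symbols", 95, 12)):
        print(f"{label:32}: {describe(seconds_to_exhaust(alphabet, length, RATE))}")
```

The online attempt stops at five guesses with the account locked; the offline attempt finds "sunshine" on the eighth guess and could have carried on through millions more. The duration table is the other half of the argument: at 700,000 guesses per second, eight lowercase letters fall in days while twelve characters drawn from the full keyboard are out of reach, and that rate is a 2007-era CPU figure that dedicated cracking hardware now exceeds by orders of magnitude.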
Passwords are your keys to the network. What kind of lock do you have on the front door of your house? Luggage lock or Deadbolt?
Why do you think we see so many phishing attempts aimed at gathering passwords? Because they are valuable! Hackers want your password. They will get it any way they can as a means of getting a foothold into your system [http://rf-web.tamu.edu/security/SECGUIDE/V1comput/Password.htm]. If they can get you to give it up voluntarily, great! If not, they will try to crack it or obtain it some other way.
So let's talk about the problem of human psychology and the tendency of some people to write their passwords down. Most people tend to use the same password (or the same few passwords) everywhere: at home, on their PC, on various websites, on their password-protected USB drive, and so on. They don't want to remember too many passwords, and understandably so; it can be a hassle if there are too many. So, at UC we are doing two things to help you out: (1) we are working to synchronize systems so that you will not have to remember so many passwords; (2) we have changed the password expiration limit to allow you to keep your password longer.
As we do these things, you will have to remember fewer passwords, but we need to make sure they are stronger. If someone figures out your password, they can access your UC Flex account, your email, and any other system to which you may have access. We have a duty to exercise due diligence to protect sensitive data. Even more than that, if a crime is committed using your account, the records will point at you, and you will be the one who has to show that it was not you who committed it. Having a sufficiently complex password will dramatically slow many hacking techniques.
The US Government and the largest computer company in the world agree on this point:
"…if you don't choose good passwords or keep them confidential, they're almost as ineffective as not having any password at all. Many systems and services have been successfully broken into due to the use of insecure and inadequate passwords, and some viruses and worms have exploited systems by guessing weak passwords." United States Computer Emergency Readiness Team [(2004) http://www.us-cert.gov/cas/tips/ST04-002.html]
Microsoft also emphasizes the use of strong passwords. [(2006) http://www.microsoft.com/protect/yourself/password/create.mspx]
Extensive research has been done to learn what choices people typically make when given complete freedom in choosing passwords [http://www.cryptosmith.com/sanity/pwdilemma.html#anchor12899302]. Basically, "users do not vary the complexity of passwords depending on the nature of the site (bank account vs. instant messenger) or change their passwords on any regular basis if it is not required". [http://www.surl.org/usabilitynews/81/Passwords.asp]
Research such as this has led to tools such as AccessData's Password Recovery Toolkit (PRTK), which can test hundreds of thousands of passwords per second. It tests the passwords and password patterns that are statistically most likely first, then automatically moves on to the harder types, making it much more likely to find weak passwords quickly. [Bruce Schneier on Security (2007) http://www.schneier.com/blog/archives/2007/01/choosing_secure.html] Password research has also led to smarter malware that breaks passwords automatically in order to spread itself and then emails those passwords to the malware's author.
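The "most likely patterns first" ordering is easy to see in code. The following is an added illustration in Python, not PRTK's own rule set and not code from the original article: a hypothetical seven-tier rule engine over a constructed five-word list, reporting at which guess a given password falls. The tiers, the wordlist and the target passwords are all constructed, and the hash is again assumed to be unsalted SHA-256.

```python
import hashlib

# Constructed base wordlist; a real cracker loads dictionaries of millions of
# entries, but the ordering logic is the same.
WORDS = ["password", "welcome", "sunshine", "dragon", "bearcats"]

# Hypothetical "leet" substitution table used by the leet tier below.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"})


def hash_candidate(password: str) -> str:
    """Stand-in for the hash under attack (assumption: unsalted SHA-256)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def tiers(words):
    """Yield (tier, candidate) pairs, cheapest and most common patterns first,
    the way a statistically driven cracker orders its work."""
    for w in words:                               # 1. bare dictionary words
        yield "plain", w
    for w in words:                               # 2. first letter capitalised
        yield "capitalized", w.capitalize()
    for w in words:                               # 3. word plus one digit
        for d in range(10):
            yield "word+digit", f"{w}{d}"
    for w in words:                               # 4. Capitalised plus one digit
        for d in range(10):
            yield "Word+digit", f"{w.capitalize()}{d}"
    for w in words:                               # 5. word plus two digits
        for d in range(100):
            yield "word+2digits", f"{w}{d:02d}"
    for w in words:                               # 6. leet-speak substitutions
        yield "leet", w.translate(LEET)
    for w in words:                               # 7. word plus a recent year
        for year in range(1990, 2008):
            yield "word+year", f"{w}{year}"


def crack_rank(target_hash: str, words=WORDS):
    """Run the tiers against a hash. Returns (tier, password, guesses_tried)
    on success, or None once every pattern is exhausted."""
    for n, (tier, candidate) in enumerate(tiers(words), start=1):
        if hash_candidate(candidate) == target_hash:
            return tier, candidate, n
    return None


def total_candidates(words=WORDS) -> int:
    """How many guesses the whole rule set produces for this wordlist."""
    return sum(1 for _ in tiers(words))


if __name__ == "__main__":
    for pw in ("Password1", "sunshine2007", "dr4g0n", "k7$Vq2!pL9"):
        print(f"{pw:14} -> {crack_rank(hash_candidate(pw))}")
    print("candidates in total:", total_candidates())
```

With five base words the engine emits 705 guesses: "Password1" is found at guess 62 and "sunshine2007" at guess 669, which at the rates discussed above is no time at all, while a password that matches none of the patterns is simply never reached and forces the attacker back to raw brute force over the whole keyspace. Scaling the wordlist to the millions of entries a real tool ships with does not change the shape of the result, only how many "complex-looking" passwords turn out to be a word plus a rule.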
Do you think you have a good password? Want to test one like it against a list of known common passwords and password algorithms? Do not use your real password here! I cannot vouch for the safety of this site, but you can test a password similar to the one you want to use: https://selftest1.nus.edu.sg:9876/chkpass.html
Basically "the users--and the passwords they choose--continue to be the greatest vulnerability" to the security of our systems. [(2002) http://news.cnet.com/2009-1001-916719.html?hhTest=1] The steps we are taking are designed to help mitigate those risks.