Re: Password Security Policy Question

[Crispin Cowan <crispin () wirex com>]

Nate Lawson wrote:

> At 11:36 AM 9/10/2002 -0500, L. Adrian Griffis wrote:
> > I am aware of a company that has instituted a policy that limits a
> > specific character in people's passwords to being a numeric character. 

This policy, as described, does seem to be a very bad idea. I can't tell 
whether it is because the policy has not been faithfully described.

> This is a bad idea.  Ross Anderson's group did a good study on different
> password selection approaches:
> http://www.cl.cam.ac.uk/ftp/users/rja14/tr500.pdf

Interesting paper. Good to see some solid empirical study in this 
critical area. Some commentary on the conclusions:

  1. The  first folk belief is that users have difficulty remembering
     random passwords. This belief is confirmed.
  2. The second folk belief is that passwords based on mnemonic phrases
     are harder for an attacker to guess than naively selected
     passwords. This belief is confirmed.
  3. The third folk belief is that random passwords are better than
     those based on mnemonic phrases. However, each appeared to be just
     as strong as the other. So this belief is debunked.
  4. The fourth folk belief is that passwords based on mnemonic phrases
     are harder to remember than naively selected passwords. However,
     each ap- peared to be just as easy to remember as the other. So
     this belief is de- bunked.
  5. The  fifth folk belief is that by educating users to use random
     passwords or mnemonic passwords, we can gain a significant
     improvement in security. However, both random passwords and
     mnemonic passwords su ered from a non-compliance rate of about 10%
     (including both too-short passwords and passwords not chosen
     according to the instructions). While this is better than the 35%
     or so of users who choose bad passwords with only cursory
     instruction, it is not really a huge improvement. The attacker may
     have to work three times harder, but in the absence of password
     policy enforcement mechanisms there seems no way to make the
     attacker work a thousand times harder. In fact, our experimental
     group may be about the most compliant a systems administrator can
     expect to get. So this belief appears to be de- bunked.

I like most of these conclusions. Confirming most of the common folk 
beliefs is good. #5 is particularly significant: password policy 
enforcement is critical.

The only one I have trouble with is #3: the study found passphrase 
passwords to be just as strong as random pass phrases. I submit that 
this conclusion is primarily a function of the strength of the cracking 
software employed, and will change. It is unclear whether the study used 
a standard password cracker (Crack, John the Ripper, etc.) or rolled 
their own. But in any case, if we convince all users to use pass 
phrases, then crack software will evolve to attempt to crack pass 
phrases. How hard would it be to encode the first letter of the popular 
quotations from Bartlett's Quotations into a crack dictionary?

Disclaimer: none the less, I believe that pass phrases is the most 
cost-effective form of password discipline. Random is just too hard for 
most humans to remember.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX                      http://wirex.com/~crispin/
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html

Attachment: _bin
Description: