What do you think this is?

Just thoughts of a restless mind...

Passwords again - now on companies

More than a year ago I wrote an article about how you should stop remembering passwords. A few smart people figured out that was I was suggesting, was equivalent to using a password manager. Without the hassle of using one and without the risk of your password manager being compromised. Smart, right?

Of course there were other people, that either didn't get it or didn't believe it. Yet, if you ask them the difference between my suggestion and a password manager they won't be able to tell you.

And then there were the people who figured out that this excellent way of avoiding passwords doesn't work in corporate environments. Here we go then, what do you do in your corporate environment?

What is different in corporate environments?

In corporate environments you actually do need to type your password quite often. So forgetting it is not so easy. In addition, corporations have to comply with all crazy guidelines that us security professionals came up with in the past. Our bad; let's fix it.

Shall I user a password manager?

You may wonder: is a password manager a solution? Unfortunately it is not. You need to remember that in 99% of the cases, employees have a personal computer of some sorts, in which they need to login every day. Using a 16 complex character password that a password generator compiled, is impossible. In addition people need to be able to work on a computer before they use a password manager, but if they need to login first, this is a catch-22 scenario. And since this password is probably their way into other systems through SSO, a password manager has no value in this case at all.

Are these crazy rules valuable?

No they are not. Let's see them one by one:

Password expiration

Nowadays everybody who knows what he's talking about, agrees that changing a password every 3 or 6 months is a bad habit and nurtures bad behaviors (such as password shifting and recycling). A strong password should only change when there is suspicion that it's compromised. Yet, if you have to comply to regulations, you may need to keep password expiry for a little (or a lot) longer until everybody gets on the same page.

Password complexity

This is a useless piece of advise that should be banned for ever. A complex password has no difference than a non complex password for computers; yet it's a huge difference for mere humans that need to remember it. Extending the potential character set from alphanumeric, to alphanumeric plus special characters, is less useful than extending the length from 8 to 9. Many people think that the password Pa$$w1rd is secure because it meets all length and complexity requirements. What they don't understand is that by maths and only, it's less secure than Password1 . Of course, they're both insecure because they're predictable. An attacker does not even have to perform a combination based brute force attack, he only has to look up into common password tables.

Password length

A password length of 8 (the "golden standard" of corporate environments) is useless. 8 character passwords can be broken very easily. The exact time you will need to break it depends on the algorithm and the computing power you have, still it's easy; let's say less than a day. You need to bump it up to 14 or 16 characters. But then you have the problem of complexity making it impossible to remember, so you end up again using the same password with slight variations (2017-1st-Quarter, 2017-2nd-Quarter etc).

So all is wrong?

Yes, all is wrong. These rules in combination, have only two effects: Nurturing bad behaviors such as password shifting and recycling and making users' lives miserable.

But there is a solution!

Yes, really, there is one. Forget all the stupid rules and have your users choose passwords they love and remember. How? Easy. No complexity, no expiration. A minimum length of 14 - 16 and advise to the users to use a phrase.

Oh! the 'use 3 random words' advise.

Yes, but not quite. As Paul Moore recently argued, the exponent of 3 is not enough. I concur. Take it up to 4 or 5. Yes, that is enough. Since there is a different explanation here, than on Paul's article who suggests "Don't use words in passwords. Ever" I say "Do use words in passwords. A random phrase, consisting of at least 4 words. Always", I will explain.

Some maths

A password is as strong as its potential entropy. If you use four or five words, chances are you're over the 12 character threshold. If you compare that to the typical corporate guideline of 8-character complex password, a 12 character letter-only password is much more secure even if it's only lower case characters!

But of course, why would an attacker try to calculate all combinations of 26^12 (12-char passwords of 26 different characters) when you can break all combinations of 3 words out of 20.000 (20.000^3)? Yes, if you use combinations of 3 words out of 20.000 you are less secure even from the 8-character complex passwords. Yet, there is a logical flaw here.

Let's start by agreeing, 3 words are not enough. Are four words enough? (hint: don't limit yourself). The entropy can be affected by two parameters. The exponent and the base. In our case the base is the corpus of the written language. The exponent is significantly more important than the corpus. But, get ready, because here is the beauty of the method...

And some logic

Maths are clear. 4-word combinations out of 20.000 words are slightly better than typical 8-char complex passwords. 4-word combinations out of 80.000 words are slightly worse than 10-character complex passwords. So they should be avoided.

But the logical flaw is this: Once you move to words (and especially phrases) instead of characters, there is no defined set and no defined exponent! When you ask people to use 8-char complex passwords, most of them will use exactly 8 characters out of 96 potential characters (let's forget keyboard analysis and key location and other cryptanalysis methods). But when you ask people to use a phrase consisting of at least 4 words there is no guarantee the words will be 4, or 5, or 6. There is no guarantee the words will be from the English language (the corpus of 20k or 80k words we were talking about), or a different one, or combinations. With an undefined set and an undefined exponent, there is no feasible mathematical way to perform a brute force attack.

What's up with the corpus?

According to a research, the average active vocabulary of an English-speaking adult is 20,000 words. If I guess that a person,without any effort, can write a single word in 3 different variations (all lowercase, all uppercase, or just the first letter uppercase), that makes the set a mere 60.000 words. Still, far far from enough. But then you have the foreigners. Let's say in Greek and in Czech the corpus is again 20.000 words. But this refers to the word root. Take as an example the verb "help". It has 3 different variations in English, 24 in Greek and 20 in Czech (not adding colloquialisms in any language and please excuse any minor mistakes)

Present tense English (2) : help, (be) helping Present tense Greek (6): βοηθάω, βοηθάς, βοηθάει, βοηθάμε, βοηθάτε, βοηθούν Present tense Czech (6): pomáhám, pomáháš, pomáhá, pomáháme, pomáháte, pomáháji Past tens(es) English (+1): helped Past tens(es) Greek (+12): βοηθούσα, βοηθούσες, βοηθούσε, βοηθούσαμε, βοηθούσατε, βοηθούσανε, βοήθησα, βοήθησες, βοήθησε, βοηθήσαμε,βοηθήσατε, βοήθησαν Past tens(es) Czech (+8): pomáhal, pomáhala, pomáhali, pomáhaly, pomohl, pomohla, pomohli, pomohly
Future tens(es) English (+0): help, helping like present tense Future tens(es) Greek (+6): βοηθήσω, βοηθήσεις, βοηθήσει, βοηθήσουμε, βοηθήσετε, βοηθήσουν Future tens(es) Czech (+6): pomůžu, pomůžeš, pomůže, pomůžeme, pomůžete, pomůžou

The set in Czech and Greek is at least five to six times bigger compared to English, just because of verb conjugation, noun declination and different sexes. So from 60.000 taking it to 300.000 - 360.000 is just a matter of using a different language. And then we have the funny character thing. As you may know, Greeks commonly write Greek words with no accents, or with latin characters (greeklish) yet not on a standardized way; and Czechs most common than not, don't use the diacritics especially in passwords (as do Germans, French, Spanish etc). Wouldn't that take the set to roughly 700.000? Oh, let's not forget all the mistakes one can make (not everybody is a great speller), and that my corpus of 20.000 words is not the same to your corpus of 20.000 words. Finally let's remember that in a password file you will have passwords from people from more than one countries, speaking more than one languages, and the attacker has no idea which language(s) and how many words were used for the password.

Mind shift

Eventually what you should focus on is to change the way people think about passwords. If you ask people to use 3 random words, they will do just that: use three random words. So don't! But If you ask them to use a random thought instead, they will write 3, 4 or 7 words that construct a phrase. Although you hurt the randomness (you will have a subject depending on the language, an object probably and a verb, and maybe some adjectives or adverbs and maybe you can guess the word order, although not always correctly) you make the process, the character set and the exponent so random, that an attacker has very limited possibilities to recover many passwords.

There is a problem here...

Of course there is. The problem is called social engineering. The moment you ask people to use phrases or words, you open yourself to social engineering attacks. People are predictable. Still, since non-memorable passwords are non-feasible, a password-manager won't work and biometrics are not very usable yet, you have to pick your battles. As social engineering has a significantly higher cost for the attacker than password cracking, I prefer to fight on this field.

Remember, it's corporations

You always need to remember the starting point. If you're talking about your facebook account, I'll send you back to my old article about how you should stop remembering passwords or even suggest a password manager if you still believe your password should be written somewhere.

But if you're concerned about your company, here is what your target should be :

  • something that is at least more secure than what you use today
  • something that the users will be happy to adopt and will make their life easy
  • something that is fairly usable and enforceable
  • a way to stop the bad habits of password shifting and reuse

In that case, move from what you (probably) have today that is 8 complex character passwords, to the "first thought the user had at 15.43 in the afternoon".