About three years ago, developer Cameron Morris had a personal epiphany about passwords, he recently told ZDNet's John Fontana: The time it takes to crack a password is the only true measure of its worth.
Not whether it has a minimum of x or a maximum of y characters, not whether it's got blah-blah amount of numbers, not whether it includes your frou-frou leetspeak ch@r@ct3rs, not whether it contains the verboten from lists of taboo words.
Syntax rules like those make up the typical password-creation policies that most organizations use and that many security practitioners preach.
But if you religiously follow such policies, Morris notes, you get situations like this: Facebook graded as "weak" a password he made up of 35 characters using the first letters of a random phrase, while it deemed a password "strong" when it matched the social network's creation policies, which allow for use of common words.
Morris's Facebook-appeasing password?
"cracked1!"
The time it would take to crack that supposedly strong password, according to tools that Morris has created to estimate password strength: less than one day.
Morris, a developer at defense contractor Partnet, told reporters that he came to his realization after a half hour spent creating a tough-to-crack password.
That 30 minutes of password creation labor was followed by the realization that he'd have to go through the whole rigamarole again when he had to change it in a month's time.
Stop right there. That has the aroma of a password myth.
As Paul Ducklin and Chester Wisniewski discussed in a Sophos Techknow podcast, "Busting Password Myths", the idea that regular password changes lead to better security dates back to the days when passwords were stored in plain text files on Unix systems.
Regular password changes actually decrease security, for a few reasons: 1) your poor users are going to start using sucky passwords because they're easy to remember and to increment, and 2) doing something security-related on a regular, predictable schedule (quarterly? monthly?) is a gift to hackers.
This regular password change-out distracts the IT department for a predictable chunk of time on a predictable schedule. Predictability is a gift you don't really want to hand to attackers.
At any rate, being influenced by the myth that regular password change equates to good security, Morris thought it would be neat to set password expiration based on the strength of a password. He couldn't find a way to measure password strength, though.
Hence, he started building a collection of tools to do just that.
Those open-source tools are out now. Morris handed them over to the Open Web Application Security Project (OWASP) in January.
Morris is inviting people to give them a try. One tool, called Passfault Analyzer, predicts how long it will take to crack a given password.
He also created a Password Creation Slide-Tool that lets administrators configure password policy based on the time to crack, the technology an attacker might be using (from an everyday computer on up to a $180,000 password-cracking rig), and the password protection technology in use (from Microsoft Windows system security on up to 100,000 rounds of the cryptographic hash function SHA-1).
The tool lets users move a slider bar to increase or decrease the amount of time passwords should take to crack.
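As an added illustration of the time-to-crack policy the slider tool implements (this is not Passfault's code or its figures), the following Python costs a password as the cheapest pattern an attacker would try first, then divides by a guess rate that shrinks with the number of hash rounds. The attacker rates, the word list, the suffix symbol set and the nursery-rhyme passphrase are all constructed assumptions.

```python
import re

# Constructed assumptions (not Passfault's figures): raw guesses per second
# against one round of a fast hash, for a commodity PC and a well-funded rig.
ATTACKER_GUESSES_PER_SEC = {"desktop": 1e9, "cluster": 1e12}

# A real analyzer loads a full wordlist; this tiny constructed sample decides
# whether a password IS a dictionary word, while DICTIONARY_WORDS is the
# assumed size of the list an attacker would actually search.
COMMON_WORDS = {"cracked", "password", "welcome", "monkey", "dragon"}
DICTIONARY_WORDS = 100_000
SUFFIX_SYMBOLS = 8  # assumed size of the symbol set people append (!, @, ...)


def search_space(password: str) -> float:
    """Guesses needed to exhaust the cheapest pattern covering the password.

    A dictionary word plus a short digit/symbol suffix costs only
    wordlist x suffix combinations, however many characters it has;
    anything else is costed as brute force over the character classes present.
    """
    m = re.fullmatch(r"([A-Za-z]+)(\d{0,4})([!@#$%^&*]{0,2})", password)
    if m and m.group(1).lower() in COMMON_WORDS:
        digits, symbols = m.group(2), m.group(3)
        return float(DICTIONARY_WORDS * 10 ** len(digits) * SUFFIX_SYMBOLS ** len(symbols))
    charset = 0
    if re.search(r"[a-z]", password):
        charset += 26
    if re.search(r"[A-Z]", password):
        charset += 26
    if re.search(r"\d", password):
        charset += 10
    if re.search(r"[^A-Za-z0-9]", password):
        charset += 33  # printable ASCII punctuation
    return float(charset ** len(password))


def seconds_to_crack(password: str, attacker: str = "desktop", hash_rounds: int = 1) -> float:
    """Expected time to find the password; each hash round divides the guess rate."""
    guesses_per_sec = ATTACKER_GUESSES_PER_SEC[attacker] / hash_rounds
    return search_space(password) / 2 / guesses_per_sec  # on average, half the space


def meets_policy(password: str, min_days: float, attacker: str = "cluster", hash_rounds: int = 1) -> bool:
    """Slider-style policy: accept only if cracking is expected to take at least min_days."""
    return seconds_to_crack(password, attacker, hash_rounds) >= min_days * 86400


# Constructed: first letters of a nursery rhyme, 35 lowercase characters.
PASSPHRASE = "mhallwfwwasetmwtlwstgifhtsodwwatrim"

if __name__ == "__main__":
    for pw in ("cracked1!", PASSPHRASE):
        days = seconds_to_crack(pw, "desktop", 100_000) / 86400
        print(f"{pw!r}: about {days:.3g} days (desktop attacker, 100k hash rounds)")
```

Even at 100,000 hash rounds the dictionary-plus-suffix password falls in minutes, while the 35-character first-letters string is out of reach for the larger rig; the policy check reports the same verdict the slider would.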
All good, yes? But then came the next step in what came to be a password kerfuffle: Morris's premise and tools quickly lit a fire under SecurEnvoy, maker of two-factor authentication technology.
SecurEnvoy blogged that, basically, Morris was right about password creation policies, but he didn't take it far enough, because, in fact, conventional ID/password security is toast.
By Mr. 16x9