The Business Case for Increasing Minimum Password Lengths
I love getting root. I also love looking for other people getting root. What I don’t love doing is telling how they can stop other people from getting that sweet sweet root. I know I’m not alone but unfortunately this is what gets many InfoSec folks paid. InfoSec folks have to explain to lay people how to make things more secure in a way that is easy to understand. For many this doesn’t come easily. Your root can be the sweetest root, but if you can’t explain to others why and how it needs to be fixed then you’ve arguably failed as an InfoSec professional.
I’ve recently been in this situation. I’ve needed to justify to senior leadership increasing the minimum password length for Active Directory domain from the default 8 characters to 14. This was a tough sell because users don’t like long passwords. They’re considered harder to remember and a pain to have to enter every time they want to log in. To make this seemingly bitter pill easier to swallow, I also recommended that the maximum time time between password resets be increased from 90 days to 180. Recent guidance from the NCSC suggests that regular password resets does nothing to increase users’ password hygiene. Many users will simply increment a number at the end of their password. Attackers know this. If your password is “Password3”, then an attacker will guess that you future passwords will be “Password4”, “Password5”, etc. Although many users would welcome fewer forced password changes, justifying why going against the accepted security dogma might be tricky in some organisations.
To save someone else the effort of having to write a proposal justifying why increasing the minimum password length and maximum length of time between password resets is necessary I’m publishing a version of mine. Hopefully someone out there finds it useful.
Here it is...
I’ve recently been in this situation. I’ve needed to justify to senior leadership increasing the minimum password length for Active Directory domain from the default 8 characters to 14. This was a tough sell because users don’t like long passwords. They’re considered harder to remember and a pain to have to enter every time they want to log in. To make this seemingly bitter pill easier to swallow, I also recommended that the maximum time time between password resets be increased from 90 days to 180. Recent guidance from the NCSC suggests that regular password resets does nothing to increase users’ password hygiene. Many users will simply increment a number at the end of their password. Attackers know this. If your password is “Password3”, then an attacker will guess that you future passwords will be “Password4”, “Password5”, etc. Although many users would welcome fewer forced password changes, justifying why going against the accepted security dogma might be tricky in some organisations.
To save someone else the effort of having to write a proposal justifying why increasing the minimum password length and maximum length of time between password resets is necessary I’m publishing a version of mine. Hopefully someone out there finds it useful.
Here it is...
Management Summary
It is recommended that passwords be at least fourteen characters in length and that the duration between password changes be increased to 180 days. This will increase the overall security of user accounts and ultimately <BUSINESS NAME> as a whole. This would also bring the organisation in line with UK Government guidance.
Problem
Security best practice specifies that users be encouraged to select passwords that cannot be easily guessed by an adversary by making them long and complex. However, the current corporate password policy enforced by <BUSINESS NAME> does little to enforce this good behaviour.Maximum Password Ages
The password policy enforced by <BUSINESS NAME> require that users regularly change their passwords. The motivation for this security control is to limit the harm that can be done by an attacker who has knowledge of users’ passwords. When a user changes their password, the previous one becomes useless to the attacker.
However, this control does not take into account the inconvenience to users, and the methods they will use to limit this inconvenience. One method users might use to limit the inconvenience of regularly changing their password is to select a simple, easy to remember word and simply append a number to the end, which is incremented at each change. An attacker in possession of a password that is “Welcome14” will assume, correctly in many cases, that the next password will be “Welcome15”. Therefore, regular password changes do nothing to increase the security posture of an organisation, and may in fact decrease it.
Furthermore, regularly changing passwords works under the assumption that users’ passwords have already been compromised. If this is the case, then the security of <BUSINESS NAME> has already been compromised and the damage arguably already done.
Minimum Password Lengths
Rather than forcing users to regularly change their passwords, efforts should be focussed on ensuring that users select long passwords that appear to be random, but are actually easy for them to remember.
The current password policies enforced by <BUSINESS NAME> allow users to select passwords that are only eight characters in length. This is a default setting and is the absolute minimum that is required to prevent user accounts being compromised by brute-force attacks, and as computing power increases will not be sufficient to prevent password attacks in the near future.
Solution
The minimum password length should be increased to encourage users to select passwords, which are more difficult to guess. Every extra character in a password increases the number of guesses required to be made by approximately 100. Therefore, it is recommended that passwords be at least fourteen characters in length to increase the amount of effort required by an attacker, while not overly burdening users by requiring them to remember unreasonably long passwords.
User education may be required to assist users in selecting passwords that they are random, but easy for them to remember. For example, some kind of mnemonic could be used to assist in remembering a complex password.
The time between password changes should be increased or eliminated altogether. This will have the effect of encouraging users to select passwords that are easy for them to remember, but difficult for an attacker to guess.
It is also important to ensure that policies are consistent across all areas of the business to ensure there is no ambiguity about how users are expected to behave.
To ensure that users are selecting strong passwords, regular password audits can be performed by the Security team. Users with weak passwords (that is, with passwords that would likely be guessed by an attacker within a short period of time) can be contacted and requested to select a more secure value. Over time, this would have the effect of users having passwords that are difficult for others to guess.
In the event that it is suspected that user accounts have been compromised, then users can be manually forced to change their passwords.
Risks
Increasing the minimum password length may increase the difficulty users have remembering their own passwords, which could result in increased calls to the IT helpdesk as more password resets are requested.
Security best practices suggest that users should have unique passwords for every account. By increasing the minimum password length, users might be inclined to use the same password for multiple accounts. Should the password for one account be compromised, then arguably all accounts that use the same password should be considered compromised – especially if it is possible to ascertain that both accounts are owned by the same user.
Comments
Post a Comment