Sunday, December 20, 2009

Real-life password complexity

Take a look at your organizations written password policy. I won't be surprised if there's a complexity requirement, enforcing you to use at least 3 of these four character groups in your password: UPPERCASE, lowercase, digits (0-9), special characters (§!"#¤%&/€()=?`\,;.:-_*¨^<>) and so on.

Adding a complexity requirement to people's passwords makes it much more difficult to crack, the experts say. (Of course, you will find lots of people saying that it also makes it difficult, if not impossible to remember them, but that's another story). One of the things I was curious about many years ago when i started to do my "research" into passwords was a simple hypothesis: Will user passwords actually increase much in complexity when adding the "standard" complexity requirement which almost everyone uses?

With "complexity" here being interpreted as "time to crack / recover a password", and "standard" being the Microsoft Windows operating system option of enforcing a strong password policy, here's reality for you:

1. Username = password
Microsofts filter does not prevent a user from using his or hers username as the password, as long as the username itself complies with the complexity requirement (upper/lowercase + digits or special characters).

2. Username as part of the password
Name = Eve. Born = 1975. Password = Eve1975. Fully allowed by the default password filter.

3. Personal name as full/part of password
My name is Per Thorsheim. Using "Per Thorsheim" (without the quotes) as my password will be accepted by the default password filter, as the space in there counts as a special character.

If you're serious about adding complexity requirements to your written as well as your technical implementation of your written password policy (they should be equal), you really shouldn't trust the default filter found in Microsoft Windows. Other options are available, both commercial and source code for building your own.

With that said, here's some additional information to be aware of. I've cracked millions of passwords during the last 9+ years, analyzing them along with corresponding account information in order to create statistics and document the risk with passwords. Here's a table listing the top 10 most common password "constructions" from a single Windows domain:

The LM hash algorithm of Windows stores all characters as UPPERCASE. This illustration uses U to indicate an UPPERCASE letter, and N to indicate a number (obviously). As you can see, all passwords starts with letters and ends with 1 to 4 digits. With data based only on real people, all working within a single organization and a single Windows domain, all fully enabled and working on a daily basis, the above numbers represent more than 60% of the total number of users within this domain.

But this domain has complexity requirements turned on, using the default Microsoft Windows filter. Does that add much to security? Here's the top 10 list for NTLM, now adding UPPERCASE and LOWERCASE to the mix:

As you can see they all start with a SINGLE UPPERCASE letter, then followed by lowercase letters and with the 1-4 digits added at the end to satisfy the complexity requirement.

Although based on a very small amount of real-life people and their passwords, you will find the same patterns across most domains and organizations. The consequences of this should be obvious enough; gaining unauthorized access doesn't get much harder by adding a "standard" complexity requirement to your password policy. Mathematically complexity requirements are good, in real life it doesn't help much. But it does make it even more difficult for people to remember them (Ever tried to do statistics on "lost password" calls to help desk after changing the password policy?)

Although i do encourage people and organizations to use complexity requirements, this must never be seen as "good enough", in fact a standard solution will only marginally improve security. Again risk analysis should be put used, and doing statistics (like i do) greatly helps in seeing the real risk of passwords in your organization.

This was just a teaser for some of the statistics I'll be publishing later on, so remember to drop by in the near future again.

No comments:

Post a Comment

All comments will be moderated, primarily for spam. You are welcome to disagree with my posts of course.