NCSAM Tip #3: What You Should Consider to be a Secure Password
Passwords are the prevalent means of authentication. Even though there have been many complementary authentication mechanisms and schemes, passwords are used almost everywhere that a user wants to prove that he knows a secret that only he is supposed to know. On the other hand, if someone else can guess that password, along with the username (often easy to find), then he could pretend he is the user and do all sorts of things on his behalf. We have seen multiple examples of corporate executives having their personal email accounts hijacked. We have seen celebrities having their Twitter accounts stolen and posting things they would never do. We also have seen studies that show that a vast majority of users still use standard and pretty easy password to guess.
It is common knowledge that passwords need to be hard to guess; that is a requirement. Andy Balinsky’s post describes some guideliness about choosing numeric passwords (aka for handheld devices). In the same context, David McGrew’s post provides a script that can generate random keys that can be used for pre-shared key authentication. Electronic user passwords are a little different because they involve letters and completely depend on the user (system checks are usually also employed). Users need to be able to chose and remember them in order to use them when needed. But the “hard to guess” and the “easy to remember” requirements don’t go well together and that is the basic challenge.
But what is a secure password? In other words, what is a hard-to-guess password? Entropy has been one of the criteria to express the hardness to guess the password. The higher the entropy the more secure the password. NIST’s SP800-63 (2006) provides Electronic Authentication Guidelines and defines levels of protection, with Level 1 being the simple username/password scheme that we use very often. NIST’s recommendation for Level 1 passwords in 2006 was to have 10-bits of entropy. That means that in-band guessing of a password should have 1 out of 2^10 chances of succeeding. With a lockout limit in the system, we understand that password guessing will be pretty hard in this case. At the same time, user passwords don’t tend to be completely random. They can be based on words or names. The entropy of man-chosen passwords seems to be less than the entropy of randomly chosen ones. If we use a word as a password, given the first letter, the probability of the second letter is not 1/# letters in the alphabet. Thus what users choose in order to be able to remember is not as hard to guess as choosing a random combination would be.
On top of that, off-line attacks add an extra concern on passwords. If someone managed to get the hash value of a password (passwords are required to not be kept cleartext) he could try all possible combinations in order to guess it. If the password contained words from a dictionary he could first use the dictionary to match on a hash and thus find the password. Or he could even use pre-computed Rainbow Tables in order to faster do an exhaustive search to find a match from the dictionary. Thus it is clear the default passwords, words that exist in dictionary and common passwords, would be the first ones an attacker would try in an offline password guess attack.
To summarize, almost everyone knows that we would like our personal passwords to:
- have high entropy (long and complex enough, containing non-traditional/special characters)
- NOT be common words, default, or commonly chosen passwords (i.e “12345”)
- easy enough to remember
Almost all of the above are checked against by authentication systems when we are setting a password. Password strength nowadays is considered adequately strong over 8-characters of length. But again, entropy is not only a function of length, it also depends on letter probabilities, so a long password doesn’t mean that it always has high entropy.
Password choosing is a well-publicized problem, even though there are still many, many insecure passwords out there. What is often observed is that security-aware individuals come up with hard-to-guess, almost random-looking passwords for each system to which they are required to log in. Then they need a password management system to be able to remember all the complex passwords. That doesn’t always have to be the case. Passwords can be easy to remember. They can be different in every system but they can have a common part that is reused. We don’t need to use letters and numbers randomly. We can alternatively use small phrases altering letters and exchanging words. NIST’s SP800-118 draft (2009), in section 3.2.4, summarizes methodologies of choosing a password.
It has been said before, but it is still very often neglected, passwords need to be chosen carefully. As part of the National Cyber Security Awareness Month Tips, we would like to suggest everyday users revisit their passwords in various systems and think if they are long and secure enough. Then come up with a rule of how they want to chose and maintain their passwords, and how to intermingle letters, words, numbers and special characters in a fashion that they can remember. Nobody wants to be the next celebrity with a hijacked Twitter account…