Randall Stross, writing for the New York Times last week, has a good article up about the necessity of strong passwords. For those of us in the security industry, when we say “strong passwords” what we mean is one that has a lot of characters (usually at least 10), contains upper case and lower case letters, contains at least 1 number and a really strong password would also contain a non-standard character such as a +, *, $ or %. The reason for having such a long password is that all of the combinations and permutations that can be put together would take a brute force attacker an exceedingly long time to break. For example, if you have a six character password and it is all lower case, then knowing this it would take only 26 ^ 6 = 308 million possible combinations of letters. This is impossible for a human but not for a computer. However, if you have 10 characters (includes letters, numbers, and all the non-standard chars on a typical US keyboard), then it is 84 ^ 10 = 17.5 million trillion combinations. It would take a computer an inordinate amount of time to break that and by the time it did (barring a lucky combination), the information contained therein would be useless (global warming will have caused us all to go extinct by then).
Unfortunately for us in the security industry, we often miss the bigger picture. We want users to have complex passwords, but the reality is that users forget them. They write them down and put them in obvious locations and that kind of defeats the purpose of a secure password. Humans are the ones that are responsible for maintaining password security and humans use heuristics – short cut mental processing tools designed to reduce computational time and speed up decision making. If a password has to be changed routinely, and we have to do it a lot, we simply cannot keep up with the amount of mental baggage that this takes. And so we use the same ones. And we sometimes use ones that are simple for us to remember. In fact, we do a lot of things that are designed to make it easier, against the advice of the security industry.
According to Microsoft Research, part of the problem for us in the security industry is us is not realizing that the brute force attack method. From the article:
A short password wouldn’t work well if an attacker could try every possible combination in quick succession. But as Mr. Herley and Mr. Florêncio note, commercial sites can block “brute-force attacks” by locking an account after a given number of failed log-in attempts. “If an account is locked for 24 hours after three unsuccessful attempts,” they write, “a six-digit PIN can withstand 100 years of sustained attack.”
So you see, we need to realize that a password is designed to protect humans. A machine can do things in quick succession, but if you throttle down the rate at which a machine can attempt to guess a password, suddenly the comparable advantage that a machine has over humans has been neutralized. To a human, we can’t react quickly enough anyhow. If a machine has to wait seconds before each login attempt, then it is going to take them forever to brute force someone’s 6 character password before they get it (barring a lucky guess). Now we are accounting for human reality while at the same time protecting the very things we are trying to protect. This mechanism, of course, would need to be tested. For a commercial web site, you could only allow a login attempt/failure once per 10 minute interval (AT&T does this). Or, you could throttle based upon IP address and username login for more granularity, but this weakens when a distributed attack is going on, that is, many computer systems attempting to login to the same account using parallel processing.
At the end of the day, password policy is not very useful anyhow if you have keystroke logging malware on your computer, says Microsoft Research. You could have a great password but if the sites you are logging into are having your passwords captured and sent back to the attacker, the best password in the world won’t help you. Running good antimalware software is clearly the most important thing to counteract things like this. Thus, while we do like to emphasize good password policy, asks Stross, are we prioritizing the right things in the correct order?