Top 3 Steps to Improve Your Password Policy

Working together to improve password security

Passwords are a weak security mechanism. Human beings are not good at remembering passwords while computers are good at guessing them, especially as technology improves. However, despite their flaws, passwords persist thanks to their low startup cost and widespread understanding of how they work. 

So how can we make our passwords stronger? How can we make the best of a bad system? 

Conventional password advice and most password strength meters have decided the best system is one that imposes huge burdens on users. They ask for length requirements, blacklist certain words, require certain characters, and set expiration dates on passwords. Passwords have become impossible to remember, and yet these same sources state you should never write your password down. The situation is contradictory.

To cover all possible breaches, security advisors have suggested every possible restriction. However, this imposes an unrealistic burden on users, who then attempt to work around restrictions to make their passwords easier to remember. In doing so, the user typically produces a weaker password. 

How More Restrictions Produce Weaker Passwords

When users work around common password restrictions, they produce common passwords. Attackers know that when character-set rules are implemented, the symbols can be found tacked on at the end of the password. They know common replacements, such as replacing an “O” with a zero or an “i” with an exclamation point. When attackers design systems to crack passwords, they don’t guess at random. They look for these common elements, attach them to common words, phrases, and sequences of letters or numbers, and find the weakest link in the system. The entropy theoretically produced by these restrictions vanishes when people are, on average, predictable. 

While Microsoft is committed to lowering our reliance on passwords, in the meantime it has worked toward making them more secure. Of note is its conclusion about what doesn’t produce meaningful results: character-set rules. By forcing users to come up with symbols and capitalization in their passwords, character-set rules make passwords very difficult to remember without noticeable improvements to security. These rules are a very bad return on user effort.

Top 3 Password Policy Mechanisms

Fortunately, there are some password policies that hold water. The three standout examples are length requirements, blacklist policies, and guess limits. 

  1. Length Requirements
    Length requirements in the absence of character requirements cause users to produce longer passwords of more variable length. This produces tangible entropy and makes passwords harder to guess, because each character added to a password is another character that a computer needs to guess. Without character requirements, users can string together words that are easier for them to remember but long enough that computers still struggle to guess them. At least eight characters are recommended, but more is better.

  2. Blacklist Policy
    Together with length requirements, a blacklist policy is critical. If a user chooses “password” or “12345678” as their password, the security gained from a long password becomes moot. Blacklisting the most common passwords prevents users from creating the passwords that an attacker always guesses first. It is relatively easy to learn what common passwords look like from events such as the exposure of 32 million passwords from the RockYou! social media application. Blacklisting the top passwords exposed by this breach and those like it can greatly improve security, because attackers use the same information to design their password cracking software.

  3. Guess Limits
    Guess limiting policies prevent attackers from making an infinite number of guesses. Without a guess limiting policy, attackers can use brute-force attacks to indefinitely guess passwords until the correct password is discovered. It is only a matter of time until the correct password is learned. When this policy is in place, attackers can’t effectively make brute-force attacks without first stealing a hashed password table through a separate exploit. While users may be frustrated when locked out of their accounts after forgetting their passwords, the security improvements gained from implementing a guess limit make it a no-brainer.
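As an added illustration (not code from the original post), here is a small checker that combines the three mechanisms above, with a blacklist comparison that first undoes the predictable tricks described earlier (symbols tacked on at the end, “O” to zero, “i” to “!”). The blacklist entries, lockout thresholds and account names are constructed for the example; a real blacklist would be seeded from breach corpora such as the RockYou! exposure.

```python
import re
from collections import defaultdict

MIN_LENGTH = 8  # the post's recommendation: at least eight characters, more is better

# Constructed sample blacklist (a real one is far larger and drawn from breach data)
COMMON_PASSWORDS = {"password", "12345678", "qwerty", "iloveyou", "letmein"}

# Predictable substitutions that crackers already try, mapped back to plain letters
LEET_MAP = str.maketrans({"0": "o", "1": "i", "!": "i", "@": "a", "$": "s", "3": "e", "5": "s"})


def normalize(password: str) -> str:
    """Undo common workarounds so 'P@ssw0rd!1' compares as 'password'."""
    core = password.lower()
    core = re.sub(r"[^a-z]+$", "", core)  # drop digits/symbols tacked on at the end
    return core.translate(LEET_MAP)


def check_password(password: str) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS:
        problems.append("matches a blacklisted common password")
    return problems


class GuessLimiter:
    """Per-account guess limit: refuse further attempts after max_attempts failures inside window seconds."""

    def __init__(self, max_attempts: int = 5, window: float = 900.0):
        self.max_attempts = max_attempts
        self.window = window
        self.failures = defaultdict(list)  # account -> timestamps of recent failed attempts

    def allowed(self, account: str, now: float) -> bool:
        """True if the account may attempt a login at time `now` (seconds)."""
        recent = [t for t in self.failures[account] if now - t < self.window]
        self.failures[account] = recent  # forget failures older than the window
        return len(recent) < self.max_attempts

    def record_failure(self, account: str, now: float) -> None:
        self.failures[account].append(now)
```

The limiter is deliberately per account and time-windowed, so a forgetful user is locked out only briefly while an online brute-force attempt is capped at a handful of guesses per window.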

The Problem with Password Strength

Modern password cracking is about making the best guess to crack the most passwords for the least effort, but cracking isn’t the only way to get passwords. In fact, password strength only affects security against password cracking. It provides no defense against more common attack methods, such as phishing and spoofing. These methods rely on tricking the user into giving the attacker the password, completely negating the password’s strength. Actual password cracking is relatively rare in comparison.  

Furthermore, the strength of a password only matters if the passwords are stored hashed and salted. If the passwords are stored in a plain-text file, an attacker has access to every account in the file as soon as they find a way into the server; but back-end password security is a topic for another day.

While password strength and the policies that encourage it are a vital component of present-day security, it is just one mechanism in a broader system. An often-overlooked element of that system is the human element. The convenience-seeking behavior of users doesn’t need to be an unknown variable, unaccounted for in policy design. A strong password policy that accounts for human nature, rather than fighting against it, is critical for so long as passwords continue to be the foundation of security.
