Practical password policies - they can never reduce risk to zero
Weak passwords certainly can make life difficult for everyone. Nobody likes having to recover accounts, or replace cards and identity information, after a password is compromised. But there is a point of diminishing returns when adding rules to user-chosen passwords.
In general, the more sensitive the information an account can reach, the stronger its authentication method should be. Passwords are the most convenient method for most organizations and for their users. They work well enough most of the time, especially for accounts that expose little exploitable functionality or little useful information.
Accounts with higher sensitivity, such as those that handle financial transactions or control the privileges of a large number of other users, may need additional protection such as smart cards or hardware “tokens”: a second factor that helps confirm a user is who they say they are.
For online banking, most sites enforce a password policy that requires users to choose passwords containing at least one upper-case letter, one lower-case letter and one digit or special character. Given that most transactions can be audited to a very precise degree, it seems reasonable that this type of policy is probably good enough. I would call this a “Standard Strong Password” policy.
However, more banks are now enabling email money transfers that allow someone logged in to an online banking account to send money to almost anyone they know. In Canada, the major banks use a service called Certapay to do this. It seems a bit scary, but transaction sizes are limited and the audit trail is no doubt very good, so fraud can probably be detected and recovered from quickly.
With the range of online services you encounter on a regular basis, you can probably identify a few sites or programs that require stricter password policies than the one above. Some banks even enforce much stronger policies than the “Standard Strong Password” I described, adding rules such as:
- You must reset your password every 2 months
- You can’t use any of the last 3 passwords you have used before
- Your password can’t have more than 50% of the characters the same
- Your password can’t have any dictionary words within it!
In many cases, this degree of control over passwords is not worth the effort. However strong a password is, the bad guys often have easier ways to obtain it than trying to guess it. (I like to refer people to Bruce Schneier’s analysis of commonly used passwords and how they are broken: click HERE and HERE for more info.) Easy-to-guess passwords are bad, but hard-to-manage passwords can be almost as bad: users who cannot remember them write them down or reuse them across sites.
So, ask yourself the question: “If major banks can survive with Standard Strong Password policies, do I need to impose more rules on my users than they do?” (…and many banks seem to be getting by quite well these days!)
Some of my pet peeves, rules that make for bad password policies, are:
- A limit on the length of the password (increasing the length is one of the basic ways of adding strength; a length cap usually means the site was never coded to handle long passwords properly).
- A limit on the use of special characters or spaces (the larger the set of characters a password can draw from, the larger the space an attacker has to search).
- Restricting the type of character a password must start with (such as “must start with a letter”; this removes valid choices for no security benefit).
- …anything that prevents me from using a Standard Strong Password that the banks would allow. (This just complicates our lives and adds little security value.)
- Being forced to change my password in the current session without a few days’ or weeks’ warning. (Common courtesy, especially if I’m desperate to make a transaction quickly.)
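To make the “Standard Strong Password” rule and the pet peeves above concrete, here is an added example (my own illustration, not code from the original post or from any bank): a small policy checker that enforces the upper/lower/digit-or-special rule, implements the “can’t reuse your last N passwords” history rule against salted hashes rather than stored plaintext, and estimates how much guessing space each restrictive rule throws away. The policy names, rule values, sample passwords and the PBKDF2 work factor are all constructed assumptions for the demonstration.

```python
"""Added example, not code from the original post: a password-policy checker
that implements the "Standard Strong Password" rule, a hashed password-history
check, and a search-space estimate for the post's "pet peeve" restrictions.
Every policy, password and constant below is a constructed illustration."""
import hashlib
import math
import os
import string
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
SPECIAL = string.punctuation + " "          # 33 characters; spaces are allowed on purpose
PBKDF2_ROUNDS = 100_000                     # assumed work factor for history hashes


def hash_password(pw: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; history entries hold only salt and digest."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)


def remember(pw: str) -> Tuple[bytes, bytes]:
    """Build a history entry for a password that was just set (fresh random salt)."""
    salt = os.urandom(16)
    return salt, hash_password(pw, salt)


@dataclass
class PasswordPolicy:
    name: str
    min_len: int = 8
    max_len: Optional[int] = None           # None = no cap (the sane default)
    allow_special: bool = True
    must_start_with_letter: bool = False
    history_size: int = 0                   # 0 = no reuse check

    def alphabet(self) -> str:
        return UPPER + LOWER + DIGITS + (SPECIAL if self.allow_special else "")

    def check(self, pw: str, history: Sequence[Tuple[bytes, bytes]] = ()) -> List[str]:
        """Return the rules `pw` violates; an empty list means it is accepted.
        `history` holds (salt, digest) pairs of earlier passwords, newest first."""
        problems = []
        if len(pw) < self.min_len:
            problems.append(f"shorter than {self.min_len}")
        if self.max_len is not None and len(pw) > self.max_len:
            problems.append(f"longer than {self.max_len}")
        if not any(c in UPPER for c in pw):
            problems.append("no upper-case letter")
        if not any(c in LOWER for c in pw):
            problems.append("no lower-case letter")
        if not any(c in DIGITS + SPECIAL for c in pw):
            problems.append("no digit or special character")
        illegal = sorted({c for c in pw if c not in self.alphabet()})
        if illegal:
            problems.append(f"disallowed characters {illegal}")
        if self.must_start_with_letter and not pw[:1].isalpha():
            problems.append("must start with a letter")
        for salt, digest in list(history)[: self.history_size]:
            if hash_password(pw, salt) == digest:
                problems.append(f"reuses one of the last {self.history_size} passwords")
                break
        return problems

    def search_space_bits(self, length: int) -> float:
        """log2 of how many strings of `length` the alphabet and leading-letter
        rule permit: an upper bound on the guessing work for a random password.
        The character-class requirements remove only a tiny fraction at these
        lengths and are ignored here."""
        if self.max_len is not None and length > self.max_len:
            raise ValueError(f"{self.name!r} caps length at {self.max_len}")
        n = len(self.alphabet())
        first = len(UPPER + LOWER) if self.must_start_with_letter else n
        return math.log2(first) + (length - 1) * math.log2(n)


# Constructed policies: the post's baseline versus one with all the pet peeves.
STANDARD = PasswordPolicy("Standard Strong Password", min_len=8, history_size=3)
RESTRICTED = PasswordPolicy("restricted", min_len=8, max_len=8,
                            allow_special=False, must_start_with_letter=True)

if __name__ == "__main__":
    history = [remember("Summer-2007!")]             # constructed previous password
    for pol in (STANDARD, RESTRICTED):
        for pw in ("Tr0ub4dor&3", "1Abcdefg", "Summer-2007!"):
            print(f"{pol.name:25} {pw!r:16} -> {pol.check(pw, history) or 'OK'}")
    print(f"{STANDARD.name}: 12 chars = {STANDARD.search_space_bits(12):.1f} bits")
    print(f"{RESTRICTED.name}: 8 chars  = {RESTRICTED.search_space_bits(8):.1f} bits")
```

Run as-is, the numbers make the pet peeves measurable: a 12-character password drawn from all 95 printable ASCII characters sits at about 78.8 bits, while the eight-character, letters-and-digits-only, must-start-with-a-letter policy tops out near 47.4 bits. Of that loss, the leading-letter rule alone costs under one bit; the length cap and the ban on special characters do the real damage. The history check compares against salted PBKDF2 digests, so enforcing “no reuse of the last three” never requires keeping old passwords in the clear.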
I strongly encourage having users change their passwords every few months, but I prefer to be told how long it has been since the last change and then be encouraged to change it after a set period. Forcing a password change is sometimes necessary, but it should not get in the way when a user needs to do something quickly. (See my Password Strategies article by clicking HERE for general user tips on choosing passwords.)
As pointed out in the Bruce Schneier piece linked above, AccessData’s password-recovery tools can obtain passwords by scanning an entire hard drive for strings a user has typed and feeding them to the cracker, and they have a remarkable success rate across several different techniques. So, no matter how strong the password, it may still be compromised by cracking tools, key-loggers (which capture everything a user types and quietly send it to someone else), spam or phishing attacks, or even shoulder-surfing.
You should be balancing strong password policies against other safeguards that help prevent or detect unauthorized access. Just make sure passwords (or any other safeguard) aren’t merely a “picket fence that the bad guys can jump over”.


Alex on 10 Jul 2007 at 2:25 pm
When you do find a control that reduces risk (probability and impact) to zero, lemme know!
Security Views » Password strategies - staying sane as you choose passwords for online services on 10 Jul 2007 at 11:08 pm
[…] But what about online shopping sites? Do they need to use the same rules? It’s certainly not a bad idea for them to have the same rules, even if they don’t keep much sensitive information of yours. They may someday want to add value to their service, and it might require stronger protection. If they already require you to use strong passwords, they won’t have to inconvenience you later to change your password. For more information on setting password policies for an organization, refer to my article on “Password Policies” by clicking HERE. […]
mroonie on 17 Jul 2007 at 3:16 pm
I definitely think it’s a good idea to place rules on passwords that will make them stronger. I noticed that this is a new feature of Vista. When creating a password for your user account, if it’s not “strong” enough, Vista will not accept it. Of course they don’t define what is considered “strong enough” but nevertheless, I think it’s a good addition.
As far as rules go with online banking and such, Bank of America has used a great approach where they use user names, site keys and passwords which is another great way to add that extra level of security.