The next stop in my trip through password policies and some of the mistakes that are made is password strength (length and complexity).
It seems that for a lot of IT and IT Security people, there’s one inevitable truth about password strength which is you can’t have too strong passwords.
Unfortunately not true.
Like any security control password strength should reflect the environment that the system is deployed in and the likely threats it will face.
For most circumstances my feeling is that any password over about 9 characters with Upper and lower case alpha and numeric characters is overkill.
For this to be the case I’d say that the password should not be sent across the network in the clear either as plain text or a straight hashed value and should be stored in place in a salted-hash.
If you consider the threats, this will usually be more than adequate.
- Online Brute-Force. This attack isn’t best mitigated by password strength. Account lockout and alerting are a much better way to deal with this. For online systems I saw an interesting twist on this which was to only lockout the ip address the attack comes from as a mitigation of the DoS potential
- Rainbow Table. The primary mitigation for this is to use salted hashes, as they mitigate this pretty effectively. However where that’s not a possibility (off-the-shelf software) consider disk space required for the tables and the time to calculate. I’ve not seen any tables that go much beyond 7-8, and indeed one estimate I saw for 7-9 character passwords was that it would require 135000GB of space!
- Offline Hash attack. This one is wheeled out a lot by advocates of extremely long passwords. One point I’d make is that in many scenarios if the attacker already has access to your password database, he’s probably already broken in to your system pretty effectively! However even so, it’s worth considering.
Offline password guessing is done either through (hyrbid)dictionary attacks or straight brute-force. For brute force my experience has been that even with modern kit it gets too long to be practical for most attackers beyond about 8 characters. Dictionary attacks work very well if users choose dictionary password so it’s worth investing in education/auditing to discourage this
So what does all that leave you with … Well all of these attacks are reasonably mitigated in typical scenarios with 9 character passwords. Only problem is most people can’t reliably remember 9 chunks of totally random information, so the key is to reduce the number of chunks whilst keeping up the number of characters.
There’s a number of ways of doing this but things like passphrases like “414 million for that? We was robbed” are easy to remember (especially if you’re Scottish) but very difficult to crack.