- August 05, 2015
- Info notes
The passwords of some employees were among the information published after the hack of surveillance software company Hacking Team in July 2015. Passw0rd, P4ssword (both used on multiple systems), and variations on the username: these are examples of bad passwords.
Already in 2010, "password" was the second most used password found in leaked data. Password crackers can easily be configured to try simple variations on dictionary words – an example dating back to 2002 can be found at http://www.giac.org/paper/gsec/42/password-cracking-focused-dictionaries/100346.
That Hacking Team employees could use such bad passwords testifies to the company's failure to implement an effective password policy.
Typical Password Policy
As part of the information security policy, a password policy typically contains the following:
- Minimal length;
- Frequency of change;
- Mandatory complexity;
- Allowed number of attempts.
One of the most common policies requires passwords to be at least 8 characters long and to contain a mix of lower- and upper-case characters, as well as numbers and/or special characters. The passwords of Hacking Team employees mentioned in the introduction conform to this policy.
The fact that easy-to-guess passwords were reused on multiple systems and cloud services probably played a role in the compromise of Hacking Team.
Effective Password Policy
An effective password policy makes it easy for users to choose passwords that are:
- Hard to crack: passwords which are easy to guess and too short must be discouraged;
- Easy to remember: people will always choose convenience, even if it means using poor passwords;
- Not reused across systems: users must find it easy to use different passwords on different systems, else they will use the same password again and again;
- Changed at reasonable intervals: passwords must be changed often enough to mitigate the risk of an attacker cracking one, but seldom enough that users do not respond by changing only a small part of the previous password, which an attacker who knows the old one could easily guess;
- Not reused over time.
Moreover, the policy must specify the number of failed login attempts allowed before an account is locked. The following sections address these requirements individually.
Hard to Crack
As mentioned in the ENISA Glossary entry on authentication methods, passwords up to 9 characters long can be cracked in a very short time using publicly available tools. Protection against even low-skilled opponents requires longer passwords. Every character added to the mandatory length makes brute-force attacks exponentially harder, so the emphasis should be on password length rather than complexity.
Easy to Remember
Users need to remember their passwords easily, or they will choose passwords that are easy to guess. Combining the requirement that passwords be hard to crack with the requirement that they be easy to remember argues in favour of passphrases: it is much easier to remember a sentence such as "A rose by any other name would smell as sweet" than "Arebyayor!", and the former makes for a much harder-to-crack password than the latter.
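The two points above (length beats complexity; dictionary words with simple substitutions or username variations, like the Passw0rd and P4ssword examples in the introduction, are weak) can be turned into a policy check. The following is an added example, not code from the ENISA note; the 12-character minimum, the tiny wordlist and the substitution table are assumptions.

```python
"""Added example (not from the ENISA note): a password-policy check that puts
length before complexity and rejects leetspeak variants of dictionary words
and variations of the username. MIN_LENGTH and WORDLIST are assumptions."""
import math
import re
import string
from typing import Optional

MIN_LENGTH = 12  # assumption: the note only states that 9 characters is too short

# Constructed, deliberately tiny wordlist; a real check loads a full dictionary.
WORDLIST = {"password", "welcome", "admin", "secret", "summer", "rose"}

# Substitutions a "focused dictionary" cracker tries, as the note describes.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def core_word(password: str) -> str:
    """Strip digits/symbols at either end, lower-case, then undo leetspeak."""
    stripped = re.sub(r"^[^a-zA-Z]+|[^a-zA-Z]+$", "", password)
    return stripped.lower().translate(LEET)


def is_weak_variant(password: str, username: str = "") -> bool:
    """True if the password is a dictionary word or the username in disguise."""
    guessable = set(WORDLIST)
    if username:
        u = username.lower()
        guessable.update({u, u[::-1]})   # username forwards and reversed
    return core_word(password) in guessable


def brute_force_bits(password: str) -> float:
    """Upper bound on the brute-force search space, in bits, from length
    and the character classes present. Length dominates the result."""
    size = 0
    if any(c.islower() for c in password): size += 26
    if any(c.isupper() for c in password): size += 26
    if any(c.isdigit() for c in password): size += 10
    if any(c in string.punctuation + " " for c in password): size += 33
    return len(password) * math.log2(size) if size else 0.0


def check_password(password: str, username: str = "") -> Optional[str]:
    """Return a rejection reason, or None if the password passes the policy."""
    if is_weak_variant(password, username):
        return "variation of a dictionary word or of the username"
    if len(password) < MIN_LENGTH:
        return f"too short: fewer than {MIN_LENGTH} characters"
    return None
```

Running check_password on the passphrase from the text accepts it, while "Passw0rd", "P4ssword" and a username with a year appended are all rejected before the length rule is even reached.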
Unique across Systems
Using the same password on different systems or cloud services makes it easy for attackers who have managed to guess the password to roam free inside an organisation's IT infrastructure. Unfortunately, it is hard to prevent users from using the same password on different systems within the organisation, and it is impossible to prevent it across different cloud services.
Users must thus be trained to use unique passwords, and this practice must be made easy for them. Password managers are a common solution to that problem. An effective information security policy should encourage their use.
Reasonable Change Intervals
Periodic changes address two threats: they limit the amount of time an attacker has to crack a password, and they limit exposure if an attacker managed to guess or steal a password. Provided the passwords are long enough, the period between changes can be long too, so the determining factor is the acceptable exposure. This varies from one application to another.
Reuse over Time
If users must regularly change their passwords, they may be tempted to use a limited set of passwords over and over. It is technically possible on certain platforms to prevent password reuse. For those that do not provide this functionality, cloud platforms for example, training and the use of password managers that do provide it must be encouraged.
Attackers' means evolve over time, and so must security policies. What was once an effective password policy now fails to provide the required level of security for many applications. The combined use of passphrases and password managers, along with training and awareness campaigns, provides a better alternative in the current world of distributed and cloud services.
About "Info Notes" from ENISA
With the "Info Notes" series ENISA aims at giving the interested reader some background and recommendations about NIS-related topics. The background and recommendations are derived from past experiences and common sense, and should be taken as starting points for discussions on possible courses of action by relevant stakeholders. Feel free to get in touch with ENISA to discuss or request more information on the "Info Notes" series (firstname.lastname@example.org).