Your Password Complexity rules don’t work.

This sounds very strange. Security professionals and users alike are told we need to set up very complex passwords to protect our systems. This has been ingrained in us so deeply that we rely on it to protect all our most precious information. Current password complexity, however, is completely broken, and our reliance on it is hurting the security of our environments.

A question for those of you who develop software: what is the number one rule for writing secure code? If you don’t know, it’s “Never trust user input.” Following this one rule will save you about 90% of the time. A password is… well… user input, and like all user input, it can’t be trusted. Consider the million-most-used-passwords list we all love to use and test against our users’ passwords: it can easily be altered so that it still cracks passwords even with complexity rules in place. We all know these rules:

  • At least 6 characters long
  • One Capital
  • One Lowercase
  • One Number
  • One special character

These rules keep your users from using one of those million most used passwords. Great, except I know your password complexity rules. They are printed right there on your website. I’ve already taken the million common passwords list and just shaved it down to the top hundred that are 6-8 characters long. I’ve capitalized the first letter and added 1! (I normally try both 1! and !1) to the end of each. At a minimum, for every 20 users on your network I will have found at least one username and password combination.

But look here! You’ve put in place a rule to force users to change their password. In addition, they aren’t able to reuse any of their last 5 passwords. Now have you stopped me? No, you haven’t. Change the ! to @, #, $ or %. These are the special characters across the top of the keyboard, in order, from 1 to 5. I’ve still gotten into your system.

The fact is, users are predictable. It’s not their fault: as humans we are wired for patterns, and we use them in our passwords. We all do it in some way, whether we know it or not.
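The defensive consequence of the pattern above is that a blocklist check has to be pattern-insensitive: strip the decoration a user bolts on to satisfy the rules, undo the usual letter-for-symbol swaps, and only then compare against the common-password list. The following is an added example written for this page, not code from the article; the seven-entry list, the `min_length` of 8 and the symbol set it strips are constructed stand-ins for a real breach-derived corpus and a real policy.

```python
import re

# Constructed stand-in for the "million most used passwords" list; a real deployment
# would load a breach-derived corpus instead of this handful of entries.
COMMON_PASSWORDS = {
    "password", "letmein", "qwerty", "welcome", "monkey", "dragon", "football",
}

# One leading and one trailing run of digits and top-row symbols: the decoration a user
# adds to satisfy "one number, one special character". Only the edges are stripped, so
# substitutions inside the word (passw0rd) survive for the next step.
_DECORATION = re.compile(r"^[\d!@#$%^&*]*(.*?)[\d!@#$%^&*]*$")

# Undo the common letter-for-symbol swaps so "P@ssw0rd" and "Footba11" map back to words.
_UNLEET = str.maketrans("01345@$", "oleasas")


def _strip_decoration(s: str) -> str:
    return _DECORATION.match(s).group(1)


def derivations(candidate: str) -> set[str]:
    """Dictionary words the candidate may have been built from, in every combination of
    edge-stripping and un-leeting, so the blocklist lookup sees through the decoration."""
    lowered = candidate.lower()
    core = _strip_decoration(lowered)
    return {lowered, core, lowered.translate(_UNLEET), core.translate(_UNLEET)}


def is_acceptable(candidate: str, min_length: int = 8) -> tuple[bool, str]:
    """Server-side acceptance check. min_length is an assumed policy value, not the article's."""
    if len(candidate) < min_length:
        return False, "too short"
    hits = COMMON_PASSWORDS & derivations(candidate)
    if hits:
        return False, f"built from common password {sorted(hits)[0]!r}"
    if len(_strip_decoration(candidate)) < 6:
        # Nearly all of the candidate was decoration (e.g. "1234!!@@"); little real content is left.
        return False, "too little non-decoration content"
    return True, "ok"
```

Note that the edge-stripping is inherently ambiguous ("Footba11" could be "football" or "footba" plus a number), which is why `derivations` returns every variant rather than a single normalized form and the check rejects on any hit. A real deployment would also rate-limit and log rejected candidates rather than echo the matched word back to the user.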

But alas, you say, password complexity keeps the users’ password files from being easily cracked! Consider what needs to happen BEFORE a criminal runs a password cracker. They need to get into your network, gain escalated privileges, gain access to your password file and remove it from your network (the last step is optional; the cracker can be run locally if the file can’t be removed). If an attacker is able to get into your network and obtain your password file to crack it, you’ve already lost the game.

Password complexity is not there to protect your servers, and it provides minimal protection for your users. It is, however, one of the main focuses of most security departments, as well as of security classes and certifications.

So, what are your real protections against these attacks?

A timeout and account lockout are a wonderful first-level defense. Once an incorrect password has been tried 3-5 times, the system should time out for at least 15 minutes (I would say at least 24 hours) or the account should be locked. In addition, it needs to report the incident, and that report should be followed up on.

Block lists are another great first-level defense. If you only have users in the United States, then only allow connections from US IP addresses. If you know the user’s IP address or range of IPs, then block all other addresses. To make this a little more advanced, start recording information such as the IP address each time a user logs in; if a user has used the same address for a year and the address suddenly changes, investigate.
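The two paragraphs above describe one login gate: an address allowlist in front, a failure counter that locks the account and files a report, and a record of each user's address so a change after a long stable period is flagged for investigation. Here is that gate as an added example written for this page (not the article's code). The five-try limit, the 24-hour lockout, the one-year stability window, the two allowlisted ranges and the `demo_verify` credential check are all constructed assumptions; a real system would plug in its own hash-based verifier.

```python
import hmac
import ipaddress
from dataclasses import dataclass, field

# Assumed policy values: the article gives the ranges, the exact numbers are this example's choice.
MAX_FAILURES = 5                                   # lock on the fifth wrong password (article: 3-5 tries)
LOCKOUT_SECONDS = 24 * 60 * 60                     # the article's stricter suggestion of 24 hours
STABLE_SECONDS_BEFORE_ALERT = 365 * 24 * 60 * 60   # a year on one address, then a change, is worth a look

# Constructed allowlist standing in for "the ranges our users actually come from".
ALLOWED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0
    last_ip: str = ""
    on_ip_since: float = 0.0
    incidents: list = field(default_factory=list)   # the reports someone must follow up on


class LoginGate:
    """Wraps a password check with allowlisting, lockout and address-drift reporting."""

    def __init__(self, verify_password):
        self._verify = verify_password   # callable(user, password) -> bool, supplied by the caller
        self.accounts: dict[str, AccountState] = {}

    def attempt(self, user: str, password: str, ip: str, now: float) -> str:
        acct = self.accounts.setdefault(user, AccountState())
        addr = ipaddress.ip_address(ip)
        # Allowlist first: traffic from outside the expected ranges never reaches the password check.
        if not any(addr in net for net in ALLOWED_NETWORKS):
            acct.incidents.append((now, "blocked_address", ip))
            return "blocked"
        if now < acct.locked_until:
            acct.incidents.append((now, "attempt_while_locked", ip))
            return "locked"
        if not self._verify(user, password):
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.failures = 0
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.incidents.append((now, "lockout", ip))   # the report the article asks for
                return "locked"
            return "denied"
        # Successful login: reset the counter and watch for address drift.
        acct.failures = 0
        if not acct.last_ip:
            acct.last_ip, acct.on_ip_since = ip, now
        elif ip != acct.last_ip:
            if now - acct.on_ip_since >= STABLE_SECONDS_BEFORE_ALERT:
                acct.incidents.append(
                    (now, "address_changed_after_long_stability", f"{acct.last_ip} -> {ip}")
                )
            acct.last_ip, acct.on_ip_since = ip, now
        return "ok"


# Constructed credential check for the demo only; a real system compares against a salted hash.
_DEMO_USERS = {"alice": "correct horse battery staple"}


def demo_verify(user: str, password: str) -> bool:
    stored = _DEMO_USERS.get(user, "")
    return bool(stored) and hmac.compare_digest(stored.encode(), password.encode())
```

One caveat worth keeping in mind when deploying the lockout half: because it keys on the account rather than the source, anyone who knows a username can lock its owner out by sending five wrong guesses, so in practice the account lockout is usually paired with per-source throttling. The `incidents` list is the raw material for the follow-up the article insists on; in production it would go to a log pipeline rather than sit in memory.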

Using a 4-digit number as a password with a timeout and blocklist in place is MORE secure than all the complexity we’ve listed. Consider that the next time you’re thinking about what’s important on your network.

Using keys in addition to passwords is another fantastic first-level defense. (Keys should NOT be considered two-factor authentication.) The user will be able to use an encrypted private key in order to access your system. Without this key they don’t get access.

A properly used password manager is a very suitable defense. When I say properly used, I mean all your passwords need to be chosen by the random password generator built into your password manager. I suggest a minimum of 20 random characters (I normally use 50 when I can). This also means server admins need to stop setting the password maximum so low. Setting the maximum number of characters to 12 or 15 is ridiculous and should be considered a poor security practice.
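To put numbers on the two halves of that paragraph, the following added example (written for this page, not taken from the article) does what a manager's generator does, draws uniformly from a 94-symbol alphabet, and computes the resulting entropy next to the entropy of the "common word plus decoration" family the article describes. It also shows the server side accepting such passwords: the only length ceiling is a 256-byte bound to cap hashing work per request, and the PBKDF2 iteration count of 600,000 is chosen to match current OWASP guidance for PBKDF2-HMAC-SHA256. Both of those values are this example's assumptions.

```python
import hashlib
import hmac
import math
import os
import secrets
import string

# Assumed server-side bounds, not the article's: a ceiling only to bound hashing work
# per request (never a 12- or 15-character cap) and an iteration count for PBKDF2-HMAC-SHA256.
MAX_PASSWORD_BYTES = 256
PBKDF2_ITERATIONS = 600_000

ALPHABET = string.ascii_letters + string.digits + string.punctuation   # 94 printable symbols


def generate_password(length: int = 20) -> str:
    """Uniform random choice from the full alphabet, as a password manager's generator does."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of `length` independent uniform symbols from an alphabet of `alphabet_size`."""
    return length * math.log2(alphabet_size)


def pattern_space_bits(wordlist_size: int, decoration_variants: int) -> float:
    """Entropy of the article's pattern: one of `wordlist_size` common words, plus one of
    `decoration_variants` capitalisation/suffix decorations. The guess space is just the product."""
    return math.log2(wordlist_size * decoration_variants)


def hash_password(password: str) -> tuple[bytes, bytes]:
    """Store long passwords as-is: a fresh 16-byte salt and a PBKDF2-HMAC-SHA256 digest."""
    raw = password.encode("utf-8")
    if len(raw) > MAX_PASSWORD_BYTES:
        raise ValueError("password exceeds the per-request hashing ceiling")
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", raw, salt, PBKDF2_ITERATIONS)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    raw = password.encode("utf-8")
    if len(raw) > MAX_PASSWORD_BYTES:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", raw, salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison
```

A 20-character password from this generator carries about 131 bits; a 50-character one about 328. By contrast, a million-word list combined with, say, ten decorations (two suffix orders times the five top-row symbols the article walks through) is only about 23 bits, which is why the decorated "complex" password falls so quickly and the long random one does not. Note that PBKDF2 has no input length limit, so a 256-byte ceiling costs nothing; some other password hashes do truncate input, which is one reason low caps got set in the first place.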

And, saving the best for last, of course, multi-factor authentication. Currently there is no more secure method of authentication. Make sure you’re using actual two-factor, not a code from a cell phone (I call this one-and-a-half-factor; more on that in another article). There are plenty of inexpensive solutions out there. I purchased a YubiKey when they first came out and still use my first-edition device to this day.

As security professionals, we need to stop pushing the complexity rules so hard, as they are really no more than security theatre. In their place, we need to make sure we have a truly hardened and secure environment.
