Last week, we discussed what makes a good password as well as what makes a “hard to guess” password. This week, we will be addressing “hard to discover” passwords and how to fix bad passwords.

“HARD TO DISCOVER” PASSWORDS

Choosing passwords that are hard to guess does you no good if your passwords can be easily discovered. There are two primary factors in making passwords hard to discover:

  • Make them easy to remember
  • Store and manage them properly

Issue: Hard to remember 

When passwords are hard to remember, they get stored insecurely -- users write them down, put them in text files, or the like. A password that’s written down doesn’t have to be guessed; an attacker can just read the note.

Storing passwords properly

Many applications store passwords in plain text within a file or database. Therefore, if you manage to get a copy of the database, you have the passwords.

Using encryption

Encrypting the stored passwords is only a small improvement. If you can guess or discover the encryption key (which is effectively just another password), you can now read the entire password database. People who understand the problem with encrypting passwords will often apply a hash function instead.

Hashing alone leads to Rainbow Table attacks

An attacker can pre-compute the hash output for every possible password, then simply look up the hashes in the database to recover the passwords. The computation work has already been done, and the precomputed tables are for sale inexpensively.

Add a little salt

The only correct way to store an inbound password is to choose several random bytes of “salt” and add these to the password before hashing. If the salt is long enough and is randomly chosen for each password, a rainbow table becomes impractical to generate.

SOLVING THE PASSWORD PROBLEM

The most powerful thing an organization can do to mitigate password risks is to lower the value of passwords by implementing multi-factor authentication schemes. When you have to not only guess a password but also steal or duplicate a hardware token, guessing the password has less value. Unfortunately, that’s not always an option. For example, the expense of issuing a second factor on a public-facing site with millions of users may be prohibitive.
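To make the salt argument concrete, here is an added example (not code from the original article) contrasting the bare-hash scheme with per-user salted hashing. The "rainbow table" is a constructed five-entry dictionary standing in for the precomputed tables the article describes; the PBKDF2 call is an assumption on my part, chosen because it takes a salt and is slow to compute, which a single SHA-256 is not.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed stand-in for an attacker's precomputed table: password -> SHA-256.
# A real table holds billions of entries; the lookup logic is the same.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "summer2024"]
PRECOMPUTED = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

# Kept modest so the example runs quickly; production deployments use far more.
ITERATIONS = 100_000


def hash_unsalted(password: str) -> str:
    """The weak scheme: a bare hash. Same password -> same digest, everywhere."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Salted scheme: fresh random salt per stored password, mixed in before hashing.

    Returns (salt, hex digest); the salt is stored alongside the digest in clear,
    since its job is only to make every stored hash unique, not to be secret.
    """
    if salt is None:
        salt = os.urandom(16)  # 128 random bits per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest.hex()


def verify_salted(password: str, salt: bytes, stored_digest: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_salted(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def lookup_in_table(digest: str) -> Optional[str]:
    """What the precomputed table gives an attacker: a direct lookup, no guessing."""
    return PRECOMPUTED.get(digest)


def compare_schemes(password: str = "letmein") -> dict:
    """Store the same password both ways and see what the table recovers."""
    unsalted = hash_unsalted(password)
    salt_a, digest_a = hash_salted(password)
    salt_b, digest_b = hash_salted(password)  # same password, second user
    return {
        # Bare hash matches the table entry: the password is read straight out.
        "unsalted_recovered": lookup_in_table(unsalted),
        # Salted digest matches nothing the table was built from.
        "salted_recovered": lookup_in_table(digest_a),
        # Two users with the same password no longer share a stored hash.
        "same_password_same_salted_hash": digest_a == digest_b,
        # Login still works because the stored salt is reused for verification.
        "verify_ok": verify_salted(password, salt_a, digest_a),
        "verify_wrong": verify_salted("not-it", salt_a, digest_a),
    }


if __name__ == "__main__":
    for key, value in compare_schemes().items():
        print(f"{key}: {value}")
```

The point the output makes is the one in the paragraph above: the table answers the unsalted lookup instantly, while the salted digest is unique per user, so a table would have to be rebuilt for every salt value, which is what makes it impractical.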

This is where passphrases come in. A passphrase is a sequence of words that effectively forms a very long password. Because they are “plain language” words, they are easier for people to remember. And because there are approximately 10,000 common words for an average English speaker to choose from, you can get fairly high entropy from even quite short passphrases.

Compare:

A passphrase of 5 words (assuming a 10,000-word vocabulary): 66.4385618977472 bits
A password under the common rule of “8 characters, at least 1 upper-case, 1 digit, and 1 special” (94 possible characters): 52.4367108134211 bits
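The two figures above come from the same formula, so here is an added example (mine, not the article's) that computes them, turns the bit difference into a guess-count ratio, and generates a passphrase with the uniform random choice those figures assume. The wordlist is a constructed 16-word toy; the article's ~10,000-word vocabulary is what yields 13.3 bits per word. One caveat worth keeping in mind: the entropy figures hold only when every word or character is chosen uniformly at random, so a passphrase a user makes up from a favourite quotation gets nowhere near 66 bits.

```python
import math
import secrets
from typing import Sequence

# Constructed toy wordlist; a real list is thousands of entries long.
WORDLIST = [
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "meadow", "nickel", "orchard", "pepper",
]


def entropy_bits(symbol_count: int, length: int) -> float:
    """Bits of entropy in `length` symbols, each drawn uniformly from `symbol_count`.

    log2(N^L) == L * log2(N); this is the calculation behind both lines above.
    """
    return length * math.log2(symbol_count)


def expected_guesses(bits: float) -> float:
    """Average guesses to hit a uniformly chosen secret: half the search space."""
    return 2 ** (bits - 1)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Expected time to find the secret at a given guessing rate (assumed rate)."""
    return expected_guesses(bits) / guesses_per_second / (365 * 24 * 3600)


def generate_passphrase(wordlist: Sequence[str], words: int = 5, sep: str = " ") -> str:
    """Pick each word independently with a CSPRNG so the entropy really is
    entropy_bits(len(wordlist), words); random.choice would not guarantee that."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def compare_policies() -> dict:
    """The article's two policies side by side."""
    passphrase = entropy_bits(10_000, 5)
    password = entropy_bits(94, 8)
    return {
        "passphrase_5_words_bits": passphrase,
        "password_8_chars_bits": password,
        "extra_bits": passphrase - password,
        # Each extra bit doubles the effort, so the ratio is 2 ** extra_bits.
        "guess_ratio": 2 ** (passphrase - password),
    }


if __name__ == "__main__":
    for key, value in compare_policies().items():
        print(f"{key}: {value}")
    # Illustrative rate only; real figures depend on the hash and the hardware.
    print("years at 1e10 guesses/s:", years_to_exhaust(entropy_bits(10_000, 5), 1e10))
    print("toy passphrase:", generate_passphrase(WORDLIST, 5))
```

The `guess_ratio` line is the article's "one bit doubles the effort" remark carried through: roughly 14 extra bits means about sixteen thousand times more guesses for the five-word passphrase than for the in-policy eight-character password.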

If you recall that adding just one bit of entropy doubles guessing effort, you’ll see that passphrases are far more resistant to brute force than a typical in-policy password. And, since they are easier to remember, they are far less likely to be discovered.

Setting a passphrase policy does not address human factors

People still tend to choose bad passwords. There are two things you can do to address this:

  • Routinely attack your own password database: If you attack your own database, you’ll find users using weak passwords. When you find weak passwords, require a password change on the next login and send them an email explaining why they had to change their password.
  • Provide continued security awareness training and support: If you train your people well and often, they are more likely to choose strong passwords.
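The first of those two measures, as an added example that is not part of the original article: an offline audit of a constructed, salted credential store against a short weak-password list, with the matching accounts marked so their next login forces a change. The store layout, the `must_change` flag, the iteration count and the notification text are all my assumptions; the weak-password list is a five-entry stand-in for the much larger lists real audits use.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Sequence, Tuple

# Hypothetical record layout: username -> (salt, hex digest, must_change flag).
Record = Tuple[bytes, str, bool]

# Low so the audit runs in seconds here; production stores use a much larger count.
ITERATIONS = 50_000

# Constructed weak-password list (real audits use lists with millions of entries).
WEAK_CANDIDATES = ["password", "123456", "qwerty", "letmein", "Welcome1!"]

# Constructed sample accounts; two of them use passwords on the weak list.
SAMPLE_CREDENTIALS = {
    "alice": "anchor basket candle dolphin ember",
    "bob": "123456",
    "carol": "Welcome1!",
    "dave": "Tr0ub4dor&3",
}


def salted_digest(password: str, salt: bytes) -> str:
    """Same salted scheme the article recommends: salt mixed in before hashing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


def build_store(credentials: Dict[str, str]) -> Dict[str, Record]:
    """Create the store with an independent random salt for every account."""
    store: Dict[str, Record] = {}
    for user, password in credentials.items():
        salt = os.urandom(16)
        store[user] = (salt, salted_digest(password, salt), False)
    return store


def audit_store(store: Dict[str, Record],
                candidates: Sequence[str] = WEAK_CANDIDATES) -> List[str]:
    """Run every candidate against every record and return the accounts that match.

    Because each user has a distinct salt, each candidate must be re-hashed per
    user; there is no shared table to reuse. That cost is the same property that
    defeats rainbow tables, so a self-audit is deliberately slower than a lookup.
    """
    flagged: List[str] = []
    for user, (salt, digest, _) in store.items():
        for candidate in candidates:
            if hmac.compare_digest(salted_digest(candidate, salt), digest):
                flagged.append(user)
                break  # one hit is enough to flag the account
    return sorted(flagged)


def require_reset(store: Dict[str, Record], users: Sequence[str]) -> Dict[str, Record]:
    """Set the flag the login flow checks to force a change on next sign-in."""
    for user in users:
        salt, digest, _ = store[user]
        store[user] = (salt, digest, True)
    return store


def notification(user: str) -> str:
    """The explanatory message the article says to send along with the reset."""
    return (f"Hello {user}: during a routine check of our own password database, "
            "your password matched a list of commonly used passwords. You will be "
            "asked to choose a new one at your next login; a passphrase of several "
            "unrelated words is a good choice.")


if __name__ == "__main__":
    db = build_store(SAMPLE_CREDENTIALS)
    weak = audit_store(db)
    require_reset(db, weak)
    for user in weak:
        print(notification(user))
    print("accounts flagged:", weak)
```

Run on the sample accounts this flags `bob` and `carol` and leaves `alice` and `dave` alone; with a real store you would swap in the production iteration count and a full candidate list, and schedule the audit so it runs routinely rather than once.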