Passwords

Author: Cody J., Inflow Software Engineer

Effective password management is a tricky process. There has to be a balance between an easily used password and a secure password. People inherently want to use easy-to-remember passwords. However, common security practices require users to have complex passwords, preferably a long string of randomly generated numbers, letters, and special characters.

One of the most frequently-cited secure password practices is to change your password often. However, this idea is considered outdated by a number of security practitioners. Bruce Schneier wrote about it back in 2010:

“The downside of changing passwords is that it makes them harder to remember. And if you force people to change their passwords regularly, they're more likely to choose easy-to-remember -- and easy-to-guess -- passwords than they are if they can use the same passwords for many years. So any password-changing policy needs to be chosen with that consideration in mind.”

The common rationale for frequent password changes is that whoever holds a stolen password can only use the account until the next scheduled change, typically every 60-90 days. However, Schneier states that such frequent changes are only necessary in a few types of situations.

  1. If you share your passwords with someone and have a falling out, then immediately change all your passwords.
  2. Only login passwords need to be changed. Passwords for encrypted files are good as long as you keep the file or until you believe the password has been compromised.
  3. Social media accounts are more likely to be hacked and used for phishing and fraud activity. In addition, they can be used for more blackmail-type actions, so frequently changing these accounts is a good idea.

Changing a password frequently, however, doesn’t always prevent intruders as seen in these situations:

  1. Financial passwords, such as bank accounts, have a short life span for criminals; once a criminal has the password, they will immediately use it to access the funds in the account. Holding onto the password is not worth anything. Therefore, frequently changing these types of passwords does no good. If the password is stolen, you will know the damage is done when your money is missing the next day.
  2. In a private network, if someone gains access to an authorized user’s password, the hacker will most likely install a backdoor or make a new account so they don’t have to rely on the stolen password anymore. In this case, changing all the passwords once the intruder is identified and removed is more important than frequently changing passwords.

More recently, Lorrie Cranor, the Chief Technologist of the Federal Trade Commission, wrote about how many of the security principles that were a part of the information security zeitgeist at the turn of the century may no longer be relevant to today’s threats.

“...users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily. Unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases. (And even if a password has been compromised, changing the password may be ineffective, especially if other steps aren’t taken to correct security problems.)”

Cranor mentions two password security studies that found frequent password changes don’t necessarily enhance network security. The first found that users frequently make only minor changes to their passwords, so for a potential intruder, knowing one of a user’s previous passwords makes the current one much easier to guess.

“The UNC researchers found that for 17% of the accounts they studied, knowing a user’s previous password allowed them to guess their next password in fewer than 5 guesses. An attacker who knows the previous password and has access to the hashed password file (generally because they stole it) and can carry out an offline attack can guess the current password for 41% of accounts within 3 seconds per account (on a typical 2009 research computer). These results suggest that after a mandated password change, attackers who have previously learned a user’s password may be able to guess the user’s new password fairly easily.”
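As an added example (not from the original post or the UNC study), here is a Python check a site could run at password-change time to reject the kind of minor edits the study describes; the substitution table, the stripping rules, and the 0.75 similarity threshold are my own assumptions.

```python
"""Reject password changes that are small, predictable edits of the old password.

The old password is available in cleartext at change time because the user has
just typed it to authorize the change; nothing here needs the stored hash.
"""
import re
from difflib import SequenceMatcher

# Constructed table of common symbol/digit substitutions, undone before comparing
# (so P@ssw0rd and Password compare equal).
_LEET = str.maketrans({"@": "a", "$": "s", "!": "i", "0": "o",
                       "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})
# Leading or trailing runs of non-letters: the "2019!" that gets bumped to "2020!".
_EDGE = re.compile(r"^[^A-Za-z]+|[^A-Za-z]+$")


def core(pw: str) -> str:
    """Reduce a password to its letter-only core: 'Summer2019!' -> 'summer'."""
    stripped = _EDGE.sub("", pw).lower().translate(_LEET)
    return "".join(ch for ch in stripped if ch.isalpha())


def is_predictable_change(old: str, new: str, threshold: float = 0.75) -> bool:
    """True when `new` is a guessable variant of `old`.

    Catches case changes, appended/prepended characters, bumped digits or
    symbols, leet substitutions, and single-character edits.
    """
    o, n = old.lower(), new.lower()
    if o == n:                                   # only the case changed
        return True
    if core(old) and core(old) == core(new):     # same word, new decoration
        return True
    if o in n or n in o:                         # something appended/prepended
        return True
    # Fallback: overall edit similarity (2*matches / total length).
    return SequenceMatcher(None, o, n).ratio() >= threshold


def check_change(old: str, new: str) -> str:
    """Verdict string a change handler could return to the user."""
    if is_predictable_change(old, new):
        return "rejected: too similar to previous password"
    return "accepted"


if __name__ == "__main__":
    # Constructed sample pairs, not real credentials.
    for old, new in [("Summer2019!", "Summer2020!"), ("Password1", "P@ssw0rd2"),
                     ("Winter2019", "Summer2019"), ("Summer2019!", "correct horse battery")]:
        print(f"{old!r} -> {new!r}: {check_change(old, new)}")
```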

The other study found that frequent password changes have little impact on someone’s ability to crack a password hash, whereas using a slower hashing algorithm would have a much larger impact.

“The Carleton researchers demonstrate mathematically that frequent password changes only hamper such attackers a little bit, probably not enough to offset the inconvenience to users. (On the other hand, without inconveniencing users, system administrators can use slow hash functions, e.g. bcrypt, to make it significantly harder for attackers to guess large numbers of passwords.)” [More on hashing in the next blog.]

While more information can be found in the authors’ articles, the main premise is that mandated, frequent password changes actually have little impact on the ability for someone to steal, crack, or otherwise use system accounts.

So, what are current “best practices”? First, using a password manager is better than relying on manual management. There are a number of management programs available that all tend to have, more or less, the same functionality. In addition to storing passwords for web sites and applications, these programs will normally provide the ability to generate random passwords. Therefore, a user only needs to create one memorable (and secure) password for the password manager and then rely on the manager to create random, secure passwords. As long as the user has access to the password manager, the user doesn’t need to know what an individual web site’s login password is.

Some of these managers are also cross-platform, meaning they can be used on regular computers (with different operating systems) as well as tablets and smartphones. Thus, a person should have access to all necessary passwords no matter where they are or what device they’re using.

So what if you work in a place that doesn’t allow access to an online password manager or otherwise prevents access to your manager? You can still have secure passwords that are unique to each program or website, yet are memorable enough to not be written down.

In this situation, you should have a “sub-password” that is common across all your logins (e.g. “@2010”). Then make a unique password for your particular need. For example, if you are making a website password, you could use the website’s name, like “Yahoo@2010”. This meets most secure password requirements of one uppercase, one lowercase, one number, and one special character. To make it even more secure, you can pad your password with special characters to extend the length, e.g. “***Yahoo@2010***”. Voilà! You have a unique password for every website that is not only secure but easy to remember. For non-websites, you can do the same thing by substituting the name of the program for the website name.

Essentially, the longer the password, the better. With just some basic strengthening, a nine-character password would require years to crack with brute-force methods, and it is generally accepted that a password longer than 15 characters is effectively impossible to crack. As shown previously, reaching that length is very easy to do with simple padding.

In short, frequent password changes are not applicable in every situation, and, in certain scenarios, may do more harm than good. Constructing a complicated password with a host of letters, numbers, and special characters is the best route to go. Better yet, installing a password manager will ensure each password is both complex and unique, preventing intruders from having easy access to your accounts.

Now that you have a strong, complicated password and a password manager to make your accounts even more secure, the question arises: “Well, now that I’ve got secure passwords, is my account information being stored safely on the different applications and sites I use?” In our next post, we’ll discuss how passwords are stored on the back-end or server side. We’ll discuss hashing and how to tell whether or not an application or site is doing this.

- Cody J., Inflow Software Engineer

Cody J. is our new Inflowee. Having served our country with over 20 years of experience with the US Navy, Cody has extensive experience and knowledge in Information Security and Software Development. Beyond this, Cody has a love for teaching, and as such, he has served both as an adjunct professor and tutor at ECPI University and Thinkful respectively, teaching Computer Information Systems and Python. As an avid Python user, Cody currently has published Learning to Program Using Python, 3rd Edition. For more information on Cody, you can visit his site here.

At Inflow we solve complex terror and criminal issues for the United States Government and their partners by providing high-quality and innovative solutions at the right price, through the cultivation of a corporate culture dedicated to being #1 in employee and customer engagement. We Make it Matter, by putting people first! If you are interested in working for Inflow or partnering with us on future projects, contact us here.