As systems admins, we can be our own worst enemies when it comes to security. We implement these convoluted password complexity policies in the interest of security, yet what really happens? We end up making passwords so complex that the user cannot remember them, so they end up on sticky notes on monitors, or under keyboards. And really, these eight-character complex passwords are only slightly more secure than an eight-character non-complex password. So, have we made our environment more secure, or less?
Any security expert will tell you it is all about length. Sign language and squirrel noises might help some, but when you get up to 14 to 18 characters, you are really most secure.
For example, you told your users that they must use a minimum of eight characters, and at least one number. Then we tell them that random strings are the way to go. Don't use your cat's name! The first thing they will do, (and I have had no less than five users tell me that this is their password), is go "Well, I need a random string I can remember..."
So they type "1qaz2wsx"... The quotes are mine and are not included in the password, as is the case for all passwords on this page. If that doesn't look familiar to you, start at the 1 key on your keyboard and head diagonally down toward the Alt key. Repeat, starting at the 2. Let's see what howsecureismypassword.net says about this random string of numbers and letters.
This password is in the top 670 most commonly used passwords. It's not up there with "admin" or "god" or "cisco", but it's up there, and the bad guys know it. Keyboard patterns are built into password-cracking tools. Using an eight-character word like "saboteur" is actually more secure: it would take a whopping 52 seconds to crack!
Ok, so no keyboard patterns or plain old words... How about making them add a special character and a capital letter to our eight-character password? Let's see how "Ds#rtgmh" fares as a password.
A day might seem like a long time. It's not. Keep in mind that the bad guys usually have a little more juice than a "desktop PC". Also keep in mind that they have plenty of time. A day is a snap.
Again, it is all about length.
The lady at the front desk has a cat. Why not let her use "tail.cat.fluffy"? No caps, no special characters, and (gasp!) it includes dictionary words.
Now we are talking! A secure password that she can remember, so it won't end up on a sticky note. A dictionary word is bad. Several dictionary words are absolutely great. Put in some dots or dashes to break up the words, and add to the length and complexity. Replacing the "a" in cat with an "@" drives our time-to-crack up to 3 billion years! Not uncrackable, but if someone has 3 billion years to spend on my account, I might just give it to them for effort.
Forcing an expiration of 30 days, 60 days, or 90 days is not really necessary, and it just drives up your support costs. If it is in their brain, it isn't going to get lost, stolen, or otherwise misappropriated. There is no valid reason to force a change every 30 days. You are making it less secure by doing so. The more challenging you make this process for your users, the more likely they are to write it down, throwing all of your hard security work out the window. Or they forget it, resulting in a help desk call to your already over-worked help desk.
Force 14 or 16 characters, have it expire once a year, and educate your users on creating long, yet easy to remember passwords. Did I say it was all about length? Your users and your help desk will thank you.
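To make the "length over complexity" point concrete, here is an added example (my own code, not anything from howsecureismypassword.net) that checks a candidate against the policy recommended above: a 14-character minimum (an assumed value), a keyboard-walk check that catches "1qaz2wsx", and a brute-force search-space estimate in bits for comparing the page's examples.

```python
import math
import string

MIN_LENGTH = 14  # assumed policy value, following the post's advice

# US QWERTY rows; used to spot row walks ("qwerty") and column/diagonal walks
# ("1qaz2wsx"). Key stagger is ignored, which is close enough for this check.
QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def _key_pos(ch):
    """Return (row, column) of a key on the QWERTY layout, or None if not a letter/digit."""
    for r, row in enumerate(QWERTY_ROWS):
        c = row.find(ch)
        if c != -1:
            return r, c
    return None


def keyboard_walk_fraction(password):
    """Fraction of adjacent character pairs that are neighbouring keys (within one
    row and one column of each other). Near 1.0 means the password is a keyboard walk."""
    pw = password.lower()
    if len(pw) < 2:
        return 0.0
    walks = 0
    for a, b in zip(pw, pw[1:]):
        pa, pb = _key_pos(a), _key_pos(b)
        if pa is not None and pb is not None and pa != pb \
                and abs(pa[0] - pb[0]) <= 1 and abs(pa[1] - pb[1]) <= 1:
            walks += 1
    return walks / (len(pw) - 1)


def search_space_bits(password):
    """Bits of brute-force search space, log2(alphabet ** length), for an attacker
    who knows which character classes were used. Length multiplies; classes only add."""
    alphabet = 0
    for cls in (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation):
        if any(c in cls for c in password):
            alphabet += len(cls)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def check_policy(password):
    """Apply the recommended policy: length first, then reject keyboard patterns."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if keyboard_walk_fraction(password) > 0.5:
        return False, "looks like a keyboard pattern"
    return True, "ok"
```

Running `search_space_bits` on "Ds#rtgmh" and "tail.cat.fluffy" shows the plain passphrase with no caps or symbols still has a far larger search space than the eight-character "complex" password.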
Try it yourself! Swing by howsecureismypassword.net and put in your favorite double-secret secure password. You might be surprised at the results.