Introduction

The science of password policies is finally starting to sync up with psychology. The evolution of this science provides meaningful insights that are crucial to the secure design of any system, although it has not yet reached everyone's ears.

In 2003, a manager at NIST was pressured to write password policy guidelines. Proper data and research were lacking, so he used a paper from the 1980s to make up guidelines like "change passwords every 90 days". The document circulated as an authority on password policies, despite its unscientific foundation. In 2017, the manager publicly apologized for the guidelines, as research has shown that they have an adverse effect on security. In the same year, NIST released new guidelines, which were built from scratch and based on academic research. (McMillan, 2017)

What made the old policies so weak?

The old policies create a stringent environment in which creativity is suppressed and insulted. Users generally want to create strong passwords and contribute to security, but they lack the knowledge of how to create a strong password: they don't know how the length or the complexity of a password affects an attacker's chances (Hanamsagar et al., 2016). A password policy is supposed to guide users towards passwords that are hard to crack, but the old policies were found to yield the opposite result, with detrimental side effects on password usage.

Two bad practices that stand out are frequent password changes (password expiration) and compound complexity requirements. Password expiration makes users change their password at certain intervals. Compound complexity requirements force the use of certain types of characters, like a capital letter or a special character.

Password expiration causes users to create cyclic passwords (Zhang et al., 2010; Inglesant & Sasse, 2010). A cyclic password is one where the user makes small changes to a previous password, which they tend to do in a predictable manner.

Blocking a certain number of previously used passwords is a common mechanism paired with password expiration. Users were observed circumventing these systems by simply changing their password consecutively until they could revert to their original one. Storing a user's previous passwords also introduces risk, since cracking a previous password can give attackers an edge. Zhang et al. (2010) created an algorithm to guess new passwords based on old ones, which was tested against systems where password expiration was enforced. They were successful 17% of the time in online attacks, and had a 41% success rate in offline cracking.

A paper from Inglesant & Sasse (2010), which is spot-on and brilliantly written, describes the psychological effects of stringent policies on users. The main idea is that humans don't like to let go of resources in which they've put time and effort. Thinking of a new password and remembering it seems like a trivial task, but it burdens the users quite heavily. This process causes the user to view the password as a valuable resource, i.e. "good". It's against human nature to simply let go of such a resource, so they will cling to it. The policies mentioned above try to battle this layer of the human psyche. At some point, the mental load forces users to apply insecure practices. If you really bother them, they will use the weakest password they can get away with. This is done not out of malice, but because the policy has depleted the mental resources they needed to do better. They write:

Against the world-view that "if only [users] understood the dangers, they would behave differently" [12], we argue that "if only security managers understood the true costs for users and the organisation, they would set policies differently"

What are the crackers doing with it?

Outdated password policies thwart creativity and tend to herd users towards common patterns. Attackers use statistical models of such patterns to crack passwords. Based on passwords from publicly exposed breaches, 13 unique password patterns were found to crack 50% of passwords. In addition, users respond to complexity requirements by making the first character uppercase 90% of the time, and they like to end their password with digits and a special character. (Dunning, 2015)

Attackers can abuse complexity requirements using standard cracking tools. For example, if the policy requires an uppercase character, the attacker knows that no password consists of lowercase characters only. Redman (2013) combined common password statistics with a company's password policy to crack 48.2% of the company's passwords in 20 minutes.

A seasoned password cracking professional can outperform automated tools by switching between strategies as the cracking session progresses. In both automated and manual cracking, complexity requirements do not decrease the percentage of passwords cracked, but password length does. (Ur et al., 2015)

What should we do?

Even though NIST dropped the ball in the past, they made up for it with their new guidelines, which are properly based on science. These guidelines should be used when creating a password policy, and they can be found here.

Properly maintained sources, such as the NCSC and OWASP, practically copy NIST. The most important recommendation is simple: set a minimum password length. A minimum of 8 characters is recommended, but this length should be increased based on your threat model.
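A verifier-side check in the spirit of these recommendations, added here as an example (it is not code from the article, NIST, NCSC or OWASP): the old compound-complexity rule beside a length-plus-blocklist rule. The blocklist is a constructed stand-in for a real breached-password dataset, and the 128-character ceiling is an assumption.

```python
"""Old compound-complexity policy versus a NIST-style length-plus-blocklist policy."""
from typing import Optional

# Constructed sample blocklist; in production this is a large list of
# commonly used and breached passwords, compared case-insensitively.
COMMON_PASSWORDS = {"password", "password1", "password1!", "qwerty123", "welcome1"}

MIN_LENGTH = 8    # NIST minimum; raise it to match your threat model
MAX_LENGTH = 128  # assumed ceiling (NIST asks verifiers to accept at least 64)


def old_policy(password: str) -> Optional[str]:
    """The compound-complexity rule the article argues against.
    Returns a rejection reason, or None when the password is accepted."""
    if len(password) < 8:
        return "shorter than 8 characters"
    if not any(c.isupper() for c in password):
        return "missing an uppercase letter"
    if not any(c.isdigit() for c in password):
        return "missing a digit"
    if not any(not c.isalnum() for c in password):
        return "missing a special character"
    return None


def new_policy(password: str, username: str = "") -> Optional[str]:
    """Minimum length and a blocklist, no composition rules, any character
    (spaces and Unicode included). Returns None when accepted."""
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    if len(password) > MAX_LENGTH:
        return f"longer than {MAX_LENGTH} characters"
    lowered = password.lower()
    # Case-insensitive match so "Password1!" cannot slip past the list
    if lowered in COMMON_PASSWORDS:
        return "found in the blocklist of common or breached passwords"
    # Reject context-specific values such as the account name itself
    if username and len(username) >= 3 and username.lower() in lowered:
        return "contains the username"
    return None


if __name__ == "__main__":
    for candidate in ("Password1!", "correct horse battery staple"):
        print(f"{candidate!r}: old={old_policy(candidate)} new={new_policy(candidate)}")
```

Note how "Password1!" satisfies every old-style requirement yet sits in any blocklist, while a long lowercase passphrase fails the old rule and passes the new one.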

Security engineers must fix the infrastructure around the user, instead of trying to fix the users themselves (Schneier, 2016). For example, instead of having users think up hard-to-crack passwords, it's more efficient to use hashing algorithms that are designed to make cracking slow.

The bcrypt hashing algorithm is designed to slow down password cracking, while NTLM(v2) hashes missed out on this luxury. Cracking clusters exist that can crack NTLM hashes at 31.8 TH/s, that is, 31.8 trillion password guesses per second. Searching the entire alphanumeric password space of length 9 can be done in 7 minutes. Against bcrypt hashes, it takes 37 years. (Terahash, 2019)
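To size a minimum length against a threat model, the arithmetic behind these figures, as an added example (not from the article or Terahash): worst-case time to exhaust a search space at the quoted NTLM rate, the bcrypt rate implied by the 37-year figure, and how small a policy-shaped pattern is compared with the full space. The u/l/d/s class letters and the 33-symbol special-character class (printable ASCII minus letters and digits) are my own conventions.

```python
"""Search-space sizing against the cracking rates the article cites."""
import string

# Character-class sizes for printable ASCII: 26 + 26 + 10 + 33 = 95 symbols.
CLASS_SIZE = {"u": 26, "l": 26, "d": 10, "s": 33}
ALPHANUMERIC = len(string.ascii_letters + string.digits)  # 62
NTLM_RATE = 31.8e12                 # guesses per second on NTLM (Terahash, 2019)
SECONDS_PER_YEAR = 365.25 * 86400


def keyspace(length: int, symbols: int = ALPHANUMERIC) -> int:
    """Number of candidates of exactly `length` drawn from `symbols` characters."""
    return symbols ** length


def pattern_keyspace(pattern: str) -> int:
    """Candidates fitting a fixed class pattern, e.g. 'ulllllldd' = capital
    first, lowercase body, two trailing digits (the habit Dunning describes)."""
    total = 1
    for cls in pattern:
        total *= CLASS_SIZE[cls]
    return total


def seconds_to_exhaust(candidates: int, rate: float = NTLM_RATE) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return candidates / rate


def implied_rate(candidates: int, years: float) -> float:
    """Guess rate that exhausts `candidates` in `years`; used to back out an
    approximate bcrypt rate from the article's '37 years' figure."""
    return candidates / (years * SECONDS_PER_YEAR)


def fmt(seconds: float) -> str:
    """Human-readable duration, one decimal place."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    full9 = keyspace(9)
    print("62^9 at NTLM speed:", fmt(seconds_to_exhaust(full9)))           # 7.1 minutes
    print("62^12 at NTLM speed:", fmt(seconds_to_exhaust(keyspace(12))))   # about 3.2 years
    print("pattern ulllllldd:", fmt(seconds_to_exhaust(pattern_keyspace("ulllllldd"))))
    print(f"bcrypt rate implied by 37 years: {implied_rate(full9, 37):.2e}/s")
```

Three extra characters turn minutes into years at the same hash speed, while a policy-shaped pattern of nine characters falls in a fraction of a second.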

Conclusion

Security must not rely on a battle against the human psyche. The outdated policies charge the user head-on, and lose this battle by creating incentives for insecure practices. The latest NIST guidelines should be used for creating a password policy; they recommend setting a minimum length for a password, and dropping password expiration and complexity requirements.

Password policies are only a small piece of the security puzzle. Even practically uncrackable passwords can be stolen via phishing, keylogging, or by eavesdropping on insecure communications. To properly protect a password, one can implement physical security, use of a password manager, Single Sign-On, 2FA, a proper hashing algorithm, a lockout policy or rate limiting, TLS, and so on. Most proper security measures take stress away from the user, instead of dropping the responsibility for security on their shoulders.

References

McMillan, R. (2017, August 7).
The Man Who Wrote Those Password Rules Has a New Tip: N3v$r M1^d!.
The Wall Street Journal.
https://www.wsj.com/articles/the-man-who-wrote-those-password-rules-has-a-new-tip-n3v-r-m1-d-1502124118

Hanamsagar, A., Woo, S., Kanich, C. & Mirkovic, J. (2016).
How Users Choose and Reuse Passwords.
Information Sciences Institute.

Inglesant, Philip & Sasse, Angela. (2010).
The true cost of unusable password policies.
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (CHI 2010). 383-392. 10.1145/1753326.1753384.

Zhang, Yinqian & Monrose, Fabian & Reiter, Michael. (2010).
The security of modern password expiration: An algorithmic framework and empirical analysis.
Proceedings of the ACM Conference on Computer and Communications Security. 176-186. 10.1145/1866307.1866328.

Dunning, J. (2015, April 13).
Statistics Will Crack Your Password.
Praetorian.
https://www.praetorian.com/blog/statistics-will-crack-your-password-mask-structure

Redman R. (2013, July 30-31).
Cracking Corporate Passwords: Why Your Password Policy Suck [Video].
YouTube.
https://www.youtube.com/watch?v=5i_Im6JntPQ

Ur, Blase & Segreti, Sean & Bauer, Lujo & Christin, Nicolas & Cranor, Lorrie & Komanduri, Saranga & Kurilova, Darya & Mazurek, Michelle & Melicher, William & Shay, Richard. (2015).
Measuring real-world accuracies and biases in modeling password guessability.
Proceedings of the 24th USENIX Security Symposium.

Krawczyk, P. (2019, November 7).
Password Special Characters.
OWASP.
https://owasp.org/www-community/password-special-characters

NCSC NL. (n.d.).
Authenticatie.
Retrieved from https://www.ncsc.nl/onderwerpen/authenticatie

NCSC EN. (n.d.).
Password policy: updating your approach.
Retrieved from https://www.ncsc.gov.uk/collection/passwords/updating-your-approach

OWASP. (n.d.).
Authentication Cheat Sheet.
Retrieved from https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html

Schneier, Bruce. (2016).
Stop Trying to Fix the User.
IEEE Security & Privacy. 14. 96-96. 10.1109/MSP.2016.101.

Terahash [@TerahashCorp]. (2019, July 27).
Ever wondered what a #hashstack @hashcat cluster of 448x RTX 2080s could do for #password #cracking? How about 31.8 TH/s on NTLM, 17.7 TH/s on MD5 [Image attached] [Tweet].
Twitter.
https://twitter.com/TerahashCorp/status/1155112559206383616

The article was originally published on my LinkedIn, but I migrated all posts here.