10-4 Password Measures

Drakkon

Diamond Member
Aug 14, 2001
So today my workplace determined passwords were too insecure and needed to follow the 10-4 rule. For those of you not familiar:

Passwords must meet these criteria (the 10/4 rule):
Each password is at least ten (10) characters
Passwords must mix together four (4) different types of characters including upper case letters, lower case letters, numbers, and special symbols.

Now I dunno about most of you, but coming up with a 10-character multi-type password that can easily be remembered isn't the easiest thing for most people. I'm finding people around here writing the password on a sticky note and putting it on their monitor/keyboard. Most people around here had at least a 6-8 character password with 1 number, some easier, others more overkill (but they still had to change because of the special character rule). How is this really solving anything?
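A checker for the 10/4 rule as the opening post states it, written here as an added example rather than code from the thread or from any product. It generalizes the rule to a length-plus-class-count check (the Windows 8-character, 3-of-4 variant is the same function with different numbers) and adds a keyspace helper for what the length requirement buys against exhaustive search; the 94-character printable alphabet and the sample passwords are assumptions.

```python
import string

# The four character classes named by the 10/4 rule.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

def classes_present(password):
    """Names of the character classes that occur in the password."""
    chars = set(password)
    return {name for name, members in CLASSES.items() if chars & members}

def meets_policy(password, min_length, min_classes):
    """Generic length-plus-class-count check; both rules below are instances of it.
    Characters outside all four classes (spaces, non-ASCII) count toward length only."""
    return len(password) >= min_length and len(classes_present(password)) >= min_classes

def meets_10_4(password):
    """The workplace rule from the opening post: 10+ characters, all four classes."""
    return meets_policy(password, 10, 4)

def meets_windows_complexity(password):
    """The Windows 'complex password' definition: 8+ characters, 3 of the 4 classes."""
    return meets_policy(password, 8, 3)

def missing_for_10_4(password):
    """Classes a rejected password still lacks, as feedback for the user."""
    return sorted(set(CLASSES) - classes_present(password))

def keyspace(length, alphabet_size=94):
    """Candidates of exactly this length; 94 = printable ASCII minus space (assumed alphabet)."""
    return alphabet_size ** length

def worst_case_seconds(length, guesses_per_second, alphabet_size=94):
    """Exhaustive search time at a constant guess rate (hash cost and lockouts not modelled)."""
    return keyspace(length, alphabet_size) / guesses_per_second

if __name__ == "__main__":
    for pw in ["password1", "Correct-Horse42", "Passw0rd"]:   # constructed samples
        print(pw, meets_10_4(pw), meets_windows_complexity(pw), missing_for_10_4(pw))
    for n in (6, 7, 8, 10):
        print(n, "chars:", f"{worst_case_seconds(n, 1e9):.3g}", "s at 1e9 guesses/s")
```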
 

Oakenfold

Diamond Member
Feb 8, 2001
To be honest the passwords I choose to use meet that requirement. :)

Sounds like that might be difficult for some people; writing down passwords is not a good sign for the information security awareness of the company or for the success of the recent password implementation.
 

Zugzwang152

Lifer
Oct 30, 2001
We use the Windows definition of complex password merely for convenience's sake (AD environment). It's at least 8 characters, and must contain 3 of the 4 groups: lower case, upper case, numbers, special characters.
 

Zugzwang152

Lifer
Oct 30, 2001
Should also note: we allow the writing down of passwords, so long as they are kept in a locked drawer or cabinet that only you have the key for.
 

SilthDraeth

Platinum Member
Oct 28, 2003
Drakkon, while it is true that threats to a network can often come from people inside, with access to critical areas, the password rules actually make it harder for a brute force style of attack to break passwords.

We do not have any type of rules in place right now, and a brute force can crack about 80% of the passwords in the school district I work for, because most are between 4 and 6 letters and are common words.

My personal password is over 10 characters long, utilizing numbers, special characters, upper and lower case. I actually have 2 passwords that I use that meet those criteria. Now, granted, coming up with hundreds would be a problem, but I think almost everyone has the ability to use a password that long. If you can remember a sentence or a quote, you can sure as heck make a password: just throw a cap at the beginning, substitute the letter S with a 5, put an exclamation point on the end of the password, and/or an @ symbol in place of an "a", and you are golden.
 

SecPro

Member
Jul 17, 2007
Originally posted by: SilthDraeth
Drakkon, while it is true that threats to a network can often come from people inside, with access to critical areas, the password rules actually make it harder for a brute force style of attack to break passwords.

We do not have any type of rules in place right now, and a brute force can crack about 80% of the passwords in the school district I work for, because most are between 4 and 6 letters and are common words.

My personal password is over 10 characters long, utilizing numbers, special characters, upper and lower case. I actually have 2 passwords that I use that meet those criteria. Now, granted, coming up with hundreds would be a problem, but I think almost everyone has the ability to use a password that long. If you can remember a sentence or a quote, you can sure as heck make a password: just throw a cap at the beginning, substitute the letter S with a 5, put an exclamation point on the end of the password, and/or an @ symbol in place of an "a", and you are golden.

A fairly simple way to prevent brute force attacks is to put a lockout policy on the login process. For example: 3 bad login attempts and the account locks until opened by an admin, and/or until a certain amount of time elapses and it automatically unlocks.

As far as the 10/4 policy is concerned, that's a pretty tight password policy. The difference in the time it takes to brute force a password takes the biggest jump between 7 and 8 characters (with the 4 special chars. required). One of the problems with longer passwords, that's already been alluded to, is that users start writing them down or, if allowed, use non-complex passwords. Look around on the internet; there are "tricks" you can teach your users to come up with ways to create complex passwords. It reminds me of how some people create vanity license plates.

My organization has given up on the idea that user name and password is good enough for authentication. I am implementing a complete two-factor solution using RSA tokens. We are starting with the web-facing apps (VPN and I-Notes) and elevated privilege accounts. Eventually it will be used for everyday network logins. The trade-off with my users is that we will implement single sign-on, something they've wanted for years but something I refuse to authorize until a two-factor solution is in place.
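The lockout policy SecPro describes, as an added example that is not code from the thread: three failed attempts lock the account, and the policy decides whether it unlocks after a cooldown, only by an admin, or both. The ManualClock, the 600-second cooldown default and the user names are constructed for illustration; the credential check itself happens outside this class.

```python
import time
from dataclasses import dataclass
from typing import Optional

@dataclass
class LockoutPolicy:
    """N bad attempts lock the account until an admin unlocks it and/or a cooldown elapses."""
    max_failures: int = 3
    auto_unlock_seconds: Optional[float] = 600.0   # None: only an admin can unlock

@dataclass
class AccountState:
    failures: int = 0
    locked_at: Optional[float] = None

class ManualClock:
    """Constructed test clock so lockout expiry can be exercised without sleeping."""
    def __init__(self): self.now = 0.0
    def advance(self, seconds): self.now += seconds
    def __call__(self): return self.now

class LoginGuard:
    def __init__(self, policy, clock=time.time):
        self.policy, self.clock, self.accounts = policy, clock, {}

    def is_locked(self, user):
        st = self.accounts.setdefault(user, AccountState())
        if st.locked_at is None:
            return False
        ttl = self.policy.auto_unlock_seconds
        if ttl is not None and self.clock() - st.locked_at >= ttl:
            st.failures, st.locked_at = 0, None      # cooldown elapsed: auto-unlock
            return False
        return True

    def attempt(self, user, password_ok):
        """Returns 'ok', 'bad_password' or 'locked'; the caller has already verified the credential."""
        if self.is_locked(user):
            return "locked"                          # refused even if the password is right
        st = self.accounts[user]
        if password_ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.policy.max_failures:
            st.locked_at = self.clock()              # lock on the Nth consecutive failure
        return "bad_password"

    def admin_unlock(self, user):
        self.accounts[user] = AccountState()
```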
 

Zugzwang152

Lifer
Oct 30, 2001
Originally posted by: SecPro
Originally posted by: SilthDraeth
Drakkon, while it is true that threats to a network can often come from people inside, with access to critical areas, the password rules actually make it harder for a brute force style of attack to break passwords.

We do not have any type of rules in place right now, and a brute force can crack about 80% of the passwords in the school district I work for, because most are between 4 and 6 letters and are common words.

My personal password is over 10 characters long, utilizing numbers, special characters, upper and lower case. I actually have 2 passwords that I use that meet those criteria. Now, granted, coming up with hundreds would be a problem, but I think almost everyone has the ability to use a password that long. If you can remember a sentence or a quote, you can sure as heck make a password: just throw a cap at the beginning, substitute the letter S with a 5, put an exclamation point on the end of the password, and/or an @ symbol in place of an "a", and you are golden.

A fairly simple way to prevent brute force attacks is to put a lockout policy on the login process. For example: 3 bad login attempts and the account locks until opened by an admin, and/or until a certain amount of time elapses and it automatically unlocks.

As far as the 10/4 policy is concerned, that's a pretty tight password policy. The difference in the time it takes to brute force a password takes the biggest jump between 7 and 8 characters (with the 4 special chars. required). One of the problems with longer passwords, that's already been alluded to, is that users start writing them down or, if allowed, use non-complex passwords. Look around on the internet; there are "tricks" you can teach your users to come up with ways to create complex passwords. It reminds me of how some people create vanity license plates.

My organization has given up on the idea that user name and password is good enough for authentication. I am implementing a complete two-factor solution using RSA tokens. We are starting with the web-facing apps (VPN and I-Notes) and elevated privilege accounts. Eventually it will be used for everyday network logins. The trade-off with my users is that we will implement single sign-on, something they've wanted for years but something I refuse to authorize until a two-factor solution is in place.

My users and executives would revolt if they had to use a token for logging in to their PC at work.
 

SecPro

Member
Jul 17, 2007
Originally posted by: Zugzwang152
Originally posted by: SecPro
Originally posted by: SilthDraeth
Drakkon, while it is true that threats to a network can often come from people inside, with access to critical areas, the password rules actually make it harder for a brute force style of attack to break passwords.

We do not have any type of rules in place right now, and a brute force can crack about 80% of the passwords in the school district I work for, because most are between 4 and 6 letters and are common words.

My personal password is over 10 characters long, utilizing numbers, special characters, upper and lower case. I actually have 2 passwords that I use that meet those criteria. Now, granted, coming up with hundreds would be a problem, but I think almost everyone has the ability to use a password that long. If you can remember a sentence or a quote, you can sure as heck make a password: just throw a cap at the beginning, substitute the letter S with a 5, put an exclamation point on the end of the password, and/or an @ symbol in place of an "a", and you are golden.

A fairly simple way to prevent brute force attacks is to put a lockout policy on the login process. For example: 3 bad login attempts and the account locks until opened by an admin, and/or until a certain amount of time elapses and it automatically unlocks.

As far as the 10/4 policy is concerned, that's a pretty tight password policy. The difference in the time it takes to brute force a password takes the biggest jump between 7 and 8 characters (with the 4 special chars. required). One of the problems with longer passwords, that's already been alluded to, is that users start writing them down or, if allowed, use non-complex passwords. Look around on the internet; there are "tricks" you can teach your users to come up with ways to create complex passwords. It reminds me of how some people create vanity license plates.

My organization has given up on the idea that user name and password is good enough for authentication. I am implementing a complete two-factor solution using RSA tokens. We are starting with the web-facing apps (VPN and I-Notes) and elevated privilege accounts. Eventually it will be used for everyday network logins. The trade-off with my users is that we will implement single sign-on, something they've wanted for years but something I refuse to authorize until a two-factor solution is in place.

My users and executives would revolt if they had to use a token for logging in to their PC at work.

A common reaction; however, all I'm doing is replacing a complex 8-character password with a 5-digit PIN that they append to a 6-digit number off their token.
 

gsellis

Diamond Member
Dec 4, 2003
Complex passwords are now part of the spec if you want to handle credit cards (PCI). Since a dictionary attack (brute force) works very quickly, if a password is used, at least it should have some worth by being a little easier than comparing it to 500,000 known words at thousands of attempts per second (I think there was a processor that was demoed at Blackhat that was that fast, from our team report).

So, yes, it makes it more secure. It does not 'solve' the problem. But that is what 'layers of security' are all about. SSL sessions, AV, security agents, etc., for an even better time. A quick tutorial on social engineering for all computer users can be an even bigger win (and for goodness' sake, no finger pointing - just "these people are trying to steal from you - here are ways they will try to con you and how you can avoid them, here and at home.")
 

invidia

Platinum Member
Oct 8, 2006
My passwords are absurdly long. It may be a surprise that I remember all of them. I mostly use anime/game titles as my passwords.

Example - A password I would use would be a 1337 code variation of Gundam Seed Destiny - i.e. gUnd4ms33Dde5t|ny, GUNd@m533Dd35t1ny, and so on.
 

SilthDraeth

Platinum Member
Oct 28, 2003
Originally posted by: SecPro
A fairly simple way to prevent brute force attacks is to put a lockout policy on the login process. For example: 3 bad login attempts and the account locks until opened by an admin. and/or a certain amount of time elapses and it automatically unlocks.

True. Though, in my work environment, people have trouble memorizing 4 character passwords. Which is extremely sad, since I work for a school district, and these are the people educating our children.

In the Air Force, we had our Smart Cards, and went to smart card readers. We had a 4- or 6-digit (I can't remember which) PIN associated with a 10-digit password. You only had to enter your password once, then just use your card in the card reader and your PIN code.

Most people and organizations will choose convenience over security. They have the attitude that it "won't" happen to them, until it does. Then if the damage wasn't that great, they still do not care very much.
 

nova2

Senior member
Feb 3, 2006
........

just memorize them and do whatever helps you to memorize them - like a phrase that rhymes.

"----but coming up with a 10 character multi-type password that can be remembered isn't the easiest thing------"
maybe if they don't use the password 'often enough' or they put little effort into memorizing it, but otherwise it's never been a problem for me.

"Though, in my work environment, people have trouble memorizing 4 character passwords. Which is extremely sad"

wow - no effort put into memorizing and remembering; that is pathetic.
 

crisscross

Golden Member
Apr 29, 2001
RSA tokens aren't too bad. I used them where I worked earlier and it got quite easy after a week or so.
 

Joemonkey

Diamond Member
Mar 3, 2001
I'm going to start using patterns on the keyboard in combination with words, like start with U and go up up down down left right left right b a START, so the password would be:

u77uuyiyib a START

you have lower, upper, symbol, and number. Also, if someone asks your password, you honestly can't give it out :)
 

gsellis

Diamond Member
Dec 4, 2003
Originally posted by: crisscross
RSA tokens aren't too bad. I used them where I worked earlier and it got quite easy after a week or so.
Verisign tokens are cheaper.