Complexity of authentication ("the Password problem")


Many IT people I know require their users to come up with complex passwords and require them to change them often. I guess this gives them a sense of security. It's actually not as secure as they think. Even after implementing a good (Microsoft ISA Server) firewall, implementing IPSec on your network, and running NAP or NAC, there are still some potential problems.


A little background

Let's start off with a little background on why passwords by themselves aren't secure.

Users don't use complex passwords

Bruce Schneier showed the complexity of passwords as harvested from MySpace users and compared these with the complexity of passwords obtained through research by Oyvind Fredstie and other previous investigations. Bruce's conclusion was passwords are getting better, but most passwords are still pretty simple: password, abc123, myspace1 and password1 were the most used passwords.

Slashdot concluded that MySpace passwords were generally more secure than the passwords at companies. Perhaps the reason is that MySpace users were generally younger than the subjects in the other investigations.

Do passwords get better because the person who uses the password wants it to be better, or because the admin wants it to be better (and enforces complex passwords)? MySpace requires new users to come up with passwords that are at least six characters long and include one numeric or punctuation character. Perhaps this explains the slightly "better" passwords Bruce Schneier talks about. Recent Microsoft Windows versions also require a certain complexity, and within a Microsoft Active Directory domain you can set password policies.

People nowadays use a wide variety of (online) resources, which most of the time have different usernames but almost always have different passwords. A lot of people change passwords to resemble that one password that gets used for everything! This is easy, and as we all know, easy and secure mostly contradict each other.

Passwords are never going to be complex enough

In terms of security a good password is a password that changes often: often enough not to allow a password utility to retrieve it. According to that philosophy you have to enforce complex passwords and you need to make sure users change these passwords. Tools to retrieve passwords have become increasingly better. Most of the passwords entered during the MySpace phishing expedition can be retrieved in a matter of minutes.

But at TechEd Marcus Murray showed you don't even have to retrieve them. He showed a tool that relies on the hash of the passwords (and only the hash!) to gain access to resources. You'd actually have to fool an admin into passing his or her passwords first, but Marcus showed some neat social engineering tricks to get these.

Tools for retrieving other hashes (Protected Storage PassView and SIW) are already publicly available. If your users reuse their passwords or you reuse their passwords for them (Reduced Single Sign-On is a good example for this kind of helpfulness) things might get ugly quick.


Multiple factor authentication

One way to really secure resources is to protect them with multiple factor authentication. Most used nowadays is two-factor authentication, which consists of something you have and something you know (smartcards and tokens combined with passwords are perfect examples of these) or something you are and something you know (biometric equipment combined with a password serves its purpose here).

Introducing smartcards in your corporate environment is not difficult. Microsoft did it a couple of years ago and still relies on it for its VPN connections. The hardest parts are to design a certificate chain and get your certificates to your users. In an Active Directory environment both activities are not that difficult… Tim Springston has some good considerations if you plan to use smartcards in existing (non-Vista, Pre-Windows Server 2003 SP1) environments.


Active Directory Password complexity

Since two-factor authentication nowadays still relies on a strong password you should still enforce a password policy and an account lockout policy. (Don't worry about your Administrator account)

The recent investigations show us that although users will come up with silly passwords (like Novem2006, Decem2006 and Janua2007), enforcing complex passwords is still a meaningful thing to do.

For each Active Directory domain you can enforce a password policy. I strongly urge you to enable the "Password must meet complexity requirements" option. This will force the user to come up with a complex password next time the password has to be changed. The new password must meet the following minimum requirements:

  • The password is at least six characters long.
  • The password contains characters from three of the following four categories:
    • English uppercase characters (from A through Z)
    • English lowercase characters (from a through z)
    • Base 10 digits (from 0 through 9)
    • Non-alphanumeric characters (for example: !, $, #, or %)
  • The password does not contain three or more characters from the user’s account name. If the account name is less than three characters long, this check is not performed because the rate at which passwords would be rejected would be too high. When checking against the user’s full name, several characters are treated as delimiters that separate the name into individual tokens: commas, periods, dashes, hyphens, underscores, spaces, number signs (#), and tab characters. Each token that is three or more characters long is searched for in the password, and if it is present, the password change is rejected. For example, the name “Erin M. Hagens” would be split into three tokens: “Erin,” “M,” and “Hagens.” Because the second token is only one character long, it would be ignored. Therefore this user could not have a password that included either “erin” or “hagens” as a substring anywhere in the password. None of these checks are case-sensitive.

Although the default password filter (passfilt.dll), which you enable with the "Password must meet complexity requirements" option, enforces passwords of six characters, it is still recommended to define a minimum password length larger than six characters.
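The rules listed above, together with a configurable minimum length, written out as a checker. This is an added example, not Microsoft's passfilt.dll code: the function name `complexity_failures`, the sample user and the candidate passwords are constructed, and the account-name rule is assumed to be a whole-name substring match.

```python
import re

# Delimiters the page lists for splitting the full name into tokens:
# commas, periods, dashes/hyphens, underscores, spaces, number signs, tabs.
NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")


def complexity_failures(password, account_name, full_name, min_length=6):
    """Return the list of rules the password breaks (empty list = accepted)."""
    failures = []
    if len(password) < min_length:
        failures.append("too short")

    # Count how many of the four character categories are present.
    categories = [
        any("A" <= c <= "Z" for c in password),   # English uppercase
        any("a" <= c <= "z" for c in password),   # English lowercase
        any("0" <= c <= "9" for c in password),   # base 10 digits
        any(not c.isalnum() for c in password),   # non-alphanumeric
    ]
    if sum(categories) < 3:
        failures.append("fewer than 3 character categories")

    lowered = password.lower()
    # Assumption: the account name is matched as a whole and the check is
    # skipped when the name is shorter than three characters.
    if len(account_name) >= 3 and account_name.lower() in lowered:
        failures.append("contains account name")

    # Full-name tokens of three or more characters may not appear anywhere
    # in the password; the comparison is case-insensitive.
    for token in NAME_DELIMITERS.split(full_name):
        if len(token) >= 3 and token.lower() in lowered:
            failures.append("contains name token '%s'" % token)
    return failures


if __name__ == "__main__":
    # Constructed sample user and candidate passwords.
    for candidate in ["Novem2006", "password1", "Hagens!2007", "Tr0ub4dor&3"]:
        result = complexity_failures(candidate, "ehagens", "Erin M. Hagens")
        print(candidate, "->", result or "accepted")
```

Novem2006 breaks none of these rules, which is why the complexity option alone does not keep predictable passwords out.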

It is possible to create your own passfilt.dll and replace the default filter.



Think about using mere passwords for protecting resources. Is it really secure?

You can implement a good (Microsoft ISA Server) firewall, implement IPSec on your network, run NAP or NAC and still be insecure. Don't let authentication be or become the weakest link in your security.

Further reading

MySpace Users Have Stronger Passwords Than Corporate Employees
MySpace Passwords Aren't So Dumb
Analyzing 20,000 MySpace Passwords
Report: Net users picking safer passwords
MySpace Password Analysis
End Users Attitudes and Behaviours towards Password Management
Knowing the Enemy – A lightning demonstration on how hackers attack networks
Are Smart Cards the New Way of Life?
Planning a Smart Card Deployment
Best Practices for Implementing a Microsoft Windows Server 2003 PKI
Microsoft IT Showcase: Smart Card Deployment at Microsoft
Password must meet complexity requirements
New Password Mantra: Go Long
Account Policy Settings in Windows Server 2003
Why administrative passwords will never be like nuclear missile launchers
Smartcard Logon Considerations
How Microsoft fights off 100,000 attacks per month
