How IT Security helps the hackers
Apr. 14th, 2010 @ 09:34 am
Today brought reports of the latest research saying what many of us have known for a while: required password changes don't help security. As the report put it, the practice assumes that the thief who makes a copy of your house key will wait a few months before trying the lock. Right... we all know a stolen password gets used within a day at most, sometimes within seconds if you fall for a phishing scam.
Yes, I can hear the cry now: it limits the useful lifetime of a stolen password. Surely that's a separate question, I must ask. A stolen password is usually changed by the hacker to buy time for whatever activities and review of the stolen data, without interference from the original owner. If the proper owner doesn't report the problem, the hacker can simply keep changing the password themselves to comply with the automated expiry. Again, a nonsensical practice with little real benefit.
The report makes a rough estimate that Americans using computers under such policies earn, on average, some $16 billion per minute. It goes on to note that security measures assume users' time has no value; otherwise there would be some showing that over $16 billion a year is saved in exchange for that one minute spent changing and resetting passwords... which there isn't.
OK, I'll go further now: password requirements. The practice of making passwords follow a required format, such as at least one upper-case letter, one digit, six characters, etc., actually *helps* hackers when those rules are known... and most of them are easily available or can be assumed. Obvious? Picture a program designed to crack your password, which follows your company's requirements of at least one lower-case letter, one upper-case letter, one special character, one digit and six characters minimum. Will the program need to bother checking 'aaaaaa'? No, of course not, if the hacker knows your company doesn't allow such 'easily' guessed passwords! This eliminates every all-lower-case combination of at least six characters, perhaps 14% of the possible combinations by some quick calculations. Factor in the other six-character combinations that don't satisfy your company's rules... and the brute-force method isn't looking too hard to do at all. Heck, banning dictionary words only helps the cracker program once it knows that requirement: more items it can dismiss out of hand. You can't use 'mYPass', so why should the hacker spend time trying it?
Now, of course, these requirements were meant to get users to draw from a broad range of values, so that each character of your password could be one of (26 lower, 26 upper, 32 special, 10 digit) = 94 characters, which assuredly makes it hard to 'guess'. Most users, given a free choice, put in simple, easy-to-remember values without regard to outside security. The rules are there to force such users to create broad values. But those same rules also limit that range, which is a security vulnerability. They also invite typical human nature to create a value that satisfies the bare minimum of the rules: one digit, one upper-case letter, exactly six or eight characters, etc. This too makes a hacker's task easier; the percentage of people who go above and beyond is very low. And exceptions? The hacker can rest assured that the company's IT Security will enforce the specified rules, ensuring only a fraction of the total available combinations need be checked. In a company full of 8-character passwords with digits and special characters, the person with 'mywork' as a password is probably the safest from automated attacks against that company.
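To put numbers on the argument above, here is an added example (not code from the original post) that computes, by inclusion-exclusion, what share of the 94-character keyspace a published composition rule actually admits, i.e. how much of the space an attacker who knows the rule can skip outright. The class sizes are the ones the post uses; the policy tuples are assumed for illustration.

```python
from itertools import combinations

# Character classes as the post counts them: 26 lower, 26 upper, 32 special, 10 digits = 94.
CLASSES = {"lower": 26, "upper": 26, "special": 32, "digit": 10}
ALPHABET = sum(CLASSES.values())  # 94


def count_satisfying(length, required):
    """Count strings of `length` characters drawn from all 94 symbols that
    contain at least one character of every class named in `required`.

    Inclusion-exclusion: start from the full space, subtract strings missing
    each required class, add back strings missing two classes, and so on.
    """
    required = tuple(required)
    count = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            alphabet = ALPHABET - sum(CLASSES[c] for c in missing)
            count += (-1) ** k * alphabet ** length
    return count


def admissible_fraction(length, required):
    """Share of the full ALPHABET**length space a composition rule admits.

    This is exactly the part of the space a guesser who knows the rule must
    still cover; (1 - fraction) is what the rule lets them dismiss unseen.
    """
    return count_satisfying(length, required) / ALPHABET ** length


def single_class_fraction(length, cls):
    """Share of the space made of one class only (e.g. all lower case)."""
    return CLASSES[cls] ** length / ALPHABET ** length


if __name__ == "__main__":
    # Assumed policy: one of each class, as in the post's example company.
    policy = ("lower", "upper", "special", "digit")
    for n in (6, 8):
        admitted = admissible_fraction(n, policy)
        print(f"length {n}: rule admits {admitted:.1%} of the {ALPHABET}^{n} space, "
              f"so a guesser who knows it skips {1 - admitted:.1%}")
    print(f"all-lower-case 6-character strings: {single_class_fraction(6, 'lower'):.4%}")
```

Because the count is exact, the same function also shows the flip side the post mentions: the longer the minimum length, the smaller the share of the space a one-of-each rule removes.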
My suggestion? These 'requirements' hold all users to the same standard. I would randomly assign each user some variant of the rules. This user needs six characters and one digit. That user needs eight characters, but three digits and one upper-case letter. This other user needs six again, but two upper-case letters and no minimum number of digits. The variant would be assigned randomly and persist for that user, with the actual restrictions known only to IT Security and the user him/herself.
With that, the hacker doesn't know any range by which to limit their cracker programs, which forces them to search the entire tree of passwords rather than the one branch current IT Security points out for them.
Does this make sense? Currently, I think so. :) At least, it removes the implicit crutch many cracker programs can use these days. So yay!