Password policies
We now know about password cracking. So we can make some statements about the strength of a certain password stored in a certain way. Is this information sufficient for our organization? What more do we need to know?
Consider this: passwords are means to an end.
“If our adversaries get sufficient access to our password storage, then what are the chances that they also get access to whatever we have secured with them at this moment?”
• “What are the chances”
• “Sufficient access to storage”
• “Whatever we have secured with them”
• “At this moment”
Password policy dimensions (diagram: recovery, hacking, phishing and login as routes into the password storage; the labels password interaction, password storage, password strength, secured data and services, and password coverage mark the dimensions)
Password policy dimensions
Password coverage: To what extent do we rely on this password?
Password strength: What is the password and how is it stored?
Password interaction: What kinds of interaction with our password storage exist?
Password lifetime: For how long do we rely on this password?
Forces
For each dimension, there is a trade-off between security and usability. We’re not concerned about usability because we’re nice people, but because bad usability results in adverse effects on our organization.
First: the world of well-behaved users
Then: the world of low usability
Dimension 1: password strength The actual passwords can be influenced by enforcing a password generation strategy. The goal is to influence entropy (given the strategy) and usability.
Inkblots: a small study by Adam Stubblefield @ Microsoft Research, 2004
A small test on 25 people:
• 20 people remembered the password the day after
• 18 people remembered the password a week later
• those who forgot, forgot just one picture / two characters
The entropy wasn’t thoroughly investigated, but only reasoned about.
Dimension 2: password coverage
Boils down to: how many and what services do we protect with each password?
What services: this can simply be chosen by the policy designer.
How many services:
• Unique password per service: high security, low usability
• Single sign-on: low security, high usability
Dimension 3: password interaction
In what ways is it possible to interact with our password storage?
(diagram: phishing access, reset access, hack access and normal access, reaching the storage through the reset interface and the login interface)
Dimension 4: password lifetime Boils down to: for how long is a password valid? But also: password history.
The world of low usability (diagram: well-behaved user vs. rebel user under low usability)
What do rebel users do?
• Try to lower the password entropy
• Introduce new password storages
• Call the help desk. A lot.
“Adam Roderick, director of IT services at Aspenware, tells Ars that he frequently hears from client companies that a quarter to a third of all help-desk requests are the result of forgotten passwords or locked accounts.”
Dimension 1: password strength Complexity requirements: Minimum complexity becomes actual complexity. Users start using very common passwords, such as ‘123456’.
Dimension 2: password coverage
• Users employ predictable patterns: commonpswd + servicename
Dimension 4: password lifetime
REACTION: users immediately reset the password to an earlier password.
ACTION: enable password history: the last x passwords can’t be used.
REACTION: users immediately reset the password x times and then to the earlier password.
ACTION: also enforce a minimum password age.
REACTION: users now have issues when they actually need a reset.
ACTION: remove the minimum password age, set x to infinity.
REACTION: passwords get written down, get saved in a file, or users start using password managers.
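The history and minimum-age rules from this action/reaction chain, modelled as a small added example (not code from the slides): the policy parameters, the SHA-256 stand-in for the stored hash, and the rebel_cycle simulation are constructed for illustration. It shows why history alone can be cycled through in one sitting, and why adding a minimum age also blocks the legitimate same-day reset.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:
    history_depth: int      # "the last x passwords can't be used"
    min_age_days: int = 0   # 0 means no minimum password age is enforced


@dataclass
class Account:
    policy: PasswordPolicy
    # Hashes of previous passwords, oldest first. Constructed demo: a real
    # system would store salted, slow hashes (bcrypt/argon2), not bare SHA-256.
    history: list = field(default_factory=list)
    last_change_day: int = 0

    @staticmethod
    def _digest(password: str) -> bytes:
        return hashlib.sha256(password.encode("utf-8")).digest()

    def change_password(self, new_password: str, today: int) -> bool:
        """Apply the policy to a change request; return True if it is accepted."""
        # Minimum age: only checked once the account has a password at all.
        if self.history and today - self.last_change_day < self.policy.min_age_days:
            return False
        depth = self.policy.history_depth
        recent = self.history[-depth:] if depth > 0 else []   # [-0:] would be the whole list
        new_hash = self._digest(new_password)
        if any(hmac.compare_digest(new_hash, old_hash) for old_hash in recent):
            return False                                       # reuse of one of the last x
        self.history.append(new_hash)
        self.last_change_day = today
        return True


def rebel_cycle(policy: PasswordPolicy, favourite: str, x: int, today: int) -> bool:
    """Simulate the slide's rebel user: the password set on day 0 expires on
    `today`; the user churns through x throwaway passwords and then tries to
    return to the favourite. Returns True if the favourite is accepted again."""
    acct = Account(policy)
    acct.change_password(favourite, today=0)
    for i in range(x):
        acct.change_password(f"throwaway-{i}", today)   # constructed filler values
    return acct.change_password(favourite, today)
```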
Dimension 3: password interaction (diagram: hacker access and intruder access to passwords kept in the office, in a password manager, or on a post-it)
Conclusions
When considering passwords, do not only consider the passwords themselves, but also how they are accessed, what they are used for and for how long they are used. In all of these dimensions, there will be a trade-off between security and usability. Low usability may backfire: your users will deviate from your policy in unpredictable ways, rendering it useless.