
Password length vs. complexity vs. getting rid of the darn things

July 28th, 2006 Michael Farnum

Roger Grimes has an article at InfoWorld about the length of passwords versus their complexity.  I agree with Roger’s assertion that password length is better than complexity.  I have been told by many a security consultant to make the third character a special character, or make the fifth character uppercase, blah blah blah.  This just does not work.  I crack passwords as part of my security manager duties, and length has always trumped complexity.

The main reason is because of the good ol’ human factor, and Roger points out some of the issues below:

  • People typically stick with a few characters, even if you try to force complexity.
  • People are predictable, so dictionary attacks can be written based on known patterns.
  • Handing out complex passwords will piss people off and make them write the passwords down.

So what to do, what to do?  Well, make the passwords longer.  Enforce length, then tell people to simply use a sentence of over 10 characters.  It could be “Bob is a big fat loser” (no, I don’t know who Bob is – maybe that damn AccountTemps guy), or it could be “I got my nails done on Tuesday”.  Anything like that gives you what you need.  Dictionary attacks are not going to work against that, and the sheer length makes brute force impossible.
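To put numbers on the length-versus-complexity argument, here is a small added example (mine, not from the original post or from Roger’s article). It estimates the brute-force search space of a password from the character classes it actually uses, checks the password against a tiny constructed wordlist after undoing common substitutions like “@” for “a”, and enforces a length-first policy. The guess rate of one billion guesses per second and the wordlist are assumptions chosen for illustration.

```python
import math
import string

# Character classes an attacker would have to include in a brute-force alphabet.
# The sizes are the usual printable-ASCII counts; the space is counted as special
# so that sentence-style passphrases are handled.
CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "special": (set(string.punctuation + " "), 33),
}

# Constructed wordlist for the dictionary check (assumption, not a real list).
WORDLIST = {"password", "welcome", "letmein", "monkey", "dragon"}

# Common "leet" substitutions that complexity rules encourage and that
# pattern-based dictionary attacks simply undo.
LEET = str.maketrans({"@": "a", "0": "o", "$": "s", "1": "i", "3": "e", "!": "i"})


def alphabet_size(password: str) -> int:
    """Sum of the sizes of the character classes present in the password."""
    size = 0
    for chars, n in CLASSES.values():
        if any(c in chars for c in password):
            size += n
    # Anything outside the four ASCII classes (e.g. non-ASCII) is counted as one
    # extra class of 128; this is a rough assumption, not a standard figure.
    if any(not any(c in chars for chars, _ in CLASSES.values()) for c in password):
        size += 128
    return size


def search_space_bits(password: str) -> float:
    """log2 of the brute-force search space, alphabet ** length."""
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


def brute_force_years(password: str, guesses_per_second: float = 1e9) -> float:
    """Worst-case years to exhaust the search space at the assumed guess rate."""
    if not password:
        return 0.0
    space = alphabet_size(password) ** len(password)
    return space / guesses_per_second / (365 * 24 * 3600)


def is_dictionary_variant(password: str) -> bool:
    """True if the password is a dictionary word once case and leet-speak are removed."""
    normalized = password.translate(LEET).lower()
    stripped = normalized.strip(string.punctuation + string.digits)
    return normalized in WORDLIST or stripped in WORDLIST


def meets_policy(password: str, min_length: int = 10) -> bool:
    """Length-first policy: any characters at all, as long as it is not a
    dictionary-word variant and is at least min_length characters long."""
    return len(password) >= min_length and not is_dictionary_variant(password)


if __name__ == "__main__":
    for pw in ["P@ssw0rd", "Bob is a big fat loser"]:
        print(f"{pw!r}: {search_space_bits(pw):.1f} bits, "
              f"~{brute_force_years(pw):.2e} years, policy ok={meets_policy(pw)}")
```

Running the block shows the eight-character “complex” password sitting around 53 bits (a fraction of a year at the assumed rate, and rejected outright as a leet variant of “password”), while the lower-case sentence with spaces is well over 120 bits, which is the “brute force impossible” regime the paragraph describes.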

Of course, I would like to get rid of ‘em altogether, or at least get rid of passwords as they are today.  They are a nuisance, plain and simple.  Multi-factor authentication is one answer.  I know it is susceptible to man-in-the-middle attacks, but how many networks are going to have this problem if other security measures are in place (dang defense-in-depth keeps coming back up every time I turn a corner!).  I tend to favor the passive RFID card / PIN combination over the active RFID, smart card, or token / PIN combo.  It is simpler than the token (even though it seems really simple, users get so hung up on combining a six-digit number with a four-digit PIN – don’t ask me why), and it is more secure than the smart card or the active RFID (very limited range compared to the active RFID, and it typically contains no identifiable info compared to the smart card).

One limitation to RFID cards is remote users, but readers are getting more and more common in laptops.  Or you can implement a smaller token-based system for those users, though administration may turn into a headache.

But here’s a caveat, no matter which way you go: you really need a single sign-on solution backing up a multi-factor authentication implementation.  This scenario seems to make a lot of sense for a few reasons:

  • It eases the administrative burden for the IT department because, if implemented correctly, your password reset burden should go down to almost nil.
  • It eases (possibly almost eliminates) password complaints and written-down passwords.
  • It has the bonus of actually easing the login process to the network and the applications.

I know it is not the end-all-be-all, but multi-factor authentication is definitely a strong layer in your defenses.  Think about it.

Vet

Categories: Passwords, Security