BAD TROUBLESHOOTING 101 (part 4 of many): Give EVERYONE the opportunity for a short password!!

shawnrab — Tue, 22 Aug 2006 22:40:00 GMT

OK. Let me get this perfectly straight. I am not going to give you a new way to do your passwords like Robert Hensing (http://blogs.technet.com/robert_hensing/archive/2004/11/12/256648.aspx) or former Microsoftie Jesper Johansson (http://blogs.technet.com/jesper_johansson/archive/2005/10/13/410470.aspx or http://www.microsoft.com/technet/security/secnews/articles/itproviewpoint110104.mspx). I am griping about short password policies. I was asked a question last week, "How do I prove to a customer that a six-character password policy is too short?" It wasn't the question that irked me, it was the thought that people have to actually *ask* that question. Six character passwords are to hackers like opponents are to Tiger Woods with the lead on Sunday at a Major. The red shirt makes it like everyone else starts off with a 4 on their scorecard before they ever hit the course.

The answer is a pretty easy one... Or is it? Password crackers can see passwords with less than 8 characters immediately. OK, so you know immediately that you have a limited character set to work with. At that point you *hope* that you have end users that use longer passwords. Well, what about social engineering? How many end users encorporate one of the following in their password:

Spouse's name?

Spouse's maiden name?

Kids' names?

Parents' names?

Pets' names?

Favorite sports team?

College attended?

Favorite hobby?

Make of vehicle?

Favorite movie?

Most recent movie they liked?

Favorite TV show?

Favorite actor/actress?

Favorite pro/college athlete?

A study was once done (I can't disclose details about it because it names a lot of names) showing that those 14 items would get well over half of passwords if they were included in a dictionary with hybrid capability ("password" could also be interpreted as "P@$$w0rD")

So you could potentially have a middle school student go into the cafeteria and hand out a survey for a "science project" and populate your dictionary file and then use a popular password cracker to run attacks against the shorter passwords and get quick results. Personally, I would be guilty of a few of those, but I am smart about it. I use a larger character set. One of my old passwords was a tribute to one of my favorite athletes "J0hn3lw@yH@ll0fF@m32004".

I wonder how many administrators you would get with the social engineering? I wonder if a middle school student added a 15th question "What is your favorite password?" How many would you get? That is a question for another day. I'd be interested in seeing how many of those you would get.

So I really haven't done anything definitive to prove that 6 character passwords are *that* bad. I have said something about password crackers and social engineering, but what's really the hold up here?

In my days in Product Support Services, I took about a hundred calls from customers who liked blank passwords and their new "0wn3r" liked those blank passwords as well. Can you count on your end user knowing better? Here's what I would like to see. I would like to see a video similar to those you see in an alcohol or drug or smoking or bad driving course. Your lungs will look like "this" when you're 50 if you use short and bad passwords. Seriously though, there needs to be a level of accountability there. Put the fear into the end user. If your password is the one that exposes Colonel Sanders' secret formula, you're fired.

So what are you preventing? The sticky note on the monitor or under the keyboard? A helpdesk call from someone who forgot their 9 character password? How about this? Go and print out 50 flash cards with inanimate objects on them and give everyone a deck of those cards and a roll of tape. Educate them to use something they can easily remember and the flash card to construct their password. So for me, my daughter's name is Georgia and her birthday is 5/26 and if I had a flash card with an apple on it, I could have a password like "Georgia5@^Apple"

That's not too bad, right? You can argue that there is capability of inside attacks at that point, but you can take it a step further. I could have a green apple and a red apple. Or a golden delicious apple. Or have four pictures on the flash card and instruct the user to remember one of them and not use the card again. 50 cards would get about five years of use with a 42 day expiration

I guess the justification is that it may or may not cost more to educate the user than it would cost to have everything 0wn3d. I am certainly glad that in some organizations there are compliance police that enforce these things and even better who are doing away with passwords and moving to two-factor authentication. But for those who still need to use passwords, please - educate your user. If a person can remember a 9-digit phone number, you can find a way for them to remember a 9 character password.

This posting is provided "AS IS" with no warranties, and confers no rights.

Shawn's MIIS/ILM Tricks, PKI Hints, and Résumé Writing Prevention Tips : Passwords

BAD TROUBLESHOOTING 101 (part 4 of many): Give EVERYONE the opportunity for a short password!!