
Simplifying Password Complexity

Steve Simpson CISSP, Principal Consultant, Infosec Plus Consulting

Introduction

How many passwords do you currently have to remember? I don't know the actual statistics, but surely these days most people must have to remember the passwords to four or more applications or functions at any one time. Those of us that work in IT quite often have to remember considerably more. It is for this reason that it is the IT community that tends to become the most complacent and ends up having the worst personal practices for selecting and employing passwords. ICT business users will (I hope) have to remember a password for logging on to their business computer; some will have more than one account depending upon the function they are providing. Many applications will have separate password requirements, as could email programs. Even at home, where you may not have to log into your computer, you need passwords for each of your email accounts, for accessing various websites and bank account details, for configuration of your ADSL router and many others. The sad thing is that the more passwords we have to remember, the slacker we tend to become in the way that we select and handle them.

I consider myself fortunate in that wherever I have worked there has been a good security policy in force which mandates the use of strong passwords. I say fortunate because this shows me that the organisations I have worked for take the security of the information on their systems seriously, and it therefore gives me confidence that any information I store there is going to receive a good degree of protection.

However, in the past I have worked as a helpdesk operator, IT support technician and system administrator, and now as a security consultant. In each of these areas I have regularly faced resistance to the application of strong password policies. Sometimes I have faced resistance to implementing any password-controlled access at all. This resistance has also surprised me on occasion by coming from high levels of management within an organisation. The most common excuse for this resistance seems to be a belief that the more complex a password is and the more often it is changed, the more likely it is to be forgotten, and therefore the more likely it is that the password will have to be written down, hence risking compromise. This is true to a certain extent, but if passwords are being easily forgotten then it could be that some methodology for selecting them needs to be adopted. It is difficult to change this attitude, but we can reduce the amount of resistance through logical policy enforcement and through user education.

Appropriate Password Policy?

Is the password policy being enforced through your organisational system security policy appropriate to the highest value of the information assets that can be accessed using that password? It could be that the policy is too strict when the value of the information assets on that system is assessed. Or it could be that the value has been underestimated and therefore a more secure password policy may be required. When reduced to basics, we use passwords to provide system owners with a means of identifying individual users and, if authenticated, granting them the appropriate access authority for that system. The level of protection for an access password, though, must depend upon the value of the information it is protecting.

For example: if you have an administration computer system that only contains information about the stock and order levels of the company's stationery cupboard, then this system is unlikely to require strong means of identification and authentication. However, if that same system also had an area that contained the personal details of all company employees or the payroll and banking details, then the means of identification and authentication needs to be considerably stronger. The stronger the password, the harder it is for a potential attacker to gain access and therefore the greater the protection you are giving the data held on the system. Even if a user in the second example only has a business need to access the stationery orders, the strength of their password needs to be the same as that of the CFO accessing the payroll information. The reason is that if an attacker managed to obtain the username and password of the stationery clerk, they could use this as a starting point to breach the system border and launch their attempt to gain access to the CFO's data. This is a simple example, but it demonstrates the underlying theory for employing an appropriate level of password strength across the enterprise.

This is of course a greatly simplified example avoiding such topics as the mathematical calculation of password space, the use of cryptographic algorithms, hashing and salting. Specialist advice should be sought on these topics if the information assets that you are protecting have extreme sensitivity or where national security is concerned.

Complexity Issues

When a new system is introduced, or security on an existing system is increased due to the introduction of more sensitive information assets, the change in 'user culture' must be carefully managed. A project introducing a new system can be doomed to failure if the users resist so much that the new system is not used to its full potential and therefore does not bring the business benefits promised in the business plan or PID.

If we have assessed the level of authentication and identification appropriate to the system, then to reduce the resistance to having complex passwords, all users need to have a degree of awareness of the reasoning behind it. It is best practice (and mandatory for compliance with some governance standards) for all users of business systems to receive at least annually some form of security awareness training. This training should include good factual explanations of the need for the password policy being implemented. Training needs to include an explanation of the ways that attackers can discover weak passwords, through such means as dictionary attacks and social engineering techniques. However, in addition to this, what can really make a difference is to explain to a user how they can generate strong passwords that are relatively easy for them to remember. There are many ways that this can be achieved, but my personal favourites include those listed below.

There are four types of character that can be included in a complex password:

Lower case alphabetical characters (abc etc.)

Upper case alphabetical characters (ABC etc.)

Numbers (0123456789)

Special characters (!@#$%^&*()_+[]\{}|;':",./<>?). Note that not all systems will accept all of these characters; advice on this may need to be sought from your helpdesk or local support.

Common implementations of complexity requirements require that at least two or three of the four types of character listed above appear in a password for it to be compliant with policy. Whether it is heeded or not, the majority of system users will be aware that passwords should not consist of words, numbers or phrases that could be linked or directly attributed to them. So names and birthdays etc. are normally out of the question (taboo). However, there are a few techniques shown below that can be employed which make passwords relatively complex while keeping them simple enough to remember.

Randomising capitals

This allows two of the complexity character types to be used in a password, so that the plain dictionary password widgets could become wIdGeTs or WidGETs. A single 7 letter word has (by my weak math standard) just developed a maximum of 128 password combination possibilities. Whilst it is not good practice to say so, this complexity could mean that even when a password has been poorly chosen (in that it is a word or number that can be directly linked or attributed to the user), it is not going to be simple for an attacker to guess correctly within the number of attempts permitted in policy.

Character/number substitution

Again using two of the complexity character types, this involves replacing alphabetical characters with similar looking numbers or characters, so the letters I or L (in lower or upper case) could be substituted with the number 1, the letter o can be substituted with the number 0, the letter g can be replaced with the number 8, and so on. Now the same dictionary password widgets can be made more complex to become w1d8ets or other combinations.

Randomising capitals and character/number substitution combined

This employs three of the four complexity character types and therefore greatly increases the complexity of the password, taking the possible password combinations way beyond my mathematics capabilities (not least because no one can know how you will interpret numbers looking like letters etc.). Our example of widgets as a password could now become w1d8ETs or W1dgeTs or many others.

Special character substitution

To include the fourth complexity character type, we can replace letters or numbers with any of the special characters found by holding the shift key down on your keyboard. If your chosen password is a number, then you can easily hold the shift key down while typing one or more of the digits to make it much more complex, so the password 1234567 could become !@#4567 or 123$%67, and once again a 7 character password has gained instant complexity. You can also take special characters that look like numbers or letters and place them in your passwords in a similar way to what we did with numbers and letters. So the letters I or L could be replaced with the special character !, the letter o or number 0 could be replaced with the special character @, or the number 7 could be replaced with ?.

These can of course all be combined to good effect, so that the original password of widgets can become w!d8tS, which utilises all 4 complexity character types in a 7 character password that is not much harder to remember than the original word 'widgets'. Suddenly the taboo passwords mentioned earlier have new connotations that can make them acceptable in some cases.

Simplification Tips

These are all good techniques that can be used to obfuscate a known word or number, but they may still only be acceptable on a system where the requirement is for minimum to moderate access security. Systems that require stronger or longer passwords (or even passphrases) bring with them more difficult choices when it comes to selecting the starting password. At the most extreme end of my personal experience I have seen a system where the minimum password length was 15 characters with 3 out of the 4 complexity types needed. For selecting memorable passwords for these systems I use the following technique.

For this method you need to select a baseline sentence or line that is familiar and memorable to you. Suggestions for this could be a favourite line from a song or poem, or a phrase or saying. For the purposes of this explanation, though, I shall use the well-known test sentence:

‘the quick brown fox jumps over the lazy dog’

From this starting base there are many options that you can select from, depending upon the required password length. By taking the first letter from each word we instantly have a 9 character password tqbfjotld that is easy to remember but difficult to guess. Alternatively, by taking the first two letters from each of the words we have a memorable 18 character password thqubrfojuovthlado. By taking the first 3 letters from each of the first 4 words we have the 12 character memorable password thequibrofox. For those that want to be really cryptic, you can alter the number of letters selected from each word, such as theqbrofjumotheldog, or take the last letter from each word to make eknxsreyg. The possibilities are almost endless, and I am sure you have already realised that these long but memorable passwords can be made even more secure and complex when combined with the obfuscation and substitution techniques covered in previous paragraphs.
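As an added example (not from the article), the Python below turns the article's four character classes, its i/l, o, g substitution table and the phrase techniques above into a small policy checker, and shows something the text only implies: a phrase-derived password such as thqubrfojuovthlado is long but contains a single character class, so it only meets a 3-of-4 policy once substitution and capitalisation are applied. The 15-character and 3-of-4 thresholds, the substitution table and the function names are assumptions chosen for illustration.

```python
import string

# The four complexity character classes the article names; the special set is
# the one the article lists (not every system accepts all of them).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": "!@#$%^&*()_+[]\\{}|;':\",./<>?",
}
# Constructed substitution table following the article's examples:
# i/l -> 1, o -> 0, g -> 8 (so widgets -> w1d8ets).
SUBST = {"i": "1", "l": "1", "o": "0", "g": "8"}


def char_classes(pw):
    """Return the set of complexity classes present in a password."""
    return {name for name, chars in CLASSES.items() if any(ch in chars for ch in pw)}


def meets_policy(pw, min_len=15, min_classes=3):
    """Policy check modelled on the strictest system in the article:
    15+ characters and 3 of the 4 classes (both thresholds are assumed defaults)."""
    return len(pw) >= min_len and len(char_classes(pw)) >= min_classes


def first_letters(phrase, n=1):
    """First n letters of each word: n=1 gives tqbfjotld, n=2 the 18-character form."""
    return "".join(word[:n] for word in phrase.split())


def last_letters(phrase):
    """Last letter of each word: eknxsreyg for the fox sentence."""
    return "".join(word[-1] for word in phrase.split())


def substitute(pw, table=SUBST):
    """Character/number substitution using the table above."""
    return "".join(table.get(ch, ch) for ch in pw)


def case_variants(word):
    """Distinct capitalisation patterns of a word: 2 per letter (widgets -> 128)."""
    return 2 ** sum(ch.isalpha() for ch in word)


if __name__ == "__main__":
    phrase = "the quick brown fox jumps over the lazy dog"  # the article's base sentence
    base = first_letters(phrase, 2)  # 18 characters, but a single character class
    for pw in (first_letters(phrase), base, substitute(base), substitute(base).capitalize()):
        print(f"{pw:20} len={len(pw):2} classes={len(char_classes(pw))} policy_ok={meets_policy(pw)}")
```

Running it shows the 18-character form failing the policy until one substitution pass and a capital letter bring it to three classes.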


However you choose to select your password, there are a couple of tips that make remembering a password somewhat easier.

On the day that you come in to work and discover that you have to change your password, do not do it immediately. Take a little time to consider the complexity options shown here but above all make sure that the base word or phrase that you select is one that you know you will remember.

Then, after you have changed your password, log off every hour or so throughout the day and re-enter the new password. It can be a bit of a pain to do, but our brains work well at remembering things that we do repeatedly, and this will greatly assist you in remembering your new password the next time you try to log on.

There will always be users fighting to resist change, but I am sure that the majority of users will accept the changes more readily when an understandable justification for the need for password complexity is given, and when they are provided with the knowledge allowing them to create complex yet memorable passwords.


Based in Perth, Western Australia, Infosec Plus Consulting is able to provide tailored, vendor-neutral information security business advisory services. Services include:

Data Loss Assessments Data loss is a serious concern for all organisations. Many organisations each year never manage to recover from a security breach. Infosec Plus can provide you with assurance through a holistic review of your business policies, processes and procedures to establish where you may be susceptible to data loss, allowing you to assess the risks and apply targeted risk mitigation controls.

Holistic Security Review A holistic review of your organisation's information security, including technology, procedural, physical and personnel security measures.

Risk Assessment/Management Assessing the risk from specific threats will give you the ability to apply the most efficient and cost effective security measures. The introduction of a risk management program can considerably reduce operational costs.

PCI Compliance Review All organisations that store, process or transmit credit card information must comply with the Payment Card Industry Data Security Standard (PCI-DSS). Infosec Plus can guide you through this process and provide you with the information you need to gain and maintain compliance with this exacting standard.

Security Awareness The single most effective way to reduce data loss and increase the security standing of your organisation is through the introduction of a security awareness program. Infosec Plus can guide you through the development of an awareness program and can provide one to one or one to many training sessions to get the security message across.

Network Access Control All organisations need to protect their valuable business and personal data in the face of the ever increasing need for system interconnectivity. Infosec Plus can guide you through the process of developing a Network Access Control policy that will allow day to day business to continue in the safest possible manner.

Project Augmentation If you are running or planning a project that needs to include security representation, Infosec Plus can provide a consultant to join your team providing expert security advice to ensure that the project provides the security that your business information assets require.
