Password Policy Formulation Whitepaper


7/29/2019 Password Policy Formulation Whitepaper

Password Policy Formulation

Key Considerations and Challenges

Contents

1 Why organisations establish password policies
2 The influence of policy on password practices
3 Password policy decisions are multi-faceted
4 The bottom line findings


1 Why organisations establish password policies

For many organisations, passwords are the primary defence against unauthorised access to key systems and data, and are here to stay for the foreseeable future.

The fundamental method of protecting access to computers and networks, the password, is still in use as the primary authentication credential for most systems today. Password policies are necessary to protect the confidentiality of information and the integrity of systems by keeping unauthorised users out of these computer systems. Password policies, however, also introduce their own set of risks, namely user confusion, system denial-of-service issues and user education problems. For this reason, careful consideration should be given when formulating these policies, taking into account the design, user base and information risk appetite of the organisation.

2 The influence of policy on password practices

Whilst users are aware of the need for strong passwords, this need is balanced against the usability and productivity impacts of entering and recalling complex and long passwords.

According to a 2010 study on the implications of password policies [1], insecure passwords are not the result of user carelessness, but rather of inadequate policies that force users to adopt behaviours such as writing passwords down in order to help them comply, rather than helping them select secure passwords. In a study performed by Carnegie Mellon University [2], less than 18% of users were able to select a password that complied with strict password policies the first time around.

In addition to the security concerns of policy decisions, the same 2010 study found that forcing users to comply with policies which meet the maximum theoretical risk is a huge cost, not only in monetary terms but also in terms of the most valuable resource any organisation has: the goodwill of organisation members.

However, mandated policies are necessary as users cannot be relied upon to select and manage their passwords in a secure manner without some form of enforced control. In fact, a study published in the Journal of Management Information [3] found no immediate correlation between users' selection of password strength and the sensitivity of the systems they are meant to protect. Furthermore, the Ponemon Institute's 2012 report shows that only 29% of users would use passwords if they were not forced to.

[1] Inglesant & Sasse, Dept of Computer Science, University College London, 2010
[2] Komanduri, Shay et al., Of Passwords and People: Measuring the Effect of Password-Composition Policies, Carnegie Mellon University, 2011
[3] Zviran and Haga, Password Security: An Empirical Study, 1999

Poor password practices account for 20% of the risky practices of employees, according to the Ponemon Institute's 2012 study.

55% of users write their passwords down.

76% of users never change their passwords.


3 Password policy decisions are multi-faceted

Pragmatic, risk-adjusted policy enables users to adopt secure passwords that they can remember.

Standard passwords shorter than 12 characters can now be easily broken with a PC and a graphics processor [4]. Alternative approaches are therefore needed for the selection of stronger passwords. It is now widely agreed [5, 6] that mnemonic techniques are the most effective way for users to formulate strong passwords that are also memorable; for example, the phrase "you're just another brick in the wall" could yield the password "yjabitw", which further tweaked using substitution yields "yj@B!tW".

While the National Institute of Standards and Technology (NIST) states that the probability of success of an on-line password guessing attack should not exceed 1 in 16,384 (i.e. 14 bits of entropy), passphrases that comprise more than 2 unlinked words can provide up to 20 bits of entropy [7], and mnemonics of only 6 characters can provide a full 24 bits of entropy and are 63% less likely to be cracked [8].

Figure 1: Relative entropy of passwords [5]

"Length is a major factor in protecting against brute forcing a password, and every time you add another character, your protection goes up exponentially, by 95 times. But adding numbers, symbols and uppercase characters further significantly increases the time needed to decipher a password," says Georgia Tech Research Institute's Joshua L. Davis [6].

A recent study by Gartner [5] used empirical testing and standard distributions to calculate the most effective password length and complexity requirements that would yield strong passwords with sufficient entropy that were also memorable. The following table summarises the results:

Selection technique     Entropy per character   Low risk user [9]   High risk user [9]
Randomly generated      Very high (6.5)         4                   7
Complex mnemonic        High (5.7)              5                   8
Strong chosen string    Medium (4.3)            6                   10
Weak chosen string      Low (2.5)               10                  18

Figure 2: Minimum password length based on complexity (entropy) of selection technique

Selecting these lengths as your policy would yield at least 1 year's protection from online guessing attacks [10]. Passwords beyond these lengths were found to be counter-productive unless written down. However, frequently used passwords have a higher tolerance for more complexity [11].
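As an added illustration (not code from the whitepaper or from the Gartner study it cites), the following Python reproduces the length calculation behind Figure 2 from the entropy-per-character figures and the footnote 9 targets, and bounds how long the footnote 10 lockout rule (5 failures, then an 8 hour lockout) keeps an online guesser below the expected point of success. Rounding up reproduces the low-risk column exactly; with a 46-bit target it gives one character more per row than the page's high-risk column, so the high-risk target should be treated as approximate.

```python
import math

# Entropy per character of each selection technique, as given in the
# whitepaper's Figure 2, and the per-user-class targets from footnote 9.
ENTROPY_PER_CHAR = {
    "random": 6.5,
    "complex_mnemonic": 5.7,
    "strong_chosen": 4.3,
    "weak_chosen": 2.5,
}
TARGET_BITS = {"low_risk": 25, "high_risk": 46}


def min_length(technique, user_class):
    """Shortest length at which length * entropy-per-character reaches the target."""
    return math.ceil(TARGET_BITS[user_class] / ENTROPY_PER_CHAR[technique])


def online_guesses_per_year(attempts_before_lockout=5, lockout_hours=8):
    """Upper bound on guesses per account per year under the lockout rule of
    footnote 10 (5 failures, then an 8 hour lockout), assuming the attacker
    resumes the moment each lockout expires."""
    return attempts_before_lockout * (24 // lockout_hours) * 365


def years_of_protection(bits, attempts_before_lockout=5, lockout_hours=8):
    """Years until an online guesser has covered half the keyspace, the point
    at which success becomes expected."""
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / online_guesses_per_year(attempts_before_lockout, lockout_hours)


def policy_table():
    """Minimum length per technique for both user classes, in Figure 2 order."""
    return [(t, min_length(t, "low_risk"), min_length(t, "high_risk")) for t in ENTROPY_PER_CHAR]


if __name__ == "__main__":
    print(f"{'technique':18} low  high")
    for technique, low, high in policy_table():
        print(f"{technique:18} {low:3d}  {high:4d}")
    for user_class, bits in TARGET_BITS.items():
        years = years_of_protection(bits)
        print(f"{user_class}: {bits} bits gives {years:,.0f} years against lockout-limited online guessing")
```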

[4] Using NVidia CUDA GPU arrays, attacking offline password databases and hashes
[5] A. Allen, Passwords Are Near the Breaking Point, Gartner, 2004
[6] The Power of Graphics Processing Units May Threaten Password Security, Georgia Tech Research Institute, 2010
[7] Bonneau & Shutova, Linguistic properties of multi-word passphrases, University of Cambridge, 2012
[8] Kuo, Romanosky & Cranor, Human selection of mnemonic phrase-based passwords, Carnegie Mellon University, 2006
[9] Low risk users have 25 bits of entropy and high risk users have 46 bits of entropy.

Given the choice, users tend to avoid non-alphanumeric symbols, as passwords which contain such symbols are significantly harder to recall, according to Microsoft Research.

[Figure 1 plot: Entropy (bits) against Length (characters) for the Weak, Strong, Mnemonic and Random selection techniques]


With respect to password change behaviour, one should again reference the Inglesant & Sasse study, which found that users rarely change passwords unless forced to do so: less than 7% of users changed their passwords voluntarily, and of those, 50% did so because they had forgotten their initial password. For this reason, password change intervals should be considered based on the risk of exposure to guessing attack and the sensitivity of the data and systems they restrict access to.

Enforcing stronger passwords increases the entropy over the lifetime of the password, and as a result allows for less frequent changes. However, when considering change interval conditions within password policy, one must consider that strong passwords offer no protection against phishing or key-logging attacks, or against the breach of password hashes that are unsalted (such as Active Directory password databases). For this reason, password change intervals, together with the inclusion of compensating controls such as account lockout, must be considered.

Forced changes can, however, also introduce their own risk. For example, they may cause the user to just add a counter at the end of their existing password, which in fact decreases the entropy of the password. The value of password changes is further questioned in a study performed by the University of North Carolina [12], which found that, given a successful offline crack of a previous password or knowledge of the previous password, 17% of new passwords can be guessed within the first 5 attempts.

Assuming a normal distribution again, the following graph shows an approximation of the diminishing return of enforced password changes based on the lifespan of the user account and the time an attacker may have to try and guess or crack the password. This assumes, however, that usernames are not predictable. In environments where the username is predictable based on a numeric or standard alpha-numeric formula, the probability of brute-force attacks is increased, and as a result change intervals may need to be shortened.

Figure 3: Probability of compromise over time

Including time limiting methods (throttling, lockout and CAPTCHA) systematically reduces the effectiveness of straight brute force attacks, allowing for extended change intervals. Systems that notify the user of attempts to access their account and of the last login date should also be implemented as a means to balance the risk of extended change intervals.

Going even further, requiring a physically revocable second factor in the authentication chain negates the need for complex passwords and short change intervals. Such 2-factor systems should be considered for all high-risk accounts and systems.

Lastly, organisations should consider providing users with access to a secure password vault. These systems, now commonplace and available on mobile devices, allow for the selection and secure storage of very strong random passwords.

[10] Based on matched pairs of username (16 bit string) and password, with account lockout for 8 hours after 5 failed attempts.
[11] Florencio and Herley, Microsoft Research, 2007
[12] Zhang, Monrose & Reiter, The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis, University of North Carolina, 2010

[Figure 3 plot: Probability of compromise (%) against Time (months), with change and without change]

"If a password is used infrequently, and also forced to change, forcing this change makes users select easier to guess passwords, as they themselves will need to guess," says leading security expert Bruce Schneier.


4 The bottom line findings

The password as an authentication mechanism offers increasingly limited security, but the formulation and enforcement of appropriate policies can mitigate the risk it represents within organisations.

The research conducted in this paper and the experience and knowledge gained by KPMG at its various clients in the sectors of Education, Communication and Technology, Energy, Retail and Financial Services suggest that password policies be formulated that provide a balance of security and usability as follows:

1. For normal users, enforce complexity and a minimum length requirement of 6 characters, and remove the requirement for frequent changes. However, inform the user of all unsuccessful login attempts to their account and allow them to change their password at will.

2. For high risk users, enforce a minimum length of 8 characters with complexity, and a 90 day change interval. In addition, provide these users with access to an approved password vaulting system.

3. Implement password lockout settings that lock accounts for at least 8 hours after 5 failed attempts within a 24 hour period.

4. Configure the complexity rules to perform a dictionary check (which alone significantly raises the entropy of even a non-complex 8 character password by 6 bits [13]), and require an alpha, numeric and special character.

5. Consider 2-factor authentication technologies for all remote access and control remote access traffic through firewalls to isolate high-risk systems from standard users. If 2-factor authentication is not implemented, double the password length requirement from 6 to 12 and halve the change interval from 90 to 45 days for all privileged users.
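An added example, not part of the whitepaper, of how recommendations 1 and 3 combine in code: a sliding 24 hour window of failed attempts triggers an 8 hour lockout after the fifth failure, attempts made during the lockout are rejected without a credential check, and every rejected attempt is counted so the account owner can be told about it at their next successful login. The usernames and timestamps are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Recommendation 3 as parameters: lock for at least 8 hours after 5 failed attempts
# within 24 hours. Recommendation 1 also wants the user told of every unsuccessful
# attempt, so failures are counted and reported back at the next successful login.
MAX_FAILURES = 5
FAILURE_WINDOW = timedelta(hours=24)
LOCKOUT_DURATION = timedelta(hours=8)

class LockoutPolicy:
    def __init__(self, max_failures=MAX_FAILURES, window=FAILURE_WINDOW, lockout=LOCKOUT_DURATION):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(deque)  # user -> failure times inside the window
        self.locked_until = {}              # user -> time the lockout expires
        self.unreported = defaultdict(int)  # user -> attempts since last successful login

    def record(self, user, success, now):
        """Apply one login event. Returns (decision, attempts_to_report); the count
        is non-zero only on an allowed login, when the user should be notified."""
        if now < self.locked_until.get(user, datetime.min):
            self.unreported[user] += 1
            return "locked", 0  # rejected before any credential check
        if success:
            self.failures[user].clear()
            return "allowed", self.unreported.pop(user, 0)
        recent = self.failures[user]
        recent.append(now)
        while now - recent[0] > self.window:  # slide the 24 hour window forward
            recent.popleft()
        self.unreported[user] += 1
        if len(recent) >= self.max_failures:
            self.locked_until[user] = now + self.lockout
            recent.clear()
            return "lockout", 0
        return "denied", 0

def replay(events):
    """Run (user, success, timestamp) events through one policy instance in order."""
    policy = LockoutPolicy()
    return [policy.record(user, ok, ts) for user, ok, ts in events]

# Constructed sample: six wrong passwords for alice, then the owner logging in after
# the lockout; five failures for bob spread over 27 hours never fill a 24 hour window.
T0 = datetime(2013, 3, 4, 10, 0)
SAMPLE_EVENTS = (
    [("alice", False, T0 + timedelta(minutes=i)) for i in range(6)]
    + [("alice", True, T0 + timedelta(hours=8, minutes=30))]
    + [("bob", False, T0 + timedelta(hours=h)) for h in (-1, 10, 22, 24, 26)]
)
```

Running `replay(SAMPLE_EVENTS)` shows alice's fifth failure producing a lockout, the sixth rejected as locked, and her later login allowed with six attempts to report, while bob's spread-out failures are only ever denied.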

Whilst the efforts of companies such as Google to provide a ubiquitous and accessible authentication alternative are promising, the use of the password is certainly here to stay. For this reason, password policies, rather than the passwords themselves, will remain one of the primary security controls within organisations until the cost, distribution and usability challenges of more robust 2-factor systems are overcome.

[13] Burr, Dodson, and Polk, Electronic authentication guideline, National Institute of Standards and Technology, 2006


2013 KPMG Services (Proprietary) Limited, a South African company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of KPMG International Cooperative (KPMG International).

Contact us

Jason Gottschalk
T +27 82 719 1804
E [email protected]

or

Robb Anderson
T +27 82 719 2413
E [email protected]

www.kpmg.co.za