
password policies


Presentation Transcript


  1. password policies

  2. We now know about password cracking. So we can make some statements about the strength of a certain password stored in a certain way. Is this information sufficient for our organization? What more do we need to know?

  3. Consider this: passwords are means to an end. “If our adversaries get sufficient access to our password storage, then what are the chances that they also get access to whatever we have secured with them at this moment?”
     • “What are the chances”
     • “Sufficient access to storage”
     • “Whatever we have secured with them”
     • “At this moment”

  4. Password policy dimensions (diagram; labels: password strength, password storage, password interaction via login, recovery, hacking and phishing, password coverage of secured data and services)

  5. Password policy dimensions
     • Password coverage: to what extent do we rely on this password?
     • Password strength: what is the password and how is it stored?
     • Password interaction: what kinds of interaction with our password storage exist?
     • Password lifetime: for how long do we rely on this password?

  6. Forces. For each dimension, there is a trade-off between security and usability. We’re not concerned about usability because we’re nice people, but because bad usability results in adverse effects for our organization. First: the world of well-behaved users. Then: the world of low usability.

  7. Dimension 1: password strength The actual passwords can be influenced by enforcing a password generation strategy. The goal is to influence entropy (given the strategy) and usability.

  8. Inkblots: a small study by Adam Stubblefield @ Microsoft Research, 2004

  9. Inkblots: a small study by Adam Stubblefield @ Microsoft Research, 2004. A small test on 25 people:
     • 20 people remembered the password the day after
     • 18 people remembered the password a week later
     • those who forgot, forgot just one picture / two characters
     The entropy wasn’t thoroughly investigated, only reasoned about.

  10. Dimension 2: password coverage. Boils down to: how many and what services do we protect with each password?
     • What services: this can simply be chosen by the policy designer.
     • How many services:
       – unique password per service: high security, low usability
       – single sign-on: low security, high usability

  11. Dimension 3: password interaction. In what ways is it possible to interact with our password storage? (diagram; access paths: normal access, phishing access, reset access, hack access; interfaces: login interface, reset interface)

  12. Dimension 4: password lifetime Boils down to: for how long is a password valid? But also: password history.

  13. The world of low usability (diagram; labels: well-behaved user, low usability, rebel user)

  14. What do rebel users do?
     • Try to lower the password entropy
     • Introduce new password storages
     • Call the help desk. A lot. “Adam Roderick, director of IT services at Aspenware, tells Ars that he frequently hears from client companies that a quarter to a third of all help-desk requests are the result of forgotten passwords or locked accounts.”

  15. Dimension 1: password strength. Complexity requirements: the minimum complexity becomes the actual complexity. Users start using very common passwords, such as ‘123456’.

  16. Dimension 2: password coverage
     • Users employ predictable patterns: commonpswd + servicename

  17. Dimension 4: password lifetime
     REACTION: users immediately reset the password to an earlier password.
     ACTION: enable password history: the last x passwords can’t be used.
     REACTION: users immediately reset the password x times and then to the earlier password.
     ACTION: also enforce a minimum password age.
     REACTION: users now have issues when they actually need a reset.
     ACTION: remove the minimum password age, set x to infinity.
     REACTION: passwords get written down, get saved in a file, or users start using password managers.
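The action/reaction chain above, simulated as an added example that is not from the slides: a password store with a “last x passwords” history and an optional minimum age, and a rebel user who cycles through x throwaway passwords to get back to an old favourite. `Account`, `rebel_can_return` and the PBKDF2 parameters are assumptions made for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

def _hash(pw: str, salt: bytes) -> bytes:
    # Example parameters only; a real deployment tunes these separately.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)

@dataclass
class Account:
    history_len: int          # x: how many previous passwords are remembered
    min_age: int              # days a user must wait before changing again
    now: int = 0              # simulated clock, in days
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list = field(default_factory=list)   # digests, most recent last
    last_change: int = -10**9

    def set_password(self, pw: str, admin_reset: bool = False) -> bool:
        """Return True if the change is accepted under the policy."""
        if not admin_reset and self.now - self.last_change < self.min_age:
            return False                      # minimum age blocks the change
        digest = _hash(pw, self.salt)
        if self.history_len and any(hmac.compare_digest(digest, h)
                                    for h in self.history[-self.history_len:]):
            return False                      # reuse of a remembered password
        self.history.append(digest)
        self.last_change = self.now
        return True

def rebel_can_return(history_len: int, min_age: int) -> bool:
    """Simulate the rebel user on the day a change is required: burn through
    x throwaway passwords, then try to set the old favourite again."""
    acct = Account(history_len=history_len, min_age=min_age)
    acct.set_password("Favourite1!", admin_reset=True)   # initial provisioning
    acct.now = 90                                        # expiry day arrives
    for i in range(history_len):
        acct.set_password(f"Throwaway{i}!")              # refused once min age applies
    return acct.set_password("Favourite1!")

if __name__ == "__main__":
    print("no history, no min age:", rebel_can_return(0, 0))   # True
    print("history 3, no min age:", rebel_can_return(3, 0))    # True
    print("history 3, min age 1:", rebel_can_return(3, 1))     # False
```

With a minimum age set, the same check that stops the cycling also refuses a legitimate user-initiated change on the same day, which is the slide's next reaction.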

  18. Dimension 3: password interaction (diagram; labels: hacker access, intruder access, office, password manager, post-it)

  19. Conclusions. When considering passwords, do not only consider the passwords themselves, but also how they are accessed, what they are used for and for how long they are used. In all of these dimensions, there will be a trade-off between security and usability. Low usability may backfire: your users will deviate from the policy in unpredictable ways, rendering it useless.
