Evidence-Based Password Policies
The Communications of the ACM recently published a study on the efficacy of tactics for defending password-protected networks from guessing attacks. The authors discovered that “Enterprises that impose stringent password-composition policies appear to suffer the same fate as those that do not,” reaching three main conclusions:
- It has long been accepted that making users choose more complex passwords is the price they must pay to make their accounts safer; it turns out this line of thinking misunderstands how attacks actually work.
- Harder-to-guess passwords do not always reduce the likelihood of successful guessing attacks; in fact, in a large portion of the attack space, they make no difference at all.…
- Compelling returns are offered by password blacklists, throttling, and hash iteration, while current password-composition policies fail to provide demonstrable improvement in outcomes against offline guessing attacks.
These results match what root9B has found while performing credential assessments encompassing large numbers of users on a variety of networks.
A significant number of accounts in every network we’ve checked are using passwords so weak that they risk being cracked by an attacker guessing common passwords. This type of check is one of the many that our proprietary credential assessment capability Orkos does automatically. Once attackers have compromised one account or one system, whether due to this kind of attack or another, their access quickly snowballs into additional access.
In the networks we have scanned, Orkos has been able to automatically find a path to complete network control from between 75% and 99% of systems and between 50% and 90% of accounts, without even considering weak passwords. It does this by identifying credentials stored on systems and in memory, analyzing privileges, group memberships, system configurations and re-used credentials to show the path an attacker could take if they compromise one system. If you assume the attackers will try guessing passwords, complete network control is virtually guaranteed, at least, until you remediate these risks.
Once attackers have control of a system, they can extract the password hashes and try to brute-force any uncracked passwords offline. In contrast with an online attack, which defenders can slow down and trigger lockouts to attempt to defeat, an offline attack operates entirely on the attackers system as fast as their hardware can run. With a decent graphics card, even laptops can try over 1 billion guesses per second against common hash types. Defeating an offline brute force is nearly impossible; over 90% of hashes leaked from public breaches can be cracked with an ordinary personal computer.
It is not difficult to create a password that cannot be cracked with an online attack, especially if throttling or lockouts are enabled (although throttling and lockouts can be used to execute a denial-of-service attack against users). However, it is exceptionally difficult for people to create a password that cannot be broken with an offline attack; the only way to ensure this is the case is to use a long, complex, randomly generated password with a measurably high level of entropy from a cryptographically strong source. The vast majority of even long, complex passwords that users create still tend to follow mental shortcuts, like replacing letters with look-alike symbols or using common words and phrases. Password rotation policies have a tendency of weakening passwords, since users’ creativity and patience saps the more frequently password changes are required.
Common password policies simply make it more difficult to create and remember passwords, while not stopping any additional attacks. Instead of doubling down on password policies, why not find your real credential risks and mitigate those instead?