How to strike a balance between security policies and practical implementation challenges?

Question

At our organization, we came across some frequent incidents such as:

1. Reported successful password guessing attacks

2. Frequent password reset complaints

We started an investigation to identify the causes and the flaws in our practice. The password policy is as follows

Passwords shall have a minimum of 8 characters with a mix of alphanumeric and special characters and 60 days of expiry. No repeating passwords for 3 consecutive changes.

Most of the user feedback on our password policy was negative and the complaint was that they find difficulty in remembering the password and often they use a simple one to meet the policy.

We conducted an internal (personal) survey to identify how strong the passwords being used are; the outcome indicates there were several common words being used in different combinations as users must change their passwords every 60 days.

For example, passwords containing repeated words like name, home, office, etc. I believe most organizations have these policies in place and most of the standards recommend these (PCI-DSS, etc) but none of them really strike the balance between the controls and practical applicability.

Hence the real outcome of such policies/controls are not achieving the desired outcome.

The major concerns is how do we strike the balance between these policies (in this case password policy) and practical implementation challenges?

Answer 1

Since this question is not a technical one, rather more about human behaviour, you won't get the answer. What you describe is very typical though and I made the same experience.

Complex password rules will usually not lead to more safe passwords, really important is only a minimum length, and a check against a list of the most used passwords. People cannot remember tons of strong passwords, and such rules can even interfere with good password schemes. People can get very inventive to bypass such rules, e.g. by using weak passwords like "Password-2018", which satisfies most rules. Often you end up with weaker passwords instead of stronger ones.

The same applies to the password-change rule, it is very common to add an increasing number or the current month to the password.

Recently NIST published an official paper (see chapter 10.2.1), advising against such rules, and against its former recommendations.

A try to answer the edited question:

1. We can try to delegate authentication, either with single-sign-on or with OAuth2, this way we can reduce the passwords a user has to remember (same password for multiple services).
2. One could recommend a password-manager. A link on the login page to a good tool won't hurt.
3. We could engourage password-phrases. Why not place a funny example on the login page: "I like to sleep until it is too late to get up", this raises awareness and shows the user how much easier (and mobile-friendly) pass-phrases can be. Just make sure to reject this exact example.

Answer 2

The best solution is to train your user base to use passphrases.

Passphrases are easier to remember, easier to type - and harder to crack. And the NIST rules that @martinstoeckli mentioned are designed to be passphrase-friendly.

Five random words, drawn from a dictionary of at least 20,000 words or so, would be a nice middle ground.

Training will be key, using materials like Stanford's.

You could even create a way to generate and suggest passphrases to them. It would be relatively easy to create a simplified, private instance of ae7.st/g or rempe.us/diceware for your user base to use as a starting point. These execute entirely on the client side, so the passwords cannot be collected remotely.

[Edit: Yes, I'm also a big fan of password managers. But the original question is focused on password-reset helpdesk calls in the enterprise, which almost certainly means AD passwords - which are one of those "front end" passwords that usually must be memorized.]

Answer 3

Help everyone in your organization use a good password manager. (I should disclose that I work for the makers of a very fine password manager.)

Seriously, you have a password management problem, and using a password manager within your organization is the best shot at addressing it. This is what password managers are designed to deal with.

Addressing comments

There have been a number of excellent comments my rather off-hand answer. So it looks like I'm going to have to put in some real effort here.

There are two questions to discuss.

Forgetting the password manager password

A password manager does not eliminate the need to remember all passwords, but certainly does help. It wasn't entirely clear to me whether the original question was focused specifically on the workstation/AD/LDAP user password for the organization or other passwords as well.

One thing about using password manager is that you typically need to type it its password several times a day. So after a short while, people do learn it well.

And talking specifically of 1Password, we have things set up so that it is impossible for us learn anyone's secrets, but it is possible for certain individuals within an organization to be empowered to perform recovery. See either our documentation for what this looks like to an administrator or our security white paper for the gory details of how that all works behind the scenes.

Workstation login

Of course you can't run your password manager on a system that you can't log into. But depending on your organizations policies, the password manager can also run on a user's phone.

I understand that there will be some objections to this, but consider that it is in the organizations' interest that people's sign on password not be something that they also use for the HTTP only MyKittyPictures.org which is built on a version of Wordpress that hasn't been updated in a decade. So you do want your people use a password manager at home as well as at work.

Again, 1Password (and some of our competition) allows ways of managing separate accounts, so that you don't find workplace secrets leaking into places you don't want it to. I didn't really want to turn this into a sales pitch, but there are ways to set things up that work for the security needs of various organizations.

With unique passwords, the need for forced rotation diminishes

(This is relevant because forced password rotation leads to people forgetting passwords or using crappy ones.)

Forced password rotations generally do more harm than good. Some of the "good" that they do is because people tend to reuse the same password on multiple services, and so once one gets compromised the everything using that same password is vulnerable.

Getting people to use a password manager helps move people away from password reuse.

With generated passwords, complexity rules aren't needed.

Password complexity rules may also do more harm then good, and they certainly lead to passwords that are hard to remember. 1Password nudges people toward very strong, but usable, master passwords.

Again, I'm not trying to turn this into a sales pitch. Look at what we offer (talk to us about your specific organization's needs), but look at others as well. We are the best, in my not so humble opinion, but my over all point is that many of your password problems can be addressed through the use of a password manager. And it will get your people engaging in more secure habits. A password manager enjoys the happy spot of both increasing security and making life easer for users.

Answer 4

... the real outcome of such policies/controls are not achieving the desired outcome.

Exactly. You have good identified that.

1. Review your password policy. Consider what exactly are you protecting and what would be consequences if an attacker finds out a password. If password gives only an access to your parking slot, it is not so harmful, a pretty simple password will be sufficient. Depending on consequences the policy may be more serious, in some cases password may be insufficient and you may need hardware solutions like smart cards or USB password managers.

2. Use password manager. Users will have then to remember a single password only. For system login (Windows, Linux, ...) you obviously cannot use password manager on this system, but you can use PW manager on your smartphone (provided and configured by your company and compliant with your security policies).

3. Use 2-factor authentication. For instance, password plus SMS. Pro: passwords can be simpler. Contra: Users may complain, because they will be forced to permanently enter code from SMS into login dialog. You can still make it simple, if you use 1-factor authentication in your intranet or in your office and 2-factor for remote access only or when user is logging in not from his PC.

4. Automate password resetting. Give your users possibility to reset their passwords automatically, e.g. via email or SMS.

Answer 5

Most relevant points were made in other posts. I just want to highlight

1. Letting users choose and keep a good password is in most situations the better security bargain than forcing them to change their password regularly.

2. A simple calculation shows that elaborate complexity requirements can be traded for one or two more characters, i.e. instead of requiring the "usual" letters/digits/special chars and minimum length 8 just ask for 10 characters.

3. Requirements like special characters actually weaken passwords, for next to no user picks a random such character at a random position - just have a look at the rockyou password list and watch the amount of passwords that end on "!" or ".". So, that's pretty predictable. In fact, the reasoning that complexity improves security (more precisely: entropy) is based on the assumption that users pick passwords like 1D>u&b8H or 6mp{:2tL instead of passwords like g0tch4!! or #1Hottie.

4. If you want complexity, then do it the right way: ask for n out of m different characters (e.g. at least 8 out of 12 or more), and reject patterns like 123456 or qwerty etc. This is not perfect but it'll weed out the worst kind of junk right away.

5. Even better, encourage your users to use passphrases.

6. I've also seen password suggesters based on Randall Munroe's idea to pick four (or more) random words.

Finally, if security is really such a concern, then passwords might not be the right choice for authentication; 2FA or public-key-based authentication might be the (admittedly more expensive) adequate solution. However, if management insists on the policy as it is, then they simply have to live with the results.

Answer 6

In my company we have mainly 2 rules, company wide:

• The store is either "in memory" or in a given password manager with a personal Master Password. (KeePass in this case)
• Password complexity must be at least of a minimum length and meet 3 out of these:
  • Number character
  • "Special character"
  • Lowercase Letter
  • Uppercase Letter

New employees are acquainted with these rules and trained as necessary.

The key here is the enforcement and support of the password manager. In practice, this leads to random, long, and safely stored passwords.

The only exception may be if a customer explicitly requires different handling of passwords to THEIR systems, which must be approved by the manager of the project.

Answer 7

I've given a couple of talks on this exact subject, so there's a lot of info in my head and I hope I can get it down to a few vital points:

1. What are your actual threats? Most of the password complexity rules are ancient, misguided, and assume brute-forcing as the main threat. If you think a little bit about the topic, you will almost certainly come to the conclusion that it isn't. In 90% of settings, if brute-forcing is possible at all, your software is broken.

2. Users will always interpret your password policy in the way that makes it most easy for them. This has the unintended consequence that an attacker who knows your password policy actually has a dramatically reduced search space. For example, if you require numbers, the vast majority of users will put them at the end, a minority at the beginning and almost nobody will mix them within the word the way your trivial complexity estimations assumed.

3. Ditch the "special characters and numbers and upper and lower case" rules. They are utter nonsense. These rules actually make a number of attacks more easy.

4. Enforce long passwords. 8 characters absolute minimum, better 12. If the password is sufficiently long, it can be memorable, it can be a word or variation or mix-up of words. It is easy to create nonsense words in most languages. For example, "nonmost wordages" from that last sentence. These are reasonably easy to remember and reasonably fast to type correctly. (mixing parts of 4 or so words like that is my favorite variation on the famous xkcd answer to that topic, which is brilliant, but results in too long passwords that normal users won't type - remember that most users can't touch type)

5. Check passwords that people enter against a blacklist to ensure that "password" and anything on the top 100 or so list is not acceptable. Add a couple of your own (e.g. company name or company name + current year)

6. Go back to your thoughts about threats and add to these generic hints some that are specific to your threats. For example if there is a reasonable threat that your password database could be stolen, you have the only scenario where brute-force is actually a thing, and you need to think about search space - after you made sure you are using good hashes, good salt and maybe pepper. Also, maybe making your database more secure is easier and more effective than trying to force people to do something that thousands of people have been trying to force them for decades, unsuccessfully? -- if, however, you identify shoulder surfing as a serious threat, you definitely do not want complexity in passwords, because 9[~K>'?+D*kg is a lot slower to type than "nonmost wordages", while they have the same complexity (on the order of 10^22).

If you need some data and research to convince others in your company, give me a shout.

Answer 8

What is annoying your users is the strict policy, which prevents many strong passwords while allowing weak ones

The password policy is strong with ‘Passwords shall have a minimum of 8 characters with a mix of alphanumeric and special characters and 60 days of expiry. No repeating passwords for consecutive 3 times’.

"Password-1" has one uppercase letter, is 10 characters long, and has a special character and you think it is secure. "green horse president butter" is not allowed, but much longer and harder to guess or brute-force.

Password expiry is another thing which modern password guidelines recommend against. Make me choose another password by your rules and I choose "Password-2".

Personally I would solve this by requiring a long password. If you need to have at least 20 characters, "Password-123" won't work and you start getting creative. Or start using a password manager. Simple brute-force has no chance with such long passwords and you have a good chance that even a not so good password cannot be easily composed from a wordlist.

Answer 9

My master's thesis was on Information Security and how humans are the weakest link. I feel your pain here because the second you make the password rules too difficult, users will write their password down on a sticky note and attach it to their computer.

My company has several additional rules to help keep up complexity:

1. 70% of your passphrase must be different: this keeps people from password1, then password2, then password3
2. Your password cannot contain any dictionary words: this forces people to use leet spelling and similar workarounds
3. Your password cannot be a common passphrase: this allows you to sample your system's passphrases and prevent more than one person from using the same password.

Since passwords are only slightly better than the illusion of security, maybe the better idea is to add a different type of authentication.

There are three types of authentication:

1. Something you know (like a passcode or passphrase)
2. Something you have (like a token or access card)
3. Something you are (like fingerprints or other biometrics)

When passwords are used in conjunction with 2 and 3, then the complexity of the passcode doesn't matter as much and is often reduced to a pin number.

Unfortunately, the only way for the system to enforce truly random passwords is for the system to generate them for a user… but then you can nearly guarantee that they will be written down.

Answer 10

Philosophically speaking, there are two main forces, to which people tend to adhere to differently. The first category is freedom: Conviction over coercion, choice over obligation, moral over enforcement. The second category is power, which is the reverse of freedom. These fundamental differences can be seen best in politics as of issues of pro-state movements (socialism, nationalism) vs pro-freedom movements (libertarianism).

Now, history has clearly shown that using violence, coercion and control yielded worse results in every aspect, with communism and fascism being at its pinnacle of manifestation. On the other hand, capitalism (which we currenlty have ~50% of), may have caused wealth inequality, but in a positive way, which caused everybody to become wealthier (by raising living standards), and those who provide the most value to become incredibly wealthy. Meaning: Even the poor(est) benefit from that. Whereas if you force total wealth equality, everybody becomes poor and many people may starve (but not those who caused that of course).

So, to get back to this topic: Whenever you have a positive goal (better password protection) try to mess with the freedom of people by force (forcing certain password rules), you can witness a decline in your goals - up to the point of reaching the opposite.

I think one feasable way would be to advocate better password protection and warn them about the fragility of their passwords. Maybe show them an estimated duration needed to crack it. Tell them to use multiple words (which seems to be the best method). But if they want a password which can be cracked in 2 seconds, it's their choice.

Providing information (and warnings) is in my opinion way better than simply forcing passwords rules. Because that's what will happen, as you described, people will get annoyed and will try to find the easiest way to resolve the problem. Forcing 9 letters will yield many 9 letter passwords, but telling them that a given password can be cracked in 2 seconds may motivate them to use something better than the minimum you'd otherwise force them to have, especially if it's about something of high importance.

Plus a lot of special rules (which often do not even make much sense, like 1+ capital letter and 1+ special symbol) make passwords much harder to remember, if theirs didn't had that already. So it's not only the "stupidity" of users which is the issue, but the attempt of control by "force."