Password policy
A password policy is a set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly. A password policy is often part of an organization's official regulations and may be taught as part of security awareness training. The password policy may either be advisory or mandated by technical means.
Password length and formation
Many policies require a minimum password length, typically 8 characters. Some systems impose a maximum length for compatibility with legacy systems.
Some policies suggest or impose requirements on what type of password a user can choose, such as:
- the use of both upper- and lower-case letters (case sensitivity)
- inclusion of one or more numerical digits
- inclusion of special characters, e.g. @, #, $ etc.
- prohibition of words found in a dictionary or the user's personal information
- prohibition of passwords that match the format of calendar dates, license plate numbers, telephone numbers, or other common numbers
- prohibition of use of company name or an abbreviation
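The composition rules listed above are the kind of thing a registration or password-change form enforces. The checker below is an added example written for this page, not code from the original article; the word list, the company names and the date, telephone and licence-plate patterns are constructed, illustrative values (a real deployment would load a full dictionary and the user's own profile fields).

```python
import re
from typing import List

# Constructed sample data for this example: a real deployment would load a full
# dictionary and the user's own profile fields (name, username, birthday, ...).
DICTIONARY_WORDS = {"password", "welcome", "summer", "dragon", "letmein"}
COMPANY_NAMES = {"examplecorp", "excorp"}   # hypothetical company name and abbreviation
SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")

# Loose, illustrative shapes for "common numbers": whole-password matches only.
DATE_RE = re.compile(r"^(?:\d{2}[/.-]\d{2}[/.-]\d{2,4}|\d{4}[/.-]\d{2}[/.-]\d{2}|\d{6}|\d{8})$")
PHONE_RE = re.compile(r"^\+?\d[\d\s().-]{6,}\d$")
PLATE_RE = re.compile(r"^[A-Z]{1,3}[ -]?\d{1,4}[ -]?[A-Z]{0,3}$")


def check_password(candidate: str, personal_info: List[str],
                   min_length: int = 8, max_length: int = 64) -> List[str]:
    """Return the list of policy rules the candidate violates (empty = accepted)."""
    problems: List[str] = []

    # length bounds: minimum for strength, maximum for legacy-system compatibility
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(candidate) > max_length:
        problems.append(f"longer than {max_length} characters")

    # composition rules
    if not (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)):
        problems.append("needs both upper- and lower-case letters")
    if not any(c.isdigit() for c in candidate):
        problems.append("needs at least one digit")
    if not any(c in SPECIAL_CHARS for c in candidate):
        problems.append("needs at least one special character")

    # content rules: dictionary words, personal information, company name
    lowered = candidate.lower()
    letters_only = re.sub(r"[^a-z]", "", lowered)
    if lowered in DICTIONARY_WORDS or letters_only in DICTIONARY_WORDS:
        problems.append("is a dictionary word")
    for item in personal_info:
        item = item.lower()
        if len(item) >= 3 and item in lowered:
            problems.append(f"contains personal information ({item})")
    if any(name in lowered for name in COMPANY_NAMES):
        problems.append("contains the company name or its abbreviation")

    # format rules: dates, telephone numbers, licence plates
    if DATE_RE.match(candidate) or PHONE_RE.match(candidate) or PLATE_RE.match(candidate.upper()):
        problems.append("matches a date, telephone number or licence plate pattern")

    return problems


if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3", "password", "Alice#2024", "01/02/1999"):
        print(pw, "->", check_password(pw, ["alice", "smith"]) or "accepted")
```

Returning every violated rule at once, rather than stopping at the first, lets the form tell the user exactly what to fix; the dictionary check strips digits and symbols first so that a word with a number bolted on is still caught.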
As of October 2005, employees of the UK Government are advised to use passwords of the following form: consonant, vowel, consonant, consonant, vowel, consonant, number, number (for example pinray45). This form is called an Environ password and is case-insensitive. Unfortunately, since the form of this 8-character password is known to potential attackers, the number of possibilities that need to be tested is actually fewer than a 6-character password of no form (486,202,500 vs 2,176,782,336).
Other systems create the password for the users or let the user select one of a limited number of displayed choices.
Password duration
Some policies require users to change passwords periodically, e.g. every 90 or 180 days. Systems that implement such policies sometimes prevent users from picking a password too close to a previous selection.
This policy can often backfire. Since it's hard to come up with 'good' passwords that are also easy to remember, if people are required to come up with many passwords because they have to change them often, they end up using much weaker passwords; the policy also encourages users to write passwords down. Also, if the policy prevents a user from repeating a recent password, this means that there is a database in existence of everyone's recent passwords (or their hashes) instead of having the old ones erased from memory.
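The "no reuse" rule above requires keeping a record of each user's recent passwords. The class below, an added example that is not part of the original article, shows what that record looks like when only salted, stretched hashes are retained: a candidate password is re-derived under each stored salt and compared in constant time. The history depth and PBKDF2 round count are assumptions chosen for this example.

```python
import hashlib
import hmac
import os
from collections import deque

HISTORY_DEPTH = 5          # how many previous passwords are remembered (assumption)
PBKDF2_ROUNDS = 100_000    # kept modest for the example; tune upward in production


class PasswordHistory:
    """Per-user record of recent password hashes so that reuse can be rejected.

    Each entry is (salt, pbkdf2_hash). No plaintext is stored, but the trade-off
    from the text still holds: a record of old passwords must be retained for as
    long as the "no reuse" rule is enforced.
    """

    def __init__(self, depth: int = HISTORY_DEPTH) -> None:
        self.entries = deque(maxlen=depth)   # oldest entry is dropped automatically

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

    def was_used_recently(self, password: str) -> bool:
        # each retained entry has its own salt, so the candidate is re-derived per entry
        return any(hmac.compare_digest(self._derive(password, salt), digest)
                   for salt, digest in self.entries)

    def set_password(self, new_password: str) -> bool:
        """Record a new password; returns False and leaves the record unchanged on reuse."""
        if self.was_used_recently(new_password):
            return False
        salt = os.urandom(16)
        self.entries.append((salt, self._derive(new_password, salt)))
        return True


if __name__ == "__main__":
    history = PasswordHistory(depth=3)
    for candidate in ("Winter!2023", "Winter!2023", "Spring!2024"):
        print(candidate, "->", "accepted" if history.set_password(candidate) else "recently used")
```

Note that a hash-only record can answer "was this exact password used recently?" but not "is this too close to a previous one?": a similarity check needs the earlier password in plaintext, which a system typically has only for the current password the user supplies at change time, not for older ones.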
The human factors aspects of passwords must also be considered. Unlike computers, human users cannot delete one memory and replace it with another. Consequently, changing a memorized password is very difficult, and most users resort to choosing a password that is easy to guess. Users are often advised to use mnemonic devices to remember complex passwords. However, if the password must be repeatedly changed, mnemonics are useless because the user would not remember which mnemonic to use.
Requiring a very strong password and not requiring it be changed is often better. However, this approach does have a major drawback: if an unauthorized person acquires a password and uses it without being detected, that person may have access for an indefinite period.
It is necessary to weigh these factors: the likelihood of someone guessing a password because it is weak, vs. the likelihood of someone managing to steal, or otherwise acquire without guessing, a password.
Common password practice
Password policies often include advice on proper password management such as:
- never share a computer account
- never use the same password for more than one account
- never tell a password to anyone, including people who claim to be from customer service or security
- never write down a password
- never communicate a password by telephone, e-mail or instant messaging
- being careful to log off before leaving a computer unattended
- changing passwords whenever there is suspicion they may have been compromised
- keep operating system passwords and application passwords different
- passwords should be alphanumeric
Sanctions
Password policies may include progressive sanctions beginning with warnings and ending with possible loss of computer privileges or job termination. Where confidentiality is mandated by law, e.g. with classified information, a violation of password policy could be a criminal offense. Some consider a convincing explanation of the importance of security to be more effective than threats of sanctions.
Selection process
The level of password strength required depends, in part, on how easy it is for an attacker to submit multiple guesses. Some systems limit the number of times a user can enter an incorrect password before some delay is imposed or the account is frozen. At the other extreme, some systems make available a specially hashed version of the password so anyone can check its validity. When this is done, an attacker can try passwords very rapidly and much stronger passwords are necessary for reasonable security. (See password cracking and password length equation.) Stricter requirements are also appropriate for accounts with higher privileges, such as root or system administrator accounts.
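Two passages on this page come down to the same arithmetic: the Environ comparison under "Password length and formation" (486,202,500 candidates for the fixed consonant/vowel/digit pattern versus 2,176,782,336 for six unconstrained case-insensitive letters and digits) and the point just above that the strength needed depends on how fast an attacker can guess. The calculator below is an added example, not code from the original article. It reproduces the page's two figures, finds the free-form length that matches a given pattern, and converts a keyspace into time at two guess rates; the lockout policy (5 attempts per 15 minutes) and the offline rate (10^9 guesses per second) are constructed figures for illustration, and the class sizes assume the 26-letter English alphabet split into 5 vowels and 21 consonants.

```python
from math import prod

# Character classes, case-insensitive as the Environ scheme is. Sizes assume the
# 26-letter English alphabet split into 5 vowels and 21 consonants (assumption).
CLASS_SIZES = {
    "C": 21,   # consonant
    "V": 5,    # vowel
    "N": 10,   # digit
    "A": 36,   # any letter or digit, case-insensitive
}

SECONDS_PER_DAY = 86_400


def pattern_keyspace(pattern: str) -> int:
    """Number of passwords matching a fixed class pattern such as 'CVCCVCNN'."""
    return prod(CLASS_SIZES[c] for c in pattern)


def freeform_keyspace(length: int, alphabet_size: int = 36) -> int:
    """Number of passwords of the given length drawn freely from an alphabet."""
    return alphabet_size ** length


def min_length_to_beat(keyspace: int, alphabet_size: int = 36) -> int:
    """Shortest free-form length whose keyspace is at least as large as `keyspace`."""
    length = 1
    while alphabet_size ** length < keyspace:
        length += 1
    return length


def days_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case days needed to try every password at a sustained guess rate."""
    return keyspace / guesses_per_second / SECONDS_PER_DAY


def online_guess_rate(attempts_per_window: int, window_seconds: int) -> float:
    """Sustained guesses/second an attacker gets against a lockout-throttled login."""
    return attempts_per_window / window_seconds


if __name__ == "__main__":
    environ = pattern_keyspace("CVCCVCNN")
    free6 = freeform_keyspace(6)
    print(f"Environ pattern:   {environ:,} candidates")
    print(f"6 free-form chars: {free6:,} candidates")
    print(f"free-form length needed to match Environ: {min_length_to_beat(environ)}")
    # lockout policy: 5 attempts, then a 15-minute delay (constructed figures)
    online = online_guess_rate(5, 15 * 60)
    print(f"online, throttled login: {days_to_exhaust(environ, online):,.0f} days")
    # offline guessing against a fast, publicly readable hash (constructed rate)
    print(f"offline at 1e9 guesses/s: {days_to_exhaust(environ, 1e9) * SECONDS_PER_DAY:.2f} seconds")
```

The same 486 million candidates take on the order of a million days against a throttled login but well under a second offline, which is the reason the text asks for much stronger passwords wherever a hash can be attacked directly, and the reason a known pattern costs more security than its length suggests.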
Usability considerations
Password policies are usually a tradeoff between theoretical security and the practicalities of human behavior. For example:
- Requiring excessively complex passwords and forcing them to be changed frequently can cause users to write passwords down in places that are easy for an intruder to find, such as a Rolodex or post-it note near the computer.
- Users often have dozens of passwords to manage. It may be more realistic to recommend a single password be used for all low security applications, such as reading on-line newspapers and accessing entertainment web sites.
- Similarly, demanding that users never write down their passwords may be unrealistic and lead users to choose weak ones. An alternative is to suggest keeping written passwords in a secure place, such as a safe or an encrypted master file. The validity of this approach depends on what the most likely threat is deemed to be. While writing down a password may be problematic if potential attackers have access to the secure store, if the threat is primarily remote attackers who do not have access to the store, it can be a very secure method.
- Inclusion of special characters can be a problem if a user has to log on to a computer in a different country. Some special characters may be difficult or impossible to find on keyboards designed for another language.
- Some identity management systems allow Self Service Password Reset, where users can bypass password security by supplying an answer to one or more security questions such as "where were you born?," "what's your favorite movie?," etc. Often the answers to these questions can easily be obtained by social engineering, phishing or simple research.
A 2010 examination of the password policies of 75 different web-sites concludes that security only partly explains more stringent policies: monopoly providers of a service (e.g. government sites) have more stringent policies than sites where consumers have choice (e.g. retail sites and banks). The study concludes that sites with more stringent policies "do not have greater security concerns, they are simply better insulated from the consequences from poor usability."
Other approaches are available that are generally considered to be more secure than simple passwords. These include use of a security token or one-time password system, such as S/Key.
Enforcing a Policy
The more complex a password policy, the harder it may be to enforce, due to user difficulty in remembering or choosing a suitable password.
Most companies will require users to familiarise themselves with any password policy, much in the same way a company would require employees to be aware of Health & Safety regulations or building fire exits; however, it is often difficult to ensure that the relevant policies are actually being followed.
External links
- Choosing good passwords
- Password management best practices
- Changing Passwords for Key User Accounts
- "Is It Just My Imagination?" article by Suzanne Ross "Inkblots not only help users create a strong password, but people also seem to enjoy using them."