July 30, 2009

Network Security: Passwords vs. Passphrases

Passwords tend to be the area where security-minded people annoy customers the most. There is often tension around:

  1. Password complexity requirements
  2. Password length requirements
  3. Password expiration requirements

Setting these up without proper planning and training could easily push your staff into open revolt. Too often, management decides to focus on security and institutes a policy that is self-defeating: if users have to change passwords every two weeks, you can be sure most will end up writing them down and taping them to their monitors.

Fortunately, there is an easier alternative: passphrases. Passphrases have been around for a long time (think "Open Sesame!"), but only recently has technology caught up to allow most users to use them on a regular basis. In the past, most passwords were limited to 8-9 characters. To enforce complex passwords, systems administrators would force users to create such monstrosities as "YU78^&x3", which were difficult to remember, let alone type. As the technology improved, however, most modern operating systems dropped the 8-9 character limit and now accept passwords well over 100 characters long. A passphrase differs from a password only in that it typically contains multiple words strung together. "All good boys eat chocolate!" is a sample passphrase we will reference in a bit.

Why does this make any difference? With a short limit, even security-minded people with complex passwords could only manage something like "Ma*f1el!". Malicious password-guessing software (performing what is known as a "brute force attack") can simply try every possible password, and with an 8-9 character limit the number of possible passwords was simply too small. Expanding the limit from 8 to 16 or 24 characters increases the number of candidates dramatically: each extra character multiplies the search space by the size of the character set. A character-by-character brute force attack on a 28-character passphrase like the sample above would take so long as to be infeasible. One caveat: an attacker who suspects a passphrase is built from ordinary words will guess word by word rather than character by character, so what matters is the number of plausible word combinations. That is still far larger than the space of an 8-character password, as long as the phrase is not a well-known quotation or lyric that already appears in an attacker's wordlist.
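To put numbers on the argument above, here is an added Python example (not code from the original post) that computes the search space, in bits, for the post's two sample secrets under a character-by-character brute force and, for the passphrase, under a word-by-word attack as well. The 95-character keyboard alphabet, the 10,000-word attacker dictionary, the four per-word variants, and the rate of one billion guesses per second are assumptions chosen for illustration, not measurements.

```python
import math

# Assumed attacker model, chosen for illustration (not figures from the post):
PRINTABLE_ASCII = 95            # distinct printable characters on a US keyboard
DICTIONARY_WORDS = 10_000       # size of a common-word list an attacker might use
GUESSES_PER_SECOND = 1e9        # round-number guessing rate for an offline attack
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def char_bruteforce_bits(length: int, alphabet: int = PRINTABLE_ASCII) -> float:
    """Search-space size, in bits, for trying every string of exactly
    `length` characters drawn from an alphabet of `alphabet` symbols."""
    return length * math.log2(alphabet)


def word_bruteforce_bits(num_words: int, dictionary: int = DICTIONARY_WORDS,
                         variants_per_word: int = 1) -> float:
    """Search-space size, in bits, when the attacker knows the secret is
    `num_words` dictionary words and guesses whole words at a time.
    `variants_per_word` models per-word tweaks (capitalisation, trailing
    punctuation) that the attacker also has to try."""
    return num_words * math.log2(dictionary * variants_per_word)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate in a `bits`-sized space at `rate` guesses/s."""
    return 2.0 ** bits / rate / SECONDS_PER_YEAR


def compare(password: str, passphrase: str) -> dict:
    """Search-space sizes an attacker faces for a short complex password
    (character brute force) and a multi-word passphrase (character brute
    force, and the cheaper word-by-word attack)."""
    words = passphrase.split()
    return {
        "password_chars": char_bruteforce_bits(len(password)),
        "passphrase_chars": char_bruteforce_bits(len(passphrase)),
        # assumed four variants per word: as typed or Capitalised,
        # each with or without trailing punctuation
        "passphrase_words": word_bruteforce_bits(len(words), variants_per_word=4),
    }


if __name__ == "__main__":
    # The two secrets are the post's own examples.
    results = compare("Ma*f1el!", "All good boys eat chocolate!")
    for label, bits in results.items():
        print(f"{label:<18} {bits:6.1f} bits  ~{years_to_exhaust(bits):.3g} years "
              f"at {GUESSES_PER_SECOND:.0e} guesses/s")
```

Run as-is, the 8-character password comes out at about 52.6 bits (exhausted in well under a year at the assumed rate), the passphrase at about 184 bits if attacked character by character, and about 76 bits under the word-by-word model. The last figure is the honest one for a passphrase made of common words, and it is still more than 20 bits (over a million times) larger than the short password's space; it would shrink to nothing, though, if the phrase were a famous line already present in the attacker's wordlist.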

There are two major wins for using passphrases in lieu of passwords. Firstly, the added length reduces the need to make the password overly complex. Instead of requiring uppercase characters and symbols, most sentences incorporate these automatically, such as "I enjoy movies, except action films." Secondly, because a sentence is easier to remember than a series of complex letters, numbers and symbols, users will be much more comfortable changing them on a regular basis. Users can select a category of passphrases that they are well versed in and cycle them every 2-3 months. Song lyrics, movie quotes, and far-off geographic locations can all serve as inspiration for a good passphrase, though the phrase should be your own variation rather than the famous line verbatim, since well-known quotations and lyrics end up in the wordlists attackers use. Even users who have had password expiration disabled until now may finally be able to come in from the cold and enjoy the benefits of a modern, secure network environment.

With any system, there are bound to be some drawbacks. One of the most common ones associated with passphrases actually works in users' favour: many internet sites still cap passwords at a fairly short length, so a long network passphrase cannot be reused there, and users end up with a network password that differs from their internet passwords. As detailed last week, having users enter their network passwords on random internet sites is a very large security risk, so this separation is a good thing. For users with many external internet passwords, New Signature has worked with a number of free, open-source products that provide a secure repository for them. Until internet sites improve their password handling, this may be a flaw we have to live with, benefits and all.

In the end, educating users about the benefits of passphrases, combined with a sensible password policy, can close one of the easiest holes into your corporate network. It is not a panacea, but it is a great first step.
