Why Strong Password Policy Is Mandatory?
In recent news, LinkedIn lost 167 million account credentials in a data breach. After the breach, LinkedIn's CEO published a blog post saying:
Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012. We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach. We take the safety and security of our members' accounts seriously. For several years, we have hashed and salted every password in our database, and we have offered protection tools such as email challenges and dual factor authentication. We encourage our members to visit our safety center to learn about enabling two-step verification, and to use strong passwords in order to keep their accounts as safe as possible.
Though LinkedIn took measures to contain the breach, the damage had been done, and many users were compromised by it. A survey by an IT firm in 2019 found that 67% of organizations have a password policy or standard. This clearly indicates that organizations have started treating password management as one of the key areas of security. A strong password is an important aspect of enterprise security, and enforcing stringent password policy rules should be the standard for every organization in the world.
A password is no longer just an MD5/SHA1/SHA256 value stored in a database; it is more than that. An organization needs to understand the various aspects of a strong password. The following aspects need to be considered seriously:
- Length
- Complexity
- Expiration
- Strength
Length of Strong Password
The length of the password is one of its most important attributes. From a brute-force perspective, the longer the password, the more time it takes to determine it. It is very important from an organizational perspective to enforce a minimum password length, so that all employees in the organization are forced to set longer passwords. As per the NIST Guide to Enterprise Password Management, if the length of the password is increased from 4 to 12 characters, given a character set of 26 characters, the number of possible combinations increases by a factor of roughly 200 billion.
According to the NIST draft paper, keyspace is the total number of possible values that a key, such as a password, can have. For example, a four-digit PIN could have any of 10 different values (0 through 9) for each of its four characters, so the keyspace would be 10^4, or 10,000 (i.e., 0000 – 9999). The following table gives an insight into the keyspaces for various password lengths.
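The keyspace arithmetic above (charset size raised to the password length) is easy to get wrong by hand, so the following is an added example, not part of the original article or of the NIST guide, that computes the keyspace and its base-2 logarithm for several character sets and lengths, and the growth factor quoted for going from 4 to 12 lowercase characters. The character-set sizes come from the standard library constants (10 digits, 26 letters, 32 punctuation characters); the chosen lengths are an assumption for illustration.

```python
import math
from string import ascii_lowercase, ascii_uppercase, digits, punctuation


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters drawn
    from a set of `charset_size` symbols: charset_size ** length."""
    if charset_size < 1 or length < 1:
        raise ValueError("charset size and length must be positive")
    return charset_size ** length


def keyspace_growth(charset_size: int, from_length: int, to_length: int) -> int:
    """Factor by which the keyspace grows when the length rises from
    `from_length` to `to_length`; 26 symbols, 4 -> 12 gives 26**8 (~209 billion)."""
    return keyspace(charset_size, to_length) // keyspace(charset_size, from_length)


def entropy_bits(charset_size: int, length: int) -> float:
    """log2 of the keyspace: the number of bits an attacker must guess for a
    uniformly random password over this character set."""
    return length * math.log2(charset_size)


# Character sets a policy may require and their exact sizes (10, 26, 52, 62, 94).
CHARSETS = {
    "digits only": len(digits),
    "lowercase": len(ascii_lowercase),
    "upper+lower": len(ascii_uppercase + ascii_lowercase),
    "upper+lower+digits": len(ascii_uppercase + ascii_lowercase + digits),
    "all printable": len(ascii_uppercase + ascii_lowercase + digits + punctuation),
}


def keyspace_table(lengths=(4, 6, 8, 10, 12), charsets=CHARSETS):
    """Rows of (set name, set size, length, keyspace, bits) for every
    combination of character set and length; lengths are illustrative."""
    rows = []
    for name, size in charsets.items():
        for n in lengths:
            rows.append((name, size, n, keyspace(size, n), round(entropy_bits(size, n), 1)))
    return rows


if __name__ == "__main__":
    print(f"{'character set':<20}{'size':>5}{'len':>5}{'keyspace':>28}{'bits':>7}")
    for name, size, n, space, bits in keyspace_table():
        print(f"{name:<20}{size:>5}{n:>5}{space:>28,}{bits:>7}")
    print("growth factor 26^4 -> 26^12:", f"{keyspace_growth(26, 4, 12):,}")
```

Reading the table column-wise shows the point the section makes: adding four characters multiplies the keyspace far more than adding a new character class does, which is why minimum length is the first rule to enforce.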
In the case of the Sony data breach in 2011, analysis of the leaked users' passwords found that more than 50% of users had a password length of less than 8 characters (https://www.troyhunt.com/brief-sony-password-analysis/).
Password Complexity
The complexity of a strong password is defined by the different types of characters used in it. The character types are:
- Uppercase
- Lowercase
- Special Characters
- Numbers
The special characters consist of
~!@#$%^&*()_+|}{][":';?><,./
As part of the organization's policy, the administrator can enforce that passwords consist of the character types described above. The administrator can mandate that:
- The password should have at least one uppercase letter
- The password should have at least one number
- The password should have at least one of the special characters
Apart from the above rules, the administrator can add additional rules to increase the complexity:
- The user's first name or last name should not be part of the password
- The organisation name should not be part of the password
- Common words, or words that can be guessed easily, are blacklisted
- The previous N passwords cannot be reused as the new password
Such complex rules make setting a password a tough task for the end user, but they also reduce the risk of the password being cracked by hackers.
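The rules listed above translate directly into a policy check that runs when a user sets a new password. The following is an added example, not code from the original article or from any product it mentions, that implements each rule: minimum length, the three character-class requirements, rejection of the user's first/last name and the organisation name, a blacklist of common words, and the "previous N passwords" rule. The history rule is implemented over salted PBKDF2 hashes so that old passwords are never kept in plaintext. The minimum length of 12, the history depth of 5 and the tiny blacklist are assumptions for illustration; a real deployment would load a much larger list of leaked and dictionary passwords.

```python
import hashlib
import os
from dataclasses import dataclass, field

# The special characters accepted by the policy, as listed in the article.
SPECIAL_CHARS = set('~!@#$%^&*()_+|}{][":\';?><,./')

# Constructed blacklist for the example; production systems use large leaked-password lists.
COMMON_WORDS = {"password", "welcome", "qwerty", "letmein", "123456"}


@dataclass
class PasswordHistory:
    """Salted PBKDF2 digests of a user's previous passwords. Only enough is kept
    to answer 'was this password used before?'; the plaintext is never stored."""
    entries: list = field(default_factory=list)  # (salt, digest) tuples
    keep: int = 5                                # N previous passwords remembered (assumed)

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def contains(self, password: str) -> bool:
        # Re-derive with each stored salt; equality means the password was used before.
        return any(self._digest(password, salt) == d for salt, d in self.entries)

    def remember(self, password: str) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, self._digest(password, salt)))
        del self.entries[:-self.keep]  # drop everything older than the last `keep`


def check_password(password, first_name="", last_name="", org_name="",
                   history=None, min_length=12):
    """Apply the policy rules and return the list of violated rules.
    An empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("no special character")
    lowered = password.lower()
    for label, value in (("first name", first_name), ("last name", last_name),
                         ("organisation name", org_name)):
        if value and value.lower() in lowered:
            problems.append(f"contains {label}")
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a blacklisted word")
    if history is not None and history.contains(password):
        problems.append("matches one of the previous passwords")
    return problems


if __name__ == "__main__":
    history = PasswordHistory()
    history.remember("Vq7#tidal-kestrel")          # constructed sample value
    for candidate in ("Welcome123!", "Alice!Smith2024x", "Vq7#tidal-kestrel", "Rm9$harbour-lantern"):
        verdict = check_password(candidate, first_name="Alice", org_name="ExampleCorp", history=history)
        print(f"{candidate!r}: {'accepted' if not verdict else ', '.join(verdict)}")
```

Returning the full list of violated rules, rather than stopping at the first one, lets the UI tell the user everything that needs fixing in a single round trip; the history check is deliberately last because it is the only rule that costs a key derivation per stored entry.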
Returning to the Sony breach example, only 4% of users had 3 different types of characters in their password.
Expiration of Password
One of the common best practices that an organization's IT security team follows for passwords is a password expiration interval. It is one of the practices followed by most organizations. Most commonly, 30 or 45 days is chosen as the maximum age of a password, and users are forced to change their passwords at the end of that period.
The basis of such a rule is to ensure that, if a hacker has obtained a user's password through some means, the user will have changed the password by the time the hacker uses it. This rests on the assumption that a hacker typically does not use a stolen password immediately to break into the user's account, an assumption drawn from a series of such hacks that have happened in the past.
Considering the technologies available today, this assumption may not hold, as hackers try to use a password immediately to cause damage rather than waiting for days as before. Nevertheless, it is good to have an expiration policy to ensure that users do not keep the same password forever.
Strength of Strong Password
Password strength is a score given to a user's password based on various parameters about how the password is formed; in other words, how difficult it is for an attacker to guess or retrieve the password through a brute-force approach. According to Wikipedia, the following parameters can be used to calculate password strength:
- Complexity of Password
- Length of Password
- Unpredictability
Some of the findings of the analysis of 37,608 user passwords from the Sony breach, based on length, character types, randomness, and uniqueness, are as follows:
- 93% of passwords were between 6 and 10 characters long, which is pretty predictable, and 50% of these were less than eight characters.
- 4% of passwords had three or more character types.
- Half of the passwords had only one character type and nine out of ten of those were all lowercase.
- Less than 1% of passwords contained a non-alphanumeric character.
- One-third of passwords conform to a relatively predictable pattern.
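The strength parameters listed above (complexity, length, unpredictability) and the breach statistics just quoted are two views of the same measurement. The following is an added example, not code from the original article or from the cited analysis, that runs that kind of audit over a constructed list of passwords: it classifies the character types present, estimates strength in bits from length and the classes used, and reports the same percentages the Sony findings give (length band, fewer than eight characters, three or more types, single type, all lowercase, non-alphanumeric). "Predictable pattern" is approximated here as a word followed by one to four digits; that heuristic, the per-class sizes and the sample passwords are assumptions for illustration, and a defender would point it at their own password-audit output rather than this sample.

```python
import math
import re
from string import ascii_lowercase, ascii_uppercase, digits

# Constructed sample standing in for a leaked password list; not real breach data.
SAMPLE_PASSWORDS = [
    "password", "123456", "sunshine", "qwerty12", "iloveyou",
    "Summer2011", "abc123", "football", "Charlie!", "letmein",
    "dragon", "monkey1", "P@ssw0rd", "baseball", "Welcome1",
    "shadow", "master", "michael", "jordan23", "Tr0ub4dor&3",
]

# Size of the alphabet each character class contributes to the guessing space
# (32 is the count of ASCII punctuation characters; an assumption for "other").
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "other": 32}

# Heuristic for the "relatively predictable pattern": a word followed by 1-4 digits.
WORD_PLUS_DIGITS = re.compile(r"[A-Za-z]+\d{1,4}")


def character_types(password):
    """Return the set of character classes present: upper, lower, digit, other."""
    types = set()
    for c in password:
        if c in ascii_uppercase:
            types.add("upper")
        elif c in ascii_lowercase:
            types.add("lower")
        elif c in digits:
            types.add("digit")
        else:
            types.add("other")
    return types


def estimated_bits(password):
    """Upper-bound strength estimate: length * log2(size of the classes used).
    A dictionary word scores far higher than it deserves, which is exactly why
    policies also blacklist common words."""
    alphabet = sum(CLASS_SIZES[t] for t in character_types(password))
    return round(len(password) * math.log2(alphabet), 1)


def analyse(passwords):
    """Breach-style statistics over a password list, as percentages."""
    n = len(passwords)
    lengths = [len(p) for p in passwords]
    types = [character_types(p) for p in passwords]

    def pct(count):
        return round(100.0 * count / n, 1)

    return {
        "count": n,
        "pct_len_6_to_10": pct(sum(6 <= l <= 10 for l in lengths)),
        "pct_len_under_8": pct(sum(l < 8 for l in lengths)),
        "pct_three_or_more_types": pct(sum(len(t) >= 3 for t in types)),
        "pct_single_type": pct(sum(len(t) == 1 for t in types)),
        "pct_single_type_all_lower": pct(sum(t == {"lower"} for t in types)),
        "pct_non_alphanumeric": pct(sum("other" in t for t in types)),
        "pct_predictable_pattern": pct(sum(bool(WORD_PLUS_DIGITS.fullmatch(p)) for p in passwords)),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_PASSWORDS).items():
        print(f"{key:<28}{value:>8}")
    for p in ("123456", "password", "P@ssw0rd", "Tr0ub4dor&3"):
        print(f"{p!r:<16} {estimated_bits(p):>6} bits (naive estimate)")
```

The naive bit estimate is the "complexity and length" half of the Wikipedia parameters; the pattern and single-class percentages stand in for "unpredictability", and comparing the two columns shows why a policy cannot rely on length and character classes alone.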