Technology Memo: Passwords and Digital Credentials
No. 3 Topic: Managing Passwords and other Digital Credentials at Brandeis University
It requires little in the way of persuasion to convince, well, anyone, that passwords are unpleasant: they’re difficult to type, harder to remember, and, sadly, they offer only diminishing security for our personal and private information. Yet for the time being passwords remain our primary means of verifying the identity of individuals before granting access to services or data. This document details some upcoming changes to how Brandeis maintains digital credentials and discusses some planned future enhancements.
It is worth briefly discussing what passwords do. Passwords don’t intrinsically provide any security; rather, a password is a secret that (in theory) is known only to an individual. By providing the password when prompted, you as an individual are identified; that is, the combination of the username and password tells the system who you are—and because the password is a secret known only to you, it verifies that you are who you say you are.
Creating Strong Passwords
A strong password has usually meant one that is difficult to guess. Yet with the advent of powerful computing, it has become possible to make repeated guesses at a password, thousands if not millions of times per minute.[1] The effect of this is that an ordinary 8-character password, by itself, offers limited protection against hacking. The standard approach to addressing this is to require passwords of greater and greater complexity and length—thus leading to more forgotten or mistyped passwords, an increased burden on helpdesks, and user frustration and anger.
First, passwords do get stolen, and they get stolen in a number of different ways. Additionally, we regularly see brute force[2] attempts to log into an account using commonly used passwords. In the last 90 days, for example, there have been numerous attempts on dozens of accounts from various cities in the U.S., Africa, Eastern Europe, Iran, and China. By requiring the use of strong passwords, we are attempting to slow the ability to use the stolen password long enough for us to detect its use, detect its theft, or lower our attractiveness as a target.[3]
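The two patterns described above (repeated guesses against one account, and common-password attempts spread across many accounts) are easy to pick out of an authentication log once failures are grouped by source address. The script below is an added example, not Brandeis or LTS code; its log format, user names and source addresses are constructed for illustration, and the thresholds and window are choices made here, not values from the memo.

```python
"""Flag brute-force and password-spraying login patterns in an auth log.

Added example, not Brandeis/LTS code. The log format and the source
addresses below are constructed for illustration; real systems (sshd,
an SSO portal, LDAP) log differently and need their own parser.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: one line per login attempt (ISO timestamp, result, user, source).
SAMPLE_LOG = """\
2015-01-12T08:00:01 FAIL user=alice src=203.0.113.7
2015-01-12T08:00:02 FAIL user=bob src=203.0.113.7
2015-01-12T08:00:03 FAIL user=carol src=203.0.113.7
2015-01-12T08:00:04 FAIL user=dave src=203.0.113.7
2015-01-12T08:00:05 FAIL user=erin src=203.0.113.7
2015-01-12T08:00:06 OK user=frank src=203.0.113.7
2015-01-12T08:05:00 FAIL user=alice src=198.51.100.9
2015-01-12T08:05:01 FAIL user=alice src=198.51.100.9
2015-01-12T08:05:02 FAIL user=alice src=198.51.100.9
2015-01-12T08:05:03 FAIL user=alice src=198.51.100.9
2015-01-12T08:05:04 FAIL user=alice src=198.51.100.9
2015-01-12T08:05:05 FAIL user=alice src=198.51.100.9
2015-01-12T08:05:06 OK user=alice src=198.51.100.9
2015-01-12T09:00:00 FAIL user=grace src=192.0.2.44
2015-01-12T09:00:30 OK user=grace src=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "result": m["result"],
                "user": m["user"],
                "src": m["src"],
            })
    return events


def find_suspicious_sources(events, window=timedelta(minutes=10),
                            max_failures=5, max_accounts=3):
    """Return {source: reason} for sources whose failures, within any sliding
    window, either hit one account repeatedly (brute force) or touch many
    distinct accounts (common passwords sprayed across the user base)."""
    failures_by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            failures_by_src[e["src"]].append(e)

    alerts = {}
    for src, fails in failures_by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # Advance the window start until the span fits inside `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            counts = Counter(e["user"] for e in fails[start:end + 1])
            if len(counts) >= max_accounts:
                alerts[src] = f"spray: failures against {len(counts)} accounts within {window}"
                break
            user, n = counts.most_common(1)[0]
            if n >= max_failures:
                alerts[src] = f"brute force: {n} failures against {user} within {window}"
                break
    return alerts


def successes_from_flagged(events, alerts):
    """Successful logins from an already-flagged source: the cases to look at
    first, since they may mean a guess (or a stolen password) worked."""
    return [(e["user"], e["src"]) for e in events
            if e["result"] == "OK" and e["src"] in alerts]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    flagged = find_suspicious_sources(evs)
    for src, reason in flagged.items():
        print(src, reason)
    print("successes from flagged sources:", successes_from_flagged(evs, flagged))
```

The spray check fires on the number of distinct accounts rather than the failure count, because a spraying source may only try each account once and would never trip a per-account threshold; a success from a flagged source is what turns the alert into something to act on.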
Achieving this does not require absurdly complex passwords, but it does require the use of longer passwords or passphrases. For example, using a well-known method for evaluating passwords,[4] we see that the apparently very strong password &xy90UJ! would take ~7 years to crack; whereas the much easier to remember passphrase rain Spain falls plain would take centuries to crack. Here are a few more samples in this table:
Since it is obvious that long, comprehensible, and memorable sentences make for much stronger credentials than traditional passwords, it is compelling to ask, “why are we still using traditional passwords?” The answer is historical more than technical. Because of the long use of passwords, many applications assume that the password “ends” when it encounters the first space character. Thus “Rosebud Was The Sled” will be seen as merely “Rosebud,” a word found in dictionaries and instantly crackable.
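To make the two points above concrete (a word-based passphrase outlasts a short complex password, and a legacy "stop at the first space" behaviour silently throws that advantage away), here is an added example. It is not from the memo and does not use zxcvbn; the attacker speed, the dictionary size and the tiny word list are assumptions chosen for illustration, so its figures are cruder than the zxcvbn estimates cited in the text.

```python
"""Why a passphrase beats a short complex password, and what a legacy
"stop at the first space" bug does to it.

Added example, not from the memo or from zxcvbn. The attacker speed,
dictionary size and word list are assumptions chosen for illustration.
"""
GUESSES_PER_SECOND = 1e9        # assumed offline attacker rate
DICTIONARY_SIZE = 100_000       # assumed size of the attacker's word list
# Constructed stand-in for that word list (only the words used below).
COMMON_WORDS = {"rosebud", "was", "the", "sled", "rain", "spain", "falls", "plain"}
SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_size(secret):
    """Size of the alphabet a character-by-character brute force must cover."""
    size = 0
    if any(c.islower() for c in secret):
        size += 26
    if any(c.isupper() for c in secret):
        size += 26
    if any(c.isdigit() for c in secret):
        size += 10
    if any(not c.isalnum() for c in secret):
        size += 33   # printable ASCII punctuation and space
    return size


def estimate_seconds(secret):
    """Crude crack-time estimate: the attacker uses the cheapest strategy that applies."""
    words = secret.split(" ")
    strategies = [charset_size(secret) ** len(secret)]      # character brute force
    if all(w.lower() in COMMON_WORDS for w in words):
        strategies.append(DICTIONARY_SIZE ** len(words))    # word-by-word dictionary attack
    return min(strategies) / GUESSES_PER_SECOND


def stored_secret(secret, legacy_truncates_at_space):
    """What actually gets stored when an application 'ends' the password at
    the first space, as the text describes for older software."""
    return secret.split(" ")[0] if legacy_truncates_at_space else secret


def crack_years(secret, legacy_truncates_at_space=False):
    """Estimated years to crack what the application really stored."""
    seconds = estimate_seconds(stored_secret(secret, legacy_truncates_at_space))
    return seconds / SECONDS_PER_YEAR


if __name__ == "__main__":
    for secret in ("&xy90UJ!", "Rosebud Was The Sled", "rain Spain falls plain"):
        print(f"{secret!r:26} intact: {crack_years(secret):10.3g} years   "
              f"truncated at space: {crack_years(secret, True):10.3g} years")
```

Under this model the four-word sentence is attacked one word at a time (dictionary size to the power of the word count), which is still far beyond the 95^8 search space of the short password; truncated to "Rosebud", it collapses to a single dictionary lookup. The ratio between the two cases is the point, not the absolute numbers, which move with the assumed guess rate.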
It’s also reasonable to ask why, if a password can resist being cracked for a century, it would ever need to be changed. First, note that those estimates for crack time make a number of assumptions about how the password is stored. If you use the same password at Brandeis that you use for a poorly secured website or game site, the thief may be able to simply read your password—no cracking necessary. Thus it becomes a balancing act—we require you to change your password periodically based on a reasonable estimate of how long it might take to crack it. While it would be possible to calculate a unique password expiration period for everyone, supporting this (and explaining it) can get complicated. Therefore, our policy will be to require annual password changes for shorter passwords, and biennial changes (every two years) for longer passwords and passphrases.
Second, despite being a violation of policy and best practice, we know from experience that people do occasionally share a password. By periodically requiring the password to change, we effectively reset that decision.
Ultimately, passwords are like stoves, to quote Mark Twain:
We do not remember the exact date of the invention of stoves, but it was some years ago. Since then mankind have been tormented once a year, by the difficulties that beset the task of putting them up, and getting the pipes fixed.[5]
Of all the current technologies to supplement or replace passwords, the most mature, inexpensive, and easiest to implement is two-factor authentication. This is generally seen as a supplement to passwords in which the individual provides a random number generated by a piece of hardware (or a cell phone) in addition to a password.
Two-factor authentication, while not perfect, is currently sufficient to prevent almost all attacks on accounts and is viewed as the new gold standard for protecting accounts. LTS is in the process of developing a strategy to deploy two-factor authentication. This will, in all likelihood, begin with limited deployment to high-risk services and individuals with elevated privileges before being made available to the general Brandeis community.
Going Forward: Password and Passphrase Creation and Maintenance
In summary, LTS is modifying the rules for creating and changing passwords and passphrases. These changes are designed to encourage longer and easier-to-remember passphrases. This represents a significant increase to the protection of campus accounts, systems, and services.
Passphrases are over 14 characters in length and may be formed using only upper- and lowercase characters (a minimum of one of each). These will expire after a period of two years. For technical reasons, no passphrase may be over 30 characters in length. We recommend using a minimum of four unrelated words separated by spaces.
Passwords must be between 10 and 14 characters. Passwords 14 characters or fewer in length will require the usual assortment of at least one character from each character set: digits (0-9), non-alphabetic symbols (!@#$%), uppercase letters (A-Z), and lowercase letters (a-z). Dictionary words and commonly used passwords are also not permitted to be part of the password.
In no case may the user’s username or last password be part of either a password or a passphrase.
The following table summarizes the above rule set.
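The rule set above, expressed as a checker, is an added example and not the validator LTS deployed. It follows the text as written (length bands, character-class requirements, the username and previous-password exclusion, annual versus biennial expiry); the dictionary and common-password sets are small constructed stand-ins for the lists a real deployment would load, and reading "part of" as a case-insensitive substring match is this example's interpretation.

```python
"""Checker for the password/passphrase rules in this memo.

Added example, not the code LTS deployed. The word and common-password
sets are constructed stand-ins; "part of" is read as a case-insensitive
substring match.
"""
from datetime import date

MIN_PASSWORD_LEN, MAX_PASSWORD_LEN, MAX_PASSPHRASE_LEN = 10, 14, 30
EXPIRY_YEARS = {"password": 1, "passphrase": 2}
RECOMMENDED_WORDS = 4

DICTIONARY_WORDS = {"rosebud", "brandeis", "winter", "welcome", "summer"}   # constructed
COMMON_PASSWORDS = {"password1!", "welcome123", "qwerty123", "letmein"}    # constructed

CHARACTER_CLASSES = {
    "digit": str.isdigit,
    "uppercase": str.isupper,
    "lowercase": str.islower,
    "symbol": lambda c: not c.isalnum() and not c.isspace(),
}


def classes_present(secret):
    """Names of the character classes that occur at least once in `secret`."""
    return {name for name, test in CHARACTER_CLASSES.items() if any(test(c) for c in secret)}


def evaluate(secret, username, last_password=None):
    """Return (kind, problems, warnings); kind is 'password', 'passphrase' or None.
    An empty problems list means the secret is acceptable under the rules."""
    problems, warnings = [], []
    lowered = secret.lower()
    if username and username.lower() in lowered:
        problems.append("contains the username")
    if last_password and last_password.lower() in lowered:
        problems.append("contains the previous password")

    present = classes_present(secret)
    n = len(secret)
    if n > MAX_PASSPHRASE_LEN:
        kind = None
        problems.append(f"longer than {MAX_PASSPHRASE_LEN} characters")
    elif n > MAX_PASSWORD_LEN:
        kind = "passphrase"   # over 14 characters: letters of both cases suffice
        for cls in ("uppercase", "lowercase"):
            if cls not in present:
                problems.append(f"passphrase needs at least one {cls} letter")
        if len(secret.split()) < RECOMMENDED_WORDS:
            warnings.append(f"recommended: at least {RECOMMENDED_WORDS} unrelated words separated by spaces")
    elif n >= MIN_PASSWORD_LEN:
        kind = "password"     # 10-14 characters: one of each class, no dictionary words
        for cls in CHARACTER_CLASSES:
            if cls not in present:
                problems.append(f"password needs at least one {cls} character")
        for word in sorted(DICTIONARY_WORDS | COMMON_PASSWORDS):
            if word in lowered:
                problems.append(f"contains a dictionary word or common password ({word!r})")
    else:
        kind = None
        problems.append(f"shorter than {MIN_PASSWORD_LEN} characters")
    return kind, problems, warnings


def expires_on(kind, changed_on):
    """Expiry date: one year for passwords, two for passphrases."""
    years = EXPIRY_YEARS[kind]
    try:
        return changed_on.replace(year=changed_on.year + years)
    except ValueError:   # 29 February with a non-leap target year
        return changed_on.replace(year=changed_on.year + years, day=28)


if __name__ == "__main__":
    for candidate in ("Rosebud Was The Sled", "rosebud was the sled", "&xy90UJ!",
                      "Tr0ub4dor&3", "Winter2015!!", "Mcorn#2015xyz"):
        kind, problems, warnings = evaluate(candidate, username="mcorn")
        print(f"{candidate!r:24} -> {kind}, problems={problems}, warnings={warnings}")
    print("passphrase set 2015-01-15 expires", expires_on("passphrase", date(2015, 1, 15)))
```

The passphrase branch deliberately does not require digits or symbols, matching the memo's intent that length and memorability replace complexity; the dictionary check applies only in the password band, since a passphrase is expected to be made of ordinary words.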
Changing your password
One of the largest problems facing institutions that require a periodic password change is assisting individuals who have forgotten their passwords. After all, in order to change your password you need to log in. In order to minimize this burden (to both the community and the LTS Help Desk), we have recently introduced a new method for self-service password reset for individuals who do not know their passwords.
By preregistering either a third-party, non-Brandeis email address, or a cell phone—or both—at https://identity.brandeis.edu/identity-manage/password_reset_data, you may reset your Brandeis password when you have forgotten it. Once you have set this information, you may reset your password by either cell phone or email. Visit https://identity.brandeis.edu/identity/reset_password2 to initiate a password reset using your cell or third-party email address. Note: security questions will be disappearing towards the end of 2015!
Timeline and upcoming changes
At the time of writing we have not yet locked in the date when existing passwords older than one year will begin to expire. We anticipate beginning this process in March and expect to phase it in over two or three months. Additional changes are listed below. Campus wide announcements will be made as these go into effect.
- Early January: Accounts that have not been used in two or more years will be “padlocked”: that is, they will have their passwords set to very long random strings to prevent misuse.
- Mid-January: We will begin enforcing the new password formation rules. Individuals will be provided with dynamic feedback on the password reset page.
- Mid-March: Accounts whose passwords have not been changed in over a year will begin to expire. We will probably phase in the expirations over a period of a couple of months; an announcement will be made to the community about the final schedule. Individuals will get warning notifications at the following intervals prior to password expiration: 6 weeks, 4 weeks, 2 weeks, 1 week, and daily until the password expires.
Author(s): Michael Corn
Published: January, 2015
[1] Security Ledger: https://securityledger.com/2012/12/new-25-gpu-monster-devours-passwords-in-seconds/
[2] A “brute force” attack is a simple attempt to log in using an enormous list of common passwords.
[3] Also known as the “bear rule”: when being chased by a bear, you don’t need to be faster than the bear, only faster than the guy next to you.
[4] Dropbox Tech Blog: https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/
[5] Mark Twain. Scientific American Vol. 22, No. 1, January 1, 1870.