Thursday, October 21, 2004

Password or phrase?

Robert Hensing from the Microsoft PSS Security Team is proposing a new method of accessing systems. Although using a passphrase instead of a password is nothing new, it is new when we are talking about general access control systems. At present a user authenticates using a username and password. In some cases you'll also need a token card because the system is using something like RSA SecurID, but for the most part it's username and password authentication only.

Robert, along with others, thinks that it is time to change and improve upon the current system. It is a bit like when the password file was readable by all users on a system: one day it was decided that this was a bad idea, and along came the shadow password system. Allowing users to use phrases instead of just a simple one-word password would increase security and stop accounts being compromised so easily, as users would no longer be using simple dictionary words, which helps to prevent dictionary-based attacks.

Various people within Microsoft are looking at this phrase method of authentication. Jesper M. Johansson has written a document about it that outlines some of the reasons why this change should be made, and it makes some interesting points. With the rise of worms that include password crackers and dictionaries, the amount of automated cracking taking place is also increasing.

Ensuring that AV software is constantly updated, that rules prevent certain words being used in passwords, or that passphrase authentication is adopted will help mitigate the effect that these worms have. The problem is that most people in the world who are not that computer literate have problems remembering passwords as it is. Although using tokens would be better, there are increased costs and some companies cannot afford to pay. Combined with the fact that most people would have problems using tokens, the passphrase approach would increase authentication security without the cost and complexity issues.

If more companies were aware of the need for better security, the people who have the authority to spend money might do so. At the moment, a lot of companies are not aware. Introducing phrase authentication instead of passwords in Windows would allow for some degree of increased security without any extra money being spent.

Users would rather not have to type longer passwords or phrases, but if they are forced to then of course they will. So it is the job of the security team and the administrators of a network to ensure that a decent policy is used. Windows has supported long passwords since Windows 2000, so using a phrase is not a problem.

I have already thought about this, but reading these articles also reminds me that it is not the complexity of a password or phrase that makes it more secure. It is the length. A shorter password needs to be made more complex to compensate, but a longer phrase of text increases the complexity by itself: the longer a password or phrase is, the more possible combinations there are, which of course increases the time required to crack it.

Using a long phrase, for example around 40 characters, would take a very long time to crack. It simply would not be worth it, and by the time an attack might have hit the jackpot, the password change policy would have ensured that the password had already been changed, so the attacker would be back to square one.
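To put numbers on the length-versus-complexity argument above, here is a small added calculator (my own example, not from the post or Microsoft's documents). It estimates the expected brute-force time for a short complex password, a 40-character phrase, and a phrase attacked word by word, and checks each against a password rotation interval. The guess rate and rotation period are constructed assumptions, not figures from the post.

```python
import math

# Assumed offline guess rate against a stolen hash (constructed figure, not from the post).
GUESSES_PER_SECOND = 1_000_000_000
SECONDS_PER_DAY = 86_400


def char_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random string: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def word_bits(words: int, dictionary_size: int) -> float:
    """Entropy if the attacker guesses whole dictionary words rather than characters.
    This is the realistic bound for a phrase built from common words."""
    return words * math.log2(dictionary_size)


def expected_crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Exhaustive search finds the secret after half the keyspace on average."""
    return (2.0 ** bits) / 2.0 / rate


def outlives_rotation(bits: float, rotation_days: int, rate: float = GUESSES_PER_SECOND) -> bool:
    """True when the expected crack time exceeds the password-change interval,
    i.e. the secret is likely to be rotated before the attacker hits the jackpot."""
    return expected_crack_seconds(bits, rate) > rotation_days * SECONDS_PER_DAY


def compare(rotation_days: int = 90) -> dict:
    """Three candidate secrets, scored under the same assumed attacker."""
    candidates = {
        # 8 printable ASCII characters (94 symbols): the classic "complex" password.
        "8-char complex password": char_bits(8, 94),
        # 40 lowercase letters and spaces (27 symbols), attacked character by character.
        "40-char phrase (per char)": char_bits(40, 27),
        # The same phrase seen as 7 words drawn from a 2000-word vocabulary.
        "7-word phrase (per word)": word_bits(7, 2000),
    }
    return {
        label: (round(bits, 1), expected_crack_seconds(bits) / SECONDS_PER_DAY,
                outlives_rotation(bits, rotation_days))
        for label, bits in candidates.items()
    }


if __name__ == "__main__":
    for label, (bits, days, ok) in compare().items():
        print(f"{label:28s} {bits:6.1f} bits  ~{days:.3g} days  outlives 90-day rotation: {ok}")
```

The word-level estimate is the caveat: a phrase of common words should be judged by the number of words, not characters, and it still comfortably outlasts a 90-day rotation where the 8-character password does not.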

For those of us who can type really fast, using a phrase would not be too much of an issue. People who type slowly would have to spend a little more time logging in. I'm sure that most administrators with half a clue about security would consider this side effect acceptable for some people when judged against the increased security provided.

It's not only Microsoft products that should adopt this approach. It would allow for even more security on other operating systems. In the same way, if the password file were obtained, it would not be feasible to try and crack the passwords if a good change and complexity policy were in use. Maybe Microsoft should ensure that a longer minimum length is enabled by default to help the use of longer phrases spread.

Policies have been available on various systems for a long time, but they have not been used very often, or only in limited form, such as not being allowed to reuse a previous password. Complexity rules are not used as much on Windows systems, and most UNIX-based systems I've used don't enforce any complexity requirements at all: you get warned about complexity but can ignore it and use the password you want anyway.

This could be the start of a change like the one we saw when people stopped using authentication systems that sent credentials in clear text. Soon we could have the same thoughts about passwords as they are now that we have about plain-text authentication.

Post ID: 542, posted by jase at 07:46 PM