At least yours shouldn’t. Your enterprise should not care
about the 10,000 most common passwords, and the reason is “unbelievable”! Of
the 10,000 most common passwords, only 10 had 12 or more characters. Perhaps
that statistic is not surprising, but “unbelievable” itself was one of those
10 (1 password, or 10% of the passwords that were 12 characters or longer)!
Not a single one of the passwords met the typical length and complexity
requirements most enterprises inflict upon their employees.
The one 18 character password on the list was “films+pic+galleries”,
and it was almost certainly orders of magnitude stronger than any 14 character
password used in your organization, unless it was a category on the TV game
show Jeopardy. I say “almost certainly” because there are probabilities that
can make a longer password with equivalent entropy weaker than its shorter
counterpart. You are not going to be able to do much about enforcing entropy
and probability controls on the passwords your users create, though. I will
discuss what I mean about probability factoring into password cracking in
another blog.
Rules requiring a password with at least 12 characters and multiple
character sets encourage the use of passwords that are exactly 12 characters
long. They also result in the creation and use of short passwords with
predictable formats, such as a number or a symbol preceding or trailing a
single word. What is the difference between the passwords “techniques” and
“1Techniques&”? Not much. Perhaps a few seconds of cracking time?
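As an added example (not part of the original post): the typical 12-character, three-class rule placed beside a screen that strips the predictable leading and trailing decoration such rules encourage and checks the remaining core word against a common-password list. The list below is a constructed sample standing in for the real top-10,000 list, which the post does not reproduce.

```python
import re

# Constructed sample standing in for a "most common passwords" list;
# the real top-10,000 list is not reproduced in the post.
COMMON_PASSWORDS = {
    "password", "123456", "techniques", "incredible",
    "unbelievable", "films+pic+galleries",
}

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def meets_typical_policy(pw, min_len=12, min_classes=3):
    """The typical enterprise rule: at least min_len characters and at
    least min_classes of the four character classes present."""
    classes = sum(1 for p in CLASS_PATTERNS if re.search(p, pw))
    return len(pw) >= min_len and classes >= min_classes


def core_word(pw):
    """Undo the decoration complexity rules encourage: strip digits and
    symbols stuck on the front or back of a word, then lowercase it."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw).lower()


def screen(pw, common=COMMON_PASSWORDS):
    """Return (accepted, reason). A password is rejected when its core
    word is a common password, even if it satisfies the complexity rule."""
    if core_word(pw) in common or pw.lower() in common:
        return False, "core word is a common password"
    if not meets_typical_policy(pw):
        return False, "fails length/complexity rule"
    return True, "accepted"


def count_long(passwords, min_len=12):
    """How many entries of a list reach the length floor (the post's
    statistic: 10 of the top 10,000 reached 12 characters)."""
    return sum(1 for p in passwords if len(p) >= min_len)


if __name__ == "__main__":
    for pw in ("techniques", "1Techniques&", "^incredible1",
               "films+pic+galleries"):
        print(f"{pw!r}: policy={meets_typical_policy(pw)} screen={screen(pw)}")
```

Note that “1Techniques&” passes the complexity rule but is rejected by the screen, while “films+pic+galleries” fails the complexity rule despite its length, which is the mismatch the post describes.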
Recently NIST adopted new password guidelines that security experts
have long been advocating – dump complexity for length and don’t make users
change their passwords frequently. In simple terms, don’t make me use
“^incredible1” for a password and then swap “incredible” for another 10 letter
word three months later. Trade complexity for length. It’s a win for all
concerned.
I talked about passphrases in a previous
blog, but I did not touch on passphrase token attacks. These are techniques
that exploit common weaknesses of passphrases. That does not mean the actual
strength of a passphrase is less than that of a 12, or even 16, character
password though. In another blog I’ll delve into token attacks and then
provide easy ways to mitigate them. For now, take a deep breath... Your users
are probably not using very many of the rest of the top one million most
commonly used passwords, because those probably don’t meet your password
strength criteria.
Randy Abrams
Independent Security Analyst