3. PASSWORD PRINCIPLES
Password Rules
Although password rules have evolved since their inception, the most commonly used password rules fall into two broad categories: strength rules and management rules. Strength rules apply during password creation. Management rules apply after a password has been created. The password rules adopted for this module are derived from their use in practice as discussed by Zhang-Kennedy et al.
Strength Rules
The following are the strength rules:
- S1: Length: Password policies typically require a length of at least 8 characters. There is considerable variability: some organizations require a shorter length (e.g., a 4-digit PIN) while others enforce longer passwords (e.g., at least 8, 12 or 15 characters, or an exact length). A password length policy prevents users from choosing passwords that are too short.
- S2: Composition: A composition rule restricts what types of characters must be used. A password composition policy typically requires passwords to contain characters from one or more of the following sets:
○ Uppercase characters
○ Lowercase characters
○ Base 10 digits
○ Non-alphanumeric ASCII characters
A password composition policy prevents users from choosing passwords that are too simple.
- S3: Blacklist: Some organizations prohibit the use of dictionary words because human-chosen passwords are susceptible to dictionary password guessing attacks (in which attackers guess from a dictionary or from a list of high-probability candidate passwords). Others enforce this rule by prohibiting the use of the most common passwords. For example, users could be prohibited from choosing passwords from a blacklist of the top 1000 most frequently used passwords. Typically, lists of the most commonly used passwords are obtained from leaked datasets (e.g., RockYou).
Management Rules:
- M1: Change-it-often: requires users to change their passwords at a set interval (e.g. 90 days)
- M2: Do-not-reuse: do not use the same password across multiple accounts; a password leaked from a weakly protected site can then be used against every account that shares it
- M3: Do-not-write it down: intended to prevent local attacks from friends, co-workers, family, or other onsite observers
- M4: Do-not-share-it-with-anyone: Users are advised to not share their passwords with anyone. The security reasons seem obvious, but user practice indicates that passwords are frequently shared with close family members and colleagues. Some security experts argue that password sharing may be appropriate under certain circumstances, such as during account recovery or in an emergency situation.
Updated Password Rules:
- Updated S1-S3 – Create-strong-and-memorable mnemonic-passwords: Create strong, easy-to-remember passwords from original mnemonic phrases. Passwords should (1) be at least 8 characters long and (2) not be a commonly used password (e.g., ‘123456’, ‘password’), a predictable character substitution (e.g., ‘pa$$w0rd’), or a dictionary word.
- Updated M1 – Change-your-password-well: Change your password if you suspect that a service has been compromised. Create a new password that is not derived from a compromised password.
○ In general, M1 (change-it-often) is not recommended. According to Zhang-Kennedy, forced password expiration causes extreme annoyance and fatigue for users and has few security benefits. It provides minimal protection against access to an account by an attacker who has captured the account’s expired password. Users tend to make simple modifications to an existing password (e.g., password1, password2, password3) when the password is changed, allowing attackers to guess the new password based on knowledge of the old password.
- Updated M2 – Strategically-reuse-passwords: Categorize accounts based on their importance. Use unique passwords for high-value accounts (e.g., banking). Only reuse passwords for low-value accounts.
- Updated M3 – Keep-written-down-passwords hidden: Store written-down passwords or password hints in a secure place hidden from view. However, it is important to note that the practice might be against the rules for some companies, and storing passwords securely on the job might be a challenging issue. Custodians and other workers might have access to a user’s office.
- Updated M4 – Share-passwords-with-caution: Share passwords with family, friends, or colleagues with caution. Change your password when the sharing obligation ends.
Problem: The previous section describes the characteristics of a good password and how password rules have evolved in recent years. It also implies that there is no foolproof method to construct a password and keep it 100% private.
An Example Password Algorithm/Scheme
There are a variety of methods to construct passwords. Yan et al. (2000) recommend using mnemonic-based passwords, where a character (commonly the first letter) from each word of a memorable phrase is selected to form the password. Mnemonic-based passwords are as memorable as naively selected passwords but are as difficult to guess as randomly chosen passwords. It is important to avoid selecting common phrases from popular sources, because an attack dictionary could be compiled for mnemonic-based passwords. However, building a comprehensive mnemonic dictionary is non-trivial due to the large search space of possible phrases. Consequently, mnemonic dictionary attacks have lower success rates and are less commonly deployed by attackers than regular dictionary attacks.
A few illustrative examples of how this process is used to construct a password are now provided. The steps are: (1) select a memorable phrase, preferably one that is not commonly used; (2) take the first letter of every word in the phrase and include the punctuation; for variety, throw in extra punctuation or write numbers as digits. Here are some examples:
Password  | How to remember it
----------|----------------------------------------
Mrci7yo!  | My rusty car is 7 years old!
2emBp,1ib | 2 elephants make bad pets, 1 is better
ItMc?Gib  | Is that MY coat? Give it back.
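The two-step procedure above (first character of every word, punctuation kept, numbers written as digits) is mechanical enough to script. The following is an added example, not code from the original module or from Yan et al.; the number-word table is an assumption added here for the "change numbers into digits" step. It reproduces the first table row exactly; the capital B in the second row and the dropped final period in the third are the kind of manual "variety" tweaks the text suggests, which a generator cannot invent for you.

```python
import re

# Assumed helper (not in the original text): spelled-out numbers become digits.
NUMBER_WORDS = {
    "zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
    "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9", "ten": "10",
}

# A "word" is a run of letters/digits; a "punctuation run" is anything that is
# neither a word character nor whitespace. Underscores are dropped entirely.
TOKEN = re.compile(r"[^\W_]+|[^\w\s]+")


def mnemonic_password(phrase: str) -> str:
    """Derive a mnemonic password from a memorable phrase.

    Rules applied, in the order the text gives them:
      1. take the first character of every word (case preserved, so 'MY' -> 'M');
      2. keep punctuation attached to or between words ('old!' -> 'o!');
      3. write numbers as digits ('seven' -> '7'; an existing '7' stays '7').
    """
    pieces = []
    for token in TOKEN.findall(phrase):
        if token[0].isalnum():
            # a word or a number: digit form if it is a number word, else first char
            pieces.append(NUMBER_WORDS.get(token.lower(), token[0]))
        else:
            # punctuation run: kept verbatim
            pieces.append(token)
    return "".join(pieces)


if __name__ == "__main__":
    # Constructed sample phrases, including the table's own first and third rows.
    for phrase in (
        "My rusty car is 7 years old!",
        "Two elephants make bad pets, one is better",
        "Is that MY coat? Give it back.",
    ):
        print(f"{mnemonic_password(phrase):<12} <- {phrase}")
```

Because the phrase is the secret, the usual warning applies: a line from a famous song or quotation is exactly what a mnemonic attack dictionary is built from, so the phrase should be original to you.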
How to determine the strength of your password?
The following is a partial list of some checks you might perform to determine the strength of your password:
- Memorability check: you should be able to remember the password
- Length check: the password should be at least eight characters long; generally, the longer the password, the stronger it will be, up to whatever the system allows (Windows XP, for example, allows up to 127 characters)
- Alphanumeric character check: the password should include both letters and numbers
- Upper- and lower-case letters check: the password should include both upper and lowercase letters
- Punctuation and non-alphanumeric character check: it should include one or more characters, such as #, $, !, @ and punctuation marks, such as the period and comma.
- Dictionary check: the password, and simple variants of it (a digit appended, predictable character substitutions such as ‘pa$$w0rd’), should not appear in a dictionary or in a list of commonly used passwords
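The strength rules S1-S3 earlier in this section and the checklist just above describe the same three mechanical tests: length, character-class composition, and a blacklist lookup. The following is an added example that implements all three, written for this page rather than taken from the original module or from any of the cited papers. The common-password set and the dictionary are tiny constructed stand-ins for a leaked-password list (e.g., RockYou) and a real word list, and the leet-substitution table is an assumption added here. The one part worth studying is that the blacklist lookup is done on a normalized form of the password, so that ‘pa$$w0rd’ and ‘Password1’ are rejected as the common password they are built from, which a naive exact-match blacklist would miss.

```python
import re

# Constructed stand-ins for real lists (a deployment would load the full files).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "iloveyou", "welcome", "admin"}
DICTIONARY_WORDS = {"dragon", "monkey", "sunshine", "football", "welcome", "password"}

# Predictable substitutions undone before lookup, so 'pa$$w0rd' is judged as
# 'password'. Assumed mapping, added for this example.
LEET_TABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                            "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Reduce a candidate to the base word an attacker would try first:
    lower-case, strip trailing digits/punctuation (password1, password2, ...),
    then undo leet substitutions."""
    base = re.sub(r"[\d\W_]+$", "", password.lower())
    return base.translate(LEET_TABLE)


def check_strength(password: str, min_length: int = 8, min_classes: int = 3) -> list:
    """Apply S1 (length), S2 (composition) and S3 (blacklist).
    Returns the list of failed rules; an empty list means the password passes."""
    failures = []

    # S1: length
    if len(password) < min_length:
        failures.append(f"S1 length: {len(password)} < {min_length}")

    # S2: composition, counted over the four character sets the text lists
    classes = {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c.isascii() and not c.isalnum() for c in password),
    }
    present = sum(classes.values())
    if present < min_classes:
        failures.append(f"S2 composition: {present} of 4 classes, need {min_classes}")

    # S3: blacklist, checked on both the raw and the normalized form
    base = normalize(password)
    if password.lower() in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        failures.append("S3 blacklist: common password (after undoing substitutions)")
    elif base in DICTIONARY_WORDS:
        failures.append("S3 blacklist: dictionary word")

    return failures


if __name__ == "__main__":
    # Constructed candidates: the table's first mnemonic, plus the classic failures.
    for candidate in ("Mrci7yo!", "pa$$w0rd", "Password1", "Dragon99!", "abc"):
        result = check_strength(candidate) or ["ok"]
        print(f"{candidate:<10} {'; '.join(result)}")
```

The memorability check in the list is the one this cannot automate; it is also the reason the mnemonic scheme exists, since a password that passes every mechanical test but gets written on a sticky note has traded one rule for another.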
The following video (Edward Snowden on Passwords) details some of the dangers of a weak password, as well as some suggestions for creating secure passwords.