Perhaps unsurprisingly, this process of allowing one group of individuals access to something, while denying it to other groups (i.e., everyone else), creates a tension between ease of access and level of protection. The easier you make it for the "good" group to access the protected asset, the less likely it is that you will be able to deny access to every member of the "bad" group (hence the "satisfactory" part in the original definition). If you want to deny access to 100% of the "bad" group, you are correspondingly going to make it quite difficult for members of the "good" group to gain access. This give and take between the "control" and "access" of controlled access to assets holds at pretty much every level of security. What this implies is that security is not a destination; it is a multi-layered synthesis of processes and principles all working (hopefully) together for the common goal of protecting assets. For the curious, here is a glossary of security related terms.
With this baseline introduction to security in place, I wish to focus on the security subtopic commonly known as "passwords" (alternative labels include "passphrase," "passcode," "keyphrase," "keys" and several other pseudonyms). In this case the asset protected is typically a digital asset, and the password is the key to the protection mechanism; in such a system passwords are the first (and, unfortunately, often the only) line of defense. A privileged user is authenticated to access the asset (given permission) by virtue of knowing the password. Other users are denied access by virtue of not knowing, or not being able to guess, the password. Note that access to the protected asset might be obtained through other means, but this would require a detailed discussion of protection mechanisms that is not really suitable here.
Attributes of Effective Passwords
Already we can gain quite a bit of insight into the strengths and weaknesses of a system that uses passwords to authenticate users.
Passwords are more effective when...
- they are more complicated (random) because this makes them harder to guess.
- what each one protects is limited in scope, because fewer assets protected by a password means fewer assets are at risk if an attack on that password succeeds.
- fewer people know a password because there is less risk of exposure, accidental or deliberate. For critically important passwords this has the disadvantage that an attacker can choose a narrower focus of attack - one reason the U.S. President wanders around with Secret Service bodyguards all the time, a good thing since he holds the primary key to the USA nuclear arsenal.
- they are spread across multiple people, because this reduces the risk that one individual can or will abuse their asset privileges if all are required to be present when it is used.
- they are provided to the authentication mechanism in such a fashion as to prevent (or at least make difficult) external observation.
- they are not written down, a corollary of the above that helps to make observation of the password difficult.
- they are not logged, recorded or stored by the authentication system (not even failed attempts), another corollary to help make observing a password difficult. Passwords are commonly stored in a "one-way" (hashed) form; this reduces an attacker's ability to recover the password from the stored value.
- they are changed often, because regularly changing passwords prevents an attacker from continuing to use a known password for an unlimited time in the future.
Not all of the strengths and weaknesses we just discussed are readily apparent to the normal computer user. It says something about human nature that, on systems that allow users to select their own passwords with no guidance or restrictions on the chosen value, the most common password chosen is "123456", with "password" and "stupid" close runners-up. This inherent weakness in choosing good passwords is one reason many companies have a "password policy" in place for their computer users.
If you're unfamiliar with the term "password policy," then you should understand that it is a set of rules, primarily enforced by the computer itself, intended to push users toward creating relatively secure passwords. Most modern computer systems contain software that helps IT manage the kinds of passwords that are acceptable and how often the user must change their password. The fact that the computer will do most of the enforcement grunt work makes corporate management of passwords a snap. As an example, here is a password policy that your IT group may enforce:
Password Policy for XYZ Corp:
- Must be changed every 90 days.
- Must have between 8 and 20 characters.
- Must use both lower and UPPER case letters.
- Must use at least two digits or symbols.
- Cannot be a password you have used in the past.
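The XYZ Corp policy above, together with the earlier point that the authentication system should keep passwords only in a one-way (hashed) form, is concrete enough to write down as code. The following is an added example, not code from the original post: it enforces the five rules and keeps the "used in the past" history as salted PBKDF2 hashes rather than plaintext, so the history itself cannot leak old passwords. The history depth, the PBKDF2 parameters, and the rule that "digits or symbols" means any non-letter character are my assumptions; the policy values (90 days, 8 to 20 characters, mixed case, two non-letters, no reuse) are the ones listed above.

```python
import hashlib
import secrets

# Policy values from the XYZ Corp example above.
MAX_AGE_DAYS = 90
MIN_LEN, MAX_LEN = 8, 20
# Assumptions (not stated on the page): how many old hashes to remember and
# how expensive the one-way hash is.
HISTORY_DEPTH = 10
PBKDF2_ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Salted, one-way hash of the password. Only (salt, digest) is ever
    stored; the plaintext is discarded after this call returns."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def matches(password, salt, digest):
    """Re-derive the hash with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return secrets.compare_digest(candidate, digest)


def check_policy(candidate, history):
    """Return the list of policy rules the candidate violates.

    An empty list means the candidate is acceptable. `history` is a list of
    (salt, digest) pairs for previously used passwords."""
    problems = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append(f"length must be between {MIN_LEN} and {MAX_LEN} characters")
    has_lower = any(c.islower() for c in candidate)
    has_upper = any(c.isupper() for c in candidate)
    if not (has_lower and has_upper):
        problems.append("must use both lower and UPPER case letters")
    # Assumption: "digits or symbols" means any character that is not a letter.
    if sum(1 for c in candidate if not c.isalpha()) < 2:
        problems.append("must use at least two digits or symbols")
    # Reuse check works purely on hashes; old plaintexts are never kept.
    if any(matches(candidate, salt, digest) for salt, digest in history):
        problems.append("cannot be a password you have used in the past")
    return problems


def must_change(days_since_last_change):
    """The 90-day rule: True once the current password has reached its age limit."""
    return days_since_last_change >= MAX_AGE_DAYS


def rotate(history, new_password):
    """Apply the policy; on success append the new hash and trim old records.

    Returns (accepted, problems)."""
    problems = check_policy(new_password, history)
    if problems:
        return False, problems
    history.append(hash_password(new_password))
    del history[:-HISTORY_DEPTH]
    return True, []


if __name__ == "__main__":
    hist = []
    print(check_policy("123456", hist))     # several violations
    print(rotate(hist, "Pa$$w0rd"))          # accepted: the policy cannot see it is a trivial variant
    print(rotate(hist, "Pa$$w0rd"))          # rejected: already in the hashed history
```

Note what the checker does and does not catch: "123456" and "password" are rejected, but "Pa$$w0rd" sails through, which is exactly the limitation the policy has. The reuse rule only bites once the history holds the hash, and because the history stores salted hashes, an attacker who obtains the history file still has to run the same one-way computation for every guess.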
If you are a corporation (especially a public corp), the officers of the company actually have a legal obligation to protect the corporate assets; failure to do so (or rather failure to make reasonable attempts at doing so) means that you, the officer, or you, the corporation, can lose all sorts of rights and/or open yourself to all sorts of trouble (often in the form of lawyers serving papers, undesirable stock action or both - multiplexed). A public corporation that fails to reasonably protect its assets is just asking for a shareholder's lawsuit. This protection requirement extends to and includes corporate digital assets (a phrase that really means "bits stored on some hard drive somewhere (and, by the way, the latter had better be owned or controlled by the company, or a serious looking man (woman) in a pinstripe suit (dress) is going to be dispatched somewhere as soon as we know where we're going to send him (her))") and in certain situations may have even more egregious requirements than physical assets. Just examine the actions of the RIAA "on behalf of music artists" for the last decade or two if you don't believe me (what a great business idea, sue your customers).
Strangely, one of the best and easiest ways to show your shareholders (or the judge) that you are taking seriously the protection of your digital assets is to have your IT department put into place a password policy similar to the one above. There is more than this, of course, but a question similar to, "Does your company have a password policy?" will invariably be one of the first questions asked; followed closely by, "What actions does your company take to enforce such a policy?"
Of course, under your newly minted policy the most likely password in the above system may now be "Pa$$w0rd" but at least you tried (besides, the first and last policy guidelines listed above will at least ensure that the obvious alternatives to common passwords will be flushed out of the system fairly quickly).
An IT security professional will need to be careful, however. Aggressive policies can actually work against you. Forcing users to frequently create new passwords increases the chance that they will act against you in other ways (i.e., writing the password on a sticky note they then tack to the bottom of their screen). The best password systems automate as much of this as possible.
To reiterate: from the user's perspective, the best system is an easy to remember password that is trivial to use. From the security perspective, the ideal password is a randomly generated password that may be used exactly once; a different password is required for each successive authentication for an asset. Such a system exists, but the cost is fairly high. Thankfully, competitors are starting to offer lower priced alternatives.
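The "used exactly once" system described above is what a one-time-password token implements. As an added illustration (not code from the original post, and the post does not name any particular scheme), here is the counter-based HOTP algorithm from RFC 4226, which is one standard realization of it: the token and the server share a secret, each code is derived from the secret and a counter rather than drawn fresh at random, and the server refuses any code whose counter it has already consumed, which is what makes each code single-use. The `HardwareToken` and `OneTimePasswordVerifier` class names and the look-ahead window size are my own choices; the RFC 4226 test secret is used for the demonstration.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to a 31-bit integer, then reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % 10 ** digits).zfill(digits)


class HardwareToken:
    """The user's side: every press produces the code for the next counter,
    so the same password is never shown twice."""

    def __init__(self, secret):
        self.secret = secret
        self.counter = 0

    def next_code(self):
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class OneTimePasswordVerifier:
    """The server's side: accepts a code at most once and only moves the
    counter forward. `look_ahead` (an assumption, not from the RFC's
    mandatory text) tolerates a few presses the server never saw."""

    def __init__(self, secret, look_ahead=5):
        self.secret = secret
        self.next_counter = 0
        self.look_ahead = look_ahead

    def verify(self, code):
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                # Every counter up to and including c is now burned, so a
                # replay of this code (or of any skipped one) is rejected.
                self.next_counter = c + 1
                return True
        return False


if __name__ == "__main__":
    # Constructed demo using the RFC 4226 test secret.
    shared = b"12345678901234567890"
    token, server = HardwareToken(shared), OneTimePasswordVerifier(shared)
    first = token.next_code()
    print(first, server.verify(first))   # 755224 True
    print(first, server.verify(first))   # 755224 False (replay refused)
```

Run stand-alone, the script shows the same code being accepted once and refused on replay. Two things worth noticing from a defender's view: the secret never travels over the wire (only six digits do), and the server-side counter is state that must be persisted and protected, since rolling it back would resurrect already-used codes.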
If you are a private citizen you don't have the same legal responsibility to protect personal assets (i.e., someone can steal from you and may be prosecuted even if you didn't lock your front door), and such assets are not normally protected by passwords anyway. This doesn't mean that you shouldn't pay attention to these password issues. You still need to take reasonable action (if only out of self interest) in selecting passwords for your bank accounts, utility accounts, mortgage accounts and any internet retailers you frequent.
An exercise for the reader: are password policies the cause for such idiomatic trash as 1337 $934|< (elite speak)?