Strong Password Policy is Mandatory for Organisation

In recent news, on 18th May 2016, LinkedIn lost 167 million account credentials in a data breach. After that, LinkedIn's CEO published a blog post saying:

Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012. We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach. We take the safety and security of our members' accounts seriously. For several years, we have hashed and salted every password in our database, and we have offered protection tools such as email challenges and dual factor authentication. We encourage our members to visit our safety center to learn about enabling two-step verification, and to use strong passwords in order to keep their accounts as safe as possible.

Though LinkedIn is taking measures to contain the breach, the damage has been done, and many users will have been compromised because of it. A survey by an IT firm in 2015 found that 67% of organizations have a password policy or standard. This clearly indicates that organizations have started treating password management as one of the key areas of security. The password is an important aspect of enterprise security, and enforcing stringent password policy rules should be standard for every organization in the world.

A password is no longer just an MD5/SHA1/SHA256 value stored in a database; it is more than that. It is very important for an organization to understand the various aspects of a password. The following aspects need to be considered seriously:

  1. Length
  2. Complexity
  3. Expiration
  4. Strength

Length

The length of the password is one of its most important attributes. From a brute-force perspective, the longer the password, the more time it takes to determine it. It is very important from an organization's perspective to enforce a minimum password length; this ensures that all employees within the organization are forced to set a longer password. As per the NIST Guide to Enterprise Password Management, if the length of a password is increased from 4 to 12 characters, given a character set of 26 characters, the number of possible combinations increases by about 200 billion times.

According to the NIST draft paper, keyspace is the total number of possible values that a key, such as a password, can have. For example, a four-digit PIN could have any of 10 different values (0 through 9) for each of its four characters: the keyspace would be 10^4, or 10,000 (i.e., 0000 through 9999). The following table provides an insight into keyspaces for various password lengths.

[Table: keyspace for various password lengths]

In the case of the Sony data breach in 2011, analysis of the hacked users' passwords found that more than 50% of users had a password shorter than 8 characters (https://www.troyhunt.com/brief-sony-password-analysis/).

Complexity

The complexity of a password is defined by the different types of characters used in it. The types of characters could be:

  1. Uppercase
  2. Lowercase
  3. Special Characters
  4. Numbers

The special characters consist of:

~!@#$%^&*()_+|}{][":';?><,./

The administrator, as part of the organization's policy, can enforce that the password consists of the characters described above. The administrator can mandate that:

  1. The password should have at least 1 uppercase letter.
  2. The password should have at least 1 number.
  3. The password should have at least one of the special characters.

Apart from the above rules, the administrator can add additional rules to increase complexity:

  1. User’s first name/last name should not be part of the password
  2. Organisation name should not be part of the password
  3. Blacklist common words or words that can be guessed easily
  4. None of the previous N passwords can be set as the new password

Such complex rules make setting a password a tough task for the end user, but they also reduce the risk of the password being cracked by hackers.
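As an added example, not code from the original post, the complexity and history rules above combined into one validator. The minimum length of 12, the history depth of 5, the blacklist words and the salted PBKDF2 storage of history entries are assumptions made here.

```python
import hashlib
import hmac
import os

# Special characters as listed on the page (straight ASCII quotes in place of the curly ones).
SPECIALS = set("~!@#$%^&*()_+|}{][\":';?><,./")
PBKDF2_ROUNDS = 100_000


def history_entry(password):
    """Salted PBKDF2 hash kept in the password history; the plaintext is never stored."""
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def matches_entry(password, entry):
    """Constant-time comparison of a candidate against one stored history entry."""
    salt, digest = entry[:16], entry[16:]
    recomputed = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(recomputed, digest)


class PasswordPolicy:
    def __init__(self, min_length=12, history_size=5,
                 blacklist=("password", "welcome", "qwerty", "letmein")):
        self.min_length, self.history_size, self.blacklist = min_length, history_size, blacklist

    def check(self, candidate, first_name, last_name, org_name, history):
        """Return the rules the candidate violates; an empty list means it is accepted."""
        problems = []
        if len(candidate) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if not any(c.isupper() for c in candidate):
            problems.append("no uppercase letter")
        if not any(c.isdigit() for c in candidate):
            problems.append("no digit")
        if not any(c in SPECIALS for c in candidate):
            problems.append("no special character")
        lowered = candidate.lower()
        for label, word in (("first name", first_name), ("last name", last_name),
                            ("organisation name", org_name)):
            if word and word.lower() in lowered:
                problems.append(f"contains {label}")
        for word in self.blacklist:
            if word in lowered:
                problems.append(f"contains blacklisted word '{word}'")
        # Only the most recent N entries count, so the history can be an append-only list.
        if any(matches_entry(candidate, e) for e in history[-self.history_size:]):
            problems.append(f"matches one of the previous {self.history_size} passwords")
        return problems
```

A call such as `PasswordPolicy().check("janedoe2016!abcd", "Jane", "Doe", "Acme", history)` returns every violated rule at once, so the user can fix all of them in one attempt.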

Returning to the Sony breach example, only 4% of users had three different types of characters in their password.

Expiration

One of the common best practices that IT security teams in an organization follow for passwords is a password expiration interval. It is one of the practices followed by most organizations. Typically 30 or 45 days is chosen as the maximum age of a password, and users are forced to change their password at the end of that period.

The basis of such a rule is to ensure that if a hacker has obtained a user's password by some means, the user will have changed it by the time the hacker uses it. This is based on the assumption that hackers typically don't use a stolen password immediately to break into the user's account, an assumption drawn from a series of such hacks in the past.

Considering the technologies available today, this assumption may not hold true, as hackers try to use the password immediately to cause damage and may not wait for days as before. Nevertheless, it is good to have an expiration policy to ensure the user doesn't keep the same password forever.

Strength

Password strength is a score given to a user's password based on various parameters of how the password is formed; in other words, how difficult it is for an attacker to guess or retrieve the password through a brute-force approach. According to Wikipedia, the following parameters can be used to calculate password strength:

  1. Complexity of Password
  2. Length of Password
  3. Unpredictability

Some of the findings of the analysis of the 37,608 user passwords from the Sony breach, on the basis of length, character types, randomness, and uniqueness, are as follows:

  1. 93% of accounts had passwords between 6 and 10 characters long, which is fairly predictable, and 50% of these were less than eight characters.
  2. 4% of passwords had three or more character types.
  3. Half of the passwords had only one character type, and nine out of ten of those were all lowercase.
  4. Less than 1% of passwords contained a non-alphanumeric character.
  5. One-third of passwords conformed to a relatively predictable pattern.
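As an added example, not from the original post, the keyspace calculation from the NIST paragraph above, a strength score built from the complexity and length parameters listed under Strength, and an audit that reproduces the Sony-style statistics over a constructed sample list. The sample passwords, the class sizes and the median-bits metric are assumptions made here, not figures from the post.

```python
import math
import string

# Character classes with the size of each; the special set is the one listed on the page.
SPECIAL = "~!@#$%^&*()_+|}{][\":';?><,./"
CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "special": (set(SPECIAL), len(SPECIAL)),
}

def classes_used(password):
    """Names of the character classes that appear in the password."""
    return {name for name, (chars, _) in CLASSES.items() if any(c in chars for c in password)}

def keyspace(password):
    """Alphabet size ** length, the alphabet being the union of the classes actually used."""
    alphabet = sum(CLASSES[name][1] for name in classes_used(password))
    return alphabet ** len(password)

def strength_bits(password):
    """The keyspace in bits: the work an exhaustive search must cover."""
    return math.log2(keyspace(password))

def audit(passwords):
    """Aggregate statistics in the style of the Sony breach analysis quoted above."""
    n = len(passwords)
    used = [classes_used(p) for p in passwords]
    single = [u for u in used if len(u) == 1]

    def pct(k, total=n):
        return round(100 * k / total)

    return {
        "pct_6_to_10_chars": pct(sum(6 <= len(p) <= 10 for p in passwords)),
        "pct_under_8_chars": pct(sum(len(p) < 8 for p in passwords)),
        "pct_3_or_more_types": pct(sum(len(u) >= 3 for u in used)),
        "pct_single_type": pct(len(single)),
        "pct_single_type_lowercase": pct(sum(u == {"lower"} for u in single), len(single) or 1),
        "pct_non_alphanumeric": pct(sum("special" in u for u in used)),
        "median_bits": round(sorted(strength_bits(p) for p in passwords)[n // 2], 1),
    }

# Constructed sample, not real breach data: common weak choices beside one compliant password.
SAMPLE = ["password", "letmein", "123456", "qwerty1", "Summer2016",
          "Tz7#qLm!vR2p", "ILOVEYOU", "abc12345", "Welcome1", "monkey"]
```

Running `audit(SAMPLE)` on a real password-reset export (never on plaintext kept around afterwards) gives the same length and character-type breakdown the Sony analysis reports, and `keyspace("1234")` reproduces the 10,000-value PIN keyspace from the NIST example.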