Throughout most of my 30-year IT career, the most basic password policy best practices have remained largely unchanged. While there is something to be said for consistency, the idea that certain practices have been recommended for three decades or more is a bit unsettling--to say the least. When an industry holds onto a practice for such a long time, it raises the question of whether that practice is outdated. One also has to ask whether some of the basic security best practices that have been in place for what seems like forever were misguided from the very beginning.
Microsoft recently drew a mixture of praise and sharp criticism when the company announced that it no longer recommends periodic password changes. This announcement garnered a lot of attention, but there are other aspects of Microsoft’s current password recommendations for Office 365 that might best be described as counterintuitive. These include:
- Maintain an eight-character minimum length requirement. (Longer isn't necessarily better.)
- Don't require character composition requirements.
- Don't require mandatory periodic password resets for user accounts.
So, as you can see, Microsoft's password policy best practices no longer recommend periodic password changes or mandatory special characters. Microsoft has even gone so far as to state that longer passwords are not necessarily better. So, what gives?
According to Microsoft, rules have a way of normalizing passwords. "Normalizing" refers to the practice of taking an input string and converting it into a standardized format. When a user enters a phone number into a VoIP phone, for instance, the user might enter a long string of numbers (8005551234), they might use dashes (800-555-1234), or they might even use parentheses and dashes combined ((800) 555-1234). A VoIP application will typically use normalization techniques to convert the user's input--whatever it may be--into a standardized format that the underlying software can use.
Password rules do the same sort of thing to passwords: they push everyone's choices toward the same few shapes. Suppose that an organization requires passwords to be at least eight characters in length and to contain at least one uppercase letter, at least one lowercase letter, a special symbol, and at least one number. Anyone who knows these rules, including an attacker, can use them to eliminate a lot of potential passwords without trying them. A password cracker can be configured to skip any candidate shorter than eight characters, and to skip any string that is all lowercase letters or all digits, because the policy guarantees no valid password looks like that. The strings the rules exclude outright are only a small fraction of the search space; the far larger saving comes from the next point, which is that the rules tell the attacker what the remaining passwords will probably look like.
The previously referenced Microsoft document also mentions that it is critically important to take human nature into account when devising a password policy. If, for example, a password policy requires the use of a capital letter, then there is a very good chance that a user will use a capital letter as their password's first character. After all, we have all been conditioned from an early age to start sentences with a capital letter and to capitalize the first letter of proper nouns. The same goes for the other requirements: the required digit and symbol tend to land at the end of a dictionary word, so a policy meant to force variety ends up describing a template.
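The following is an added example, not code from the article or from Microsoft, showing how an attacker turns the composition policy described above into a search filter. The policy (eight characters, four character classes) and the symbol set are constructed for the demo, the sample "leaked" hashes are unsalted SHA-256 of constructed passwords, and the candidate generator encodes the human habit the text describes: a capitalised dictionary word followed by one digit and one symbol. Anything the policy would reject is never hashed, and the keyspace comparison at the end shows how much smaller the policy-shaped search is than the nominal eight-character space.

```python
import hashlib
import string
from typing import Dict, Iterable, Iterator, Set

# Constructed policy mirroring the one described above: eight characters minimum,
# at least one upper-case letter, one lower-case letter, one digit and one symbol.
MIN_LEN = 8
SYMBOLS = "!@#$%^&*"  # assumed symbol set for the demo


def sha256_hex(pw: str) -> str:
    # Unsalted SHA-256 stands in for whatever format the real hashes are in.
    return hashlib.sha256(pw.encode()).hexdigest()


def complies(pw: str) -> bool:
    """True when pw satisfies the composition policy above."""
    return (len(pw) >= MIN_LEN
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in SYMBOLS for c in pw))


def policy_shaped_candidates(words: Iterable[str]) -> Iterator[str]:
    """Candidates a cracker tries first once it knows the policy: a dictionary
    word with its first letter capitalised, plus one digit and one symbol at
    the end in either order. Anything the policy would reject is filtered out
    before it costs a hash computation."""
    for word in words:
        base = word.capitalize()  # people capitalise the first letter
        for digit in string.digits:
            for sym in SYMBOLS:
                for cand in (base + digit + sym, base + sym + digit):
                    if complies(cand):
                        yield cand


def crack(target_hashes: Set[str], words: Iterable[str]) -> Dict[str, str]:
    """Return {hash: password} for every target hash hit by a shaped candidate."""
    found: Dict[str, str] = {}
    for cand in policy_shaped_candidates(words):
        h = sha256_hex(cand)
        if h in target_hashes:
            found[h] = cand
    return found


def full_keyspace(length: int) -> int:
    """All strings of the given length over the 95 printable ASCII characters."""
    return 95 ** length


def shaped_keyspace(word_count: int) -> int:
    """Candidates the shaped generator emits: one word x 10 digits x 8 symbols x 2 orders."""
    return word_count * len(string.digits) * len(SYMBOLS) * 2


if __name__ == "__main__":
    # Constructed sample: hashes of two passwords chosen the way the policy nudges people to.
    leaked = {sha256_hex(p) for p in ("Summer1!", "Welcome!9")}
    print(crack(leaked, ["summer", "welcome", "monkey", "cat"]))
    print(f"{shaped_keyspace(100_000):,} shaped candidates "
          f"vs {full_keyspace(8):,} eight-character strings")
```

Run it and both constructed hashes fall to the shaped generator, while "cat" never produces a candidate because every combination is shorter than eight characters and is dropped by the policy check. With a 100,000-word dictionary the shaped search is 16 million candidates against roughly 6.6 quadrillion nominal eight-character strings; the policy did not create that gap, the predictable way people satisfy it did.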
As for no longer requiring periodic password resets, Microsoft notes that it can be easy to guess a password from the one that was used before it. When required to change passwords periodically, users tend to apply a transformation to the old password so that the new one is easier to remember. These transformations include incrementing a number at the end of the password, or embedding the month and year and simply updating them at each reset.
The University of North Carolina at Chapel Hill actually has some interesting evidence to back this idea up. In a study, researchers were given access to about 10,000 accounts that were no longer in use (such as accounts belonging to former students). The researchers were supplied with hashes for the accounts’ previously used passwords, and in the span of several months had cracked a large percentage of those passwords.
The researchers then tried to guess the accounts' current passwords based on the previously used passwords. They were able to guess the current password within five guesses for 17% of the accounts. In those cases, knowing a user's previous passwords made it easy to guess their current password, which is exactly the outcome a forced reset is supposed to prevent.
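As an added example, not the UNC researchers' tool or anything from the article, here is a small guesser that applies the transformations described above to a previous password and checks a handful of guesses against the hash of the current one, most common transformation first. The transformation list, the symbol set, the five-guess budget and the sample passwords are all constructed for the demo, and unsalted SHA-256 stands in for the real hash format.

```python
import hashlib
import re
from typing import Iterator, Optional, Tuple

SYMBOLS = "!@#$%^&*"  # assumed symbol set for the demo


def sha256_hex(pw: str) -> str:
    # Unsalted SHA-256 stands in for whatever format the real hashes are in.
    return hashlib.sha256(pw.encode()).hexdigest()


def candidates(old: str) -> Iterator[str]:
    """Yield likely successors of `old`, most common transformation first.
    The old password itself and duplicates are skipped."""
    seen = {old}

    def unique(cands):
        for c in cands:
            if c not in seen:
                seen.add(c)
                yield c

    # 1. Bump a trailing counter, keeping its width: Welcome01 -> Welcome02, Welcome03
    m = re.search(r"(\d+)$", old)
    if m:
        width = len(m.group(1))
        for step in (1, 2):
            yield from unique([old[:m.start()] + str(int(m.group(1)) + step).zfill(width)])
    # 2. Same, when the counter sits in front of a final symbol: Summer1! -> Summer2!
    m = re.search(r"(\d+)([^\w\s])$", old)
    if m:
        width = len(m.group(1))
        yield from unique([old[:m.start()] + str(int(m.group(1)) + 1).zfill(width) + m.group(2)])
    # 3. Advance an embedded MMYY or YYYY date: Secure0324 -> Secure0424, Pass2023 -> Pass2024
    for dm in re.finditer(r"(?<!\d)(0[1-9]|1[0-2])(\d{2})(?!\d)", old):
        month, year = int(dm.group(1)), int(dm.group(2))
        month, year = (1, (year + 1) % 100) if month == 12 else (month + 1, year)
        yield from unique([old[:dm.start()] + f"{month:02d}{year:02d}" + old[dm.end():]])
    for ym in re.finditer(r"(?<!\d)(19|20)\d{2}(?!\d)", old):
        yield from unique([old[:ym.start()] + str(int(ym.group(0)) + 1) + old[ym.end():]])
    # 4. Swap the trailing symbol, or append a counter to a password that had none
    if old and old[-1] in SYMBOLS:
        yield from unique([old[:-1] + s for s in SYMBOLS])
    yield from unique([old + "1", old + "!", old + "1!"])


def guess_within(old: str, target_hash: str, limit: int = 5) -> Optional[Tuple[str, int]]:
    """Try at most `limit` transformed guesses; return (password, attempt number) on a hit."""
    for attempt, cand in enumerate(candidates(old), start=1):
        if attempt > limit:
            break
        if sha256_hex(cand) == target_hash:
            return cand, attempt
    return None


if __name__ == "__main__":
    # Constructed (old, new) pairs of the kind the text describes.
    for old, new in (("Welcome01", "Welcome02"),
                     ("Secure0324!", "Secure0424!"),
                     ("Pass2023", "Pass2024"),
                     ("Welcome01", "correct horse battery")):
        print(old, "->", guess_within(old, sha256_hex(new)))
```

The last pair is the control: a genuinely new password is not reached within the budget, which is the behaviour a reset policy assumes for everyone and the study found for only a minority. In practice the interesting number for a defender is not whether the guesser works but how many of a population's reset pairs it hits; the same function run over a corpus of old/new hash pairs gives that figure directly.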
It seems inevitable that passwords will eventually be replaced by biometric and other multi-factor authentication technologies. For right now, though, it is important to take human nature into consideration when formulating password policies rather than simply accepting the status quo that has been in place for decades.