Are Complex Passwords Really Necessary?

By balaji

August 6, 2006

Why it's silly to enforce passwords like "2@$Rw0rd~" in web applications.

Insist on complex passwords in your Windows LAN, but not in your web applications. In this issue we put complex passwords in perspective. We first discuss how they enhance the security of Windows LANs, and then show why they are less relevant for web apps.


What are Complex Passwords

Complex passwords are the easy-to-forget passwords that contain special characters such as $, #, @ etc. Applications sometimes demand that the password be complex.

What are Weak Passwords

Easily guessable passwords, such as your name, the names of your close relatives, a blank password, or "test123", are called Weak Passwords. An informed attacker might be able to guess them.

Are Complex Passwords the opposite of Weak Passwords?

No, not at all. While complex passwords are indeed difficult to guess, so are a range of passwords that do not have any special characters in them. E.g., "TheBeautifulLife" is neither complex nor weak.

The Need for Complex Passwords in Windows LANs

There are many ways to steal Windows domain passwords. The simplest is to sniff it off the wire and use a tool like John the Ripper or L0phtCrack to guess it. The password that travels on the wire is salted and hashed, so tools like John try millions of different combinations to get a match. The time it takes to guess the password by this "brute force approach" depends on the number of permutations to try. Shorter, simpler passwords get cracked faster - in a few minutes - while longer, complex passwords take hours and sometimes days. Enforcing longer and more complex passwords thus improves security.

There is a second, closely related attack that is also thwarted by complex passwords. Instead of sniffing the hashes off the wire, an adversary who gains administrative access to the server could dump the password hashes and then crack them offline. Again, simpler, shorter passwords require fewer permutations to guess. Complex passwords again improve security.

And why that's less relevant for Web Applications

If the threats affecting web applications were identical, it would make sense to re-use the complex-password strategy. But they aren't.

First, let's look at the broad range of techniques used by attackers to bypass authentication, and see if password complexity really helps defend against them. After that we'll dig deeper into the areas where complexity does help.

#   Techniques to bypass authentication    Are complex passwords a defense?
1   Steal passwords                        Sometimes
2   SQL injection                          No
3   Cross-site scripting                   No
4   Privilege escalation                   No
5   Steal data from browser cache          No

The above list is probably not exhaustive, but it shows the pattern. Passwords are not the only means of bypassing authentication. There are several other popular techniques, and password complexity plays no role in defending against them.

What about "Steal Passwords"? Surely complex passwords should be a great help there. Let's look at the evidence. Here are 10 ways to steal web application passwords, and whether complex passwords are a credible defense against each. Note that SSL encryption (unlike the hashing scheme used for Windows passwords) protects against the sniffing and brute-force guessing that Windows LAN passwords are vulnerable to.

#    Techniques to steal passwords         Are complex passwords a defense?
1    Remote brute force guessing           Yes
2    Intelligent guessing                  Yes
3    Crack database locally                Yes
4    Phishing                              No
5    Sniffing                              No
6    Social engineering                    No
7    Keystroke logger                      No
8    From browser memory                   No
9    From browser history                  No
10   From browser refresh                  No

Complex passwords thwart three out of the 10 techniques. Never mind that the three are not exactly the "popular" attacks like phishing or keystroke loggers. If complex passwords are the best defense against those three attacks, they are still worth investing in.

Turns out they aren't.

There are other defenses against these three attacks that are at least as effective as complex passwords. Let's look at each one in turn.

Defend against remote brute force guessing

Tools like Brutus can automate remote password guessing, trying thousands of passwords in an hour. If attackers spend days on it, they could conceivably crack a few passwords. But you can stop automated tools in several ways: account lockout after 5 failed attempts, and throttling logins from an IP address after 5 failed logins, are two common approaches. Our favorite is to require a CAPTCHA after 3 or 4 failed login attempts. While there is a race on to defeat CAPTCHAs, they still make it unattractive to brute-force passwords remotely.
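The login-form policy described above, as an added example that is not part of the original article: failures are counted per account and per source IP, a CAPTCHA is demanded (rather than a lockout) after 3 failures on an account, and an IP is throttled after 5. The 15-minute counting window and the in-memory store are assumptions; the article gives neither.

```python
import time
from collections import defaultdict

# Thresholds from the article: CAPTCHA after 3 failures on an account,
# throttle an IP after 5 failures. The window length is an assumption.
CAPTCHA_AFTER = 3
IP_THROTTLE_AFTER = 5
WINDOW_SECONDS = 15 * 60


class LoginGuard:
    """Tracks failed logins per account and per IP (in memory here; a real
    deployment would keep these counters in a shared store)."""

    def __init__(self, now=time.time):
        self.now = now  # injectable clock so the behaviour can be tested
        self.failures_by_account = defaultdict(list)
        self.failures_by_ip = defaultdict(list)

    def _recent(self, stamps):
        # Drop timestamps older than the window, return how many remain.
        cutoff = self.now() - WINDOW_SECONDS
        stamps[:] = [t for t in stamps if t >= cutoff]
        return len(stamps)

    def decide(self, username, ip):
        """What the login form should do before checking the password:
        'allow', 'captcha' (show a CAPTCHA, never lock the account) or
        'throttle' (refuse or slow down this IP for now)."""
        if self._recent(self.failures_by_ip[ip]) >= IP_THROTTLE_AFTER:
            return "throttle"
        if self._recent(self.failures_by_account[username]) >= CAPTCHA_AFTER:
            return "captcha"
        return "allow"

    def record_failure(self, username, ip):
        t = self.now()
        self.failures_by_account[username].append(t)
        self.failures_by_ip[ip].append(t)

    def record_success(self, username):
        # A correct login (with CAPTCHA if required) clears the account
        # counter; the IP counter is kept so one address cannot interleave
        # a valid login with guesses against other accounts.
        self.failures_by_account.pop(username, None)
```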

Defend against intelligent guessing

Intelligent guessing is when an attacker uses a very short, targeted list of passwords to guess the password manually. Names of close relatives, a blank password, "test123" and "bob" are weak passwords that might be guessable. It's tempting to dismiss this attack as unlikely today, but in the absence of solid data it's wiser to err on the side of caution and protect against intelligent guessing. The simplest solution is a blacklist of weak passwords: refuse to let users choose them, and educate users against weak passwords.

Defend against cracking the password database

Remember the second attack on Windows passwords? The adversary dumps the password database and cracks it open with a tool like John. The password database can be the weak link, especially because database administrators usually have access to it. The solution is to store passwords salted and hashed, with user-specific salts that defeat attacks like Rainbow Cracking (http://palisade.plynt.com/issues/2006Feb/rainbow-tables/). The longer the passwords, the more time it takes to crack them.
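Both defenses just described (the weak-password blacklist and salted, hashed storage with a per-user salt) in one added example that is not part of the original article. The blacklist holds only the weak passwords the article names, the 12-character minimum stands in for the article's "longer passwords" advice, and PBKDF2-HMAC-SHA256 with 100,000 iterations is a modern choice of slow hash; all three are assumptions.

```python
import hashlib
import hmac
import os

# Weak passwords named in the article; a real blacklist would be far longer.
WEAK_PASSWORDS = {"", "test123", "bob"}
MIN_LENGTH = 12        # assumption: prefer length over special characters
ITERATIONS = 100_000   # assumption: PBKDF2 work factor


def check_policy(username, password):
    """Return None if the password is acceptable, else the reason it is not.
    Length and a blacklist replace the usual complexity rules."""
    if password in WEAK_PASSWORDS or password.lower() == username.lower():
        return "password is on the weak-password list"
    if len(password) < MIN_LENGTH:
        return f"password must be at least {MIN_LENGTH} characters"
    return None


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def store_password(db, username, password):
    """Store (salt, hash) for the user; db is a dict standing in for a table."""
    reason = check_policy(username, password)
    if reason:
        raise ValueError(reason)
    salt = os.urandom(16)  # fresh random salt per user, stored beside the hash
    db[username] = (salt, hash_password(password, salt))


def verify_password(db, username, password):
    if username not in db:
        # Hash anyway so an unknown user takes as long as a known one.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = db[username]
    return hmac.compare_digest(stored, hash_password(password, salt))
```

Because each user has their own salt, two users with the same password get different stored hashes, so a table precomputed for one hash function is useless against the whole database.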

#   Attacks that complex passwords defend against   Is there a better defense?   What's better?
1   Remote brute force guessing                     Yes                          CAPTCHAs
2   Intelligent guessing                            Yes                          Refuse obvious passwords
3   Crack database locally                          Yes                          Salted hashes with user-specific salts

To summarize, while complex passwords defend against these attacks, so do other methods that inconvenience the user less. Complex passwords contribute far less to the security of web applications than they do in your Windows network. Insisting that web users choose complex passwords can be counterproductive if they resort to writing down the difficult-to-remember password.

If Not Complex Passwords, then What Else?

Here are some good practices we recommend to make life easier for your users and enhance security at the same time.

  1. When users log in, display the time and location of their three previous logins.
  2. Go ahead and show them their last 3 transactions too; they will remember better.
  3. Place a prominent link to let users report suspicious transactions.
  4. Educate your users on how to select good passwords. Longer passwords that they can remember easily are better than complex passwords they might write down.
  5. Use a CAPTCHA when a login attempt fails; don't lock anybody out!
  6. Monitor the application for suspicious logins, e.g. a large volume of logins from the same IP address.
  7. If your site accepts sensitive data, warn users not to trade from publicly shared computers.

