So you think your company's passwords are strong? Can you prove it?
Frank Jaffe, CSO of Portland, Maine-based electronic payment provider Clareon, can. He tests the strength of his employees' passwords every month. If an end user's password is cracked in less than five minutes, they join the "Five Minute Club," and Jaffe meets with them to explain why the passwords were cracked so easily.
"Passwords are the most visible sign of security to users," Jaffe said. "Setting passwords is an opportunity to remind them of the part they play in security."
If an employee is in the club three times, Jaffe then chooses the password. "They know they won't like the password I assign them," he said.
When Jaffe started testing, he was able to break all user passwords after a week or two of testing. Just recently, less than 5% of passwords could be cracked in the first two days of testing.
Trying to crack employee passwords is just one step in crafting a password policy with some bite. User education is another important piece of the puzzle. They need to know that their password choices affect the security of the company.
In a nutshell, complexity and length affect the strength of passwords. Complexity means the password contains a mixture of letters, symbols and numbers. In other words, it's not something like "password" or "username."
Complexity guards against the most basic kind of password cracking, namely a dictionary attack. As its name suggests, such an attack involves trying a host of words from a list. Attackers don't manually try all the candidates but have tools that do so automatically. Generally, passwords shouldn't contain any words with more than three letters, in addition to including symbols and numbers, Jaffe said.
The length of passwords comes into play during brute force attacks, which attackers could employ if a dictionary attack fails. In essence, such an attack is like trying to open a lock whose combination you forgot: you try every combination until you find the right one. Again, this is done with an automated tool, and it can take weeks or months to complete.
Using just letters and numbers gives only 36 characters to form combinations from, but adding symbols brings that figure to over 70.
So it follows that the longer the password, the more combinations there are to try. Passwords should be at least seven characters, said Chris Wysopal, director of research and development for Cambridge, Mass.-based consulting company @Stake.
There are also technical ways to enforce password policy. Windows 2000, for example, has a feature that requires more complex passwords. To be accepted, a password must include three of the following: upper-case letters, lower-case letters, numbers and symbols. Users can still create fairly weak passwords with this system, but it's better than nothing, Wysopal said.
@Stake has a tool, LC4, that can be used to test passwords. It first tries a simple dictionary attack by trying whole words. "There are only tens of thousands of choices so using a whole word is really horrible [from a security perspective]," Wysopal said.
LC4 then tries a hybrid dictionary attack where it adds numbers to the end of whole words and tries different upper- and lower-case letter combinations. If this attack fails, it launches into a full brute force attack where all combinations are tried, which can take from days to months to complete, Wysopal said.
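The policy rules described above (minimum length of seven, the Windows 2000 "three of four character classes" rule, no embedded dictionary words longer than three letters, and the 36-versus-70-plus keyspace arithmetic) and the stages an auditing tool such as LC4 works through (whole word, word plus trailing digits, then exhaustive search) can be turned into a defender-side pre-check that rejects a password before it ever reaches the "Five Minute Club." The following Python is an added example for this article; it is not LC4, not Clareon's or @Stake's code, and it assumes a constructed six-word stand-in for a real wordlist and a guessing rate that is purely illustrative.

```python
import math
import string

# Constructed stand-in for a real dictionary wordlist (assumption: a real
# deployment would load a full wordlist file here).
WORDLIST = {"password", "username", "summer", "dragon", "welcome", "letmein"}

MIN_LENGTH = 7  # the minimum length recommended in the article

# Character classes as the Windows 2000 complexity rule counts them.
CLASSES = {
    "upper": set(string.ascii_uppercase),   # 26
    "lower": set(string.ascii_lowercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32 printable ASCII symbols
}


def classes_present(pw):
    """Names of the character classes that actually occur in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}


def meets_windows_complexity(pw):
    """Windows 2000 rule from the article: at least three of the four classes."""
    return len(classes_present(pw)) >= 3


def alphabet_size(pw):
    """Size of the smallest alphabet an attacker must search to cover pw.
    Lower-case letters plus digits gives 36, the figure quoted in the article;
    adding symbols pushes it well past 70."""
    return sum(len(CLASSES[name]) for name in classes_present(pw))


def brute_force_combinations(pw):
    """Total guesses needed to exhaust the keyspace pw lives in."""
    return alphabet_size(pw) ** len(pw)


def seconds_to_exhaust(pw, guesses_per_second):
    """Worst-case time for an exhaustive search at a given rate (the rate is
    the caller's assumption; the article gives none)."""
    return brute_force_combinations(pw) / guesses_per_second


def dictionary_hits(pw, wordlist=WORDLIST):
    """Words of more than three letters embedded anywhere in pw, matched
    case-insensitively. Because this is a substring test it also catches the
    hybrid pattern the article describes (a whole word with digits appended,
    e.g. 'Summer2002'), not only bare whole words."""
    lowered = pw.lower()
    return sorted(w for w in wordlist if len(w) > 3 and w in lowered)


def evaluate(pw, wordlist=WORDLIST):
    """Apply every rule and return a report; 'ok' is True only if all pass."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not meets_windows_complexity(pw):
        problems.append("fewer than three character classes")
    hits = dictionary_hits(pw, wordlist)
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))
    return {
        "password": pw,
        "length": len(pw),
        "classes": sorted(classes_present(pw)),
        "alphabet": alphabet_size(pw),
        "combinations": brute_force_combinations(pw),
        "problems": problems,
        "ok": not problems,
    }


if __name__ == "__main__":
    # Constructed sample passwords, from trivially weak to acceptable.
    for candidate in ["password", "Summer2002", "abc123", "Tq7#rLp2"]:
        report = evaluate(candidate)
        print(f"{candidate!r}: ok={report['ok']} alphabet={report['alphabet']} "
              f"combinations={report['combinations']:.2e} problems={report['problems']}")
```

The substring check is deliberately stricter than a whole-word match: a policy that only rejects exact dictionary words lets "Summer2002" through, which is precisely the candidate LC4's hybrid stage recovers next. The keyspace figures are worst-case counts, so they say how long an exhaustive search could take, not how quickly a guessable password actually falls.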
Yet an important part of any password policy is making sure the strength of the password matches the risk associated with someone being able to crack it. One extreme may be system passwords used by system administrators. The other end would be passwords for Web sites.
"You really don't need to worry about your password for The New York Times Web site much at all," he said.
Jaffe would like to see all passwords be able to withstand a one- or two-week brute force attack, but he specifically wants to prevent the truly easy ones; hence, the Five Minute Club. Often attackers move on to other potential victims when a dictionary attack fails because "they don't have the weeks or months needed for a brute force," he said.