The following text is copyright 2007 by Network World, permission is hearby given for reproduction, as long as attribution is given and this notice is included.
Passwords, for example, remember the humans in the loop
By: Scott Bradner
One of the biggest impediments to good security is people's understanding of what people can and can not do. I found one of the best examples of this the other day when I was asked to review a security plan presented by a potential vendor. Overall the plan was quite good but in a number of places they seemed to forget that humans were going to need to follow the rules. I'll use their password rules to make some points about the need to remember the limitations of the people in the loop when developing security rules.
At this company passwords have to be at least six characters long (they are working on a revision that will require 30 character passwords), must have a reasonable degree of complexity (they must include at least one non alphabetic character and not be simple words, names or digit strings) and must be changed every 90 days. Accounts are locked out after 3 failed attempts and must be reenabled by a system administrator.
The basic purpose of a password is to have a piece of information that, in theory, is only known by the legitimate user of a particular account. For this to work, passwords should be memorized -- not written down where others can find them. Humans have a hard time memorizing nonsense so passwords should make some kind of sense to the user to facilitate memorization. But passwords should not make so much sense that people who know you can guess them.
It is very hard for people to come up with hard to guess but easy to memorize 6 character passwords, especially when at least one of the characters cannot be a letter. Most security geeks suggest that the minimum reasonable length for passwords these days is 8 characters.
But it may be far worse to require very long passwords. Most normal users would be hard put to type a 30 character password reliably. So to ensure that they do not get locked out they will chose a easy to type password and type it very slowly - so slowly that it would be easy for someone to watch over their shoulder when the user is trying to login at Starbucks and find out this "high-security" access control.
The worst part of the password plan is automatic lockout after 3 failed attempts. Auto lockout is used to make password guessing attacks hard. If the password is at all well formed it will take a whole lot of guesses to break a password by brute force. (See http://www.microsoft.com/technet/community/columns/secmgmt/sm1004.mspx for some numbers) Having an auto lockout set to, lets say, 10 instead of 3 means that infinitesimally small additional chance that an attacker would guess the right password before being locked out. But from the user's point of view, a '3 tries and you're dead' rule means you must use the same password for all your applications because a simple mistake in which password to use hurts a lot. Requiring reset by a systems person provided little if any additional protection over an automatic reenable after 30 minutes and it pisses the heck out of the users. Finally requiring people to periodically come up with new passwords that they can memorize every 90 days makes life very hard for some users and does not solve many security problems. (See http://www.cerias.purdue.edu/weblogs/spaf/general/post-30/ for a good discussion of this by Gene Spafford.)
All in all, these rules would be great if a computer had to follow them but with people in the loop they will generally significantly reduce security rather than increase it.
disclaimer: Harvard does not comment on the record about vendor security plans so the above critique must be mine.