Friday, March 4, 2016

#empoexpiire In which the FTC and universities look at password expiration policies

On the same day that I wrote my most recent post on password expiration policies, someone named Lorrie Cranor wrote a post on the same topic.

Now are you going to listen to Lorrie Cranor, or are you going to listen to me? I mean, who is Lorrie Cranor?

She's just the Chief Technologist of the U.S. Federal Trade Commission.


There's no way that I can address all of the topics that Cranor raised, so I encourage you to read her entire post. Its title? "Time to rethink mandatory password changes."

At one point in her post, she describes the results of a University of North Carolina study that looked at password files and history for people who were required to change passwords regularly.

The researchers then developed password cracking approaches that formulated guesses based on the previous password selected by a user. They observed that users tended to create passwords that followed predictable patterns, called “transformations,” such as incrementing a number, changing a letter to similar-looking symbol (for example changing an S to a $), adding or deleting a special character (for example, going from three exclamation points at the end of a password to two), or switching the order of digits or special characters (for example moving the numbers to the beginning instead of the end)....

The researchers performed an experiment in which they used a subset of the passwords to train their cracking algorithm to apply the most likely transformations and then use it to crack the remaining passwords. The paper includes a lot of technical detail about what they did, but the bottom line results are striking. The UNC researchers found that for 17% of the accounts they studied, knowing a user’s previous password allowed them to guess their next password in fewer than 5 guesses. An attacker who knows the previous password and has access to the hashed password file (generally because they stole it) and can carry out an offline attack can guess the current password for 41% of accounts within 3 seconds per account (on a typical 2009 research computer). These results suggest that after a mandated password change, attackers who have previously learned a user’s password may be able to guess the user’s new password fairly easily.

Cranor further states:

There is also evidence from interview and survey suggest that users who know they will have to change their password do not choose strong passwords to begin with and are more likely to write their passwords down. In a study I worked on with colleagues and students at Carnegie Mellon University...we found that CMU students, faculty and staff who reported annoyance with the CMU password policy ended up choosing weaker passwords than those who did not report annoyance.

After reading Cranor's post (and there's a lot more there than what I cited), I only have one regret - I wish that she wasn't the chief technologist at the FTC, but at the government agency that I cited in my March 2 post.
blog comments powered by Disqus