2020 – X.0 security has not solved the password issue. The “LCR Policy” (for minimum Length, Complexity, and Regular Renewal), intuitive though it may be, persists despite findings that challenge it. Have we measured its effectiveness? Given the findings, what are the solutions? And most importantly, what are the behavioural factors that contribute to the status quo?
An inconvenient truth
What was the goal?
The LCR policy is consistently adopted in most of the larger companies. In fact, it is even backed by several French institutions: CERTA, CNIL, ANSSI “Change your passwords at a reasonable frequency. Every 90 days is reasonable for systems containing sensitive data”, ANS.
“A good password is above all a ‘strong’ password, meaning that it is difficult to crack even with automated tools”. It can possibly be defined by its strength: “The strength of a password depends on its length and the number of existing possibilities for each character in it.” This quote from ANSSI should be completed with: “and the unpredictability of the characters.”
But is this LCR policy effective? Does it encourage the choice of “strong” passwords?
We have “cracked” the passwords and password histories of 5,298 real users. Our results are comparable to those published in research papers.
- 5,298 accounts with at least 2 histories;
- 33,188 hashes in total;
- 88% of hashes cracked in less than 10 days.
| # | Identified password behaviours | % hashes cracked |
|---|---|---|
| 1 | Begins with an upper-case letter: A | 58% |
| 3 | Upper case is followed by lower case: Aaaa… | 48% |
| 4 | Ends with 1, 2, 3 or 4 digits | 72% |
| 5 | Meet criteria (1) and (2) and (3) | 33% |
According to the strength criteria, passwords and their patterns should not be predictable. The goal is not achieved.
How can this be explained?
There are two reasons why the user is not responsible:
- Tired of the inconsistencies that emerge in the absence of SSO (management of many passwords, unsynchronized changes, inappropriate timing…), the user will eventually choose passwords that are easy to remember and “compliant” with the LCR policy: “Internet2018” or “Judith2612”, for example.
- “The whole is not the sum of the parts”
When creating a password, the hints are a “sum of information” whose overall meaning has disappeared.
As long as the effectiveness of a security rule has not been evaluated, it is impossible to apply a continuous improvement approach to it.
Awareness will not solve the problem because the problem does not stem from a lack of understanding of the LCR policy.
If the cause of the problem is not limited to the understanding of the policy, then awareness alone will not make it more effective.
What are the solutions?
Freeing ourselves from passwords via multi-factor authentication would be a great step forward, but this mechanism is costly and cannot be applied in all situations (legacy or industrial IS, for instance).
As the disappearance of passwords does not seem to be on the horizon, the continuous improvement approach should lead to a radical change in the LCR policy:
- Disable regular change as it encourages simplification;
- Disable the complexity requirement to get out of the predictable “Aaaaaaa1234” structures;
- Activate Single Sign-On, to avoid “password fatigue” and with it a second incentive to simplify;
- Require an increased password length, as compensation for the suppression of the first two rules;
- Train employees on using a “passphrase”, to avoid “CorrectHorseBatteryStaple”;
- Make password managers available;
- Regularly crack internal password databases to detect “weak” passwords and induce people to change them using behavioural science.
Except for SSO, the cost of all these measures is reasonable. Considering the risks involved and the costs, how can we explain the continuation of LCR policies in companies?
From Intent to Action
Several behavioural factors reinforce the status quo:
- The influence of the regulator, the “halo effect”:
The LCR policy recommended by national institutions (ANSSI, CNIL…) has not evolved, and a CISO will “protect” himself by applying national directives.
- The “dilution of responsibility”:
We consider that a rule is applied correctly because it is defined by the CISO, implemented by the operational teams, communicated to users and imposed at the very least when the password is chosen. In other words, “everything is under control”, since each stakeholder has done their part.
Note: AD only checks criteria L and C, with no other controls (company name, incrementality, etc.).
- The status quo bias:
The LCR policy is already in place and we prefer to leave it in its original configuration, even when provided with new information.
- The “identity opinion” and the “sunk costs”:
We tend to see ourselves as embodying our decisions. In a way, to recant is like disagreeing with ourselves and the positions we have defended. The “psychological cost” of a change in trajectory seems to outweigh the associated benefit.
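The note above says that AD checks only L and C when a password is chosen, with no control on company name or incrementality, and the table earlier shows how common the “Aaaa…1234” structure is. The following Python check for the password-change step is an added example, not part of the original article: it applies the revised policy (length only, no complexity rule) plus those missing controls. The 14-character minimum, the banned term “ExampleCorp” and the function names are assumptions, and it assumes the previous password is available because the user types it in the change form.

```python
import re

# Assumed values, not from the article: minimum length and banned terms
# for a hypothetical organisation called "ExampleCorp".
MIN_LENGTH = 14
BANNED_TERMS = ("examplecorp",)

# Structure from the article's table: one upper-case letter, then
# lower-case letters, then 1 to 4 trailing digits ("Aaaa...1234").
PREDICTABLE = re.compile(r"^[A-Z][a-z]+[0-9]{1,4}$")
TRAILING_NUM = re.compile(r"^(.*?)([0-9]+)$")
# Undo a few common character substitutions before the banned-term search.
LEET = str.maketrans("013457@$", "oieastas")


def stem(password):
    """Lower-cased password without its trailing digits ('Summer07' -> 'summer')."""
    m = TRAILING_NUM.match(password)
    return (m.group(1) if m else password).lower()


def weak_reasons(candidate, previous=None, banned=BANNED_TERMS):
    """Return why a candidate is predictable; an empty list means accept."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append("too_short")
    if PREDICTABLE.match(candidate):
        reasons.append("predictable_structure")
    normalised = candidate.lower().translate(LEET)
    if any(term in normalised for term in banned):
        reasons.append("banned_term")
    # Incrementality: same stem as the old password, so only the trailing
    # counter or the letter case changed ('Internet2017' -> 'Internet2018').
    if previous is not None and stem(candidate) and stem(candidate) == stem(previous):
        reasons.append("incremental_change")
    return reasons


if __name__ == "__main__":
    # Constructed samples: (candidate, previous password typed in the change form).
    samples = [
        ("Internet2018", "Internet2017"),
        ("ExampleCorp2020!!", None),
        ("lantern river cobalt sixty", "Internet2018"),
    ]
    for candidate, previous in samples:
        print(f"{candidate!r}: {weak_reasons(candidate, previous) or 'accepted'}")
```

A long lower-case passphrase is accepted here even though it would fail the C criterion, while “Internet2018” is rejected on three counts even though it passes both L and C.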
Has the LCR policy been defended for so long that it cannot be questioned any more?
By placing the problem “between the chair and the screen”, the computer security staff is cleared of its responsibility too quickly.
The LCR policy is not adapted to the way our brain works. Indeed, it is intuitive but based on incomplete information. The data presented invites us to reevaluate our opinion, following the example of other institutions: FBI, GCHQ, NIST.
Changing the password policy means taking into account this updated information and implementing the continuous improvement approach.
(by Gilles Favier)
|1||CERTA – Information Note – Passwords – CERTA-2005-INF-001|
|2||The CNIL’s Guide – 2010 – https://services-numeriques.unistra.fr/fileadmin/upload/Services_numeriques/Documents/DI/CIL/CNIL-guide-securite.mht.pdf|
|3||ANSSI – 01/09/2019 – https://www.ssi.gouv.fr/guide/mot-de-passe/ & https://www.ssi.gouv.fr/uploads/IMG/pdf/NP_MDP_NoteTech.pdf|
|4||Autorité Nationale de Santé [French Health Authority] – https://esante.gouv.fr/sites/default/files/media_entity/documents/2019-11-20_Dossier_Information_Campagne_Cybersecurite.pdf|
|5||Lorrie Cranor – CMU – Measuring password guessability for an entire university – https://doi.org/10.1145/2508859.2516726|
|6||Yinqian Zhang et al. – The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis – https://www.cs.unc.edu/~reiter/papers/2010/CCS.pdf|
|7||Report: Authentication Diary, Study – http://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7983.pdf|
|8||Lorrie Cranor – CMU – Do Users’ Perceptions of Password Security Match Reality? – https://www.archive.ece.cmu.edu/~lbauer/papers/2016/chi2016-pwd-perceptions.pdf|
|10||XKCD – Password Strength – https://xkcd.com/936/|
|12||FBI Tech Tuesday: Building a Digital Defense with Passwords – https://www.fbi.gov/contact-us/field-offices/portland/news/press-releases/oregon-fbi-tech-tuesday-building-a-digital-defense-with-passwords|
|13||GCHQ – 2015 – Password Guidance – https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/458857/Password_guidance_-_simplifying_your_approach.pdf|
|14||NIST – 2017 – https://pages.nist.gov/800-63-3/sp800-63b.html#memsecret|