Tuesday, October 19, 2010

Policy Madness

There are a lot of policies, requirements, etc., out there that come from "Best Practices" and Good Ideas™. In my line of work, where I run into this a lot is with security policies.

Best practices indicate that longer passwords are better. After all, guessing a password of length N requires X guesses, but guessing a password of length N+1 requires exponentially more. So, from a mathematical basis, there's merit to this best practice.

Best practices also indicate that passwords should be changed frequently. After all, given sufficient time, any password of any arbitrary length can be guessed. If you know how fast guesses can be made and the total guessable set size, you have a strong, mathematical basis for setting a password change interval.

Unfortunately, day by day, computers get to be much, much faster. This means that, day by day, an automated attack can be conducted much, much faster. To combat this, you can up the password length and/or complexity requirements or shorten your password lifetimes.
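As an added illustration (not part of the original post) of the arithmetic behind the two practices above: the functions below turn a character-set size, a password length and an assumed guess rate into an exhaustive-search time, a defensible change interval, and the extra length needed to offset faster attack hardware. The 94-symbol character set and the 10^9 guesses-per-second rate used in the demo are constructed assumptions, not figures from the post.

```python
# Added example: the arithmetic behind "longer passwords" and "change interval".
# All numbers in the demo are constructed assumptions for illustration.

SECONDS_PER_DAY = 86_400


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return charset_size ** length


def exhaustive_days(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Days an attacker needs to try every password at the given guess rate."""
    return keyspace(charset_size, length) / guesses_per_second / SECONDS_PER_DAY


def max_lifetime_days(charset_size: int, length: int, guesses_per_second: float,
                      fraction: float = 0.5) -> float:
    """Longest change interval such that, within one interval, the attacker can
    cover at most `fraction` of the keyspace (so the chance the current password
    lies in the searched region stays at or below `fraction`)."""
    return fraction * exhaustive_days(charset_size, length, guesses_per_second)


def length_for_lifetime(charset_size: int, lifetime_days: float,
                        guesses_per_second: float, fraction: float = 0.5) -> int:
    """Smallest length whose max_lifetime_days reaches `lifetime_days`."""
    length = 1
    while max_lifetime_days(charset_size, length, guesses_per_second, fraction) < lifetime_days:
        length += 1
    return length


def extra_length_for_speedup(charset_size: int, speedup: float) -> int:
    """Extra characters that offset an attacker who is `speedup` times faster:
    each added character multiplies the keyspace by `charset_size`."""
    extra = 0
    while charset_size ** extra < speedup:
        extra += 1
    return extra


if __name__ == "__main__":
    charset, rate = 94, 1e9  # assumed: printable ASCII, 1 billion guesses/s
    for n in (8, 9):
        print(f"length {n}: full search {exhaustive_days(charset, n, rate):.1f} days, "
              f"change every {max_lifetime_days(charset, n, rate):.1f} days")
    print("offset a 1024x faster attacker with",
          extra_length_for_speedup(charset, 1024), "extra characters")
```

Running the demo shows how lopsided the two levers are: at the assumed rate an eight-character password supports a change interval of about 35 days, while a ninth character stretches it to roughly 18 years.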

And, that's all great from a "Best Practices" standpoint. Unfortunately, "Best Practices" generally only consider things like machines, not humans. Humans are in no way uniform. So, it's hard to set the kind of mathematical constant that makes it easy to formulate a "Best Practice". Thus, the human component is generally left out of the equation.

Sadly, this means you end up with security "Best Practices" that fail to figure in the fact that humans' memories for long, complex strings tend to be lacking. They fail to factor in that humans like to cheat or otherwise use crutches or mechanisms to assist them with a task. So, yeah, you can say, "Best Practices require that you set a fifteen-character, multi-character-class string as your password and that it be changed every thirty days." But, when you do so, you ignore the human component. You ignore that most people either can't remember such strings unaided or that, if they can, it will take them time to do so. That leaves cheating. And, if your attacker knows the types of cheats used by the humans your policies govern, they can exploit those cheats.

For myself, I find that I can usually come up with a mnemonic or other "cheat" that helps me remember things. Unfortunately, it frequently takes me several days to come up with that cheat. Oftentimes, by the time I've really started to remember my password, it's time to generate a new one.

Unfortunately for the security types, most people have to resort to more exploitable cheats. And then... You're as bad off or worse by enforcing "Best Practices". Sometimes, you have to find a better "Best Practice" - one that factors in more of the limitations (particularly the human limitations).
