
Password Policy Formulation
Key Considerations and Challenges



Contents
1 Why organisations establish password policies
2 The influence of policy on password practices
3 Password policy decisions are multi-faceted
4 The bottom line findings



1 Why organisations establish password policies
For many organisations, passwords are the primary defence against unauthorised access to key systems and data, and are here to stay for the foreseeable future.
The password, the fundamental method of protecting access to computers and networks, is still in use as the primary authentication credential for most systems today. Password policies are necessary to protect the confidentiality of information and the integrity of systems by keeping unauthorised users out of these computer systems. Password policies, however, also introduce their own set of risks, namely user confusion, system denial-of-service issues and user education problems. For this reason, careful consideration should be given to formulating these policies, taking into account the design, user base and information risk appetite of the organisation.

2 The influence of policy on password practices
Whilst users are aware of the need for strong passwords, this need is balanced against the usability and productivity impacts of entering and recalling long, complex passwords.
According to a 2010 study on the implications of password policies [1], insecure passwords are not the result of user carelessness, but rather of inadequate policies that force users to adopt behaviours such as writing passwords down in order to comply, rather than helping them select secure passwords. In a study performed by Carnegie Mellon University [2], less than 18% of users were able to select a password that complied with strict password policies the first time around.
In addition to the security concerns of policy decisions, the same 2010 study found that forcing users to comply with policies which address the maximum theoretical risk carries a huge cost, not only in monetary terms but also in terms of the most valuable resource any organisation has - the goodwill of its members.
However, mandated policies are necessary, as users cannot be relied upon to select and manage their passwords securely without some form of enforced control. A study published in the Journal of Management Information [3] found no immediate correlation between users' choice of password strength and the sensitivity of the systems those passwords are meant to protect. The Ponemon Institute's 2012 report shows that only 29% of users would use passwords if they were not forced to.


[1] Inglesant & Sasse, Dept of Computer Science, University College London, 2010
[2] Komanduri, Shay et al., Of Passwords and People: Measuring the Effect of Password-Composition Policies, Carnegie Mellon University, 2011
[3] Zviran and Haga, Password Security: An Empirical Study, 1999
Poor password practices account for 20% of the risky practices of employees, according to the Ponemon Institute's 2012 study. 55% of users write their passwords down, and 76% of users never change their passwords.


3 Password policy decisions are multi-faceted
Pragmatic, risk-adjusted policy enables users to adopt secure passwords that they can remember.
Standard passwords shorter than 12 characters can now be easily broken [4] with a PC and a graphics processor. Alternative approaches are therefore needed for the selection of stronger passwords. It is now widely agreed [5,6] that mnemonic techniques are the most effective way for users to formulate strong passwords that are also memorable. For example, the phrase "you're just another brick in the wall" could yield the password "yjabitw", which, further tweaked using character substitution, yields "yj@B!tW".
While the National Institute of Standards and Technology (NIST) states that the probability of success of an on-line password guessing attack should not exceed 1 in 16,384 (i.e. 14 bits of entropy), passphrases that comprise more than 2 unlinked words can provide up to 20 bits of entropy [7], and mnemonics of only 6 characters can provide a full 24 bits of entropy and are 63% less likely to be cracked [8].
Figure 1: Relative entropy of passwords [5]

"Length is a major factor in protecting against brute-forcing a password, and every time you add another character, your protection goes up exponentially, by 95 times. But adding numbers, symbols and uppercase characters further significantly increases the time needed to decipher a password," says Georgia Tech Research Institute's Joshua L. Davis [6].
A recent study by Gartner [5] used empirical testing and standard distributions to calculate the most effective password length and complexity requirements that would yield strong passwords with sufficient entropy that were also memorable. The following table summarises the results:

Selection technique   | Entropy per character (bits) | Low Risk User [9] | High Risk User [9]
Randomly generated    | Very High (6.5)              | 4                 | 7
Complex mnemonic      | High (5.7)                   | 5                 | 8
Strong chosen string  | Medium (4.3)                 | 6                 | 10
Weak chosen string    | Low (2.5)                    | 10                | 18
Figure 2: Minimum password length based on complexity (entropy) of selection technique

Selecting these lengths as your policy would yield at least 1 year's protection from online guessing attacks [10]. Passwords beyond these lengths were found to be counter-productive unless written down. However, frequently used passwords have a higher tolerance for more complexity [11].


[4] Using NVidia CUDA GPU arrays, attacking offline password databases and hashes
[5] A. Allen, Passwords Are Near the Breaking Point, Gartner, 2004
[6] The Power of Graphics Processing Units May Threaten Password Security, Georgia Tech Research Institute, 2010
[7] Bonneau & Shutova, Linguistic properties of multi-word passphrases, University of Cambridge, 2012
[8] Kuo, Romanosky & Cranor, Human selection of mnemonic phrase-based passwords, Carnegie Mellon University, 2006
[9] Low risk users have 25 bits of entropy and high risk users have 46 bits of entropy.
Given the choice, users tend to avoid non-alphanumeric symbols, as passwords which contain such symbols are significantly harder to recall, according to Microsoft Research.
Figure 1 (plot): Entropy (bits) against Length (characters), 5 to 15, for Weak, Strong, Mnemonic and Random selection techniques.


With respect to password change behaviour, one should again reference the Inglesant & Sasse study [1], which found that users rarely change passwords unless forced to do so: less than 7% of users changed their passwords voluntarily, and of those, 50% did so because they had forgotten their initial password. For this reason, password change intervals should be set based on the risk of exposure to guessing attacks and the sensitivity of the data and systems they restrict access to.
Enforcing stronger passwords increases the entropy over the lifetime of the password and, as a result, allows for less frequent changes. However, when setting change interval conditions within password policy, one must consider that strong passwords offer no protection against phishing or key-logging attacks, or against the breach of unsalted password hashes (such as Active Directory password databases). For this reason, password change intervals must be considered together with compensating controls such as account lockout.
Forced changes can, however, also introduce their own risk. For example, a forced change may cause the user to just add a counter to the end of their existing password, which in fact decreases the entropy of the password. The value of password changes is further questioned in a study performed by the University of North Carolina [12], which found that, given a successful offline crack of a previous password or knowledge of the previous password, 17% of new passwords can be guessed within the first 5 attempts.
Assuming a normal distribution again, the following graph shows an approximation of the diminishing return of enforced password changes, based on the lifespan of the user account and the time an attacker may have to guess or crack the password. This assumes, however, that usernames are not predictable. In environments where the username is predictable from a numeric or standard alphanumeric formula, the probability of brute-force attacks is increased, and as a result change intervals may need to be shortened.
Figure 3: Probability of compromise over time
Including time-limiting methods (throttling, lockout and CAPTCHA) systematically reduces the effectiveness of straight brute-force attacks, allowing for extended change intervals. Systems that notify the user of attempts to access their account and of the last login date should also be implemented as a means to balance the risk of extended change intervals.
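To make the trade-off between entropy, lockout and change interval concrete, the following added example (not code from this paper) computes the on-line guessing success probability under a 5-attempt, 8-hour lockout against the NIST 1-in-16,384 bound quoted above, and the probability over an account's life with and without forced changes. The attacker model (one burst of attempts per lockout period) and the independence of password periods are assumptions made for the example.

```python
import math

# NIST bound quoted on the page: success of an on-line guessing attack must
# not exceed 1 in 16,384 (14 bits) over the life of the password.
NIST_MAX_SUCCESS = 1.0 / 16384

def online_guess_budget(days, attempts_before_lock=5, lockout_hours=8.0):
    """Upper bound on on-line guesses against one account over `days`.
    Simplified attacker model (an assumption, not from the page): spend
    `attempts_before_lock` failures, wait out the lockout, repeat."""
    bursts = days * 24.0 / lockout_hours
    return math.floor(bursts * attempts_before_lock)

def compromise_probability(entropy_bits, guesses):
    """Chance that `guesses` distinct guesses hit a password drawn uniformly
    from a space of 2**entropy_bits (capped at certainty)."""
    return min(1.0, guesses / 2.0 ** entropy_bits)

def meets_nist_bound(entropy_bits, lifetime_days, attempts_before_lock=5,
                     lockout_hours=8.0):
    """True when a password kept for `lifetime_days` under this lockout policy
    stays within the 1-in-16,384 bound."""
    guesses = online_guess_budget(lifetime_days, attempts_before_lock, lockout_hours)
    return compromise_probability(entropy_bits, guesses) <= NIST_MAX_SUCCESS

def max_change_interval_days(entropy_bits, attempts_before_lock=5,
                             lockout_hours=8.0, max_success=NIST_MAX_SUCCESS):
    """Longest password lifetime (whole days) that keeps on-line guessing
    success at or below `max_success`; the lockout sets guesses per day."""
    guesses_per_day = (24.0 / lockout_hours) * attempts_before_lock
    allowed_guesses = max_success * 2.0 ** entropy_bits
    return math.floor(allowed_guesses / guesses_per_day)

def lifetime_compromise_probability(entropy_bits, account_days, change_days=None,
                                    attempts_before_lock=5, lockout_hours=8.0):
    """Compromise probability over the whole account life when the password is
    changed every `change_days` (None = never). A change discards the
    attacker's progress, so the periods are treated as independent."""
    if change_days is None or change_days >= account_days:
        budget = online_guess_budget(account_days, attempts_before_lock, lockout_hours)
        return compromise_probability(entropy_bits, budget)
    budget = online_guess_budget(change_days, attempts_before_lock, lockout_hours)
    per_period = compromise_probability(entropy_bits, budget)
    return 1.0 - (1.0 - per_period) ** (account_days / change_days)
```

Under this model a 25-bit password (the low-risk entropy in note [9]) stays within the NIST bound for 136 days, and changing it every 90 days over a year lowers the lifetime probability only marginally compared with never changing it, which is the diminishing return Figure 3 describes.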
Going even further, requiring a physically revocable second factor in the authentication chain negates the need for complex passwords and short change intervals. Such 2-factor systems should be considered for all high-risk accounts and systems.
Lastly, organisations should consider providing users with access to a secure password vault. These systems, now commonplace and available on mobile devices, allow for the selection and secure storage of very strong random passwords.


[10] Based on matched pairs of username (16 bit string) and password, with account lockout for 8 hours after 5 failed attempts.
[11] Florencio and Herley, Microsoft Research, 2007
[12] Zhang, Monrose & Reiter, The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis, University of North Carolina, 2010
Figure 3 (plot): Probability (%) of compromise against Time (months), 2 to 11, with change and without change.
If a password is used infrequently and is also forced to change, forcing this change makes users select easier-to-guess passwords, as they themselves will need to guess, says leading security expert Bruce Schneier.


4 The bottom line findings
The password as an authentication mechanism offers increasingly limited security, but the formulation and enforcement of appropriate policies can mitigate the risk it represents within organisations.
The research conducted in this paper, and the experience and knowledge gained by KPMG at its various clients in the Education, Communication and Technology, Energy, Retail and Financial Services sectors, suggest that password policies be formulated to provide a balance of security and usability as follows:
1. For normal users, enforce complexity and a minimum length requirement of 6 characters, and remove the requirement for frequent changes. However, inform the user of all unsuccessful login attempts on their account and allow them to change their password at will.
2. For high risk users, enforce a minimum length of 8 characters with complexity, and a 90 day change interval. In addition, provide these users with access to an approved password vaulting system.
3. Implement password lockout settings that lock accounts for at least 8 hours after 5 failed attempts within a 24 hour period.
4. Configure the complexity rules to perform a dictionary check (which alone raises the entropy of even a non-complex 8 character password by 6 bits [13]), and require an alphabetic, a numeric and a special character.
5. Consider 2-factor authentication technologies for all remote access, and control remote access traffic through firewalls to isolate high-risk systems from standard users. If 2-factor authentication is not implemented, double the password length requirement from 6 to 12 and halve the change interval from 90 to 45 days for all privileged users.
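As an added illustration (not KPMG's code), the following Python implements the lockout rule of recommendation 3 as a sliding 24-hour window and carries the count of failed attempts that recommendation 1 says the user should be told about on their next successful login. The event format, user names and timestamps are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_LIMIT = 5                      # failed attempts ...
FAIL_WINDOW = timedelta(hours=24)   # ... within this sliding window ...
LOCKOUT = timedelta(hours=8)        # ... lock the account for at least this long

class LockoutPolicy:
    """Per-user failed-login tracking for recommendation 3, plus the count of
    unsuccessful attempts to show the user on login (recommendation 1)."""
    def __init__(self):
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.locked_until = {}              # user -> when the lock expires
        self.unreported = defaultdict(int)  # user -> failures since last success

    def _prune(self, user, now):
        q = self.failures[user]             # forget failures outside the window
        while q and now - q[0] > FAIL_WINDOW:
            q.popleft()

    def attempt(self, user, now, password_ok):
        """Returns (decision, failures_to_report); decision is 'locked',
        'rejected' or 'accepted'; the count is non-zero only on 'accepted'."""
        if now < self.locked_until.get(user, now):
            # Refuse before evaluating the password, but still count the attempt
            self.unreported[user] += 1
            return "locked", 0
        self._prune(user, now)
        if not password_ok:
            self.failures[user].append(now)
            self.unreported[user] += 1
            if len(self.failures[user]) >= FAIL_LIMIT:
                self.locked_until[user] = now + LOCKOUT
                self.failures[user].clear()  # a fresh burst is needed after unlock
                return "locked", 0
            return "rejected", 0
        to_report, self.unreported[user] = self.unreported[user], 0
        self.failures[user].clear()
        return "accepted", to_report

def replay(policy, events):
    """events: iterable of (user, timestamp, password_ok); returns decisions."""
    return [policy.attempt(user, when, ok) for user, when, ok in events]

# Constructed sample events: a burst of failures then logins; and spread-out failures
T0 = datetime(2013, 1, 1, 9, 0)
SAMPLE_BURST = [("alice", T0 + timedelta(minutes=i), False) for i in range(5)] + [
    ("alice", T0 + timedelta(minutes=5), True), ("alice", T0 + timedelta(hours=9), True)]
SAMPLE_SPREAD = [("bob", T0 + timedelta(hours=h), False) for h in (0, 1, 2, 3, 25)]
```

Replaying SAMPLE_BURST shows the fifth failure locking the account, a correct password being refused during the 8-hour lock, and the later login being told of 6 unsuccessful attempts; SAMPLE_SPREAD shows that a failure 25 hours after the first does not count towards the limit.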

Whilst the efforts of companies such as Google to provide a ubiquitous and accessible authentication alternative are promising, the use of the password is certainly here to stay. For this reason, password policies rather than the passwords themselves will remain one of the primary security controls within organisations until the cost, distribution and usability challenges of more robust 2-factor systems are overcome.


[13] Burr, Dodson, and Polk, Electronic authentication guideline, National Institute of Standards and Technology, 2006




2013 KPMG Services (Proprietary) Limited, a South African company and a member firm
of the KPMG network of independent member firms affiliated with KPMG International
Cooperative (KPMG International), a Swiss entity. All rights reserved.
The information contained herein is of a general nature and is not intended to address the
circumstances of any particular individual or entity. Although we endeavour to provide
accurate and timely information, there can be no guarantee that such information is
accurate as of the date it is received or that it will continue to be accurate in the future. No
one should act on such information without appropriate professional advice after a thorough
examination of the particular situation.
The KPMG name, logo and cutting through complexity are registered trademarks or
trademarks of KPMG International Cooperative (KPMG International).
Contact us
Jason Gottschalk

T +27 82 719 1804
E jason.gottschalk@kpmg.co.za
OR
Robb Anderson

T +27 82 719 2413
E robb.anderson@kpmg.co.za
www.kpmg.co.za
