Passwords are among our most basic forms of security; the keys to the locks we use to secure our online world. So, it is understandably important that each of us are accountable for our actions and the management of passwords for our personal locks at school or work.
Email platforms and administrators also have a level of accountability when it comes to passwords and the security of their users. So, this post will take a look at password policies from a provider’s perspective, and why they are essential. We will explore the minimum password policy that atmail has set in our public cloud and explore the difference in passwords vs. passphrases. We will take a look at some of the mathematics behind passwords and how, despite our best efforts, we are vulnerable to the systems and machines we rely on and the simple fact that the human mind is not a machine.
atmail’s new password policy (atmail public cloud)
Starting on the 1st of February 2021 (AEST), our new default password policy in our atmail public cloud will be as follows:
- Minimum 10 characters
- Minimum one lower case character
- Minimum one upper case character
- Minimum one number
- Minimum one special (non-alphanumeric) character
- Maximum of three same characters in a row
Same as above, except:
- Minimum 14 characters
- Block the last 10 passwords from reuse
- No common words allowed
Note: These new default policies will not effect any domains or accounts that have defined their own policy already in effect and in force.
Now, let’s take a look at why we think this is a good start for minimum password security.
Password length (and complexity)
Password length is a pretty straightforward thing to begin wrapping our heads around.
If we were to take a password of six characters, which consisted of only lower case letters, there would be a total of 308,915,776 possible passwords. 26 possible letters for each of the six characters (26 x 26 x 26 x 26 x 26 x 26 = 266).
Before we get into complexity, let’s increase the number of characters to 10, atmail’s new default minimum password length for end users. Even if we stick with only lower case letters, the number of possible passwords jumps to 141,167,095,653,376. It would take the same computer 456,976 times as long to crack the 10-character password than the six-character password.
Now I use “guess” here loosely because a computer isn’t guessing anything. It is merely computing all of the possible passwords given the parameters you provide. Last year, the team that won the 2020 CrackMeIfYouCan password cracking competition at DefCon, @hashcat, tweeted that they had broken the 100GH/s mark on a single computing device. That is guessing one billion hashes per second (yes, 1,000,000,000)!
What does “hashed” mean? “When a password has been “hashed” it means it has been turned into a scrambled representation of itself. A user’s password is taken and – using a key known to the site – the hash value is derived from the combination of both the password and the key, using a set algorithm.”
This system would calculate the hashed value for the number of passwords for the six-character password in less than half a second. It would take the same system just over 39 hours to calculate all possible passwords for the 10-character password. In the real world, half a second versus two days isn’t much of a difference unless you’re changing your password every 24 hours. And if you were taking this level of precaution, it would be likely that you would be looking at different (and more complex) passwords altogether.
Password complexity is, well, complex. What do we mean by complexity? We mean adding variation to your password. For example, the examples above were all lower case letters. By adding upper case letters to your passwords, you are doubling the number of possible characters from 26 to 52, which is 64 times as many possibilities even on the six-character password. If we take the minimum requirements for the atmail public cloud of ten characters and require at least: one lower case letter; one upper case letter; one number; and one special character; and assuming we allow only the following special characters:
…we are now taking the number of possibilities from 141,167,095,653,376 to 53,861,511,409,489,970,000.
That same computer that calculated all of the possible password combinations for the 10-character (all lower case) password in 39 hours, would take 1,707 years to calculate all of the possible passwords for the minimum password requirements as we’ve defined for the atmail cloud.
This looks like a significant increase in your overall safety, and it is, but as we’ve said, password complexity is complex.
What you’re really up against
In the real world of password cracking, attackers have other tools at their disposal to help them speed things up. Not only do they have a complicated set of tools, but they know how to use them, and they are motivated. Your password has to withstand a constant barrage of brute force techniques and has to hold up 100 percent of the time. A threat actor only has to get it right one time to gain access to your system. Let’s briefly take a look at some of these techniques to illustrate our point.
Dictionaries and Rainbow Tables: A Rainbow Table is a pre-generated list of known password hashes. These lists save time using a list of precalculated values to compare to your password instead of generating the values.
They can save a considerable amount of time and are especially useful against common passwords.
Phishing: Phishing attacks are where someone is impersonating a person or company in an attempt to fool you into providing your sensitive and private information willingly. In 2019, 88 percent of all organisations around the world experienced spear phishing attacks.
Malware: Malware covers a vast range of software that is intended to harm your computer. Malware is often used to infect your computer, and either reports passwords found to whoever launched the attack, or it can sit on your computer and continue to harvest this information over time.
To make things worse, there are all other variations of these “tools” that threat actors would use to gain your password. Anything from the above examples, to merely looking over your shoulder at the café and watching you type your password. With all of these obstacles in the way, how can you help protect yourself and your company? Implement a strong password policy.
A password policy is a set of rules defined by you or your company to attempt to encourage the actual use of strong passwords to enhance your company’s overall security. Sometimes these are formal and sometimes informal.
Even if your organisation doesn’t include a formal policy, it is good to be aware of the best practices and know your users. This last part is crucial. Some companies will deploy a password vault (such as Keeper or LastPass) company-wide; others would forbid the use of them. Understanding what your users will tolerate and the kind of policy they will adhere to is critical to its efficacy.
Is a passphrase different from a password?
A passphrase is a password of sorts that uses a series of words strung together. It can include spaces (whitespace can be a valuable special character) and punctuation; the more random, the better.
Consider the example and instruction in the popular webcomic, XKCD:
The comic demonstrates that the random password that we might typically think is difficult for a computer to “guess” is more difficult for a human to remember and contains less entropy than four random common words. Now, this does assume a great deal about the average person’s ability to create anything random. It comes back to knowing your users and helping them avoid common pitfalls when choosing passphrases. While the password “correct horse battery staple” is relatively random, it is just as likely that a user would use something like “Jason facebook password 2021”. Similar in length and style, but not as random.
The difference being that anyone targeting me and trying to gain access to my Facebook password could programmatically weight their guesses with any of these words and potentially guess the password much more quickly.
The password versus passphrase discussion is not new, and several trusted sources are directing policymakers towards the same conclusion. Last year the FBI made a similar recommendation.
“Instead of using a short, complex password that is hard to remember, consider using a longer passphrase. This involves combining multiple words into a long string of at least 15 characters. The extra length of a passphrase makes it harder to crack while also making it easier for you to remember.
For example, a phrase such as ‘VoicesProtected2020WeAre’ is a strong passphrase. Even better is a passphrase that combines multiple unrelated words, such as ‘DirectorMonthLearnTruck.'”.
What should you do?
I am always reminded of the scene from the movie War Games, where Mathew Broderick’s character is breaking into the school’s computer system and says, “They change the password every week, but I know where they write it down…”
For me, this so clearly emphasises the point that password technology is an ongoing paradigm between security and convenience. The harder a password is for a human to remember, the more likely it is to be written down and the added security circumvented. The easier it is for a human to remember, often the less secure it is.
This is where knowing your users comes back into play. Understanding when it is appropriate to recommend using passphrase technology or when it might be better to implement a password vault for your organisation, all comes down to understanding how your users will adhere to the policy you’ve set forth.
Need more help with email security?
Do you have a specific need for your organisation’s password policy? Do you need advice or guidance on creating a password policy? Our team of email security experts here at atmail are available to assist you with your password policy needs and answer any questions you might have.
With 22 years of global, email expertise, you can trust us to deliver an email hosting platform that is secure, stable and scalable. We power more than 170 million mailboxes worldwide and offer modern, white-labelled, cloud hosted email with your choice of US or (GDPR compliant) EU data centres. Talk to us today.