Introduction
Part of the Synapse HIPAA/PHI compliance evaluation (PLFM-5197) has been focused on the existing password policy used by Synapse (PLFM-5210). This evaluation has highlighted the need to reevaluate our existing Synapse Password Policy. The following is the result of that evaluation.
Recommended Synapse Password Policy
- Exponential back-off for failed password authentication attempts.
- All passwords must be at least 8 characters.
- No special characters requirements.
- No forced password rotation.
- No password strength meters.
- Common passwords are blocked.
- All PHI is identified and only accessible with Multi-factor authentication.
- Eventually, completely replace Synapse managed passwords authentication with Google & ORCID authentication (see PLFM-5311).
Note: The above recommendations closely mirror the recommendations from Microsoft [8].
What is the current Synapse Password Policy?
The Synapse Password Policy as of December 4th 2018 is composed of three parts:
- All new passwords created after April 2016 must have a minimum of eight characters (PLFM-3820)
- Failed authentication attempts are throttled (PLFM-3818). Specifically, each machine in the cluster will limit authentication attempts to 10 requests per 300 seconds. With eight machines in the cluster we can expect, on average, to be limited to 1 failed request per 3 seconds.
- The UI will show the user an estimated password strength meter (using zxcvbn).
What is the problem with user-chosen passwords?
For decades, system administrators have assumed that password security was about preventing brute-force attacks. A simple brute force attack consists of an aggressor attempting every possible permutation until correctly guessing the password. So how do we measure the strength of a password to resist such an attack?
The guessing resistance of user-chosen passwords is often estimated by modeling passwords as random choices from a uniform distribution. ...The logarithm of the size of this uniform distribution in this model is often called entropy, in reference to Claude Shannon’s famous measure H1 of the minimum average number of bits needed to encode symbols drawn from a distribution. - [6]
The size of the uniform distribution (D) is simply the alphabet size, or complexity (c), raised to the power of the length (l):
D = c^l
The number of bits of entropy (e) is then simply:
e = log2(D) = log2(c^l) = l * log2(c)
With this model, the size of the uniform distribution grows quickly with small increases in either the required password complexity (c) or the required length (l). For example, consider a simple banking PIN consisting only of digits (c=10) and four characters (l=4). Such a PIN has 13 bits of entropy (log2(10^4)). The maximum number of guesses needed to correctly guess such a PIN would be 10^4. Put another way, the odds that a single random guess would correctly match a PIN from this domain are 1 in 10^4. With this model it seems logical to require the largest possible values for both complexity (c) and length (l).
There are two problems with this model. The first problem is that users do not choose random passwords. Users are far more likely to choose passwords based on predictable patterns [1,2,3,6]. The second problem is that attackers know these patterns and model their attacks accordingly [4,5]. There is also evidence that attackers develop specially tailored attacks to counter new tricks learned by users, such as xkcd's CorrectHorseBatteryStaple suggestion [4].
The password "correcthorsebatterystaple" perfectly illustrates the disconnect between how we model password strength and real users' passwords. According to the entropy model, "correcthorsebatterystaple" belongs to a domain with 117 bits of entropy (log2(26^25)). That level of entropy assumes each letter of each word contributes to the overall size of the distribution. This assumption holds for a simple brute force attack. However, if the attacker knows this trick they can try word combinations instead of letter combinations. If the attacker uses the top 100 most common words in every possible combination of up to four words, then the actual size of the domain is 26 bits of entropy (log2(100^4)) instead of 117. Since it is difficult to memorize four random words in a string, but easy to memorize a real phrase, users are learning to choose a phrase for a password [11]. Simple attacks can try the most common phrases, so the password "fromtimetotime" can be guessed in under 8 tries even though it has 66 bits of entropy. More sophisticated attacks employ phrases from many sources, including the Bible and YouTube [11].
If users are required to use special characters, they will often use simple leet substitutions, such as changing "password" to "p@$$word". If users are required to add digits, they are likely to add them to the end, so "password" becomes "password123" [4]. If they are required to use capital letters, they will put the capitals at the beginning of each word, so "fromtimetotime" becomes "FromTimeToTime". Each of these patterns is easily exploited by attackers, so the effective password entropy is not actually increased by the added complexity requirement [4].
The basic idea behind password strength meters is that they help users choose better passwords. One study found that password meters can encourage users to pick passwords with increased entropy [9]. If passwords were randomly generated, then increasing password entropy would certainly slow down attackers. But since users choose passwords using predictable patterns, the increase in entropy does not translate into stronger passwords. Password strength meters continue to classify short randomly generated passwords as weak and long user-chosen passwords as strong, which is backwards.
How to be secure when users choose weak passwords?
As one group of researchers points out, even weak passwords are secure when there is a limit on the number of failed attempts [10]. This is why bank card PINs are secure even though they only have 13 bits of entropy. With an enforced exponential backoff for failed attempts, an attacker will have less than a dozen attempts per year. With so few attempts, only the most common passwords could be guessed. A system that blocks users from selecting the most common passwords, combined with exponential backoff, would be secure even when users choose "weak" passwords.
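The following is an added example (not Synapse code) that puts numbers on the two arguments above: the uniform entropy model from the earlier section (e = l * log2(c)) and the online-guessing budget an attacker gets under exponential backoff. The blocklist contents and the backoff schedule (1 second doubling per consecutive failure, optionally capped) are assumptions for illustration; the 24-hour cap shows the caveat that any cap turns the budget back into roughly window / cap.

```python
import math

YEAR_SECONDS = 365 * 24 * 3600
MIN_LENGTH = 8  # the only length rule the policy keeps; no complexity or rotation rules

# Constructed sample blocklist. A real deployment loads a large published list of
# the most common passwords and compares case-insensitively.
COMMON_PASSWORDS = {"password", "password123", "p@$$word", "123456", "qwerty",
                    "letmein", "fromtimetotime", "correcthorsebatterystaple"}

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy under the uniform model: e = log2(c^l) = l * log2(c)."""
    return length * math.log2(alphabet_size)

def validate_password(candidate: str):
    """Return None when the password is acceptable, else the rejection reason.
    Only two rules: minimum length and the common-password blocklist."""
    if len(candidate) < MIN_LENGTH:
        return "too short"
    if candidate.lower() in COMMON_PASSWORDS:
        return "too common"
    return None

def backoff_delay(failures: int, base_seconds: int, cap_seconds=None) -> int:
    """Wait imposed after `failures` consecutive failures: base * 2^(failures-1),
    optionally capped so a locked-out legitimate user can eventually get back in."""
    if failures <= 0:
        return 0
    delay = base_seconds * 2 ** (failures - 1)
    return delay if cap_seconds is None else min(delay, cap_seconds)

def attempts_in_window(window_seconds: int, base_seconds: int, cap_seconds=None) -> int:
    """Consecutive failed guesses an attacker can make against one account
    inside the window (every attempt assumed to fail, so each one doubles the wait)."""
    elapsed, attempts = 0, 0
    while True:
        elapsed += backoff_delay(attempts, base_seconds, cap_seconds)
        if elapsed > window_seconds:
            return attempts
        attempts += 1

if __name__ == "__main__":
    print(f"4-digit PIN: {entropy_bits(10, 4):.1f} bits; 25 letters: {entropy_bits(26, 25):.1f} bits; "
          f"4 of the top 100 words: {entropy_bits(100, 4):.1f} bits")
    for base in (1, 60, 3600):
        print(f"base {base}s: {attempts_in_window(YEAR_SECONDS, base)} guesses/year uncapped, "
              f"{attempts_in_window(YEAR_SECONDS, base, 86400)} with a 24h cap")
    print(validate_password("p@$$word"), validate_password("FromTimeToTime"), validate_password("a-phrase-not-in-the-list"))
```

Note that the backoff here is per account and per consecutive-failure streak; the existing per-machine throttle described above bounds total request rate but not guesses against a single account.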
References
- [1] Carnavalet, Xavier et al. "A Large-Scale Evaluation of High-Impact Password Strength Meters." madiba.encs.concordia.ca, 2015.
- [2] Zhang, Yinqian et al. "The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis." cs.unc.edu, 2010.
- [3] Schneier, Bruce. "Real-World Passwords." schneier.com.
- [4] Goodin, Dan. "Anatomy of a hack: How crackers ransack passwords like 'qeadzcwrsfxv1331'." arstechnica.com, 2013.
- [5] Schneier, Bruce. "Choosing Secure Passwords." schneier.com, 2014.
- [6] Bonneau, Joseph et al. "Passwords and the Evolution of Imperfect Authentication." jbonneau.com.
- [7] Wheeler, Daniel. "zxcvbn: Low-Budget Password Strength Estimation." usenix.org, August 10-12, 2016.
- [8] Hicock, Robyn. "Microsoft Password Guidance." microsoft.com.
- [9] Egelman, Serge et al. "Does My Password Go up to Eleven? The Impact of Password Meters on Password Selection." microsoft.com.
- [10] Florencio, Dinei et al. "Do Strong Web Passwords Accomplish Anything?" microsoft.com.
- [11] Goodin, Dan. "How the Bible and YouTube are fueling the next frontier of password cracking." arstechnica.com, 2013.