Transcript
Page 1: [Webinar] Longer is stronger - why passphrases are a powerful security tool

LONGER IS STRONGER

The value of passphrases

Kevin Sullivan, Director of Sales Engineering, Specops Software

Page 2

Agenda

• Password Management overview
• Limitations and mitigations
• Math behind password strength
• Walk through
  – DDP (Default Domain Policy)
  – FGPP (Fine-Grained Password Policy)
  – PowerShell
  – Specops Password Policy
• Questions

AGENDA

Page 3

PASSWORD MANAGEMENT
Overview

Page 4

Security

• Password policies that are in line with the business role of the end-user
  – Flexible targeting
  – Deep control over complexity

• Balance end-user efficiency and security needs

LOCK IT UP

Page 5

Self-Service

• What can they self-serve?
• What is the cost value of self-service password reset?
  – Estimates are up to 2 calls per year per user
  – Short calls – relatively easy
  – Roughly $20 per call average

• Branded, intuitive, helpful, informative

OPEN IT UP

Page 6

Global Identity Management

• SSO – implementation cost vs. value to business?

• Password Sync
  – Typically far less $$$ than SSO
  – Maybe not for all users – requires flexibility
  – Sync targets may be unknowns

MOVE IT OUT

Page 7

LIMITATIONS AND MITIGATIONS
Let’s talk about Passwords

Page 8

What are the concerns?

• Rainbow tables
• Dictionary attacks
• Brute Force attacks

RISKS

HOMEWORK

Page 9

Some ‘techniques’ to strengthen

• Random password generation
• Character substitution
  – Common character substitutions (a→@, e→3, o→0, s→$) are built into the rule sets of most password-cracking tools, for dictionary and brute-force attacks alike, so they add very little strength!
• Passphrases


Page 10

Random

• 3!pIcn&P
• The problem
  – Super hard to remember
  – Super easy to crack: 8 characters from a 94-character set is only 94^8 ≈ 6.1 × 10^15 combinations
• < 1 day to exhaust against a fast, unsalted hash on GPU hardware (a slow hash such as bcrypt stretches this considerably)


Page 11

Character Substitution

1. “Fred and Wilma sat down for a dinner of eggs and ham”

2. F+Wsd4adoe&h (the initial letters of #1, with “and” written as + and &, and “for” as 4)

• The problem
  – #1 is cracked in 170 centuries based on some common algorithms
  – #2 is cracked in 10 years


Example from Sophos’s Graham Cluley https://www.youtube.com/watch?v=VYzguTdOmmU
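Why character substitution buys so little (an added example written for this page, not code from the webinar or from any cracking tool): password crackers such as hashcat and John the Ripper ship rule files that apply the usual substitutions to every word in their list, so a "mangled" base word costs the attacker only a handful of extra guesses. The toy rule engine below enumerates those variants so the extra work can be counted in bits and set against the brute-force haystack for a random string of the same length. The substitution table and the sample word `password` are assumptions chosen to mirror common "leet" rules.

```python
"""Added example (not from the Specops webinar or any cracking tool's rule
file): count how many spellings a substitution rule set produces for a base
word, and compare that extra work with brute-forcing a random string."""
import itertools
import math

# Assumed substitution table: for each letter, the alternatives a rule set
# would try in addition to the original character.
LEET = {
    "a": ["@", "4"],
    "e": ["3"],
    "i": ["1", "!"],
    "o": ["0"],
    "s": ["$", "5"],
    "t": ["7"],
}


def leet_variants(word):
    """Yield every spelling of `word` reachable through LEET.
    The original character is always one of the options at each position,
    so the unmodified word is among the results."""
    choices = [[ch] + LEET.get(ch.lower(), []) for ch in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def variant_count(word):
    """Number of spellings, computed without materialising them: the
    product over positions of (1 + number of substitutes)."""
    return math.prod(1 + len(LEET.get(ch.lower(), [])) for ch in word)


def bits_added_by_substitution(word):
    """Extra entropy, in bits, an attacker must cover because the user
    may have substituted characters: log2 of the variant count."""
    return math.log2(variant_count(word))


def bits_for_brute_force(length, charset_size=94):
    """Entropy, in bits, of a uniformly random string of `length`
    characters from `charset_size` symbols (the slides' 94-character set)."""
    return length * math.log2(charset_size)


if __name__ == "__main__":
    word = "password"  # assumed base word that is already in the attacker's list
    print(f"{word!r}: {variant_count(word)} substituted spellings, "
          f"+{bits_added_by_substitution(word):.2f} bits of work")
    print(f"8 random characters from a 94-symbol set: "
          f"{bits_for_brute_force(8):.2f} bits")
    for sample in itertools.islice(leet_variants(word), 6):
        print("  ", sample)
```

For `password` the table yields 54 spellings, under 6 bits of extra work, while 8 truly random printable characters are about 52 bits. Once the base word is on the attacker's list, P@$$w0rd-style mangling is no defence; the length of the candidate, not its decoration, is what moves the number.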

Page 12

THE MATH AND SCIENCE
Back to school

Page 13

LONGER IS STRONGER

Page 14

Which is stronger?

• D0g..................... (24 characters: a three-character word padded with 21 periods)
• PrXyc.N(n4k77#L!eVdAfp9 (23 random characters)
• ‘The Grateful D3@d is my Favorite Band!’ (a passphrase with a couple of substitutions)

SAY NO TO PASSWORD1!

Ref: Steve Gibson, GRC.com

Page 15

Concepts

• Entropy – lack of order or predictability
• How Big is Your Haystack?
  – https://www.grc.com/haystack.htm
  – Every password is a needle in a haystack
  – A single character, only allowing alpha characters, is a very small haystack!

HEAD ACHES!

Page 16

Basic Stuff – brute force

• If I ask you to guess a number between 1 and 10, you have 10 possibilities
  – Single digit
  – 10 = 10
• If I ask you to guess a number between 1 and 100, you have 100 possibilities
  – Two digits
  – 10 x 10 = 100
• If I ask you to guess a number between 1 and 1000, you have 1000 possibilities
  – Three digits
  – 10 x 10 x 10 = 1000

FUNDAMENTALS

Page 17

Brute Force – cont.

• What if I ask you for a single character and it can be either a number or a letter (English)?
  – 26 letters + 10 numbers
  – 36 possibilities
• OK… now 2 characters
  – 36 x 36 = 1,296
• 3?
  – 36 x 36 x 36 = 46,656
• Upper case, lower case, number, special character?
  – 94 possibilities for each character
  – 3 required characters
• 94 x 94 x 94 = 830,584 possibilities

FUNDAMENTALS

Page 18

Passphrases

• Longer is stronger
• Number of possible letters – 52 in English (26 upper case + 26 lower case)
• Number of digits – 10 (0 – 9)
• Special characters – 32
• Add them together: 94 possibilities for each required character in length
• The keyspace is 94^n where n is the number of required characters; expressed as entropy that is n × log2(94) ≈ 6.55 × n bits


With just alphabetic characters, a 25-character passphrase already has a keyspace of 52^25 ≈ 7.9 × 10^42, so the time to brute force it is astronomical. The caveat: if the passphrase is built from common dictionary words, a cracker will try word combinations rather than individual characters, so the honest estimate is the dictionary size raised to the number of words (four words from a 10,000-word list is 10,000^4 = 10^16 candidates, not 52^n), and the passphrase needs enough words, or uncommon ones, to stay out of reach.
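The haystack arithmetic from the Fundamentals and Passphrases slides, carried through to a time-to-exhaust figure, as an added example written for this page (it is not code from the webinar or from GRC's haystack calculator). It also computes the estimate a cracker actually uses against a passphrase made of dictionary words, which is the number a defender should compare against. The guess rate (10^11 guesses per second) and the 10,000-word dictionary are assumptions chosen for illustration.

```python
"""Added example (not from the Specops webinar or GRC.com): keyspace,
entropy and worst-case time-to-exhaust for the slides' cases, plus the
combinator-attack estimate for passphrases built from dictionary words."""
import math

# Character classes as the slide counts them: 52 letters, 10 digits, 32 specials.
LETTERS, DIGITS, SPECIALS = 52, 10, 32
FULL_SET = LETTERS + DIGITS + SPECIALS  # 94

# Assumed attacker throughput: about what a multi-GPU rig manages against a
# fast, unsalted hash such as NTLM. Against a slow hash (bcrypt, Argon2) the
# real figure is orders of magnitude lower; adjust for your threat model.
GUESSES_PER_SECOND = 10 ** 11
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length, charset_size):
    """Candidates an attacker must try for strings of exactly `length`
    characters drawn from `charset_size` symbols: the size of the haystack."""
    return charset_size ** length


def entropy_bits(length, charset_size):
    """The same haystack expressed in bits: length * log2(charset size)."""
    return length * math.log2(charset_size)


def years_to_exhaust(candidates, rate=GUESSES_PER_SECOND):
    """Worst-case years to try every candidate at `rate` guesses per second.
    The expected time to a hit is half of this."""
    return candidates / rate / SECONDS_PER_YEAR


def word_passphrase_keyspace(words, dictionary_size):
    """Candidates when the cracker knows (or guesses) that the passphrase is
    `words` words taken from a `dictionary_size`-word list and runs a
    combinator attack instead of trying characters. For a passphrase built
    from common words this, not charset ** length, is the honest estimate."""
    return dictionary_size ** words


def haystack_table():
    """Rows of (label, candidates, bits, worst-case years) for the cases the
    slides discuss, plus two dictionary-word passphrases for contrast."""
    cases = [
        ("8 random chars, 94-char set (3!pIcn&P)", keyspace(8, FULL_SET)),
        ("23 random chars, 94-char set (PrXyc.N(n4k77#L!eVdAfp9)", keyspace(23, FULL_SET)),
        ("24 chars, 94-char set, pure brute force (D0g.....................)", keyspace(24, FULL_SET)),
        ("25 letters only, 52-char set", keyspace(25, LETTERS)),
        ("4 words from a 10,000-word list (assumed)", word_passphrase_keyspace(4, 10_000)),
        ("6 words from a 10,000-word list (assumed)", word_passphrase_keyspace(6, 10_000)),
    ]
    return [(label, n, math.log2(n), years_to_exhaust(n)) for label, n in cases]


if __name__ == "__main__":
    print(f"{'case':<70} {'candidates':>12} {'bits':>6} {'worst-case years':>18}")
    for label, n, bits, years in haystack_table():
        print(f"{label:<70} {n:>12.2e} {bits:>6.1f} {years:>18.3e}")
```

Two things the table shows that the slides only assert: the 8-character random password falls in well under a day at the assumed rate, and a 24-character string beats a 23-character one by a factor of 94 under pure brute force. Two caveats go with it: the padded "D0g" string is exactly the shape a mask or pattern attack targets first, so the brute-force figure overstates it, and four common words from a 10,000-word list give only about 53 bits, roughly a day's work at the assumed rate, whereas six words push the same attack out to hundreds of thousands of years.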

Page 19

Additional Considerations

• Do all systems support passphrases?
• How to train your end-users?
  – http://success.specopssoft.com
• Use multi-factor when you can, consumer and corporate
• Preferences vs. Facts (facts about you can be looked up; preferences are harder for an attacker to learn)
  – I like peanut butter – preference
  – I lived in Towson MD – fact

Page 20

Questions

• Do you believe passphrases increase security?

• Do you believe passphrases are easier for users to remember than traditional passwords?

• Do you think you will receive fewer password reset calls if you enable passphrases?

THOUGHTS?

Page 21

Wrap Up

• Use Two/Multi Factor where you can, always!
  – https://twofactorauth.org
• Understand the vulnerability
  – Haystack – https://www.grc.com/haystack.htm
  – Passfault – https://passfault.appspot.com/password_strength.html?#menu
• Some fun reading
  – http://cups.cs.cmu.edu/rshay/pubs/passwords_and_people2011.pdf
  – https://howsecureismypassword.net/

TAKE AWAYS

