War Room

Shells from above


Stanford Password Policy

October 14, 2019 By Kyle Zeigler

A creative solution for stronger passwords

Rules, Rules, Rules

Most of us are familiar with basic password rules:

  • Don’t use ‘password’. Duh.
  • Don’t use your username as your password. Got it.
  • Don’t repeat the same password for multiple accounts.
  • Don’t choose an easily guessable password combination, even if it looks complex, e.g. ‘Winter2016’. Ok…
  • I know you’re tempted, but don’t save a list of those passwords on your desktop. But…
  • Use a 12-character seemingly random string of letters, numbers, and symbols.
  • Now, just as you’re getting used to that password, change it, and keep changing it every month or so. Seriously?

Most people recognize password strength is important, but password rules can be pretty onerous. And they make our passwords hard to remember. Organizations are tasked with balancing security and efficiency, and stringent password requirements can seem too burdensome. Especially in large or fast-paced environments, remembering several complex passwords can be seen as a hindrance to productivity.

This is exactly why companies struggle to enforce strong password policies. Over and over again, we see organizations with minimal password requirements. And over and over again, weak passwords serve as the first step in a network compromise. What can organizations do?

A Creative Solution

Stanford University has come up with a creative solution. By far the best characteristic of a good password is its length. Instead of requiring increasingly complex and randomized passwords, Stanford’s policy encourages longer, easier-to-remember passwords or passphrases.

The policy sets different requirements for different password lengths. The shorter the password, the more complex it needs to be; the longer the password, the less complex it needs to be. For example, an 8-character password (the shortest Stanford allows) needs mixed-case letters, a number, and a symbol, whereas a 20-character password can be all lower-case letters if you so choose. Stanford threw in a few other rules for good measure, such as prohibiting the reuse of previous passwords or the user ID.
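A length-tiered checker in the spirit of the policy described above, added here as an illustration rather than Stanford’s own code: the 8-character and 20-character tiers follow the post, while the 12- and 16-character steps in between and the salted-hash history check are this example’s assumptions.

```python
import hashlib
import hmac
import os

# Length tiers as the post describes them: an 8-character password (Stanford's
# minimum) needs mixed case, a digit and a symbol, while 20+ characters may be
# all lower case. The 12- and 16-character steps are this example's assumption;
# the post does not spell out the intermediate tiers.
TIERS = [
    (20, set()),
    (16, {"upper", "lower"}),                   # assumed tier
    (12, {"upper", "lower", "digit"}),          # assumed tier
    (8, {"upper", "lower", "digit", "symbol"}),
]

def character_classes(password):
    """Character classes present; spaces add length but count as no class."""
    tests = {"upper": str.isupper, "lower": str.islower, "digit": str.isdigit,
             "symbol": lambda c: not (c.isalnum() or c.isspace())}
    return {name for name, test in tests.items() if any(test(c) for c in password)}

def history_entry(password, salt=None):
    """Salted PBKDF2 record for the password-history list (never store plaintext)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

def check_password(password, user_id, history=()):
    """Return policy violations; an empty list means the password is accepted."""
    n = len(password)
    if n < 8:
        return ["shorter than the 8-character minimum"]
    required = next(req for min_len, req in TIERS if n >= min_len)
    problems = []
    missing = required - character_classes(password)
    if missing:
        problems.append(f"{n} characters requires: {', '.join(sorted(missing))}")
    if user_id and user_id.lower() in password.lower():
        problems.append("contains the user ID")
    for salt, digest in history:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if hmac.compare_digest(candidate, digest):
            problems.append("reuses a previous password")
            break
    return problems
```

Note that ‘Winter2019!’ passes this checker, which is exactly the post’s point: a tiered policy raises the floor, but it cannot by itself reject a common pattern, so a blocklist of known-breached passwords is a sensible companion control.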

By decreasing complexity requirements as passwords lengthen, users can choose a phrase that means something to them – say, ‘cheeseburgersaresuperdelicious.’ It’s easy to remember, and easier to type into a mobile phone. Randomize that phrase just a bit (maybe throw in a number or symbol somewhere), and you get an even stronger password. Even using spaces adds another layer of complexity and makes the password longer: ‘cheese burgers are super delicious’.

Why Stanford’s Policy Works

If these passwords are less burdensome, are they just as secure? Yes. To understand why, you need a little background on why weak or common passwords are easy to compromise. Two primary attack methods are used.

  1. Guessing – Attackers can attempt to guess passwords through brute-forcing (running numerous password guesses against a couple of accounts) or reverse brute-forcing, also called password spraying (running a couple of passwords against numerous accounts). In our experience, one of the most common password structures consists of season + year, e.g. ‘Winter19’, or a similar iteration like ‘Winter2019!’ if you’re trying to be extra sneaky. These passwords may meet complexity and length requirements, but since they are so commonly used, they are trivial to guess. In a big organization, we can bet at least one person is using this kind of password.
  2. Cracking – The other primary attack against passwords involves cracking password hashes. When a password is set, it is run through a one-way cryptographic hash function, and the resulting string, the hash, is what gets stored; each time you log back on, the password you type is hashed again and compared against it. These hashes are stored locally, in a restricted area. For this method to work, the attacker must already have achieved some level of compromise and gained access to these password hashes. There are lists of thousands of common password combinations and their corresponding hashes, so an attacker who obtains hashes can run their word lists against them to see if there are any matches. If there are, the attacker now knows the password and can proceed with the compromise.

Length, Not Complexity

By emphasizing length over complexity, Stanford’s policy helps mitigate those two primary avenues of attack. The longer the password, the harder it is to guess or crack.

A 20-character, all lower-case password is more secure than an 8-character, super complex password. For every position in a password string, there is a finite number of potential characters that could occupy that slot. Each extra slot you add multiplies the number of possible passwords by the size of that character set, so the computational power it would take to try them all grows exponentially with length. It’s math, people.
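The keyspace arithmetic behind that claim, added here as an illustration (not part of the original post), assuming 95 printable ASCII characters for the complex password and 26 letters for the lower-case one, with $|A|$ the alphabet size and $L$ the length:

$$
N = |A|^{L}, \qquad \log_2 N = L \log_2 |A|
$$

$$
95^{8} \approx 6.6 \times 10^{15} \;(\approx 52.6 \text{ bits}), \qquad 26^{20} \approx 2.0 \times 10^{28} \;(\approx 94 \text{ bits})
$$

Each added lower-case position multiplies the keyspace by 26, so the 20-character phrase has roughly $3 \times 10^{12}$ times as many possibilities as the 8-character one, even though every one of its characters comes from the smaller set.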

Plus, it’s harder to choose a really common, easily guessable passphrase that is 20 characters long. ‘cheeseburgers are super delicious’ may not sound that complicated to you, but out of all the possible combinations of letters out there, it’s pretty hard to guess this exact phrase. Furthermore, though long passwords will not prevent hashes from being obtained in the first place, they are much harder to crack, since word lists used for password cracking do not typically contain passphrases of 20+ characters.

Businesses may do well to follow in Stanford’s footsteps. Compromising just one account may lead to a treasure trove of sensitive data or can provide a foothold for further network penetration. Longer passwords are an easy (or easier) way to protect accounts and your organization—because ‘Password1234’ and ‘Summer2019!’ ain’t fooling anybody anymore.
