In 2015 we published some pretty revolutionary password guidance which highlighted widely accepted password policies that we thought caused more harm than good.
The feedback from this guidance has generally been very positive, but certain parts of it have proven difficult for some of our customers to implement. This blog post discusses these issues, and what we're trying to do about it.
Two of the key recommendations in the guidance are:
- Help users cope with password overload
- Help users generate appropriate passwords
One of the things system administrators would like to do (to address both the above points) is to turn off password complexity rules, and let their users pick memorable passwords which work for them. However, this would mean that there’s nothing stopping users from picking passwords like password or letmein, which frequently appear in the "most common passwords" lists worldwide. To mitigate this, we tell users not to pick "obvious" passwords. But of course not all users have the same idea of what an "obvious" password is. And when we can't see or control users' password choices using technical means, we don't really know if they're following our advice or ignoring it.
So is this approach effective? If you assume an organisation has a policy where password complexity is not enforced, but an account locks out after repeated failed login attempts (say, 10), there are two key attacks that need to be prevented:
- An attacker brute-forces the most common 10 passwords for every user of the system;
- An attacker trickles in 9 passwords per day from a list of common passwords; the user logs in and resets the count.
To stop these attacks, we added an extra mitigation into the password guidance – “Blacklist the most common password choices”. If you’re developing your own application then that’s fairly straightforward to do, but if you’re a Windows network administrator then it’s not obvious what action you can take here.
We’re working on a number of solutions to try and address the common passwords problem, but first we’d like to collect some data on how much of a problem they are in Windows domains. We’ve built a simple tool that generates some high level statistics on how many "Top 10,000" passwords and variants there are in your organisation, and therefore how much of a risk it is for you. It's simply a PowerShell script which takes a few seconds to run and outputs a simple text file. This text file contains anonymised data which we can use as part of our research study, and we’d be grateful if you’d share those statistics with us (though there is no obligation to). As the script looks only for known passwords that generally don't meet any complexity rules, the results are only going to be meaningful if users can choose their own passwords and you don't enforce complexity on your domain.
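As an added example (not the NCSC's script or any tool it describes), here is the kind of blocklist check the "Blacklist the most common password choices" mitigation calls for in your own application, together with the "exact match vs. variant" counts the statistics above are about. The blocklist, the variant rules and the sample passwords are all constructed assumptions for the demo, not the real Top 10,000 list or the script's own matching logic.

```python
"""Common-password blocklist check with simple variant matching."""
import re
from typing import Iterable, Optional

# Constructed stand-in for a real "Top 10,000" list; a deployment would load
# the full list from a file rather than hard-code it.
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "welcome", "monkey", "123456"}

# Leet-speak substitutions users often apply to dodge a naive exact-match blocklist.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def canonicalise(candidate: str) -> str:
    """Reduce a password to the base word a common variant was built from.

    Rules (an assumption, not the page's): lower-case, drop leading digits and
    trailing digits/symbols ("2017welcome", "Password1!"), then undo leet
    substitutions ("P@55w0rd"). Purely numeric passwords are kept as typed.
    """
    low = candidate.lower()
    base = re.sub(r"^\d+|[\d\W_]+$", "", low)
    if not base:              # e.g. "123456": nothing left after stripping
        return low
    return base.translate(_LEET)


def check_password(candidate: str, blocklist=COMMON_PASSWORDS) -> Optional[str]:
    """Return "exact" for a blocklisted password, "variant" for a disguised one, else None."""
    if candidate in blocklist:
        return "exact"
    if canonicalise(candidate) in blocklist:
        return "variant"
    return None


def summarise(passwords: Iterable[str], blocklist=COMMON_PASSWORDS) -> dict:
    """High-level counts of the sort a domain-wide survey would report."""
    counts = {"total": 0, "exact": 0, "variant": 0}
    for pw in passwords:
        counts["total"] += 1
        verdict = check_password(pw, blocklist)
        if verdict:
            counts[verdict] += 1
    return counts


# Constructed sample of user-chosen passwords for the demo.
SAMPLE_PASSWORDS = ["password", "P@55w0rd", "Welcome2017", "letmein",
                    "Tr0ub4dor&3", "correct horse battery staple", "123456", "qwerty1!"]

if __name__ == "__main__":
    print(summarise(SAMPLE_PASSWORDS))   # {'total': 8, 'exact': 3, 'variant': 3}
```

Rejecting anything whose verdict is not None at password-set time is the application-side equivalent of the blocklist mitigation; a stripped-down canonicalisation like this one will miss some disguises (e.g. a leading "$" standing in for "s"), so treat it as a floor, not a complete filter.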
So if you're a network administrator who doesn’t enforce password complexity on your Windows domain, and you want to know how much of a problem commonly-used passwords are in your domain then drop an email to firstname.lastname@example.org and we’ll be in touch with the necessary tools. For now, we'll limit participation to organisations that handle OFFICIAL information, but we'll share our tools more widely afterwards. We look forward to hearing from you in the near future.
EUD Security Research Lead