Technocrat's Weblog

Mon, 01 Sep 2008

Changing your password frequently

Organizations often set policies that require passwords to be changed frequently. I've seen that frequency as high as once every thirty days! This not only gives a false sense of security, it can actually make things less secure.


Mathematics

A password is a combination of keys that authenticates the user. The number of possible combinations is determined by the number of possible characters and by the number of characters in the combination (its length).

n = number of possible characters
l = length of the password
x = number of possible passwords
x = n * n * ... * n (repeated l times)
x = n^l

Let us assume that any single password character has seventy possibilities. This would include fifty-two letters (upper and lower case), ten digits and a conservative eight symbols. Thus for a password with a length of eight:

x = 70^8
x = 5.76 exp 14

That's a big number. How big is it? Suppose you were a really fast typist and that you could type an eight-character password in just a single second. How long would it take you to type all possible combinations? More than eighteen million years!

5.76 exp 14 / 60s/m = 9.6 exp 12 min
9.6 exp 12 min / 60m/h = 1.6 exp 11 hours
1.6 exp 11 hours / 24h/d = 6,666,666,667 days
6,666,666,667 days / 365d/y = 18,264,840 years

Incidentally, this number increases to 1.3 billion years just by increasing the length of the password from eight to nine. No cracker worth his salt is going to brute force a password by hand. He'll use a computer to do it for him. Suppose he has access to a very fast computer that can make one thousand attempts per second.

5.76 exp 14 / 1000/s = 5.76 exp 11 sec
5.76 exp 11 sec / 60s/m = 9,600,000,000 min
9,600,000,000 min / 60m/h = 160,000,000 hours
160,000,000 hours / 24h/d = 6,666,666 days
6,666,666 days / 365d/y = 18,264 years

As you can see from our original one-password-per-second evaluation, we can simplify: the answer is the result of the first evaluation divided by the number of password checks per second. With this in mind let's ramp up our cracking supercomputer. Let's suppose that our computer can make nine million attempts per second.

18,264,840 years / 9,000,000 = 2.03 years.
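The arithmetic above, generalised into a small Python script (an added example, not the post's own code) so that alphabet size, length, guess rate and rotation interval can all be varied; it also asks what share of the keyspace the nine-million-guess attacker covers inside a single thirty-day rotation period.

```python
# Added example, not the post's code: the brute-force arithmetic above with
# alphabet size, length, guess rate and rotation interval as parameters.

SECONDS_PER_DAY = 24 * 60 * 60
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY   # the post uses a 365-day year


def keyspace(n: int, l: int) -> int:
    """x = n^l: distinct passwords of length l over n characters."""
    return n ** l


def years_to_exhaust(n: int, l: int, guesses_per_second: float) -> float:
    """Worst case: years needed to try every password (the post's figures)."""
    return keyspace(n, l) / guesses_per_second / SECONDS_PER_YEAR


def fraction_tried_before_rotation(n: int, l: int, guesses_per_second: float,
                                   rotation_days: int) -> float:
    """Share of the keyspace covered within one rotation period.

    For a uniformly random password this is also the probability that the
    attacker hits it before the user is forced to change it.
    """
    guesses = guesses_per_second * rotation_days * SECONDS_PER_DAY
    return min(1.0, guesses / keyspace(n, l))


def probability_cracked_over(n: int, l: int, guesses_per_second: float,
                             rotation_days: int, periods: int) -> float:
    """Chance of at least one success across `periods` rotations: each new
    password is a fresh, independent window, so 'starting over' does not
    undo the chance accumulated in earlier windows."""
    p = fraction_tried_before_rotation(n, l, guesses_per_second, rotation_days)
    return 1.0 - (1.0 - p) ** periods


if __name__ == "__main__":
    print(f"{keyspace(70, 8):.2e} eight-character passwords")
    for rate in (1, 1_000, 9_000_000):
        print(f"{rate:>9} guesses/s: {years_to_exhaust(70, 8, rate):,.0f} years")
    print(f"nine characters at 1 guess/s: {years_to_exhaust(70, 9, 1):.2e} years")
    attacker, rotation = 9_000_000, 30
    print(f"keyspace covered in one {rotation}-day period: "
          f"{fraction_tried_before_rotation(70, 8, attacker, rotation):.1%}")
    print(f"cracked at least once in two years of {rotation}-day rotation: "
          f"{probability_cracked_over(70, 8, attacker, rotation, 24):.0%}")
    print(f"same attacker and period, nine characters: "
          f"{fraction_tried_before_rotation(70, 9, attacker, rotation):.2%}")
```

The two-year figure for an eight-character password works out at about 4% of the keyspace per thirty-day period, so across twenty-four rotations the attacker who "keeps starting over" still has roughly a 63% chance of a hit, while one extra character cuts the per-period share to well under a tenth of a percent.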

Many reason that if it takes two years to crack a single eight-character password, then changing the password regularly forces the cracker to keep starting over. They then argue that the password is therefore impossible to crack.

Other cracking methods

Other than brute force how else can passwords be cracked?

  1. Keystroke loggers.
  2. Man-in-the-middle attacks.
  3. So-called social engineering, whereby the user is duped into revealing their password.
  4. The password written down for easy retrieval. This is popular when users cannot remember their password because it is changed so often.
  5. Guessing: a password that fits the format policy may still be guessable. For example, consider this personally significant date: May;22-nineteen95. These types of passwords are also common when passwords are frequently changed.

If any of these methods is successful, then only changing the password immediately will prevent an intrusion. Changing the password thirty days later gains nothing.

If a password as short as eight characters requires two years to crack by brute force, and the other methods of cracking result in immediate intrusion, what is the benefit of rotating passwords so frequently?
