Manicode

Michael Coates started an interesting thread on the OWASP Leaders list about password policy complexity guidance. http://lists.owasp.org/pipermail/owasp-leaders/2013-December/010492.html

I think that password policy overall is a failure and we indeed need to update our guidance on this topic.

Password length is the most important mathematical aspect to password policy, so passphrases seem like a good idea. But if your passphrase is a known sentence from a book, or just a collection of dictionary words - then the benefit decreases significantly. Here are some interesting articles that discuss this problem to some degree from the perspective of offline password cracking.

http://arstechnica.com/security/2013/08/thereisnofatebutwhatwemake-turbo-charged-cracking-comes-to-long-passwords/
http://dashburst.com/bible-hackers-password-cracking/
https://bitcointalk.org/index.php?topic=85862.25;wap2

Jeffrey Walton suggested to me that one of the most important aspects to a good password policy is to not allow users to use commonly used passwords; even passwords that fit your corporate password policy. For example, the password Password1! probably would be accepted by most corporate password policies, but it's a dangerously bad and commonly used password. Hackers conduct "reverse brute force attacks" where they take a commonly used but supposedly strong password, and make one attempt against a large list of accounts. This and other reasons have prompted some banks to enforce strong policies on usernames!

I feel like the use of Password Managers is one of the key aspects to secure user password management. I know of several mid-size companies who have or are starting to enforce their use. Bob Lord, the Director of Security at Twitter, has led the charge of enforcing this on the entire Twitter staff. I think this move is a big win for Twitters internal security. 

http://news.softpedia.com/news/Hack-in-the-Box-13-Twitter-s-Bob-Lord-Forces-New-Employees-to-Use-Password-Managers-344699.shtml

Last, any password advice needs to push multi-factor. Poorly misquoting John Steven (as well as taking his quote out of context), "Using passwords to protect your account will help you as much as motorcycle helmets will protect you at high speed."

Dear all,

We are pleased to announce SecAppDev Leuven 2013, an intensive one-week course in secure application development. The course is organized by secappdev.org, a non-profit organization that aims to broaden security awareness in the development community and advance secure software engineering practices. The course is a joint initiative with KU Leuven and Solvay Brussels School of Economics and Management.

SecAppDev 2013 is the 9th edition of our widely acclaimed course, attended by an international audience from a broad range of industries including financial services, telecom, consumer electronics and media and taught by leading software security experts including

• Prof. dr. ir. Bart Preneel who heads COSIC, the renowned crypto lab. 
• Ken van Wyk, co-founder of the CERT Coordination Center and widely acclaimed author and lecturer. 
• Dr. Steven Murdoch of the University of Cambridge Computer Laboratory's security group, well known for his research in anonymity and banking system security. 
• Jim Manico, an OWASP board member. 
• John Steven, a sought-after architect for high-performance, scalable JEE systems. 

When we ran our first annual course in 2005, emphasis was on awareness and security basics, but as the field matured and a thriving security training market developed, we felt it was not appropriate to compete as a non-profit organization. Our focus has hence shifted to providing a platform for leading-edge and experimental material from thought leaders in academia and industry. We look toward academics to provide research results that are ready to break into the mainstream and attract people with an industrial background to try out new content and formats.

The course takes place from March 4th to 8th in the Faculty Club, Leuven, Belgium.

For more information visit the web site: http://secappdev.org.

• Places are limited, so do not delay registering to avoid disappointment.
• Registration is on a first-come, first-served basis.
• A 25% discount is available for Early Bird registration until January 15th.
• Alumni, public servants and independents receive a 50% discount.

I hope that we will be able to welcome you or your colleagues to our course.

Kind regards,

Lieven