{"id":258,"date":"2011-02-15T16:51:47","date_gmt":"2011-02-15T16:51:47","guid":{"rendered":"http:\/\/www.slyman.org\/blog\/?p=258"},"modified":"2012-06-22T08:45:44","modified_gmt":"2012-06-22T08:45:44","slug":"preventing-password-reuse","status":"publish","type":"post","link":"https:\/\/slyman.org\/blog\/2011\/02\/preventing-password-reuse\/","title":{"rendered":"Preventing reuse of passwords"},"content":{"rendered":"<p>Passwords are traditionally chosen by users themselves.&nbsp; This presents a challenge for security engineers, since regardless of the minimum password length enforced, creative users might still choose cryptographically weak passwords that break security design assumptions.&nbsp; Best-practices such as password hashing and hash salting are industrially well known but frequently ignored by software developers.&nbsp; <strong>Password reuse<\/strong> further threatens security, either by <strong>giving attackers a greater opportunity to break in<\/strong> using old passwords that are more vulnerable to brute-force attack, or by enabling attackers to break in to a high-value computer system using password data stolen from a less secure system.<\/p>\n<p><strong>Preventing<\/strong> the reuse of historical passwords may be accomplished within a closed system by maintaining a history of password hashes (to prevent the user from choosing a password that would result in a similar hash to one generated previously); however, where systems are designed to prevent even their administrators from knowing users&#8217; passwords, it&#8217;s hard to gauge directly how frequently identical passwords have been used across software systems run by different organisations.<\/p>\n<p>Researchers have <a title=\"Measuring Password Use Empirically&#xd;&#xa;&#x2014;&nbsp;Joseph Bonneau @ Cambridge University\" href=\"http:\/\/www.lightbluetouchpaper.org\/2011\/02\/09\/measuring-password-re-use-empirically\/\" target=\"_blank\">studied the prevalence of password reuse and the 
impact of this practice on system security<\/a>.<\/p>\n<h2>Here I present a method of strongly discouraging password reuse across systems:<\/h2>\n<ol>\n<li><strong>Statistically evaluate the strength of new passwords<\/strong>: when users change their password, check the strength of the new password by <a title=\"Password strength&#xd;&#xa;&#x2014;&nbsp;Wikipedia.org\" href=\"http:\/\/en.wikipedia.org\/wiki\/Password_strength\" target=\"_blank\">using information theory to evaluate its unpredictability<\/a>.<\/li>\n<li>If password strength is poor, or <strong>if the password hash is identical to a previous hash for a password used by the same user, prompt the user to try again<\/strong>. Otherwise, update the password and record its hash in a table of historical password hashes (I call this \u201c<em>hash caching<\/em>\u201d).<\/li>\n<li><p><strong>Enforce password validity periods&nbsp; L<sub>n<\/sub> for a user&#8217;s n<sup>th<\/sup> password<\/strong>:<br \/>\nL<sub>n<\/sub> = p \u00d7 a<sup>n<\/sup>;&nbsp; L<sub>n<\/sub> &lt; L<sub>MAX<\/sub>;&nbsp; where<\/p>\n<ul>\n<li><strong>p<\/strong> is a proportional constant period of time, e.g.<br \/>\n20 days \u2264 p \u2264 40 days<\/li>\n<li><strong>a<\/strong> controls the rate of increase in the password validity period.<br \/>\n1.4 \u2264 a \u2264 2<\/li>\n<li><strong>L<sub>MAX<\/sub><\/strong> is a hard cap on password validity periods, e.g.<br \/>\n4p \u2264 L<sub>MAX<\/sub> \u2264 16p<\/li>\n<li>Values and limits for&nbsp; a, p,&nbsp; L<sub>MAX<\/sub> \u2215 p&nbsp; may vary according to administrative discretion and the strength of the selected password.&nbsp; Where applicable, inform users that a longer, more convenient password validity period may apply if they strengthen their password.<\/li>\n<\/ul>\n<p><a href=\"http:\/\/www.slyman.org\/blog\/wp-content\/uploads\/2011\/02\/password_validity_periods_example.png\"><img loading=\"lazy\" decoding=\"async\" width=\"401\" height=\"325\" class=\"alignnone size-full wp-image-324\" style=\"width: 525px; margin: 0.75em 0em;\" title=\"Example of this policy, where password strength is constant.\" src=\"http:\/\/www.slyman.org\/blog\/wp-content\/uploads\/2011\/02\/password_validity_periods_example.png\" alt=\"Graph showing password validity periods according to formulae described in this article, for a constant password strength score (example parameters: a=1.68, p=30)\" srcset=\"https:\/\/slyman.org\/blog\/wp-content\/uploads\/2011\/02\/password_validity_periods_example.png 401w, https:\/\/slyman.org\/blog\/wp-content\/uploads\/2011\/02\/password_validity_periods_example-300x243.png 300w\" sizes=\"auto, (max-width: 401px) 100vw, 401px\" \/><\/a><\/p><\/li>\n<\/ol>\n<p>System users will soon have comparatively unique and secure passwords; since each user&#8217;s favourite passwords will typically be exhausted during the initial six months of their user account, subsequent choices will be influenced by hard policies and soft ergonomics, and any new passwords reused on third-party systems will eventually expire.<\/p>\n<p>Can anyone devise an alternative way to prevent this folly?&nbsp; Are there other vulnerabilities in this design?&nbsp; How can I improve the design?&nbsp; Comments are welcome.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Password management is challenging because passwords are traditionally chosen by users themselves.&nbsp; This article presents a method of strongly discouraging the reuse of potentially compromised passwords. <a href=\"https:\/\/slyman.org\/blog\/2011\/02\/preventing-password-reuse\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[17],"tags":[77,64,55,57,56,66,67,60],"class_list":["post-258","post","type-post","status-publish","format-standard","hentry","category-security","tag-cryptographic-salt","tag-hash-caching","tag-password","tag-password-hashing","tag-password-reuse","tag-preventing","tag-reuse-of-passwords","tag-statistics"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/slyman.org\/blog\/wp-json\/wp\/v2\/posts\/258","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/slyman.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/slyman.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/slyman.org\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/slyman.org\/blog\/wp-json\/wp\/v2\/comments?post=258"}],"version-history":[{"count":0,"href":"https:\/\/slyman.org\/blog\/wp-json\/wp\/v2\/posts\/258\/revisions"}],"wp:attachment":[{"href":"https:\/\/slyman.org\/blog\/wp-json\/wp\/v2\/media?parent=258"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/slyman.org\/blog\/wp-json\/wp\/v2\/categories?post=258"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/slyman.org\/blog\/wp-json\/wp\/v2\/tags?post=258"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}