The Password Audit

If you have received an email claiming that you have a weak password, or you happen to read this blog posting, then this post explains the process used in the password audit. And yes, IS is sending out emails to those with weak passwords letting them know. If you are reading this just to find the link to change your password, click the relevant link below :-

If you have changed your password after November 2014, then any emails you receive from the password audit are in relation to your old password. However you may still wish to follow the advice to set a long and strong password if your new password is similar to your old password.

Selecting A Long And Strong Password

Choosing a password is of course up to you, and any method of choosing a password that generates a long and strong password is perfectly valid. However, if you have been notified that your password is weak, you may wish to pay attention to the advice within the email and here. The method we suggest is to pick three to four words. Preferably at least one should be rare, and the sequence of words should not make sense. Separate each word with a symbol (‘=’ or something) – not a space! The two examples given in the email should demonstrate :-

  1. Blue / Parrot / Police / Boodle
  2. Tree ( Blink ( Bubble ( Whistle

If you choose another method, the following are things you should not do :-

  1. Use a single word, whatever kind of transformation you apply to it.
  2. Use any kind of word that has meaning to you. Using your pet’s name, birthplace, etc. in a password makes an attacker’s life much easier.
  3. Use a short (anything less than 8 characters) password.
  4. Use any published example (such as those above) of a strong password. By its very nature an example of a strong password demonstrates what a strong password should look like, but is itself weak because it is known. Well-known passwords such as the Xkcd example of “correcthorsebatterystaple” are found in any attacker’s dictionary.
  5. Assume that because you know a language other than English, an attacker won’t. In fact attackers know far more languages than you do (they use multi-lingual dictionaries).
  6. Use predictable sequences of characters found on the keyboard (“qwerty”, etc.). Attackers have all such sequences in their dictionaries.
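
The checks below turn the list of things not to do into code. This is an added example, not a tool from the IS Security Team or the audit itself: the dictionary, the list of published example passwords and the keyboard rows are small constructed samples, and a real check would use full multi-lingual word lists.

```python
"""Password-choice checks mirroring the advice above (added example; the
word list, known-example list and keyboard rows are constructed samples)."""
import re

# Constructed mini dictionary; a real check uses multi-lingual word lists.
DICTIONARY = {"blue", "parrot", "police", "boodle", "tree", "blink", "bubble",
              "whistle", "password", "summer", "london", "rover", "correct",
              "horse", "battery", "staple"}

# Published "strong password" examples (letters only) are in every attacker
# dictionary, including the two given in the email and the Xkcd one.
KNOWN_EXAMPLES = {"correcthorsebatterystaple", "blueparrotpoliceboodle",
                  "treeblinkbubblewhistle"}

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
MIN_LENGTH = 8

# Cheap substitutions people apply to a single word (0 -> o, 3 -> e, ...).
LEET = str.maketrans("013457@$", "oieastas")


def strip_transforms(pw):
    """Undo the usual single-word transformations: trailing/leading digits or
    symbols, case, and leet substitutions. Returns the underlying word."""
    core = re.sub(r"^[^a-zA-Z]+|[^a-zA-Z]+$", "", pw)
    return core.lower().translate(LEET)


def keyboard_walk(pw):
    """True if the password contains four or more adjacent keys from one
    keyboard row, in either direction (qwer, rewq, 1234, ...)."""
    s = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - 3):
                if seq[i:i + 4] in s:
                    return True
    return False


def check_password(pw, personal=()):
    """Return the list of reasons the password is weak under the rules above;
    an empty list means it passed. `personal` holds things an attacker can
    look up about you (pet names, birthplace, ...)."""
    reasons = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if re.sub(r"[^a-z]", "", low) in KNOWN_EXAMPLES:
        reasons.append("published example password")
    if strip_transforms(pw) in DICTIONARY:
        reasons.append("single dictionary word with transformations")
    for item in personal:
        if item.lower() in low:
            reasons.append("contains personal information: " + item)
    if keyboard_walk(pw):
        reasons.append("keyboard sequence")
    if " " in pw.strip():
        reasons.append("words separated by spaces rather than a symbol")
    return reasons


if __name__ == "__main__":
    for candidate in ("Summer2014!", "Qwerty123", "correct horse battery staple",
                      "Quartz=Lantern=Moss=Violin"):
        print(candidate, "->", check_password(candidate) or "ok")
```

Note that `Summer2014!` fails even though it is eleven characters long and mixes case, digits and a symbol: stripping the decoration leaves one dictionary word, which is exactly what a cracking tool's rule set does. The four-word password with `=` separators passes every check here; whether it survives a real run depends on the words not appearing together in anyone's dictionary.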

What Is A Weak Password?

There are probably nearly as many definitions of what a weak password is as there are security researchers, and many of the definitions travel down the path of information entropy, which, whilst academically interesting, is not especially useful. It is almost an arbitrary choice as to which definition to use. However, the IS Security Team have decided to define a weak password in a manner that is relatively easy to test :-

A weak password is a password that an attacker can obtain by running password cracking tools against the password hash within a reasonable amount of time using commodity hardware (1 day).

Whilst this definition may be gibberish to many, it does have certain advantages – we can use standard password cracking tools to determine whether an account password is weak or not, using a very similar methodology to the attacker. And a password’s role is to defeat an attacker, not to meet an arbitrary standard for strength.

But Password Hashes Are Not Public

Attacking password hashes might be considered to be a bit of a cheat. Most password attacks that we see are those where the attacker guesses the password. However :-

  1. Attacking the password hash will get easily guessed passwords.
  2. Raising the bar a bit above where the attackers are seems to be a sensible precaution.
  3. Just because we do not see more sophisticated attacks does not mean they are not happening.

Whilst password hashes should not be visible to an attacker, there are many circumstances where they are. The standard methodology for an attacker breaking into servers is to dump any available password hashes to be attacked; another is an attacker who steals your laptop. Attacking the hashes is also the least disruptive password strength test we can run. Other methods (guessing) run the risk of causing account lockouts; attackers cause enough of these, we do not want to add to the problem!
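
A toy version of the audit described in the definition above and in this section, showing why it is both a realistic test and a non-disruptive one (nothing touches the live login service). This is an added example and not the tooling the IS Security Team used: the accounts, salts and word list are constructed, and salted SHA-256 stands in for whatever the directory actually stores so that it runs offline in a moment. A real audit runs an existing cracking tool, with full dictionaries and rule sets, against the real hash format.

```python
"""Toy offline hash audit (added example; accounts, salts, word list and the
hash function are all constructed stand-ins)."""
import hashlib
import itertools
import time

# Constructed mini word list; a real run uses multi-lingual dictionaries,
# leaked-password lists and every published "example" password.
WORDS = ["password", "summer", "london", "parrot", "blue", "police", "boodle"]
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
TIME_BUDGET_S = 24 * 60 * 60  # the definition above: one day on commodity hardware


def hash_pw(salt, pw):
    """Stand-in hash. Real directories use their own (ideally slow) formats."""
    return hashlib.sha256((salt + pw).encode("utf-8")).hexdigest()


def candidates():
    """Guesses in the order a cracking tool's rules would try them, cheapest
    first: bare words, case and suffix variants, keyboard walks, then
    two-word combinations. Every tier is far larger in a real run."""
    for w in WORDS:
        yield w
        yield w.capitalize()
    for w in WORDS:
        for suffix in ("1", "123", "2014", "!"):
            yield w + suffix
            yield w.capitalize() + suffix
    for row in KEYBOARD_ROWS:
        for n in range(4, len(row) + 1):
            yield row[:n]
    for a, b in itertools.permutations(WORDS, 2):
        yield a + b


def audit(accounts, budget_s=TIME_BUDGET_S):
    """accounts maps user -> (salt, hash). Returns the set of users whose hash
    was matched within the time budget, i.e. 'weak' by the definition above.
    Only the fact that the hash fell is recorded, never the password itself:
    the auditor does not need it and should not keep it."""
    start = time.monotonic()
    unsolved = dict(accounts)
    weak = set()
    for guess in candidates():
        if not unsolved or time.monotonic() - start > budget_s:
            break
        for user, (salt, digest) in list(unsolved.items()):
            if hash_pw(salt, guess) == digest:
                weak.add(user)
                del unsolved[user]
    return weak


# Constructed accounts. carol's password follows the three-to-four-words
# advice and lies outside this toy word list; the other two are the kind of
# password a single-word rule set finds in seconds.
ACCOUNTS = {
    "alice": ("7f3a", hash_pw("7f3a", "Summer2014")),
    "bob": ("c019", hash_pw("c019", "qwertyui")),
    "carol": ("e5d2", hash_pw("e5d2", "Quartz=Lantern=Moss=Violin")),
}

if __name__ == "__main__":
    for user in sorted(audit(ACCOUNTS)):
        print("weak password:", user)
```

The output is only a list of account names to notify; the cracked strings are discarded as soon as a match is confirmed. The time budget is what makes the definition testable: a password that the rule set does not reach within the budget is, for the purposes of the audit, not weak, even though a larger dictionary or faster hardware might reach it.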

What Were The Results?

Obviously the results may well be considered to be sensitive. If I get the authority to publish the results, they will be made available here. However I can say that the technical part of the password audit has completed, and there are a large number of accounts with weak passwords.

And The Email?

Performing a password audit is one thing, but what do you do with the results? The most obvious thing to do is to send an alert to everyone who has a weak password letting them know. To avoid overwhelming the support mechanism in place, it has been decided to send out the emails over a period of time, so if you do not receive an email message today it does not mean that your password is strong.

Why?

Why should you use a strong password? For members of staff, it should be enough that your employer asks you to; it falls under the “… any reasonable request” phrase (which most of us have in our contracts). But there are good reasons in addition to that :-

  1. Using a weak password increases the likelihood that an attacker can obtain your account details and use them to attack the university. Whilst this may not have a direct impact on you, it does provide a good reason for the university to tackle the problem of weak passwords. And in some cases, your account gives you access to privileged data, so the university is required to make sure you use a long and strong password.
  2. If your university account gets compromised, one of the most obvious things an attacker will use it for is to attempt to send large quantities of spam email. In the event this happens, your email address will suffer a permanent loss of credibility; some of your previous contacts will block all email from you. And there is nothing we can do about this.
  3. More subtly, an attacker could use your access to interfere with your academic work.
  4. Long and strong passwords are good practice, and once you are used to using them here, you will find it less inconvenient to use them elsewhere. And an attacker can do a lot more direct damage if they can access your bank accounts, social networking sites, etc.