Today I did an interesting experiment that I thought was worth sharing with others. I tried to come up with a ten item list of password/access management policies based on increasing levels of security. On my list, a "10" effectively means the most secure access management and password polices whereas as "0" effectively means nothing. Here is my list:
- Open Authentication: Exactly like it sounds. No username or password required. If you can access the application, then you can get in.
- Non-Limited Credentialed Authentication: The use of a username or some form of non-open authentication, but perhaps a globally shared account or extremely weak password like "password". (ex: "password")
- Weak Credentialed Authentication: The use of a unique username plus a basic password policy simply limiting the number of characters, but not the content. (ex: "google")
- Complex Credentialed Authentication: The use of a unique username plus a basic password policy not only limiting the number or characters, but also requiring some level of complexity. This can be easily defeated using Supercharged Password Cracking Techniques. (ex: "G@@gl3")
- Complex Non-Random Credentialed Authentication: The use of a unique username plus a password policy limiting the number of characters, requiring complexity, and checking against permutations of dictionary and commonly used passphrases, but supporting combinations of multiple dictionary words. (ex: "i@teAHors3")
- Complex Random Lengthy Credentialed Authentication: The use of a unique username plus a password policy where passwords are truly randomly generated and are of a sufficient length to effectively be unbreakable. Something in the neighborhood of 20+ characters is pretty decent. This is the point where passwords become so complicated that the average user cannot remember them on their own and are forced to record them somewhere. (ex: "Hh#8qcFhe9H$#324dnakfB3q4fUY@*")
- Non-Complex Two-Factor Authentication: The use of a unique username plus what is commonly referred to as "two factor" authentication. The use of "something you know", like a basic 6-digit PIN that is easy for you to remember, alongside "something you have" that is a unique and randomly seeded value. The key here is that the "something you have" part is something that changes on a very frequent basis such as every 60 seconds. (ex: "147246965201")
- Complex Two-Factor Authentication: The use of a unique username plus the two factor authentication where the "something you know" is a password that is more complex than a simple numeric and the "something you have" is unique, randomly seeded, and changing frequently like above. Perhaps the "something you have" is even something more than a simple numeric here as well. (ex: "H8n@m78an1vA")
- Non-Complex Three-Factor Authentication: The use of a unique username, the "two factor" authentication piece in number seven above, plus a third "something you are" component. This is a unique biometric value such as a palm scan, fingerprint scan, or retinal scan.
- Complex Three-Factor Authentication: The use of a unique username, the "two factor" authentication piece in number eight above, plus a third "something you are" unique biometric value.
I will admit that this list is dumbed down quite a bit as there are other factors that most certainly can weigh in here as well. For example, having a maximum password age of one day instead of ninety days can significantly change the amount of time that an attacker has to brute force an account. Other influencing factors could be the remembered password history and our account lockout policy. For the most part, though, these can be a component of any of the above policies.
Worth noting here is that as security increases, the user experience is likely decreasing due to increased complexity. The exception here may be as we move from number six to number seven on my list. The move to two-factor authentication should add enough constant change to our formula to allow us to have a more simple password while still making it more difficult to brute force the account. There is a trade-off of having to always carry a token retrieval device with you and having to handle the situation where a user is unable to access their token, but otherwise, this becomes the real sweet spot where usability meets security.
What do you think? Is my list fairly accurate or am I way off base here? Am I missing something important? Please feel free to comment and provide your own list and/or feedback for mine.