Pedo mellon a minno, speak friend and enter

Mar 08, 2022

Introduction

On the door of Moria, the ancient dwelling of Durin, king of the dwarves, it was written: PEDO MELLON A MINNO. In the Westron language it read “Speak, friend, and enter.”

The mighty wizard struggled for almost a day to crack the password, until Frodo simply inferred it from the inscription itself, a sort of ancient, monolithic, elven post-it: MELLON (friend).

Quite a weak password, some would argue. However, it was written in a runic language that very few people knew, and it was probably not even intended to be a password, given the well-known hospitality of the dwarves in Middle Earth during the reign of Durin.

PCI-DSS Requirement 8.2.3

With that in mind, let’s consider PCI-DSS requirement 8.2.3:

Password Requirements

Passwords/phrases must meet the following:

  • Require a minimum length of at least seven characters
  • Contain both numeric and alphabetic characters
  • Alternatively, have complexity and strength equivalent to the above

At first glance, this might seem reasonable, but is it really enough?

Weakness of Minimal Compliance

It is not the same as writing your password on a doormat or sticking it on your monitor, but is seven characters with numbers and letters truly secure?

Minimally Compliant Passwords

Assuming no salting and focusing purely on brute-force attacks:

  • “aaaaaa1” technically satisfies the requirement
  • Variants like “aAaaaa1” or “AaAaA1a” also comply

But are they secure? Strictly speaking, yes, they are compliant. Practically speaking, no, they are extremely weak.

Brute-Force Reality

Based on password strength calculators:

  • “aaaaaa1” → cracked instantly
  • “aAaaaa1” → cracked instantly
  • “aa#aaa1” → ~3 minutes
  • “AaAaA#1” → ~1 hour
  • “AaAaA#1a” → ~3 days

A 7-character password with letters and numbers, at a speed of 10,000,000 guesses per second, would take 13 min to crack. If you increase the complexity with upper and lower case letters and symbols, it will take up to 87 days to crack.

PCI-DSS Requirement 8.2.4

Another relevant requirement is password rotation: passwords must be changed at least once every 90 days. However, if a password can be cracked in 13 minutes, then logically shouldn’t it be changed every 10 minutes instead?

Practical Security Improvements

To make passwords meaningfully secure while staying compliant, additional rules should be enforced:

  • Minimum 8 characters (or more)
  • Use of upper and lower case letters
  • Inclusion of symbols

With these in place, the cracking time can reach 23 years; even if an attacker had that much time, the 90-day password rotation would invalidate their effort.
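The cracking-time and rotation arguments above (the 10,000,000 guesses per second figure, the 90-day rotation period and the literal 8.2.3 test) can be reproduced with a short calculator. This is an added example, not code from the original post; it assumes an exhaustive search over the character classes present in the password and a 32-symbol set (Python's `string.punctuation`), so its absolute figures differ from online calculators that assume other alphabets or guess rates.

```python
import string

# Character classes used to size the attacker's alphabet (assumption:
# string.punctuation, 32 symbols; other calculators use other symbol sets).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}
GUESSES_PER_SECOND = 10_000_000  # attacker speed assumed in the post
ROTATION_DAYS = 90               # PCI-DSS 8.2.4 rotation period


def pci_8_2_3_compliant(pw: str) -> bool:
    """Literal reading of 8.2.3: at least seven characters, with both letters and digits."""
    return len(pw) >= 7 and any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)


def keyspace(pw: str) -> int:
    """Alphabet size an exhaustive search must cover, given the classes present in pw."""
    present = set(pw)
    return sum(len(chars) for chars in CLASSES.values() if chars & present)


def worst_case_seconds(pw: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Time to enumerate the whole keyspace (worst case; on average an attacker needs half)."""
    return keyspace(pw) ** len(pw) / rate


def outlasts_rotation(pw: str, rotation_days: int = ROTATION_DAYS) -> bool:
    """True if exhausting the keyspace takes longer than the rotation period, i.e. the
    password would be retired before a brute-force search is guaranteed to finish."""
    return worst_case_seconds(pw) > rotation_days * 86_400


def human(seconds: float) -> str:
    """Render seconds roughly the way a strength calculator does."""
    for unit, size in (("years", 365 * 86_400), ("days", 86_400), ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    for pw in ("aaaaaa1", "aa#aaa1", "AaAaA#1", "AaAaA#1a", "Iwatchedthelordoftherings30times"):
        print(f"{pw:34} compliant={pci_8_2_3_compliant(pw)!s:5} keyspace={keyspace(pw):3} "
              f"worst case={human(worst_case_seconds(pw)):>28} "
              f"outlasts 90-day rotation={outlasts_rotation(pw)}")
```

Under these assumptions the seven-character upper/lower/digit/symbol password is still exhausted inside the 90-day window, while adding the eighth character pushes the search past it, which is the point the post makes about length.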

Password Reuse (Requirement 8.2.5)

Another important control is that users must not reuse the last four passwords. This helps prevent cyclical weak-password reuse in the future.

Real-World Observations

As a QSA, when reviewing Active Directory GPO settings and Linux PAM configurations, I recommend going beyond requirement 8.2.3.

Why does the requirement not explicitly mandate symbols like:

, ; . : - _ ' * ¨ ^ + ? \ ! ” # ¤ % & / ( ) = } ] [ { \ @ £ $ §

This omission highlights a gap between compliance and real security.

The Case for Passphrases

A much stronger and more user-friendly approach is the use of passphrases. For example, ”Iwatchedthelordoftherings30times”:

  • Extremely long
  • Easy to remember
  • Highly resistant to brute-force attacks

Estimated cracking time will be 18 duodecillion years. Even if the number changes, the strength remains similar. Do not use example passphrases like ”Iwatchedthelordoftherings30times” and ”Iwatchedstarwars100times”; such examples often end up in password dictionaries and rainbow tables.

Multi-Factor Authentication

The most effective protection is multi-factor authentication (MFA), which combines something you know (a password) with something you have or something you are.