Is Password Security Broken? Yes… But Whose Fault Is It?

Being a database administrator for a number of years, I dealt with many password issues on a daily basis. Not only passwords from an administrative standpoint, but also dealing with user password issues into the various systems I supported. Over the years, I have often asked my fellow employees (as well as family and friends) what they think of when they’re making up a new password. The general response I receive is an exasperated groan and a 15 minute tirade about how it’s “such a pain to keep track of all of those passwords” and “it’s okay to use the same password for everything because it would be really hard to guess.”

Passwords are our first line of defense to protect our private information, our social profiles, and in some cases our identities. So why do I get fired up when I find out someone has written their password on a Post-it® note under their keyboard? Why do I think that no password is secure enough? Because there are a variety of things that can break down the security of password protection such as weakness, carelessness, phishing, reuse, laziness, ignorance… I could go on but you get the idea. These issues not only plague users, but also the system owners (vendors) who are using passwords for authentication. These issues are just the beginning of the problem. Before I suggest how to fix password security and placing blame as to why it broke in the first place, let’s investigate a little more.

The Users…

To the average user, password security is an inconvenience. As we all know, when something is not fun to do, most people just don’t do it; or in the case of password security, they keep it to a minimum. Password reuse is, in my mind, one of the biggest issues of all time. As soon as one password is guessed, the attacked gains access to any number of systems with little or no additional effort. One study has found that password reuse can be as high as 50% among average users.[i] Password reuse is identified by using an identical or similar (same words different case or by changing a trailing digit) password for various systems.ⁱ

Additionally, most users may feel that their password is secure enough and very strict password policies are unnecessary.[ii] Despite a variety of websites that list various policies, most users see them as unnecessary. For instance, Microsoft lists some of the following best practices for users:[iii]

• Use strong (i.e. complex) passwords. (Weakness)
• If passwords must be written down, store them in a safe place. (Carelessness)
• Never share passwords or type them in strange places. (Phishing)
• Use a different password for every account. (Reuse)
• Change passwords as soon as you suspect an attack. (Ignorance)
• Having your computer “remember” your password is a security threat. (Laziness)

Even though these six tips are present to all users online (and in Windows help pages), how many of us follow ALL of them? If so, kudos to you… but is that even enough? Shouldn’t the vendors protect the users by making it easier and more secure at the same time?

The Vendors…

It is common knowledge that most systems and websites rely on password protection to authenticate users. In fact, there are so many different systems that each seems to have its own set of rules (and flaws). For example, Verizon’s password policy on their website states:

8-20 characters. At least 1 number and 1 letter. No spaces or special characters (*, #, &, etc.).[iv]

On the other hand, Comcast’s password policy states:

8-16 characters. At least one upper case letter, at least one lower case letter, and at least one number or special character (! @ # $ % ^ & *) are required. No spaces. Case-sensitive.[v]

So already, two common user accounts have different password policies. But why are the policies different? Are Comcast’s web developers smarter than Verizon’s and figured out how to pass special character to the database without error? Is Verizon’s system case sensitive even though it is not mentioned? Now take into account the myriad of account that any given user has. These minor differences quickly add to user frustration. Even by adding a capital letter and an “!” to the end of the password (Reuse), the user begins to have difficulty remembering which password has the special character, which one is case sensitive, and is tempted to begin keeping a password list (Carelessness).

Vendors have the ability to help users make good decisions when it comes to password security. While not all issues can be addressed, it’s a good start. For instance, Microsoft lists some of the following best practices for vendors:ⁱⁱⁱ

• Enforce password history policy. Don’t let users keep the same passwords. (Reuse)
• Define the maximum password age policy setting so that passwords expire. (Laziness)
• Define a minimum password length and complexity policy. (Weakness)

Vendors may think that good password practices are primarily the users’ responsibility. However, there are additional risks with password security behind the scenes. Vendors are also susceptible to attacks. What if I (as a vendor) didn’t follow the rules and my phished Gmail password was reused for my database account with DBA privileges. Someone with the skills could steal a lot of money from a lot of unsuspecting users. While details are still scarce, LinkedIn recently suffered a breach in their security and a number of user passwords were stolen.[vi] Even if all of the users followed password best practices, the attackers now have unlimited time to try to compare hashes of common passwords to gain access an account. Clearly, password security is everyone’s responsibility.

What Can We Do About It?

There are a variety of things that can be done. First of which should be the education of both users and vendors alike. Not just to preach password policies (that’s what got us in to this mess in the first place), but to get everyone on the same page. Rules need to be agreed upon that allow for an acceptable level of password complexity for everyone. For instance, if all vendors allowed for spaces and higher character limit in their passwords then easy to remember but difficult to guess passwords could be used. For instance: correct horse battery staple.[vii] I would even argue that a passphrase with numbers and punctuation would be even better: The 19 purple sock monkeys 8 my TV! Take into account the mixed case letters, spaces, numbers, punctuation, and general absurdity of the sentence and we have a winner. These types of passwords and pass phrases are not outside of the realm of vendors to implement, they’ve just been trained to think just like the users.

Additionally, tokens for two-step verification have been around for quite some time. With advances in technology there should be little keeping anyone from implementing a two-step verification process. Unfortunately, some RSA key fobs still cost anywhere from $50 to $120 each on Amazon.com. That price is still a little much to give one to every person in the world; especially if a different one was required for each vendor. Now consider that over 35% of Americans carry smartphones in their pockets?[viii] If Google Authenticator works for all things Google, why can’t it (or something similar) work for a wider range of products? No additional cost aside from some minor royalties paid to the service provider. The technology is there, we just have to use it.

Let’s take it to the next level: reliable biometrics can’t be that far away. Even taking into account factors that make biometrics difficult on a day to day basis such as pattern variance, subject age, time frame, and even relative humidity they are still just about ready for main stream use.[ix] To bring existing technology into the mix, cell phones and laptops have successfully integrated fingerprint scanners into their construction. Even the sometimes gimmicky facial recognition techniques used on Android cell phones is improving.[x] Surely someone is ready to make a bit of money off of these capabilities by making them more ubiquitous?

Finally, there needs to be a voice for the users and vendors alike. They need to understand one another’s needs as well as difficulties. Perhaps the founding of an alliance is in order get these goals accomplished. Only time will tell (be sure to look for my email rallying you to my cause).

Whose Fault Is It… Really?

In conclusion I’ll ask again: Whose fault is it? It’s mine, yours, the vendors, and everyone else. I know that I have not been the best practitioner of password security – professionally or personally. Every time I see an article where a company loses thousands of user account to a hacker, I wonder how many people know their hashed passwords may have been taken. How many actually change it as soon as possible? Unfortunately, it sometimes takes a credible threat to get users and vendors to take password security seriously. However, it may already be too late to prevent the damage.

For a global society with so many computers, smartphones, and social networking accounts (over 1 billion and counting[xi]), we do not take security seriously enough. No, it’s not easy. It’s not meant to be. Don’t be at fault for being a victim. Know your responsibilities and understand what the vendors can (and cannot) do for you. Learn the rules of password safety but most of all, ask the vendors for help. A well-formed passphrase could save the day. Together, the users and vendors can make information security just a little better.

---

[i] http://www.infoworld.com/t/data-security/study-finds-high-rate-password-reuse-among-users-188

[ii] http://www.infoworld.com/d/security-central/test-strength-your-password-policy-437

[iii] http://technet.microsoft.com/en-us/library/cc784090(v=WS.10).aspx

[iv] https://ebillpay.verizonwireless.com/vzw/accountholder/profile/getProfilePasswordAction.action

[v] https://customer.comcast.com/Secure/Users.aspx

[vi] http://www.informationweek.com/news/security/attacks/240002698

[vii] http://xkcd.com/936/

[viii] http://ansonalex.com/infographics/smartphone-usage-statistics-2012-infographic/

[ix] http://www.securityinfowatch.com/blog/10474734/biometrics-ready-for-mainstream

[x] http://www.droid-life.com/2012/06/29/google-adds-liveness-check-option-to-face-unlock-in-jelly-bean-requires-blinking/

[xi] http://techcrunch.com/2012/05/14/itu-there-are-now-over-1-billion-users-of-social-media-worldwide-most-on-mobile/