Thursday, 23 September 2010

Str0ng P@22w!rd?


On Sunday, September 5, the New York Times printed an article about password strength. I have mixed feelings about it. On the one hand, publication in a widely circulated periodical brings application security issues to a general audience. On the other, the analysis in the Times piece lacks the depth of a security publication, and security professionals are obliged to supply that depth. Consider the two theses of the Times piece, their destructive implications, and how we can guide the conversation to the benefit of users.

1. Complicated password policies are counter-productive. No one likes to create a new password of eight to twelve characters using a combination of uppercase and lowercase letters, numbers and non-alphanumerics. It is harder still to create a new one every ninety days and to remember it. Multiply this onerous task by three or five or ten such accounts and one begins to sympathize with Donald Norman and the Microsoft security researchers quoted in the article.

By pointing to the Amazon, PayPal and Fidelity websites, the Times implies that if a simple password policy is good enough for these companies, it ought to be good enough for everyone. But this obscures the fact that those companies' simple password policies are just one element of a multi-layered information security infrastructure. If your information security policy is no more than your password policy, your system is in danger. Effective security policy is multi-layered; no single factor will adequately harden the target.

A strong password policy contributes its share of that hardness. A non-dictionary password of eight or more characters, drawn from several character classes, is what defends against an off-line guessing attack: the case where the attacker has obtained the stored password hashes and can test candidates at the full speed of his own hardware rather than at the rate a login form permits. Whether that defence holds for days or for centuries depends on how the password was stored; an unsalted fast hash lets the attacker try billions of candidates a second, a salted and deliberately slow hash only thousands. Bruce Schneier wrote on this in 2007; his technical analysis remains sound.

Most of us do not set security policy in the organization; we merely abide by it. In 2009, Slate Magazine offered salient password creation guidance: build your password out of a memorable pass-phrase. You might know that I'm a rabid Abba fan, but that won't help you or your password-cracking software deduce Dqy&so17 from the lyric it is built on:
Dancing queen, young and sweet, only seventeen...
(Now that it is in print, of course, that particular password belongs in every cracker's word list; the method is the point, not the example.)
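To make the policy from point 1 and the off-line guessing attack it is meant to resist concrete, here is an added example in Python (not code from the original post): a checker for the policy the post describes (eight to twelve characters, all four character classes, and no dictionary word even after the usual letter-for-symbol substitutions are undone), plus a cost estimate for an attacker who holds the stored hashes. The word list, the substitution map and the two guessing rates (one for an unsalted fast hash, one for a deliberately slow one) are assumptions chosen for illustration, not measurements.

```python
import string

# Constructed stand-in for a cracking dictionary. Real lists run to
# hundreds of thousands of entries; a handful is enough for the example.
DICTIONARY = {"password", "dancing", "queen", "abba", "letmein", "welcome",
              "monkey", "dragon", "seventeen"}

# Assumed "leet" substitutions that an attacker's mangling rules undo.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                      "3": "e", "5": "s", "$": "s", "7": "t"})

# Alphabet size each policy class contributes to a brute-force search.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10,
               "symbol": len(string.punctuation)}  # 32 printable symbols

# Assumed attacker speeds: roughly a billion guesses a second against an
# unsalted fast hash on GPU hardware, tens of thousands against a salted,
# deliberately slow hash such as bcrypt. Both are illustrative figures.
FAST_HASH = 1e9
SLOW_HASH = 1e4


def normalize(pw):
    """Lower-case and undo leet substitutions, as a cracker's rules would."""
    return pw.lower().translate(LEET)


def character_classes(pw):
    """Which of the four policy classes the password actually draws on."""
    return {
        "lower": any(c in string.ascii_lowercase for c in pw),
        "upper": any(c in string.ascii_uppercase for c in pw),
        "digit": any(c in string.digits for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }


def meets_policy(pw, min_len=8, max_len=12):
    """The policy the post describes: 8 to 12 characters, all four classes,
    and not a dictionary word once leet substitutions are undone."""
    if not min_len <= len(pw) <= max_len:
        return False
    if not all(character_classes(pw).values()):
        return False
    if normalize(pw) in DICTIONARY:
        return False
    return True


def search_space(pw):
    """Candidates a brute-force attacker who knows only the length and the
    character classes in use must be prepared to try."""
    present = character_classes(pw)
    alphabet = sum(size for name, size in CLASS_SIZES.items() if present[name])
    return alphabet ** len(pw)


def seconds_to_exhaust(pw, guesses_per_second):
    """Worst-case time for an exhaustive off-line search at the given rate."""
    return search_space(pw) / guesses_per_second


def dictionary_guesses(words=200_000, mangling_rules=1_000):
    """Size of a dictionary attack: every word under every mangling rule.
    The list and rule-set sizes are assumed, typical-order-of-magnitude values."""
    return words * mangling_rules


if __name__ == "__main__":
    # "P@55w0rd" satisfies all four classes yet normalizes to a dictionary word;
    # "Dqy&so17" (the post's lyric-derived example) passes.
    for pw in ("P@55w0rd", "Dqy&so17"):
        print(f"{pw}: classes ok={all(character_classes(pw).values())}, "
              f"normalized={normalize(pw)!r}, meets policy={meets_policy(pw)}")
    print(f"dictionary attack at fast hash: {dictionary_guesses() / FAST_HASH:.1f} s")
    for label, rate in (("fast", FAST_HASH), ("slow", SLOW_HASH)):
        days = seconds_to_exhaust("Dqy&so17", rate) / 86400
        print(f"Dqy&so17 exhaustive search, {label} hash: {days:,.0f} days")
```

The two numbers the script prints for Dqy&so17 are the practitioner's caveat in miniature: the same eight-character password survives an exhaustive search for about ten weeks against an unsalted fast hash and for thousands of years against a slow one. The password policy sets the size of the search space; the storage format sets how fast it can be searched.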

2. Complicated password policies do not provide security. The second thesis of the NYT piece avers that password policies provide a false sense of security: false because a password will not protect against some more serious threats. To evaluate this claim, one must consider the threat the Times highlights, a key-logger. Key-logging software on your machine will take your password, your bank account number, your mother's maiden name, and your best friend's e-mail address. Perhaps anti-virus software can detect this malicious program, though I've not found a security expert willing to risk her social security number on an anti-virus suite.

I acknowledge that this is a damning, damaging attack; as such it makes for good copy. A strong password will not stop a key-logger, but neither will a dictionary password, so the key-logger says nothing about which of the two to choose. Nor do multi-factor authentication, identity-based cryptography, and military-grade command and control fare much better against it: a key-logger on the endpoint captures whatever is typed for a second factor too (a one-time code from a hardware token confines the loss to that session rather than the whole account, a real improvement but not an immunity), and no cryptographic scheme survives a machine that is running the attacker's code. A key-logger is an infallible scribe recording each tap and click. Invoking this omniscient, omnipresent demon obscures the discussion of passwords entirely. Security policy should prevent a key-logger from landing in the first place; the most conservative approach restricts what software users may install and run. But this circles back to Don Norman's criticism that a security policy which hampers usability past a certain point is simply ignored by its users.

The NYT makes a valid statement in its title, "A Strong Password Isn't the Strongest Security". A strong password is a necessary element of strong security, not a sufficient one. What are some additional elements?
Posted by ssundar at 2:42 PM in Research

 


Comment: Calandale at Wed, 29 Sep 9:00 AM

I think the point that the Times is making is that people are LAZY. Even if the strong security measures are in a company's policy, the workers are still going to find ways of getting around them.

Instead, though, people will tend to use easy-to-remember passwords across as many sites as they can. Moreover, they'll write down (or worse, store in their browser) these same passwords.

I think the time has come to work towards a better solution. Evangelizing strong passwords has been going on for over 30 years, and human behavior still hasn't changed (big shock). Let's work on authentication mechanisms that don't FIGHT against the responsible person's best interests.
