
Communications of the ACM

BLOG@CACM

Password Policies Are Getting Out of Control


Carnegie Mellon Associate Professor Jason Hong

Something I learned a long time ago is that one person's inefficiency is someone else's bottom line. This simple observation explains a lot of the big problems we're facing worldwide. Rather than getting into a discussion of those thorny political topics, however, I want to use this observation as a starting point for discussing something that plagues us all: password policies.

 
In fact, I think I have found the most difficult password policy in existence today. It was a US government web site, of course. Here are the rules the site enforced:

  • Minimum 8 characters
  • Must contain at least 1 capital letter
  • Must contain at least 1 lower case letter
  • Must contain at least 1 number
  • Must contain at least 1 special character
  • Cannot contain consecutive characters (abc or cba)
  • Cannot contain repeating characters (aa, bb, etc.)
  • Cannot contain the same character more than twice
  • Entered password must be different from last 10 passwords used
  • Cannot be changed within 24 hours

It actually took me about a dozen tries to create a password that satisfied all of the criteria and was still something I had a chance of remembering. Here are examples of passwords that failed:

  • My_P@$$w0rd   (failed because of repeating characters)
  • !USg0v8   (failed because too short)
  • $tuPidP@55   (failed because of repeating characters)
  • 77pasS@77   (failed because the same character appears more than twice)

I even tried a few randomly generated passwords, which are about as strong as a password of that length can be, and they too failed some of the required criteria.
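Added example (mine, not code from the post or from the government site it describes): a checker that implements the ten rules quoted above, reports every rule a candidate breaks, and then measures how often the policy rejects uniformly random 12-character passwords. Two readings of the rules are assumptions: a "special character" is any ASCII punctuation character, and "consecutive characters" means three characters adjacent in code-point order in either direction (abc, 321). The last-ten-passwords and 24-hour checks use a plain SHA-256 digest and epoch timestamps only to keep the example self-contained; a real deployment would compare against salted, slow password hashes.

```python
"""Checker for the ten password rules quoted in the post.

Added example; not code from the post or from the site it describes.
Assumptions: a "special character" is any ASCII punctuation character,
and "consecutive characters" means three characters adjacent in
code-point order, ascending (abc, 123) or descending (cba, 321).
"""
import hashlib
import random
import string
import time

SPECIALS = set(string.punctuation)
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
SECONDS_PER_DAY = 24 * 60 * 60


def history_digest(password):
    """Digest kept for the last-ten-passwords rule.

    Plain SHA-256 keeps the example self-contained; a real deployment
    would store salted, slow hashes (bcrypt, scrypt, Argon2) instead.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def violations(password, previous_digests=(), last_changed=None, now=None):
    """Return the names of every rule the candidate password breaks.

    previous_digests: history_digest() values of earlier passwords,
    newest last; only the last ten are consulted.
    last_changed / now: epoch seconds, used for the 24-hour lockout.
    """
    found = []
    if len(password) < 8:
        found.append("too_short")
    if not any(c.isupper() for c in password):
        found.append("no_uppercase")
    if not any(c.islower() for c in password):
        found.append("no_lowercase")
    if not any(c.isdigit() for c in password):
        found.append("no_digit")
    if not any(c in SPECIALS for c in password):
        found.append("no_special")
    codes = [ord(c) for c in password]
    # Any run of three code points with a constant step of +1 or -1.
    if any(b - a == c - b and abs(b - a) == 1
           for a, b, c in zip(codes, codes[1:], codes[2:])):
        found.append("consecutive_characters")
    if any(a == b for a, b in zip(password, password[1:])):
        found.append("repeating_characters")
    if any(password.count(c) > 2 for c in set(password)):
        found.append("character_used_more_than_twice")
    if history_digest(password) in list(previous_digests)[-10:]:
        found.append("matches_recent_password")
    if last_changed is not None:
        now = time.time() if now is None else now
        if now - last_changed < SECONDS_PER_DAY:
            found.append("changed_within_24_hours")
    return found


def random_password(rng, length=12):
    """Uniformly random password over the 94 printable non-space ASCII characters."""
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def rejection_rate(n=2000, length=12, seed=2024):
    """Fraction of uniformly random passwords the policy rejects.

    At length 12 each such password carries about 12 * log2(94), i.e.
    close to 79 bits of entropy, yet a large share fail the composition
    rules, most often for not containing a digit.
    """
    rng = random.Random(seed)
    rejected = sum(1 for _ in range(n) if violations(random_password(rng, length)))
    return rejected / n


if __name__ == "__main__":
    for pw in ("My_P@$$w0rd", "!USg0v8", "$tuPidP@55", "77pasS@77"):
        print(f"{pw:<12} {', '.join(violations(pw)) or 'accepted'}")
    print(f"random 12-char passwords rejected: {rejection_rate():.0%}")
```

Run as a script, the four passwords from the list fail for the reasons given (77pasS@77 also trips the repeating-characters rule, since 77 is a pair), and roughly four in ten uniformly random 12-character passwords are rejected, most of them for lacking a digit. That is the paradox such rules create: they filter on surface features that any guessing tool can model, while turning away passwords no guessing tool would reach.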
 
Of course, this password expires after 60 days (on a site that I only need to use every 90 days, no less). And when it did expire, it took me an extra 15 minutes to figure out who to call to reset the password, plus 13 minutes on hold, before my password was finally reset.
 
It makes one wonder how much real security such measures actually offer, especially given the cost of staffing a help desk and the time end-users waste getting their passwords reset.
 
Why do web sites have such stringent password policies? 
 
It all comes back to the opening statement: your inefficiency is someone else's bottom line. In a lot of organizations, there is an individual whose role is to keep computing systems secure. They are the people who get yelled at when things go wrong and whose job is on the line. In extreme cases, it becomes fully rational for them to keep tightening security, no matter what it costs end-users and regardless of whether the measures are effective in practice. (Replace the words "computing systems" with "air travel" and we have a decent explanation for the challenges that the TSA faces.)
 
In fact, a 2010 paper by Dinei Florencio and Cormac Herley of Microsoft Research, "Where Do Security Policies Come From?" (SOUPS 2010), analyzed the password policies of 75 different web sites. They found that, almost counterintuitively, "[s]ome of the largest, highest value and most attacked sites on the Internet such as Paypal, Amazon and Fidelity Investments allow relatively weak passwords," primarily because these web sites earn revenue by having people log in.
 
In contrast, it was government and university sites that tended to have stricter (and less usable) policies. They explained these results by arguing that "[t]he reason lies not in greater security requirements, but in greater insulation from the consequences of poor usability. Most organizations have security professionals who demand stronger policies, but only some have usability imperatives strong enough to push back. When the voices that advocate for usability are absent or weak, security measures become needlessly restrictive."
 
Unfortunately, there aren't a lot of ways forward here. Passwords are cheap and pervasive, and aren't going away anytime soon. Forcing all members of Congress and all generals to personally experience the joy of using these web sites themselves also isn't realistic, even if highly desirable.
 
In the long term, we need more ways of getting the incentives of all stakeholders better aligned. Putting help desk costs and information security costs under the same budget and the same person is a good start, as it would force people to think more about the relative costs and benefits of a security policy. Having customer satisfaction be part of the performance metrics for information security staff would also help.
 
In the meantime, until usability thinking and holistic thinking become more pervasive in computer security, the rest of us will just have to keep suffering the pains of stricter password policies.
 

Comments


Anonymous

The sad thing is that adding a bunch of random characters to a password still won't make it more effective/memorable than a sentence. "Il()\/2rE4D80|". All a password structured like the first guarantees is a sticky note on the side of the computer monitor.


Anonymous

I like the irony of reading through this post and seeing this captcha at the bottom. Not just type in the words, but then you have to copy-paste a string into a box! :D


Anonymous

I wish more sites would allow *longer* passwords. I like to use a passphrase. I find them easier to remember and the length makes them difficult to brute-force.

Example: "This is my password and I will not forget it."

It has capital letters, punctuation, and a pretty hefty length, but it's easy to remember and easy to type, even on most modern phones.


Anonymous

see also http://xkcd.com/936/


Anonymous

I agree (to an extent); however, your argument seems completely biased towards the increasing security of a suitable password for use. Don't forget to look at why the security needs to be increased rather than the advantageous points of condoning weak passwords, i.e. your statement about the Microsoft investigation. I'm not going to go on about the reasons as I'm sure you most likely know them. In contrast, I would suggest that the most general solution would be to establish the correct policy in the correct situation. A common phrase I came across suits this well: one size doesn't fit all. I noticed you never put your opinion across as to what your suggested solution to this problem would be. Care to expand on this?


Anonymous

Fun thing is that those passwords ain't even that secure to begin with.


Anonymous

Hi,

I don't know if you can read Spanish or not, but I blogged about the exact same thing a while back. My bank is as stupid as it can be.

- You can't use the keyboard for numbers, you need to use a java applet
- You can't use the applet for letters, only the keyboard
- The java applet rearranges the numbers randomly each time
- Expires in two minutes, so if you are looking for where you wrote down the password (or emailed it to yourself as you need to change it every 60 days) then you may need to start all over again
- THREE screens to log in
- Vowels are not allowed
- And then on the third screen you need to use the RSA number generator

In my blog I pretty much say that the reason people get their passwords stolen is that they have to write down their password, and that paper can get lost or misplaced.

Easier passwords can be remembered from memory and, when used with the RSA thingy, would be much safer.

Say what?...

http://www.xaviermorera.com/2010/06/por-que-se-dan-estafas-con-el-sitio-electronico-del-banco-nacional/


Anonymous

Thanks for broaching this subject. (The TSA analogy was a nice aside as well.) What gets me is that I have to maintain a secret file someplace to remember all these passwords because each site has its own crazy idea of what is a safe pw. It also burns me when you get sites that *don't* allow special chars in pw--why not?


Anonymous

One of the great ironies of stringent password policies is that they aren't actually more secure against an automated attack. My_P@$$w0rd is just as easy for a computer program to figure out as any other password of the same length, assuming they are including character iteration in their attack and not just dictionary-based attacks.


Anonymous

Aloaha Smartlogin with USB Sticks is now free for private use: http://blog.aloaha.com/2011/08/25/aloaha-smartlogin-with-plain-usb-memory-stick-now-freeware-for-private-use/

