Communications of the ACM

BLOG@CACM

Password Policies Are Getting Out of Control


Carnegie Mellon Associate Professor Jason Hong

Something I learned a long time ago is that one person's inefficiency is someone else's bottom line. This simple observation explains a lot of the big problems we're facing worldwide. Rather than getting into a discussion of those thorny political topics, however, I want to use this observation as a starting point for discussing something that plagues us all: password policies.

 
In fact, I think I have found the most difficult password policy in existence today. It was a US government web site, of course. Here were the password policies the site had in place:
 
  • Password Rules: Minimum 8 characters
  • Must contain at least 1 capital letter
  • Must contain at least 1 lower case letter
  • Must contain at least 1 number
  • Must contain at least 1 special character
  • Cannot contain consecutive characters (abc or cba)
  • Cannot contain repeating characters (aa, bb, etc)
  • Cannot contain the same character more than twice
  • Entered password must be different from last 10 passwords used
  • Cannot be changed within 24 hours
It actually took me about a dozen tries to create a password that met all of the criteria and was also something I had a chance of remembering. Here are examples of passwords that failed:
  • My_P@$$w0rd   (failed because of repeating characters)
  • !USg0v8   (failed because too short)
  • $tuPidP@55   (failed because repeating characters)
  • 77pasS@77   (failed because same character more than twice)
I even tried a few randomly generated passwords, guaranteed to be strong passwords, which also failed some of the required criteria.
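As an added illustration (not code from the original post), here is a checker that transcribes the character rules of the policy above and reports every rule a candidate trips. Two points the policy leaves ambiguous are assumptions here: "consecutive characters" is read as three adjacent characters whose code points step up or down by exactly one (abc, cba), and the "more than twice" count is case-sensitive; the password-history and 24-hour rules need server-side state and are not modelled.

```python
import re

# Rules transcribed from the quoted policy; "consecutive" and the case-sensitive
# count are assumptions (the policy text does not define them precisely).
RULES = [
    ("too short",            lambda pw: len(pw) < 8),
    ("no capital letter",    lambda pw: not re.search(r"[A-Z]", pw)),
    ("no lower case letter", lambda pw: not re.search(r"[a-z]", pw)),
    ("no number",            lambda pw: not re.search(r"[0-9]", pw)),
    ("no special character", lambda pw: not re.search(r"[^A-Za-z0-9]", pw)),
]


def has_consecutive_run(pw: str) -> bool:
    """True if three adjacent characters ascend or descend by one code point (abc, cba)."""
    for a, b, c in zip(pw, pw[1:], pw[2:]):
        step = ord(b) - ord(a)
        if abs(step) == 1 and ord(c) - ord(b) == step:
            return True
    return False


def check_policy(pw: str) -> list[str]:
    """Return the list of rules the candidate violates; an empty list means accepted."""
    violations = [name for name, broken in RULES if broken(pw)]
    if has_consecutive_run(pw):
        violations.append("consecutive characters")
    # "Repeating characters": the same character twice in a row (aa, bb, ...).
    if any(a == b for a, b in zip(pw, pw[1:])):
        violations.append("repeating characters")
    # "Same character more than twice": counted anywhere in the string, not just adjacent.
    if any(pw.count(ch) > 2 for ch in set(pw)):
        violations.append("same character more than twice")
    return violations


def check_many(candidates: list[str]) -> dict[str, list[str]]:
    """Map each candidate to its violations, so a whole batch can be reviewed at once."""
    return {pw: check_policy(pw) for pw in candidates}


if __name__ == "__main__":
    # The four rejected passwords from the post, plus one constructed candidate that passes.
    for pw, why in check_many(["My_P@$$w0rd", "!USg0v8", "$tuPidP@55", "77pasS@77", "Wint3r!Fox"]).items():
        print(f"{pw:14} -> {why or 'accepted'}")
```

Run over the author's four rejected passwords it reports the same reasons given above; the last one additionally trips the "repeating characters" rule, since the policy's rules overlap.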
 
Of course, this password expires after 60 days (on a site that I only need to use every 90 days, no less). And when it did expire, it only took me an extra 15 minutes to figure out who to call to reset the password, plus a 13 minute hold, before my password was finally reset. 
 
Makes one wonder how much real security is actually being offered with such measures, especially given the costs of staffing a help desk and the wasted time to end-users of having to get their passwords reset.
 
Why do web sites have such stringent password policies? 
 
It all comes back to the opening statement: your inefficiency is someone else's bottom line. In a lot of organizations, there is an individual whose role is to keep computing systems secure. They are the people who get yelled at when things go wrong and whose job is on the line. In extreme cases, it becomes fully rational behavior to keep increasing security, no matter what the cost is for end-users, regardless of whether it is effective or not in practice. (Replace the words "computing systems" with "air travel" and we have a decent explanation for the challenges that TSA faces.)
 
In fact, a 2010 paper by Dinei Florencio and Cormac Herley, two researchers at Microsoft Research, presented an analysis of the password policies of 75 different web sites. They found that, almost counterintuitively, "[s]ome of the largest, highest value and most attacked sites on the Internet such as Paypal, Amazon and Fidelity Investments allow relatively weak passwords," primarily because these web sites earn revenue by having people log in.
 
In contrast, it was government and university sites that tended to have stricter (and less usable) policies. They explained these results by arguing that "[t]he reason lies not in greater security requirements, but in greater insulation from the consequences of poor usability. Most organizations have security professionals who demand stronger policies, but only some have usability imperatives strong enough to push back. When the voices that advocate for usability are absent or weak, security measures become needlessly restrictive."
 
Unfortunately, there aren't a lot of ways forward here. Passwords are cheap and pervasive, and aren't going away anytime soon. Forcing all members of Congress and all Generals to personally experience the joy of using these web sites themselves also isn't realistic, even if highly desirable. 
 
In the long term, we need more ways of getting the incentives of all stakeholders better aligned. Putting helpdesk costs and information security costs under the same budget and under the same person is a good start, as it would force people to think more about the relative costs and benefits of a security policy. Having customer satisfaction be part of the performance metrics for information security folks would also help.
 
In the meantime, until usability thinking and holistic thinking become more pervasive in computer security, the rest of us will just have to keep suffering the pains of stricter password policies.
 

Comments


Anonymous

Special characters and capitalization, etc aren't really that much harder for password cracking algorithms to break. They're just harder to remember. It's the length of the password that really makes a difference. This point is illustrated well in this xkcd comic: http://xkcd.com/936/


Anonymous

Don't underestimate the planned buck passing.

By virtually guaranteeing that users break the rules by writing down their passwords, the policy also "criminalizes" users to make it easier to blame them when there is a breach.


Anonymous

The other day I saw a similar story in regards to a password policy for elementary school users (fifth grade). The author of the blog noted the password requirements and they looked almost exactly the same as the standard password policy for Server 2008 logins. So, I concluded that what we had was a Windows admin that was too lazy (or didn't have the knowledge) to change the password policy within the domain or server to make it easier for the school kids. The kids supposedly log in via a web page to get at their homework. So, it's not necessarily the policy that's bad but the system admin who is bad for not changing the default policies to make them a little more lax. Why protect fifth grade homework with such policies and make things so difficult for little kids? It's not necessary.


Anonymous

I support usability and other research to debunk these legacy 'best practices'. Until then they will continue to appear on auditor checklists, in compliance requirements, and thus in institutional password policies. Especially in universities, which stand at the crossroads (or in the cross hairs) of regulatory compliance requirements, there's little ability to fly in the face of this conventional wisdom. Auditors, research sponsors, DoE, DHS, payment card industry, you name it, all require these kinds of password policies at the risk of board sanctions, loss of funding, loss of access to research datasets, and fines and penalties. Now what say we all about 2-factor?


Anonymous

XKCD comic has covered this and in easy-to-understand terms:
http://www.xkcd.com/936/

The kind of password this site is asking for is far less secure than a long string of arbitrary lowercase words, which are much easier for a human to remember than some gobbledygook.

That is to say, "8L@d3!rUnN3r!" is darn near impossible to remember, even if Blade Runner's your favorite movie, because of the forced uppercase. Maybe if you use it all the time it becomes easy to remember.

On the other hand, "invisible giraffe steroid sandwich" is much more easily memorized by a person and ironically far more secure from computer cracking than the previously mentioned nasty mess.

A web comic is smarter than security professionals.


Anonymous

I recently encountered a policy that included one of "!@#%".

This probably actually makes the password easier to crack...


Anonymous

To the person that said "think sentences" . . . exactly!


Anonymous

My *BANK*, which has a long and decent on-line banking record, does NOT care about capitalization these days.

I realized this when I realized I didn't know its capitalization for sure anymore. :) I tested, and it didn't care about it.

I also don't have anywhere near as many failed attempts as I get with other sites in day to day usage, and I've never (in many years) had to do anything with it due to too many failed attempts in one session.


Anonymous

To have simple sentences as longer but easier and more secure passwords, you need to allow spaces in the password. Some sites don't even allow special characters, much less spaces.


Anonymous

Sounds familiar :-)

http://www.subspacefield.org/security/security_concepts/index.html#toc-Subsection-36.6

