Communications of the ACM

 

In fact, I think I have found the most difficult password policy in existence today. It was a US government web site, of course. Here were the password policies the site had in place:

 

It actually took me about a dozen tries to create a password that covered all of the critera, plus was something I had a chance of remembering. Here are examples of passwords that failed:

I even tried a few randomly generated passwords, guaranteed to be strong passwords, which also failed some of the required criteria.

 

Of course, this password expires after 60 days (on a site that I only need to use every 90 days, no less). And when it did expire, it only took me an extra 15 minutes to figure out who to call to reset the password, plus a 13 minute hold, before my password was finally reset. 

 

Makes one wonder how much real security is actually being offered with such measures, especially given the costs of staffing a help desk and the wasted time to end-users of having to get their passwords reset.

 

Why do web sites have such stringent password policies? 

 

It all comes back to the opening statement: your inefficiency is someone else's bottom line. In a lot of organizations, there is an individual whose role is to keep computing systems secure. They are the people who get yelled at when things go wrong and whose job is on the line. In extreme cases, it becomes fully rational behavior to keep increasing security, no matter what the cost is for end-users, regardless of whether it is effective or not in practice. (Replace the words "computing systems" with "air travel" and we have a decent explanation for the challenges that TSA faces.)

 

In fact, a 2010 paper by Dinei Florencio and Cormac Herley, two researchers at Microsoft Research, presented an analysis of password policies of 75 different web sites. They found that, almost counterintuitively, "[s]ome of the largest, highest value and most attacked sites on the Internet such as Paypal, Amazon and Fidelity Investments allow relatively weak passwords," primarily because these web sites earn revenue by having people login.

 

In contrast, it was government and university sites that tended to have stricter (and less usable) policies. They explained these results by arguing that "[t]he reason lies not in greater security requirements, but in greater insulation from the consequences of poor 

usability. Most organizations have security professionals who demand stronger policies, but only some have usability imperatives strong enough to push back. When the voices that advocate for usability are absent or weak, security measures become needlessly 

restrictive."

 

Unfortunately, there aren't a lot of ways forward here. Passwords are cheap and pervasive, and aren't going away anytime soon. Forcing all members of Congress and all Generals to personally experience the joy of using these web sites themselves also isn't realistic, even if highly desirable. 

 

In the long-term, we need more ways of getting the incentives of all stakeholders better aligned. Putting helpdesk costs and information security costs under the same budget and under the same person is a good start, as it would force people to think more about the relative costs and benefits of a security policy. Having customer satisfaction be part of the performance metrics for information security folks would also help. 

 

In the meanwhile, until usability thinking and holistic thinking become more pervasive in computer security, the rest of us will just have to keep suffering the pains of stricter password policies.

 

---

Anonymous

August 28, 2011 12:09

From the BBC News Website:

Comedian Nick Helm has won an award for the best joke of the Edinburgh Fringe.

He won for the joke: "I needed a password eight characters long so I picked Snow White and the Seven Dwarves."

---

Anonymous

August 29, 2011 02:57

It sounds like they have an archaic system that can't use passwords longer than 8 characters. It's very difficult to get humans to create passwords that will resist a brute force attack under those conditions.

Hopefully they have the means to migrate from that old system.

---

Anonymous

August 30, 2011 05:27

The rule that the characters be non-repeating reminds me of the fatal flaw in the Enigma that every letter had to encrypt to something other than the input.

---

Anonymous

August 31, 2011 11:08

Those that think users will just write the pw on a note beside the computer, need to understand 2 things:

1 - the only security thus compromised is that of the individual user and not the whole website

2 - the culpability lies with the user, not with the organisation

So what if one user has their account hacked? It is a lot less worse than 100,000 accounts.

---

Anonymous

September 04, 2011 01:43

So, you knew the rules and still couldn't create a valid password? How lame is that?!
Also, how did you manage to think of using a randomly generated password when you had some rules to follow in order to create a valid password?!
Wtf is wrong with you?!

---

Anonymous

September 07, 2011 01:56

And of course at the end of the Password policy is the statement that, indeed, only one possible password meets all the criteria and it will be given out and published on the company's website...

And with the more complex password requirements just encourage people to make their passwords serial. This time its Pa5$word1, next time its Pa5$word2, after that its Pa5#word3, etc...

Safeboot has the most effective password process. Each false guess doubles the delay time. 10 seconds, then 20 seconds then 40 seconds then 80 seconds. I once had this up to 20 minutes.....

---

Anonymous

September 12, 2011 12:59

Another example of how government always tends to do everything worse than an organization that must consider the cost-benefit constraints of a private motive.

---

Anonymous

September 19, 2011 02:16

Reminds me of the Digital VAX days when the password was generated by the system -- 16 alpha-numeric. You had to write it down to memorize it, thereby negating security.

---

Anonymous

September 26, 2011 08:58

Don't "think up" passwords!
Best Practical security: Generate random passwords, write them on a business card,
and keep it in your wallet.

http://www.aprltd.com/Tutorials/PrettyGoodPasswords.html
is a simple snoop proof 44+ bit scheme.

---

David Lambert

September 27, 2011 08:06

Unusual password "strength" rules have the added advantage of discouraging people from re-using the same password for multiple sites ... which means that even if a site's users' accounts are compromised elsewhere, they might still be safe on *that* site.

What I'd like to see is a study of how easy it is for people to remember a password restricted by various rules a day later. Actual data in that direction would really help backing up the "it leads to more help-desk calls" argument.