Having a strong password policy such as "passwords must be longer than six characters and must contain a number or a symbol and a mix of uppercase and lowercase characters" is great in theory, but let's take a moment to follow Joe User as he encounters such a policy and chooses his password:
Joe User: Ah, it won't let me use my normal password, I need to create a new one... ok, done!
Joe User: Hmm, I'm never going to remember this, let me just write it down on this Post-it note.
Joe User: Better not lose this, let's stick it on my monitor.
Joe User: Cool, now that's done, I can leave for lunch.
See the problem?
The weakest link in online security is not password strength but the human being who owns the password. Having a complicated password policy that enforces strong passwords may actually become a security issue if it results in the user writing her password down to remember it as that becomes the weakest link in the chain. (By the way, this isn't fiction, I’ve actually seen passwords on Post-it notes stuck to monitors — good, honest, strong passwords — completely compromised.)
It's a balance, for sure, but not always between security and usability as it is often portrayed. It's a balance between security and security. Specifically, beyond a certain point, increasing the complexity of password policies may actually start compromising the overall security of the whole system where the user, not the password, is the weakest link.
It's also a matter of psychology. Different applications handle data of varying sensitivity and users have varying expectations of what comprises adequate security. You expect a bank to have a strong password policy. Twitter? Not really.
Usability, of course, is also a very important consideration. There are some applications where you spare nary a thought for the authentication system; it just works and stays out of your way. Yet there are others where it seems you are always filling out the forgotten password form. Guess which ones users like more.
The On online security and password policies article by Aral Balkan, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial 2.0 UK: England License.
I agree with you Aral, I don’t understand why some websites force the user to have a minimal length for their user name as well.
Simplicity should always remain one of the top goals when building a website.
ps: This is the first time I’ve posted a comment but I read all your posts, keep up the good work ;)
Users should learn basics of l33t and they will never have a problem remembering their strong passwords.
The other thing which bothers me whenever I register with a new site is the question: how do they store the passwords in their database? Can for example some intern that works in their IT department simply open up phpmyadmin (or whatever other database admin tool) and browse through the user database and see those passwords in clear text? Of course that’s a big no-no and in my opinion passwords should always be stored in a one-way encrypted scheme (like md5) so it’s not possible to restore them even if you wanted to.
Ideally there would be an independent (of course trustworthy) certification institution to which companies can voluntarily open access to their user database so that it can check whether certain standards are met. Then they are allowed to add some official seal to their site. Of course the next problem is – how can that control organization be structured so one can trust them with one’s data?
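As an added illustration of the one-way storage Mario is asking for (this is example code written for this page, not from the post or any commenter), the block below stores a salted PBKDF2 derivation instead of the password itself, so someone browsing the user table sees nothing recoverable; the record format, iteration count and sample users are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed parameters for this example; a real deployment tunes these.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'pbkdf2_sha256$iterations$salt_hex$key_hex'.

    Only the random salt and the one-way derived key reach the database;
    the cleartext password is never written, so a database admin tool
    (the intern with phpmyadmin in the comment above) shows nothing usable.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # unique per user: equal passwords get different records
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the key from the stored salt and compare in constant time."""
    algo, iters, salt_hex, key_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(key.hex(), key_hex)


def build_user_table() -> Dict[str, str]:
    """Constructed sample user table showing what actually lands on disk."""
    return {
        "joe": hash_password("catpi11ar"),
        "mario": hash_password("catpi11ar"),  # same password, different stored record
    }


def record_leaks_password(record: str, password: str) -> bool:
    """True if the cleartext (raw or hex-encoded) appears anywhere in the stored record."""
    return password in record or password.encode("utf-8").hex() in record
```

Because verification only needs the salt and iteration count stored beside the key, the scheme also lets you raise the iteration count later without ever seeing the original passwords.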
I was just talking about this issue with my sys admins after being given a new fairly strong password that I will never remember. Have to keep somewhere or ask for repeatedly when needed.
I’ve long advocated multi-segmented password policies for companies.
Essentially you have a personal password plus a prefix and suffix. Different logins would correspond accordingly.
> company prefix might be ‘wanu3’
> personal password might be ‘catpi11ar’
> site/server suffix would vary
- ‘ved3xob’ (development server)
- ‘mbx’ (mail box)
- ‘navalforce’ (ie: for salesforce)
OR a pattern (such as no vowels).
- dvsrvr3
- mlbx
- slsfrc
***
What this would do is multi-fold. First there is a generic corporate prefix. This can be changed periodically across the board. (Say once a year, or after a big layoff.)
Then there is a personal password, this makes it so that a password is unique to you. Now in the case of system passwords, you might have a generic for this be it for a sysadmin account or a database authentication virtual user.
Then finally you have a suffix, this distinguishes each device. It should be fairly simple and easy to remember for all devices (such as a pattern). But this helps make things more secure by ensuring that if one site is compromised (web server) they cannot simply use that password against other infrastructure elements (ie: your database). Because they’ll be different.
Essentially, you’re reducing the passwords to only three significant components. Now your users need only remember three things for all their corporate passwords. The current corp password, their personal password, and the device pattern.
B-I-N-G-O
You can have passwords that are extremely complex from a technical point to break. Symbols, spaces, numbers, etc. While being easy enough to remember rather than being kept on sticky notes under keyboards, in drawers or text files on local machines.
Victor is completely wrong…
Because L33t does not always guarantee you will remember your password. For example:
x site has an 8-character minimum.
y site has a restriction on non-alpha numerics
z site refuses spaces
q site wants a 4-digit pin
The problem is every site is different. So it’s impossible to make a password you can use everywhere. I like to have “password levels”. I have one for public internet, a different form for financial sites, etc.
talking about security is extremely delicate and difficult. i’m always amazed how many ppl give “advice” on such topics.
i wouldn’t care less if they just use their bad practice on their own. but no! they have to preach it to the whole world.
@jason
“Victor is completely wrong…”
.. let’s hope you’re not completely wrong:
‘wanu3ved3xoby’
“what a great password!” some security nubs might claim. or is it?
well it must be! it looks really good!
except for my boss’ password is ‘wanu3ved3xobx’ but i’m sure it’s secure anyway, because it looks complicated!
@aral
why do you write such things? you could also write:
‘strong passwords are bad.. because a user is not able to type it fast. that means everybody can copy the password. you should force the user to choose a password which he can write in less than 0.5s.’
sounds good, right?
@all
how about reading some security papers before preaching bad practices?
don’t take it personally.. such things just make me angry :)
cheers robs
Hey Aral,
I agree with you, sites like a social networking application shouldn’t require super strong passwords. I generally have a light password I use for these types of sites, and a stronger one that I use (with variations) for more secure things like my banking. It’s incredibly frustrating when you can’t use something you typically use elsewhere because you’re missing a capital letter or something. I’m just talking from a usability standpoint, not from a security standpoint.
The one thing I’d like to point out is that sites that have added stronger password requirements don’t typically do this retroactively. For example I still keep a hotmail account that I opened in 1998. At that time I could have an all letter 5 character password. I can still log in today with that same password. I’d expect if making a stronger password was that important that I would have gotten a message at some point at least encouraging me to change it, if not requiring me to do so when I logged into the account.
I’d say it’s fine that a site requires stronger passwords, but they need to let you know that in a clear and usable way up front (pownce does a great job with this). Thanks for the post!
From a usability point of view, I think all websites and applications should encourage their users to choose a strong password even if it’s not required. Just have an indicator showing the strength of the password and then let the user decide. If it is a weak password you could always give the users tips on what a stronger password would be like.
As Aral is saying, at times it could be wrong to force the user to go for a password that probably will be forgotten by the end of the day. In some cases it’s just better that the user has a weak password that nobody knows about as opposed to getting a stronger one but writing it down somewhere.
Mario brings up a good point in his comment. I have actually seen passwords being stored as plain text! This is just wrong and no website should do this. Always encrypt the user’s password before storing it. Another irritating thing is when some websites send you an email with your password. It’s ok to send a randomly generated password if the user has forgotten it and requested it but don’t send an email with the user’s password.
Thanks for the article Aral, makes one think.
Hey Mario,
That’s always a concern I share too.
There’s nothing worse than to be forced to use a strong password only to have it stored in plain text and (here’s the best bit) have it emailed to you after signing up!
@robs: Your comment doesn’t make any sense.
You do know that password fields don’t show you the password you’re typing, right? So, no, it doesn’t sound good at all; sounds quite daft, actually.
How about rationally addressing the issues that I raise and engaging in intelligent debate to further our collective understanding of the topic? Your comment is sarcastic but doesn’t make a rational argument.
I don’t think services like twitter and facebook, which don’t handle very sensitive data, are particularly concerned with security. It’s not about whether the account gets hacked, but who’s responsible if it is. A strong password requirement protects them from dictionary attacks, and after that it’s your responsibility to keep the account secure.
I too have seen passwords written on post-it notes stuck to monitors. To use this as an argument against secure web passwords is just plain ridiculous though. A weak password on a website can be easily cracked by a hacker anywhere in the world. Try as he might though, that hacker will not be able to gain access to a password on a post-it note without gaining physical access to the room containing the monitor.
My personal bugbear over passwords is with idiot sysadmins that enforce constantly changing passwords. At one place I worked a few years back, passwords had to be changed every month and it remembered – and refused to let you reuse – the previous ten passwords. The solution I came up with was to use passwords such as:
december2002, january2003, February2003…
Completely insecure and solely due to a ridiculously overzealous password policy.
This type of discussion can lead to so many places and I was wondering what your thoughts on password managers were.
Louise
(*disclaimer – I write for a password manager)
The biggest gotcha with using the same password in multiple places: Using your email password on a site where your login name is your email address. Hello! You just handed them your email address with its associated password. I am amazed how many people in my family have done this. (ok, I admit it…I did it a few years ago too before it dawned on me how stupid that was)
Hi Daniel,
I was actually thinking of devoting a blog post to just that. I think most people would be much safer if they chose one password for their email and used another for everything else (of course, they could choose different ones for every service — but again, we get into the issue of memorizing them and writing them down.)
Thanks for bringing it up!