Passwords and Convenience
Off the Beat: Bruce Byfield's Blog
The cracking of at least six million passwords from LinkedIn this week (http://www.bbc.co.uk/news/technology-18338956) had me scrambling to change my own password. It also has me considering whether LinkedIn is a social media site I could do without. But mainly, it has me thinking how predictable -- and, in many ways, how useless -- the response has been.
The problem is not that LinkedIn hasn't handled the situation well by the usual standards. The company responded quickly, and posted blogs telling users what was happening, what would happen, and how to set a strong a password (http://blog.linkedin.com/2012/06/06/updating-your-password-on-linkedin-and-other-account-security-best-practices/).
Probably, most users are unaware of the blog, but that wasn't the real problem. The problem was that the blog dished out the usual advice -- things like make your password a mixture of characters, don't write it down, don't use the same password for every site, and change it every few months.
All this is sound advice, in keeping with the best security practices. Unfortunately, though, most users are going to ignore some or all of the points. Security requires care and thought, and the majority of users are going to choose short-term convenience or care and thought every time.
Unclear on the concept
If you have any doubts, consider the surveys of the leaked password. All the passwords that security experts tell you not to use, such as "qwerty," "password," and "123456" are among those that were cracked. Others, such as "linkedinpassword" and "ihatemyjob" would be easy to guess in the context of the LinkedIn site (http://www.geek.com/articles/news/linkedin-passwords-cracked-here-are-the-worst-2012067/#).
What these passwords suggest to me is that many users are unaware of what a password is for. At the most, they must see passwords as simply a way to make sure they open their own data. The idea that the password might protect their data doesn't seem to have occurred to them, or they would pay more attention to choosing a good one. If they are aware of security, then I suspect that they have concluded that the chances of anyone wanting to crack their accounts is so remote that they can ignore it.
Either way, many people seem to act like the Facebook users who chatter away about their private concerns, unaware that anyone who comes along can read what they are saying -- an attitude so prevalent that, charges were brought against a number of participants in last year's Stanley Cup riots in Vancouver based on their boasting online.
Mind you, I can't say I'm surprised. When friends and neighbors ask me for computer help, I almost never find them using passwords. If I add even a simple one -- let alone a strong one -- invariably, I find it's been removed the next time I help out. Apparently, it's not inconvenient to haul computers into the shops to get viruses and trojans removed every six months or so, but it's unacceptably inconvenient to spend ten seconds entering a password. Very likely, the only reason their wireless routers have passwords is because the setup programs insist on one these days.
This attitude is hardly unique. A few years ago, a small business was even offering notebooks for recording your passwords (http://web.archive.org/web/20080516004343/http://www.analogonbook.com/). The site emphasized the convenience of these notebooks compared to writing your passwords on scraps of paper. It also suggested that the notebook was more secure than storing passwords online, although to be any use, the notebook would presumably be left close to a computer.
But, for me, the strongest indication of how the average user regards passwords was a survey done in 2004 on the London subway. A man offered a chocolate bar in return for the office passwords of passersby -- and seventy percent made the exchange (http://www.nytimes.com/2004/04/25/weekinreview/ideas-trends-your-password-please-pssst-computer-users-want-some-candy.html?_r=1).
When the study was repeated three years later, the number who gave their password was sixty-four percent (http://www.theregister.co.uk/2007/04/17/chocolate_password_survey/). The number was only twenty-two percent at an IT conference, but when asked if the password was something like the name of their pet and engaged in conversation, another forty-two percent eventually revealed their passwords indirectly.
The list of weak LinkedIn passwords suggests that nothing has changed. Despite the efforts of security experts, many people still fail to understand why passwords matter and why they should choose a strong one.
In my experience, when taxed with not using a strong password, most users will give an embarrassed grin then go right on using a weak one -- assuming they use one at all.
Under these circumstances, no wonder alternatives like fingerprints or picture passwords (http://blogs.msdn.com/b/b8/archive/2011/12/16/signing-in-with-a-picture-password.aspx) are being considered. However, fingerprint authentication has failed to catch on, and I suspect that picture passwords will be too easy to crack. At any rate, for better or worse, conventional passwords are likely to predominate for some years to come.
So, what, if anything can be done to improve how passwords are used? The pessimist in me says very little. You can enforce strong passwords with packages that disallow weak ones, but that only means that users are more likely to write their passwords down. Close one security problem and another pops up to replace it.
However, I suspect that security experts may have been too uncompromising in their efforts to educate the average user. Instead of telling people not to use the same password on every site, maybe they should advocate setting up a list of four to six words that can be recombined to produce different passwords while still being easy to remember. Instead of repeating the characteristics of a strong password, maybe they should advocate using the initial letters of a line from a favorite song. Add a few numbers and special characters, and the result would be a strong password that users would actually remember.
Even if the result was not as strong as it could be, it would probably be good enough for average users -- besides having the added advantage that they might actually use it.
The point is, we know that security will never be as important to the average user as convenience. Perhaps it's time to stop delivering lectures that are going to be ignored and start developing on ones that have some chance of being listened to. The result might not be ideal security, but it could be considerably better than what we have now.
Password managersNo mention of the role of password managers? Such tools make it easier to use many different complex passwords, although the manager itself needs to be well protected!
I use a popular password manager with Linux and Windows versions - including portable - that keeps the info in a database file which I store in an encrypted online location. I can get at my passwords from anywhere (risky yes but protected twice with strong passwords). The inconvenience of using a password to get at the database file, and using another password to open it, is outweighed by the convenience of having a different strong password for every online site I use and not needing to remember them all.
LastPassWhat about password managers like lastpass? Assuming of course that the master password is strong, you could let LastPass set unique passwords per site. You can also use Google Authenticator (as well as some other options) for a second level of authentication.
Passwords and ConvenienceColin
Numeric substitution is very old news and yes there are already dictionary attacks that know this and try the variations.
As for putting the month in the password, you might as well not bother, again its a standard attempt for the password cracking algorithms.
Any password that uses Dictionary words ( with or without the standard numeric substitutions ) is fairly easy pickings for these scammers, again given the stupidity of a lot of users you've got away with it for now but if the standard users knowledge increases even by a small extent, you may find your accounts being compromised ( I hope they don't )
I now use random 32 char Mixed case Alpha, Numeric, and punctuations marks for my important passwords.
( If the server/software allows that complexity, and if not I look for another service/site that will )
These scammers can have thousands of BotNet machines trying to crack your accounts, generally they aren't interested in getting your account cracked they just want to crack any account, they tend to pick the 'low hanging fruit' and yours so far has evaded that.
I strongly suggest a more rigorous password regime, I mean, better safe than sorry!
Passwords and ConvenienceSome thoughts.. The easiest way I've found to set up 'non dictionary' passwords is to use a familiar word, then replace any characters that look like numbers with the number. eg S looks like 5, I looks like 1, O looks like 0 etc.
For example, I live in Osoyoos, BC, Canada. If I was stupid enough to use that as a password, (I'm not I could make it 0(Zero) 5 0(Zero) y 0(Zero) 0(Zero) 5. 050y005 is definitely harder to guess or do a dictionary search on.
Since I'm European and grew up with a basic grasp of German, French and Italian, taking a foreign language translation of your English word and then numerizing (is there such a word?) that makes me fairly confident that passwords I use aren't going to be cracked in a hurry.
Off course a quick a regex could be run on a standard dictionary to replace letters with numbers fairly quickly , making a dictionary attack using that new list possible as well, but it would add significantly to the time an attack would take to run. (but then there are the permutations, for example replace o with Zero, but don't replace if the first letter of word).
Finally for passwords I change monthly, I add the month as text to the pwd string, as a postscript in odd months, prescript in even months.
Once you have a rule for 'your' passwords, I think you'll be getting close to unbreakable for most attacks that are designed to find the obvious. Yet you will still have logical remember-able ones.
Passwords and ConvenienceI was one of those surveyed in London and got my free choccie bar, the password and UserId I disclosed bore no resemblance to my real ones. so maybe this test also shows the naivety of journalists.
As for notebooks for passwords, recent opinion has flowed back towards storing a hard copy of your passwords in a secure place at home/work. As anyone trying to compromise your account(s) would really have to try hard and burgle your house to get the hard copy ( assuming they are not easily guessable ).
Remember no method is %100 secure, all you do is make your passwords or data harder to get at than most other peoples so that the casual scammer by-passes your info and goes for easier pickings.
It's very much like securing your car.
chocolate passwordif someone offered me chocolate for a my password, of course I would provide him with one - easy enough to make one up on the spot or give him a long since expired one. Not sure his survey is in any way meaningful.
Not sure of the value of changing passwords - sooner or later people give up and resort to adding a digit to the end of a good (or bad one) every month.
Re: Password security mistakeThe rationale for changing passwords regularly is that, if your account has been cracked and nobody has noticed, the cracker won't have permanent access.
But I agree that having to memorize another strong password every month is likely to discourage a lot of users. Unless thir sysadmin enforces the change, they won't do it.
Password security mistakeBruce, one of the things you mentioned that is commonly offered as good advice is to chnage passwords regularly. But that would almost certainly work against having a strong password. And when you look at it, it doesn't make any sense anyway. What is the threat that would be prevented by changing your password every few months? Nothing very interesting, I suspect.
Passwords and ConvenienceI'm sorry, but the "don't write down your password" advice is nonsense.
How are people supposed to learn good enough passwords? Ever heard of dictionary attacks etc? People should be using passwords good enough to defeat attacks, therefore they must write them down and then secure the paper.
Plenty of good computer security experts agree, the "don't write down your password" advice leads to poor passwords that are easy to defeat.