In my response to the TED Talk “What’s wrong with my password?”, I feel passwords have become the most relied-upon means of security control for online services. With this success has come a vast variety of attacks: each login page is an opportunity for an attacker, who is only a short sequence of characters away from someone’s personal accounts. Who is to blame for our tendency to create passwords that can be easily compromised? A password, no matter how strong or how complex, cannot be the only line of defense we have against attackers.
We are constantly reminded of the risks of financial fraud and identity theft, and most financial institutions have security pages on their websites that offer advice on detecting fraud and on good password practices. As to good practices, users have been advised to choose strong passwords, change their passwords frequently, and never write their passwords down. Unfortunately, these recommendations appear somewhat misleading. The most common ways accounts are compromised are phishing; keylogging; brute force; bulk guessing (an attack on all accounts at the institution); special-knowledge access, where guesses are based on information about the user or username; over-the-shoulder spying; and remote console access to a computer where password autofill or a password manager is in use.
I believe the “password good practices” above do not offer any real protection against the two major hacks, phishing and key-loggers, which are also the most common attacks. Strong or complex passwords are just as susceptible to being stolen by a phisher or key-logger as weak ones, and changing the password frequently helps only if the attacker is slow to exploit the collected passwords. Nonetheless, it is common to assume that stronger passwords help against guessing and brute-force attacks. A relatively weak password withstands a brute-force attack on the user’s account as long as the administrators have a lockout rule in place.
A good, strong lockout rule has to be another layer of protection for the consumer/user. If administrators force lockouts after a certain number of failed username/password attempts, the use of brute force or bulk guessing will be all but eliminated. If we look at the most recent popular hack of “Apple iCloud”, hackers were able to use brute force because there was no active lockout of an account after a number of failed password attempts. So if security administrators add this extra layer, it helps minimize the risk to us and makes passwords that much stronger.
Usernames have not traditionally been seen as playing any role in protecting against attack, and have not traditionally been regarded as secret. Is it fair to ask whether the list of all valid usernames at an institution can indeed be kept secret? Clearly websites guard the files that contain password hashes very securely; but is the same true of the username list? Suppose that an attacker gains access to the entire username list and that the company locks out any account for 24 hours after three unsuccessful logins. With this user list the attacker can lock every account with three login attempts per username. This can have a huge financial impact on any institution, as it has to staff people to help end users regain access to their accounts after proper vetting. So even if account break-ins from bulk guessing were not a concern, administrators have a real reason to prevent the valid username list from being compromised.
To really combat this issue, I believe forcing more complex usernames as well as passwords greatly increases the security of online access. I feel it is the combined size of the username space plus password strength, rather than the password character length/complexity alone, that protects users against bulk-guessing attacks. Greater security for the institution can be achieved by allowing users to keep relatively short passwords, so long as they choose longer/complex usernames. This reduces the number of compromises an attacker with a limited number of guesses can expect, and reduces the burden on users and institutions. For smaller institutions, those with hundreds rather than thousands or millions of users, there appears to be little reason to use strong passwords so long as good lockouts are in place.
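To put numbers to the claim that the combined username-and-password space, together with the lockout rule, bounds what a bulk-guessing attacker can expect, here is an added model that is not part of the essay. The lockout parameters, account counts and character spaces are constructed assumptions, and users are assumed to pick their secrets uniformly at random.

```python
# Added illustration of the bulk-guessing argument in the essay; it is not the
# essay's own material. All numbers below are constructed assumptions.
import math


def guesses_per_account(lockout_threshold: int, lockout_hours: float,
                        campaign_days: float) -> int:
    """Wrong tries an attacker can spend on ONE account during a campaign when
    every `lockout_threshold` failures freeze the account for `lockout_hours`:
    one batch before the first lockout, then one batch per lockout window."""
    windows = math.floor(campaign_days * 24 / lockout_hours)
    return lockout_threshold * (windows + 1)


def expected_compromises_known_usernames(num_accounts: int, guesses: int,
                                         password_space: float) -> float:
    """Bulk guessing with the valid username list in hand: every account gets
    `guesses` tries against a password drawn uniformly from `password_space`."""
    return num_accounts * min(1.0, guesses / password_space)


def expected_compromises_secret_usernames(num_accounts: int, total_guesses: int,
                                          username_space: float,
                                          password_space: float) -> float:
    """Bulk guessing without a username list: each try is a (username, password)
    pair, so the campaign covers at most `total_guesses` points of the combined
    space, and expected compromises scale with the covered fraction."""
    covered = min(1.0, total_guesses / (username_space * password_space))
    return num_accounts * covered


def lockout_flood_requests(num_accounts: int, lockout_threshold: int) -> int:
    """Failed logins needed to lock every account once the username list leaks;
    this is the denial-of-service cost the lockout rule itself creates."""
    return num_accounts * lockout_threshold


if __name__ == "__main__":
    accounts = 1_000_000                 # constructed institution size
    pin_space = 10 ** 6                  # 6-digit PIN-style passwords
    tries = guesses_per_account(lockout_threshold=3, lockout_hours=24, campaign_days=30)
    print("tries per account over 30 days:", tries)
    print("known usernames, weak passwords:",
          expected_compromises_known_usernames(accounts, tries, pin_space))
    print("secret 8-digit usernames, same passwords, 1e9 tries:",
          expected_compromises_secret_usernames(accounts, 10 ** 9, 10 ** 8, pin_space))
    print("requests to lock every account with a leaked list:",
          lockout_flood_requests(accounts, 3))
```

With the constructed numbers, the leaked-list attacker expects about 93 compromises while the attacker who must also guess an 8-digit username expects about 10 from a billion tries, and the same leaked list lets someone freeze all one million accounts with three million requests.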
After reviewing the question of weak-password versus strong/complex-password accounts, I conclude that forcing users to choose strong passwords appears misguided, because this offers no defense against the common password-stealing programs/malware. The prevention of unauthorized access needs to fall within the responsibility of security administrators, as not all users are aware of how they can be compromised. Additional layers may be an inconvenience to most, but in the end they prevent the headaches and costs associated with trying to fix the problems that come with attacks. If we as administrators remove the ability for consumers to have a weak password/username combination and put up layers of protection, then we are no longer giving misguided information but building actual barriers that cannot be misguided.
If you are looking for more information, check out our User Security Basics Brochure.