Monday, September 13, 2010

Strong Passwords - not really so important?

It's been several years since I read Bruce Tognazzini's "D'ohLT #2: Security D'ohLTs," an article about the ridiculous lengths security experts go to in securing systems, and why the real effect is to reduce security. Bruce is a human interface specialist who used to work for Apple Computer, among many other companies. While he is known for his work on computer/human interfaces, reading just a few of his articles has made it clear that everything we do is human interfacing, and the kind of result we get depends in part on how well we take that into account.

This brings us to the point of this post. One of Tog's points is that password requirements often guarantee that passwords will be sticky-noted to the monitor, stuck under the keyboard, or left somewhere else easy to get to, which totally undermines the purpose of having a password in the first place. That was in 2003. It appears that security experts are beginning to get the same idea a mere seven years later. In the NY Times Digital Domain column, Randall Stross reports that some security experts are becoming less concerned with passwords and more concerned about threats that can undermine or circumvent password security:

Here’s one threat to keep you awake at night: Keylogging software, which is deposited on a PC by a virus, records all keystrokes — including the strongest passwords you can concoct — and then sends it surreptitiously to a remote location.

“Keeping a keylogger off your machine is about a trillion times more important than the strength of any one of your passwords,” says Cormac Herley, a principal researcher at Microsoft Research who specializes in security-related topics. He said antivirus software could detect and block many kinds of keyloggers, but “there’s no guarantee that it gets everything.”

So what is leading the security professionals - long-time proponents of strong, hard-to-guess (and hard-to-remember) passwords - to consider simpler passwords a viable option? The real-world experience of millions of users on sites like eBay, Amazon, and PayPal. These are sites that hold users' financial information - bank accounts, credit card numbers - and can access it. Considering the simple requirements for their passwords, you would expect these sites to have breaches all the time. But they don't. Why? One possibility is that most commercial web sites lock you out for a period of time, anywhere from an hour to a day, after a certain number of failed attempts. According to experts quoted by Mr. Stross, that limited number of failures followed by a lockout period is key:

A short password wouldn’t work well if an attacker could try every possible combination in quick succession. But as Mr. Herley and Mr. Florêncio note, commercial sites can block “brute-force attacks” by locking an account after a given number of failed log-in attempts. “If an account is locked for 24 hours after three unsuccessful attempts,” they write, “a six-digit PIN can withstand 100 years of sustained attack.”

That's pretty good, and good enough for most people. My passwords are a little tougher than that, but not much, and I've been using the same passwords on eBay, Amazon and PayPal for at least 5 years now. I think I'll keep 'em a little longer.
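To make the lockout argument concrete, here is an added example (my own code, not from the post, the NY Times column, or the Herley/Florêncio paper): a minimal server-side lockout policy of the kind the quote describes, plus the arithmetic behind "a six-digit PIN can withstand 100 years". The policy numbers (three failures, 24-hour lockout) are taken from the quote; the `LockoutPolicy`, `Authenticator` and `years_to_exhaust` names and the sample user/PIN are my own assumptions.

```python
"""Account lockout policy and its effect on online guessing (added example)."""
from dataclasses import dataclass
import math


@dataclass
class LockoutPolicy:
    """Parameters from the quoted passage: 3 failures, then a 24-hour lock."""
    max_failures: int = 3
    lockout_seconds: float = 24 * 3600


@dataclass
class AccountState:
    failures: int = 0        # consecutive failed attempts since last unlock/success
    locked_until: float = 0  # timestamp (seconds) before which all attempts are refused


class Authenticator:
    """Toy login back end that enforces a LockoutPolicy per account."""

    def __init__(self, secrets, policy=None):
        self.secrets = dict(secrets)       # user -> PIN (constructed sample data)
        self.policy = policy or LockoutPolicy()
        self.state = {}

    def attempt(self, user, pin, now):
        """Return 'ok', 'bad' or 'locked'. `now` is a timestamp in seconds.

        While an account is locked every attempt is refused, even one with
        the correct PIN, so an attacker cannot keep guessing through the lock.
        Unknown users are treated like wrong PINs so the response does not
        reveal which accounts exist.
        """
        st = self.state.setdefault(user, AccountState())
        if now < st.locked_until:
            return "locked"
        if self.secrets.get(user) == pin:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.policy.max_failures:
            st.locked_until = now + self.policy.lockout_seconds
            st.failures = 0  # counter restarts after the lock expires
        return "bad"


def years_to_exhaust(pin_digits, policy=None):
    """Calendar years needed to try every PIN against one account online.

    With `max_failures` guesses allowed per lockout window, the whole space
    of 10**pin_digits PINs needs ceil(space / max_failures) windows.
    """
    policy = policy or LockoutPolicy()
    space = 10 ** pin_digits
    windows = math.ceil(space / policy.max_failures)
    return windows * policy.lockout_seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    auth = Authenticator({"alice": "123456"})  # constructed sample account
    for t, guess in enumerate(["000000", "000001", "000002", "123456"]):
        print(t, guess, auth.attempt("alice", guess, t))
    print("after 24h:", auth.attempt("alice", "123456", 3 + 24 * 3600))
    print("years to exhaust a 6-digit PIN:", round(years_to_exhaust(6)))
```

With the quoted parameters the full six-digit space takes about 913 years to enumerate (10^6 guesses at 3 per day), so the column's "100 years" is a conservative figure. The arithmetic only bounds online guessing against a single account; it says nothing about a keylogger that captures the correct PIN on the first try, which is exactly why the quoted researcher ranks keeping malware off the machine above password strength.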