The achilles heel of the Internet

It won’t surprise you if I say the achilles heel of the Internet is passwords. But the problem is not that our passwords are too weak: in fact, the bigger problem is that our passwords are too strong.

Preventing brute force password attacks is a problem we know how to solve. The problem is that web service providers have bad habits that cause our passwords to be less secure. Remember the saying “the chain is only strong as the weakest link?” If you are strengthening an already strong link in the chain but weakening another, you are not improving security and usually decreasing the overall security of the system. Those “bad habits”, mostly of web services that require a login, are all wrapped in supposedly ‘security concerns’: meaning some security consultant fed the CSO a strict compliance document and by implementing these rigid security methods they are actually making their users less secure.

Here are some examples.

Don’t you remember who I am?
What’s the easiest way to fight phishing? Have the web site properly identify itself. When the bank calls, most people don’t ask the person on the other side of the line to prove they are really from the bank (though they really should). The reason is you assume that if they knew how to reach you, they are indeed your bank.

So why not do the same for phishing? The bank of America uses Sitekey, which is a really neat trick. But you don’t have to go that far: just remember my username and I’ll have more confidence that you are the right web site. In fact, if I see a login page that does not remember my username I’ll have to stop and think (since I typically don’t remember all the usernames) and that gives me more time to spot suspicious things about the page.

If you can tell me what my username is, there are higher chances you are the legitimate site. But some sites block my browser from remembering my username, on the excuse of increasing security. Well, they’re not.

Let me manage my passwords

This is where most financial sites really fight me – they work so hard to prevent the browser from remembering my passwords.

Why? I can see the point when I’m on a public terminal. But what if I’m using my own laptop? By letting my browser remember the password I am decreasing the chance of phishing, and in fact if I know for certain a web site will let me remember the password (rather than force to type it in) I select a strong, complicated password – since I don’t have to remember it. In some cases I even stick with the random-assigned password; I don’t care as long as my browser remembers it.

But some people are stuck with “security!=usability” equation. They are wrong; in many cases usability increases security. This is one of those cases.

Not to mention they will almost always lose the fight. If paypal won’t let firefox remember the password, I’ll find ways around it. Or maybe I’ll just write a post-it note and put it on my monitor. All of those ways are less secure than firefox’s built-in password manager.

Oh, and forcing me to choose a strong password (‘strong’ being something absurd and twisted that makes no security sense)? Good luck with that. I don’t really mind these silly efforts just because they are so easy to circumvent they are not even a bother anymore. But just remember that putting security measures in place that will be circumvented by 90% of your users means teaching them not to take your security seriously.

Stop blocking me
Next week I will have my annual conversation with the Lufthansa ‘frequent flyer’ club support people. It’s a conversation I have at least once a year (sometimes more) when my login gets blocked.

Why does my login get blocked? Because I get the password wrong too many times. What’s “too many”? I wish I knew. Since I usually pretty much know what my password is, I get it right within 4-5 tries, so I guess Lufthansa blocks me after 3 or 4. I don’t know for sure, because I also need to guess my username (long story, lets just say Lufthansa has 2 sets of usernames and passwords and you need to match them up correctly). So the bottom line is that I get routinely blocked and need to call their office in Germany to release it.

Why are they blocking me? I’m guessing to prevent brute-force password attacks, and that’s a good thing. But why not release it automatically after a day? A week? An hour? Why not authenticate me some other way (e-mail)? I bet I can guess why: Because everybody that complains is told that “it’s due to security concerns”. Nobody can argue with that, can they? After all, security is the opposite of usability. Our goal as security professionals is to make our services not work, and hence infinitely secure.

So Lufthansa is losing my web site visit, which means less advertising money, and they are making me agitated which is not the right customer retention policy. Some credit card issuers like to do this a lot, which means I can’t login to see my credit card balance and watch if there is any suspicious activity. Now that’s cutting your nose off to spite your face.

Don’t encourage me to give out my password
How many web sites have my real twitter password? Must be over half a dozen, maybe more. If you are using any twitter client, you have given them your twitter username and password. If you are using twitterpic, or any of the other hundreds of web 2.0 that automatically tweet for you, they have your login credentials. Heck, even facebook has my twitter credentials – I bet Facebook can flood twitter in an instant if they decide to fight dirty.

Twitter wants me to use all these clients because it raises my twitter activity, and that’s ok. But there are plenty of single-sign-on methods out there, that are not too complicated, and are all more secure than spreading my real username and password all over the place. Even Boxee has my twitter login, which makes me think. If I was building a web 2.0 service and asked everyone who opens an account to give me their twitter login details – how many would do that just out of habit?
Giving my credentials is not necessarily a bad thing. Services like mint and pageonce are good because they make it unnecessary for me to login to all my financial web sites; the less I login the better: assuming these sites have better security than my own computer, I’d rather have them login to my financial accounts than me. This leap of faith is not for everyone – some will ask what happens if these startups go out of business. Cybercrime experts like Richard Stiennon will argue that an insider breach in one of those companies can be devastating. And of course Noam will say that until they’ve been scanned by Beyond Security he won’t give them any sensitive information. I agree with them all, and yet I use both Mint.com and PageOnce. So I guess it boils down to a personal judgment call. I personally think there’s value in these type of services.

Stick with passwords

One thing I am almost allergic to, is the “next thing to replace passwords”. Don’t give me USB tokens or credit-card sized authentication cards. SMS me if you must, but even that’s marginal. Don’t talk to me about new ideas to revolutionize logins. A non-trivial password along with a mechanism that blocks multiple replies (blocks for a certain period of time, not forever – got that Lufthansa?) is good enough. It’s not foolproof – a keylogger will defeat all of those methods, but those keylogging Trojans are also capable of modifying traffic so no matter what off-line method you use for authentication, the transaction itself will be modified and the account will be compromised. So Trojans is a war we have lost – lets admit that and move on. Any other threat can be stopped by simple and proper login policies that do not include making the user wish he never signed up for your service.
There are other password ideas out there. Bruce Schneier suggests to have passwords be displayed while typing them. I think that makes absolutely no sense for 99% of the people out there, but I do agree that we are fighting the wrong wars when it comes to passwords, and I think fresh thinking about passwords is a good thing. The current situation is that on one hand we are preventing our users from using passwords properly, and on the other hand we leaving our services open to attack. That doesn’t help anyone.

Share
  • http://www.sophos.com Michael Argast

    Really?

    I mean if all this involved was ‘can I remember my password’ or ‘is it an annoyance to forget my password’ it would be one thing, but what about:

    1) Malware which infects your machine and steals your passwords – whether that be in your Firefox password store or elsewhere
    2) Malware which intercepts your passwords via keyloggers (and screencaptures, infuriating the security of Bruce’s proposal)
    3) Sites which get cracked into, which results in your passwords being stolen, and then when you’ve used a weak password on multiple sites you end up losing a broader set of security controls

    I agree that we have a problem with passwords. I don’t think simpler passwords are the answer, nor cleartext passwords. I do think sites that lock down failed attempts are a good thing…

    Michael

  • http://www.BeyondSecurity.com Aviram

    Michael, all your scenarios are real and accurate, but none of them is solved by either complex password or virtually anything else that’s being done today to secure passwords. Namely:

    1+2 Malware that infects your machine can easily also intercepts network traffic and change it. So complex passwords get captured as part of the network traffic and 2nd channel security (sms passwords, one-time passwords on cardboard as German banks use) are useless since it’s the transaction itself that is changed. This is not theory: it is happening today, as you very well know. As I wrote in my last paragraph, that war is lost: if malware compromises your machine it’s game over.

    3- That is a reason to keep passwords different, not to keep them complex. In fact, having firefox remember passwords allows you to both keep the passwords different AND keep them non-trivial. On the other hand, if I have to memorize passwords I will most likely choose the same passwords for everything, so your third scenario actually supports my theory.

    I agree with you that simpler passwords are not “the answer” (what is?), but IMHO they are an improvement over the current situation. And when you say ‘sites that lock down failed attempts are a good thing’ -> do you mean temporarily lock down? Or permanently (so that I have to call support)?