When size doesn’t matter

Is a longer password a better one? Most people will answer this with an unconditional “yes”. In fact, we’ve successfully conditioned our users to choose long and complex passwords, and in some cases we force them to, using password enforcement policies. It came to a point where even a web site that helps me search for a cheap airline fare (where the most sensitive information in my account is the latest list of searches I did) forces me into a password scheme that looks like it came from the NSA Orange Book.

My bank, on the other hand, lets me choose a four-digit password without complaining. Are they missing something? Shouldn’t they be forcing me to an eight-character-minimum-one-digit-one-letter password like just about everyone else on the internet? No. In fact, I think my bank is one of the few sites that actually did the threat analysis and understands the problem at hand.

Many of you have seen the following picture:

http://www.syslog.com/~jwilson/pics-i-like/kurios119.jpg

Putting a strong security measure in the wrong place doesn’t help security; in fact, it usually weakens it, as our users find ways to circumvent it altogether. The fact that I have dozens of different passwords that are impossible to remember means that my browser remembers everything for me. In fact, most of my passwords are easy to discover: they are stored in my browser, in my digital wallet and handwritten in notes on my desk. All you need is to gain access to one of these and you can pretty much impersonate me on the web – but you won’t gain access to my bank account – because that password is easy enough to remember and I never needed to write it down or store it.

Wait, am I telling you that a short, simple password is a good thing? Yes, that’s exactly what I’m saying. Let’s analyze the threat: the web site is trying to protect me against someone who does not know my password and needs to perform a brute-force attack in order to guess it. But if we assume my username gets 10 tries to enter the right password before it’s locked for 24 hours (this is a mild assumption; usually we get fewer tries and are locked out for longer), a simple 4-letter password will take 62 years to crack on average. Even a 4-digit PIN will take more than a full year to guess – and that is assuming the bank doesn’t look at its logs and notice that something strange has been happening (thousands of wrong password attempts in a row). There is no feasible way for an attacker to brute-force even the most trivial passwords (with the exception of ‘1234’, everyone’s favorite luggage combination), since after a handful of attempts the attack will be flagged. We have actually solved the brute-force problem completely, and yet some sites still force me to use long and complex passwords for a problem that should have been fixed elsewhere.

Don’t even get me started on guessing the username: some banks for some reason think that usernames should be complex too.

Why does that happen? People are lazy, and tend to stick with known patterns. Long passwords were good in the 1980s, when UNIX had a world-readable password file hashed with a weak cipher. But did anyone stop and think about whether this axiom is still true in this day and age? My bank did. I hope others will follow.

  • http://peterdawson.typepad.com /pd

    agreed, but was it not the security consultants who advised all these institutes to have a min of 8 char + 4 digit password policy??

    :) -

  • http://improbable.org/chris Chris Adams

    Password rotation policies are even worse – they seem to be derived from an ancient, non-networked DoD mainframe environment and are worse than useless now since they encourage weak, serial-based passwords. The fact that this is such a well-known problem – to the point of being clichéd joke fodder – and that the world has not yet come to an end because of it really supports your argument.

    I’d like increased use of out-of-band confirmation for the riskier behaviours – e.g. rather than attempting to have perfect passwords, simply use telephone confirmation for commonly abused activities such as transfers, credit card transactions from new/out-of-country merchants, repeated authentication failures, etc. That’d avoid this issue entirely and make a big dent in spyware/phishing-fallout.

  • http://anti-virus-rants.blogspot.com kurt wismer

    “Wait, am I telling you that a short, simple password is a good thing? Yes, that’s exactly what I’m saying. ”

    there’s more to it than just short and simple… your short and simple bank password is also one of the FEW passwords that you try to remember…

    even if all your passwords were as short and simple as your bank password, you wouldn’t be able to remember them all unless they were all the same…

    it’s not just the size of the password that necessitates its recording – it’s also the sheer number of them…

  • CCC

    so true!

  • http://www.BeyondSecurity.com Aviram

    Kurt – good point.

  • http://pmelson.blogspot.com PaulM

    “But if we assume my username has 10 tries to get the right password before it’s locked for 24 hours (this is a mild assumption, usually we have less tries and we get locked for a longer time), a simple 4 letter password will take 62 years to crack on the average. Even a 4 digit PIN will take more than a full year to guess.”

    Aviram, I believe that you are assuming that the attacker doesn’t know (and can’t find out) the password lockout parameters the bank is using. This is leading you to further assume a maximum of 10 guesses per day with a daily lock of the account, which not only prevents the attacker from guessing the PIN, but also DoSes that account, leading to a manual investigation.

    If the attacker does know the lockout policy, then it is possible to achieve something closer to 216 (9*24) guesses per day. By using timing-based online guessing, a PIN (10^4) can be cracked in less than 46 days and 9 hours, well within its lifetime, and possibly before it can be detected by the bank.

  • http://anti-virus-rants.blogspot.com kurt wismer

    i’m not sure how you can guess more than 10 times in a day without the legitimate account holder entering the right password once that day…

    9*24 a day seems to suggest the user would need to enter the right password 23 times per day or that the count of wrong password attempts expires each hour (which doesn’t seem to appear as an assumption anywhere in the original post)…

  • http://pmelson.blogspot.com PaulM

    Kurt,

    For my example, I did assume a 1 hour expiration, which is arbitrary, but not atypical. In my experience, most authentication software expires failed login attempts as a matter of usability. Otherwise, a user could enter 1 bad password at any interval over his account’s lifetime and lock the account on the 10th occurrence, even if this took place over the course of several months.

  • http://anti-virus-rants.blogspot.com kurt wismer

    i think usability is sufficiently served by clearing the failed login attempts count when a login for that account succeeds…
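The post’s arithmetic (10 tries, then a 24-hour lock, giving 62 years for a 4-letter password and over a year for a 4-digit PIN) and the thread’s point that a failure counter which expires on its own hands the attacker far more guesses can both be checked with a small model of the lockout counter. This is an added example, not code from the post or from any bank; the policy parameters, the one-guess-per-minute pacing when nothing expires, and the account model are constructed assumptions.

```python
from dataclasses import dataclass, field
from fractions import Fraction

@dataclass(frozen=True)
class LockoutPolicy:
    max_failures: int       # wrong guesses tolerated before the account locks
    lockout_hours: int      # how long the lock lasts
    failure_ttl_hours: int = 0  # failures older than this stop counting; 0 = only a lock (or a correct login) clears them

@dataclass
class Account:  # toy model of one account's failed-login counter (constructed for this example)
    policy: LockoutPolicy
    failures: list = field(default_factory=list)  # times (hours) of failures still being counted
    locked_until: Fraction = Fraction(0)

    def wrong_guess(self, now: Fraction) -> bool:  # record a wrong guess made at time `now`
        if now < self.locked_until:
            return False  # locked: the guess is not even checked
        if self.policy.failure_ttl_hours:
            self.failures = [t for t in self.failures if now - t < self.policy.failure_ttl_hours]
        self.failures.append(now)
        if len(self.failures) >= self.policy.max_failures:
            self.locked_until = now + self.policy.lockout_hours
            self.failures = []
        return True

def guess_interval(policy: LockoutPolicy) -> Fraction:  # spacing (hours) for an attacker who knows the policy
    if policy.failure_ttl_hours and policy.max_failures > 1:
        # Keep at most max_failures-1 live failures inside any TTL window, so the lock never fires.
        return Fraction(policy.failure_ttl_hours, policy.max_failures - 1)
    return Fraction(1, 60)  # nothing expires, so nothing to pace for: guess once a minute until locked

def guesses_in(policy: LockoutPolicy, hours: int) -> int:  # wrong guesses actually checked within `hours`
    acct, step, t, checked = Account(policy), guess_interval(policy), Fraction(0), 0
    while t < hours:
        if acct.wrong_guess(t):
            checked += 1
            t += step
        else:
            t = acct.locked_until  # locked out: nothing to do but wait for the lock to expire
    return checked

def days_to_cover(space: int, policy: LockoutPolicy, fraction: float = 0.5) -> float:
    # Days needed to try `fraction` of `space` candidates; 0.5 is the post's average case.
    return space * fraction / guesses_in(policy, hours=24)

POST_POLICY = LockoutPolicy(max_failures=10, lockout_hours=24)        # the post: 10 tries, then a 24 h lock
TTL_POLICY = LockoutPolicy(max_failures=10, lockout_hours=24, failure_ttl_hours=1)  # the thread's 1 h expiry
```

With the post’s policy the model yields 10 checked guesses a day (62.6 years on average for 26^4, 500 days for 10^4); with a one-hour expiry it yields 216 a day, so the full 10^4 PIN space is covered in about 46.3 days, while clearing the counter only on a successful login (the thread’s last suggestion) is the same as the post’s policy in this model.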