When size doesn’t matter
Is a longer password a better one? Most people will answer this with an unconditional “yes”. In fact, we’ve successfully conditioned our users to choose long and complex passwords and in some cases force them to do that using password enforcement policies. It came to a point where even a web site that helps me search for a cheap airline fare (where the most sensitive information in my account is the latest list of searches I did) forces me to a password scheme that looks like it came from the NSA Orange Book.
My bank, on the other hand, lets me choose a four number password without complaining. Are they missing something? Shouldn’t they be forcing me to an eight-character-minimum-one-digit-one-letter password like just about everyone else on the internet? No. In fact, I think my bank is one of the few sites that actually did the threat analysis and understands the problem at hand.
Many of you have seen the following picture:
Putting a strong security measure in the wrong place doesn’t help security; in fact, it usually weakens it, as our users find ways to circumvent it altogether. The fact that I have dozens of different passwords that are impossible to remember means that my browser remembers everything for me. In fact, most of my passwords are easy to discover: they are stored in my browser, in my digital wallet and handwritten in notes on my desk. All you need is to gain access to one of these and you can pretty much impersonate me on the web – but you won’t gain access to my bank account – because that password is easy enough to remember and I never needed to write it down or store it.
Wait, am I telling you that a short, simple password is a good thing? Yes, that’s exactly what I’m saying. Let’s analyze the threat: the web site is trying to protect me against someone who does not know my password and needs to perform a brute-force attack in order to guess it. But if we assume my username has 10 tries to get the right password before it’s locked for 24 hours (this is a mild assumption; usually we have fewer tries and we get locked for a longer time), a simple 4-letter password will take 62 years to crack on average. Even a 4-digit PIN will take more than a full year to guess – that is, assuming the bank doesn’t view the logs to see that something strange has been happening (thousands of wrong password attempts in a row). There is no feasible way for an attacker to brute force even the most trivial passwords (with the exception of ‘1234’, everyone’s favorite luggage combination) since after a handful of passwords the attack will be flagged; we have actually solved the brute force problem completely, and yet some sites still force me to use long and complex passwords for a problem that should have been fixed elsewhere.
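As an added example (not part of the original post), here is the arithmetic behind the lockout argument together with a minimal lockout tracker of the kind the post assumes the bank runs. The policy numbers (10 tries, then a 24-hour lock) are the post’s own; the account name, timestamps and the `expected_online_crack_years` / `LockoutPolicy` names are constructed for the example.

```python
"""Online guessing cost under an account-lockout policy (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def expected_online_crack_years(alphabet_size: int, length: int,
                                tries_per_window: int = 10,
                                window_hours: float = 24.0) -> float:
    """Average time to hit a uniformly random password of the given alphabet
    and length when only `tries_per_window` failed logins are allowed per
    `window_hours` before the account locks (the post's 10 tries / 24 h)."""
    space = alphabet_size ** length
    expected_guesses = space / 2          # on average, half the keyspace
    windows = expected_guesses / tries_per_window
    return windows * window_hours * 3600 / SECONDS_PER_YEAR


@dataclass
class LockoutPolicy:
    """Server-side lockout: after max_failures wrong guesses the account is
    locked for lock_hours, and even a correct password is refused meanwhile."""
    max_failures: int = 10
    lock_hours: float = 24.0
    _state: dict = field(default_factory=dict)  # user -> (failures, locked_until)

    def attempt(self, user: str, password_ok: bool, now: datetime) -> str:
        failures, locked_until = self._state.get(user, (0, None))
        if locked_until is not None and now < locked_until:
            return "locked"                   # lock still in force
        if password_ok:
            self._state.pop(user, None)       # success resets the counter
            return "ok"
        failures += 1
        if failures >= self.max_failures:
            self._state[user] = (0, now + timedelta(hours=self.lock_hours))
            return "locked"                   # threshold reached: lock
        self._state[user] = (failures, None)
        return "rejected"


def demo_lockout_sequence() -> list:
    """Constructed attempt log: 10 wrong guesses one second apart, the right
    password during the lock, then the right password after it expires."""
    policy = LockoutPolicy()
    t0 = datetime(2024, 1, 1, 9, 0, 0)        # constructed timestamp
    results = [policy.attempt("alice", False, t0 + timedelta(seconds=i))
               for i in range(10)]
    results.append(policy.attempt("alice", True, t0 + timedelta(hours=1)))
    results.append(policy.attempt("alice", True, t0 + timedelta(hours=25)))
    return results
```

With the post’s parameters, `expected_online_crack_years(26, 4)` comes out to about 62.6 years and `expected_online_crack_years(10, 4)` to about 1.4 years, matching the figures above.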
Don’t even get me started on guessing the username: some banks for some reason think that usernames should be complex too.
Why does that happen? People are lazy, and tend to stick with known patterns. Long passwords were good in the 1980s when UNIX had a world-viewable password file encrypted with a weak cypher. But did anyone stop and think whether this axiom is still true in this day and age? My bank did. I hope others will follow.