Although the leak of 32 million passwords from RockYou is somewhat old news, two things that happened today brought it back to mind.
First, there was an excellent discussion on the Security Metrics list about the incident. The most obvious takeaway from it is how bad the passwords people choose are. From CXO we learn that the most common passwords were:
- 123456
- 12345
- 123456789
- Password
- iloveyou
- princess
- rockyou
- 1234567
- 12345678
- abc123
with “123456” being chosen by ~1% of the sample. Clearly these weren’t sites that placed any restrictions on the strength of passwords!
This agrees with my findings from running cracklib against a NIS file from a site that didn’t enforce any password complexity requirements. The most common choice for a password was to make it the same as the username, with “abc123” and “123456” also making a strong showing. (When we suggested to one of these users that “abc123” wasn’t a great password, he replied that it was an excellent password as no hacker would think he’d be stupid enough to choose such a bad password!)
The second thing that brought this to mind is one of our users sending their password off in response to a phishing email. If a user will tell you their password, then password complexity doesn’t help. Even worse, if the application stores passwords in plain text (as RockYou did) and is itself breached, everyone’s password is gone, strong or not.
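To make both points concrete, here is an added example (mine, not the post’s or RockYou’s code) that first runs the kind of audit described above over a constructed username/password dump (most common choices, password equal to the username, password in the top-10 list), and then contrasts plain-text storage with salted PBKDF2-HMAC-SHA256 storage. The hash and the deliberately low round count are my choices for illustration; the post names no hash, and the dump is made up. The dictionary attack at the end shows the practical consequence: a hashed table still gives up “123456” and “abc123” in seconds, but the two users with decent passwords survive, whereas a plain-text table gives up everyone.

```python
"""Added example, not from the original post: audit a constructed password
dump, then contrast plain-text storage with a salted slow hash.

All data below is constructed for illustration. The top-10 list is the one
quoted in the post; the user/password pairs are invented.
"""
import hashlib
import hmac
import os
from collections import Counter

# The ten most common RockYou passwords, as listed in the post.
ROCKYOU_TOP10 = [
    "123456", "12345", "123456789", "Password", "iloveyou",
    "princess", "rockyou", "1234567", "12345678", "abc123",
]

# Constructed sample dump: (username, password). Not real data.
SAMPLE_DUMP = [
    ("alice", "123456"),
    ("bob", "bob"),                             # password == username
    ("carol", "abc123"),
    ("dave", "Dave"),                           # username, capitalised
    ("erin", "correct horse battery staple"),
    ("frank", "123456"),
    ("grace", "iloveyou"),
    ("heidi", "9y$Qp!vL2#zR8wTb"),
]

# Illustrative cost only, chosen so this runs in seconds; a real deployment
# should use a far higher count (or a memory-hard function such as scrypt).
PBKDF2_ROUNDS = 20_000


def audit_dump(dump, weak_list=ROCKYOU_TOP10):
    """The checks the post describes: frequency, same-as-username, top-10 hits."""
    counts = Counter(pw for _, pw in dump)
    same_as_user = [u for u, pw in dump if pw.lower() == u.lower()]
    in_weak_list = [u for u, pw in dump if pw in weak_list]
    return {
        "total": len(dump),
        "most_common": counts.most_common(3),
        "same_as_username": same_as_user,
        "in_top10": in_weak_list,
    }


def store_plaintext(dump):
    """What the post says RockYou did: the stolen table *is* the password list."""
    return {u: pw for u, pw in dump}


def hash_password(password, salt, rounds=PBKDF2_ROUNDS):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def store_hashed(dump, rounds=PBKDF2_ROUNDS):
    """Per-user random salt plus PBKDF2-HMAC-SHA256; the salt defeats
    precomputed tables, the round count slows each guess."""
    records = {}
    for u, pw in dump:
        salt = os.urandom(16)
        records[u] = (salt, rounds, hash_password(pw, salt, rounds))
    return records


def verify(records, username, candidate):
    """Constant-time comparison so verification itself leaks nothing."""
    salt, rounds, digest = records[username]
    return hmac.compare_digest(digest, hash_password(candidate, salt, rounds))


def crack_hashed(records, wordlist):
    """Offline dictionary attack on a stolen hashed table. The attacker tries
    the common list plus the username itself (the post's top finding)."""
    recovered = {}
    for u, (salt, rounds, digest) in records.items():
        guesses = list(wordlist) + [u, u.capitalize()]
        for g in guesses:
            if hmac.compare_digest(digest, hash_password(g, salt, rounds)):
                recovered[u] = g
                break
    return recovered


if __name__ == "__main__":
    print("audit:", audit_dump(SAMPLE_DUMP))
    print("plain-text dump gives up:", sorted(store_plaintext(SAMPLE_DUMP)))
    hashed = store_hashed(SAMPLE_DUMP)
    cracked = crack_hashed(hashed, ROCKYOU_TOP10)
    print("hashed dump gives up:", sorted(cracked))
    print("survivors:", sorted(set(hashed) - set(cracked)))
```

Running it shows six of the eight accounts fall to a dozen guesses each even with salted slow hashing; only the two users who chose something not on the list survive, which is exactly why storage hygiene and password strength are both necessary and neither is sufficient on its own.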
Two-factor authentication also isn’t a solution. For a university, it’s (currently) cost-prohibitive to give tokens to all students and staff; nor does it make financial sense for random web applications (and how many tokens could one person carry?).
So we are left with the bad situation of trying to detect breaches after the event.
In the web world, single sign-on would help: sign on via two-factor auth to a single provider with which everyone federates. The problem here is as much a business one as a technical one - how many businesses would trust a competitor (Google?) with something as vital as their user data? And indeed, since the economics of many sites depends on mining their users’ data, giving away any of that data seems unlikely.
If Verified by Visa had been designed to help customers, rather than to pass liability onto them, it might have been the start of such a scheme. So maybe that’s the best we can hope for: Visa providing authentication for sites that handle cards, and Google handling the rest.
Seem likely to you? Me neither, but I find it hard to think of other options that improve on where we are now and have any chance at all of happening.