A commentary on the Florêncio and Herley password paper

    A few weeks ago, Bruce Schneier linked to two new papers on password policies. I’ve now got round to reading the first of these, by Florêncio and Herley from Microsoft Research, and I’m not convinced.

    Before we start, one quick clarification. The paper limits itself to talking about plain passwords and not 2-factor auth (2FA) etc., so we need to consider it in that context.

    Here’s the abstract:

    We examine the password policies of 75 different web-sites. Our goal is to understand the enormous diversity of requirements: some will accept simple six-character passwords, while others impose rules of great complexity on their users. We compare different features of the sites to find which characteristics are correlated with stronger policies. Our results are surprising: greater security demands do not appear to be a factor. The size of the site, the number of users, the value of the assets protected and the frequency of attacks show no correlation with strength. In fact we find the reverse: some of the largest, most attacked sites with greatest assets allow relatively weak passwords. Instead, we find that those sites that accept advertising, purchase sponsored links and where the user has a choice show strong inverse correlation with strength.

    We conclude that the sites with the most restrictive password policies do not have greater security concerns, they are simply better insulated from the consequences of poor usability. Online retailers and sites that sell advertising must compete vigorously for users and traffic. 

    In contrast to government and university sites, poor usability is a luxury they cannot afford. This in turn suggests that much of the extra strength demanded by the more restrictive policies is superfluous: it causes considerable inconvenience for negligible security improvement. 

    That’s a fair summary of the paper, but I think there are a number of problems with it that invalidate their thesis.

    1.  In the section “Who lives with the cost of a breach”, they argue that since banks bear the cost of any loss via fraud, the fact that some banks allow weaker passwords rules out any link between liability and password policy. This is because such a financial liability would be expected to lead to stronger password policies if such policies prevented loss.

      The flaw here is that simple direct financial loss from stolen passwords is, from the bank’s point of view, a simple cost/benefit analysis. They know that roughly N passwords will be stolen each year, and can estimate that increasing their password strength will reduce this to roughly M but incur an extra cost C in support and possibly lost business. They will also know the average cost per breach. Given that, it’s a straight cost/benefit calculation to decide what to do.

      Since there’s no reputational risk for a bank if a customer’s password is stolen, allowing weak passwords and taking the resultant loss as a business expense may make perfect sense.

      One interesting comparison that wasn’t done for the paper would be to compare the password policies of banks aimed at high-net-worth individuals (e.g. Coutts) with those of high street banks. One would expect the former to have stronger password policies, since their cost per breach is much higher. Even that mightn’t tell us much, though, since they could decide that annoying their very valuable customers with strong passwords isn’t worth the loss of custom, and instead just monitor accounts closely and insure against loss.
    2. There’s a basic category error in the types of account compared. Comparing a bank customer’s account with a university account isn’t like-for-like. The university account is almost certainly single sign-on, and so gives access to data, login rights etc. To compare the two, you’d have to compare the password policies the bank applies to its staff accounts. I’ll put money on the policy not being the same as for customers, and it may well be stronger than that required by the university (e.g. using 2FA).
    3. Following on from these two, we get to reputational risk, or the maximum possible loss from a breach. The maximum loss from a university user account is bad: loss of commercially confidential or other sensitive data (cf. the recent hack at UEA). This is just a re-stating of points 1 and 2: given the category error of confusing the two types of accounts, the authors’ argument that commercial sites have weaker password policies because of market forces doesn’t follow.
    4. Finally, for ad-supported sites, I’d expect weaker password policies. Companies protect their customers’ interests, and here the customer isn’t the user, it’s the advertisers. The commercial imperative is to get eyeballs, and the main reason to have logins at all is probably just to gather more user data.

    I was rather disappointed in this. Herley’s previous papers, especially “So long and no thanks for all the externalities”, have been excellent, but this one seems a bit of a Friday afternoon special.
