1. 15:07 1st Sep 2011


    tags: passwords

    Doing Passwords Right

    A student once told me, in all seriousness, that his password of “password” was secure because:

    It’s a double bluff. No-one would believe I’m stupid enough to use that as a password

    Yeah, right.

    The trouble is that passwords are hard. One password is easy, two ok but most of us need tens, if not hundreds, of passwords for all our different services. Work password, personal email, facebook, Google, ebay, three banks, that random quiz site, phishme.com…. 

    Then each of these sites has a different password complexity/strength checker, work insists that your password is changed every 30 days, and on it goes.

    In attempting to deal with this, most people work their way down this sequence:

    1. I’ve thought of a good password. It’s “fred”.
    2. Oh dear. It’s rejected as too short. Let’s try “fredfred”.
    3. Now it needs numbers. Try “fr3dfr3d”.
    4. Accepted.

    And we’re all good to go until….

    1. The next site comes along. Now we have to have a special character as well. So let’s use ‘fr3dfr3d!’.
    2. Now sign up to internet banking. Best use a different password. OK. ‘G30rge!’. Done.
    3. Now what about the credit card? ebills? Oh dear.

    The only way to deal with this and keep everything in a human brain is to have two or three basic passwords (say one for banking, one for login and one for other websites) and reuse them everywhere, with random variations to deal with different sites’ password policies. This way madness lies. The small variations cause endless problems, and sharing passwords across sites means that one compromised site is a disaster.

    The solution: write your passwords down. As prohibited in every security policy ever.

    Use the paper, Luke

    By ‘write it down’ I don’t mean that you physically write it down in any way, but rather that you stop trying to remember passwords and use a password manager to store them.

    Password management (or “Password Safe”) software encrypts all your passwords under one master password, so that you now have only one password to remember while your passwords stay safe from prying eyes. Unlike the ‘post-it note under the keyboard’ approach.

    Once you stop trying to remember passwords, all sorts of good things happen:

    1. You can (and should) have a unique password for every single site or application. Even the silly ‘joke’ websites. Everything.
    2. You can stop trying to think up passwords. Just let the password manager generate a random one for you. It’ll be impossible to remember (e.g. mine has just generated ‘eRxz%b3gtV’ for me) but it doesn’t matter. You never need to remember it.

    And that’s it. Now you can have complex, unique passwords everywhere and also have less stuff cluttering up your brain and making you stupid. What’s not to like? Just do it.

    The Details

    That’s the basic principle, but like everything, the details matter.

    1. You’ll still have to remember your login password and a master password for your password safe. That’s only two passwords. Not so bad.
    2. You may also want to remember your internet banking passwords.
    3. Remember that the strength of this whole system depends on the strength of the master password you set for your password safe. Since you don’t have to type it very often I suggest just going for a very long phrase (30-50 characters).
    4. Don’t use any random piece of software. Writing secure cryptographic products is hard, and if you are putting all your passwords in one place you want to be very sure that you haven’t just made it easy for them all to be stolen at once.

    Finally, most of us use many different computers over the course of a day, so we need these passwords everywhere. There are two basic approaches:

    1. Let the software itself store the data in the cloud, or,
    2. Store the encrypted file on a sync service like Dropbox

    Either works. You’ll also want to have a copy of the program and your passwords on your phone for those times when you want to log in to a site from a different computer, internet cafe etc.

    All of the recommended products below can also be integrated into your web browser to allow seamless logins to everything web based (which is going to be 95% of everything for most of us).

    Recommended products

    • KeePass: Works on Windows and Linux. Supposed to work on OS X but I gave up waiting for Mono to install. Also has versions for most phone OSs. Open source.
    • LastPass: nice, but costs to use on mobile. 
    • 1Password: those that use it love it. Works on Windows, OS X, iOS and Android. Costs.

    Edit: thanks to Max Spicer for prompting me to get off my arse, change my password management and actually write this up :) 

    • A commentary on the Florêncio and Herley password paper

      A few weeks ago, Bruce Schneier linked to two new papers on password policies. I’ve now got round to reading the first of these, by Florêncio and Herley from Microsoft Research, and I’m not convinced.

      Before we start, one quick clarification. The paper limits itself to talking about plain passwords and not 2-factor auth (2FA) etc., so we need to consider it in that context.

      Here’s the abstract:

      We examine the password policies of 75 different web-sites. Our goal is to understand the enormous diversity of requirements: some will accept simple six-character passwords, while others impose rules of great complexity on their users. We compare different features of the sites to find which characteristics are correlated with stronger policies. Our results are surprising: greater security demands do not appear to be a factor. The size of the site, the number of users, the value of the assets protected and the frequency of attacks show no correlation with strength. In fact we find the reverse: some of the largest, most attacked sites with greatest assets allow relatively weak passwords. Instead, we find that those sites that accept advertising, purchase sponsored links and where the user has a choice show strong inverse correlation with strength.

      We conclude that the sites with the most restrictive password policies do not have greater security concerns, they are simply better insulated from the consequences of poor usability. Online retailers and sites that sell advertising must compete vigorously for users and traffic. 

      In contrast to government and university sites, poor usability is a luxury they cannot afford. This in turn suggests that much of the extra strength demanded by the more restrictive policies is superfluous: it causes considerable inconvenience for negligible security improvement. 

      That’s a fair summary of the paper, but I think there are a number of problems with it that invalidate their thesis.

      1. In the section “Who lives with the cost of a breach”, they argue that since banks bear the cost of any loss via fraud, the fact that some banks allow weaker passwords rules out any link between liability and password policy. This is because such a financial liability would be expected to lead to stronger password policies if such policies prevented loss.

        The flaw here is that simple direct financial loss from stolen passwords is, from the bank’s point of view, a simple cost/benefit analysis. They know that ~N passwords will be stolen each year, and can guess that increasing their password strength will reduce this to ~M but lead to an extra cost C in support and possibly lost business. They will also know the average cost per breach. Given that, it’s a straight cost/benefit calculation to decide what to do.

        Since there’s no reputational risk for a bank if a customer’s password is stolen, allowing weak passwords and taking the resultant loss as a business expense may make perfect sense.

        One interesting comparison that wasn’t done for the paper would be to compare the password policies of banks aimed at high-net-worth individuals (e.g. Coutts) with those of high street banks. One would expect the former to have stronger password policies since their cost per breach is much higher. Even that mightn’t tell us much though, since they could decide that annoying their very valuable customers with strong passwords isn’t worth the loss of custom and instead just monitor accounts closely and insure against loss.
      2. There’s a basic category error in the types of account compared. Comparing a bank customer’s account with a University account isn’t like-for-like. The University account is almost certainly single sign-on, and so gives access to data, login rights etc. To compare the two, you’d have to compare the password policies the bank applies to its staff accounts. I’ll put money on the policy not being the same as for customers, and it may well be stronger than that required by the University (e.g. using 2FA).
      3. Following on from these two, we get to reputational risk, or the maximum possible loss from a breach. The maximum loss from a user account is bad: loss of commercially confidential or other sensitive data (c.f. the recent hack at UEA). This is just a re-stating of points 1 and 2: given the category error of confusing the two types of accounts, the authors’ argument that commercial sites have stronger password policies because of market forces doesn’t follow.
      4. Finally, for ad-supported sites, I’d expect weaker password policies. Companies protect their customers’ interests, and the customer isn’t the user; it’s the advertisers. Here the commercial imperative is to get eyeballs, and the main reason to have logins at all is probably just to gather more user data.

      I was rather disappointed in this. Herley’s previous papers, especially So long and no thanks for all the externalities have been excellent, but this one seems a bit of a Friday afternoon special.

    • Password ageing: how long should a password last?

      It’s that audit time of year again, and password ageing comes up again. Across the sector there’s a wide variety of policies ranging from never expire to every 90 days and can’t reuse the last 20+.

      So, is there any evidence for doing this?

      If Mathematics is only concerned with three numbers (0, 1 and infinity) and computing with two (0 and 1) then maybe the place to start is with the difference between some ageing and none.

      Before we can do that, however, we need some threat models. What are we trying to protect against by forcing users to change their passwords? Here are the six threats I came up with:

      1. Password stealing malware
      2. Passwords shared unofficially
      3. Un-authorised use of shared accounts
      4. Passwords that no longer meet the complexity standard enforced for new/changed passwords
      5. Password guessing
      6. Password cracking (e.g. with Crack or John the Ripper)

      So let’s test our long-term change policy against these. Let’s say we age passwords once a year.


    • Google Chrome and passwords

      I’m really surprised to hear (via LWN.net) that Google Chrome doesn’t use a master password to encrypt stored passwords. Clearly everyone that uses Chrome has their disk encrypted. Erm…..

      In that same article, I also came across the “Free as in Beer but not as in Freedom” LastPass password manager. It runs as a plug-in to IE, Firefox and Chrome. I can’t see any great benefit when using Firefox over setting a master password and using Weave, but for IE or Chrome this looks very good. It also solves a problem that most people haven’t even considered yet: that of encrypting the storage of forms/passwords etc. on mobile devices. The mobile version costs, but not a lot.

      Once I get an Android phone, I see this going on it asap.

    • Passwords: the failure of two factor auth

      Although the leak of 32 million passwords from RockYou is somewhat old news, two things that happened today brought it back to mind.

      First, there was an excellent discussion on the Security Metrics list about the incident. The most obvious takeaway from it is how bad the passwords people choose are. From CXO we learn that the most common passwords are:

      1. 123456
      2. 12345
      3. 123456789
      4. Password
      5. iloveyou
      6. princess
      7. rockyou
      8. 1234567
      9. 12345678
      10. abc123

      with “123456” being chosen by ~1% of the sample. Clearly these weren’t sites that placed any restrictions on the strength of passwords!

      This agrees with my findings from running cracklib against a NIS file from a site that didn’t enforce any password complexity requirements. The most common choice for a password was to make it the same as the username, with “abc123” and “123456” also making a strong showing. (When we suggested to one of these users that “abc123” wasn’t a great password, he replied that it was an excellent password as no hacker would think he’d be stupid enough to choose such a bad password!)
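      An added example, not code from the post: the two checks that the RockYou list and the cracklib run over the NIS file point to (common password, password equal to username), run as an audit over a constructed account list, alongside the CSPRNG generation and entropy of a manager-generated password like the ‘eRxz%b3gtV’ in the first post. The generator alphabet, the 8-character floor and the sample accounts are assumptions.

```python
import math
import secrets
import string
from collections import Counter

# The ten most common RockYou passwords quoted in the post (lower-cased).
COMMON_PASSWORDS = {
    "123456", "12345", "123456789", "password", "iloveyou",
    "princess", "rockyou", "1234567", "12345678", "abc123",
}
# Assumed generator alphabet (letters, digits, a few symbols), chosen to
# resemble the post's sample 'eRxz%b3gtV'; 69 characters in total.
GENERATOR_ALPHABET = string.ascii_letters + string.digits + "!%$#@&*"


def check_password(username: str, password: str) -> list[str]:
    """Return the policy problems found; an empty list means accepted."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    if password.lower() == username.lower():
        problems.append("same as username")
    if len(password) < 8:  # assumed floor, not a rule from the post
        problems.append("shorter than 8 characters")
    return problems


def audit_accounts(accounts: list[tuple[str, str]]) -> Counter:
    """Count each problem across (username, password) pairs, cracklib-style."""
    counts = Counter()
    for username, password in accounts:
        counts.update(check_password(username, password))
    return counts


def generate_password(length: int = 10, alphabet: str = GENERATOR_ALPHABET) -> str:
    """Draw a password from the OS CSPRNG, as a password manager does."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_bits(length: int, alphabet: str = GENERATOR_ALPHABET) -> float:
    """Entropy in bits of a uniformly random password: length * log2(|alphabet|)."""
    return length * math.log2(len(alphabet))


# Constructed sample accounts in the shape the post's NIS audit turned up.
SAMPLE_ACCOUNTS = [
    ("alice", "alice"),             # same as username
    ("bob", "abc123"),              # on the top-10 list
    ("carol", "123456"),            # on the top-10 list
    ("dave", generate_password()),  # manager-generated, should pass
]
```

A 10-character password drawn uniformly from this 69-character alphabet carries about 61 bits, which is why the post can say it doesn’t matter that nobody can remember it.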

