2011-05-08

Speak, friend, and enter

Ubiquitous and universal single sign-on is never going to happen.  Everyone wants to own the user, or at the very least not relinquish control of the user to possible competitors if they can help it.  This just seems to be a fact of life, whether informed by reason or fear.  A bit of both, I suppose.

This of course means that we need to keep track of gazillions of passwords.  Which is a problem.  A balancing act between convenience and security.  Every so often you are faced with another registration screen that requires you to type in a password.  And what on earth should you type in?

You may have a system for choosing passwords -- in itself a security risk, but still a very common way to cope with the massive number of accounts you have without having to write anything down.  The risk is that someone will figure out your scheme.  The gamble is that a) the scheme won't be self-evident from a cursory study of one or a few samples, and b) you are not that interesting, so why would anyone invest time in cracking your password scheme?

So, you are looking at a form and you need to choose a password.  You type in something and the validation scheme of the site says you can't use that as a password.  This is annoying.  Because it means you have to come up with something that might be harder to remember.  Perhaps you'll even have to write it down to ensure you remember it.

I particularly dislike password validation schemes that require you to enter mixed case characters and digits with a minimum length of N characters.  I have a theory that this does not enlarge the search space for possible passwords:  it is going to severely limit the space.  Why?  Because we're human and it is very likely that we are going to pick a memorable password string that has these properties.

Ask yourself:  what information has mixed case and a number and will be easy to remember?  What are the first 5 password schemes you can think of that use information you would remember and that have these properties?  Next, how much of this information exists in some form in the public space?

I believe the correct response to this question contains at least one expletive.
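To make the argument concrete, here is a small added example (my own code, not from the post) that puts the two views of password strength side by side.  It assumes a policy of the kind described above with N = 8, a constructed five-word stand-in for a frequency dictionary, an assumed word-list size of 10,000, and a deliberately simple attacker model: a dictionary word, optionally capitalised or "leet"-substituted, followed by one to four digits.  The multipliers in `pattern_bits` are assumptions, not measured figures.

```python
import math

# Assumed site policy of the kind the post describes: mixed case, at least one
# digit, minimum length N.  N = 8 is an assumption, not a value from the post.
MIN_LENGTH = 8

# Constructed stand-in for a frequency dictionary.  A real word list has tens of
# thousands of entries plus target-specific words from a dossier; DICT_SIZE is the
# assumed size of that list and is what the guess count below is based on.
TOY_DICT = {"password", "welcome", "summer", "london", "fido"}
DICT_SIZE = 10_000

# Common "leet" substitutions, undone before the dictionary lookup.
LEET = str.maketrans("4301$!", "aeolsi")


def passes_policy(pw: str, min_length: int = MIN_LENGTH) -> bool:
    """The validation rule the post complains about."""
    return (len(pw) >= min_length
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw))


def naive_bits(pw: str) -> float:
    """Strength the policy author imagines: every position drawn uniformly from
    the union of the character classes that appear in the password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII punctuation and space
    return len(pw) * math.log2(size)


def pattern_bits(pw: str):
    """Work needed if the password follows the template the policy nudges people
    toward: a dictionary word, capitalised or leet-ed, followed by 1-4 digits
    (a year, an age, a plain "1").  Returns None if the template does not fit.
    The multipliers are an assumed, deliberately simple attacker model."""
    for ndigits in range(1, 5):
        if ndigits >= len(pw):
            break
        word, digits = pw[:-ndigits], pw[-ndigits:]
        if not digits.isdigit() or len(word) < 3:
            continue
        base = word.translate(LEET).lower()
        if base in TOY_DICT:
            # word choice x 3 capitalisation variants (lower/Initial/UPPER)
            # x 2 (leet or not) x every digit suffix of this length
            guesses = DICT_SIZE * 3 * 2 * 10 ** ndigits
            return math.log2(guesses)
    return None


def assess(pw: str) -> dict:
    """Summary a reviewer of a password policy could look at side by side."""
    pb = pattern_bits(pw)
    return {
        "password": pw,
        "passes_policy": passes_policy(pw),
        "naive_bits": round(naive_bits(pw), 1),
        "pattern_bits": None if pb is None else round(pb, 1),
    }


if __name__ == "__main__":
    # Constructed samples: two template-shaped passwords that satisfy the policy,
    # one random string, and one long passphrase the policy rejects.
    samples = ["P4ssw0rd1", "Summer2011", "xK9#qLm2pZ",
               "correct horse battery staple"]
    for sample in samples:
        print(assess(sample))
```

The naive figure grows with every character, so "Summer2011" looks like roughly 60 bits; under the template model it is dominated by the size of the word list and comes out under 30.  The one sample neither model finds cheap, the long passphrase, is the one the policy rejects.  Real strength estimators (zxcvbn, for instance) use much larger dictionaries and many more templates than this toy, and the gap only widens.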

Unlike in the movies, where the hacker manually types in passwords until he or she succeeds, in the real world you have web crawlers, you have frequency dictionaries, you have oodles of neat software to look for patterns and you have ways of automatically assembling a dossier on your target.  A dossier that can be used to generate password candidates.  Password candidates that can be used to mount a brute force attack.

(Okay, so sometimes it happens like in the movies.  Sarah Palin's mail account was broken into because her security question asked for information that was readily available on her wiki page.  This is why security questions to enable password reset are a Really Bad Idea.)

We have to assume that the people who write validation code for websites are not going to be experts in information theory, psychology or cryptography.  This is why I wish people who actually know something about this subject would put together a sort of manual of sound practices in designing password validation and helping people choose sensible passwords.

I know nobody wants to stick their neck out for fear of criticism.  Especially not people with computer security backgrounds, since they have the most to lose if they were to write something that just makes things worse (which is a very real possibility).  But I wish that at least some design guidelines or a brief discussion existed that programmers could have a look at before adding counterproductive password validation schemes to their websites.  A go-to resource that "everyone" knows about.

Before we part I thought I'd point out that possibly the biggest security risk is right in front of you.  You're looking at it.  Your browser.  It most likely has a cache of a considerable number of passwords that you use to access your most important web sites.

How well guarded do you think that password database is?

1 comment:

  1. 1Password or similar tools are a step in the right direction, I think. Sort of a local SSO option. But I don't think I could get my grandma to understand it. Schneier has mentioned that a slip of paper in your wallet is an ok security measure for this sort of thing as well.

    Implanted chips and NFC, FTW! :-)