Password Unprotected

By Megan McArdle
Sep 8 2010, 2:24 PM ET

I seem to be spending an inordinate amount of time these days resetting my password.  I used to have a handful of passwords which I rotated between types of sites--one for email, one for financial, etc.  But the number of sites that I use has grown, and so has the complexity that many of them demand.  This eventually triggered a sort of a vicious cycle--as I got more passwords, it became harder to remember which one I'd used where, and the number of passwords I'd employed greatly exceeded the three-attempt limit after which many systems lock you out.  That meant I needed to get my passwords reset, often by sites that do not allow you to recycle, so now I had even more passwords . . . 

What's left, other than an easily-hackable master list?

What ought to be left is that network administrators get more reasonable about their security requirements.  Instead, they're going in the other direction--longer passwords, more forced changes, more special characters that make the passwords harder to remember.  The New York Times discusses the ridiculous excesses of password security that are now prevalent in many places:

After investigating password requirements in a variety of settings, Mr. Herley is critical not of users but of system administrators who aren't paying enough attention to the inconvenience of making people comply with arcane rules. "It is not users who need to be better educated on the risks of various attacks, but the security community," he said at a meeting of security professionals, the New Security Paradigms Workshop, at Queen's College in Oxford, England. "Security advice simply offers a bad cost-benefit tradeoff to users."

One might guess that heavily trafficked Web sites -- especially those that provide access to users' financial information -- would have requirements for strong passwords. But it turns out that password policies of many such sites are among the most relaxed. These sites don't publicly discuss security breaches, but Mr. Herley said it "isn't plausible" that these sites would use such policies if their users weren't adequately protected from attacks by those who do not know the password.

Mr. Herley, working with Dinei Florêncio, also at Microsoft Research, looked at the password policies of 75 Web sites. At the Symposium on Usable Privacy and Security, held in July in Redmond, Wash., they reported that the sites that allowed relatively weak passwords were busy commercial destinations, including PayPal, Amazon.com and Fidelity Investments. The sites that insisted on very complex passwords were mostly government and university sites. What accounts for the difference? They suggest that "when the voices that advocate for usability are absent or weak, security measures become needlessly restrictive."

Speaking as a former network administrator, I think the breed substantially underestimates the inconvenience to which they are putting their users. That's because network administrators have to log in to the network many times a day on different machines, which keeps their absurdly long gibberish password fresh in their minds. Once that changes, the challenges of remembering a fifteen-character string of letters, numbers and special characters rapidly mount.

There's also an element of administrator convenience. The article offers the following explanation for long university passwords:

A short password wouldn't work well if an attacker could try every possible combination in quick succession. But as Mr. Herley and Mr. Florêncio note, commercial sites can block "brute-force attacks" by locking an account after a given number of failed log-in attempts. "If an account is locked for 24 hours after three unsuccessful attempts," they write, "a six-digit PIN can withstand 100 years of sustained attack."

Roger A. Safian, a senior data security analyst at Northwestern, says that unlike Amazon, the university is unfortunately vulnerable to brute-force attacks in that it doesn't lock out accounts after failed log-ins. The reason, he says, is that anyone could use a lockout policy to try logging in to a victim's account, "knowing that you won't succeed, but also knowing that the victim won't be able to use the account, either." (Such thoughts may occur to a student facing an unwelcome exam, who could block a professor from preparations.)

This is, bluntly, a lunatic reason for long passwords. In any sane system, such a tactic would work for about five minutes: the length of time that it takes the user to call the help desk and get the account unlocked. If you are worried about what happens after hours, you have multiple options: run the help desk after hours (shouldn't be too expensive with all the insomniac students available); set up a system that can send a one-time reset code to a cell phone or private email; allow people to retry logging in after an hour's wait; use a password-reset system that asks for user-provided information a malfeasant student wouldn't know.  All of these options are widely employed already, and can be readily adapted to your local environment.

It's as if they decided that the easiest way to prevent mugging was to force everyone on campus to walk around in body armor all the time. And of course, that is the easiest way--if you're a cop.
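As an added illustration (not code from this post or from Herley and Florêncio), the following Python works through the lockout arithmetic quoted above and implements the "retry after an hour" alternative from the previous paragraph: a per-account cooldown that expires on its own instead of a hard lock that needs a help desk. The user name, PIN and timings are constructed for the example, and the plaintext password table stands in for the hashed store a real system would use.

```python
"""Lockout arithmetic and a self-expiring login throttle.

Added example, not code from The Atlantic post or from the Herley and
Florencio paper.  The user, PIN and timings below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict

SECONDS_PER_DAY = 86_400
DAYS_PER_YEAR = 365.25


def years_to_exhaust(space: int, attempts_per_window: int, window_seconds: int) -> float:
    """Years an online attacker needs to try every one of `space` secrets when
    an account accepts at most `attempts_per_window` guesses per
    `window_seconds` (the lockout or cooldown window).  Expected time to the
    right guess is half of this."""
    guesses_per_day = attempts_per_window * SECONDS_PER_DAY / window_seconds
    return space / guesses_per_day / DAYS_PER_YEAR


@dataclass
class ThrottledLogin:
    """Per-account throttle.  After `max_failures` consecutive failures the
    account refuses logins for `cooldown` seconds and then reopens by itself,
    so a hostile third party can delay the victim by at most one cooldown and
    nobody has to call anyone.  A real deployment would also key the counter
    on source address, persist the state and compare against hashes; all of
    that is omitted here."""
    max_failures: int = 3
    cooldown: int = 3600                                     # one hour, as the post suggests
    passwords: Dict[str, str] = field(default_factory=dict)  # constructed users (plaintext for demo)
    failures: Dict[str, int] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)

    def attempt(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'bad' or 'throttled' for a login at time `now` (seconds)."""
        if self.locked_until.get(user, 0.0) > now:
            return "throttled"                  # even the correct password waits
        if user in self.passwords and self.passwords[user] == password:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1   # unknown users count too
        if self.failures[user] >= self.max_failures:
            self.failures[user] = 0
            self.locked_until[user] = now + self.cooldown
        return "bad"


def guesses_evaluated(login: ThrottledLogin, user: str, days: int) -> int:
    """An attacker enumerates the six-digit PIN space as fast as the throttle
    allows for `days` days; returns how many guesses actually got checked."""
    now, horizon, evaluated, pin = 0.0, days * SECONDS_PER_DAY, 0, 0
    while now < horizon and pin < 1_000_000:
        result = login.attempt(user, f"{pin:06d}", now)
        if result == "throttled":
            now = login.locked_until[user]      # nothing to do but wait it out
            continue
        evaluated += 1
        pin += 1
        if result == "ok":
            break
    return evaluated


if __name__ == "__main__":
    print(f"3 tries / 24 h lockout, 6-digit PIN: {years_to_exhaust(10**6, 3, SECONDS_PER_DAY):.0f} years")
    print(f"3 tries / 1 h cooldown, 6-digit PIN: {years_to_exhaust(10**6, 3, 3600):.0f} years")
    login = ThrottledLogin(passwords={"prof": "424242"})
    print("guesses checked in one day:", guesses_evaluated(login, "prof", days=1))
    # A hostile student burns the three tries; the professor is delayed one hour, not locked out.
    login = ThrottledLogin(passwords={"prof": "424242"})
    for wrong in ("000000", "111111", "222222"):
        login.attempt("prof", wrong, now=0.0)
    print(login.attempt("prof", "424242", now=10.0), login.attempt("prof", "424242", now=3600.0))
```

The arithmetic makes the quoted figure look conservative: three tries per 24 hours caps the attacker at about 1,100 guesses a year, so a six-digit PIN takes roughly 900 years to enumerate, not 100. Shrinking the window to an hour multiplies the attacker's rate by 24 and the same PIN falls in about 38 years of full enumeration, which is still not an online attack anyone will run; the window can be sized to the secret. The cost the throttle does not remove is the cooldown itself: whoever burns the three tries still delays the real user by one window, which is why source-address throttling and a self-service reset path belong next to it.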
