Welcome to the SecAware blog

I spy with my beady eye ...

18 Aug 2015

Persistently painful piss-poor password params & processes

Let me start by acknowledging that passwords are a weak means of authenticating people, for all sorts of reasons. I know passwords suck ... and yet passwords are by far the most common user authentication method in use because of two factors (pun intended):
1) Passwords are conventional, well-understood, commonplace, and the natural default 'no-brain' option. People are used to them and [think they] understand them. Passwords or PIN codes are almost universally built into operating systems and many apps, websites etc. 
2) Compared to other methods, passwords are fairly cheap to implement, manage and use. There is no need to invest in biometric sensors, PKI, crypto-tokens or whatever unless you need multifactor authentication ... in which case you probably still need passwords. 
That said, there are many different ways of employing passwords for user authentication, many design parameters, most of which affect the level of security achieved in practice. Designing and implementing relatively strong password authentication mechanisms is not nearly as trivial as it may appear to the untrained eye.

Take for example eBay and PayPal, formerly one company but now split. Given their common origin, one might have thought they would have similar approaches to passwords, and indeed they do. They both suck.

Both sites make it a mission even to find the 'change password' option in the first place. 
On eBay, there is nothing as obvious as a "Change password" menu option or button, oh no, that would be far too easy. After hunting around for a while, I eventually discovered the requisite option tucked away under 'Hi Gary!' --> 'Account settings' --> 'Personal information' --> 'Edit' the password line.
On PayPal, once again there is nothing as obvious as a "Change password" option/button. It is in fact under 'My account' --> 'Profile' --> 'My personal info' --> 'Change' the password line.
It is almost as if the eBay and PayPal IT teams have conspired to make their processes different. Are there good reasons, I wonder, why we have to 'edit' on eBay but 'change' on PayPal, or why it's 'account settings' on one but 'profile' on the other?  ... Or do you think perhaps nobody even bothered to check what the other was using?

The mission continues once we have found the password change function, since the password change mechanisms also differ: 
eBay first of all requires me to login again (since, I guess, the persistent eBay session may have been taken over by someone else), then to enter my old password, then the new password twice.
PayPal first of all requires me to enter my credit card number (in effect, a second password) then gives me the option to change either my password or my 'security questions', then to enter my old password, then the new password twice. 
Furthermore, the two sites define valid passwords differently.
The rules for valid eBay passwords are summarized in a tooltip ... 

... and separately, in more detail, in a pop-up help window:  

... which is fair enough.  There's plenty of advice there and the restrictions are sensible, although it is not clear whether the password is case-sensitive (I guess it is but it doesn't actually say so).
In contrast, valid PayPal passwords appear to be solely defined by a simple tooltip:
If there is any more detailed information on valid PayPal passwords, it is so well hidden that I can't find it, despite searching within help.
I don't know why PayPal restricts passwords to a maximum of 20 characters (quite long for a classic password yet too short for a decent passphrase) but perhaps it is a good thing since, most annoyingly of all, PayPal requires me to enter my new password, twice, manually: I am prevented from pasting in a very complex password generated by my password manager software. Consequently, I have two lame choices:
  1. I can think up a classic memorable password, type it in twice to the website then a third time to my password manager. This restricts the complexity of my password to one I can think up, remember and type easily, negating a large part of the value of using a password manager to generate long, complex passwords;
  2. I can generate a random complex password in the password manager, type it in twice to the website then paste it into my password manager. In practice, I can either mess around with window positions or write down the password on paper since the password generator function popup disappears when I go to enter it into the website - and there's an even greater chance of me mistyping a complex password at least once out of the two times I have to enter it.
So far, I have only commented on the 'change password' function from my perspective as a user of these two related websites, pointing out arbitrary differences in the menu choices, terminology, process and password parameters, and factors that make it quite hard to use long complex passwords. Curiously, despite being a banking/financial services company, PayPal's password rules restrict the maximum length of a password to just 20 characters whereas eBay allows a maximum of 64, hence a lot more entropy [I can't be bothered to figure how much more: I'll leave it as an exercise for the attentive reader]. 
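
The exercise left to the reader above, worked through as an added example (not part of the original post). Only the 20- and 64-character maxima come from the post; the 94-character printable ASCII alphabet, the 8-character minimum, and the 7776-word Diceware-style list with an average of 7 letters per word plus a one-character separator are assumptions.

```python
import math

ALPHABET = 94   # assumption: printable ASCII without space, accepted by both sites
MIN_LEN = 8     # assumption: the post does not state either site's minimum


def random_password_bits(length, alphabet=ALPHABET):
    """Entropy in bits of a password of exactly `length` symbols chosen
    uniformly at random (what a password manager generates). Human-chosen
    passwords carry far less than this upper bound."""
    return length * math.log2(alphabet)


def policy_keyspace_bits(min_len, max_len, alphabet=ALPHABET):
    """log2 of the number of distinct passwords of any permitted length."""
    total = sum(alphabet ** n for n in range(min_len, max_len + 1))  # exact integers
    return math.log2(total)


def passphrase_bits(max_chars, wordlist=7776, avg_word_len=7, sep_len=1):
    """Words of a random-word passphrase expected to fit in `max_chars`,
    and the entropy of that passphrase (assumed word list parameters)."""
    words = (max_chars + sep_len) // (avg_word_len + sep_len)
    return words, words * math.log2(wordlist)


def compare(maxima=(20, 64)):
    """Per maximum length: random-password bits, full keyspace bits,
    passphrase word count and passphrase bits."""
    rows = {}
    for max_len in maxima:
        words, phrase = passphrase_bits(max_len)
        rows[max_len] = (random_password_bits(max_len),
                         policy_keyspace_bits(MIN_LEN, max_len),
                         words, phrase)
    return rows


if __name__ == "__main__":
    for max_len, (rand, space, words, phrase) in compare().items():
        print(f"max {max_len:2d}: random password {rand:6.1f} bits, "
              f"whole keyspace {space:6.1f} bits, "
              f"{words}-word passphrase {phrase:5.1f} bits")
```

Under these assumptions the 20-character cap still leaves a randomly generated password well above 128 bits, while a random-word passphrase that fits in 20 characters is limited to two words.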

The 'forgotten password' processes are also different, and I strongly suspect the ways these two sites hash and store the passwords also differ, behind the scenes. Even the way the sites inform users that their passwords have been changed differs. There are still other password security aspects I haven't checked, for instance how many invalid password attempts are allowed, what happens once the limit is reached, what other information from the user's system/browser is used as part of the authentication, and whether either site blocks simple SQL injection attacks ... because I'm not a hacker and it's not my job. 

Aside from the specifics, the more general point is that despite these two sites coming from common stock, there are substantial but seemingly arbitrary differences in practically identical functions. Now consider all the other gazillion websites and apps Out There, each with their own password parameters, processes and constraints. There are no universal methods for users to manage our passwords, and limited consensus even on the minimal password requirements (in my experience, few sites today accept passwords of less than 6 characters being both letters and digits ... but some do).

Given how commonplace they are, isn't it odd that there are no generally-accepted global standards regarding passwords? Perhaps I should suggest just such a standard to ISO/IEC JTC 1/SC 27 for inclusion in the ISO27k suite - what do you think? It's not hard to envisage a standard giving advice on aspects such as password parameters, password change functions, password storage etc., along with the risk- and business-driven design, testing and implementation of password authentication and related processes. It might even be possible to come up with a limited suite of cases demonstrating the main functions in conformance with the standard, with a consistency so obviously lacking in practice today albeit perhaps with high/medium/low security variants for the corresponding risk levels. More than enough guts there for an ISO27k standard, I'd say, with further standards covering multifactor authentication, biometrics, PKI-based digital certificate approaches etc.

Meanwhile, think about your own organization. Do you currently have policies, procedures, standards and guidelines laying out consistent methods of user authentication, password management etc. for your systems and apps? Do your systems re-use properly defined, designed, developed and proven parameterized password functions, or indeed security functions as a whole? Do you even consider these issues when selecting commercial apps? Or are you happy to continue compromising your security and make your users' lives a misery (not to mention the long-suffering Helpdesk)?


1 comment:

  1. A colleague on CISSPforum pointed me at a cool JavaScript hack to regain the capability to paste stuff into such forms: http://www.prioritized.net/blog/re-enabling-password-pasting-on-annoying-web-forms/

    Feel the power! And remember, folks, that client-side scripting is modifiable.