Welcome to the SecAware blog

12 Aug 2017

NBlog August 12 - passwords, again

A survey of password security on 48 popular websites [by a company selling a password vault system] 'reveals' that several don't enforce password parameters [that pretty much any password vault system would fulfill]. It also reveals an issue for online organizations whose users may or may not use password vaults.

With a click or two, users with password vaults can easily generate and regurgitate very long, complex, unique passwords, no problem. Sensible vault users don't particularly care what password parameters websites define, just so long as the sites don't unduly constrain their choice of long, complex, unique passwords. From my perspective, sites that prevent me choosing passwords longer than, say, 16 characters, or passwords with spaces, punctuation and other "special" characters, are intensely annoying, and also very revealing: such organizations are evidently not clued-up on user authentication. They are inadvertently whispering "Hack us!".

On the other hand, non-vault users need their passwords to be easy enough both to generate and remember. Often that means short, simple passwords, typically the same or similar across multiple sites. They - the users - are the limiting factor. 

Websites that let users set weak passwords are asking for trouble in terms of low-assurance user authentication. 

On the other hand, websites that demand strong passwords are also asking for trouble from users who can't be bothered, or can't remember their passwords, or write them down, or ... whatever.

The managers behind such websites are therefore stuck between a rock and a hard place.

Some try to deal with this issue by displaying 'password-strength-o-meters', those bars that head from red through orange to green as passwords grow stronger - at least, we presume so. Since there is no universal standard for password-strength-o-meters, we can only guess at what they are indicating ... in just the same way that the 'researchers' who produced the 'survey' arbitrarily chose 5 parameters to 'research'.

There might be a better way to deal with this, namely a kind of captcha or automated test to determine whether the person behind the screen has the benefit of a password vault, or not. If so, let the vault take the strain. If not, the users need all the help they can get. A password complexity metric is one approach since people are so much worse (and slower!) at generating long, complex passwords than machines.
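As an added illustration of the complexity-metric idea (my own sketch, not code from the survey or from any vault product), the block below estimates a password's entropy from its length and the character classes it uses, applies a site policy that constrains only a generous maximum length (so vault users are not penalised), and flags passwords that look machine-generated. The 80-bit and 16-character thresholds are assumptions chosen for the example, not a standard.

```python
import math
import string

# Constructed example: a simple password complexity metric, not the survey's
# five parameters nor any published standard. Entropy is estimated as
# length * log2(pool size), where the pool is the union of the character
# classes actually present in the password.

CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),  # spaces count as symbols here
}

def estimate_bits(password: str) -> float:
    """Estimate entropy in bits, assuming uniform choice from the used classes."""
    pool = 0
    for chars in CLASSES.values():
        if any(c in chars for c in password):
            pool += len(chars)
    # Characters outside the four classes (e.g. non-ASCII) widen the pool a little.
    if any(all(c not in chars for chars in CLASSES.values()) for c in password):
        pool += 32  # assumed extra pool size for "other" characters
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)

def looks_vault_generated(password: str, min_bits: float = 80.0) -> bool:
    """Heuristic (assumption): long, high-entropy strings drawn from three or
    more classes are what vaults emit and humans rarely type. Not a proof."""
    used = sum(1 for chars in CLASSES.values() if any(c in chars for c in password))
    return len(password) >= 16 and used >= 3 and estimate_bits(password) >= min_bits

def site_policy_ok(password: str, max_len: int = 128) -> tuple[bool, str]:
    """A policy that does not unduly constrain vault users: only a generous
    maximum length (to bound hashing cost) plus an entropy floor for everyone."""
    if len(password) > max_len:
        return False, "too long for the hashing back end"
    if estimate_bits(password) < 40:
        return False, "too weak: lengthen it or add character classes"
    return True, "ok"
```

Used at sign-up, the `looks_vault_generated` result lets a site skip the strength meter and nagging for vault users while still coaching everyone else.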
