sys·ad·min·ol·o·gy [sis-ad-mih-nol-uh-jee]

noun

  1. The scientific study of system administration and related phenomena.

Thursday, 20 December 2012

The wisdom of the crowd? Not with Passwords!

Passwords, the ever present staple of computer security everywhere. They have been chosen, in part by the today’s security conscious forbears, and in part by the rest of us in our eager adoption as the de facto standard for securing everything from accounts to telephones.

But how effective are they? Well that depends on the password. A password should be hard to guess, but must be easy to remember. If it’s not easy to remember, then as any Security professional will tell you, users have a nasty habit of writing it down. I for one know of several people that write down all of their passwords in a book.
However users are people, and so, will tend to go for the path of least resistance. And in some cases that means passwords that are very easy to remember, but also, very easy to guess! This is great news for hackers, not so great for users (especially if an important account gets hacked!) But contrary to what you might think, it’s not catastrophic!

Before you think I am going crazy, I am not saying that any account being hacked is a good thing. But we know hackers, they like to do things by volume, so if your account is compromised, then you can be pretty sure you’re not alone! Cold comfort perhaps, but in general, whatever information is available to hackers, is also available to those of us fighting the hackers.

So back in December 2009 when hackers stole over 30 millions passwords from the social gaming site RockYou, sure it gave hackers access to a lot of peoples accounts, (and in some cases Facebook AND Myspace access too) but it also gave security professionals a large dataset with which to extract all sorts of interesting statistics on peoples password. These statistics would have been very hard to come by had the hacker not released some of the password data into the public domain.

So what did the statistics reveal about the hacked passwords?


Over 1% of users had chosen either 12345 or 123456 as their password. Ergo, in a database of 32 million accounts, than means that 352000 users had this very easy to remember password. That stat alone is like hitting a mother lode for hackers, and for security professionals alike. It also shows that RockYou should have implemented a password policy which demanded a certain level of complexity. As it turned out, they actively discouraged it by not allowing punctuation in their passwords!
So what else did the stats show? Typically, Korean or German passwords were the most secure, and interestingly, older people had more secure passwords than the young. What’s more the stats showed that users who’s account had been hacked (and the user was informed of the breach) chose no more secure passwords than before the breach.
Interestingly, "nag pages" that encouraged users to make their password stronger had no noticeable effect on the overall strength of user’s passwords. This frightening piece of evidence suggests that users don’t see their accounts security as their responsibility.

What can be done about users account security?


Clearly it’s up to the website authors to implement and enforce passwords of a certain complexity. Before you think, “yes but my site doesn’t store any credit card information” keep in mind that most users will re-use their passwords. Therefore, it’s not just about the security of your site, but of many others as well.
A fine balance must be achieved to effect a password complexity that is strong enough to withstand most attacks, but easy for the user to remember, and importantly to invent. The user of pass phrases is widely seen as a possible solution, and has been touched on here before. Pass phrases can used by memorising a line or phrase. In the spirit of the Star Wars Saga being released in 3d, lets use
"These aren't the droids you're looking for"
We take the first letter of each word, and turn it into our password: "Tatdylf" throw in at least two easy to remember digits, and you have a pretty strong password ( I wouldn't use this one though!)

No comments:

Post a Comment