Neilsen on password security vs usability

I read Jakob Neilsen’s post on password security, and although he has a point, there are several issues as to why this is a monumentally bad idea.

First, passwords are a fundamentally bad idea for all data risk classifications. Instead of trying to make passwords more usable, how about getting rid of them?

Second, exposing folks’ passwords in a shared environment will expose them in more ways than one. For example, most folks use the same password everywhere. I used to do this when I was 16. Then I migrated in 1989 to having low, medium and high security passwords. Then about five years ago, I migrated to using long random passwords for nearly everything. I do not know my password for my blog. I cut n paste my passwords from a password manager. I’m ashamed to say that I still use the low security password from 1989 from time to time – mostly to recover access to long lost internet sites. So if your social networking site – where you’ve evaluated YOUR risk to be low, well… that user uses the same password EVERYWHERE, including high risk sites such as Internet Banking, for tax, for their insurance login, etc.

Third, malware that currently snaps screens when used with visual keyboards (security theater!) will have a bonus time with this scheme, or any scheme like it (think iPhone where the last character typed remains on the screen for a second or so and then becomes a bullet). However, if you have malware, you have more interesting problems than just clear text passwords.

I am all for killing passwords. They are crap. They are insecure. They are hard to remember. IT Security folks with NO UNDERSTANDING of human nature or how this terrible usability costs the business ask us to change them every 30 days and you can’t have the same password for the last five years and the password must not be a dictionary word and must contain punctuation and numbers and upper and lower case characters. The only people who can do that without ringing the help desk are the tin foil hat people like me who use password managers with long random passwords. I love going to sites with those sort of rules – the passwords are nearly universally on post it notes or written on the cubicle wall or dry erase board. Dumb!

So how do we improve the situation? I strongly believe that for the average user, the browser should take over the credential for the user. A nice auto-generated certificate login managed basically transparently by the browser’s credential manager makes the most sense. This should be able to export to a standard file format that all the browsers agree upon so that users can upgrade their machines, and move amongst them. Obviously, Apple already has MobileMe to help sync those credentials around, and this will help folks like me with more than one computer. If you’re out and about and need to log in remotely, you log in to MobileMe (or similar), and approve the site you want to log on to for (say) 10 minutes from the computer you’re currently on. Then you go to the site you want to go, like Wikipedia or Travelocity with your full strength credential… that will not stay on that machine and will not work after a few minutes.

For value transactions, the use of SMS transaction signing and two factor transaction signing should be mandated where PII, finanical or health data is concerned.

Then we can put passwords out of their misery, and folks never need to remember their passwords ever again. Jakob is right – passwords suck. It’s time for them to die.

Comments

6 responses to “Neilsen on password security vs usability”

  1. Wireghoul Avatar

    I commented on the appsec street fighter blog as well.
    Password complexity is meant to make the passwords harder to brute force, yet password length far outlast complexity and there is no reason you cannot have a simple yet long easy to remember password.

  2. AbiusX Avatar

    Hi there, I strongly agree. Had a presentation about 2 years ago about passwords and people loved it. I think less than 1% of people use Password Managers (i do) and i think those aint good as well, since you’ve got to have them on your PDA or always carry them around on your notebook.

    My solution is, every entity should have a digital certificate assigned with himself, somewhere around, and have its counter-part in a token or on a secure space accessible everywhere, and access that storage with a password:D

  3. AbiusX Avatar

    and to Wireghoul, try http://www.passcracking.com to see how long-easy-to-remember-password s do! Its not about brute-force at all. Your 5 letter pass would take a zillion years on brute-force, since only stupid systems allow you to brute-force them!

    Take a peek at Hellman’s Time Memory Trade-off for more info.

  4. Wireghoul Avatar

    @AbiusX
    Sorry for the late follow up…
    Well I explicitly said from a brute force perspective. In the other end my long passwords usually consist of a sentence that containa 8+ character complex password. A silly example would be setting my password to:
    “to access my email I enter #eXgp6)Q”
    quotes included, and if I advice others I usually recommend combining their normal password with a street address or email address not directly related to them and add some meta, ending up with something like;
    abc123!6 Johnson Place,55123,Wisconsin

    Neither ones are particularly weak to dictionary attacks.

  5. AbiusX Avatar

    @Wireghoul
    But there’s a trade-off among simplicity and security there, And I bet users would rather cut their own head’s off than to have passwords like these remembered and actually used in different scenarios, including the point that both the meta and data are not directly related to themselves!

    I think using a password manager here with a complex 20 char or 12 char mixture works best, and thats what me and my guys are using and suggesting to other people,

    BTW tnx for the follow up.

  6. Clive Robinson Avatar
    Clive Robinson

    There are a couple of problems with client/container certificates.

    The first is “tracability”, the second is “context and roles”.

    Both arise from the “geek think” technical solution to human problem issue (which is where passwords originated from).

    The saying “on the Internet nobody knows your a dog” makes the average person think they have the ability to be anonymous however in reality the Internet does not care if you are a dog or not only if you are a “good dog” or a “bad dog”.

    But humans like cut jems have many sides to them and all give a different perspective.

    Humans have many different aspects to them

    1, proffesional
    2, work
    3, social
    4, family
    5, spouse

    And many of us actualy keep these areas of our lives seperate out of self protection. Further we break these down into sub groups.

    In Face to Face (F2F) off-line communications most of us automatical assume a “context” within which we have a “role” at the time. We give them names such as “proffesional manner”, “loving parent”, “devoted spouse”, etc.

    If you use the wrong “role” in a given “context” you commit an error or “gaff”.

    As humans we have a myriad of informal protocols to let others know they are commiting a gaff in a F2F context. Usually gaffs are mildly embarising fairly quickly resolved and forgoton, unless they are repeat offenders in which case they tend to be rejected by others in that context (it should be noted that “geeks” tend to have ASD and cannot see the contexts or respond to the subtal protocols).

    One joy of the Internet is it “never forgets” and has a habit of “remembering” “inconveniant statments” and “embarising behaviour”.

    Another is it is relativly easy to search so such “inconveniant statments” or “embarising behaviour” that are on-line are easy to find if they can be linked to an individual (traceability).

    There are other issues with the Internet in that it has no notion of context or roles, and importantly it is not only “broadcast public” but permanently so. And as such there is no place to hide, not just currently but from your past as well.

    We have all seen or heard people being interviewed on TV get asked about their past views. Often the snipet used is taken out of context and used as a “political tool”

    A client certificate is a sure fire way to link even suposadly “anonymous” comment back to a persona.

    Therefore we need not client or container certificates but role certificates, and the tools to handle them correctly.

    Otherwise in just a few years certificates will be just as discredited as passwords are.

Leave a Reply

Your email address will not be published. Required fields are marked *