Forcing users to use insecure passwords

30. November, 2009

Q: What’s the most efficient way to force your users to use insecure passwords?
A: Try to force them to use secure ones.

What’s a secure password? It’s complicated, unguessable, easy to remember, contains several strange characters, different per site, changed often.

But how much security can you buy with that?

Changing your password helps to lock out people who have cracked your password. But unless they are in for long time surveillance, crackers will abuse your account within five seconds of cracking it. In the usual scenario, (i.e. when the crackers is not your better half), changing your password buys you nothing. It’s enough to wait for a mail which says that you account has been cracked and change the password then.

Different passwords for sites looks like a good idea but this only has an effect when a cracker manages to crack your password in one place and has list of other accounts. Usually, they crack your account for a specific purpose, not to compete in a find-them-all contest. So that doesn’t buy us much, either.

Strange characters look like a good idea until you travel and sit in front of a foreign keyboard in an Internet cafĂ©. Yay, hide and seek! And if you’re using a complex algorithm to build your password which includes strange characters, you’ll encounter the odd site which expects you to either have more or less strange characters in your passwords. Also, unless you’re a software developer, you’re not used to all the strange symbols which your computer can produce.

Easy to remember is at odds with hard to guess and complicated.

Lastly, good passwords don’t protect you against the most common forms of attack: Phishing and keyloggers.

Links: “So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users” (Cormac Herley, Microsoft Research)