Strong passwords fine, but not necessarily necessary

Randall Stross, writing for the New York Times last week, has a good article up about the necessity of strong passwords.  For those of us in the security industry, when we say “strong passwords” what we mean is one that has a lot of characters (usually at least 10), contains upper case and lower case letters, contains at least one number, and a really strong password would also contain a non-standard character such as +, *, $ or %.  The reason for having such a long password is that the number of combinations an attacker has to try when guessing blindly grows exponentially with the length and with the size of the character set, so a brute force attacker would take an exceedingly long time to exhaust them.  For example, if you have a six character password and it is all lower case, then an attacker who knows this has only 26 ^ 6 = 308 million combinations of letters to try.  That is impossible for a human but not for a computer.  However, if you have 10 characters drawn from letters, numbers, and the non-standard characters on a typical US keyboard (84 characters in the count used here), then it is 84 ^ 10 = 17.5 million trillion combinations.  It would take a computer an inordinate amount of time to work through that, and by the time it did (barring a lucky early guess) the information contained therein would be useless (global warming will have caused us all to go extinct by then).  Note that this arithmetic assumes the attacker actually gets to try every combination at machine speed, which is true for an offline attack against a stolen password hash but, as we will see, not necessarily for guessing against a live login form.

Unfortunately for us in the security industry, we often miss the bigger picture.  We want users to have complex passwords, but the reality is that users forget them. They write them down and put them in obvious locations, and that kind of defeats the purpose of a secure password.  Humans are the ones responsible for maintaining password security, and humans use heuristics – mental shortcuts designed to reduce processing effort and speed up decision making.  If a password has to be changed routinely, and we have to do it for a lot of accounts, we simply cannot keep up with the amount of mental baggage that this takes.  And so we reuse the same ones.  And we sometimes use ones that are simple for us to remember.  In fact, we do a lot of things that are designed to make it easier, against the advice of the security industry.

According to Microsoft Research, part of the problem for us in the security industry is that we keep assuming the brute force attack model, in which the attacker gets to try every combination as fast as a machine allows.  From the article:

A short password wouldn’t work well if an attacker could try every possible combination in quick succession. But as Mr. Herley and Mr. Florêncio note, commercial sites can block “brute-force attacks” by locking an account after a given number of failed log-in attempts. “If an account is locked for 24 hours after three unsuccessful attempts,” they write, “a six-digit PIN can withstand 100 years of sustained attack.”

So you see, we need to realize that a password policy is designed for humans.  A machine can do things in quick succession, but if you throttle the rate at which a machine can attempt to guess a password, suddenly the comparative advantage that a machine has over a human has been neutralized; a human could not react any faster anyhow.  If a machine has to wait seconds (or hours) between login attempts, then it is going to take forever to brute force someone’s six character password (barring a lucky guess).  Now we are accounting for human reality while at the same time protecting the very things we are trying to protect.  This mechanism, of course, would need to be tested.  For a commercial web site, you could allow only one login attempt/failure per 10 minute interval (AT&T does this).  Or, you could throttle on the combination of IP address and username for more granularity, but this weakens when a distributed attack is going on, that is, many computer systems attempting to log in to the same account in parallel from many different addresses.  Two more things to keep in mind when testing: a per-account lockout lets anyone who knows your username lock you out of your own account simply by failing the login on purpose, and it does nothing against an attacker who tries one common password against many different accounts, since no single account ever sees more than one failure.
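As an added example (not code from this post, from Microsoft Research, or from AT&T), here are the keyspace arithmetic from the opening paragraph and the lockout policy quoted from Herley and Florêncio (three failures, then a 24 hour lock) in Python.  The `LoginThrottle` class, the `check_password` callback, the credential table and the guess rates are all assumptions made for the illustration; `FakeClock` stands in for the system clock so the 24 hour window can be exercised without waiting a day.

```python
import time
from collections import defaultdict

# Character-set sizes used in the post: lower case only, and a mixed set of
# letters, digits and US keyboard symbols (84 is the count the post uses;
# the full printable ASCII set without the space is 94).
LOWER_ONLY = 26
MIXED_US_KEYBOARD = 84
PIN_DIGITS = 10


def keyspace(alphabet_size, length):
    """Number of candidate passwords an attacker must consider."""
    return alphabet_size ** length


def offline_worst_case_seconds(space, guesses_per_second):
    """Exhaustive search time when the attacker holds the hash and is
    limited only by hardware (the guess rate is an assumption)."""
    return space / guesses_per_second


def lockout_worst_case_days(space, attempts_per_window, window_hours):
    """Exhaustive search time when the attacker may only make
    attempts_per_window guesses before the account locks for window_hours."""
    windows = -(-space // attempts_per_window)   # ceiling division
    return windows * window_hours / 24


class FakeClock:
    """Stand-in for time.time() so the lockout window can be tested instantly."""
    def __init__(self, start=0.0):
        self.now = float(start)

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class LoginThrottle:
    """Per-account lockout: after max_failures consecutive failures the
    account rejects every attempt, correct password included, for lock_seconds."""
    def __init__(self, verify, max_failures=3, lock_seconds=24 * 3600, clock=time.time):
        self.verify = verify                # verify(username, password) -> bool (assumed)
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.clock = clock
        self.failures = defaultdict(int)
        self.locked_until = {}

    def is_locked(self, username):
        until = self.locked_until.get(username)
        if until is None:
            return False
        if self.clock() < until:
            return True
        del self.locked_until[username]     # window expired: start fresh
        self.failures[username] = 0
        return False

    def attempt(self, username, password):
        """True only when the account is not locked and the password is right."""
        if self.is_locked(username):
            return False
        if self.verify(username, password):
            self.failures[username] = 0
            return True
        self.failures[username] += 1
        if self.failures[username] >= self.max_failures:
            self.locked_until[username] = self.clock() + self.lock_seconds
        return False


# Constructed credential table for the demonstration (not real accounts).
_USERS = {"alice": "correct horse", "bob": "123456"}


def check_password(username, password):
    return _USERS.get(username) == password


if __name__ == "__main__":
    print("6 lower case, offline at 1e9 guesses/s: %.2f s"
          % offline_worst_case_seconds(keyspace(LOWER_ONLY, 6), 1e9))
    print("10 mixed, offline at 1e9 guesses/s: %.0f years"
          % (offline_worst_case_seconds(keyspace(MIXED_US_KEYBOARD, 10), 1e9)
             / (365.25 * 86400)))
    print("6 digit PIN, 3 tries per 24 h lockout: %.0f years"
          % (lockout_worst_case_days(keyspace(PIN_DIGITS, 6), 3, 24) / 365.25))
```

The two pieces of arithmetic make the post's point side by side: against a stolen hash the six lower case characters fall in well under a second at an assumed billion guesses per second, while the six digit PIN behind the quoted lockout needs over 900 years of sustained guessing.  The throttle also shows the cost of the policy: once alice is locked, her correct password is refused too, and because the counter is per account, an attacker who tries one password against alice, bob and everyone else never trips it.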

At the end of the day, says Microsoft Research, password policy is not very useful anyhow if you have keystroke logging malware on your computer.  You could have a great password, but if the sites you are logging into are having your passwords captured and sent back to the attacker, the best password in the world won’t help you; the attacker never has to guess at all.  Running good antimalware software is clearly the most important thing to counteract things like this.  Thus, while we do like to emphasize good password policy, asks Stross, are we prioritizing the right things in the correct order?

Comments (5)

  1. Martijn Grooten says:

    Very good point, Terry. If a system lets 'users' try to login many times in quick succession, then that system isn't secure, regardless of the user's password. (Still, it's not impossible for a person with bad intentions to get hold of some kind of hashed file — e.g. /etc/password on Linux — so having a secure password for important things keeps being a good thing.)

    On a related note: the beginning of the comic makes an implicit point about how it's better to have different mildly secure passwords for all accounts than it is to have one Super Secure password for all your accounts.

  2. Anon says:

    One solution to the "how to remember my passwords" problem is to utilize Password Gorilla: (…/wiki).  That way you can have both different and strong passwords for all your sites, without the mental effort of remembering any of them.

  3. Nathan says:

    Strong passwords make your password information less vulnerable to rainbow table attack. If I use upper-case, lower-case, numbers, and various keyboard symbols, I've made it very hard to crack my password with a rainbow table–the table will have to be exponentially larger.

  4. Tom says:

    True. I wish every website would only allow a few logins and then stall the user. What's even worse are websites that don't even allow longer phrases or symbols.

    But once a password gets into the wrong hands, criminals will have access to more websites as people tend to use the same password over and over again. And even software won't help as you don't always have it with you, right? I just stumbled a few hours ago across a very clever method to use a "single" password and still be on the safe side:

  5. I am using a piece of software (e.guardo) for this type of problem. It blocks IPs and my accounts are never locked on brute force attacks.