However, these issues are not the main subject of this post. I wish to discuss online implementations, which take an already-challenging issue and make it many times worse. Passwords, although clearly flawed, are here to stay for the foreseeable future, due to their current ubiquity and simplicity. Some applications aim to improve usability, offering password hints to jog the memory of a forgetful user. Obviously this can reduce security, but if the hint is well-chosen it should only resonate with the appropriate party, not an attacker. Unfortunately, many websites try too hard and as a result make strong passwords virtually unusable, forcing users to downgrade their security and making them targets for attack. Below I will summarise several of the major flaws.
Whilst at an ATM, it is appropriate to have my PIN hidden; after all, any shady onlooker would be able to memorise four digits in a public place. These machines have large screens and a row of impatient customers standing behind you, so clearly obscuring the password is sensible in this case. However, we use passwords on a whole range of different devices, and in a whole range of different places. It is often hard enough to see your own phone screen in sunlight, let alone to steal a glance at another’s tiny screen. Although people generally select poor passwords, they are rarely four characters in length and would also be more challenging to memorise. Whilst we use our devices on the go, a lot of computer use still takes place in the comfort of our own homes, with only family members and pets as surveillance. The justification is security, but the need to fully retype a mistyped password can motivate users to make shorter selections. The use of the asterisk on Windows machines might be frustrating, but the Linux command line often does not even give an indication of the number of characters typed. Hiding passwords might be appropriate in the street or the workplace, but should not be essential.
A second gripe is with backup “security questions”, the archetypal example being “what is your mother’s maiden name?”. These are intended to offer an extra layer of protection if you forget your regular password, but unfortunately they just present an easier route for intrusion. We know that people often use their favourite football team or hometown as part of their password, but posing the question just gives further assistance to an attacker. In an age of social networking promiscuity and widespread data collection, discovering a parent’s details might be no challenge whatsoever. A more secure approach would be to reply to the question with a nonsense answer, but this relies upon you remembering a different, contextless “password”. Although password resets via email have their flaws, as I will discuss later, they are definitely preferable to these artificial questions.
Bafflingly, I have encountered several websites where I simply cannot use non-alphanumeric characters in my password. You want to use “$3c\/re_p@$$word”? You can’t! Despite most sites wisely advising their consumers to pick passwords from a large character set, a minority seem to be unable to process these symbols. This might be a blunt substitute for proper input sanitisation, with the administrators looking to avoid SQL injection attacks, or a limitation of the underlying software, but in either case it presents a problem for security. We can complain of users choosing substandard passwords, but sometimes they aren’t given a choice.
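To show why rejecting symbols buys nothing, here is an added example (not code from the original post) contrasting a character whitelist with the correct pipeline: salt and hash the password, and bind the stored digest with a parameterised query. The in-memory SQLite store, PBKDF2 parameters and the `users` table are assumptions for the demonstration.

```python
import hashlib
import hmac
import os
import re
import sqlite3
from typing import Optional, Tuple

# The password from the post; the sites in question would reject it outright.
EXAMPLE_PASSWORD = "$3c\\/re_p@$$word"


def naive_filter_accepts(password: str) -> bool:
    """The blunt approach the post complains about: only [A-Za-z0-9] survives."""
    return re.fullmatch(r"[A-Za-z0-9]+", password) is not None


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 (assumed parameters). Any character is fine here:
    the password is only ever bytes fed to a KDF, never text spliced into SQL."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def create_store() -> sqlite3.Connection:
    """Constructed in-memory user table holding only salt and digest, never the password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, digest BLOB)")
    return conn


def register(conn: sqlite3.Connection, email: str, password: str) -> None:
    salt, digest = hash_password(password)
    # Parameterised insert: the driver binds the values, so no character in the
    # input can change the statement. The symbol ban protects against nothing.
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (email, salt, digest))


def verify(conn: sqlite3.Connection, email: str, password: str) -> bool:
    row = conn.execute("SELECT salt, digest FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        return False
    _, digest = hash_password(password, row[0])
    # Constant-time comparison of the recomputed digest against the stored one.
    return hmac.compare_digest(digest, row[1])
```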
In discussion with colleagues several months ago, we came across the topic of login errors. One noted that despite most websites giving a generic “incorrect email/password” message, you can easily find whether an email address is registered by trying to reset the password. In an effort to increase security by confusing attackers, the vague error messages generally place a larger burden on ordinary users. Most people possess multiple email accounts: perhaps one for work, one for social media, and several that have been accumulated over the years. After all, we all have an address from our teenage MSN days like email@example.com that seemed like a great idea at the time. Although we also reuse passwords (even though we shouldn’t), we might go through different iterations over the years. This creates a quadratic problem, where we need to match the right address with the right password, greatly increasing the effort for a forgetful user. The website owner’s rationale is clear, but usability shouldn’t always be sacrificed for security.
Naked Security cleverly highlighted the weakness of password strength testers earlier this week. Rather than employing the pen-testing technique of a dictionary attack, or seeding the cracking software with information known about you, they generally analyse the length of the phrase and character set. It should be obvious that “password123456” is less secure than “qmgsdrtztj”, despite the fact that the latter is shorter and contains no numbers. This leads users to select passwords that appear secure but might actually be vulnerable to attack. However, these testers are still better than nothing if they encourage people to use passwords longer than 8 characters.
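The two scoring approaches described above, as an added example that is not part of the original post: a length-and-character-set score of the kind the strength testers use, beside a check that mimics a cracker’s mangling rules (undo leetspeak, strip trailing digits, look the base word up). The tiny wordlist and the substitution table are constructed stand-ins for a real cracking dictionary.

```python
import re
from typing import List

# Constructed mini wordlist standing in for the dictionaries that cracking tools ship with.
WORDLIST = {"password", "letmein", "qwerty", "football", "liverpool", "welcome"}
# Common leetspeak substitutions that a cracker's mangling rules undo first.
LEET = str.maketrans({"@": "a", "0": "o", "3": "e", "$": "s", "1": "i", "!": "i"})


def naive_score(password: str) -> int:
    """Length-plus-character-set scoring of the kind the post criticises.
    It rates 'password123456' above 'qmgsdrtztj' because it is longer and has digits."""
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]"))
    return len(password) + 2 * classes


def dictionary_weaknesses(password: str) -> List[str]:
    """Reasons a dictionary attack would find the password quickly; an empty list
    means none of the modelled rules matched (not proof of strength)."""
    reasons = []
    # Mangling rule 1: strip a trailing run of digits/symbols ("password123456" -> "password").
    core_raw = re.sub(r"[\d\W_]+$", "", password)
    # Mangling rule 2: undo leet substitutions ("p@ssw0rd" -> "password"), ignore case.
    core = core_raw.translate(LEET).lower()
    tail = password[len(core_raw):]
    if core in WORDLIST:
        reasons.append(f"base word '{core}' is in the wordlist")
    if tail and re.fullmatch(r"\d+", tail):
        reasons.append(f"trailing digits '{tail}' are a standard mangling rule")
    if re.search(r"0123|1234|2345|3456|4567|5678|6789", password):
        reasons.append("contains an ascending digit sequence")
    return reasons
```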
My final problem doesn’t have a clear solution. It is inadvisable to leave all your security eggs in one basket, but we frequently do this with password reset emails. When you sign up for an account, you provide your email address in case you forget your password. The result is an accumulation of different online accounts only as strong as the one email account. If that password is compromised, attackers can browse through your emails to understand your subscriptions, navigate to those sites, and make password reset requests. Within a couple of hours, you can find yourself locked out of your own online life, including that master email once its password has been changed. Two-Factor Authentication (2FA) improves this situation, requiring an SMS code in addition to a password to access important emails. Login alerts can also help warn a user that their account has been breached, hopefully limiting the damage an attacker can inflict. Whilst it would be prudent to register using a host of different email accounts, people generally don’t work like that. The reset system is certainly preferable to cleartext password reminders and unwise security questions; just make sure your master password is very difficult to crack!