Delfigo Security - Strong Authentication

Passwords

Does a Strong Password Mean You Are Secure?

Does a strong password secure a user online? Can companies with strict or complex password requirements sit back and relax?

For a comprehensive view of how many popular sites compare to each other in terms of password/policy security, click here. Dashlane has given us an overview of how password policies on these sites compare to each other, which is important information to have when creating and using accounts online. However, once a password - no matter how complex it is - is compromised, users and sites are in danger again. Responding to CNBC in an article discussing these results, a spokesperson from Orbitz says: "We have always taken the security of our website and customer's personal information very seriously, and certainly long before this list was released...Password security does not necessarily guarantee website security, so we implement a series of industry standard security measures to keep our customer's information safe."

Orbitz's spokesperson is correct - a password policy alone isn't enough to assure a secure experience on a site, no matter how good it is or how well it stacks up against peers. To secure these interactions, additional methods are required. This can come in the form of two-factor or multi-factor authentication, risk-based analysis within a session, or any of a host of security strategies designed to secure an interaction without compromising user experience (for the legitimate user). No one factor can be relied on to "save the day".

 

A New Kind of Secure Password Policy?

An article this week on arstechnica.com highlighted an innovative new approach to password security at Stanford University. The policy is aimed at dynamically imposing requirements for password complexity based on the length the user chooses for their password, so that "short passwords must pass additional checks designed to flag common or weak passcodes (presumably choices such as "P@ssw0rd1", which can usually be cracked in a matter of seconds). The standards gradually reduce the character complexity requirements when lengths reach 12, 16, or 20 characters. At the other end of the spectrum, passcodes that have a length of 20 or more can contain any character type an end user wants, including all lower case."

This is an encouraging development on top of being a novel approach - passwords are so common that they won't be going away any time soon, and most password policies leave users extremely vulnerable and/or frustrated. Acknowledging that passwords will be part of a security strategy, but leaving a "one size fits all" set of requirements behind, this kind of policy both encourages users to create easy to remember, but more secure passwords, and applies rules based on choices made by the user. This is the kind of policy other organizations should look at to extend the value and lifespan of password requirements for their users. In closing, the author states "The elegance of Stanford's policy is that it eschews the one-size-fits-all approach most websites and networks take when attempting to ensure their users choose strong passwords. By offering increased flexibility, there's a better likelihood that people connecting to University services will remain secure. In an age when passwords have never been weaker and crackers have never been stronger, that's enlightenment indeed."
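
The length-tiered policy described above, sketched in Python as an added example (not Stanford's code and not part of the original post). The 12/16/20 thresholds come from the quoted article; the character classes required in each tier, the 8-character minimum, and the names check_password, looks_common, TIERS and COMMON are assumptions for illustration.

```python
import re

# Constructed sample blocklist, taken from the popular-password list quoted on
# this page; a real deployment would load a far larger list.
COMMON = {"123456", "password", "qwerty", "abc123", "iloveyou", "admin",
          "letmein", "monkey", "shadow", "sunshine", "princess", "azerty",
          "trustno1", "photoshop", "adobe123"}
# Undo common character swaps so "P@ssw0rd1" is compared as "password1".
LEET = str.maketrans({"@": "a", "0": "o", "3": "e", "$": "s"})

CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}
# (minimum length, required classes), longest tier first. Thresholds are from
# the article; the classes required in each tier are an assumption.
TIERS = [
    (20, []),
    (16, ["lowercase", "uppercase"]),
    (12, ["lowercase", "uppercase", "digit"]),
    (8, ["lowercase", "uppercase", "digit", "symbol"]),
]
MIN_LENGTH = 8  # assumption: the page does not state a minimum


def looks_common(password):
    """True if the password is a blocklisted word plus only digits/symbols."""
    lowered = password.lower()
    for form in (lowered, lowered.translate(LEET)):
        for word in COMMON:
            # Catches "monkey!!", "password1" and de-leeted "p@ssw0rd1".
            if form.startswith(word) and not re.search(r"[a-z]", form[len(word):]):
                return True
    return False


def check_password(password):
    """Return a list of policy failures; an empty list means accepted."""
    if len(password) < MIN_LENGTH:
        return [f"shorter than {MIN_LENGTH} characters"]
    required = next(cls for minimum, cls in TIERS if len(password) >= minimum)
    failures = [f"missing {name}" for name in required
                if not CLASSES[name].search(password)]
    # Only short passwords get the extra common-password check, as described.
    if len(password) < 12 and looks_common(password):
        failures.append("matches a common password")
    return failures
```

Under these assumptions "P@ssw0rd1" satisfies every character-class rule and is still rejected by the common-password check, while an all-lowercase passphrase of 20 or more characters is accepted.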

 

Popular Passwords - Time for a New Strategy?

Periodically, lists of the "most popular" passwords are released, and inevitably cause discussion around the need for stronger passwords and requirements for users.

 Slate's Will Oremus published the list with some interesting context, notably that "the report only tells us the popularity of the top 25 passwords relative to one another, not their absolute popularity. It’s conceivable, then, that both “password” and “123456” are less common across the Internet than they were a year ago. In fact, SplashData CEO Morgan Slain confirmed to me via email that the weakest passwords have declined in popularity in recent years—but only slightly. "We keep hoping for steeper declines as people get more educated about the risks of simple passwords (hence the annual list) and as websites start to enforce stronger password policies," he said."

 

Will's take on what the most popular passwords (if you use one of them) "say about you" is below. Will this influence some users to change their passwords?

  1. 123456
    I can’t be bothered to take even the most basic step to protect my personal information. Seriously, just go ahead and take it.
  2. password
    I failed to understand the question.
  3. 12345678
    I tried “123456,” but the computer said I had to use at least eight characters.
  4. qwerty
    Aren’t I clever? My password is written right there on the keyboard.
  5. abc123
    I'm a fan of the Jackson Five.
  6. 123456789
    I’m a positive-integer maximalist.
  7. 111111
    I managed to find one of the few passwords that’s both easy to crack and hard to remember. (How many 1s was it, again?)
  8. 1234567
    Seven is my lucky number!
  9. iloveyou
    I’m Theodore Twombly.
  10. adobe123
    You may have cracked my Adobe password, hacker, but you’ll never guess my password for Microsoft!
  11. 123123
    Aha! You were expecting 123456, weren’t you.
  12. admin
    I should be fired immediately.
  13. 1234567890
    I have mastered the base-10 numeral system.
  14. letmein
    Might as well let everyone else in, too.
  15. photoshop
    They told me not to use the same password for every program, so...
  16. 1234
    I can’t be bothered to take even the most basic step to protect my personal information, and neither can the people who run this site.
  17. monkey
    I am an actual monkey.
  18. shadow
    I fancy myself quite sneaky.
  19. sunshine
    I cry myself to sleep at night.
  20. 12345
    I cannot be bothered to take even the most basic etc.
  21. password1
    My last password was compromised, so I added a “1” this time for extra security.
  22. princess
    I’m waiting to be swept off my feet by a Nigerian prince.
  23. azerty
    Hey, at least it's better than qwerty.
  24. trustno1
    It's not paranoia if they really do keep guessing my password.
  25. 000000
    My day job is coming up with nuclear launch codes

 

 

Stolen Passwords and Comfort Over Security

This week a large-scale password theft was exposed and widely discussed. The majority of these passwords came from very heavily used sites like Google and Facebook. The LA Times discussed the findings around the passwords themselves and highlighted that "...as expected, many of the login credentials are no more complex than '1234.'" The article goes on to say:

"Users are creating easy-to-crack passwords, but SpiderLabs blames companies, not users, for this problem.

"If our hypothesis is true, then the inevitable conclusion is that people still choose comfort over security," the team said in a blog post. "If you don’t enforce a password policy, don’t expect your users to do it for you."

So how can you create a better password? Here's a few tips:

  • Use capital and lowercase letters
  • Use letters and numbers
  • Use words not found in the dictionary. For example, instead of "apple" go with "aapl"
  • Replace letters like "O" and "E" with numbers like "0" and "3"
  • Use long passwords

If you apply all of those techniques you can take a simple password like "thisismypassword" and turn it into something a little more complex like "th1ss1smYypa4sSsw0rdD.""

Asking users to create, remember and use passwords like "th1ss1smYypa4sSsw0rdD" is not a scalable security strategy, but the point the article makes regarding users choosing comfort and convenience is a very real challenge. This story speaks to the absolute requirement for transparent, noninvasive authentication that is still strong, and involves more than a direct match or mismatch of input. This has to happen without creating complexity that will deter end users.

 

Study Finds Consumers Are Open to Biometric Authentication

A study sponsored by PayPal and the National Security Alliance found that 53 percent of Americans are “comfortable” replacing passwords with a biometric (in this case, fingerprints). This article goes on to describe additional results of the study which indicate a growing acceptance in the consumer populations of moving beyond the traditional username and password for security. "Other responses to the survey sketches a picture of Americans that suggests we’re more reliant than ever on our smartphones but still very unsure about the proper security measure we should be taking on our mobile devices."

Increasing awareness of the need to take security measures that keep pace with the mobile technology being rapidly adopted by users is a good sign. End-user awareness of transactions like payments, transfers and access to critical data is the first step toward more secure behavior across the board. The article mentioned above goes on to say "One thing that does appear to be clear from the survey is that consumers want companies to do the bulk of heavy lifting when it comes to securing financial data. While those surveyed said that they’re comfortable with giving companies access to their biometric data to replace passwords, it turns out not that many of them actually use them for their phones."

As the conversation around new technologies continues, user awareness of the need to secure their devices will increase as well. 

 

