Aral Balkan: Historical Archive — Do prescribed secure passwords really result in better security?

Do prescribed secure passwords really result in better security?

I was excited to hear that Buzzword is in public beta so I tried to sign up this morning only to be greeted with an error message: "A password must be at least 6 characters, with at least one alphabetic and one non-alphabetic character."

It's not as bad a policy as some applications have (my favorite is "Your password must be between 6 and 8 characters long and must contain at least one number and at least one non-number, non-alphabetical character). Or, even worse still, I've actually seen an application that generated a password for me and then didn't give me the option of changing it (thankfully, I've only run into that train-wreck once).

These policies are bad because, whether we like it or not, most people use the same password (or several different ones) for different services. Yes, it's not ideal for security but it is the reality we are faced with. Given this, you can either let people use their existing passwords or dictate that they create a new one for your application. Whenever an application forces me to do this, I guarantee that I will forget this password. And what do most people do when they know they'll forget a password? That's right: they write it down somewhere. And how are most successful hack attacks carried out? You guessed it: through social engineering and by rummaging through offices and/or garbage bags for little pieces of paper with passwords on them.

That little yellow post-it that you just wrote your new eight character super strong Buzzword password on and stuck to your monitor at work is more of a security risk than the six character password you usually use for stuff that you have locked away safely in your head.

Update: I also just noticed that the Buzzword login page is being served over HTTP. Of course, they may be making an HTTPS call in the application but, if they're not, it means that your lovely strong password is open to everyone else on the network to see as it travels in clear text over the Internet.

Comments

Hey Aral, and thanks for the very thoughtful writeup. A couple of responses: 1) We argued long and hard about how strong a password to require. We came down where we did understanding the risks you describe. We felt that since more and more sites are starting to require more complex passwords, it's increasingly likely that people don't have to write down a special Buzzword password on a sticky note any more. Every site that requires a stronger password is making that more likely, anyway. 2) We do use SSL when sending user credentials to the server. Thanks again for writing about Buzzword!
by David Coletta on 2007-11-11 11:47:56
Hi David, Regarding point 2, I really feel that we need a security feature in Flash that alerts the user when an application is doing HTTPS versus HTTP calls. This is going to be important in building the same sort of trust in RIAs that regular applications enjoy in the browser via the lock icon when served over HTTPS. (Of course, you could just serve the whole application over HTTPS but, for most things, that would mean way too much useless overhead.) (And, even if the app itself is being served over HTTPS, it could easily do an HTTP call to the server and the user would be none the wiser.) All that aside, I'm looking forward to playing with Buzzword -- it looks awesome... is there any way to rotate an image in it, btw?
by Aral on 2007-11-11 13:14:08
[...] Writing about secure passwords in Buzzword got me thinking about the state of security and user trust in Flash (and Flex)-based Rich Internet Applications in general. After giving it some thought, I concluded that we have a little more work to do if users are to be expected to have the same sort of trust in Flash-based RIAs as they do for JavaScript and HTML-based applications and web sites. [...]
by Building trust in Flash-based RIAs: a security feature request at Aral Balkan on 2007-11-11 14:41:23
Hi Aral, I can only speak to what happens when really weak passwords are allowed. I've seen too many accounts and systems compromised because the people who set them up didn't require strong passwords. The resulting clean up process is painfully expensive. Over the years I've had to deal with law enforcement officials and extremely upsest users. Just because - for example - someone chose their home town as a password. As soon as we implemented stronger password requirements on all our University systems most of these problems started to go away. So I think the buzzword password policy is a reasonable compromise. On another level managing multiple accounts is a reason why it is harder and harder for small startups to succeed unless they are aquired and woven into larger service offerings by companies like Yahoo, Google, or Microsoft. Yours truly, -Brian
by Brian Lesser on 2007-11-11 14:00:49
Password rules like these prevent me using my favourite password - "this is my very secret password". Okay, that's not really my password - I wouldn't be foolish enough to tell the whole world. But the point is that I use phrases rather than words because they're easy to remember and hard to crack due to their length. If sites force capitals, numbers and/or punctuation into the password they prevent this simple route to stronger memorable passwords and instead make me write the password down in order to remember it.
by Richard Lord on 2007-11-11 16:50:18
I have always hated sites that require the user to have a super complex password. My primary reason for this is that people write it down in an obvious place and then don't change there password once they remember it. Checking for dictionary attacks is good, but forcing upper, lower, number, etc is just bad IMO. Another thing that concerns me is the lack of escaping when using passwords on many beta sites. I have a technique for generating passwords and a quirk of this is they often have control chars in. I would not mind as much if the site checked for these and said no, but the number of sites I have broken by doing this is scary.
by Alistair MacDonald on 2007-11-12 11:29:27
[...] that as a collaborative tool Buzzword is heading to rival Google. Aral Balkan raises some great questions about RIA security. And Buzzword’s own blog announces that Buzzword will always be [...]
by The Joy of Flex » Blog Archive » Buzzword in the Blogosphere, 17 Nov 07 on 2007-11-17 11:08:50
Don't ever try the Reset Password option if you happen to forget it. Instead of displaying at least a meaningful error message like "A password must be at least 6 characters, with at least one alphabetic and one non-alphabetic character", it actually says Unexpected Error, Code: PasswordNeedsMoreNonAlphaChars. http://duncan99.wordpress.com/2008/08/01/how-not-to-do-error-messages/
by duncan on 2008-08-01 08:49:16
My friend was talking about passwords recently, too, and I wrote a partly amusing, partly serious, and 100% geeky post about one way to deal with passwords. I came up with the idea a couple years back and it has definitely helped the "password problem". Might be along the same lines as the "technique for generating passwords" that Alistair was talking about.
by Daniel McLaren on 2007-11-13 19:17:24