BLOG@CACM Password Policies Are Getting Out of Control

Something I learned a long time ago is that one person's inefficiency is someone else's bottom line. This simple observation explains a lot of the big problems we're facing worldwide. Rather than getting into a discussion of those thorny political topics, however, I want to use this observation as a starting point for discussing something that plagues us all: password policies.

In fact, I think I have found the most difficult password policy in existence today. It was a US government web site, of course. Here were the password policies the site had in place:

Password Rules: Minimum 8 characters

Must contain at least 1 capital letter

Must contain at least 1 lower case letter

Must contain at least 1 number

Must contain at least 1 special character

Cannot contain consecutive characters (abc or cba)

Cannot contain repeating characters (aa, bb, etc)

Cannot contain the same character more than twice

Entered password must be different from last 10 passwords used

Cannot be changed within 24 hours

It actually took me about a dozen tries to create a password that covered all of the critera, plus was something I had a chance of remembering. Here are examples of passwords that failed:

My_P@$$w0rd (failed because of repeating characters)

!USg0v8 (failed because too short)

$tuPidP@55 (failed because repeating characters)

77pasS@77 (failed because same character more than twice)

I even tried a few randomly generated passwords, guaranteed to be strong passwords, which also failed some of the required criteria.

Of course, this password expires after 60 days (on a site that I only need to use every 90 days, no less). And when it did expire, it only took me an extra 15 minutes to figure out who to call to reset the password, plus a 13 minute hold, before my password was finally reset.

Makes one wonder how much real security is actually being offered with such measures, especially given the costs of staffing a help desk and the wasted time to end-users of having to get their passwords reset.

Why do web sites have such stringent password policies?

It all comes back to the opening statement: your inefficiency is someone else's bottom line. In a lot of organizations, there is an individual whose role is to keep computing systems secure. They are the people who get yelled at when things go wrong and whose job is on the line. In extreme cases, it becomes fully rational behavior to keep increasing security, no matter what the cost is for end-users, regardless of whether it is effective or not in practice. (Replace the words "computing systems" with "air travel" and we have a decent explanation for the challenges that TSA faces.)

In fact, a 2010 paper by Dinei Florencio and Cormac Herley, two researchers at Microsoft Research, presented an analysis of password policies of 75 different web sites . They found that, almost counterintuitively, "[s]ome of the largest, highest value and most attacked sites on the Internet such as Paypal, Amazon and Fidelity Investments allow relatively weak passwords," primarily because these web sites earn revenue by having people login.

In contrast, it was government and university sites that tended to have stricter (and less usable) policies. They explained these results by arguing that "[t]he reason lies not in greater security requirements, but in greater insulation from the consequences of poor

usability. Most organizations have security professionals who demand stronger policies, but only some have usability imperatives strong enough to push back. When the voices that advocate for usability are absent or weak, security measures become needlessly

restrictive."

Unfortunately, there aren't a lot of ways forward here. Passwords are cheap and pervasive, and aren't going away anytime soon. Forcing all members of Congress and all Generals to personally experience the joy of using these web sites themselves also isn't realistic, even if highly desirable.

In the long-term, we need more ways of getting the incentives of all stakeholders better aligned. Putting helpdesk costs and information security costs under the same budget and under the same person is a good start, as it would force people to think more about the relative costs and benefits of a security policy. Having customer satisfaction be part of the performance metrics for information security folks would also help.

In the meanwhile, until usability thinking and holistic thinking become more pervasive in computer security, the rest of us will just have to keep suffering the pains of stricter password policies.

Comments

Anonymous

This is absolutely right, and paradoxically, I'm sure the more restrictive the password rules the more risk there is of it being hacked. Weird and wonderful rules dramtaically increase the necessity to write your password down somewhere, and of course, because every site has some different rule associated with it, often enough the password will have a helpful indication of what it's for alongside.

I refuse to ever write my password down, the result is that a number of sites, including one of my credit card sites, necessitates me requesting a password reset each time. That particular company can probably hear my screams of frustration everytime I need to do some on-line accounts.

Anonymous

Keepass (http://keepass.info/) will generate this password for you, but the non-repeating element marks it as less secure.

The rule is: ulds[ulds]{4} - the explanation is at: http://keepass.info/help/base/pwgenerator.html#pattern

Anonymous

Well put, just like CAPTHA's are perfectly computer readable.. but no sane person can read it .. so this comment will probably never be posted :)

Anonymous

The fun part is all the measures in that specific password policy make the password actually weaker than stronger, as they provide an series of rules all the passwords follow, reducing the search space for a password cracker. Oh joy.

Anonymous

Thanks Jason, for the interesting and true comments.

As you say: someone's inefficiency is someone else's bottomline.

Here we have the conflict of security versus ease-of -use for end-users; but also versus the productivity of the Service Desk.

Introducing a piece of technology and setting end-user processes in place then it is possible for organizations to achieve the security requirements formulated by IT-security and at the same time avoiding the troubles when users forget the password - which is the true cost of complex password policies.

Depending on your organization's requirements you can find different commercially available packages which will fit. We have developed the solution FastPass, which helps more than 500.000 users in large organizations to have advanced password policies without being a burden to users and the Service Desk.

Regards

Finn Jensen

FastPassCorp.com

Anonymous

A password policy that strict will result in passwords so difficult to remember the user will simply write it down and keep it near the keyboard. All security advantage is lost at that point.

Anonymous

The only restriction I would enforce in a password policy would be the minimum number of characters (no less than 12). This is all you need to do to ensure stronger passwords, while making it easier for the users to remember them. Think sentences.

Anonymous

If policy don't allow charters to repeat, it reduces number of possible combinations as

per well known formula n!/(n-k)!. How ever Number of combinations with repeating (and order matters for pwd) is n^k

n - number of different characters available

k - number of characters used for password

But that was probably compromises for simplification of password strength and policy check, and preventing passwords like aaaaaaaa :)

So that part is just lazy developers/admins vs lazy users.

Anonymous

Excellent Post. I do, however, have a query: If you were the person in charge of setting the passwords-policy, what all rules would you set?

Anonymous

I think rather than having such crazy complexity, perhaps security professionals should be more interested in setting retry limits/timed lockouts, rate-limiting their web services, and other measures to reduce the threat of automated attacks, rather than working so hard at devising 'clever' complexity requirements... If it's other humans you're worried about, well a human knows to look under your keyboard, in your desk, behind your monitor or anywhere else you are probably keeping your written-down complex password.

For the argument that your user database could be compromised directly, well, perhaps you need to be concerned with protecting that better at the outset too.

Passwords should be moderately complex, but not to the extent this site you describe is. That's crazy.

Anyhow, thanks for writing this article! -J

View More Comments