Shostack + Friends Blog Archive


The Questions Not Asked on Passwords

So there’s a pair of stories on choosing good passwords in the New York Times. The first is (as I write this) the most emailed story on the site, “How to Devise Passwords That Drive Hackers Away.” It quotes both Paul Kocher and Jeremiah Grossman, both of whom I respect. There’s also a follow-on story, “Readers Respond: Password Hygiene and Headaches.” The latter quotes AgileBits somewhat extensively, and perhaps even ironically, given that I had to publicly disagree with them about how securely they store passwords.

These are solid stories. That people email them around is evidence that people want to do better at this. That goes against the common belief of security folks that people choose to be insecure and will choose dancing pigs over security.

But I think, for all that, there’s an important question that’s not being asked. How much help are these?

If I follow all nine elements of advice from Paul and Jeremiah, how much more secure will I be? If I’m only going to follow one, which should it be? If I take different advice, how does that compare? And are users rationally rejecting all of this as too hard?

First, we need to get a bit more specific about the problem. Is it account compromise? Is it password failings leading to account compromise? Does it include backup authentication mechanisms? I’ll assume the problem is unauthorized people being able to spoof the real account holder, and I’ll think of it as ‘shared secret’ authentication. That includes secret-question backup authentication systems, in large part because they’re vulnerable to exactly the same threats as passwords (although the probability and effectiveness of the attacks probably differ).

There are a number of threats to shared secret authentication schemes. I think we can categorize them as:

  • Finding (the post-it note attack, or the divorcing spouse)
  • Online Attacks (guessing against the live service)
  • Offline Attacks (enabled by password database leaks)
  • Phishing

Password leaks are a common problem these days, and they’re a problem because they enable offline attacks: once the attacker holds the hashes, the server’s rate limits no longer apply, and the attack ranges from simple lookups to rainbow tables to more complex cracking. But how common are they? How do they compare relative to the other classes of attacks?
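The difference between an online attack and the offline attack a leak enables is easier to see in code. The following is an added example, not code from the post; the account names, passwords and wordlist are constructed for illustration. It shows why a leak is the offline attacker’s enabler: against unsalted hashes the wordlist is hashed once and that table answers every account in the dump (a rainbow table is the space-optimised form of the same trick), while a per-user salt forces a fresh pass per account and an iterated hash multiplies the cost of each guess. An online attacker, by contrast, is bounded by the server’s rate limit rather than by hardware.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the post): a handful of accounts with the
# passwords they chose, and a tiny attacker wordlist. Real wordlists hold
# millions of entries; the mechanics are the same.
ACCOUNTS = {
    "alice": "password",
    "bob": "dragon",
    "carol": "Summer2012!",
    "dave": "correcthorsebatterystaple",
}
WORDLIST = [
    "password", "123456", "letmein", "qwerty",
    "dragon", "monkey", "Summer2012!", "correcthorsebatterystaple",
]


def unsalted_dump(accounts=ACCOUNTS):
    """What a leak looks like when the site stored plain MD5(password)."""
    return {user: hashlib.md5(pw.encode()).hexdigest() for user, pw in accounts.items()}


def lookup_attack(dump, wordlist=WORDLIST):
    """Offline lookup against an unsalted dump.

    The wordlist is hashed once; that table then answers every account in the
    leak with a dictionary probe. Returns (cracked, hash_operations).
    """
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    cracked = {user: table.get(h) for user, h in dump.items()}
    return cracked, len(wordlist)  # cost does not grow with the number of accounts


def salted_dump(accounts=ACCOUNTS, iterations=1000):
    """What a leak looks like when the site used per-user salt + PBKDF2-HMAC-SHA256."""
    dump = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        dump[user] = (salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations))
    return dump


def crack_salted(dump, wordlist=WORDLIST, iterations=1000):
    """Offline cracking of a salted, iterated dump.

    No table can be shared: every account needs its own pass over the
    wordlist, and each guess costs `iterations` HMAC calls rather than one.
    Returns (cracked, guesses_tried).
    """
    cracked = {}
    guesses_tried = 0
    for user, (salt, digest) in dump.items():
        cracked[user] = None
        for guess in wordlist:
            guesses_tried += 1
            candidate = hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, iterations)
            if hmac.compare_digest(candidate, digest):
                cracked[user] = guess
                break
    return cracked, guesses_tried


def offline_work(n_accounts, wordlist_size, iterations=1, salted=False):
    """Worst-case hash operations for an offline attack on a whole dump.

    Unsalted: hash the wordlist once, reuse it across every account.
    Salted:   one wordlist pass per account, times the iterations per guess.
    """
    if not salted:
        return wordlist_size
    return n_accounts * wordlist_size * iterations


def online_guesses(n_accounts, guesses_per_hour_per_account, hours):
    """Guess budget for an ONLINE attack on the same accounts: the server's
    rate limit, not the attacker's hardware, bounds the search."""
    return n_accounts * guesses_per_hour_per_account * hours


if __name__ == "__main__":
    cracked, ops = lookup_attack(unsalted_dump())
    print("unsalted MD5 leak:", cracked, "hash ops:", ops)
    cracked, tried = crack_salted(salted_dump())
    print("salted PBKDF2 leak:", cracked, "underlying hash ops:", tried * 1000)
    print("10M accounts, 100M-word list, 100k iterations (hash ops):",
          offline_work(10_000_000, 100_000_000), "unsalted vs",
          offline_work(10_000_000, 100_000_000, 100_000, salted=True), "salted")
    print("online, 10 guesses/hour/account for a week, 10M accounts:",
          online_guesses(10_000_000, 10, 24 * 7))
```

The point the numbers make is the one the paragraph does: the same weak password is reachable by an online attacker only within the rate limit, but once hashes leak, the cost of each guess is set by the site’s storage scheme, and unsalted fast hashes make the whole dump fall for the price of hashing the wordlist once.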

So to break down the important question a bit: At what frequency do these threats lead to compromised accounts? How effective is each piece of advice at mitigating that threat? What’s the effort involved in each? Without knowing those things, how should we assess the efficacy of the advice we’re giving?

My stock answer to all questions (more breach data!) doesn’t really work as well here. Unlike breach disclosures, where the information sits with IT departments, some of these questions turn on fairly private information.

I’d be interested in hearing your thoughts, especially on how we can get data to evaluate these questions.