I’ve written here before several times about the flaws of passwords as a security measure in today’s environment, and also about why they are still used, despite their obvious drawbacks. This weekend, an article in the New York Times looks at the question of passwords from a different perspective.
Some computer security experts are advancing the heretical thought that passwords might not need to be “strong,” or changed constantly. They say onerous requirements for passwords have given us a false sense of protection against potential attacks. In fact, they say, we aren’t paying enough attention to more potent threats.
As the article correctly points out, it doesn’t matter how strong your password is, if an attacker has surreptitiously installed a key-logging program on your PC. It also doesn’t matter if you are persuaded to give your password to someone in a “social engineering” attack, or if you are tricked into entering it on a bogus Web page.
Nonetheless, it is fairly common for Web sites and other systems to have elaborate rules about the construction of acceptable passwords. This tends to provoke user resistance, and results in practices that decrease security, such as the “Password on a PostIt” phenomenon. If security measures become too much trouble, users will just circumvent them, as Don Norman, co-founder of the Nielsen-Norman Group design firm, has pointed out, in an article at ACM Interactions ; he describes attending a meeting of security professionals held at Google’s headquarters (the “Googleplex”), where security is taken seriously.
Our meetings were held in a public auditorium that did not require authorization for entrance. But the room was in a secure building, and the toilets were within the secure space. How did the world’s security experts handle the situation? The side door of the auditorium that led to the secure part of the building and the toilets was propped open with a brick. So much for key access, badges, and security guards.
One often observes this same kind of reaction to security warning messages. Microsoft’s Windows Vista introduced a facility called “User Account Control”, under which even users with administrative privileges are required to confirm any potentially dangerous action (e.g., installing software) before the system proceeds. As many of us have noticed, it doesn’t take very long before these pop-up messages are treated as if they said, “Click OK to get your work done.” Cormac Herley, from Microsoft Research, has argued in a paper [PDF] presented at the New Security Paradigms Workshop, that users react in an economically rational way to these warnings: the amount of effort required is not justified by the expected benefit to the user, a point also made by Mr. Norman:
Locks on houses, cars, and private records get in the way of easy access, but we tolerate them because they seem necessary and the amount of effort they demand usually seems reasonable. Note the two different components: the understanding of the necessity for protection and the reasonableness of the effort required.
In the context of technology, users frequently have no clear idea of what the security trade-offs are in a particular situation.
Furthermore, the advice that users are given sometimes borders on nonsense. Mr. Herley and one of his colleagues from Microsoft Research, Dinei Florêncio, surveyed the password policies [PDF] of 75 different Web sites. Although one might expect that sites dedicated to e-commerce and those of financial institutions would have the strictest policies on password strength, that is not what they found. The sites with the most stringent restrictions tended to be government and university sites. Commercial sites, like Amazon and PayPal, were much more flexible. The explanation seems clear: commercial sites stand to lose if their policies are so cumbersome that users are driven away. On the other hand, as the authors surmise, in the absence of anyone advocating for usability, the other sites can construct more and more baroque rules that are justified because they “improve security”.
As the Times article points out, many people are tired of being told to use strong passwords “because I said so”, like a six-year old being told to eat his broccoli. We can do better than this.