
Password Strength Testers Work For Important Accounts

msm1267 writes "Many popular online services have started to deploy password strength meters, visual gauges that are often color-coded and indicate whether the password you've chosen is weak or strong based on the website's policy. The effectiveness of these meters in influencing users to choose stronger passwords had not been measured until recently. A paper released this week by researchers at the University of California Berkeley, University of British Columbia, and Microsoft provides details on the results of a couple of experiments examining how these meters influence computer users when they're creating passwords for sensitive accounts and for unimportant accounts."
  • by msauve ( 701917 ) on Friday May 17, 2013 @08:42PM (#43759161)
    is not more reliance on passwords, but an infrastructure which replaces all of that.

    I don't pretend to be a security expert, but why not ask for a public key instead, so I can authenticate with my private one, as with SSH? Or provide a pointer to some authentication server, so I can have a safely "shared" yet easily changed password for multiple sites? (and I am NOT talking about Facebook)
  • by icebike ( 68054 ) on Friday May 17, 2013 @08:47PM (#43759177)

    The long and the short of it: Not Much!

    Users, despite a barrage of news about stolen credentials, identity theft and data breaches, will re-use passwords over and over, especially at account creation, regardless of the presence of a meter. If the context changes, however, and users are asked to change existing passwords on sensitive accounts, the presence of a meter does make some difference.

    They claim it was for "important accounts" but how important would the account be that was being used in a study?

    Lots of people re-use passwords on "nothing accounts" simply to prevent having to remember a gazillion passwords.
    That doesn't mean they reuse all passwords.

    It's probably more important to not log in using the same user name on many different sites than it is to have passwords consisting of crazy strings of random characters that you can't even type consistently let alone remember. If someone guesses your re-used password in one site they have a much better chance of guessing your other logins.

  • by luvirini ( 753157 ) on Friday May 17, 2013 @09:00PM (#43759247)

    The growing number of places you need a password on just to access some content is a sure cause for increased password reuse.

    Humans are simply not suited to remembering random enough passwords to cover all the sites on the internet.

    The save password option on the browser might help...

    but more and more sites use the "do not save passwords" option.. forcing people back to reusing passwords.

    Well, personally I just use fairly random passwords and the "rememberpass" extension on Firefox to force saving passwords even when the site does not want you to do that.. as the lesser of the evils.

  • by Exitar ( 809068 ) on Friday May 17, 2013 @09:19PM (#43759347)
  • by Carnildo ( 712617 ) on Friday May 17, 2013 @09:47PM (#43759473) Homepage Journal

    How good are the meters as an indication of password strength? If you've got a meter that calls "Password1" (nine characters, mixed upper and lower case with a number) strong, it doesn't matter if the meter has an effect or not.

    Password strength is inherently impossible to measure (it's related to the password's Kolmogorov complexity [wikipedia.org], which is incomputable). A good heuristic meter would check the password against the output of a few password-cracking programs and assign a strength based on how long it takes the password to show up, but I doubt anyone's doing that.

  • by Anonymous Coward on Friday May 17, 2013 @10:00PM (#43759521)

    All well and good if the sites would stop implementing arbitrary password length limits.

  • by Carnildo ( 712617 ) on Friday May 17, 2013 @11:16PM (#43759843) Homepage Journal

    If you actually do any PW cracking, you'd know that comic is wrong. Dictionary attacks with not just words, but with phrases and 1337 replacements, and exclamations, and numbers after or before or in between words, runs of N repeating characters to 'pad out' a password, etc, all get tried before brute force.

    If you understood combinatorics, you'd know that the comic is right. The first row is a password made from known tricks, and is probably in a dictionary (the 28-bit strength represents the size of the smallest dictionary likely to contain it, or how far you need to go through the dictionary before running into it). The second row represents a password generated randomly from what is effectively a 2048-letter alphabet.

  • by Snotnose ( 212196 ) on Saturday May 18, 2013 @12:00AM (#43759989)

    I use KeePass. I have 1 strong password stored in my brain. I have 1 crappy password for places like fark, /., and ars. My passwords for my 2 investment firms, my bank, ebay, paypal, email accounts, etc, are all different and I have no idea what they are as I let KeePass generate them. I just open up KeePass, copy the password to the clipboard, then paste.

    To make it portable whenever I add a password to KeePass on my laptop I copy the database to my phone. As I never access my sensitive accounts from anywhere but my phone I'm good.

    In short, it's simple, free, and as long as my 1 strong password is good I'm in good shape.

  • by Anonymous Coward on Saturday May 18, 2013 @12:09AM (#43760029)

    What needs to be done, as a minimum, is something like Password Hasher (the firefox plugin) needs to be built into each browser. Each website has its own tag and when I type in my password the password that actually gets sent to the website by my browser is different from the password that I typed and it's different from site to site even if I choose to use the same or a similar password. That way if my password does get logged or compromised by one website they can't as easily discover the underlying password and use it to access information from other accounts I may have if I use the same password. The whole process should be built into each browser and oblivious to the user, I can go on another computer and type my password for the same site and it will go through the same hash process and send the same password.

    Of course this isn't foolproof, someone could potentially back-crack the original password based on the sent password or try to create databases of cracked original passwords for each website (ie: for each hashtag) but at least this is an additional simple obstacle that will make it more difficult for those who get a hold of compromised passwords sent by the browser to benefit from them through using them for other websites. My browser should, ideally, never send the password that I type to the server exactly as I type it, it should be sent hashed.
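    The per-site derivation the comment above describes, as an added example (not the Password Hasher extension's own algorithm, which the page does not give): the site tag is the salt, PBKDF2 makes recovering the master from one captured per-site password expensive, and the iteration count, output length and sample master are constructed assumptions.

```python
import base64
import hashlib

# Constructed parameters for this illustration; a deployed scheme would
# pin these so every browser derives the same value for the same site.
PBKDF2_ITERATIONS = 100_000
DERIVED_LENGTH = 20


def derive_site_password(master_password: str, site_tag: str) -> str:
    """Derive a per-site password from the typed master and a site tag.

    The tag is the salt, so typing the same master on any machine gives
    the same per-site password while no two sites ever receive the same
    string. PBKDF2 slows down anyone trying to "back-crack" the master
    from a password one site logged.
    """
    key = hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        ("site-tag:" + site_tag.lower()).encode("utf-8"),  # case-normalised tag
        PBKDF2_ITERATIONS,
        dklen=32,
    )
    # URL-safe base64 yields letters, digits, '-' and '_', which passes most
    # character-class rules; truncate to a length a site will accept.
    return base64.urlsafe_b64encode(key).decode("ascii").rstrip("=")[:DERIVED_LENGTH]


def derived_passwords_differ(master_password: str, tags: list) -> bool:
    """True when every site tag maps to a distinct derived password."""
    derived = {derive_site_password(master_password, t) for t in tags}
    return len(derived) == len(tags)


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample master
    for tag in ("bank.example", "forum.example", "shop.example"):
        print(f"{tag:14} -> {derive_site_password(master, tag)}")
```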

  • No kidding (Score:5, Insightful)

    by Sycraft-fu ( 314770 ) on Saturday May 18, 2013 @02:54AM (#43760447)

    I'd say I'm a pretty security aware individual, what with working in IT and all that. I do defense in depth on computer and physical security, I'm proactive about things, etc. Seems to have worked, I've never had a system owned.

    So I never reuse passwords, right?

    Wrong, I do all the time. Almost every forum online I have the same password for, and it is a weak one. Why? Because I don't care. Oh no, someone might hack my forum account and... I dunno, post something as me! Whatever would I do? I'm not going to bother to generate a great, unique, password for every site.

    However my bank account? Random password (I don't seem to have trouble remembering them), long, and it requires two factor authentication. That protects my finances, and those matter. So security on that is pretty high.

    The idea that everyone is going to have a high security password for every site and not reuse it is silly. There are plenty of things where if your account got compromised, you just don't care so much.

    Also it can make sense to group systems. All my systems at home use a single password. There is no reason for them not to. They are all in the same security context, basically. It is no different than at work where my single account gets me access to any domain system.

  • by Anonymous Coward on Saturday May 18, 2013 @03:22AM (#43760503)

    By that logic it's even more likely your OS or its keyboard driver are compromised, which would give the bad actor access to the same passwords (and then some). And what about sites integrating 3rd party scripts (like facebook/socialnetwork/googleanalytics stuff), they allow a 3rd party to run scripts on every page of their site (facebook/google could easily add a pre-submit event handler that reads the pw and submits it to them as well).

    Password managers are (at heart) very basic software, which makes source code evaluation relatively easy (assuming you pick an OSS variant, which you probably should). Aside from heavily investing brainpower in remembering a lot of passwords (or some in-your-head password "algorithm"), password managers are one of the safer methods available at the moment.

    Important IT systems (such as banking/companyVPN/etc) are, or should, all be moving away from passwords.

  • Importance... (Score:3, Insightful)

    by Bert64 ( 520050 ) <bert AT slashdot DOT firenzee DOT com> on Saturday May 18, 2013 @05:11AM (#43760753) Homepage

    Every website appears to have an over-inflated sense of its own importance... Why shouldn't I use a "weak" password on a site I deem unimportant?

    Many of the password strength checkers are also deeply flawed, as they allow common dictionary words to slip through with trivial changes, eg Password1! is considered strong by most such checkers.

    Also, how can I be assured that a site I sign up to is going to store my details securely? What's the point in having a strong password if it's going to be stored in plain text or using a weak hashing algorithm?

  • by theedgeofoblivious ( 2474916 ) on Saturday May 18, 2013 @05:14AM (#43760759)

    And then they write them down, stick them on sticky notes, and put them under their keyboards, or in their drawers, completely destroying the security, but maintaining the administrators' beliefs in it.

    It's almost as good of an idea as making people change their password once a month, which also encourages people to write them down, re-use their weak passwords or choose passwords that are easy to guess.

    And how about those password retrieval questions?

    What's your favorite color or your mother's maiden name? No one can guess those.

  • by mwvdlee ( 775178 ) on Saturday May 18, 2013 @05:24AM (#43760771) Homepage

    To most of those password checks I've encountered, "P@ssw0rd" is very strong, but a thousand random digits is impermissibly weak.
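An added example (not from any commenter) of the meter flaw raised in the Carnildo, Bert64 and mwvdlee comments, and of the 28-bit versus 44-bit comparison in #43759843: a character-class meter beside an estimate that follows a cracker's order of attack. The wordlist, leet table, variant multipliers and rating thresholds are constructed assumptions, not figures from the page.

```python
import math
import re

# Constructed stand-in for a cracking wordlist; a real meter would use
# millions of entries, and DICT_BITS would grow to log2 of that size.
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome", "dragon",
                "monkey", "baseball", "football"}
DICT_BITS = math.log2(len(COMMON_WORDS))

# Leet substitutions a cracker undoes before falling back to brute force.
LEET = str.maketrans("@43!10$57", "aaeiiosst")


def naive_score(pw: str) -> str:
    """Character-class meter of the kind the comments criticise: it only
    counts length and classes present, so "P@ssw0rd" rates strong."""
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]"))
    if len(pw) >= 8 and classes >= 3:
        return "strong"
    return "medium" if len(pw) >= 6 and classes >= 2 else "weak"


def estimate_bits(pw: str) -> float:
    """Guess-count estimate in bits, in the order a cracker actually works:
    wordlists and mangling rules first, random search last."""
    words = pw.split()
    if len(words) >= 2 and all(w.isalpha() and w.islower() for w in words):
        return len(words) * math.log2(2048)  # random words from a 2048-word list
    prefix, core, suffix = re.match(r"^([^A-Za-z]*)(.*?)([^A-Za-z]*)$", pw).groups()
    if core.translate(LEET).lower() in COMMON_WORDS:
        bits = DICT_BITS
        bits += 1 if core != core.lower() else 0          # capitalisation variant
        bits += 4 if core.translate(LEET) != core else 0  # ~16 leet variants (assumed)
        for ch in prefix + suffix:                        # digits/symbols tacked on
            bits += math.log2(10) if ch.isdigit() else math.log2(33)
        return bits
    # No known pattern: treat as a uniform draw over the classes it uses.
    charset = sum(size for p, size in ((r"[a-z]", 26), (r"[A-Z]", 26),
                                        (r"\d", 10), (r"[^A-Za-z\d]", 33))
                  if re.search(p, pw))
    return len(pw) * math.log2(charset) if charset else 0.0


def rate(pw: str) -> str:
    bits = estimate_bits(pw)  # thresholds below are illustrative
    return "weak" if bits < 30 else "medium" if bits < 60 else "strong"


if __name__ == "__main__":
    for pw in ("Password1", "P@ssw0rd", "correct horse battery staple"):
        print(f"{pw!r}: naive={naive_score(pw)}, {estimate_bits(pw):.1f} bits ({rate(pw)})")
```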
