Password Strength Testers Work For Important Accounts
msm1267 writes "Many popular online services have started to deploy password strength meters, visual gauges that are often color-coded and indicate whether the password you've chosen is weak or strong based on the website's policy. The effectiveness of these meters in influencing users to choose stronger passwords had not been measured until recently. A paper released this week by researchers at the University of California Berkeley, University of British Columbia, and Microsoft provides details on the results of a couple of experiments examining how these meters influence computer users when they're creating passwords for sensitive accounts and for unimportant accounts."
So? (Score:5, Interesting)
Now tell us what percent of breakins are due to guessing passwords. Maybe 2%. The rest are social engineering, default accounts, keyloggers, vulnerabilities, malware, misconfigured networks and people leaving their phones in bars.
Re:What's really needed... (Score:5, Interesting)
The FIDO stuff sounds like a whole lot of expensive extra technology with no real benefit over a password. A finger swipe is a replayable event just as much as a password or PIN.
The Google Authenticator is conceptually okay in theory, but in practice, AFAIK, it too becomes a gaping security hole as soon as your mobile device gets compromised.
If you want something stronger than passwords, it must have the following criteria:
None of these schemes I've seen so far address #3, and as a result, none of them are significantly more secure than typing letters at random and pasting the resulting password into a text file on your Desktop. They try to address problems that don't actually exist, while failing to address the root of the problem, which is that computers, mobile devices, etc. are not inherently secure.
For example, Google Authenticator uses a time-based token. This tries to avoid replay attacks by limiting the period during which an attack is possible. That doesn't work very well, though, unless you can delay an attacker's ability to sniff that token. This means that you have to prevent a MITM attack. As soon as the device is compromised, SSL and TLS are no longer capable of preventing a MITM attack, so the entire scheme falls apart.
Anything short of a non-networked device communicating with your computer over a very simple protocol (think "formal verification" here) is not a major win, IMO. And it can't be something silly like touching a smart card to an RFID reader, either, because the reader could perform more than one transaction, and you would have no way of knowing that you just bought some farmer in Iowa a new tractor alongside that DVD from Amazon. No, you really need a physical screen and a button on the device saying, "Do you agree to transfer $258,000 to Bank of Nigeria?" in order to significantly improve things. Anything short of that is just wasting a lot of time and expense without addressing the real problem—that if you can't trust the endpoint, you can't trust the message. Start by developing a truly trusted endpoint. After that, the entire problem becomes fairly trivial.
Re:Speaking of "meters" (Score:2, Interesting)
...and very difficult to remember, making the use of such a system insanity.
A thought.. (Score:5, Interesting)
Has anyone worked on a time-based password system, such as the timing between the entry of the characters? So 11 then isn't the same as 1 1.
I find that I have a few passwords that I use where I end up with a typing rhythm for certain character sets. I could logically break and wait on some, or speed some up and slow some down consciously, the intent of course being to add another completely random variable into the password thing.
You could have different timing resolutions for different levels of security. Imagine the difficulty of a password with only 2 characters exactly 1.756 seconds apart.
And then the same scheme with a 1.5 second resolution for not-so-strict security. (Again, random specs, but you get the picture.)
Of course you would have words or phrases with timings in between so that...
"the l a z y dog" isn't the same as
"t h e lazy do g"
simply by the timing between the characters.
You would need to add or change passwords by typing them a few times until you can get the timing right for the resolution, and I would think a test or two before setting the password with timing, something like the voice recognition training...
and there's my brainfart for the day..enjoi.
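The scheme sketched in the comment above can be made concrete. This is an added example, not the commenter's code and not any shipping product: inter-keystroke gaps are rounded to a chosen resolution, appended to the characters, and the result is hashed with PBKDF2 like an ordinary password. It also mirrors the "type it a few times" enrollment step by refusing a password whose attempts do not quantize identically. The notation helper, the 0.1 s / 0.5 s rhythm constants, the resolutions and the salt are all constructed for the example.

```python
import hashlib
import hmac


def rhythm_from_notation(notation: str, fast: float = 0.1, pause: float = 0.5):
    """Turn 'the l a z y dog' into (chars, timestamps). Spaces are not typed
    characters; each one adds a deliberate pause before the next keystroke.
    Constructed input model for the example."""
    chars, stamps, t = [], [], 0.0
    for ch in notation:
        if ch == " ":
            t += pause
            continue
        t += fast
        chars.append(ch)
        stamps.append(t)
    return "".join(chars), stamps


def quantize_gaps(stamps, resolution: float):
    """Round each inter-keystroke gap to the nearest multiple of `resolution`.
    A coarse resolution (e.g. 1.5 s) collapses most rhythms into the same pattern."""
    return tuple(round((b - a) / resolution) for a, b in zip(stamps, stamps[1:]))


def secret_material(chars: str, stamps, resolution: float) -> bytes:
    """Characters plus quantized rhythm, the thing that actually gets hashed."""
    gaps = quantize_gaps(stamps, resolution)
    return chars.encode() + b"\x00" + ",".join(str(g) for g in gaps).encode()


def enroll(trials, resolution: float):
    """trials: list of (chars, stamps) from repeated typing of the new password.
    Accept only if every attempt produced identical material; otherwise the
    rhythm is not reproducible at this resolution and enrollment is rejected."""
    materials = {secret_material(c, s, resolution) for c, s in trials}
    if len(materials) != 1:
        return None
    return materials.pop()


def derive_verifier(material: bytes, salt: bytes, iterations: int = 200_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations)


def check(material: bytes, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(derive_verifier(material, salt), stored)


if __name__ == "__main__":
    a = rhythm_from_notation("the l a z y dog")
    b = rhythm_from_notation("t h e lazy do g")
    print("same characters:", a[0] == b[0])
    print("distinct at 0.25 s:", quantize_gaps(a[1], 0.25) != quantize_gaps(b[1], 0.25))
    print("distinct at 1.5 s: ", quantize_gaps(a[1], 1.5) != quantize_gaps(b[1], 1.5))
```

At a 0.25 s resolution the two phrasings of "thelazydog" hash to different verifiers; at 1.5 s every gap rounds to zero and the rhythm adds nothing, which is the trade-off the comment's "different resolutions for different levels of security" is getting at. The enrollment check is what keeps a user from locking themselves out with a rhythm they cannot reproduce.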
Re:LastPass (Score:2, Interesting)
> Of late I've been using LastPass.
That's great! Except... you know that LastPass had their entire database compromised [techcrunch.com], right? Fool me once...
Re:Minor difference at best (Score:5, Interesting)
90% of accounts I have created were so I could read some support documentation, or download an updated driver from a vendor etc. The only reason for putting password protection on such things is so the vendor can spam me in future. I really don't care if such accounts are compromised, in fact, I actively use obvious username and password combinations along with fake, or if they require confirmation before activating the account, throwaway email addresses. Another 9% are sites like slashdot, where the account gives some convenience, but nothing of value is stored there (a bit of reputation is at stake if someone hacks the account and uses it to troll, but the damage is minimal and easy to explain away). For the other 1%, I'll care enough to create unique passwords that are difficult to crack.
Yes (Score:4, Interesting)