
Security IT

Password Strength Testers Work For Important Accounts

msm1267 writes "Many popular online services have started to deploy password strength meters, visual gauges that are often color-coded and indicate whether the password you've chosen is weak or strong based on the website's policy. The effectiveness of these meters in influencing users to choose stronger passwords had not been measured until recently. A paper released this week by researchers at the University of California Berkeley, University of British Columbia, and Microsoft provides details on the results of a couple of experiments examining how these meters influence computer users when they're creating passwords for sensitive accounts and for unimportant accounts."
  • So? (Score:5, Interesting)

    by Smallpond ( 221300 ) on Friday May 17, 2013 @09:25PM (#43759375) Homepage Journal

    Now tell us what percent of breakins are due to guessing passwords. Maybe 2%. The rest are social engineering, default accounts, keyloggers, vulnerabilities, malware, misconfigured networks and people leaving their phones in bars.

  • by dgatwood ( 11270 ) on Friday May 17, 2013 @10:11PM (#43759571) Homepage Journal

    The FIDO stuff sounds like a whole lot of expensive extra technology with no real benefit over a password. A finger swipe is a replayable event just as much as a password or PIN.

    The Google Authenticator is conceptually okay in theory, but in practice, AFAIK, it too becomes a gaping security hole as soon as your mobile device gets compromised.

    If you want something stronger than passwords, it must have the following criteria:

    1. Immune to replay attacks. Done correctly, this means that each authentication request must have a unique ID that must be signed or otherwise combined with some shared secret in a secure way.
    2. Immune to man-in-the-middle attacks. Each request for authentication must be signed by the requestor so that the user can be certain that he/she is not agreeing to do something other than what is intended. Each response from the user must include at least a hash of the original request.
    3. Immune to device compromise. The most common way that computer security is breached is through password sniffers or other compromise of the user's computer or mobile device. If you cannot trust the device that is performing the authentication, you cannot trust the action being performed, and all security goes out the window, including existing measures for preventing MITM and replay attacks, such as SSL/TLS.

    None of these schemes I've seen so far address #3, and as a result, none of them are significantly more secure than typing letters at random and pasting the resulting password into a text file on your Desktop. They try to address problems that don't actually exist, while failing to address the root of the problem, which is that computers, mobile devices, etc. are not inherently secure.

    For example, Google Authenticator uses a time-based token. This tries to avoid replay attacks by limiting the period during which an attack is possible. That doesn't work very well, though, unless you can delay an attacker's ability to sniff that token. This means that you have to prevent a MITM attack. As soon as the device is compromised, SSL and TLS are no longer capable of preventing a MITM attack, so the entire scheme falls apart.

    Anything short of a non-networked device communicating with your computer over a very simple protocol (think "formal verification" here) is not a major win, IMO. And it can't be something silly like touching a smart card to an RFID reader, either, because the reader could perform more than one transaction, and you would have no way of knowing that you just bought some farmer in Iowa a new tractor alongside that DVD from Amazon. No, you really need a physical screen and a button on the device saying, "Do you agree to transfer $258,000 to Bank of Nigeria?" in order to significantly improve things. Anything short of that is just wasting a lot of time and expense without addressing the real problem—that if you can't trust the endpoint, you can't trust the message. Start by developing a truly trusted endpoint. After that, the entire problem becomes fairly trivial.
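The three criteria above, worked through as an added Python sketch that is not from the poster: a fresh ID per request, a MAC so the device only shows requests that really came from the server, a response that commits to a hash of what the user saw, and a verifier that refuses reused IDs. The shared secret and transaction strings are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed shared secret for this example only; a deployment would
# provision one per device and never hard-code it.
SHARED_SECRET = b"example-shared-secret-not-for-real-use"


def request_digest(req: dict) -> bytes:
    """Hash of the request ID plus the transaction text shown to the user."""
    return hashlib.sha256(f"{req['id']}|{req['transaction']}".encode()).digest()


def make_request(transaction: str, secret: bytes) -> dict:
    """Server side: a fresh random ID per request (criterion 1) and a MAC
    over the request so the device can tell it came from the server (2)."""
    req = {"id": os.urandom(16).hex(), "transaction": transaction}
    req["mac"] = hmac.new(secret, request_digest(req), hashlib.sha256).hexdigest()
    return req


def device_approve(req: dict, secret: bytes) -> Optional[bytes]:
    """Device side: verify the request MAC, show the transaction text, then
    answer with HMAC(secret, ID || hash(request)) so the response commits to
    exactly what the user saw. None of this helps if the device itself is
    compromised (criterion 3), which is the poster's main point."""
    expected = hmac.new(secret, request_digest(req), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, req["mac"]):
        return None  # not the server's request: refuse to show it at all
    msg = bytes.fromhex(req["id"]) + request_digest(req)
    return hmac.new(secret, msg, hashlib.sha256).digest()


class Verifier:
    """Server side: checks the response and never accepts an ID twice."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.used_ids: set = set()

    def verify(self, req: dict, response: Optional[bytes]) -> bool:
        if response is None or req["id"] in self.used_ids:
            return False  # device refused, or replayed request
        if not hmac.compare_digest(device_approve(req, self.secret) or b"", response):
            return False  # wrong secret or request altered in transit
        self.used_ids.add(req["id"])
        return True
```

A replayed response and a response paired with an altered transaction both fail verification; what the sketch cannot do is detect a device that shows the user one transaction and signs another.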

  • by Anonymous Coward on Friday May 17, 2013 @10:52PM (#43759755)

    ...and very difficult to remember, making the use of such a system insanity.

  • A thought.. (Score:5, Interesting)

    by SuperCharlie ( 1068072 ) on Friday May 17, 2013 @11:23PM (#43759873)
    Maybe a brainfart..but here goes..

    Has anyone worked on a time based password system..such as.. the timing between the entry of the characters? So 11 then isn't the same as 1 1

    I find that I have a few passwords that I use that I end up with a typing rhythm for certain character sets. I could logically break and wait on some.. or speed some up and slow some down consciously.. the intent of course being to add another completely random variable into the password thing..

    You could have different timing resolutions for different levels of security. Imagine the difficulty of a password with only 2 characters exactly 1.756 seconds apart .. with a resolution of .002 seconds..and someone who can flip a coin, catch it, and click the second character consistently because of muscle memory and repetition. (random specs..but you get the picture)

    And then the same scheme with a 1.5 second resolution for not so strict security. (again..random specs..but you get the picture)

    Of course you would have words or phrases with timings in between so that...

    "the l a z y dog" isn't the same as

    "t h e lazy do g"

    simply by the timing between the characters.

    You would need to add or change passwords by typing them a few times until you can get the timing right for the resolution..and I would think a test or two before setting the password with timing..something like the voice recognition training...

    and there's my brainfart for the day..enjoi.
  • Re:LastPass (Score:2, Interesting)

    by Anonymous Coward on Friday May 17, 2013 @11:27PM (#43759883)

    > Of late I've been using LastPass.

    That's great! Except... you know that LastPass had their entire database compromised [techcrunch.com], right? Fool me once...

  • by jrumney ( 197329 ) on Saturday May 18, 2013 @12:07AM (#43760021)

    90% of accounts I have created were so I could read some support documentation, or download an updated driver from a vendor etc. The only reason for putting password protection on such things is so the vendor can spam me in future. I really don't care if such accounts are compromised, in fact, I actively use obvious username and password combinations along with fake, or if they require confirmation before activating the account, throwaway email addresses. Another 9% are sites like slashdot, where the account gives some convenience, but nothing of value is stored there (a bit of reputation is at stake if someone hacks the account and uses it to troll, but the damage is minimal and easy to explain away). For the other 1%, I'll care enough to create unique passwords that are difficult to crack.

  • Yes (Score:4, Interesting)

    by dutchwhizzman ( 817898 ) on Saturday May 18, 2013 @12:08AM (#43760027)
    Yes, they have. However, it requires client side applications and it depends on the keyboard you are using. If you have to type your password on a different keyboard, your timing will differ because of the different placement and mechanics of the keyboard. It is only a reliable extra factor if you use a single type of hardware in very similar locations.
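SuperCharlie's timing-resolution idea and dutchwhizzman's keyboard caveat, as an added Python sketch that is not from either poster: keystrokes are logged with timestamps, enrollment averages several typings and fails until the user can repeat the rhythm within the chosen resolution, and matching compares inter-key intervals at that resolution. The keystroke logs and the 0.1 s / 0.6 s timings are constructed.

```python
from statistics import mean
from typing import List, Optional, Tuple

Keystroke = Tuple[str, float]  # (character, seconds since the first key press)


def typed(text: str, gaps: List[float]) -> List[Keystroke]:
    """Constructed keystroke log: gaps[i] is the pause before text[i + 1]."""
    assert len(gaps) == len(text) - 1
    times, t = [0.0], 0.0
    for g in gaps:
        t += g
        times.append(t)
    return list(zip(text, times))


def intervals(keys: List[Keystroke]) -> List[float]:
    """Inter-key intervals: the timing layered on top of the characters."""
    times = [t for _, t in keys]
    return [b - a for a, b in zip(times, times[1:])]


def enroll(samples: List[List[Keystroke]], resolution: float) -> Optional[List[float]]:
    """Average several typings into a reference rhythm (the 'training' step).
    Returns None when the samples disagree by more than the resolution, i.e.
    the user has not yet managed to repeat the rhythm consistently."""
    ivs = [intervals(s) for s in samples]
    ref = [mean(col) for col in zip(*ivs)]
    if any(abs(a - r) > resolution for iv in ivs for a, r in zip(iv, ref)):
        return None
    return ref


def timing_matches(attempt: List[Keystroke], text: str,
                   ref: List[float], resolution: float) -> bool:
    """Characters must match and every interval must be within `resolution`
    seconds of the enrolled rhythm. A coarse resolution tolerates a different
    keyboard (dutchwhizzman's objection) but also accepts more rhythms."""
    if "".join(c for c, _ in attempt) != text:
        return False
    return all(abs(a - r) <= resolution for a, r in zip(intervals(attempt), ref))


FAST, PAUSE = 0.1, 0.6  # constructed timings in seconds
# "the l a z y dog": pauses around the spelled-out letters
LAZY_SPELLED = typed("thelazydog", [FAST, FAST, PAUSE, PAUSE, PAUSE, PAUSE, PAUSE, FAST, FAST])
# "t h e lazy do g": same characters, pauses in different places
THE_SPELLED = typed("thelazydog", [PAUSE, PAUSE, PAUSE, FAST, FAST, FAST, PAUSE, FAST, PAUSE])
```

At a 0.002 s resolution the two rhythms are distinct passwords; at the 1.5 s resolution from the post they collapse into the same one, which is the trade-off the reply describes.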
