In the December issue of Computer Fraud & Security, an article by Prof Steven Furnell – ‘Assessing password guidance and enforcement on leading websites’ – presents some fascinating original research into the password practices of various leading websites – and also paints a somewhat worrying picture.
In the article, Prof Furnell, of the University of Plymouth, follows up on earlier research looking at how well (or otherwise) websites guide their users when picking passwords. Do they provide decent advice on what constitutes a strong password? And just how clever are those password strength meters?
It’s not pretty.
It’s not just that many of these websites continue to allow the selection of very weak passwords: there’s also the problem of inconsistency. One of the things I took away from this article is that password meters – those little graphic devices that purportedly show you how strong or how weak your chosen password is – are pretty meaningless. Every site uses different criteria for rating the password strength, so a word deemed ‘weak’ on one site might be hailed as ‘strong’ on another.
Even within a single website, the strength criteria seem inconsistent and weird. Passwords we, as infosecurity specialists, know to be weak are deemed acceptable. For example, WordPress rates ‘qw12’ as ‘Good’. Oh really? And even when sites deem a password as feeble, some of them will still let you use it – Furnell discovered that Twitter, Windows Live and Yahoo fall into this camp.
There are widely accepted criteria for judging the strength of a password: a mix of upper- and lowercase letters, the inclusion of digits and special characters, the avoidance of dictionary words and common patterns, and, above all, length (because size does matter). Yet some websites will still let users act against their own best interests by selecting weak passwords. Why?
One useful thing that hacktivist group LulzSec did for us is make available a number of databases containing real-world user login credentials. Trawling through these databases is enough to make an infosecurity specialist weep. Yes, ‘password’ really is still used as a password – a lot. The same goes for ‘qwerty’, ‘123456’ and all the other classics.
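To make the inconsistency concrete, here are two meters side by side. This is an added example, not code from the article or from Furnell’s paper. The first meter counts character classes, the style that will happily call ‘qw12’ Good; the second estimates the brute-force search space, knocks it down for keyboard walks, rejects anything on a denylist of leaked favourites, and returns the reasons alongside the rating. The denylist, the mini-dictionary and the bit thresholds are constructed for the demonstration and stand in for the large breach-derived lists a real site would load.

```python
"""Two password meters compared: class-counting versus search-space estimation."""
import math
import re

# Constructed denylist standing in for a breach-derived list of common passwords.
COMMON_PASSWORDS = {
    "password", "qwerty", "123456", "12345678", "letmein",
    "abc123", "iloveyou", "monkey", "dragon", "football",
}

# Constructed mini-dictionary; a real checker would load a full word list.
DICTIONARY = {"summer", "winter", "secret", "welcome", "sunshine", "princess"}

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def naive_meter(pw: str) -> str:
    """Composition-counting meter: one point per character class present,
    one more for length >= 8. This style rates 'qw12' as Good."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    score = sum(1 for pattern in classes if re.search(pattern, pw))
    if len(pw) >= 8:
        score += 1
    labels = ("Very weak", "Weak", "Good", "Strong", "Very strong")
    return labels[min(score, 4)]


def has_keyboard_run(pw: str, min_run: int = 3) -> bool:
    """True if any min_run adjacent characters sit next to each other on a
    keyboard row, in either direction ('qwe', 'lkj', '456')."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(low) - min_run + 1):
                if low[i:i + min_run] in seq:
                    return True
    return False


def estimate_bits(pw: str) -> float:
    """Brute-force search space in bits: length * log2(alphabet in use).
    Halved for keyboard walks, which crackers try long before exhaustion."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"[0-9]", pw):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        pool += 33  # printable ASCII punctuation and space
    bits = len(pw) * math.log2(pool) if pool else 0.0
    return bits / 2 if has_keyboard_run(pw) else bits


def assess(pw: str):
    """Return (rating, reasons). The reasons let a registration page explain
    *why*, which a bare colour bar cannot. Thresholds are assumed values."""
    low = pw.lower()
    if low in COMMON_PASSWORDS:
        return "Rejected", ["appears in a list of commonly used passwords"]
    reasons = []
    letters_only = re.sub(r"[^a-z]", "", low)
    if letters_only in DICTIONARY:
        reasons.append(f"built on the dictionary word '{letters_only}'")
    if has_keyboard_run(pw):
        reasons.append("contains a keyboard walk such as 'qwerty' or '12345'")
    if len(pw) < 12:
        reasons.append(f"only {len(pw)} characters; length beats character mix")
    bits = estimate_bits(pw)
    if bits < 40:
        rating = "Very weak"
    elif bits < 60:
        rating = "Weak"
    elif bits < 80:
        rating = "Good"
    else:
        rating = "Strong"
    if reasons and rating in ("Good", "Strong"):
        rating = "Weak"  # patterns are cracked before any brute force begins
    return rating, reasons


def compare(passwords):
    """Both verdicts for each candidate, to show how far the meters disagree."""
    return {pw: (naive_meter(pw), assess(pw)[0]) for pw in passwords}


if __name__ == "__main__":
    for pw, (naive, better) in compare(
        ["qw12", "password", "qwerty123", "Summer2011!", "correct horse battery staple"]
    ).items():
        print(f"{pw!r:32} naive={naive:<12} better={better:<10} {assess(pw)[1]}")
```

Run as a script, the table shows ‘qw12’ rated Good by the class counter and Very weak by the estimator, while ‘Summer2011!’ earns Very strong from the counter (all four classes plus length) and only Weak from the estimator because it is a season with a year stapled on. The point is not that the second meter is right in absolute terms, but that two defensible-looking rules disagree wildly, which is exactly why a colour bar with no explanation teaches users nothing.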
Organisations such as SANS have formulated password policies that provide useful guidance. In fact, you can find any number of policies online, developed by organisations for their own use and offered to others as a template. But is it time to collate password best practices into a formal standard that website operators might actually accept and implement – and perhaps even mandate its use on any website that holds personal data?
Of course, there is a danger inherent in standards – that they become outdated too quickly. Remember when we used to think that six-character passwords were acceptable? (According to Furnell’s research, some websites still think this.) Now that attackers can rent multiple GPUs in the cloud to run password crackers, even an eight-character password is too feeble. The other problem with standards is that, during their formulation, they are beaten to a pulp by committees and self-interested parties until they represent only a lowest common denominator.
But a standard accepted across the industry would at least be a starting point. And it should address not just what is an acceptable password (or, better, passphrase), but also what advice is given to users when choosing passwords. Again, Furnell’s research found that this is highly inconsistent and usually inadequate.
There have been too many breaches for us to regard website security as a trivial matter. For example, we’ve witnessed a long litany of hijacked accounts on Twitter, whose primary advice on password choice seems to be limited to ‘make it tricky’, whatever that’s supposed to mean. Those strength meters may help give you a feeling of confidence, but because they give no clue as to why a password is considered strong, they don’t actually help users understand the principles at work. Smarter registration procedures would explain why dictionary words are bad and why you should use a mix of character types. Sites should also encourage periodic password changes – not a single site I’m registered with does that.