Friday, March 19, 2010

How to pick a strong password

There's a snarky saying among IT professionals, that users are an infinitely renewable source of security risk.

There's certainly a difference in motivations between users and IT security folks, which generates a lot of frustration in the latter group. IT needs to manage risk; users are supposed to get their jobs done (in other words, make money for the company). It's a truism that we say that security is everyone's job; users say security is IT's job. I mean, look who gets paid for it.

There's a quite interesting research paper out from Microsoft's Principle Security Researcher, that argues that this attitude on the part of users is rational:
We argue that users’ rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort. Looking at various examples of security advice we find that the advice is complex and growing, but the benefit is largely speculative or moot.
I work pretty hard to filter out irrelevant security news and advice here, because I think that there's something to that. The people who get jazzed about a daily dose of triple propeller head security news probably aren't regular readers here. The security industry in general does a poor job of filtering out the noise, which leads to the "boy who cried wolf" syndrome:
He offers the following as reasons why:
  • Users understand, there is no assurance that heeding advice will protect them from attacks.
  • Users also know that each additional security measure adds cost.
  • Users perceive attacks to be rare. Not so with security advice; it’s a constant burden, thus costs more than an actual attack.
I (mostly) agree with the perception, although I think that attacks via passive downloaded malware (say, from advertisements that exploit vulnerable browsers) shouldn't be considered "rare".

IT also offers complicated advice. For example, this is typical for how to pick a secure password:

Password rules place the entire burden on the user. So, they understand the cost from having to abide by the following rules:

  • Length
  • Composition (e.g. digits, special characters)
  • Non-dictionary words (in any language).
  • Don’t write it down
  • Don’t share it with anyone
  • Change it often
  • Don’t re-use passwords across sites
As a public service, here's how to pick a very strong password that is easy for you to remember. Think of a sentence or a phrase that describes something about you that you will remember. For example:
I used to live on Pond St. when I was 6.
Now take the first letter from each word, preserving capitalization and punctuation:
That's one heck of a password right there, and is something that is easy to remember for you, and very hard to guess for an attacker. And it takes care of the first 5 bullet points listed above. Well done, you! And this is hard to argue with:
We have argued that the cost-benefit trade off for most security advice is simply unfavorable: users are offered too little benefit for too much cost.

Better advice might produce a different outcome. This is better than the alternative hypothesis that users are irrational. This suggests that security advice that has compelling cost-benefit trade off has real chance of user adoption. However, the costs and benefits have to be those the user cares about, not those we think the user ought to care about.
Anyone in IT really needs to read this. Anyone interested in security should take a read, too.

UPDATE 19 March 2010 13:44: Dr. Boli offers some (ahem) excellent security advice.


Anonymous said...

Security is always a trade-off with useability.

The ultimate in Security is a system that absolutely no one can access.

The ultimate in useability is a system that anyone can access from anywhere, at any time and for any purpose.

Practical reality must, by necessity, fall somewhere in between.

Ultimate security is going to have to give a little to make the system useable and vice versa.

Your password advice is excellent and one that I picked up from the IT's at one of the many colleges I've attended over the years (ODU to be specific).

But I do have a problem with a couple of the security advice line items.

We're expected to use a complicated password like the method you outlined, but don't write it down and use a different password for each system you need one for.

I'll use myself as an example. In my work, I have access to no less than 6 different customer database servers, two e-mail accounts, the main company server, several HR related third party servers (I think three, but it may be four), a third party company sponsored travel system and a third party expense reporting system.

Now, my company is working on consolidating some of the HR and company related stuff into a single sign-on system, but that's been an ongoing effort for a while, and it's not ready for prime-time yet, and it doesn't alleviate the need to access the customer servers.

So, right now, I have approximately 14 different systems that I would need to have strong passwords for, be able to remember all of those different passwords, which system each password goes to...and not write any of them down.


That's not even counting my personal stuff like online banking (I know, you don't use that...I do), account passwords for all my utility providers, Google password for Gmail, blogger, etc; facebook, flikr, My personal web site management account, two other web site accounts that I either manage or contribute to, etc etc etc.

It simply becomes an impossible task.

Does the risk of attack outweigh the costs of executing perfect security procedures?

I'd spend my entire day trying to remember passwords and getting the ones that I can't remember reset over and over again.

So, I exercise all the caution that it is practical to exercise (and I've gotten some great advice from you from time to time...thank you), I minimize risk where possible, and otherwise, I take my chances just like everyone else.

I have several strong passwords that I utilize but I duplicate among similar applications so I can remember which ones I used where...and I have a password protected document with all of my usernames and passwords documented just in case I forget one.

As you said, the IT people have a job to do and I respect that...however, so do I and the IT people need understand that when my job performance is at loggerheads with theirs, our priorities are, by necessity, going to diverge.

That's life.

elmo iscariot said...

Plus one.

The biggest issue, from my point of view, is the "change frequently" rule, especially when a system enforces it.

My office requires a password with a minimum length and non-alphabetic characters, and I deliberately chose non-dictionary words. But it requires a password change every two months, and keeping track of which nonsense word with numbers is the current password is just unrealistic.

Early on, that system drove me to track my changes and figure out how old a password needed to be before it could be reused. The only way I can keep track is by rotating in the same pattern, and keeping a note to remind me of the current password (not the full password written down, but a reminder). And that's just for one password on one machine.

Cmplex passwords are more of a drain on the brain-meats than security folks seem to realize, and enforced rotation propably causes a hell of a lot of people to write down their passwords than otherwise would.

Ian Argent said...

Password complzity requirements lead to gaming the system.

Example - the password requirements of at least 8 chars, with at least: one cap, one lower, one number and one special seems to be the "standard". But it's easily games by starting on the bottom row of the KB, running up the column, move over one column, and run down that colums with shift held down. Nice, neat, easy to rotate (move one column over to start), etc. And the easiest thing in the world to shoulder-surf...

(I dont' use this method, but the help desk does it to generate temp passwords, at which it's not bad - I grant. But do they do it for their own passwords?)