How Passwords Can Compromise Security

[This is based on a piece I wrote for IDC in Nov, 2000]

UPDATE: Since I originally wrote this piece, I've had a brush with password insecurity. A couple of my accounts were cracked. I haven't changed my basic thinking about passwords, but my passwords are now more obscure and more varied.

Passwords are the first line of defense against crackers, identity thieves, and old-fashioned crooks. Tens of millions of users now have dozens of passwords each, but our thinking about what makes for good passwords hasn't changed since the early days of computing, when only a small number of people had passwords for a small number of accounts.

Too-Secure Systems that Compromise Security

Problems often stem from our attempts to make passwords more secure. There are sound reasons for preventing users from using simple passwords. All of the accounts on a system could be compromised if someone is able to apply an encrypted dictionary to the system's password file.
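The "encrypted dictionary" risk in the paragraph above, worked through as an added example (this code is mine, not the author's or any site's): a precomputed table of hashed dictionary words is checked against a password file stored two ways. With one fast unsalted hash per user, the table is built once and recovers every account that chose a dictionary word; with a random per-user salt and a slow key derivation function, the same table matches nothing and the dictionary would have to be re-hashed for each account separately. The dictionary, the user list and the PBKDF2 work factor are constructed values for the demonstration.

```python
import hashlib
import os

# Constructed toy data, not from the article: a small "cracker's dictionary"
# and three users who all chose words from it.
DICTIONARY = ["password", "letmein", "sunshine", "dragon", "qwerty"]
USERS = {"alice": "sunshine", "bob": "dragon", "carol": "password"}
ITERATIONS = 100_000  # assumed PBKDF2 work factor for the example


def unsalted_hash(password: str) -> str:
    """The weak scheme: one fast hash, identical for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """The stronger scheme: per-user random salt and a slow KDF."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def make_unsalted_file(users: dict) -> dict:
    """Password file as a weak site would keep it."""
    return {name: unsalted_hash(pw) for name, pw in users.items()}


def make_salted_file(users: dict) -> dict:
    """Password file with a fresh 16-byte salt per account."""
    return {name: salted_hash(pw, os.urandom(16)) for name, pw in users.items()}


def encrypted_dictionary(words: list) -> dict:
    """'Encrypting the dictionary': hash every word once, up front."""
    return {unsalted_hash(w): w for w in words}


def accounts_recovered(password_file: dict, table: dict) -> int:
    """Accounts whose stored value appears in the precomputed table."""
    return sum(1 for stored in password_file.values() if stored in table)


def hashes_needed(password_file: dict, words: list) -> int:
    """Hash computations to test every word against every account.

    Unsalted: the table is built once and reused, len(words) hashes total.
    Salted: the salt differs per account, so the whole dictionary must be
    re-hashed for each one, len(words) * len(accounts) hashes.
    """
    salted = any("$" in stored for stored in password_file.values())
    return len(words) * (len(password_file) if salted else 1)
```

With the constructed data the unsalted file loses all three accounts to a five-entry table, while the salted file loses none and triples the work an attacker would have to do.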

But how far does a site go to keep users from choosing passwords that are in even the largest dictionaries? Some sites require a minimum of six characters, others a minimum of eight. Some sites require numbers or punctuation embedded in the password; others forbid it. This variation in policy keeps users from using the same password on multiple accounts. But because so many users have dozens of accounts, trying to prevent repetition is clearly unworkable.

Some sites don't let users change their passwords. (For instance, I couldn't find a way to change my password on United Airlines' site.) Other sites go even further, with machine-set passwords that cannot be changed. Some Internet service providers (ISPs) use old-fashioned computer-generated passwords (e.g., 3Uide#3j) that are designed to be impossible to guess. They're also impossible to remember.

Another related problem is that some sites don't let users choose their user names. Wells Fargo Online requires a social security number for a user's name, but Chase does not; United, Delta, and American Airlines require frequent flyer numbers. Why not let a user choose his or her name the way that Chase does? (The answer: It is easier for the company to keep track of the user names it assigns.) Are user names and passwords two different issues or part of the same issue? Presumably, the user name should be easy to remember, and the password should be hard to guess.

The predictable result is that users wind up with many user names and passwords they can't remember.

Insecure Password Systems

In the world described above, thousands of users will forget their passwords daily. The systems built to help them have made things even less secure.

Some passwords are visible to customer service representatives. Sprint PCS uses the same password for CSRs as it does for access to its online services. This gives the company's CSRs a good shot at cracking their users' accounts on other systems.

Passwords also can be delivered to insecure devices and email accounts. One of the worst examples again involves Sprint PCS. A user can ask Sprint PCS's Web site to send the password to his or her phone. If the phone is out of the user's control even briefly, anyone can get access to the password.

Users also need to keep in mind that they don't know who on a given system has access to that site's password file. They should therefore be careful about which sites get their "secure" passwords and which get their insecure ones.

Encouraging Bad User Behavior

Consumers are going to forget their passwords. But that's not the biggest threat. Hard-to-remember passwords will lead users to compromise online security in other ways.

Consumers will use Internet Explorer's AutoComplete or Netscape Navigator's Forms Manager to fill in passwords automatically. This not only makes their home and work computers inherently insecure, it also makes it difficult for users to access their accounts from other computers.

A number of ewallet and password storage companies have come and gone over the last few years. However, even if consumers adopted these technologies, which they have not done so far, it amounts to protecting all of those unique passwords with a single, master password. This adds no security.

Consumers will write down their passwords. Whether it's on a piece of paper, on a file on their computers, or somewhere else, if users believe they won't be able to remember a password, they will write it down. This is, of course, the classic password error.

Recommendations

What can site designers do to help their users keep their passwords more secure?

• Let users pick their own names. This is so fundamental that there is no reason for any site to use an account or social security number for a user name. Not only are social security numbers easy to find, but pieces of them are often used (inappropriately) as part of some security systems.

• Help your users, but trust them to pick good passwords. Make some suggestions about how to pick a good password, and check passwords against a cracker's dictionary, but don't require numbers and punctuation in a password.

• Don't let any employee see users' passwords. There is no excuse for this. If a password is needed to check a user's identity, obscure the password, check it, and tell the CSR whether it was correct.

• Don't deliver passwords to cell phones or other insecure devices.
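The second and third recommendations above, as an added example of my own rather than code from the article: a password-choice check that enforces a minimum length and a dictionary lookup but imposes no digit-or-punctuation rule, and a CSR-facing identity check that never exposes the stored record or the plaintext and returns only whether the password was correct. It goes slightly beyond the text by also rejecting dictionary words with digits tacked on the end and passwords that contain the user name. The denylist, the minimum length of 8 and the PBKDF2 work factor are assumed values for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed denylist standing in for a real cracker's dictionary.
CRACKER_DICTIONARY = {"password", "letmein", "sunshine", "dragon", "qwerty", "123456"}
MIN_LENGTH = 8        # assumed policy value
ITERATIONS = 100_000  # assumed PBKDF2 work factor


def check_password_choice(password: str, username: str) -> list:
    """Return the reasons a chosen password is rejected; [] means accepted.

    Length and dictionary checks only, as the article advises: there is
    deliberately no rule requiring numbers or punctuation.
    """
    problems = []
    lowered = password.lower()
    # A dictionary word with trailing digits ("dragon1") is still a dictionary word.
    base = lowered.rstrip("0123456789")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in CRACKER_DICTIONARY or base in CRACKER_DICTIONARY:
        problems.append("appears in a cracker's dictionary")
    if username and username.lower() in lowered:
        problems.append("contains the user name")
    return problems


def store_password(password: str) -> str:
    """What the account database keeps: a salt and a slow hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def csr_identity_check(stored: str, entered_by_caller: str) -> bool:
    """The only thing the CSR's tool gets back: correct or not.

    The stored record is never displayed and the candidate password
    never leaves this function; the comparison is constant-time.
    """
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", entered_by_caller.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```

A site can wire `check_password_choice` into its sign-up and change-password forms and give the customer-service application access only to `csr_identity_check`, so that no screen anywhere in the company ever shows a password.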