Jul 13 2009

Security: Not Quite Getting It

I got an iPhone 3GS yesterday (yes, it totally rules). While setting up online account access for billing, AT&T had me enter a password.

There was one of those colored password-strength meters next to the text field, and it said the password I entered was “weak”. Alright, I changed it to add some commas and dashes.

Then I hit Submit, and was told that passwords can only contain letters and digits.

sigh.
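The mismatch described above, where the meter rewards characters the server then rejects, is a policy-consistency bug: the meter and the validator score against different rules. The following is an added illustration in Python, not code from the post or from AT&T; the alphabet, the 12-character cap and the strength thresholds are assumptions made up for the example.

```python
import math
import string

# Assumed policy for the example (constructed, not AT&T's actual rules):
# only ASCII letters and digits, at most 12 characters.
ALLOWED = set(string.ascii_letters + string.digits)
MAX_LEN = 12

# Character classes a meter might credit. The naive meter credits
# punctuation; the policy-aware meter only credits what ALLOWED permits.
NAIVE_CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
                 string.digits, string.punctuation]
POLICY_CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits]


def validate(password: str) -> list:
    """Server-side check. Returns the list of violations; empty means accepted."""
    problems = []
    bad = sorted({c for c in password if c not in ALLOWED})
    if bad:
        problems.append(f"disallowed characters: {''.join(bad)!r}")
    if len(password) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    return problems


def _bits(password: str, classes: list) -> float:
    """Crude entropy estimate: length * log2(size of the classes actually used)."""
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def _label(bits: float) -> str:
    # Thresholds are assumptions chosen for the example.
    if bits >= 60:
        return "strong"
    if bits >= 40:
        return "medium"
    return "weak"


def naive_meter(password: str) -> str:
    """The kind of meter the post describes: it scores punctuation the
    server will later reject, so its verdict is disconnected from policy."""
    return _label(_bits(password, NAIVE_CLASSES))


def policy_aware_meter(password: str) -> str:
    """A meter that runs the same validator the server runs first, and only
    then estimates strength over the alphabet the policy actually allows."""
    if validate(password):
        return "rejected"
    return _label(_bits(password, POLICY_CLASSES))


if __name__ == "__main__":
    for pw in ["apple1", "ap,ple-1", "Tr0ub4dorXz9", "Tr0ub4dorXz9a"]:
        print(f"{pw!r:18} naive={naive_meter(pw):8} "
              f"policy-aware={policy_aware_meter(pw):8} problems={validate(pw)}")
```

The point is that the meter is a user-interface view of the validator, so both should be derived from the same policy object; otherwise the meter tells users to add characters that the back end will refuse.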


4 Responses to “Security: Not Quite Getting It”

  • josh susser Says:

    When I worked at EarthLink I discovered there was a company policy to require users to have only letters and digits in their passwords. It was because they wanted call center agents to be able to spell out passwords over the phone to users when they forgot them, and the heavy accents of many of the agents working overseas made saying things like “asterisk” hard to understand. Heavy sigh.

  • FJ de Kermadec Says:

    At least, the policy had a reason to exist, even if a poor one. Ideally, no call centre agent should ever be required to spell out passwords over the phone, but then again, in an ideal world users would never forget their credentials.

    As far as passwords containing only numbers and letters being weak, it is open to interpretation. Certainly, they will be weaker than random passwords containing all sorts of nasty ASCII goodness, but these will be weaker than passwords containing all UTF-8 characters, which will be weaker than…

    In most cases, locking accounts after a certain number of unsuccessful attempts and requiring a modicum of difficulty will be ample enough. While the chances that a robot will try “apple1” as a password are extremely high, the chances it will get it in three tries or less (for example) are considerably lower.

  • Jens Alfke Says:

    Yeah, I coincidentally just saw this paper (via Bruce Schneier’s blog):

    “Do Strong Web Passwords Accomplish Anything?”
    ABSTRACT: We find that traditional password advice given to users is somewhat dated. Strong passwords do nothing to protect online users from password stealing attacks such as phishing and keylogging, and yet they place considerable burden on users. Passwords that are too weak of course invite brute-force attacks. However, we find that relatively weak passwords, about 20 bits or so, are sufficient to make brute-force attacks on a single account unrealistic so long as a “three strikes” type rule is in place. Above that minimum it appears that increasing password strength does little to address any real threat…

    It still seems that AT&T’s strength-o-meter was out of sync with their password standards, since a ten-character password consisting of a mix of letters and digits (with no words) still ranked as ‘weak’. I didn’t fool around with it enough to see what counted as ‘strong’ — if I had, maybe I’d have found that they require passwords to be less than 12 characters too :-)

  • Daniel Weinreb Says:

    The “three strikes” rule can be very annoying for ordinary people. One is told to not use the same passwords for every site, but that makes it easy to forget which password goes with a given site. So you try a few of the passwords you remember thinking up, and now you’re frozen out of your account. If it’s your bank, that’s a serious problem.

    Better is a scheme that limits the overall number of passwords that can be tried per unit time. However, you have to impose that limit system-wide, not just for password attempts coming from one particular place. Otherwise, a distributed attacker can defeat the limit by coming from many places. And if you do put in such a limit, the distributed attacker can deny service to everyone trying to log in.

    I think brute-force attacks really do have to be worried about.

    The easy thing is to let people use pass phrases. They’re plenty long so they have plenty of entropy, but they are far easier to remember and to type than mixing case and using non-alphabetics.

    The last thing you said is the true killer: they require passwords to be twelve characters or fewer. Why are they doing that? Did they only have twelve columns available on their Hollerith card?

    [Thank you’s to my friend Olin Sibert, from whom I learned all this.]
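The numbers behind the last two comments (the "about 20 bits plus three strikes" figure from the quoted paper, the passphrase argument, and the point that a per-source limit is multiplied by the number of sources while an account-wide limit is not) can be worked out directly. This is an added example in Python, not code from the post, the paper or any commenter; the alphabet sizes, the word-list size and the rate-limit figures are constructed assumptions.

```python
import math
from collections import defaultdict, deque

# Constructed alphabet sizes (assumptions for the example).
ALNUM = 62            # letters and digits only, as in the post
ALNUM_PUNCT = 62 + 32  # plus printable ASCII punctuation
WORDLIST = 7776       # a Diceware-sized word list, assumed


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random secret of `length` symbols."""
    return length * math.log2(alphabet_size)


def online_success_probability(bits: float, attempts: int) -> float:
    """Chance that `attempts` guesses (e.g. three before lockout) hit a
    uniformly random secret of the given strength."""
    return attempts / 2 ** bits


def daily_guess_budget(per_source_per_day: int, sources: int,
                       per_account_per_day=None) -> int:
    """Guesses per account per day available to someone with `sources`
    vantage points. A per-source limit scales with the number of sources;
    an account-wide cap does not (Daniel Weinreb's point)."""
    budget = per_source_per_day * sources
    if per_account_per_day is not None:
        budget = min(budget, per_account_per_day)
    return budget


class PerAccountRateLimiter:
    """Sliding-window limiter keyed by account rather than by client address,
    so spreading attempts across many addresses does not raise the budget.
    The flip side, as the comment notes, is that anyone can exhaust the
    window for an account they do not own, so this needs pairing with
    something else (e.g. a delay rather than a hard lockout) in practice."""

    def __init__(self, max_attempts: int, window_seconds: float):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._attempts = defaultdict(deque)

    def allow(self, account: str, now: float) -> bool:
        q = self._attempts[account]
        while q and now - q[0] >= self.window:   # drop attempts outside the window
            q.popleft()
        if len(q) >= self.max_attempts:
            return False
        q.append(now)
        return True


def compare_policies() -> dict:
    """Entropy of a few representative uniformly random secrets."""
    return {
        "12 alnum (the site's cap)": entropy_bits(ALNUM, 12),
        "8 alnum+punct": entropy_bits(ALNUM_PUNCT, 8),
        "5-word passphrase": entropy_bits(WORDLIST, 5),
    }


if __name__ == "__main__":
    for name, bits in compare_policies().items():
        print(f"{name:28} {bits:6.1f} bits")
    print("P(success in 3 tries vs 20 bits):", online_success_probability(20, 3))
    print("per-source 100/day, 1000 sources:", daily_guess_budget(100, 1000))
    print("same, account-wide cap 500/day:  ", daily_guess_budget(100, 1000, 500))
```

Note that the entropy figures assume uniformly random choice; a passphrase built from common phrases, or a 12-character string that is really a word plus digits, has far less entropy than the table suggests, which is exactly why the meter in the post is measuring the wrong thing.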