Virgin passwords
A couple of weeks ago, I tried to set up online access to a bank account. User ID must be nine to 20 characters, and if it's only nine characters, it can't be all numbers. Password must be at least eight characters, one must be a number, it must be different from the user ID, it cannot contain three or more of the same characters next to each other, and it's case sensitive. I don't know how you react to instructions like that, but instantly my mind's a blank. Which is why I have a personal algorithm for generating passwords. I think websites with directions as complex as this should provide a sample that shows, rather than tells, people what they mean. Isn't that the first rule of storytelling?
If you're going to have that many rules, I think you might as well just post a password generator on your site that spits out, say, ten conforming passwords and let people pick one. In this case, the site then asked me to answer five secondary security challenge questions...which are likely to be the weakest point for attackers to exploit because no one ever insists that the question - or the answers - should be unique to the site or imposes complexity rules on the replies. These answers notoriously can be leveraged by attackers.
The BBC a few weeks ago, when it offensively started requiring logins wanted: at least eight characters, at least one letter, at least one number or symbol. My house number and postcode perfectly fits that template. Is that secure? Do I care if it is? What is the worst thing an attacker will do with that account? Watch a TV show I disapprove of?
The WELL (you can see I've been taking notes) also has rules, but in an unusual bit of friendliness offers a tradeoff: longer but simpler, or shorter but more complex. That's about the most "empowered" I've ever felt about a password. Bonus question: which is harder to type on a mobile phone? Typing that prompts a thought: smart phones could make this easier by implementing a password keyboard that expands to fill most of the screen and includes numbers and special characters. My guess: something like that will never happen. And it will be blamed on us.
I was planning to write about this...sometime, but then this week Charles Arthur's The Overspill sent me to Troy Hunt's discussion of the evolution of password guidance. Much of what he says there is sensible advice that if adopted will make life easier for users; he draws on recent guidance offered by the US National Institute for Standards and Technologies, the UK's National Cyber Security Centre, and Microsoft. Of the three, I'm most familiar with the NCSC guidance because it was based on research from the Research institute for the Science of Cyber Security, where I'm the in-house writer. Angela Sasse, who leads RISCS, has been writing about the problems with the usability of passwords since 1999, when she published Users Are Not the Enemy. Eighteen years later, many people are still asking users to do cognitively impossible things and then blaming them when they can't. That governments are adopting a saner approach is a big step forward.
For that sort of reason, one section of Hunt's discussion strikes me as unworkable and user-unfriendly: his proposed restriction on using any password that has *ever* been captured in a data breach. Commenters point out the processing overheads involved in comparing all those passwords, and the article doesn't remind sysadmins to hash and salt stored passwords securely. But the issue that occurred to me is: *in what context*?
It matters greatly if my banking password is in all the hacker dictionaries; it matters much less if the password I have to create in order to read articles on a random publication's website has been captured. Surveillance capitalists seeking to monetize tracking the articles I read don't need my password to do it. There's a real argument that sites should stop insisting on superfluous password protection.
What I'd like to see is context-sensitive password requirements. If they insist, a user ID should be sufficient for just reading articles. When the stakes associated with your account rise - say you want to post comments - then you create a password. If you store sensitive personal or financial details, only then are you reminded to create something stronger. Save the effort for where it's needed, just as you wouldn't post a cheap metal dinner fork in as many layers of protective wrapping as a 1984 Taylor guitar. Some online banks do this: logging in with just a user ID and password lets you see your account, but if you want to perform financial transactions you have to use their two-factor authentication.
Returning to Hunt, the other problem with his proposal is that it will soon hit the limits of available resources. The universe of password strings is finite; the universe of passwords people can remember or type accurately is vastly smaller. Smaller still is the reservoir of user patience. Only someone who followed all of Hunt's other recommendations - especially the one about allowing pasting and password managers - could realistically implement the virgin passwords rule.
Illustrations: Lorrie Cranor's bad password fabric; Angela Sasse.
Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.