
The Digital Tumbleweed

Thoughts and ramblings of an enthusiast

And Your Password Is…N4z!.

Often I hear people complain about the complication involved with security measures. Also, when something happens such that information is leaked or a security breach happens, I hear people complain about how there is not enough focus on security. Security is not meant to be user friendly. It is supposed to be a responsibility.

Today I read a post over at the Influential Marketing Blog about passwords called “Don’t be a Password Nazi“. And, at first when I read it I thought, “You know, he’s right…why do we make it so damn complicated on users.” I even got to the point where I started to comment on the post. I was a couple lines in and thought, “Wait a second…security should come first!” Thus, I’m going to list the points and retort.

“Let users choose an appropriate level of security. I understand that to access your online banking, you need to have a really secure password. The problem is that many sites take a one size fits all approach to passwords. Do we really need the same security to log in to read my subscription of the NY Times? Of course not. More sites need to consider how secure their site really needs to be, and give users more flexibility to choose any kind of password instead of doing things like requiring capital letters, numbers or changes every 3 months.”

User information is generally _very_ telling about the passwords that s/he uses. Thus, if I manage to crack a password to someone's Times account, I can find all sorts of information about them which is going to be generally useful in figuring out who they are. Beyond that, I get information such as email address, local address, phone number, and so forth. This kind of information is incredibly useful when doing social engineering. I can now call you up acting as someone from the Times or some other account that I think you may have access to and ask for passwords and other information. Most people would be skeptical at first, but the art of social engineering is the ability to convince that person that you mean no harm. And, I don’t need everyone’s information, I only need a couple of people to “volunteer” this information. Thus letting users pick their level of security is a bad idea. Most people would pick weak and then throw in a password like “pickles”. Bad idea.

“Use password hints instead of just resetting. Many times, a user will know their password, they just need a hint in order to get it. For this reason, password hints can be very effective, because they are immediate and let a user get their password without submitting a form, waiting for an email, clicking a link and going through a long process to access your site.”

Normally I would say this is alright; most companies do it. However, most of the time these “hints” are ridiculous. Asking me something like “What is your mother's maiden name?” is easy to crack. Most systems do not build in a “three strikes and you're out” security feature. This means I can run a dictionary attack over the most common last names until I find a match. It’s easy, it’s effective, _and_ it can be distributed. That means that I can fire the attacks from multiple machines around the world. This makes it far more complicated to track down and stop. Also, it means that I can perform the attack faster. It’s unfortunate, but it is one of those things that you need to be mindful of.

“Share your syntax rules. I have one type of password I use if a site requires me to use a capital letter. I have another if a site tells me I need to do that along with a number. Sometimes, if I knew the syntax rules that a particular site used, that would be enough of a prompt for me to “remember” my password and get into the site. The most frustrating thing as a user is to go through the whole process to reset your password only to realize that you had it correct all the time, you were just forgetting to capitalize a letter.”

While sharing may be caring, in this case it hinders. Sharing password syntax greatly reduces the number of possible choices a cracker is required to go through, making a system extremely insecure. I have an example; there is some math involved, but for my own sake I’ve tried to keep it simple. :)
Think of it this way: if I have a password that is only one character long and it can be alphanumeric plus the special characters along the top of the number row on a keyboard, how many possible passwords can I have? 26 letters, doubled for capitalization, 10 digits, and 10 special characters. That is a total of 72 possible passwords.

Now, let's assume that I have a password that is two characters long with the same password constraints. That would be 72 squared, equaling 5184 choices. Let's assume that we tell our users that they are required to use a special character (the row along the top of the numbers for our example). I’ve now taken the set of possibilities down a huge peg. I’ve now said that the password is only a set of 72 * 10, which is 720 possible choices.

You can see that having to cycle through a fraction of the set of possible passwords is considerably easier than the whole thing. Thus, sharing syntax rules probably isn’t a great approach. Obviously if you don’t match the syntax rules then a system will yell at you about it. But, stating the rules would purely be a courtesy to the cracker and nothing more.

“Think outside the “password.” One thing that I have always loved about Priceline is after entering my email address on the site, it never asks me for my password. Instead, based on the email, the site asks my response to a personal question that I set when I first registered. As a result, I have never forgotten or had to look up my password for the site. It also makes me FAR more likely to visit that site first and return over and over - because they make it easy for me to login.”

Ease of logging in should never be a determining factor in whether someone decides to use a site or not. In fact, the easier it is, the less likely I am to use it. I find myself being very critical of sites that are too easy to log in to. With the advent of social networking sites wrangling data from other sites using your account information, wouldn’t you like it better if you knew your information was secured?

I really have a hard time with insecure behavior and arguments because I know that we should all be looking for something better. Why is it that security only takes a back seat until something goes wrong? Why is it that backing up data takes a back seat until something goes wrong? Why not spend the time to do something right instead of taking the easy way out? I am guilty of thinking all the same things posted above, but we need to change the way we think about these issues. We need to spend time and money on data backups and security. It does cost money and time to do both, but when we don’t, we set ourselves up for failure.

If we look again at the social networking sites, think about the plethora of information that is available. If I am connected to 200 people and someone nabs my password, they now have access to those 200 people and their information.

This is the way I look at it. Being a user and developer of systems, I want to build something that I may actually use. I want to feel secure with the tools that I’m using, there is a reason I am using the tool. I feel a great deal more loyalty towards a company/brand if I know that they put the chips in when it counted and didn’t take shortcuts so that it was easier on me. I prefer that my house be stable and be forced to walk up stairs rather than put an elevator in which could cause the house to collapse at any point. Lock down my passwords like Fort Knox for all I care. Shouldn’t this be what we all want?

** UPDATE **

I realized this morning that all I did was shoot down the ideas mentioned above without providing any sort of solution. So, there are a couple of things here. First, private/public keys are great for this sort of thing. You can authenticate that you are who you say you are with matching keys. Sites that built in a system for this would be far better off. Then someone only needs to dump the public key into the site.

Along with this, we should be using “https” more often. This allows encrypted page viewing such that a person can’t sit between you and your website and watch your data. Think of the issues with wireless communication here. We were all concerned that people were going to see information on our wireless network. Agreeing that this was a problem pushed the industry toward encrypting wireless data, and now we have WEP and WPA among others.

Lastly, I would say that using OpenID is the best way to go. If you can’t remember information, then you store your password once, remember one password, and use one password. But, I do not think this should be taken lightly. A single password is a single point of entry for any site you visit. Not only that, but other services can be registered in your name. However, used with the other two suggestions I’ve made, you have a fairly well locked down authentication system that could lend itself to being the most user friendly approach while not skimping on security.

SQL Injection Scanners

With the work I’ve been doing nowadays I have no real need to use a SQL injection scanner, but I’m certain that these are useful. Security is usually not scheduled into development, but it should be. And, if you are in the position where SQL injection is possible, you may want to consider checking out the following link.
http://www.security-hacks.com/2007/05/18/top-15-free-sql-injection-scanners