Password validation security issue

Steven D'Aprano steve+comp.lang.python at pearwood.info
Sun Mar 2 20:16:47 EST 2014


On Sun, 02 Mar 2014 15:01:09 -0500, Roy Smith wrote:

> Security is as much about cryptography as it is about human factors and
> business drivers.  You can make things resistant to brute-force attacks
> by using longer keys, but people are still going to pick bad passwords.

Yes. But:

> You can force them to pick "good" passwords by rejecting their first 37
> choices, but all that does is encourage them to write the passwords down
> on sticky notes.

There is nothing wrong with writing passwords down on sticky notes. 
(Well, figuratively speaking. Perhaps not *literal* sticky notes, since 
they are too easy to lose.) You have to ask, what is the threat you are 
trying to defend against?

If your threat is that the Secret Police will break your door down at 
3am, and smash your fingers one at a time until you give them your 
passwords, then strong passwords that only you remember will not save you.

If the threat is that your little brother will log into your hotmail 
account and send rude messages to your school friends, then writing your 
password down on a Postit and sticking it on the computer is insecure, 
but keeping it in your wallet or purse may be secure enough.

Today, one of the biggest (but not the only) threats most people face is 
the mass theft of passwords from idiot organisations that store them in 
insecure databases as plain text. There's not much we, the users, can do 
about that, except complain complain complain when it happens. Possibly 
sue, on the basis that storing passwords as plain text is not within a 
million miles of best practice or even standard practice.

Another threat comes from black-hat hackers breaking your password. 
Whether they want *your* password specifically, or just picked your 
account randomly, this is where strong passwords can have a good effect. 
Until such time as an attacker can reach through the Internet to read the 
password on your Postit Note, writing down your strong password and 
keeping it by your computer is an effective way to counter this threat.


> And, yes, you can make things more secure with 2FA, but there's a cost
> there.  You have to purchase and manage the infrastructure.  More than
> that, there's lost business if potential customers prefer a competitor's
> product because it's easier to access.  Many of the known insecure
> systems we use today are not that way because the people who run them
> are stupid; they're that way because the people who run them have worked
> the numbers and decided the cost to implement more secure systems would
> exceed the risk exposure.

While in principle you are right, in practice I think that most of these 
people and organisations start from a number of dodgy assumptions, starting 
with "Meh, it'll never happen...". They underestimate the risk, 
underestimate the consequences, ignore costs that don't apply solely to 
them (e.g. the cost of spam sent from tens of millions of compromised PCs 
and gmail accounts), overestimate the strength of their half-baked 
solutions, and ignore the portion of their user-base who actually does 
want better security.

When they do make a half-hearted attempt at security, it's often security 
theatre, e.g. I have a bank account with one bank that doesn't let you 
type your password, instead you have to click keys on a simulated 
keyboard on screen. You're limited to *six* (SIX!!!) case-insensitive 
alphanumeric characters, letters and digits only.

And then, to add insult to injury, they have the fecking cheek to hassle 
you every few months to change your insecure password for another 
insecure password, thus increasing the chance that you'll forget what it 
is and lock yourself out of the account. This encourages people to choose 
even weaker passwords, so they won't forget them.

Another bank I use eschews such ridiculous "security" and actually 
provides you with a real cryptographic key for which you have to provide 
a passphrase. A passphrase limited to *eight* alphanumeric characters. 
And I think it is case-insensitive, although I haven't actually tried it.

I expect that these idiots spent more time, effort and money *preventing* 
their users from putting in strong passwords than they would have spent 
to allow strong passwords.

 
> We recently got a frothing email from a user, which basically said, "You
> farking idiots, you emailed me my password in plain text!"  It turns
> out, his user name was the same as his password and what we had sent him
> (in response to an account recovery query) was his username.  In
> response to that, we altered our account generation process to forbid
> passwords which are too similar to your chosen username or email
> address.  Which, of course, means we've taken one more step down the
> road to forcing our users to write their passwords on sticky notes.

That's a good thing.

People have managed physical keys for *centuries*. Yes, there is a class 
of threats where you lose your key, or someone steals it, or makes a 
copy, but the risks are well-understood and can be managed even by your 
grandmother. We have good solutions for those problems that work well, 
and many of them apply just as well to sticky notes with secure passwords 
written on them.



-- 
Steven D'Aprano
http://import-that.dreamwidth.org/
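The rule Roy describes, rejecting a password that is too close to the
account's username or e-mail address, as an added Python example. This is
not code from the original thread or from Roy's system; the thresholds,
the difflib-based similarity measure and the function names are my own
assumptions about how such a check might reasonably be written.

```python
import difflib
import re

# Policy knobs. These values are assumptions for this example, not figures
# taken from the original discussion.
SIMILARITY_THRESHOLD = 0.7   # difflib ratio at or above which we reject
MIN_SUBSTRING = 4            # identifier fragments shorter than this are ignored


def _normalise(text):
    """Lower-case and strip everything but letters and digits, so that
    'Roy.Smith' and 'roysmith' compare as the same string."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def _identifiers(username, email):
    """Yield the normalised identifiers a password must not resemble:
    the username, the local part of the e-mail address, and each
    sufficiently long fragment of that local part ('roy.smith' -> 'smith')."""
    yield _normalise(username)
    local, _, _domain = email.partition("@")
    yield _normalise(local)
    for part in re.split(r"[._\-+]", local):
        if len(part) >= MIN_SUBSTRING:
            yield _normalise(part)


def password_too_similar(password, username, email=""):
    """Return a human-readable reason if the password resembles the
    username or e-mail address, or None if it passes the check."""
    pw = _normalise(password)
    if not pw:
        return "password is empty"
    for ident in _identifiers(username, email):
        if not ident:
            continue
        # Exact match, or the identifier typed backwards.
        if pw == ident or pw == ident[::-1]:
            return "password is the same as (or the reverse of) '%s'" % ident
        # One string embedded in the other, e.g. 'roysmith2014'.
        if len(ident) >= MIN_SUBSTRING and (ident in pw or pw in ident):
            return "password contains or is contained in '%s'" % ident
        # Near misses such as a single substituted character.
        ratio = difflib.SequenceMatcher(None, pw, ident).ratio()
        if ratio >= SIMILARITY_THRESHOLD:
            return "password is %.0f%% similar to '%s'" % (ratio * 100, ident)
    return None


if __name__ == "__main__":
    # Constructed sample account, not a real user.
    user, mail = "roysmith", "roy.smith@example.com"
    for candidate in ("roysmith", "RoySmith2014", "roysmyth1",
                      "correct horse battery staple"):
        print(repr(candidate), "->", password_too_similar(candidate, user, mail))
```

The check deliberately reports *why* a password was rejected, so the
sign-up form can tell the user what to change instead of just saying "no",
which is one of the things that pushes people towards ever weaker choices.
The normalisation step matters: without it, "Roy.Smith" would sail past a
naive comparison with the username "roysmith".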