May 7th of this week was declared “Password Day”. In an attempt to increase awareness of password security, Intel and McAfee released a few infographics and online tools. As a security educator, it’s hard to find fault in efforts such as this. However-at the risk of sounding pedantic- with the focus on password strength, some other aspects of a holistic approach to security were overlooked.

Hard to Remember!= Hard to Crack

A popular online webcomic once covered the topic very analytically and calculated bits of entropy for passwords with different approaches to security.

  • On the one hand, very complex passwords prove hard for humans to remember and yet still relatively easy for computers to guess.
  • On the other hand, there are still passwords that are much easier for humans remember and much harder for computers to guess.

It seems like an easy choice when you look at the two statements above, but password complexity is a… complex issue for some. However, the math doesn’t lie- and a password composed of four separated, all lowercase, random regular words beats out an 11 character, mixed-case password incorporating multiple numerals using common replacements (such as zero for “o”), and at least one special character.

Test Your Security

There are several sites out there that offer to test the strength of a password. Most attempt to address security concerns by posting a warning for users not to enter their actual password or by proclaiming that the site is for educational use only (so much for an audit right?). The “best” sites don’t actually send your password across the network at all, and instead do the evaluation in the browser so that it never actually leaves the machine. But, a glaring omission in most of the sites is that without SSL- even though the password is not sent across the network- the user has no way to validate that the site is legitimate. In other words, a determined attacker has multiple avenues to replace the site with any content that they want and when the user enters their password (because let’s face it, most do… including the journalists writing about their passwords), it will indeed send it to the attacker. And keep in mind, “attacker” in this sense can mean the traditional Russian or Chinese attacker looking for monetary gain, but may also include an ISP that can inject content into webpages as they travel through their network, or a government agency of an authoritarian regime.

User Revolt

At least one comment on a Password Day article echoes the frustration that many users feel about password security:

  • Each website seems to have differing password requirements to achieve “complexity”- one website may require special characters while another doesn’t allow them
  • Password safes that generate and store passwords can help, but mean that logging in from somewhere without the safe at hand is impossible and initiating logins from a different device can be complicated even with the safe in hand
  • Password compromises force a user to change their password and begin anew with creating a password that matches the site’s password complexity requirements and then remembering it

It’s difficult on us as security educators, too. There are still people that just don’t get it. Reaching those people invariably preaches to some that are already in the choir and annoys them even more. We try to make enlightening comparisons to get the point across, use interesting graphics to back it up and then convey a dose of sensationalism to scare the sense into those that still don’t get it. And then- just when we think we have a rhythm down after a decade of the mantra at least eight characters, upper and lower case letters, numerals, and special characters”- someone does the math and it turns out that simple and long passwords blow all that out of the water.

A few things to keep in mind:

  • Be aware of the individual parts that contribute to security: such as password security
  • Be aware that the whole is greater than the sum of the parts: password security includes avoiding entering your password anywhere but where you need the password
  • Be aware of the holistic solution: SSL serves a purpose more than just encrypting the content as it provides a means to verify authenticity of the place you are entering your password