28 December 2011
Yesterday, I posted a deliberately provocative idea, one I called "evil": disclosing old passwords when the password is changed. The objections were predictable; I agree with many of them. The idea, the problems with it, and what they say about passwords are worth a deeper analysis.
The most trenchant objection was from people who reuse the same passwords on multiple sites. Precisely: this, in my opinion, is the single biggest security flaw with passwords as they're used today. Never mind the old bugaboo about guessable passwords; while they're sometimes an issue (see below), today's attackers are generally more likely to use keystroke loggers to collect passwords as they're typed, launch phishing attacks, or hack web sites and collect them en masse, especially from poorly-designed servers that store them in the clear. In the latter case, you're in serious trouble if you've reused a login/password pair, because the attacker now knows your credentials for many other sites.
The defense is simple: don't do that. Don't reuse passwords.
I can hear the objections to this, too: people have too many passwords to remember, especially if they're all "strong". I agree; I have over 100 passwords for web sites alone. The solution I suggest is obvious, if you're willing to ignore religious doctrine: use a pseudo-random generator to produce as many "strong" passwords as you need, and store them somewhere safe and convenient. That's what I do; for me, "safe and convenient" is encrypted cloud storage, so I can get at them from the three computers and two iToys I regularly use. For other people, it might be on an encrypted flash drive, or a piece of paper, or even the proverbial yellow sticky attached to the monitor.
Yes, it's heretical; we've been told for decades that we shouldn't do that. But security isn't a matter of being in a state of grace, nor is insecurity equivalent to sin. Rather, it's a question of cost-effective defenses against particular threats. For most passwords — repeat, most — the threat is not someone who has wandered into your home office, nor is someone likely to mug you for the flash drive on your keychain in order to learn the password to your Twitter account. Rather, they'll plant keystroke loggers and hack servers. They may resort to guessing attacks, but almost always that's done for targeted attacks, where they're trying to get you in particular. Against ordinary, large-scale attacks, that isn't done as much; there's not nearly as much benefit to the attacker. But if you follow my suggestion, you can make your random passwords as strong as you wish, at no extra cost; software can remember R@s1o+=/)ket` as easily as it can 123456.
Now — there are passwords one perhaps shouldn't treat that way. Important passwords for access within your organization, where physical access to your monitor becomes a concern, shouldn't get the yellow sticky treatment. The same might hold true for bank account passwords, even on home monitors. Again, though, you have to analyze the threat model: who would benefit from your passwords, and how would they be able to get them?
Let's turn back to my evil idea. The second most common objection (other than "I can't remember that many strong passwords") had to do with patterns of passwords. Again, yes; that's precisely the weakness (and it is a weakness; people have written programs to guess new passwords based on old ones) the idea was intended to combat. A more interesting question is what threat model you're trying to guard against if you bar similar successor passwords. The only possible answer is that you think an adversary (a) has a given old password, (b) hasn't yet extracted all necessary value from it; and (c) values it (as opposed to an arbitrary one on that site) enough to launch a similarity attack against against precisely that user. I suspect that such cases are quite rare. Ordinary passwords are available in bulk; useful financial passwords are often employed quickly to loot an account; login passwords are used quickly to plant back doors.
So — why was my original idea "evil", if it it defended against a serious problem or didn't really affect user security in any real sense? The problem with it is that it encounters extremely strong user resistance. I can't think of any countermeasures, but there's rarely much benefit to annoying your users that much. If you have that much of a problem with bad passwords, the proper solution is to use a better authentication mechanism, not to make people very unhappy.
One more thing: when analyzing security behavior, look at the threat model and ignore religion. The classic Morris and Thompson paper on password security taught us an attack — password-guessing — but it does not tell us when this is a threat. Treating it as holy writ divorced from the surrounding reality does no one any good.