Saturday, August 7, 2010

Consumer Password Worst Practices

The dispiriting lack of originality that many online users show in choosing passwords has been on display again in recent months.

In January, researchers at Web security firm Imperva announced the results of an in-depth analysis of real-world password choices.

Imperva examined a trove of 32 million passwords belonging to users of RockYou, a developer of social networking software, that were exposed when RockYou was hacked.

The most popular password, they found, was "123456", the choice of almost 300,000 RockYou users, or roughly one percent of the 32 million. The second most popular password was "12345", and "Password" was the fourth most popular choice.

Twitter, for its part, has banned 370 "obvious" passwords from being used to secure its users' accounts, while other researchers have studied and written about the illusory security of the challenge questions that many financial and e-commerce Web sites rely on.

Cormac Herley of Microsoft Research and his colleagues found that such easy-to-guess passwords are vulnerable to statistical guessing attacks, in which automated tooling works through a dictionary of common or popular passwords, most popular first, in repeated attempts to log in to an account.

Limiting the number of login attempts a user is allowed is the easiest way to blunt such attacks, but getting users to pick unusual passwords is also part of the solution.
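As an added example (not part of the original post, and not Imperva's or Microsoft Research's code), the following simulation shows what a statistical guessing attack looks like and what a per-account attempt limit does to it. The account set and the "leaked" corpus it ranks are constructed and hypothetical; only the attacker's method, ranking a leak by frequency and guessing the most common passwords first, is the real one.

```python
"""Added example: a simulated online statistical guessing attack and the effect of an attempt limit."""
from collections import Counter

# Constructed account set for the simulation (hypothetical users; not RockYou data).
ACCOUNTS = {
    "alice": "123456",
    "bob": "password",
    "carol": "12345",
    "dave": "iloveyou",
    "erin": "123456",
    "frank": "qwerty",
    "grace": "Tr0ub4dor&3",
    "heidi": "abc123",
    "ivan": "monkey",
    "judy": "123456789",
    "mallory": "correct horse battery staple",
    "niaj": "football",
}

# Constructed stand-in for a leaked password corpus; the counts are invented, but the
# attacker's method is the real one: rank by frequency and guess the most common first.
LEAKED_CORPUS = (
    ["123456"] * 50 + ["12345"] * 20 + ["123456789"] * 15 + ["password"] * 12
    + ["iloveyou"] * 10 + ["princess"] * 6 + ["qwerty"] * 5 + ["abc123"] * 4
    + ["monkey"] * 3 + ["football"] * 2
)


def build_guess_list(corpus):
    """Rank passwords seen in a leak by frequency, most common first."""
    return [pw for pw, _ in Counter(corpus).most_common()]


def online_guessing_attack(accounts, guesses, attempt_limit=None):
    """Try the ranked guesses against every account.

    attempt_limit models a per-account lockout: once that many attempts have been
    made, the account stops answering.  None means the site imposes no limit.
    Returns {user: number of guesses needed}, with None for accounts that survived.
    """
    results = {}
    for user, secret in accounts.items():
        results[user] = None
        for attempt, guess in enumerate(guesses, start=1):
            if attempt_limit is not None and attempt > attempt_limit:
                break  # locked out before this guess could be made
            if guess == secret:
                results[user] = attempt
                break
    return results


def compromised(results):
    """Sorted list of the accounts the attack broke into."""
    return sorted(user for user, n in results.items() if n is not None)


def cumulative_yield(accounts, guesses):
    """How many accounts fall after 1, 2, ..., len(guesses) guesses per account.

    The first few entries carry most of the attacker's return, which is exactly
    what makes a statistical guessing attack worthwhile.
    """
    results = online_guessing_attack(accounts, guesses)
    return [sum(1 for n in results.values() if n is not None and n <= k)
            for k in range(1, len(guesses) + 1)]


if __name__ == "__main__":
    guesses = build_guess_list(LEAKED_CORPUS)
    print("guess order:", guesses)
    print("accounts compromised after k guesses:", cumulative_yield(ACCOUNTS, guesses))
    for limit in (None, 3, 5):
        hit = compromised(online_guessing_attack(ACCOUNTS, guesses, limit))
        print(f"attempt limit {limit}: {len(hit)}/{len(ACCOUNTS)} accounts fell: {hit}")
```

With no limit, ten of the twelve constructed accounts fall; a three-attempt lockout cuts that to four. The caveat a practitioner should take from the numbers is that the lockout only caps how far down the list the attacker can go per account: everyone whose password sits in the top three still loses, because the attacker needs only three guesses per account and can spread them across as many accounts as the site has. That is why banning the most common passwords outright belongs alongside the attempt limit.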

Ensuring that users actually choose secure passwords, however, is harder than it sounds, the researchers wrote in their paper, which is available on Microsoft Research's Web site.

Features that many Web sites use to enforce password security may be having the opposite effect, the researchers argue. Strength meters and composition rules (a minimum length, required digits or non-standard characters) are only indirect means of producing secure passwords: they often merely push users toward a different set of predictable choices that can be guessed just as easily.
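To make that argument concrete, here is an added example (not code from the original post or from the researchers) that puts a typical composition-rule checker beside a blocklist check of the kind Twitter's banned-password list represents. The blocklist and the character-substitution table are constructed and deliberately small; a real deployment would load a large list from a leak such as the one Imperva analyzed.

```python
"""Added example: a composition-rule checker beside a normalized blocklist check."""
import re

# Constructed blocklist standing in for a "most common passwords" list (not Twitter's
# 370 banned passwords or Imperva's top list); a real deployment would load a large one.
COMMON_PASSWORDS = {
    "123456", "12345", "123456789", "password", "iloveyou", "princess", "qwerty",
    "abc123", "monkey", "football", "Password1", "P@ssw0rd", "Password1!", "Qwerty123!",
}

# Hypothetical, deliberately small table of the substitutions users make to satisfy
# "must contain a digit or symbol" rules.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "$": "s", "7": "t"})


def composition_policy(pw):
    """The familiar rules: at least 8 characters with upper, lower, digit and symbol."""
    checks = [
        len(pw) >= 8,
        bool(re.search(r"[A-Z]", pw)),
        bool(re.search(r"[a-z]", pw)),
        bool(re.search(r"\d", pw)),
        bool(re.search(r"[^A-Za-z0-9]", pw)),
    ]
    return all(checks)


def normalize(pw):
    """Reduce a password to the base word a guesser would start from.

    Lowercase it, drop the trailing digits/symbols that rules push people to append,
    and undo the common character substitutions.  The same function is applied to the
    blocklist, so 'Password1!' and 'P@ssw0rd' both collapse to 'password'.
    """
    core = pw.lower()
    stripped = re.sub(r"[\d\W_]+$", "", core)
    if stripped:                       # all-digit passwords keep their digits
        core = stripped
    if re.search(r"[a-z]", core):      # only de-leet something that has letters
        core = core.translate(LEET)
    return core


NORMALIZED_BLOCKLIST = {normalize(p) for p in COMMON_PASSWORDS}


def blocklist_policy(pw, blocklist=NORMALIZED_BLOCKLIST):
    """Accept the password only if its normalized form is not a known common one."""
    return normalize(pw) not in blocklist


def evaluate(pw):
    """(passes composition rules, passes blocklist) for one candidate password."""
    return composition_policy(pw), blocklist_policy(pw)


if __name__ == "__main__":
    candidates = ("Password1!", "P@ssw0rd", "123456", "correct horse battery staple", "Tr0ub4dor&3")
    for candidate in candidates:
        comp, block = evaluate(candidate)
        print(f"{candidate!r:34} composition={'pass' if comp else 'FAIL'}  blocklist={'pass' if block else 'FAIL'}")
```

The composition checker rates "Password1!" and "P@ssw0rd" as fully compliant even though, once the appended digit and the substitutions are stripped, each is the fourth most common password on the RockYou list; the blocklist rejects both. It also accepts a long passphrase that the composition rules would refuse for lacking an upper-case letter. The normalization is lossy on purpose: a false positive costs the user another try at choosing, a false negative costs an account.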
