Sending Mixed Messages With Passwords

The biggest security headache that consumers face on a regular basis may well be… the password. You need one to do just about anything online nowadays. This makes them very valuable targets of theft – as the news that “1.2 billion” passwords were stolen highlights. Unfortunately, remembering passwords for all the sites that people use every day can be a challenge.

With that in mind, I was interested when I heard about a paper that discussed how users manage multiple passwords. Unfortunately, this paper from Microsoft and Canadian researchers doesn’t actually provide very good advice, and may in fact promote dangerous practices.

Let me summarize the paper for those who haven’t read it: they suggest that users are incapable of following both of the key tenets of password security: that passwords must be secure (i.e., not easily found with a dictionary-based search), and that they must not be shared. The researchers suggest that users decide which accounts need to be protected with secure passwords; the other accounts can be protected with ordinary passwords that don’t have to be unique or secure.

This idea only works if you accept as a fact that the user is incapable of remembering secure passwords. However, that’s why password managers exist. This idea that a user must rely on their unaided memory is simply wrong. The computer – whether it’s a PC, tablet, or smartphone – is an extraordinarily powerful tool. Why not use it?

Yes, these managers are not perfect. Just last month, another group of researchers found vulnerabilities in several online password managers. However, they’re still a significant improvement over trying to remember passwords by rote memory, and it’s a gigantic improvement over using poor passwords. The perfect should not be the enemy of the good.

I try to make the advice I give as clear as possible. Whether or not that was their intention, studies like this muddle the water and send the message that bad passwords are okay. It depends on the user discriminating between what needs to be secure and what isn’t. However, many users are likely to trade convenience for security and choose weak passwords instead. It’s human nature to do so. Sadly enough, the users most likely to choose weak passwords are also the ones who are likely to fall victim to various online threats.

Let’s say, however, that someone really doesn’t want to use a password manager. That doesn’t mean you need to use a bad, recycled password. Consider this procedure:

Choose a simple password you already use. Let’s take “Snoopy2″ as an example.
Create an algorithm in your mind that uses the full domain name of the website you’re protecting. So, for example, it can be: “two first letters, two last letters and the number of letters it has, first letter in uppercase”. “twitter.com” becomes “Twer7″. It can be any algorithm you want, so long as you remember it.
Choose a number has means something to you. Your birthday, the age at which you met your husband, whatever. Let’s say I use the number “32″.
Put it all together. My password for twitter would be “Twer7snoopy232″. My next password for “awesomecyclingforum.com” would be “Awum19Snoopy232″. If I ever need to change it, just add one to the last number… or 7. It’s up to you.

The bottom line is: one day we won’t have to use passwords to log into sites anymore. That day, however, is not today. We’re still stuck with passwords, and we need to provide the best advice to users on how to create good passwords. A mixed message – like the one promoted by these researchers – is unhelpful at best, and wrong-headed at worst.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Sending Mixed Messages With Passwords