Tuesday, February 11, 2014

Bad Policies = Bad Passwords

   It seems that passwords are in the news again.  In the past I've discussed a number of aspects of the password dilemma.  Among the key issues are:
  • good passwords are hard to remember, and;
  • passwords you can remember are easy for attackers to guess.
   Adding to this mess is that many organizations do a poor job of protecting their storage of your password.  And now we have some new information...
Many organizations allow you to pick poor passwords on their websites by enforcing few or weak password construction requirements.
   We call these password policies, and these specify things like: how long the password can be; the minimum length it must be; what kinds of characters can or must be used; if the password needs to change, and; if there are some passwords that can't be chosen.

   There are a few specific online password policies that have never made sense to me:
  1. short maximum password length.  As I've written about many times before, when it comes to passwords... size matters!  I've seen so many websites that require the max length of a password to 12, or even fewer, characters.  This makes no sense.  If I want a 32 character password then I should be able to choose that.
  2. Passwords stored in the clear.  A website owner should never know what your password is.  These should be encrypted at selection or login time.  If a website can give you your password, that is a problem.
  3. no retry lockout.  After a certain number of incorrect password tries, your account needs to be locked.  If that number is too small, like 3, then too many people get locked out.  A number like 8 or 10 or 12 will stop an attacker from "brute-forcing" (guessing) your password.  But some sites allow as many retries as you (or an attacker) would like.
  4. "starring out" passwords.  I'm sure you've noticed that when you type in your password, all you see is ********.  But who are we worried about?  If I'm at a public ATM then I want my PIN blanked out.  If I'm on my computer, or worse, on my smartphone, I don't need that "protection".  And frankly it's tough enough to enter a password on a smartphone, even if I could see what I'm typing!
   The folks at Dashlane did a fantastic study covering the password policies of the top 100 e-commerce websites.  You can see their blog post here.
   Dashlane is a password vault/manager.  I've heard good things about it, but it's more expensive than my favorite, LastPass.  (actually Dashlane, like LastPass, is free if you only want to use it on a computer.  But if you want synching across devices, or mobile access, then you pay (LastPass provides free web access and synching, and a more reasonable price for mobile)
   Steve Gibson did a great job of covering this on his Security Now podcast episode 441.  I've mentioned before that Security Now is one of my favorite security podcasts.  Steve also created a shortcut to the full spreadsheet with all the data that Dashlane put together at bit.ly/sn441sheet.
   Here are a few interesting observations from Dashlane:
  • 55% allow weak passwords including “123456” or “password”
  • 51% make no attempt to block entry after 10 incorrect password entries (including Amazon, Dell, Best Buy, Macy’s and Williams-Sonoma)
  • 64% have highly questionable password practices (receiving a negative total score in the roundup)
  • 61% do not provide any advice on how to create a strong password during signup, and  93% do not provide an on-screen password strength assessment
  • 8 sites, including Toys “R” Us, J.Crew and 1-800-Flowers.com, send passwords in plain text via email
   So, think about that when you are creating passwords on these sites.  As we've discussed before, don't reuse passwords!

   What other poor password practices have you seen?  What tips can you suggest to make your own, or your organization's, site more protective of people's passwords?

No comments:

Post a Comment