Make your password strong, with a unique jumble of letters, numbers and punctuation marks, but memorize it — never write it down and, oh yes, change it every few months.
These instructions are supposed to protect us, but they don’t.
Some computer security experts are advancing the heretical thought that passwords might not need to be “strong,” or changed constantly. They say onerous requirements for passwords have given us a false sense of protection against potential attacks. In fact, they say, we aren’t paying enough attention to more potent threats.
Here’s one threat to keep you awake at night — keylogging software. It is deposited on a PC by a virus, records all the keystrokes — including the strongest passwords you can concoct — and then sends the data surreptitiously to a remote location.
“Keeping a keylogger off your machine is about a trillion times more important than the strength of any one of your passwords,” says Cormac Herley, a principal researcher at Microsoft Research who specializes in security-related topics.
He said antivirus software could detect and block many kinds of keyloggers, but “there’s no guarantee that it gets everything.”
After investigating password requirements in a variety of settings, Herley is critical not of users, but of system administrators who aren’t paying enough attention to the inconvenience of making people comply with arcane rules.
“It is not users who need to be better educated on the risks of various attacks, but the security community,” he said at a meeting of security professionals, the New Security Paradigms Workshop, at Queen’s College in Oxford, England. “Security advice simply offers a bad cost-benefit trade-off to users.”
One might guess that heavily trafficked Web sites — especially those that provide access to users’ financial information — would have requirements for strong passwords, but it turns out that password policies of many such sites are among the most relaxed.
These sites don’t publicly discuss security breaches, but Herley said it “isn’t plausible” that these sites would use such policies if their users weren’t adequately protected from attacks by those who do not know the password.
Herley, working with Dinei Florencio, also at Microsoft Research, looked at the password policies of 75 Web sites. At the Symposium on Usable Privacy and Security, held in July in Redmond, Washington, they reported that the sites that allowed relatively weak passwords were busy commercial destinations, including PayPal, Amazon.com and Fidelity Investments. The sites that insisted on very complex passwords were mostly government and university sites.
What accounts for the difference?
They suggest that “when the voices that advocate for usability are absent or weak, security measures become needlessly restrictive.”
Donald Norman, one of the cofounders of the Nielsen Norman Group, a design consulting firm in Fremont, California, makes a similar case.
In “When Security Gets in the Way”, an essay published last year in Interactions, he noted the password rules of Northwestern University, where he then taught. It was a daunting list of 15 requirements. He said unreasonable rules can end up rendering a system less secure — users end up writing down passwords and storing them in places that can be readily discovered.
“These requirements keep out the good guys without deterring the bad guys,” he said.
Northwestern has reduced its password requirements to eight, but they still constitute a challenging maze. For example, the password can’t have more than four sequential characters from the previous seven passwords and a new password is required every 120 days.
By contrast, Amazon.com has only one requirement — that the password be at least six characters. That’s it, and you can hold on to it as long as you like.
A short password wouldn’t work well if an attacker could try every possible combination in quick succession, but as Herley and Florencio note, commercial sites can block “brute-force attacks” by locking an account after a given number of failed log-in attempts.
“If an account is locked for 24 hours after three unsuccessful attempts, a six-digit PIN can withstand 100 years of sustained attack,” they wrote.
Roger Safian, a senior data security analyst at Northwestern University, says that unlike Amazon, the university is unfortunately vulnerable to brute-force attacks in that it doesn’t lock out accounts after failed log-ins. The reason, he says, is that anyone could use a lockout policy to try logging in to a victim’s account, “knowing that you won’t succeed, but also knowing that the victim won’t be able to use the account, either.”
(Such thoughts may occur to a student facing an unwelcome exam, who could block a professor from preparations.)
Very short passwords, taken directly from the dictionary, would be permitted in a password system that Herley and Stuart Schechter at Microsoft Research developed with Michael Mitzenmacher at Harvard University.
At the Usenix Workshop on Hot Topics in Security conference, held last month in Washington, the three suggested that Web sites with tens or hundreds of millions of users could let users choose any password they liked —as long as only a tiny percentage selected the same one. That would render a list of most often used passwords useless by limiting a single password to, say, 100 users among 10 million, the odds of an attacker getting lucky on one attempt per account are astronomically long, Herley explained in a conversation last month.
Herley said the proposed system hadn’t been tested and that users might become frustrated in trying to select a password that was no longer available, but he said he believed an anything-is-permitted password system would be welcomed by users sick of being told: “Eat your broccoli, a strong password is good for security.”
Randall Stross is an author based in Silicon Valley, California, and a professor of business at San Jose State University.
Japanese Prime Minister Fumio Kishida on Thursday last week met with Chinese President Xi Jinping (習近平) at an APEC summit in Thailand. The meeting made front-page news in Japan the following day. Three years ago, when then-Japanese prime minister Shinzo Abe visited Beijing to meet with Xi, no one questioned Abe’s attitude toward China, as the conservative parties in Japan had been spearheaded by Abe. However, Kishida could easily be labeled as pro-China, as he hails from Hiroshima — a place known for its anti-war, anti-nuclear movements — and was once the director of the Japan-China Friendship Association of Hiroshima.
It is quite the irony when former British prime minister Boris Johnson — a buffoon who for far too long was taken seriously — is branded a buffoon for saying something deadly serious. Following Johnson’s withering criticism of China at a business forum in Singapore on Wednesday last week, the event’s organizer, Michael Bloomberg, apologized to attendees, saying that Johnson was “trying to be amusing rather than informative and serious.” However, Johnson’s characterization of China as a “coercive autocracy” that had showed “a candid disregard for the rule of international law” was spot-on. His comments evoked the wisdom of the Austrian-British philosopher
Although the share price of Taiwan Semiconductor Manufacturing Co (TSMC) has fallen significantly amid concerns over worldwide inflation, US billionaire investor Warren Buffett’s Berkshire Hathaway spent a massive US$4.1 billion on the chipmaker’s American depositary receipts. Reporting on Buffett’s investment in TSMC, some Chinese-language media outlets have said that it would give the Taiwanese economy a shot in the arm. Although TSMC has planted its flag in various countries around the world, Taiwan is still its most important base. The US invited TSMC to set up a plant in Arizona, because it was worried that its source of cutting-edge chips would
As campaign fever for tomorrow’s local elections turns white hot, supporters of the Democratic Progressive Party (DPP) and the Chinese Nationalist Party (KMT) have been going head to head on social media. The latest row was triggered by a Facebook post on Nov. 13 by songwriter and KMT supporter Liu Chia-chang (劉家昌), who rebuked United Microelectronics Corp founder Robert Tsao (曹興誠) for advocating independence. “Although you regained your ROC [Republic of China] citizenship after returning from Singapore, you continue to help the green independents by guarding their flank,” Liu wrote, adding that it was an “insult to the nation.” “When [KMT