Over the past few months there has been significant discussion about what makes a password secure (relevant xkcd comic that you’ve probably seen already). One factor that’s often overlooked is the fact that people tend to use the same password across different sites. This is perhaps a more serious problem than the cryptographic strength of a password itself. Why?
Imagine that your passphrase is “steward fan catholic impersonator.” You feel confident that it would be hard to guess it through brute force. You use it for Paypal, Facebook, … and also for somecrappysite.com. Now, one fine day somecrappysite.com gets hacked. The next time you visit, the web page has malicious code that sends your password in plaintext to someone. There go your Paypal funds, your Facebook account, your online life.
It doesn’t matter how hard we try to educate people to not reuse passwords. It’s the path of least resistance for most people, so they (we) will continue doing it. How do we solve this problem?
One possibility would be to enforce it from the browser. Google could make Chrome remember one-way hashes of passwords you’ve used. When you try to use “steward fan catholic impersonator” for the second time, Chrome would recognize the hash and tell you “sorry Dave, I can’t let you do that. You’re already using that password somewhere else.”
Of course, we can’t wait for Google to implement this. On your own site, you could do the following:
- When a user is signing up, generate a random string.
- Tell the user: your password must contain the following word: “hzru”
Obviously this is not perfect: the user could start using this password (say it’s IHateHaving_hzru_InMyPassword) for other sites. But if enough sites had a similar policy, the risk of reuse would decrease.
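Both ideas above in working form, as an added example that is not code from the post: a browser-side store of one-way digests of passwords already in use (the "Chrome remembers hashes" idea) and a server-side signup policy that assigns each account a random word and refuses passwords that do not contain it. Assumptions of mine, not from the post: the browser digest is an HMAC under a secret kept only in the browser profile (so a copied digest store cannot be brute-forced offline), the site stores the resulting password as a salted PBKDF2 hash, and the `register`/`verify` names, sample origins and sample passwords are constructed.

```python
import hashlib
import hmac
import secrets
import string


class PasswordReuseDetector:
    """Browser-side reuse check: keep a one-way digest of every password the
    user has submitted, with the origins it was used on, and report when the
    same password is about to be used on a new origin.

    Assumption (not from the post): the digest is an HMAC under a secret kept
    only in the browser profile, so someone who copies the digest store but
    not the key cannot brute-force the passwords from it offline."""

    def __init__(self, browser_secret: bytes):
        self._key = browser_secret
        self._origins_by_digest = {}  # digest -> set of origins using it

    def _digest(self, password: str) -> str:
        return hmac.new(self._key, password.encode("utf-8"), hashlib.sha256).hexdigest()

    def remember(self, origin: str, password: str) -> None:
        """Record that `password` is now in use on `origin`."""
        self._origins_by_digest.setdefault(self._digest(password), set()).add(origin)

    def reused_on(self, origin: str, password: str) -> set:
        """Origins other than `origin` that already use this password; an empty
        set means the browser would let the user proceed."""
        return self._origins_by_digest.get(self._digest(password), set()) - {origin}


# Server side: the random word the site tells the user to work into the password.
TOKEN_ALPHABET = string.ascii_lowercase
TOKEN_LENGTH = 4  # matches the four-letter example "hzru" in the post


def generate_required_token(length: int = TOKEN_LENGTH) -> str:
    return "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(length))


def password_contains_token(password: str, token: str) -> bool:
    return token in password


def register(password: str, token: str) -> dict:
    """Signup: enforce the token policy, then store only a salted PBKDF2 hash
    of the password (the storage scheme is an assumption; the post only states
    the policy). The token is kept so the site can remind the user of it."""
    if not password_contains_token(password, token):
        raise ValueError("password must contain the assigned word %r" % token)
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return {"token": token, "salt": salt, "digest": digest}


def verify(record: dict, password: str) -> bool:
    """Login: recompute the hash and compare it in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), record["salt"], 200_000)
    return hmac.compare_digest(record["digest"], candidate)


if __name__ == "__main__":
    # Constructed walk-through of the scenario in the post.
    browser = PasswordReuseDetector(b"constructed-browser-local-secret")
    browser.remember("paypal.com", "steward fan catholic impersonator")
    browser.remember("facebook.com", "steward fan catholic impersonator")
    print(browser.reused_on("somecrappysite.com", "steward fan catholic impersonator"))

    token = generate_required_token()
    record = register("IHateHaving_%s_InMyPassword" % token, token)
    print(token, verify(record, "IHateHaving_%s_InMyPassword" % token))
```

The keyed digest is the one design point worth noting: a plain unsalted hash would let anyone who obtains the browser's store run a dictionary attack against every password the user has ever typed, which is exactly the exposure the feature is meant to reduce. The server-side check is deliberately only a containment test, as the post describes; it does not stop the user from reusing the token-bearing password elsewhere.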
This post was inspired by the fact that an acquaintance of mine woke up to an empty Paypal account today, and he has no idea how it happened. To be fair, I don’t know if he shared the password with other sites, but this must certainly happen every day to some people who do. Nobody should have to freak out because a password leak at a site they rarely use could cause them financial harm.
Do you have better ideas? Let’s hear them.
Edit: Few people seem to be getting the point of this post. Of course you could use a password manager. However, most people won’t unless they are forced to. How to enforce something like that for the masses is the point of this post.
Better idea: upon registration, generate a long key.
0..9, a..Z, some special characters, no spaces, no invisible chars, no unicode
about 1KiB long.
User copy pastes it or saves it as a binary file in his/her computer or the ‘cloud’.
Application saves hash of said key, let’s say SHA512.
Authentication is possible via sending the whole file via some encrypted end to end way. Preferably not copy pasting, too easy to eavesdrop.
And there you go, 1KiB of so many possible characters is more secure than any combination of username/email/password you can get. Problem solved. Next.
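The key-file scheme from this comment carried through, as an added example that is not the commenter's code: a 1 KiB key drawn from a printable ASCII alphabet (digits, letters and a constructed subset of punctuation, with no spaces, control or non-ASCII characters), a SHA-512 digest as the only thing the application stores, and a constant-time check of a presented key file. The entropy helper and the particular punctuation set are my additions.

```python
import hashlib
import hmac
import math
import secrets
import string

# Constructed alphabet: 0-9, a-z, A-Z plus a handful of ASCII punctuation,
# no spaces, no control characters, no non-ASCII (76 symbols in total).
KEY_ALPHABET = string.digits + string.ascii_letters + "!#$%&*+-=?@^_~"
KEY_LENGTH = 1024  # "about 1KiB long"


def generate_key(length: int = KEY_LENGTH, alphabet: str = KEY_ALPHABET) -> str:
    """Uniformly random key the user keeps as a file; uses the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def key_entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy in a uniformly random string of this length and alphabet."""
    return length * math.log2(alphabet_size)


def store_key(key: str) -> str:
    """What the application persists: only the SHA-512 of the key, as hex."""
    return hashlib.sha512(key.encode("ascii")).hexdigest()


def verify_key(stored_hex: str, presented: bytes) -> bool:
    """Authentication: hash the uploaded key file and compare in constant time."""
    candidate = hashlib.sha512(presented).hexdigest()
    return hmac.compare_digest(stored_hex, candidate)


if __name__ == "__main__":
    key = generate_key()
    record = store_key(key)
    print("entropy bits:", round(key_entropy_bits(KEY_LENGTH, len(KEY_ALPHABET))))
    print("accepts own key:", verify_key(record, key.encode("ascii")))
```

A single fast SHA-512 is defensible here only because the key is uniformly random and far beyond brute-force reach (over 6000 bits with this alphabet); the same choice would be wrong for a human-chosen password, which needs a slow, salted hash. The residual risk in this design is the key file itself: wherever it is stored and however it is transmitted, whoever can read it can log in.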
My password manager stores passwords for ~150 sites. Of these, only four are valuable enough to remember a password (gmail, github, amazon, facebook – my bank uses a physical keygen, no passwords there).
For the other 98 percent of sites it would be perfectly ok to have a password of 12345 or no password at all if only they’d let me. I don’t want these accounts, the site owners wanted me to make them.
In most of these sites I log in rarely, and if chrome doesn’t remember the password, then the log-in process consists of clicking the ‘forgot username’ link, then clicking on the ‘forgot password’ link in the email, and logging in from whatever they send.
Usability already sucks. What is needed is a simpler way to use them – requiring a different password is a step in the completely opposite direction.
More worryingly, it’s not just somecrappysite.com (well, arguably, it is from a security POV) – it can be trusted or at least very large brands such as LinkedIn, Gawker, Nintendo, etc.
I like this idea, but giving people 4 random characters for every single site they use will mean that even moderate internet users will need to remember, say, 25 websites * 4 characters = 100 characters, but not just the characters themselves but their order and which sites they relate to. This may be fine for the frequently used sites, but what about passwords for shopping websites you only use twice a year?
I see two further solutions that are easily implementable with today’s technology (and in fact are in relatively common usage): password managers with random password generation (cons: all your eggs in one basket, synchronisation insecurity, logging in from untrusted places, etc) and Multi-Factor Authentication (cons: extra step to log in, need something physical with you, delay logging in, what if MFA is stolen -> can’t access anything?, etc).
This is a very challenging problem and there does not appear to be a “magic bullet.”
Even easier (for users): when you try to register, it takes your email/password and automatically tries to authenticate on Facebook, Twitter, Paypal, Ebay, and Google, and if any of those works, your registration is rejected.
That would probably ruffle a lot of feathers, though, even if your server doesn’t actually log in, and even though it only works because you’re giving away your own insecure password.
As developers I don’t think we can solve this problem. We have no control over any websites but those we build, so any system is limited by the number of sites that opt into it. A single password-API-like service won’t be popular either, it’s a single point of failure.
We have to expect more from users, and we have to educate them. Some won’t listen, and they will reap what they sow. I’m sorry, but it’s true.
The best solution I can think of is offering some advice and then offloading this problem onto the user. For example, have, above the password field, a big box saying:
Important Notice about your Password:
Your password should not be the same as a password you have used on any other site. We suggest as an example: some sort of system whereby you work 3 letters of the website domain name into each password, making it easy to remember and ensuring that passwords are different for different sites.
This is important because, if you use the same username/password combination on another site, and they get hacked, the hackers might try using that combination on this website, or your facebook account, or paypal.
Wishful Thinking?
I’m not hoping for miracles from users, but I like to think that the more people are born into a world of computers, the more comfortable they will be with it and that the current security problems are just the result of a generation of people who don’t get computers.
Oh man… no way do I want someone forcing me to use their random letters in my password. The disparity of symbol usage is bad enough. If people are stupid enough to not come up with their own algorithmic approach, I say feed ’em to the wolves.
I use a simple approach:
Example, to log in to Gmail: ilikecats*gmail.com
Edit:
I use a simple approach: password+special_char+domain
Example, to log in to Gmail: ilikecats*gmail.com
Forcing a user to use a fixed string is about as smart as trying to limit password length. How about having automatically generated passwords instead of a user-set password. Generate a password that the user can print, and then use that. You could use a program like LastPass to remember the password, as well. Remember, most users do not want to use long complicated passwords, so trying to enforce such a policy may also kill any hope of registration. Also, for anyone posting how they make their passwords, change your passwords, you just gave away any security you had.