09 October 2009

A heretical thought experiment: do strong passwords still matter?

Phishing is growing as an important mechanism for stealing passwords. Is phishing the leading way that criminals are gathering credentials? If so, does this mean using ever-stronger passwords doesn't confer the protection that it once did?

Acutenix performed a great statistical analysis of a small number (9843) of passwords that were phished and released on the Internet. Some reports about this analysis, such as this one from Elinor Mills's InSecurity Complex at cnet [edit: I had the wrong name for her column initially] have focused on how weak many of the passwords were -- one-character passwords, all lower-case dictionary words, etc. Weak passwords are easy to guess through automated mechanisms, which can rapidly focus in on the correct password if it's not well constructed.

What I noticed was at the other end of the strength curve. There were some relatively strong passwords on the list -- 565 (6%) passwords were composed of alpha + numeric + other characters, and there was even one 30-character password. Here's what struck me: strong passwords did not protect these users from having their passwords stolen. These passwords were successfully phished and released, even though they followed standard security guidance on construction.

Consider that strong passwords carry their own risks based in psychology. Strong passwords can be hard to remember -- resulting in password re-use; forgotten passwords requiring intervention (creating a weak link in the security process); and writing passwords on sticky-notes for anyone walking by to see.

I'm not suggesting that we abandon the teaching of creating strong passwords. Strong passwords are still an element of layered security or defense-in-depth. If you're going to use a password, make it strong. But if strong passwords don't provide any protection against an important new vector, what do we do about that vector? Is this just another piece of evidence that we need to be (finally) moving beyond passwords?

Think of it this way: in a world where everyone uses keys to lock doors, criminals will get better and better at picking locks. Correspondingly, locksmiths will make locks that are more complex and harder to pick. This will continue to escalate in arms-race fashion. But if a rash of criminals find they can just bust the doors down and do so in ever-increasing numbers, isn't it time to consider if we need something else in addition to the locks?

The answer to these questions might be found empirically. Thought experiment: an we numerically calculate the relative risks of weak passwords vs. phishing, based on actual evidence from the field.  Work for another day.