Agility Loop

President Skroob: [enters after the interrogation of King Roland] Well? Did it work? Where's the king? Dark Helmet: It worked, sir. We have the combination. President Skroob: Great. Now we can take every last breath of fresh air from planet Druidia. What's the combination? Dark Helmet: 1 2 3 4 5. President Skroob: 1 2 3 4 5? That's amazing! I've got the same combination on my luggage! Prepare Spaceball 1 for immediate departure! Dark Helmet: Yes, sir! President Skroob: And change the combination on my luggage!

It may seem like a juvenile comparison, but the above is actually not too far off when it comes to the passwords people use.  Almost a month ago, a security firm called iMPERVA analyzed the passwords of the 32 million accounts that were exposed in a recent hack of the RockYou service (full report in this pdf).  As Ars Technica highlights, the results were not pretty.

…about a third are less than six characters, and half are vulnerable to dictionary attacks. The most common password was 123456, and it was followed by 12345, 123456789, and Password. iMPERVA estimates that someone with a slow DSL connection could access one account a second using a dictionary attack.

To exacerbate the problem, it appeared that RockYou was pretty amateurish in their approach to security.  So not only were the passwords weak, it was just as easy to expose the entire password database.  In other words, many sites either don't care, or don't care to spend money, on making sure you are secure. So what constitutes a strong password?  There is plenty of guidance out there.  The report quotes NASA Recommendations, which are fairly consistent with other recommendations.  These are probably the same recommendations some of you deal with at work.

1. The password should be at least eight characters
2. It should contain a mix of four different types of characters – upper case letters, lower case letters, numbers, and special characters such as !@#$%^&*.
3. It should not be a name, a slang word, or any word in the dictionary. It should not include any part of your name or your e-mail address.

The report goes further by recommending you use different strong passwords for each site you visit.  Although this sounds great from a security perspecitive, it is also unrealistic. Typically my approach is to use a similar password (with slightly different combinations of case and special characters) for sites that I consider throw away.  Yes, they may have some of privacy information, but nothing too damaging.  Think WashingtonPost.com or Slate.  HOWEVER, for important sites like banking and email, I do use a different unique password.  These sites are simply too important if they are compromised.  One technique is to use a sentence to create a password such as “This little piggy went to market” might become "tlpWENT2m".  That nine-character password won't be in anyone's dictionary.” And of course you need a strong password for Facebook to prevent Statusjacking. Of course then you have to remember all the different passwords.  There are some apps out there that actually do help with this.  I am going to take some time this week to take a look at solutions that will work on my PC and my Droid. The real solution is to get rid of passwords completely and adopt stronger forms of authentication.  I blogged about awhile ago, that will only really happen until it becomes prohibitively expensive and painful for banks, credit card companies, etc to support just passwords.

I actually used Wordpress's "Tag Surfer" feature for the first time today, and stumbled upon a post on Identity Blogger.   In his post, Jeff Bohren discusses the challenge of getting users to adopt passwords.  He also references a post by Mark Dixon on the same topic. I think both articles make good points...intellectually it makes a TON of sense to get rid of passwords.  Mark actually makes an interesting point that passwords are like seatbelts.

It was ease of use, not a technology-driven obsession with safety,  that led to wide adoption of the seat belt.

What I do not agree with is why seat belts were adopted.  I don't think it is just because seat belts are easy to use and they make us safer.  A lot of the reason that I think a lot of people started to use seat belts is it because it became law.  States started mandating seat belt use in 1984, and very quickly the states all fell in line and start adopting it.  So instead of choosing to use seat belts, people were required to use seat belts or they broke the law.  A fortunate side effect to making this a law is that now for generations that drive after this law was enacted (like my own), wearing seat belts is second nature. I believe that a similar kind of action is going to be needed for web applications and enterprises to get off passwords.  However, it may not be the Government that actually steps in to mandate this...at least not directly.  As it stands now, banks and credit card companies have the ability to write off fraud when accounts are stolen.  So the cost is really passed on...they aren't really paying the $40 billion plus in fraud every year.  But what would happen if banks and credit card companies were limited in how much fraud they could actually write off?  I think that all of a sudden you would see a HUGE uptake in the use of improved identity technologies and the discontinued use of passwords.  Users would be forced to stop using passwords b/c the banks and credit cards would be financially dis-incentivized to support them any longer.  Of course the financial institutions would still find a way to pass the costs onto the consumer or the government... A quick and dirty case study for you.  DoD has been issuing smart cards to their population of 4+ million for years.  The primary use for a long time was secure email.  It wasn't until it was mandated by DoD that the cards be used for log on to networks and applications that passwords finally started going away.  Sure it was painful, but the networks are now more secure b/c of it. In my experience, people don't necessarily change b/c it is good for them or b/c it is easy.  They do it b/c there is a dis-incentive to continue the status quo.

Today in GCN, there is an article entitled Industry group gives government a failing grade in e-mail authentication -- Government Computer News.  The main thrust of the article is detailing how most Government domains do not support any type of email domain authentication such as Sender ID or DomainKeys.

E-mail authentication technology, usually transparent to the end user, lets servers verify that e-mail traffic is indeed coming from the domain or sender that it purports to be from, and that the sender is authorized to use that domain. The OTA study showed that only 11 of 25 government domains examined use such authentication. A similar study of top commercial sites showed that the private sector is doing a little better, with 55 percent using some form of e-mail authentication.

To be fair, the private sector isn't doing so great either at 55%. What I find particularly ironic is that much of the government is ahead on PKI and other security technologies.  It seems like this would be a pretty easy solution to combat spam and phishing attacks.  I know in the past we have discuss using simple SMTP over SSL.  This would at least buy security of SMTP mail transfer, and authentication of domains (although it would be difficult to use with external email domains).  However, technology like DomainKeys (which Yahoo uses) is a more versatile solution than SMTP over SSL.  Hell it's even open source, so costs COULD be minimal.