I'm bored with the brute force attack prevention argument. Why not just help your users out by throttling requests after N attempts?
With throttling, "strong" password requirements (non-alpha, etc.) serve only to force users not to pick passwords obvious to someone who might know them (wife's name, etc.). That and avoiding the "letmein" cases, I guess.
I was thinking about limiting the number of password attempts per time interval by user -- not the total number of attempts at any user's password per interval. Does that fix the DOS concern?
In the RockYou case, a botnet could try 32M * # allowed/day given that it had a user list.
With a large user list, some people will have really terrible passwords. So my guess would be by trying random week passwords to random accounts you could compromise a few hundred accounts in the first day. With diminishing returns over time.
So, the user list would have to be available/harvestable? I guess this is an argument for having separate login Ids and published usernames. So, one couldn't just spider a site to create a user list.
Even if it doesn't solve the problem, seems like it would help. In this case, a user would need to have a "very weak" password to be compromised. "Somewhat weak" passwords would be fine.
Also, after 100 or so attempts to login, I would thinking locking the user out would be fine (at least in many systems).
As long as there's a reasonable way to unlock a user. For a free consumer site, it can't require human interaction. "Email me a new password" seems reasonable for most cases.
I have a common four character name as login with Apple’s developer connection.
I regularly get locked out (and have to request a new password) presumably because other users try to login to my account (not remembering their real login).
This scheme sucks! Perhaps a better scheme would be to ban the IP for 10 minutes after half a dozen failed logins.
It makes it easy for someone to launch a denial-of-login attack, just set a script to log in with n random passwords, then the user won't be able to log in. With a rate limit, once the attack is over or blocked, the user can log in. With a ban after n, they would have to manually reset their password after each attack, which could be set to happen eg once an hour.
Not that I've ever knowingly heard of someone getting attacked in such a way.
A recent NY Times article[1] talked about just this. On auction sites like ebay, competitors can lock that accounts of those they're bidding against in order to win auctions.
Employees using the same passwords on Facebook that they use in the workplace bring the possibility of compromising enterprise systems with insecure passwords
I think we're approaching this the wrong way. Expecting people to have a large number of passwords is unrealistic, especially if they have accounts they don't log into frequently (e.g. bank accounts).
I'm not sure what the right solution is, but constantly telling users to have different passwords isn't going to work. We need another way to identify people online.
I try to encourage people to have at a minimum a strong password for applications that need security (like online banking) and a second throwaway password for garden variety site registration.
One way to marginally improve the common password strength is to at least add the name or the URL of site to it. So if the password is 123456 then the hackernews password might be 123456news.ycombinator.com.
While I am sure many people have weak passwords, I am not convinced that the RockYou passwords are exactly a microcosm of the current state of password strength.
RockYou always seemed somewhat scammy, so I would say it's possible many people merely used generic passwords out of fear of RockYou someday exploiting them.
If you use Firefox to store your passwords, and would like to analyze how often you reuse passwords, I encourage you to join the Test Pilot program [0]. The current study is looking at reuse of passwords. It doesn't collect your passwords, just counts how many sites you use your top few passwords on. The plugin lets you see all the data before sending it to Mozilla, so you can just look at the analysis without sending it if you want. (but it would be very helpful if you would send your data in.)
I think we also need to rethink password rules, especially restrictive ones:
- Cannot use special characters
- Cannot use character, other than number (may only use numbers)
- 5th character must be a !
- 5th character cannot be a !
This kind of crap makes me immediately not want to use a service / look for another job.
21 comments
[ 4.7 ms ] story [ 54.7 ms ] threadWith throttling, "strong" password requirements (non-alpha, etc.) serve only to force users not to pick passwords obvious to someone who might know them (wife's name, etc.). That and avoiding the "letmein" cases, I guess.
In the RockYou case, a botnet could try 32M * # allowed/day given that it had a user list.
Also, after 100 or so attempts to login, I would thinking locking the user out would be fine (at least in many systems).
Edit: However, a useful option is to force people to use a captia after a few bad atempts.
I regularly get locked out (and have to request a new password) presumably because other users try to login to my account (not remembering their real login).
This scheme sucks! Perhaps a better scheme would be to ban the IP for 10 minutes after half a dozen failed logins.
Not that I've ever knowingly heard of someone getting attacked in such a way.
1. http://www.nytimes.com/2010/01/21/technology/21password.html
I think we're approaching this the wrong way. Expecting people to have a large number of passwords is unrealistic, especially if they have accounts they don't log into frequently (e.g. bank accounts).
I'm not sure what the right solution is, but constantly telling users to have different passwords isn't going to work. We need another way to identify people online.
For passwords I use less often I've written them on a piece of paper somewhere in my house, which I feel is pretty safe.
RockYou always seemed somewhat scammy, so I would say it's possible many people merely used generic passwords out of fear of RockYou someday exploiting them.
[0] https://mozillalabs.com/testpilot/
- Cannot use special characters - Cannot use character, other than number (may only use numbers) - 5th character must be a ! - 5th character cannot be a !
This kind of crap makes me immediately not want to use a service / look for another job.