Intelligent Machines

Passwords that are Simple--and Safe

A new approach does away with the need for long strings of letters and numbers.

Researchers at Microsoft have come up with a way to create easy-to-remember passwords without making a system more vulnerable to hackers.

Instead of enforcing complex passwords, as many organizations do, the new scheme makes sure that no more than a few users can have the same password, which has a similar overall effect on security. Further research from Microsoft also reveals why only some organizations insist on very complex passwords.

This story is part of our July/August 2010 Issue

Increasingly complex password requirements–rules like “passwords must be 14 characters long and contain at least two uppercase letters, two lowercase letters, and three symbols”–make it difficult for attackers to guess passwords using a so-called “dictionary attack,” which involves trying many possible passwords in succession.

Without such restrictions, people tend to pick passwords that are easy to remember, easy to type–and easy to guess. For example, when 32 million passwords from the social media website RockYou were inadvertently released last December, nearly half were found to be “trivial passwords” such as consecutive digits, dictionary words, or common names, according to an analysis last January by the Web security firm Imperva.

Requiring that passwords include numbers, symbols, and mixed cases significantly increases the number of possible passwords. With such rules, a dictionary attack becomes infeasible, but passwords also become harder to remember.

One way that system designers try to defeat dictionary attacks is by temporarily disabling an account when a wrong password is submitted more than a few times. This is called account lock-out, and not surprisingly, attackers have discovered a simple way to defeat the approach. Instead of guessing thousands or millions of passwords for a single account, attackers simply guess the most commonly used passwords for thousands, or even millions, of different accounts.

The new scheme from Microsoft Research does away with complexity requirements entirely while protecting against both dictionary attacks and statistical guessing. The service simply counts how many times any user on the service chooses a given password. When more than a small number of users pick a password, the password is banned and no one else is allowed to choose it. The scheme can only be used by organizations with millions of users–websites like Microsoft’s Hotmail, for instance.
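The two passages above describe the problem (per-account lockout does nothing against an attacker who spreads guesses of a few popular passwords across many accounts) and the remedy (cap how many accounts may share any one password). The sketch below is an added illustration written for this article, not code from the paper or from Microsoft. It assumes a count-min sketch as the counting structure, a keyed hash so the stored counters do not double as a list of popular passwords, and a constructed cap of three accounts per password; the real system's parameters are not given on this page.

```python
import hashlib

# Constructed parameters: the page gives no real values.
THRESHOLD = 3       # a password is banned once this many accounts already use it
WIDTH = 1 << 16     # counters per hash row
DEPTH = 4           # independent hash rows (min over rows is the estimate)
SECRET = b"constructed-server-side-key"  # keeps the sketch from being a password dictionary


class PopularityOracle:
    """Approximate 'how many accounts chose this password?' without storing passwords.

    A count-min sketch only ever over-estimates, so a popular password is
    never let through by mistake; the cost is an occasional false rejection
    of a rare password whose hash slots happen to collide with popular ones.
    """

    def __init__(self, width=WIDTH, depth=DEPTH, threshold=THRESHOLD, secret=SECRET):
        self.width, self.depth, self.threshold, self.secret = width, depth, threshold, secret
        self.rows = [[0] * width for _ in range(depth)]

    def _slots(self, password: str):
        # One keyed hash per row; the row index is mixed in via blake2b's salt.
        for row in range(self.depth):
            digest = hashlib.blake2b(
                password.encode("utf-8"),
                key=self.secret,
                salt=row.to_bytes(16, "little"),
                digest_size=8,
            ).digest()
            yield row, int.from_bytes(digest, "little") % self.width

    def estimate(self, password: str) -> int:
        """Upper bound on the number of accounts currently using `password`."""
        return min(self.rows[row][col] for row, col in self._slots(password))

    def is_allowed(self, password: str) -> bool:
        return self.estimate(password) < self.threshold

    def register(self, password: str) -> bool:
        """Record a new account's password choice; False means 'too popular, pick another'."""
        if not self.is_allowed(password):
            return False
        for row, col in self._slots(password):
            self.rows[row][col] += 1
        return True


def process_signups(choices, oracle=None):
    """Run a stream of sign-up password choices through one oracle.

    Returns a list of (password, accepted) in input order.
    """
    oracle = oracle or PopularityOracle()
    return [(pw, oracle.register(pw)) for pw in choices]


if __name__ == "__main__":
    # Constructed sample: four accounts in a row try the same weak password.
    sample = ["123456", "123456", "123456", "123456", "tr0ub4dor&3", "123456"]
    for pw, ok in process_signups(sample):
        print(f"{pw!r:16} {'accepted' if ok else 'rejected: too popular'}")
```

With the cap at three, the fourth and any later attempt to pick `123456` is refused, so the most an attacker can hope to gain by trying that string against every account is three of them, whereas a complexity rule would have rejected `123456` outright but allowed many accounts to converge on some other compliant favourite. Because only keyed counters are stored, a dump of the sketch does not hand over a ranked list of the site's most common passwords.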

The approach is described in a paper written by Microsoft researchers Stuart Schechter and Cormac Herley, due to be published at the Hot Topics in Security conference in Washington, DC, in August. Michael Mitzenmacher at Harvard University is also a coauthor of the paper.

“Replacing password creation rules with popularity limitations has the potential to increase both security and usability,” the authors write. “Since no passwords are allowed to become too common, attackers are deprived of the popular passwords they require to compromise a significant fraction of accounts using online guessing.”

However, Herley says, there are no plans to implement the new scheme in any Microsoft products yet. “We can’t speculate on Microsoft product plans,” he says. “Right now we’re just putting it out there to get feedback from the security research community.”

Over the past few years, researchers in the emerging field of “usable security” have taken a hard look at many information security practices and found many of them lacking. For example, many computer systems will lock out accounts if a user mistypes his password three times in a row. But seven years ago, Sascha Brostoff and Angela Sasse, two researchers from University College London in the United Kingdom, showed that increasing that number from three to 10 dramatically reduces the number of legitimate users that are locked out while having only negligible impact on a system’s overall security.

Last week, more than 200 computer security researchers from around the world met in Redmond, WA, at the annual Symposium on Usable Privacy and Security to discuss approaches for making computers simultaneously more secure and more usable.

Another study by Microsoft researchers, presented at the symposium, explains why only some organizations have overly complicated passwords. The study examined password policies at 75 different websites, including the 20 top-ranked sites on the Internet, and websites belonging to banks, large universities, and U.S. government agencies. Microsoft researchers Dinei Florencio and Cormac Herley found no correlation between the value of a consumer’s account, the number of attacks that the website suffered, and the complexity of the passwords that the website operators forced on their users.

According to the study, websites where users have a choice between multiple providers–sites for banks and investment firms, for example–generally have relatively simple password requirements. These sites protect their users’ assets through anti-fraud techniques, and the companies don’t want to make it too difficult for their customers to log in.

Florencio and Herley found that the sites that had the most stringent password requirements were those where the users generally had no ability to shop around–sites like the U.S. Social Security Administration, the National Weather Service, and the webmail systems for several large universities. For these systems, the organizations have no monetary incentive to balance usability with security, or to find some other way of protecting user accounts.

“Most organizations have security professionals who demand stronger policies, but only some have usability imperatives strong enough to push back,” the authors add. “When the voices that advocate for usability are absent or weak, security measures become needlessly restrictive.”

Simson Garfinkel served on the program committee of the 2010 Symposium on Usable Privacy and Security.
