Security

Like Passwords for Chocolate, coming soon to a security theater near you

Is your password worth more to you than a bar of chocolate? Why not?

The biggest problem with password security today is not that passwords are too long and too hard to remember. In fact, How to get people to use strong passwords explains how we can neatly defuse that little issue. It is not that password policies are often abysmally bad, as in the case described in How does bad password policy like this even happen?, though that definitely is a problem. It is not even the way bad security advice masquerades as common sense for people who lack an understanding of how to solve both of those issues, a growing epidemic identified in Don't be fooled by the argument against unique passwords.

The biggest problem with password security today is simple:

Nobody cares.

Do you know why your IT department personnel have to wander around the offices once a month or so and check for sticky notes on monitors or pencil marks under keyboards to ensure people aren't writing down their passwords? I do: it is because your employees are not invested in the security of their workstations enough to care.

Do you know why your friend insists on using the name of his cat as a password for everything he does online, including his bank? I do: it is because he does not feel the danger of a security compromise with enough immediacy to care.

A perfect example of how people feel about their passwords is a BBC News article from 2004, Passwords revealed by sweet deal. It is especially telling given that people have it drilled into their heads that the computers they use at work (and thus the passwords that unlock those machines each morning) are not theirs, and neither is any of the data they process. The article tells us:

More than 70% of people would reveal their computer password in exchange for a bar of chocolate, a survey has found.

Of course, any security expert worth his salt should immediately stumble onto the obvious question -- and Bruce Schneier did when he commented on it three years ago:

I haven't seen any indication they actually verified that the passwords are real. I would certainly give up a fake password for a bar of chocolate.

If I have to go with my gut, though, I would say that probably at least fifty percent of people would give up real passwords without even thinking of trading a fake password for the chocolate bar. If they thought of it, they would probably just dismiss the idea, afraid they would be caught giving up a fake password.

Consider that notion, for a moment. How chilling is your realization of the state of security when you consider the idea that people are so socially programmed to accede to others' wishes that they are afraid to get caught giving up a fake password in exchange for a bar of chocolate? The entire situation is turned on its head. If anything, the person asking should be afraid of raising someone's ire for offering a paltry bar of chocolate in exchange for a password. Sadly, people just do not care about security, except in the voting booth when pondering the matter of "national security" -- or at least the appearance of "national security".

A big part of the problem is that the people in charge in various corporations do not actually care about whether you keep your password safe. They care about whether they can be sued, in the case of your bank, if someone else gets your password; they care about whether you will slack off at work, in the case of your employer; they care about whether you will trust them, in the case of antivirus vendors and their ilk. They do not really care about the security of your passwords at all.

Much of what masquerades as security in both public and private sectors is just an attempt by petty bureaucrats to avoid getting in trouble. As a result, the entire matter of password security is relegated to an exercise in playacting. It is widely distributed security theater, a nickel or a dime at a time. You cannot have an avalanche without the individual pebbles, and these pebbles add up in a hurry.

A little thinking about security -- just enough to account for the difference between people who do care about it and those who do not -- would protect against more than just a chocolate bar trade. It would also protect against cases where someone asks for your password at work, or to verify your identity over the telephone when calling tech support for your Internet service provider. It would protect against use of passwords that are incredibly short and easy to guess. It would protect against the stupidities of software developers who disallow all special characters and spaces and demand that no two letters or numbers are adjacent (requiring alternating letters and numbers) for login authentication systems.

All it really takes to get things rolling is to get people to care. Getting people to care is even pretty simple, in theory: Give them a sense of ownership, both of what must be protected and the consequences. If they have a sense of ownership of the data they are protecting, and of the harmful consequences of letting the security of that data get compromised, they will care about things like password security.

Sadly, the closest most employers get to instilling such a sense of ownership of the data and the consequences of a compromise looks something like this:

  1. The data is owned by the employer, as is the employee.
  2. The blame, if something goes wrong, is owned by the employee.

Consider the negative security effects of alienating your employees or customers from the data they generate. As people are desensitized to the value of the data they create or share by the ubiquitous claims of ownership over that data by the services they patronize or the employers for whom they work, they cease caring about its security. If people do not ever get to see any personal benefit from the value of what they produce or distribute, and only get to look forward to blame if something bad happens to it, their focus turns from caring about the data to caring about whether they get caught trying to do as little as possible.

In short, the real reason people will trade away their passwords for chocolate bars is that they have been given no reason to value the data those passwords protect as much as the measly dollar it would cost to buy their own chocolate bars. If you want people to exercise a little bit of good security practice in how they manage their passwords, first give them a reason to care about what those passwords protect.

Next, teach them that password management does not have to be difficult. For that purpose, you might try directing them to Five features of a good password manager.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

38 comments
jdriggers

I got tired of fighting the ones that always write their password down by simply doing this. I ask them if they enjoy their job or would they rather get fired when the following happens. Someone finds your password, and they remember you did something, or at least they think you did something that they want to teach you a lesson. So they login to your email account, send the CEO a very descriptive letter of what he can do to himself. It is your mail, you can't point the finger at anyone else, so you can bet your job is in deep doodoo. That has opened the eyes of those that could not grasp the importance of protecting their password.

lshanahan

Look up the famous Milgram experiments on authority and conformity. You can bet money that roughly 65% of the time, someone will divulge a password just because a perceived authority figure told them to do it - no chocolate necessary.

VirtualPro

I consider myself very security aware and it is extremely difficult to practice best policies. I must have 40 to 50 ids and passwords between work and personal. I do not set up accounts the same way for every web site. For example, I do not know what kind of security TechRepublic has in place (no offence, this would just be an example). My bank should have better controls and safeguards in place if for no other reason than there are mandated regulations and controls... so I will not use the same id and password for both of these. This is based on the assumption that if TechRepublic does not have appropriate safeguards the user id and password will not work for my bank. So I have different levels of security and some of the multiple ids are self-imposed. But every time you need to create an account there is also a different set of rules for both Id and password. There is the eMail account id... again I have a work eMail and a couple personal. One personal for my use and a second that is kind of a garbage account. Let's face it, if you "must" provide an eMail address before getting onto some sites they just put you on their spam list. Now others want you to use account number, or you create a name or they give you a user id and then there are the passwords or pin or even both! Must start with letter, must be numeric, must have special characters, cannot support special characters, limited to 8 characters, must be more than eight. How about select a picture so that you are sure it is the authentic site? Or better yet I have 4 accounts that you must get back to and change your password every 60 days or it expires. One of these must be more than 10 characters, include at least one numeric, special and uppercase without more than 2 repeating characters! And of course the passwords cannot be reused. And one of the other 4 that change all the time is limited to 8 characters so I can't even use the same password for all four every 60 days. The industry is a mess.

mckinnej

The problem many/most/(all?) security professionals seem to ignore is basic human nature. People are lazy...period. Like gravity, human laziness is a fundamental and unavoidable force of nature. The more you try to lock down systems, which usually equates to making it more complex/harder to use, you exponentially increase the chances your security measures will be circumvented or ignored. Like water or electricity, humans will find the path of least resistance. If your security system isn't easy, (ideally invisible), they WILL seek ways around it. Here's a real-world example. Someone in the hierarchy decides you need to increase computer security. The easy fix is to increase the password length requirement, so they bump minimum password length from 8 characters to 15. Did this help security? NO! What they did is guarantee every user now has a yellow sticky stuck somewhere in their workspace to remember their password. This is just one example from a security world rife with fundamental fails such as this. What is needed is a change of approach in the design of security systems. Rather than attempt to force users into a box (from which they will invariably escape), make the box fit the user. Ideally the user will not even be aware of the box so they will not know there is something to escape from. Until systems designed and built from this approach are implemented, we should expect the current security problems to continue.

sullivanjc

It is not primarily an issue of not caring, though certainly some don't care. Some accounts *aren't* important (as much as those running the sites might like them to be). Also, the study you cited was old and had no way of determining how many passwords traded for chocolate were even genuine. There are too many passwords that have to be too obscure and changed too often. Password managers help (and I use one) but even the best ones are not that easy to use and do not necessarily work everywhere. I have over one hundred id/password combinations in my password manager and that is an incomplete list. That is why people use the same passwords and/or try to keep them simple and/or leave them on post-it notes.

heyyoucraig

While I agree that password security is important, I am sure that many people would take umbrage with the comment: "The data is owned by the employer, as is the employee." I am also sure you meant that the employee's time and work are owned by the employer and therefore they rightfully expect it to be protected. Cheers

sweetings

The problem with passwords and their security is not with the user, it is with the IT industry. Everybody demands a password and you all require something different; minimum number of characters, must include at least one upper case and/or one lower and be both alpha numeric. Also, we are going to require you to change it every 60, 90 days. We are also required to have passwords for access to online sites such as TechRepublic - why? The articles are written by people who want them to be read by the widest of audiences, so let all people be able to access and read. Company and financial, perhaps another matter and maybe the answer is to create a series of passwords, easy to remember, but secure. Bottom line, three sets or series of passwords for; business, financial and social use. All following a common set of industry guidelines.

pgit

what if my cat has a long name including special characters and alphanumeric substitutions? I have no problem remembering what probably amounts to an uncrackable pass phrase. All one needs to know is a set of rules applied and what the 'untranslated' pass phrase is. You can write down the rules, and maybe some kind of reminder as to what your phrase is in plain English, and that data can safely be placed on the monitor on a post-it note. The only problem I've seen is someone saying their phrase out loud while typing it. I've been guilty of some of that myself, because some of my admin passes are just so fun to say. http://www.youtube.com/watch?v=-gwXJsWHupg

horngary

...but how do you positively incent enterprise workers to care?

Sterling chip Camden

Yep, this is primarily a social rather than a technical problem. Back in the late 70s, we had a sysadmin who was so socially inept that he always answered every question immediately, like a computer. Sometimes, we'd ask him the superuser password just to watch him spit it out -- then he'd say, "Oh, I wasn't supposed to tell you that. I'll go change it now."

santeewelding

Sounds as though holding your breath for as long as you could when, at length turning purple and before an internal burst, you let loose -- this -- a sudden exhalation spreading and thinning all at once to no good purpose except environmental offense.

Spitfire_Sysop

I used to work for a company that valued usability over security ad absurdum. They would not stand for any inconvenience at all. After having the CEO personally tell me to remove the password complexity and auto-locking screen savers from user terminals I tried to get to the bottom of the company attitude. Eventually someone who had been with the company for a long time broke it down for me. If anyone had physical access to the building all would be lost. This is because they had a 24 hour operation that depended on a legacy application running on Windows NT. This application requires an Admin account to be logged in at all times or the whole business comes screeching to a halt. This application is run on multiple terminals that are used by multiple users simultaneously. They need to work fast. They can't stop the presses to switch users or even unlock a terminal because they need to look at the screen and move on. These terminals also contained the only data that you would want to protect and were used for filing said data on the network. This means that anyone on that terminal is a local admin with full control of network shares holding the company gold. The various users' login credentials have no more access than this so there is really no need to protect them. All you can do is control physical access to the terminals. The new version of the legacy application is expensive and requires a large physical hardware investment. To bring the whole shop up to a new version would approach half a million dollars. What would you do for these people? (It would be cheaper to give every employee a gun than fix the computer system)

apotheon

What would you do for a Klondike bar? How about a gold bar? What is your price for the most valuable password you use at work?

apotheon

Scare tactics like that can certainly help get the point across. Of course, it would be better to somehow get them on your side -- but failing that, appealing to their desire to look out for their own side can be a passable fall-back.

apotheon

The chocolate example shows that people don't value the security of their passwords above the cost of getting a bar of chocolate. The Milgram experiments show that assuming a mantle of authority can also get you passwords -- but if people care about the security of their passwords, they can be trained to resist false claims of authority, even if only by setting a more verifiable claim of authority up as a shield against such claims. In short, defending against false claims of authority for passwords is more likely to succeed if approached intelligently than defending against someone not caring enough about you to resist an immediate impulse for chocolate.

apotheon

> I do not know what kind of security TechRepublic has in place (no offence, this would just be an example).

I'm not privy to what TR has going on the back end, but I know that it does not use SSL/TLS encryption for user login, even though it does for those of us who log in to the article editing interface to submit stories to our editors. I actually have four different logins related to TR -- one for discussion, and three for submitting articles to three different topic areas. I might have another one for submitting articles to another topic area, but I haven't been contributing there for quite some time, so I'm not really sure; I'd have to check my old, old records. So, yeah, I'd recommend keeping your logins for TR and your bank separate, not just for the usual reasons of ensuring that a compromise of one won't lead to a compromise of the other, but also because (for instance) your username and password for TR could be sniffed off a wireless network or skimmed by a man in the middle attack much more easily due to the lack of transport layer encryption for your logins.

> Let's face it, if you must provide an eMail address before getting onto some sites they just put you on their spam list.

To be fair, that's not always the case, though it is the case fairly often. Many sites just want to make sure that you'll actually have a place they can send password reminders, and that there's a real human being behind a particular account before granting site access that might be used for spamming if it's just a script signing up for accounts.

> Now others want you to

Your complaints about differing password policies are exactly the sorts of problems that password managers are meant to address.

apotheon

I take it you're another one of those who did not bother reading the article very closely and following a couple of links that the article specifically describes as addressing that sort of problem.

apotheon

> Password managers help (and I use one) but even the best ones are not that easy to use and do not necessarily work everywhere.

My password manager setup works great for everything except a couple of specific cases, such as remembering the password used to access the password manager. Of course, the situation is somewhat less conducive to easy use on MS Windows, and if that's the OS you have to use, I guess you're likely to think password managers are not as nice as I do -- but that's a separate problem. With a good password manager on a good OS, they're eminently usable.

. . . and yes, much of the problem is that people don't care. If they did, they'd find a way to make it work, given all the tools that are available to them.

apotheon

> I am also sure you meant that the employee's time and work are owned by the employer and therefore they rightfully expect it to be protected.

What I meant was that the employee has no sense of ownership over the security of the data, so doesn't care about the security of the data. I furthermore meant that, as part of that situation, the employee often feels like the company essentially asserts ownership over the employee. The complete statement should look something like this: "Sadly, the closest most employers get to instilling such a sense of ownership of the data and the consequences of a compromise looks something like this: The data is owned by the employer, as is the employee." See . . . the idea is that the employing corporation instills a sense of being owned, along with the data, by the employer -- which in no way fosters an attitude in employees conducive to security. Yes, employees might take umbrage at the concept of being owned by their employers, and they should take umbrage at that, and in fact they do take umbrage at that to some extent, which is part of the reason they do not feel any particular sense of responsibility and positive regard for securing the employer's data.

dhays

Too many different formats, and we will be going to using our Smart Card ID, so if someone gets ahold of my ID, who needs a password, except for the 8 characters assigned to it by me? I just changed my password to a DOD library last week, no repeats for 24 times, at least 15 characters in length! Some systems require an 8 character password, no repeated, upper and lower, numbers in the middle, but the other one requires 8 characters, don't have to have upper and lower case. Our network requires U/L, special, numbers, some sites cannot have spaces, some can, Some can be any length up to 256 characters, others 8, 8-15, 15 or more... Some are good 90 days, some 180 days, some no time limits. How does one figure out passwords for these types of systems? Sites such as Tech Republic, TV stations, newspapers...do not have time limits on their access passwords. My password manager is an Ms Excel Spreadsheet, protected by a password. 6 pages of them, and that is after some sites have been removed. I have never used any other. Don't know how either. Really don't want to mess with one. It would be nice if all places requiring passwords, work and public, would have the same rules for formats of passwords, whether one password is used for everything or not. We are required to take security training every year to remind us about not leaving things unsecured as I have done a couple of times today already.

apotheon

> Everybody demands a password and you all require something different; minimum number of characters, must include at least one upper case and/or one lower and be both alpha numeric. Also, we are going to require you to change it every 60, 90 days.

That's what password managers are for. There are links in the article relevant to this.

> We are also required to have passwords for access to online sites such as TechRepublic - why? The articles are written by people who want them to be read by the widest of audiences, so let all people be able to access and read.

I agree -- as one of those writers, I do want my articles read as widely as possible. On the other hand, I'm pretty sure you don't need a password to access any articles (outside of TechRepublic Pro, but that's another story). You just need to sign in if you want to participate in discussion.

Rayezilla

as an uncrackable pass phrase. Ever made a 'forum' account on the internet? The administrators for the forum can click on your name and see your log in password, and your email address. If you use the same password for your email as you do for you forum........ you're compromised. It doesn't matter if your password is 'cat' or 'ChcaHaoHcaUio93408934789023849023x1000'

seanferd

Allow employees a sense of data ownership and responsibility. Proper data stewardship, what. Getting corporate captains to care is another matter entirely.

Spitfire_Sysop

That guy has a backdoor in his brain! Speech exploit. He needs a firewall on his mouth.

apotheon

> What would you do for these people? (It would be cheaper to give every employee a gun than fix the computer system)

Well . . . that's an option. In those circumstances, it sounds like keeping everything strictly segregated from the Internet or any wireless networks and maintaining physical security (which might be enhanced by giving everyone in the company a gun) adds up to about all that can be done unless and until someone replaces that atrocious system.

JamesRL

That's just painful. I had a deal worked out with a CIO and Head of IT security of one of the big employers I worked at. If any big executive wanted an exemption to the security policies, I invited them to make the request directly to the CIO or Head of IT security. If they provided me a letter or email approving it, I would be happy to make the exception. I never once got one of those emails. I know no one asked, though many told me they would. We had one guy who really hated the tool we were using. This was a Mac tool that encrypted the HD and locked up requiring a password after 5 minutes. We had some latitude to extend that (by agreement with the CIO) to 15 minutes for people who had offices and lockable doors. This one guy didn't like even 15 minutes, never suited him better. So he acquired a set of OS CDs (they used to be free from Apple), and he backed up once a week, formatted the drive, reinstalled the OS and apps and restored the data. We would check him about once a week, and reinstall the security app. Finally we got the Head of IT security to write the ultimatum - it's our computer, our policy, live with it, or we go to HR and your Director. It did thankfully end.

Neon Samurai

"sure, gimme sweets. here's my current password.. been meaning to change that one anyhow." Now, if I didn't think I could change the password before the possibility of third party use.. nah.. you isn't getting the real one but can I still have the sweets? Chances are I wouldn't be able to give up the password off the top of my head anyhow; haven't had much luck remembering multiple 20 random character strings yet and my password manager credentials are off the table.

bboyd

You can also worry about data ownership going too far the other way.

bboyd

that anonymity in posting here would allow. Still won't trust my low grade password here to match any other PW elsewhere.

apotheon

If admins can see your passphrase because it's stored in plain text or they have decryption keys, they haven't cracked your password; they just have access to it, which is a completely different type of vulnerability than something easily cracked. Also . . . if those admins are trustworthy, and their servers are well secured, the complexity of your password still matters for others who might want to try to crack it.

bboyd

If the man at the top says he wants people to care about security and is willing to sacrifice convenience to gain it then the improvements will happen. The way to make the improvements though is entirely different. That is bottom up. Get the people dealing with the issue directly to put up solutions and assess them. Forcing "Best Practice" lists on them will not get any buy in.

dhays

I got one in 1971 or so, but went to work, to avoid getting in trouble. I was stationed at McConnell AFB in Wichita and had gone to Fall River Reservoir for a day or so and was in the water too long. The military is a little different than just a civilian employee of the Government or a civilian company.

apotheon

The sunburn example is a good demonstration of the principle I meant to describe. The trick is to give employees a sense of ownership over the value the data provides without encouraging employees to act in a manner inconsistent with the company's aims because of a jealously possessive attachment to the data.

apotheon

I, for one, wouldn't give up others' passwords just for filthy lucre. I'm weird, though. On the other hand, don't trust me to hold up to torture. Instead, trust technology -- and you can trust me to prefer technology that keeps your password safe so I don't have to. If I use a system that doesn't give me access to users' passwords, it doesn't matter whether I'm tortured or not; I still don't know anyone else's password.

apotheon

When cracking something, you overcome technical hurdles -- measures meant to deny access. By way of analogy, one does not crack the combination for one's own bicycle lock; one just knows it to begin with. Someone cracking the combination might sit there with his or her ear pressed to the lock listening for the movements of tumblers. If someone puts a sticker on the lock with the combination written on it, though, the act of cracking the combination is not necessary. Cracking the lock, rather than its combination, is a way to get around the need for a combination by exploiting some weakness in the design of the lock itself. Having an administrative interface by which one can read passwords is like knowing the password in the first place; having to download a password file and run an offline brute force attack is cracking the password; exploiting a vulnerability in the application so you don't need the password at all to do whatever you like is cracking the application. Hmm. In some respects, I suppose this means that using MS Windows means nobody ever cracks your security. People just walk right in, because there aren't any prohibitive technical measures to speak of, just like someone leaving the bicycle lock unlocked all the time. (I kid -- sorta.)
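The distinction drawn in the comment above (an admin who can simply read passwords versus an attacker who must crack a stolen password file) comes down to how the passwords are stored. The following added example, written for this page and not code from the article or any commenter, shows a store that keeps only a per-user salted PBKDF2 hash, so even full read access to the user table yields no password, while a registration-time blocklist reflects the point that password strength still matters against offline guessing. The blocklist entries, usernames and sample passphrases are constructed for illustration.

```python
"""Store passwords so that an administrator with read access to the user table
still cannot recover them (added example; not from the article or thread).
Standard library only: PBKDF2-HMAC-SHA256 with a per-user random salt,
constant-time comparison, and a registration-time weak-password check."""
import base64
import hashlib
import hmac
import os

# Constructed, illustrative blocklist. A real deployment would use a large
# list of breached/common passwords, not four words.
WEAK_PASSWORDS = {"cat", "password", "123456", "letmein"}

PBKDF2_ITERATIONS = 100_000   # assumption: tune upward for production hardware
SALT_BYTES = 16


class PasswordStore:
    """Minimal user table whose records hold a salted hash, never a password."""

    def __init__(self):
        # username -> "pbkdf2_sha256$iterations$salt_b64$hash_b64"
        self._records = {}

    @staticmethod
    def _derive(password, salt, iterations):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

    def register(self, username, password):
        """Reject known-weak passwords up front; otherwise store a salted hash.
        Returns True on success, False if the password is on the blocklist."""
        if password.lower() in WEAK_PASSWORDS:
            return False
        salt = os.urandom(SALT_BYTES)
        digest = self._derive(password, salt, PBKDF2_ITERATIONS)
        self._records[username] = "$".join([
            "pbkdf2_sha256",
            str(PBKDF2_ITERATIONS),
            base64.b64encode(salt).decode("ascii"),
            base64.b64encode(digest).decode("ascii"),
        ])
        return True

    def verify(self, username, password):
        """Recompute the hash with the stored salt and compare in constant time."""
        record = self._records.get(username)
        if record is None:
            # Burn the same work for unknown users so response timing does not
            # reveal which usernames exist.
            self._derive(password, b"\x00" * SALT_BYTES, PBKDF2_ITERATIONS)
            return False
        _algo, iterations, salt_b64, hash_b64 = record.split("$")
        candidate = self._derive(password, base64.b64decode(salt_b64), int(iterations))
        return hmac.compare_digest(candidate, base64.b64decode(hash_b64))

    def admin_view(self, username):
        """Exactly what an administrator with full read access to the table sees."""
        return self._records.get(username)


def demo():
    """Walk through registration, login, and the admin's view of the record."""
    store = PasswordStore()
    passphrase = "correct horse battery staple"   # constructed sample passphrase
    weak_rejected = not store.register("alice", "cat")
    strong_ok = store.register("alice", passphrase)
    store.register("bob", passphrase)              # same passphrase, second user
    record = store.admin_view("alice")
    return {
        "weak_rejected": weak_rejected,
        "strong_ok": strong_ok,
        "login_ok": store.verify("alice", passphrase),
        "wrong_rejected": store.verify("alice", passphrase + "r"),
        "plaintext_in_record": passphrase in record,
        # Different salts mean identical passwords produce different records,
        # so the table does not even reveal that alice and bob share one.
        "records_differ": record != store.admin_view("bob"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```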

pgit

Only a rogue sysadmin would compromise your password without having to crack it. (they "just have access to it") Anyone else would be cracking in the blind, starting with trying to find the hash in the first place.

pgit

What would it take to bribe a sysadmin into coughing up passwords? They'd have to cover tracks extremely well, but ultimately a car, tropical vacation or equivalent would probably do.

santeewelding

So, enlighten me. Please explain in more detail the difference between "cracking" a password and "just have access to it".