
Security vs. convenience: The case of case-insensitive passwords

Patrick Lambert considers the recent decision by Blizzard to ignore case-sensitivity in user passwords from the perspective of the security vs. convenience debate.

Last week, the Internet was abuzz with news of something several users of the popular game World of Warcraft discovered while attempting to log in: passwords were not case sensitive. That meant any extra security gained from mixing lower- and upper-case letters was completely lost. This wasn't a new revelation; others had found the same thing in other Blizzard games, such as Diablo 3, and even earlier ones. Discussions with hundreds of comments debated whether this was a bug or a feature, and why one of the most popular online games, one that has consistently been the target of hackers, scammers and attacks of all types, uses a weaker security model. People quickly concluded that this wasn't a bug but a deliberate feature, one that lets people log in regardless of whether they had their caps lock key on, or whether they forgot the exact capitalization of their password. It was a clear example of convenience versus security, and just the latest round in a debate that has been going on for many years.

Most security experts will tell you that convenience and security are usually at odds. As an administrator, when you add security, you usually take away convenience from your users. It's true for online games, for developers, and for any IT pro who has to manage any number of users. Take a simple example. When you set up an Active Directory server for users to log into a network, you have a lot of control over how passwords are composed. In the Group Policy options you can set the minimum length required, how often people have to change their passwords, how often they can reuse the same password, and what kind of lockout the system imposes after failed attempts. It's possible to be very harsh here, and require every user to have a 16-character password containing letters, numbers and symbols, and to change it every week. While this adds security, it's also a huge inconvenience for users.

Most people have their own system when it comes to passwords, or even security in general. Some will keep it as simple as possible and reuse the same password everywhere. Others will iterate on a basic password by adding numbers at the end, while more sophisticated users will have a password manager. But if you force users to have non-standard passwords, they have to go outside their comfort zones, and one of two things will happen. Either they will write the password down, which adds a big security risk, or they will forget it, which adds work for your support crew. So while you were initially trying to increase security, you end up decreasing it in some cases and increasing the load on your support staff in others. In the World of Warcraft situation, there's no doubt that by not enforcing case-sensitive passwords, Blizzard's intention was to reduce the number of support calls it had to deal with.

So the idea is to balance security and convenience and find a good middle ground, because you will never be able to maximize both. Do case-sensitive passwords add a really big security layer? Not really. If someone tries to brute force a password, and that password is of sufficient length, then whether or not it's case sensitive changes very little. The actual length of the password is much more important. So here, it's likely that Blizzard made the right choice. In fact, they were one of the first to introduce an authenticator for a game, which provides a second authentication factor on top of the user name and password. This is a huge security bonus, and helps defeat many common attacks such as key loggers, malware, and password guessing. The benefit gained from using an offline authenticator far outweighs whether or not you allow case-sensitive passwords.

This is an exercise you can do at work if you manage any kind of user logins. Think about which settings you control and how they affect security and convenience. Check with the support department and find out what most of their calls are related to. It can be amazing what some companies do without even realizing it. A simple option change, such as no longer requiring constant password changes, may reduce support calls dramatically. Or maybe you're in a situation where several user accounts have been hacked and you need to increase security. Think about which measure will truly increase your authentication strength without impacting convenience too much. For example, second-factor authentication using an iPhone or Android app is becoming a very popular feature on various sites, because it's fairly easy for a user to download an app and use it to log in, and this simple addition greatly enhances security.

In your opinion, which password security measures are just inconveniences, versus those that truly add some value? Does your support staff still spend a lot of time on password changes and lock-outs? Have you tried any different authentication methods?

About

Patrick Lambert has been working in the tech industry for over 15 years, both as an online freelancer and in companies around Montreal, Canada. A fan of Star Wars, gaming, technology, and art, he writes for several sites including the art news commun...

4 comments
Kenton.R

... since the "correct horse battery staple" comic was posted on xkcd.com. While I agree with the basic premise - a 25 character all-lowercase password is more resistant to attack than an 8 character "fully complex" password - there is a flaw in the logic. As in the xkcd example, humans tend to choose whole words instead of just random alpha characters. That significantly reduces the complexity. There are about 600,000 English words, but the typical native English speaker only learns about 20,000 (there are a lot of words like syzygy and medical terms). We only use about 2,000 unique words in the typical week. So...

1. Assume attacker suspects an all lowercase password may be in use.
2. Assume attacker has access to unsalted hash of the password (such as recent breaches at LinkedIn, eHarmony, Last.FM, etc) for offline attack.
3. Assume user selected 4 words, all lowercase.
4. Number of likely passwords = 2,000^4 = 16,000,000,000,000. At first glance, that looks suitably complex.
5. A password cracker like oclHashcat-Plus can run through over 3,263,000,000 SHA1 hashes per second on a PC with a single AMD hd6990 videocard.
6. That single PC could calculate every possible 4-word combination (assuming 2k different words) in about an hour and 22 minutes. Even if the list is expanded out to 20,000 words instead of 2,000, an attack is still possible because of...
7. Distributed computing. An attacker can split that workload over something like an EC2 cloud (using stolen credit cards to pay for it, no doubt) or a botnet. Let's assume a botnet of 40,000 computers (fairly small by botnet standards) that are on only 6 hours/day and have GPUs that on average are only 1/4 as efficient at cracking as the hd6990 (it may be a year and a half old, but the hd6990 is still a high-end card).
8. Check my math, but I'm calculating the hypothetical botnet could smash a SHA1 hash created from 4 common lowercase words picked from a 20,000 word dictionary in about 5hrs 30min.

Those using just the most common 2k words would fall in under 2 seconds (not accounting for network latency, etc). What am I trying to get at? Users should definitely increase password length, but patterns - ANY PREDICTABLE PATTERN - significantly decrease password entropy. If you're going to have patterns in there, compensate by making it long as hell. I understand I'm a paranoid bastard, but my domain admin passphrase is 30+ characters with some unlikely capitalization and numbers/symbols. You can't Google for it, it isn't grammatically correct, and it changes to something completely unrelated on a regular basis. I will admit to using some full words in it; I fully understand that entropy isn't ideal due to various tendencies (in English a "t" has a high probability of being followed by an "h", nouns commonly come before verbs) but with 30+ characters plus "some" complexity insertion brute force is no longer a viable tactic. The passphrase is mostly comprehensible, so I can type it pretty quickly - definitely faster than an 8-character randomly generated password. An attacker is much more likely to gain access from a keystroke logger, software vulnerability... or just whacking me repeatedly with a $5 wrench until I tell them the password. http://xkcd.com/538/
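Two claims on this page lend themselves to the same worked calculation: the article's point that length matters far more than case sensitivity, and the comment above's estimate of how fast a four-word lowercase passphrase falls to an offline attack. The block below is an added example, not the article's or the commenter's own code. It treats a case-insensitive login as case folding before comparison (so the 62-symbol mixed-case alphanumeric alphabet shrinks to 36), computes the keyspace and entropy for character passwords and dictionary passphrases, and converts them to worst-case exhaustion time. The guess rate of 3.263 billion SHA1 hashes per second and the 40,000-host, quarter-speed botnet are assumptions taken from the comment, valid only for an unsalted fast hash; against a deliberately slow password hash the same arithmetic would give numbers many orders of magnitude larger.

```python
import math
import string

# Offline guess rate quoted in the comment above for one GPU against unsalted
# SHA1. It is an assumption carried over from that comment, not a measured figure.
GPU_SHA1_PER_SECOND = 3.263e9

MIXED_ALNUM = string.ascii_letters + string.digits   # 62 distinct symbols


def folded_alphabet_size(charset: str) -> int:
    """Distinct symbols left after case folding, which is effectively what a
    case-insensitive login does before comparing (or before hashing)."""
    return len({c.lower() for c in charset})


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly this length."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the keyspace: every extra character adds log2(alphabet) bits."""
    return length * math.log2(alphabet_size)


def length_to_match(target_bits: float, alphabet_size: int) -> int:
    """Shortest length in the given alphabet that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def passphrase_keyspace(dictionary_size: int, word_count: int) -> int:
    """Candidates for word_count words drawn from a dictionary, the comment's
    2,000^4 figure: the real search space once the attacker guesses whole
    words instead of single characters."""
    return dictionary_size ** word_count


def exhaust_seconds(space: int, guesses_per_second: float) -> float:
    """Worst-case seconds to try every candidate at a given offline guess rate."""
    return space / guesses_per_second


def botnet_rate(hosts: int, per_host_fraction: float,
                reference_rate: float = GPU_SHA1_PER_SECOND) -> float:
    """Aggregate rate of many hosts, each a fraction as fast as the reference GPU."""
    return hosts * per_host_fraction * reference_rate


if __name__ == "__main__":
    folded = folded_alphabet_size(MIXED_ALNUM)
    print(f"mixed-case alnum: {len(MIXED_ALNUM)} symbols; after case folding: {folded}")
    bits8 = entropy_bits(len(MIXED_ALNUM), 8)
    print(f"8 mixed-case chars = {bits8:.1f} bits; a case-insensitive password "
          f"needs {length_to_match(bits8, folded)} chars to match that")
    print(f"20,000-word dictionary, 4 words, one GPU: "
          f"{exhaust_seconds(passphrase_keyspace(20_000, 4), GPU_SHA1_PER_SECOND):,.0f} s")
    for rate_name, rate in (("one GPU", GPU_SHA1_PER_SECOND),
                            ("40k-host botnet at 1/4 speed", botnet_rate(40_000, 0.25))):
        secs = exhaust_seconds(passphrase_keyspace(2_000, 4), rate)
        print(f"2,000-word dictionary, 4 words, {rate_name}: {secs:,.1f} s")
```

Running it reproduces the comment's single-GPU figure for 2,000^4 (about 4,900 seconds, roughly an hour and 22 minutes) and its sub-two-second botnet figure, and shows that two extra characters of a case-insensitive password more than make up for losing case: 36^10 exceeds 62^8, while 36^9 does not.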

a.portman

Do I need a 16 character, upper, lower, number special character password to play a game? If my credit card number is attached, probably. If the biggest thing I would lose is my collection of weapons, probably not. I have dropped online services because the password requirements were, in my mind, excessive. Now, I really do have a problem with sites/services that have complex password requirements but don't tell you about them until the error message pops up. Some then pop a second one because the first error was "passwords must have at least one upper and one lower case letter" and the second error is "passwords must include a number." Dude, tell me ahead of time, your competitor does.

Rioch

The other option for users when faced with a security overload on an application is that they will simply stop using it. If it's not necessary for work and it's too much hassle, forget it! I like the idea of using an app as a second authenticating factor if it is offered as an alternative to a token. Cheaper to administer and one less thing to carry around for the customer, a win-win if ever there was one. Given the choice of a seven-character case-sensitive or an eight-character case-less password (which I assume would be roughly the same security level), I would go for the eight-character every time. One character extra is no great hardship on a standard keyboard but the case-insensitivity is a huge convenience on a smartphone touch screen.

Neon Samurai

All external passwords can be crazy long/complex. My Steam account... crazy long and complex, while completely convenient once installed. I assume WoW's client also stores credentials locally (let's hope in a hashed form though). In my case, I've considered dropping services that imposed too weak a password: limited to eight or fewer characters, no symbols... bah. With a good password manager, you can have the best of both: convenience and security.