Credentials
For a while I've been wondering how long it would take for you guys to get around to analyzing not only the use (whether futility) of passwords, but also the function of user identification (AKA user name). 
Perhaps the original frame of reference was "account + userID" or "account + password", before it became "user-name + password". Note that in the first two, the userID and the password have the same role, and for "user name + password", the user-name is ordinarily employed, whether directly or indirectly, to identify an "account" record(s).
In the "account + userID" case, which persons can access the account data and which are authorized to effect and/or to record transactions for that account might well be known, but their userIDs are secret. Since access and activity to the account can be logged by userID, each user has an incentive to keep their ID secret.
In the "account + password" case, the account name or number is probably shared or even public information, but the password is secret. Accounts can have multiple passwords, with one unique password for each person qua "user" who is authorized to access the data of, and perhaps to effect and/or record transactions for, the account. Ordinarily, each time that a user accesses the account, a log is kept of their activity. Accordingly, each user has an incentive to keep their password secret, whether also to accept that it should be "strong".
Which is to say, account names or numbers, userIDs, and passwords predate their use in the context of the Internet. They were adopted for internal security, as part of a system of control to prevent and/or to detect malfeasance and embezzlement, among other possibilities, by employees and agents of businesses or of other organizations.
Succinctly, they have been, and still are, used in the mitigation of insider risk. Perhaps that context is the one in which they are the most effective. It is also the context in which the rules for creating, securing, and changing passwords have been created. In particular, changing a password often is desirable because an "insider" who has acquired it and found a use for it is likely to use it repeatedly, whether often, unless and until they are caught (which could be over the course of a long period of time).
We know that adopting "user-name + password" to deter unauthorized access by "outside" intruders can be effective, but it also has weaknesses. The vulnerability of passwords to phishing depends upon the vulnerability of the user, and their vulnerability to illicit keystroke-logging depends upon the vulnerability of the system to malware installation. Of course, both phishing and keystroke-logging typically obtain user-names as well as passwords.
In both contexts in which passwords have been adopted, users often consider "strong" passwords inconvenient and/or simply infeasible. That lessens their incentive to keep them secure, and to create them when they are allowed to create their own password(s).
Mr. Herley is correct in asserting that a 6-digit PIN is adequate for a password, if and only if the system in which it is used does not permit enough unsuccessful attempts for a brute force attack to eventually succeed, whether by "locking out" access to the system when such an attack is detected. Geometrically increasing the amount of time before another attempt is permitted after each invalid password has been entered is a particularly elegant solution. Although, an actual customer who cannot recall their password correctly will probably not appreciate that approach.
Mr. Herley also presents a sound argument for a bank (or other organization) to keep the list of its actual user-names very secure. However, I do not agree that a user-name should be regarded as something which the user can publicize, disclose, or otherwise treat in an unsecure manner, because it should become another barrier to unauthorized access to the account. As already noted, the user-name either directly or indirectly identifies the "account" for which the password must be entered.
Although Mr. Herley mentions "over the shoulder" spying, he does not discuss "ATM skimmers". The thieves install a counterfeit front to the actual front of an ATM, and it intercepts and reads the data from the user's ATM card, and records the PIN and any other data which they enter via the keypad. (I haven't heard of one which will steal deposits of cash and/or checks, though that might have been done.)
The web sites at which I've "registered" or "opened an account" either (1) require that a valid e-mail address, for an account to which the user has access, be employed as the user-ID, or (2) permit the user to compose and adopt whatever "user-name" that the user chooses. In the first case, an e-mail address is implicitly unique among all others. Many web sites send an e-mail message to the e-mail address specified by the user, who must respond to it in a designated way to "authenticate" their registration or creation of the account. In the second case, the user might be limited to letters and digits for the user-name, whether also for the password.
Regardless, simply keeping track of all "user-name + password" combinations that I've adopted has been a chore! (Currently, I am implementing LastPass to manage them.)
The bank(s) to which Mr. Herley refers in his article either (1) assign a unique user-name for each customer, (2) assign a unique number that corresponds to each specific bank account instead of a user-name, or (3) adopt a unique "universal identifier" such as the US Social Security Number for each person who is authorized to access the account.
Since the bank with which I do business does not assign a user-name for access to the account via the Internet, I have chosen to adopt one which consists of both upper-case and lower-case letters, digits and special characters. In other words, the user-name is a "strong password" and I treat it as such. The "password" itself is relatively strong, and I also use two-factor authentication. If the bank doesn't "recognize" the IP address that I am currently using (it changes every day), then they require me to answer a "security question". That challenge is made after I have entered the user-name, of course.
Unfortunately, none of this defeats the use of the ZeuS banking spyware "trojan", but I'm such a small fish in such a large pond that I cannot imagine that they would waste a money mule to steal my money. I'm much more concerned about "insider risk", though.
Posted by Ocie3
Updated - 21st Jul 2010
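The throttling the commenter endorses above, shown as an added example that is not the commenter's or Mr. Herley's code: a per-account wait that doubles after every failed attempt (base delay and cap are assumed values), plus a function that totals the time needed to try every one of the 10^6 six-digit PINs against a single account under that policy.

```python
import hmac
from dataclasses import dataclass, field

PIN_DIGITS = 6
BASE_DELAY = 1.0    # seconds of wait imposed after the first failure (assumed value)
MAX_DELAY = 3600.0  # cap on the wait so a forgetful customer is not locked out indefinitely (assumed)


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts on this account
    next_allowed: float = 0.0  # earliest time (seconds) at which another attempt is accepted


@dataclass
class PinAuthenticator:
    pins: dict                                 # user-name -> correct PIN (constructed sample data)
    state: dict = field(default_factory=dict)  # user-name -> AccountState

    def delay_after(self, failures: int) -> float:
        # 1, 2, 4, 8, ... seconds: the wait doubles with every failure, up to MAX_DELAY
        return min(BASE_DELAY * 2 ** (failures - 1), MAX_DELAY)

    def attempt(self, user: str, pin: str, now: float):
        """Return (accepted, seconds_the_caller_must_wait)."""
        st = self.state.setdefault(user, AccountState())
        if now < st.next_allowed:
            # Inside the wait window nothing is checked, not even a correct PIN,
            # so an early guess yields no information and makes no progress.
            return False, st.next_allowed - now
        if hmac.compare_digest(self.pins.get(user, ""), pin):
            self.state[user] = AccountState()  # success clears the backoff
            return True, 0.0
        st.failures += 1
        st.next_allowed = now + self.delay_after(st.failures)
        return False, st.next_allowed - now


def seconds_to_exhaust(space: int = 10 ** PIN_DIGITS,
                       base: float = BASE_DELAY, cap: float = MAX_DELAY) -> float:
    """Wall-clock seconds needed to try every PIN in `space` against one account
    under this policy: a doubling phase, then `cap` seconds per remaining guess."""
    total, k = 0.0, 1
    while k <= space and base * 2 ** (k - 1) < cap:
        total += base * 2 ** (k - 1)
        k += 1
    return total + (space - k + 1) * cap
```

With the assumed 1 s base and 1 h cap, walking the whole six-digit space takes about 3.6 billion seconds, roughly 114 years, while a customer who mistypes once waits only a second; the usability cost the comment mentions appears only after repeated failures.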