Patrick Lambert considers the recent decision by Blizzard to ignore case-sensitivity in user passwords from the perspective of the security vs. convenience debate.
Last week, the Internet was abuzz with news that several users of the popular game World of Warcraft discovered while attempting to log in: reports stated that passwords were not case sensitive. That meant any extra security gained from mixing lower and upper case letters was completely lost. This wasn't a new revelation; others had found the same behavior in other Blizzard games such as Diablo 3, and in earlier titles as well. Several discussions with hundreds of comments followed over whether this was a bug or a feature, and over why one of the most popular online games, one that has consistently been the target of hackers, scammers and attacks of all types, was using a weaker security model. People quickly concluded that this wasn't a bug, but a feature that let people log in regardless of whether they had their caps lock key on, or whether they remembered the exact capitalization of their password. It was a clear example of convenience versus security, and just the latest round in a very long debate that has been going on for many years.
Most security experts will tell you that convenience and security are usually at odds. As an administrator, when you add security, you usually remove convenience for your users. It's true for online games, for developers, and for any IT pro who has to manage any number of users. Take a simple example. When you install an Active Directory server for users to log into a network, you have a lot of control over how passwords are composed. In the Group Policy options you control the minimum length required, how often people have to change their passwords, how soon they can reuse the same password, and what kind of lockout the system imposes after failed attempts. It's possible to be very harsh here, and require all your users to have a 16-character password containing letters, numbers and symbols, and to change it every week. Of course, while this adds security, it's also a huge inconvenience for users.
Most people have their own system when it comes to passwords or even security in general. Some will simply try to keep it as simple as possible, so they will reuse the same password everywhere. Others will iterate on a basic password and add numbers at the end, while more sophisticated users will have a password manager. But if you force users to have non-standard passwords, then they have to go outside of their comfort zones. And then one of two things will happen. Either they will write the password down, which adds a big security risk, or they will forget it, which adds more work for your support crew. So while you were initially trying to increase security, you end up decreasing it in some cases, and increasing the load on your support staff in other cases. In the World of Warcraft situation, there's no doubt that by not enforcing case sensitive passwords, their intention was to reduce the number of support calls they had to deal with.
So the idea is to try and balance security and convenience to come to a good middle ground, because you will never be able to maximize both. Are case sensitive passwords adding a really big security layer? Not really. If someone tries to brute force a password, and that password is of sufficient length, then whether or not it's case sensitive will change very little. The actual length of the password is much more important. So here, it's likely that Blizzard made the right choice. In fact, they were one of the first games to introduce the use of an authenticator, which provides a second authentication factor on top of the user name and password. This is a huge security bonus, and helps prevent many common hacks like key loggers, malware, and password guessing. The benefit gained from using an offline authenticator is so much greater than whether or not you allow case sensitive passwords.
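The claim above that length matters far more than case, and the minimum-length question raised by the Group Policy example earlier, can both be checked with a little arithmetic on the attacker's search space. The following is an added example, not code from the article or from Blizzard; the alphabet sizes and the one-billion-guesses-per-second rate in the demo are constructed assumptions, and "case folding" means a verifier that treats `A` and `a` as the same character.

```python
import math

# Alphabet sizes are constructed assumptions for this worked comparison,
# not figures from the article.
LOWERCASE = 26
UPPERCASE = 26
DIGITS = 10
SYMBOLS = 32   # printable ASCII punctuation


def alphabet_size(letters=True, digits=False, symbols=False, case_sensitive=True):
    """Distinct symbols the verifier can tell apart. A case-insensitive
    verifier folds 'A' and 'a' together, so letters count as 26, not 52."""
    size = 0
    if letters:
        size += LOWERCASE + (UPPERCASE if case_sensitive else 0)
    if digits:
        size += DIGITS
    if symbols:
        size += SYMBOLS
    return size


def keyspace_bits(length, letters=True, digits=False, symbols=False, case_sensitive=True):
    """log2 of the number of passwords of exactly `length` characters drawn
    uniformly from the chosen classes: the work needed to exhaust them all."""
    return length * math.log2(alphabet_size(letters, digits, symbols, case_sensitive))


def bits_given_up_by_case_folding(length, letters=True, digits=False, symbols=False):
    """What a case-insensitive check costs at a given length: at most one
    bit per letter, and less once digits or symbols dilute the letters."""
    sensitive = keyspace_bits(length, letters, digits, symbols, case_sensitive=True)
    folded = keyspace_bits(length, letters, digits, symbols, case_sensitive=False)
    return sensitive - folded


def extra_length_to_compensate(length, letters=True, digits=False, symbols=False):
    """Fewest extra characters a case-insensitive password needs to match or
    beat the keyspace of a case-sensitive password of the given length."""
    target = keyspace_bits(length, letters, digits, symbols, case_sensitive=True)
    extra = 0
    while keyspace_bits(length + extra, letters, digits, symbols, case_sensitive=False) < target:
        extra += 1
    return extra


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every password at a given guessing rate. The
    rate is an input, not a claim: online guessing against a rate-limited
    login and offline cracking of leaked hashes differ by many orders of magnitude."""
    return 2.0 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e9   # constructed figure: one billion guesses per second
    for length in (8, 10, 12, 16):
        sens = keyspace_bits(length, digits=True)
        fold = keyspace_bits(length, digits=True, case_sensitive=False)
        print(f"{length:2d} chars letters+digits: "
              f"case-sensitive {sens:5.1f} bits ({years_to_exhaust(sens, rate):.3g} yr), "
              f"case-folded {fold:5.1f} bits ({years_to_exhaust(fold, rate):.3g} yr), "
              f"folding costs {bits_given_up_by_case_folding(length, digits=True):.1f} bits, "
              f"compensated by +{extra_length_to_compensate(length, digits=True)} chars")
```

Running the demo shows the trade-off in numbers: folding case on an eight-letter password gives up eight bits, and two extra lowercase characters more than buy them back, which is why a policy that raises minimum length is a stronger lever than one that insists on mixed case.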
This is an exercise you can do at work, if you have to manage any kind of user logins. Think about what settings you control, and how they affect security and convenience. Check with the support department, and find out what most of their calls are about. It can be amazing what some companies do without even realizing it. A simple option change, such as no longer requiring constant password changes, may reduce support calls dramatically. Or, maybe you're in a situation where several user accounts have been hacked, and you need to increase security. Think of which measure you can add that will truly increase your authentication strength, without impacting convenience too much. For example, second-factor authentication using an iPhone or Android app is becoming a very popular feature on various sites, because it's fairly easy for a user to download an app and use it to log in, and this simple addition greatly enhances security.
In your opinion, which password security measures are just inconveniences, versus those that truly add some value? Does your support staff still spend a lot of time on password changes and lock-outs? Have you tried any different authentication methods?