Is it time to think differently about web-site login credentials? Three researchers believe so and provide thought-provoking reasons why. Michael Kassner considers their results.
Is it time to think differently about web-site login credentials? Three researchers believe so and provide thought-provoking reasons why.
A few months ago, I met Dr. Cormac Herley, principal researcher at Microsoft. After a few interesting conversations, I penned an article: "Are users right in rejecting security advice." My goal was to present Dr. Herley's arguments as to why users should reject security practices that are costly and ineffective.
I stumbled on another paper that Dr. Herley co-authored with Dr. Dinei Florencio a fellow Microsoft researcher and Dr. Baris Coskun, a research assistant at Polytechnic University. I was hoping this paper would be as provocative as the previous one, and it was.
"Do Strong Web Passwords Accomplish Anything?" attempts to explain what is wrong with current methodology regarding web-site user IDs and passwords. I'd like to present their case. See if it resonates with you.
First and foremost, outright theft of web-site login credentials, especially those for financial institutions is serious. To that end, the paper considers the following to be the principal methods of stealing web-site access information:
- Special knowledge or access attacks (employ known information about user, shoulder surfing, or gain access to computer)
- Brute-force attack on an individual account
- Bulk-guessing attack on all accounts at the site
Current best practices
Then to make sure everyone is on the same page, the paper mentions what is currently considered appropriate password administration:
- Choose strong passwords
- Change passwords frequently
- Never write passwords down
The researchers feel this advice is out-of-date. Password "best practices" will not protect your login credentials from phishing, keylogging, or special-knowledge attacks. I suspect most would agree, but what about brute-force and bulk-guessing attacks?
The authors feel guessing and brute-force attacks are ineffective. That's because system administrators block access after a specific number of failed-login attempts. They offer the following example as proof of how well it works:
"If a bank allows only six-digits PINs (a relatively weak password) and locks an account for 24 hours after three attempts, an attacker could search 3 x 365 x 10=1e6 or 1% of the key-space in 10 years. Further, the ratio of unsuccessful to successful logins would be huge and easily detected."
That's probably true, but what about web sites without a lock-out policy?
I must confess, bulk-guessing attacks were never on my radar. They should have been, as they work. The following example from the paper explains the concept behind bulk-guessing attacks:
"Suppose a bank has 10 million online user accounts. If the bank allows six-digit PINs, each PIN will on average be used by 10 different users. Instead of searching all possible passwords for a given user ID, an attacker can search all possible user ID's for a given password. 10 million attempts will yield 10 successful logins using this strategy."
The authors also suggest that this approach is a lot stealthier:
"When attacking the password space of a single user ID it is very difficult for the attacker to conceal the attempts among the user's actual logins. In dispersing the attack across the whole user-ID space however the picture changes: the 10 million trials will amount to only one unsuccessful login per account."
To some, ten successful attacks seem trivial when there are 10 million members. That is unless you are one of the ten.
Next, the researchers wanted to determine how much digital information is required for each user ID/password combination. It could become a significant amount if multiplied by 10 million as in the above example:
"The bank in the example has 10 million online users, and each uses a 20-bit password (a six-digit PIN). The bank has simple user ID's. Customers are assigned consecutive seven-digit numbers. This is approximately 23 bits. To gain entry to a member's account, the attacker must enter 43 bits. We'll call the 43-bit user-ID password pair the bank's credential.
So the credential search space that the bulk-guessing attacker lives in is 243. There are approximately 223 valid accounts, so the attacker can expect to break in to one account per 220 attempts."
The researchers found increasing the number of bits used to create individual credentials to be an effective deterrent against bulk-guessing attacks. The research team offers the following mathematical relationships as proof.
- Bu: Is the size of the user ID in bits
- Bp: Is the size of the password in bits
- N: Variable representing the number of members
The following expression represents the total credential space that a bulk-guessing attacker would have to search:2Bu+Bp
The next equation represents the number of attempts required per successful break-in:(2Bu+Bp)/N
From the second expression, one can see that increasing the size of the user ID or password exponentially increases the number of attempts required to get a match.
Increase the amount of user ID bits
Increasing the number of password bits is not recommended. The researchers have already explained how increasing password size does not reduce the risk from phishing, keylogging, or special-knowledge attacks. Besides, users have enough trouble remembering simple passwords. So why not increase the size of the user ID instead? Doing so will obtain the same results.
Messing with the number of bits in the user ID instead of the password has another huge advantage. Ready for this, user ID's do not need to be kept secret. The user ID can be displayed for everyone to see. A cybercriminal would be hard pressed to gather everyone's user ID from sticky notes stuck to monitors.
The research team does have one concern: that of attackers being able to get complete lists from the institution's database. The researchers make the assumption (a logical one, but still an assumption) that user ID lists are heavily guarded. If a list ever became public, that establishment could be held hostage under the threat of a Denial of Service attack using the list of user IDs and bad passwords.
In conclusion, the research team offers two solutions, one for large institutions and one for small institutions:
- Large institutions: Use short, simple passwords with longer user IDs. Doing so reduces the chance of a successful login-credential attack, and makes it easier for the user.
- Small institutions: Cybercriminals would not want to go through all the effort of a bulk-guessing attack with so few users. That said, the paper concludes simple, short passwords will work as long as there is an unsuccessful-login lockout policy in place.
I now have a different viewpoint about user-login credentials, having read both papers. The concept is interesting, yet some will find the research controversial. Also, it seems Dr. Herley isn't done yet. In a recent email he mentioned another paper that he coauthored:
"The new paper explains a way to figure out which passwords are too popular across a large population. We think forbidding the ones that become too popular is a better approach than forcing users to comply with password-complexity requirements."
So, please stay in touch.