When Security is Insecure

I’ve noticed a growing trend recently towards services insisting on a specific ‘type’ of password before they will let you sign up. This normally means a required count of digits, uppercase letters or lowercase letters.

I suspect I’m much like most people in how I use passwords. I tend to use the same password, or the same password pattern, for online services, apart from those that I regard as special or as carrying a particular risk. I have about three that I regularly use, and I am a good online citizen who regularly refreshes and changes them. It also means that I can remember them – my poor brain can just about cope with three combinations and remember where I have used each one.

Insisting on a particular password composition is normally cited as a security improvement. I’m going to come out and say very firmly that it is not! The problem is that the rules each service insists on are always subtly different, which means you make subtle changes to an existing password or create a new one… and promptly forget it.

A couple of examples that have frustrated me recently are Boris Bikes (they should just register that URL) and Mastercard’s Mastercode. Boris Bikes wanted a password of at least 8 characters with at least one uppercase letter and at least one number. My standard 8-character password has a number, but no uppercase letter. Mastercode requires a password of at least 8 characters, but with one uppercase letter and TWO numbers. So I can’t even use the same pattern for these two services. Neither service emails you your password (again, arguably a very good process in security terms), so there is no record of any changes you have made. And the Mastercode password reset process is actually bizarrely insecure – all I have to know is my birth date and they will reset the password on demand. The demands and the workarounds don’t add up to a consistent experience.

The result? I’ve started writing passwords down – reverting to the good old days of passwords on post-it notes – and have completely negated the intended security process by making my passwords extremely vulnerable.

If services are going to insist on instructing users on how to create passwords, they should at least use a common standard – eight characters with at least one number or special character really should be enough. Better still, services that need security should leave it to the experts and make use of federated approaches such as the UK federation or OpenID. The alternative is a complete breakdown in security at the user end, and you are only as secure as your users behave.
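To make the mismatch concrete, here is an added example (not code from the post, from Boris Bikes or from Mastercard) that expresses each composition rule set described above as data and reports which rules a candidate password breaks. The rule sets are reconstructed from the post’s description only; the exact rules the real services enforce are an assumption, as are the sample passwords.

```python
"""Composition-rule checker for the password policies described in the post.

Added example: the three policies below are reconstructed from the post's
description (Boris Bikes: at least 8 characters, one uppercase letter, one
digit; Mastercode: at least 8 characters, one uppercase letter, two digits;
the author's proposed minimum: at least 8 characters and at least one digit
or special character).  The real services' exact rules are not on the page
and are assumed here; the sample passwords are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """One service's composition rules.  A zero minimum means 'no rule'."""
    name: str
    min_length: int
    min_upper: int = 0
    min_digits: int = 0
    min_digit_or_symbol: int = 0


def _count(password: str, pred) -> int:
    return sum(1 for ch in password if pred(ch))


def failed_rules(password: str, policy: Policy) -> list[str]:
    """Return the names of the rules in `policy` that `password` violates.

    An empty list means the policy accepts the password as-is.
    """
    failures = []
    if len(password) < policy.min_length:
        failures.append(f"length<{policy.min_length}")
    if _count(password, str.isupper) < policy.min_upper:
        failures.append(f"upper<{policy.min_upper}")
    if _count(password, str.isdigit) < policy.min_digits:
        failures.append(f"digits<{policy.min_digits}")
    # "special character" here means anything that is neither a letter nor a digit
    symbol_or_digit = lambda c: c.isdigit() or not c.isalnum()
    if _count(password, symbol_or_digit) < policy.min_digit_or_symbol:
        failures.append(f"digit_or_symbol<{policy.min_digit_or_symbol}")
    return failures


# Assumed rule sets, taken from the post's description of each service.
POLICIES = [
    Policy("Boris Bikes (as described)", min_length=8, min_upper=1, min_digits=1),
    Policy("Mastercode (as described)", min_length=8, min_upper=1, min_digits=2),
    Policy("author's proposed minimum", min_length=8, min_digit_or_symbol=1),
]


def accepted_by(password: str) -> list[str]:
    """Names of the policies that accept `password` unchanged."""
    return [p.name for p in POLICIES if not failed_rules(password, p)]


def coverage(candidates: list[str]) -> dict[str, list[str]]:
    """For each policy, which of the user's existing passwords it would accept.

    A policy with an empty list forces the user to invent yet another password.
    """
    return {p.name: [c for c in candidates if not failed_rules(c, p)]
            for p in POLICIES}


if __name__ == "__main__":
    # Constructed sample: the author's "standard" pattern and two edits of it.
    mine = ["autumn7!", "Autumn7!", "Autumn77"]
    for pw in mine:
        print(pw, "->", {p.name: failed_rules(pw, p) for p in POLICIES})
    print(coverage(mine[:2]))
```

Running the demo shows the post’s complaint in miniature: the no-uppercase password satisfies only the author’s proposed minimum, adding an uppercase letter satisfies Boris Bikes but still not Mastercode, and only a third variant passes all three. `coverage()` is the quick way to see which policies an existing set of passwords leaves uncovered.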

2 thoughts on “When Security is Insecure”

  1. Ingrid Melve

    This aligns with research from the Microsoft Research Labs http://research.microsoft.com/pubs/132859/popularityISeverything.pdf where Herley, Schechter and Mitzenmacher argue that the limitations posed upon users may result in poorer security.

    My personal vision for the work I have been doing in federations and security the past 10 years: being able to walk into a university and see no sticky notes with passwords, even if I turn the keyboards over!
