Wednesday, November 29, 2017

Should we disallow common passwords like "password" and "12345"?


Studies show that people can use some really "insecure" passwords. Here's Mashable's worst 25 passwords of 2011, for example. To protect security on our sites (and the overall experience of a less-hacked site), can we reasonably disallow common passwords such as those that appear on this list? Or would users who want to use "qwerty" as their password be inconvenienced enough that it's not worth it?


Consider these two case studies and answer for both:

  1. personal security: the site retains personal information such as name, birthdate, and email (enough to spam, phish, and mess with users' credit)

  2. financial security: the site retains financial information such as credit card number (enough to rob users and completely discredit the website)

Any studies on password requirements, usability, and user experience would be great.



Answer



I don't think there is anything wrong with disallowing those common passwords; I just wouldn't advertise that you do so if it's a web app, as then a potential cracker would take those rules into account when trying to crack accounts.



What you'll find is that no matter the rules you try to put into place, users who don't care about the information their password is protecting will attempt to find the easiest way around those rules. If you make it so they can't use p@ssword, they'll use p@ssword1. Consider this paper by Dr. Rick Smith entitled "The Password Dilemma". The main sections to read there for this question would be the first three: "Strong Password Policies", "Passwords and Usability", and "Dictionary Attacks and Password Strength".


My opinion is that most people will consider financial information needing to be more secure and the user will therefore be more invested in making a strong password. However, attempting to help a user make their password stronger by providing the appropriate nudge/pressure to make it more secure is not a bad consideration either.


I think the most common practice to help promote stronger passwords is to provide a weak - medium - strong indicator for password "strength". This will allow you to educate your users as opposed to enforcing strict rules which may then be able to be learned by crackers to narrow their search. This meter concept is an arbitrary measure intended to make the user think for a moment longer about their choice of password. A sample methodology for implementing a password-strength meter is provided in this paper "Adaptive Password-Strength Meters from Markov Models".


There's some great information on the usability of passwords on baekdal.com, specifically on how they're most typically cracked.


There are a lot of studies, articles, posts, et cetera on the matter of password strength and usability. With all the above considered, I haven't personally found anything on specifically discriminating on a list of common passwords.
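As an added illustration of the answer's first two points (this is example code, not from the post or any named project): a registration-side check that rejects entries on a common-password list and also the trivial variants the answer mentions, such as p@ssword1, by normalizing the input before lookup. The blocklist and the substitution map are constructed assumptions; a real deployment would load a large breach-derived list.

```python
import re

# Constructed sample of a common-password blocklist (an assumption for this
# example; a real deployment loads a large breach-derived list).
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "abc123", "monkey",
    "letmein", "dragon", "111111", "baseball", "iloveyou", "trustno1",
}

# Substitutions users typically apply to slip a blocked word past a filter
# (assumed map for this example).
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def variants(password: str) -> list:
    """Forms of the password to look up in the blocklist: lower-cased, with
    symbol prefix/suffix stripped, with a trailing digit run removed, and with
    leetspeak undone, so 'P@ssw0rd2017' also yields 'password'."""
    low = password.lower()
    stripped = re.sub(r"^[^a-z0-9]+|[^a-z0-9]+$", "", low)
    no_digits = re.sub(r"\d+$", "", stripped)
    forms = [low, stripped, no_digits,
             stripped.translate(LEET_MAP), no_digits.translate(LEET_MAP)]
    return [f for f in dict.fromkeys(forms) if f]  # unique, non-empty, ordered


def check_password(password: str, min_length: int = 8) -> tuple:
    """Return (accepted, reason). Length is checked first, then the exact
    password, then its trivial variants, so the reason names the rule that
    fired without echoing the blocklist back to the user."""
    if len(password) < min_length:
        return False, "too short"
    if password.lower() in COMMON_PASSWORDS:
        return False, "on common-password list"
    if any(v in COMMON_PASSWORDS for v in variants(password)):
        return False, "trivial variant of a common password"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["password", "p@ssword1", "Trustno1!", "correct horse battery"]:
        print(pw, check_password(pw))
```

The variant expansion is what stops the p@ssword1 workaround the answer describes; the length floor and list contents are policy knobs, not part of the technique.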

