Security Awareness Blog

Stop Blaming People And Start Blaming Ourselves - Starting With Passwords

Okay, this one is for the security community. I'm amazed and stunned at how often our community arrogantly blames people for security risks when we ourselves are the ones to blame. Let's pick everyone's favorite flogging topic when it comes to people: passwords. You know, the topic where we blame users for being 'stupid' for constantly using such simple and basic passwords. We go to the trouble of teaching people to use long passwords, passphrases when possible, and then wonder why people don't follow our sage advice. We have even created cartoons on this.

Okay, let's say people learn and follow these steps. Now what happens? They can't log in anywhere, because the vast majority of websites will not support passphrases, or if they do, they warn that they are insecure. Seriously.

  • Many banks and financial institutions allow only 6-8 characters with no symbols because they are still using, and limited by, mainframes. Don't believe me? Start with Charles Schwab and work your way from there.
  • Many websites do not allow more than 16 characters, including security-focused ones. It's actually hard to create a passphrase with multiple words that is under 16 characters. For example, try creating a long passphrase at StrongVPN, a company that provides VPN services. Or try PayPal, which does not allow spaces.
  • Organizations that do allow long passphrases will report them as insecure because they are not complex (lacking symbols, numbers, etc.). See the attached image for an example. The password I entered was 22 characters long but only letters, so it was reported as weak.

I think it would be great if we as a community could stop blaming the 'stupid' user and get our own act together first. Or better yet, bypass the whole password mess and go straight to two-step verification.
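To make the three complaints above concrete, here is an added example (not code from the original post) that puts a policy of the kind the post criticises next to one that accepts passphrases. `legacy_check` reproduces the pattern of rules described in the bullets (a 16-character cap, no spaces, mandatory digit and symbol); `sane_check` keeps only a minimum length, a generous upper bound that exists solely to cap hashing cost, and a screen against a small blocklist. The blocklist, the limits and the function names are assumptions constructed for the example.

```python
"""Added example: the rejection rules the post complains about, next to a
policy that lets a long, letters-only passphrase through.

Not code from the original post; limits and the blocklist are constructed."""

import unicodedata

# Constructed sample blocklist for the example. A real deployment would
# screen against a corpus of leaked passwords instead of this handful.
COMMON_PASSWORDS = {
    "123456", "12345678", "password", "passwordpassword", "qwerty",
    "letmein", "secret", "sophia", "asdfghjk",
}

LEGACY_MIN, LEGACY_MAX = 8, 16   # assumed limits, matching the post's complaint
SANE_MIN = 12                    # assumed minimum for the passphrase-friendly policy
SANE_MAX = 128                   # bounds the cost of hashing, not the user's choice


def legacy_check(password: str) -> list[str]:
    """Reasons a composition-rule policy rejects the password.

    A 22-letter passphrase fails here even though it is far longer than
    anything the policy would accept."""
    reasons = []
    if not LEGACY_MIN <= len(password) <= LEGACY_MAX:
        reasons.append(f"length must be {LEGACY_MIN}-{LEGACY_MAX} characters")
    if " " in password:
        reasons.append("spaces are not allowed")
    if not any(c.isdigit() for c in password):
        reasons.append("must contain a digit")
    if not any(not c.isalnum() and not c.isspace() for c in password):
        reasons.append("must contain a symbol")
    return reasons


def sane_check(password: str) -> list[str]:
    """Reasons a length-first policy rejects the password.

    No composition rules: letters, spaces and Unicode are all fine, and the
    only hard requirements are a minimum length and not being a known-bad
    value."""
    reasons = []
    # Normalise so visually identical Unicode input is treated identically.
    pw = unicodedata.normalize("NFKC", password)
    if len(pw) < SANE_MIN:
        reasons.append(f"use at least {SANE_MIN} characters (a passphrase is fine)")
    if len(pw) > SANE_MAX:
        reasons.append(f"use at most {SANE_MAX} characters")
    # Strip whitespace and case before the blocklist lookup so that trivial
    # variants of a common password do not slip past it.
    canonical = "".join(pw.split()).lower()
    if canonical in COMMON_PASSWORDS:
        reasons.append("this password is on the common-password list")
    # Crude repetition screen: "aaaa aaaa aaaa" passes the length test only.
    if len(set(canonical)) <= 2:
        reasons.append("too repetitive")
    return reasons


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "Tr0ub4dor&3",
                      "Password Password", "aaaa aaaa aaaa"):
        print(f"{candidate!r:32} legacy={legacy_check(candidate)} sane={sane_check(candidate)}")
```

Run it and the four-word passphrase is rejected by `legacy_check` on every rule and accepted by `sane_check`, while the short "complex" password passes the legacy rules and is turned away by the length-first policy; the two policies disagree in exactly the way the bullets describe.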

Posted April 24, 2013 at 2:58 PM | Permalink | Reply

Ron Trunk

The problem, dear Lance, is not with poor passwords. Charles Schwab does just fine with a 6 character password because they lock you out after a few failed attempts. Yes, you could try every possible 6 character password in a fraction of a second, but only if you had unlimited login attempts. If you can correctly guess the right password out of 36^6 combinations (about 2.1 billion) in only three tries, I suggest you stop hacking into websites and start buying lottery tickets.

Posted April 25, 2013 at 2:56 PM | Permalink | Reply


The issue of strong passwords is one not so much of brute forcing at websites, but the cracking of hashes.

Posted April 24, 2013 at 4:31 PM | Permalink | Reply

Bruce Marshall

Ron, there are problems with a 6 character password even if you can't brute force guesses very effectively. Because of the limited length there are both fewer total and fewer _likely_ choices of passwords. With only 6 characters to make use of people will still try to construct a memorable password within that space, often resulting in simple patterns, names, and words.
An attacker can focus their attack on more likely guesses like 123456, secret, sophia, etc. and exhaust their word list faster than if they were trying to do the same with an 8 character, 10 character, or longer password. Even if they can only make 3 guesses before locking out an account they can work through their list faster with a shorter password length because their list is also shorter.
As Lance correctly points out if our security education only teaches people how to make secure long passwords then the user is less prepared to construct a secure short password when forced to do so. We need to continue to encourage organizations to get rid of arbitrary password length/character restrictions.

Posted April 24, 2013 at 5:02 PM | Permalink | Reply


But what happens when Charles Schwab gets hit with an injection attack or something similar because their developers have never read any of the OWASP guidance (or can't be bothered) and someone makes off with their database for an offline attack? If they are doing what a lot of sites are doing, not only are they limiting password length, they are storing the passwords as SHA1 hashes or something similar that is extremely vulnerable to GPU-based cracking.
Personally, I'm not a fan of passphrases. Too much typing, and if you use random words, which you need to do, they aren't that easy to remember. (Lengthy passphrases were recovered from the LinkedIn database because they were titles, or sayings, or some such.) I prefer the mnemonic approach.
I also think the XKCD cartoon makes a wildly unrealistic assumption. The assumption of 1000 guesses/sec is based on the assumption that stolen hashes aren't what the average user should worry about. But lots of website passwords are compromised this way because lots of websites have common vulnerabilities and store passwords improperly. The rate could easily be in the billions of guesses/sec (as in the LinkedIn case). If that's the case, the four-word example they give probably wouldn't last anything like 500 years.

Posted April 24, 2013 at 6:00 PM | Permalink | Reply

Ron Trunk

Bruce, your criticisms apply equally to longer passwords. After you try

Posted April 24, 2013 at 6:08 PM | Permalink | Reply

Bill Kyrouz

Another benefit: if the site is compromised and hashes are acquired, you've got more opportunity to be notified and change your password if you have an 18-character passphrase than a 5-character password that's cracked in a fraction of a second.

Posted April 24, 2013 at 6:10 PM | Permalink | Reply

Ron Trunk

Bruce, your criticism applies equally to longer passwords. After you try 12345678, password and asdfghjk, you're locked out. You have to try the same words on the next account. It doesn't matter that your word list is shorter with six characters. It is still much, much larger than 3.
As Alan points out, once the hashes are stolen, it's pretty much game over. Given current and future cracking speeds, no password will stand for long.
The point is we shouldn't be wasting users' time and compliance goodwill on making them use one upper case letter, one digit, one symbol, etc. We would be better off improving our ability to detect attacks and limiting their effectiveness when they occur (notice I didn't say prevent, a fool's errand).

Posted April 24, 2013 at 7:53 PM | Permalink | Reply

Bruce Marshall

Ron, statistically there is a difference between the number of likely passwords at 6 or 8 characters. The longer the password the greater number of likely password choices there are (again, not just possible choices, but likely ones).
I understand what you mean about 3 guesses still only being 3 guesses regardless of password length, but what I'm saying is that those 3 guesses are more likely to produce matches when users are required to select shorter passwords.
As far as attackers getting more than 3 guesses that will depend on the application. Some apps reset the bad password attempt counter after a set period (like 30 minutes), while others reset it after a successful login. Attackers can schedule their password guesses with knowledge of these controls in an attempt to evade account lockout and get through more of the potential passwords in their lists.
I certainly agree that there can be improvements made in detecting password attacks (like risk-based authentication), but I don't think we should ignore the benefit of removing artificial handicaps imposed by password choice restrictions.

Posted April 25, 2013 at 11:48 AM | Permalink | Reply
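The thread above argues over three different attack models: Ron's online guessing throttled by lockout (36^6 combinations, three tries), Alan's offline cracking of stolen hashes at 1000 versus billions of guesses per second, and Bruce's point that a failed-attempt counter which resets after a fixed window (30 minutes) lets a patient attacker keep guessing. Here is an added example, not code from the post or from any commenter, that puts numbers on all three for the 6-character alphanumeric password and the four-word XKCD passphrase (2048-word list, 2^44 choices). The guess rates, the 3-attempts-per-30-minutes window and the one-year horizon are constructed assumptions, not measurements.

```python
"""Added example: how far an attacker gets against one account under the
attack models discussed in the thread.  Rates and windows are assumptions.

Not code from the original post or comments."""

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Two password spaces from the thread.
SIX_ALNUM = 36 ** 6          # Ron's 6-character, case-insensitive alphanumeric
FOUR_WORDS = 2048 ** 4       # XKCD-style four words from a 2048-word list (2^44)


def online_guesses(attempts_per_window: int, window_seconds: int,
                   horizon_seconds: float) -> int:
    """Guesses an attacker gets against one account when the lockout counter
    resets every window_seconds (Bruce's reset-after-30-minutes case).  The
    attacker spaces guesses to stay just under the lockout threshold."""
    windows = int(horizon_seconds // window_seconds)
    return windows * attempts_per_window


def online_fraction_searched(keyspace: int, attempts_per_window: int,
                             window_seconds: int, horizon_seconds: float) -> float:
    """Share of the keyspace an online attacker can cover in the horizon."""
    return online_guesses(attempts_per_window, window_seconds, horizon_seconds) / keyspace


def offline_seconds(keyspace: int, guesses_per_second: float) -> float:
    """Average time to recover one hash by exhaustive search: half the space
    on average, no lockout because the hashes are already in hand."""
    return keyspace / 2 / guesses_per_second


def describe(seconds: float) -> str:
    """Human-readable duration for the report below."""
    if seconds < 60:
        return f"{seconds:.1f} seconds"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:.1f} years"


if __name__ == "__main__":
    spaces = {"6 alphanumeric chars": SIX_ALNUM, "4 words of 2048": FOUR_WORDS}
    # Online: 3 attempts before lockout, counter resets every 30 minutes,
    # attacker keeps at it for a year against a single account.
    for name, space in spaces.items():
        frac = online_fraction_searched(space, 3, 30 * 60, SECONDS_PER_YEAR)
        print(f"online, 1 year   {name:22} {frac:.2e} of keyspace")
    # Offline: Alan's two rates, 1000/s (the cartoon) and 1e9/s (GPU on a fast hash).
    for rate in (1e3, 1e9):
        for name, space in spaces.items():
            print(f"offline @ {rate:.0e}/s {name:22} {describe(offline_seconds(space, rate))}")
```

The online numbers come out vanishingly small for both spaces, which is Ron's point: three tries per half hour gives about 52,000 guesses a year, a few hundred-thousandths of even the 6-character space. The offline numbers are Alan's point: at a billion guesses per second the 6-character password falls in about a second and the four-word passphrase in a few hours, so the 500-year figure only holds at the cartoon's 1000 guesses per second, and only the passphrase is long enough to buy the notification window Bill describes.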

Geordie Stewart

Great post, Lance.
We're always talking about 'raising security awareness' and we rarely stop to think about how our authentication design problems and conflicting advice might be lowering it. What are your thoughts on people being asked to disable their AV for software installs?

Posted April 25, 2013 at 2:55 PM | Permalink | Reply


That is a very interesting idea. One problem organizations run into is people think that if they have security technology (firewalls, AV, etc.) then they don't need to worry about security, feeling AV will do all the protecting for them. Perhaps if they were 'stripped' of their AV they would have more secure behaviors?