Researchers at Microsoft and Harvard University warn that popular passwords pose a bigger risk to online security than weak ones and suggest that many tools to enforce strong passwords actually steer users to choices that are easy to guess.
Forcing users to choose passwords that are rare and “unpopular,” rather than “strong,” as it has traditionally been defined, provides a better defense against one type of attack, known as “statistical guessing,” according to a paper by researchers Cormac Herley and Stuart Schechter of Microsoft Research and Michael Mitzenmacher, a professor of Computer Science at Harvard University. The researchers will present their paper, “Popularity is Everything: A new approach to protecting passwords from statistical-guessing attacks” at the USENIX HotSec ’10 Workshop in Washington, D.C. on August 10.
The dispiriting lack of originality that many online users display in choosing passwords has been on display in recent months. In January, researchers at Web security firm Imperva announced the results of an analysis of a trove of 32 million passwords belonging to customers of RockYou, a developer of social networking software, that had been hacked. The most popular password, they found, was “123456” – the choice of almost 300,000 RockYou users. The second most popular password was “12345.” “Password” was the fourth most popular choice.
Twitter has also blocked 370 “obvious” passwords from being used to secure its users’ accounts, while others have studied and written about the illusory security of the all-too-common challenge questions used by many financial and e-commerce Web sites.
Herley and his colleagues found that such easy-to-guess passwords are vulnerable to statistical guessing attacks, in which an attacker tries a short list of the most common passwords against every account, automatically, rather than attacking one account in depth. Limiting the number of login attempts each account is granted is the easiest way to blunt such attacks, since it caps how far down the list the attacker can get, but getting users to pick unusual passwords is also part of the solution.
But ensuring that users actually choose secure passwords is harder than it sounds, the researchers wrote in their paper, which is available on Microsoft Research’s Web site. Features that are common on many Web sites to enforce password security may be having the opposite effect, the researchers argue. For example, features that measure password strength or enforce strong password policies (such as length of password, use of non-standard characters) are indirect means to produce secure passwords that often merely force users into a different set of predictable choices that can also be easily guessed.
“The rules around password length and composition are an attempt to get users to choose passwords that withstand brute-forcing and guessing. But users appear to hate them, and we don’t have good ways of measuring whether and by how much they help withstand attack,” Herley wrote in an e-mail response to questions from ThreatPost about the paper. “The less direct approach almost certainly forbids users from things that might be perfectly good password choices, just because they don’t conform to a certain policy. For example, ‘fkwgshqum’ is probably a far better password than ‘P@ssw0rd’ even though many policies would reject it while allowing the latter,” he wrote.
Herley, Schechter and Mitzenmacher recommend replacing password creation rules with policies that are attuned to the popularity of different passwords and keep any set of passwords from becoming too common. Their paper proposes creating an “oracle” that would weigh the uniqueness of new password submissions.
Such an approach would raise the stakes for attackers using dictionary-style attacks by reducing the number of accounts that any single guess list can compromise: if no password is shared by more than a small fraction of users, each guess the attacker spends yields at most that fraction. It would also free users to pick passwords of any length or makeup, so long as they aren’t used by too many other people, Herley wrote.
But limiting passwords by popularity isn’t without its shortcomings. The password oracle itself could become a target of attack, as hackers look to extract the list of the most popular passwords from it. Herley and his colleagues propose seeding the oracle with non-popular password choices that will (falsely) be reported as popular, so that an attacker who obtains the oracle cannot tell the genuinely common passwords from the decoys.
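The following is an added illustration, not code from the paper or from ThreatPost. It builds a minimal popularity oracle and runs the statistical-guessing attack described above against a constructed, RockYou-style skewed password distribution, once without and once with the oracle enforcing a cap. The count-min sketch, the keyed hash, the cap value, the decoy seeding and the assumption that a rejected user falls back to a unique password are all design choices of this example rather than anything the researchers specify.

```python
import hashlib
import random

# Constructed sample data for this example: a handful of choices shared by
# many users, modelled on the skew the RockYou analysis reported.
POPULAR = ["123456", "12345", "123456789", "password", "iloveyou", "princess"]


def sample_passwords(n_users, seed=1):
    """Assumed population: 30% of users pick a POPULAR entry (skewed towards
    the first ones), everyone else picks an effectively unique string."""
    rng = random.Random(seed)
    passwords = []
    for i in range(n_users):
        if rng.random() < 0.3:
            idx = min(int(rng.expovariate(1.0)), len(POPULAR) - 1)
            passwords.append(POPULAR[idx])
        else:
            passwords.append("user%d-%08x" % (i, rng.getrandbits(32)))
    return passwords


class PopularityOracle:
    """Counts how often each password has been chosen, using a count-min
    sketch keyed with a server secret (both are design choices of this
    example, not the paper's construction). The sketch never undercounts,
    so a password at the cap is always rejected; it can overcount on
    collisions, and seed_decoys() adds deliberate over-counts so a stolen
    sketch does not read as a clean list of the most popular passwords."""

    def __init__(self, max_count=5, width=4096, depth=4, secret=b"server-secret"):
        self.max_count = max_count
        self.width, self.depth = width, depth
        self.secret = secret
        self.table = [[0] * width for _ in range(depth)]

    def _cells(self, password):
        for row in range(self.depth):
            digest = hashlib.sha256(self.secret + bytes([row]) + password.encode()).digest()
            yield row, int.from_bytes(digest[:8], "big") % self.width

    def estimate(self, password):
        return min(self.table[row][col] for row, col in self._cells(password))

    def is_too_popular(self, password):
        return self.estimate(password) >= self.max_count

    def register(self, password):
        """Accept and count the password, or reject it if already at the cap."""
        if self.is_too_popular(password):
            return False
        for row, col in self._cells(password):
            self.table[row][col] += 1
        return True

    def seed_decoys(self, decoys):
        """Mark unpopular strings as popular, as the article describes."""
        for password in decoys:
            for row, col in self._cells(password):
                self.table[row][col] = max(self.table[row][col], self.max_count)


def enroll(passwords, oracle=None):
    """Users enroll in order; a rejected choice is replaced by a unique
    fallback (assumed user behaviour for the simulation)."""
    chosen = []
    for i, password in enumerate(passwords):
        if oracle is not None and not oracle.register(password):
            password = "fallback-%d" % i
            oracle.register(password)
        chosen.append(password)
    return chosen


def statistical_guessing(chosen, guesses, attempts_per_account):
    """Online attack: try the same top-k list against every account, k being
    the per-account attempt limit before lockout. Returns accounts broken."""
    tried = set(guesses[:attempts_per_account])
    return sum(1 for password in chosen if password in tried)


def compare(n_users=5000, attempts=10, max_count=5):
    """Accounts compromised without and with the popularity cap."""
    passwords = sample_passwords(n_users)
    baseline = statistical_guessing(enroll(passwords), POPULAR, attempts)
    capped = statistical_guessing(
        enroll(passwords, PopularityOracle(max_count=max_count)), POPULAR, attempts)
    return baseline, capped


if __name__ == "__main__":
    print("compromised (no cap, with cap):", compare())
```

With the cap in place the attacker's ten guesses can break at most six passwords times five accounts each, regardless of how many users wanted “123456”; without it the yield tracks the skew of the population. Note that the oracle judges only frequency, so it accepts ‘fkwgshqum’ on first sight and rejects ‘P@ssw0rd’ once enough users have chosen it, which is the behaviour Herley argues for.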
Finally, the researchers admit that their popularity system, while promising in theory, may end up being deeply annoying to users in practice.
“To be clear, we need to perform a user study to determine if users find our oracle better than the existing system of length and composition requirements. Our reason for being hopeful is that ours is a very direct way of accomplishing the design goal (make sure that no passwords become too common) while length and composition policies are a very indirect way,” Herley wrote.