Cormac Herley on the Cost of User Effort in Applying Security Policies

Excellent insight from Microsoft researcher Cormac Herley in his analysis of security advice, “So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users” (PDF):

7.3 User Effort is not Free

In addition to overestimating benefits, advice almost always ignores the cost of user effort. The incremental cost of forcing users to choose an 8-character strong password, as opposed to allowing a 6-digit PIN, is hard to measure, but is certainly not zero. And ignoring it leads to a failure to understand the rational and predictable nature of user response.

There are about 180 million online adults in the US. At twice the US minimum wage one hour of user time is then worth $7.25×2×180e6 = $2.6 billion. A minute of user time per day is a $7.25 × 2 × 180e6 × 365/60 = $15.9 billion per year proposition. This places things in an entirely new light. We suggest that the main reason security advice is ignored is that it makes an enormous miscalculation: it treats as free a resource that is actually worth $2.6 billion an hour. It’s not uncommon to regard users as lazy or reluctant. A better understanding of the situation might ensue if we viewed the user as a professional who bills at $2.6 billion per hour, and whose time is far too valuable to be wasted on unnecessary detail. Echoing Adams and Sasse [21] we might say: the user is your boss’s boss’s boss. This would help ensure that we ask for a minute of user time (the boss’s) only when absolutely necessary.

Workshop on Security and Human Behavior 2014 Recordings

Security researcher Bruce Schneier calls the annual Workshop on Security and Human Behavior “the most intellectually stimulating two days of my year.” The workshop format has three or four people give short 7-9 minute presentations on a topic from different angles, followed by an hour of discussion of the issues the presentations raised.

Full audio recordings of the presentations from the 2014 workshop are available online, and it is fascinating stuff if you’re at all interested in physical or computer security issues.

Are Lame Password Limits A Problem?

Ars Technica looked at why there are all of those stupid limits on password length and, sometimes, on which characters cannot be used. There is some good information there, but both the author of the piece and some of the people interviewed seem to misunderstand one of the bigger problems with these artificial limits.

For example, here’s Microsoft’s Eric Doerr on Microsoft’s 16-character limit:

Microsoft imposes a length limit on the passwords its customers create: passwords can include a mix of upper and lower case letters, numbers, and symbols, but they can be no longer than 16 and no shorter than eight characters. Microsoft says that most attacks on accounts cannot be defended by password length, and the company adds that password cracking is hardly its biggest problem.

“Criminals attempt to victimize our customers in various ways and we’ve found the vast majority of attacks are through phishing, malware infected machines, and the reuse of passwords on third-party sites—none of which are helped by very long passwords,” a Microsoft spokesperson told Ars.

Toward the end, Ars Technica writer Casey Johnston adds, perhaps a bit whimsically:

If nothing else, the varying password restrictions keep us from being lazy and using the same password for everything, which is itself good practice.

I suspect it’s the opposite: to the extent these arbitrary limits have any effect on overall security, it is to drive people toward reusing the same short passwords on multiple sites.

If the lowest common denominator is 8 characters with no percentage sign allowed, then many people will just make a single password that most of the services they use daily will accept and reuse that.

I prefer to use passphrases of 20 or more characters. For the sites I use daily, it’s fairly easy to remember the passphrase outright. For sites I don’t use regularly, I let LastPass keep track of them, and at least when I have to type them in manually they are things a human being can easily type, rather than something like 7a6waz(4.

But so many sites won’t allow me to use long passphrases, and it is tempting to just recycle a handful of 8-character passwords I’ve used over the years.

So Doerr is right that password cracking is hardly on the top rung of security threats, but not allowing longer passwords encourages habits that make the other attacks he’s more worried about even more likely.

Password Cracking

Bruce Schneier looks at password cracking on his blog, and he and his commenters have some interesting insights into how cracking works and how to minimize the odds of getting cracked and hacked.

The post is in reference to an Ars Technica experiment in which they gave three “cracking experts” a list of 16,449 passwords hashed with MD5. The least successful cracker recovered 62 percent of the passwords, and one of the crackers recovered 90 percent.

Essentially, all three were running sophisticated dictionary attacks, both to get at obvious passwords and to crack passwords that people think are secure for some reason, such as “k1araj0hns0n”. In my experience, the practice of sites requiring at least one number or at least one special character, etc., is counterproductive in that it leads people to think that “Pass$1w0rd” becomes magically secure with the addition of special characters, capitalization and numbers.

Schneier still endorses his scheme of using the first letters of an uncommon sentence to create passwords that are secure but easy to remember:

So if you want your password to be hard to guess, you should choose something that this process will miss. My advice is to take a sentence and turn it into a password. Something like “This little piggy went to market” might become “tlpWENT2m”. That nine-character password won’t be in anyone’s dictionary. Of course, don’t use this one, because I’ve written about it. Choose your own sentence — something personal.

That would certainly work, but I have about 90 accounts I access regularly, which would mean remembering 90 sentences or variants thereof. And at this point you really do want to ensure every account you use has a different password. Given the rash of hacks of prominent web sites, you just need to assume that at some point (a) one of the sites you use regularly is going to get hacked, (b) they’re not going to have implemented effective security to protect your password, and (c) hackers are quickly going to distribute your password and attempt to use it to access other accounts you control.

I prefer the following method which I think strikes a nice balance of protecting my logins while at the same time recognizing I have a life to live and want to spend as little time as possible managing passwords:

1. Use a password manager. I use LastPass, but I’ve also used other password managers. Whatever password manager you use, do make sure to read reviews to ascertain that its security is acceptable. Personally, I’m satisfied that while LastPass’s security isn’t impregnable, it is good enough and effectively balances my security and usability concerns.

2. Generate passwords with DiceWare. It sounds a bit goofy, but essentially you use dice as a random number generator to pick a list of words that you string together into a longer passphrase. A DiceWare-generated passphrase might look like “cleftcamsynodlacyyr”.

There are two advantages to using DiceWare rather than something like LastPass’s random password generator. First, DiceWare passphrases have a great deal of entropy and will not fall to a dictionary attack even if the attacker knows you used DiceWare to create them. Second, DiceWare passphrases are much easier to type or memorize than typical randomly generated passwords in those situations where you need to enter the password manually.

3. Generate a separate password per account. I generally create a few dozen DiceWare passwords at a time and securely store the list, then grab one of the passwords as I create a new account.
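Added example, not from the original post or the Diceware project: the five-dice roll-to-word mapping and the entropy arithmetic behind the claim that a Diceware passphrase holds up even when the attacker knows the method and the word list. The real list has 7776 entries, so a constructed placeholder list stands in for it here.

```python
import math
import secrets

# Diceware uses five six-sided dice per word, so a full word list has
# 6**5 = 7776 entries, one per possible roll from '11111' to '66666'.
LIST_SIZE = 6 ** 5
BITS_PER_WORD = math.log2(LIST_SIZE)          # about 12.92 bits per word

def roll_to_index(roll: str) -> int:
    """Map a five-dice roll written as digits 1-6 (e.g. '16223') to a
    0-based index into a Diceware list ordered by roll."""
    if len(roll) != 5 or any(d not in "123456" for d in roll):
        raise ValueError(f"not a five-dice roll: {roll!r}")
    index = 0
    for d in roll:
        index = index * 6 + (int(d) - 1)      # base-6 digits, '1' means 0
    return index

def roll_dice() -> str:
    """Simulate five fair dice with the OS CSPRNG (physical dice work too)."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))

def generate_passphrase(wordlist, num_words: int) -> str:
    """Pick num_words words by rolling dice; wordlist must be in roll order."""
    return " ".join(wordlist[roll_to_index(roll_dice())] for _ in range(num_words))

def passphrase_bits(num_words: int) -> float:
    """Entropy of a Diceware passphrase when only the rolls are secret:
    the attacker is assumed to know the method and the full word list."""
    return num_words * BITS_PER_WORD

def charset_password_bits(length: int, alphabet_size: int = 94) -> float:
    """Entropy of a uniformly random password over printable ASCII (94 symbols)."""
    return length * math.log2(alphabet_size)

def words_needed(target_bits: float) -> int:
    """Fewest Diceware words that reach at least target_bits of entropy."""
    return math.ceil(target_bits / BITS_PER_WORD)

if __name__ == "__main__":
    # Constructed stand-in for the 7776-word list: one placeholder per roll.
    demo_list = [f"w{i}" for i in range(LIST_SIZE)]
    print(generate_passphrase(demo_list, 5))
    print(f"5 Diceware words:         {passphrase_bits(5):.1f} bits")
    print(f"8 random printable chars: {charset_password_bits(8):.1f} bits")
    print(f"words needed for 80 bits: {words_needed(80)}")
```

Five words (about 64.6 bits) already exceed a fully random 8-character password from the full printable set (about 52.4 bits), and seven words are needed to clear 80 bits.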

Limit Login Attempts for WordPress

For the most part, I think criticisms of WordPress security are largely overblown. When you look at some of the more prominent hacks against WordPress-powered blogs, they tend to be due to common security problems, such as poor security models on virtual hosting servers or people who do not keep their WordPress install and plugins updated.

But occasionally I do shake my head at some WordPress practices. Take, for example, the Limit Login Attempts plugin that I use on this site. The plugin is straightforward: if someone tries to log in to an account and gets the password wrong four times in a row, that account is locked for 20 minutes.

It is probably overkill for me, because no one is going to brute-force my admin account password: it is far too long and random to guess even with days’ worth of trying. Still, it’s just a good idea if only to shoo away potential hackers.

What pisses me off, though, is that I have to go download a plugin in order to accomplish this. For the love of all that is nerdy, why the hell is rate limiting login attempts not a feature in the WordPress core already (and one that should be turned on by default, IMO)? That is an elementary security tool, and it is mind-boggling that this is something a vanilla WordPress install lacks.
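As an added illustration (not the plugin’s PHP or anything from WordPress core), here is the lockout rule the post describes, four consecutive failures followed by a 20-minute lock, written in Python with the clock passed in so the state machine can be exercised deterministically. The `check_password` callback and the credential store are assumptions for the demo.

```python
from dataclasses import dataclass

MAX_FAILURES = 4             # consecutive wrong passwords before lockout
LOCKOUT_SECONDS = 20 * 60    # 20 minutes, as the plugin above enforces

@dataclass
class AccountState:
    failures: int = 0        # consecutive failures in the current window
    locked_until: float = 0  # epoch seconds; 0 means not locked

class LoginLimiter:
    """Per-account failed-login counter with a temporary lockout."""

    def __init__(self, check_password):
        self._check = check_password          # assumed: (user, pw) -> bool
        self._state = {}

    def attempt(self, username: str, password: str, now: float) -> str:
        st = self._state.setdefault(username, AccountState())
        if now < st.locked_until:
            # Locked: refuse without evaluating the password at all, so a
            # guessing run learns nothing and has to wait out the window.
            return "locked"
        if self._check(username, password):
            st.failures = 0                   # success resets the counter
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failures = 0                   # fresh budget after the lock expires
            return "locked"
        return "denied"

def demo_sequence():
    """Constructed scenario: three wrong guesses, a fourth that triggers the
    lockout, the right password during the lock, then the right password
    once the 20 minutes have elapsed."""
    users = {"admin": "correct horse battery staple"}   # constructed store
    limiter = LoginLimiter(lambda u, p: users.get(u) == p)
    pw = users["admin"]
    return [
        limiter.attempt("admin", "guess1", now=0),
        limiter.attempt("admin", "guess2", now=1),
        limiter.attempt("admin", "guess3", now=2),
        limiter.attempt("admin", "guess4", now=3),
        limiter.attempt("admin", pw, now=4),
        limiter.attempt("admin", pw, now=3 + LOCKOUT_SECONDS),
    ]

if __name__ == "__main__":
    print(demo_sequence())  # ['denied', 'denied', 'denied', 'locked', 'locked', 'ok']
```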