Posted by Kevin on July 21, 2014.
A new research paper from Microsoft Research (Redmond) and Carleton University (Canada) takes a scientific look at the problem of maintaining multiple strong passwords. The issue is simple and well-known. Users now have so many online accounts that it is impossible to remember strong individual passwords for all of them. The result is that many users simply give up and use a single, often weak, password for all accounts. Even if it is a strong password, it only takes one hacked service provider to store its users’ passwords insecurely for all of that user’s accounts to be potentially compromised.
I’m not going to pretend that I can understand much if any of the mathematics; so I’ll skip straight to the conclusion. It is this: contrary to much expert opinion, it is not necessarily the best solution to use strong unique passwords all of the time. The researchers’ conclusion is that a smaller number of strong passwords should be used, possibly using the same password for similar accounts. If, for example, you are required to open an account for, say, a news service; and that news service takes no personal information from you, then it would be reasonable to use the same password for all similar accounts. The risk is equal and minimal; and not that much would be lost even if all such accounts are compromised.
The conclusion here is that ‘risk’ is the key factor. Where the risk is high, such as a bank account, then that account deserves a unique strong password.
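To make that risk-weighted reasoning concrete, the following toy model is an added example (it is neither the paper’s model nor code from the original post; the account values and breach probabilities are constructed). Each account carries a loss if compromised and an independent chance that its provider leaks the password; accounts sharing a password fall together, and a brute-force search finds the grouping with the least expected loss for a given number of memorised passwords.

```python
"""Toy expected-loss model for sharing passwords across a portfolio of accounts.

Added example, not the paper's model. Assumptions: each account has a value at
stake (loss if compromised) and an independent annual probability that its
provider is breached and leaks the password; any breach in a group of accounts
that share a password compromises every account in that group.
"""
from itertools import product

# Constructed sample portfolio: (name, value_at_stake, annual_breach_probability)
ACCOUNTS = [
    ("bank",        1000.0, 0.01),
    ("email",        500.0, 0.02),
    ("news-site-a",    5.0, 0.10),
    ("news-site-b",    5.0, 0.10),
    ("forum",          5.0, 0.15),
]


def expected_loss(groups):
    """groups: list of lists of account indices; each list shares one password."""
    total = 0.0
    for group in groups:
        p_no_breach = 1.0   # probability that no provider in the group leaks
        value = 0.0         # everything exposed if any one of them does
        for i in group:
            _, v, p = ACCOUNTS[i]
            p_no_breach *= 1.0 - p
            value += v
        total += (1.0 - p_no_breach) * value
    return total


def best_grouping(k):
    """Exhaustively assign accounts to at most k passwords and return
    (minimum expected loss, grouping). Fine for a handful of accounts."""
    n = len(ACCOUNTS)
    best = None
    for assignment in product(range(k), repeat=n):
        groups = [[i for i in range(n) if assignment[i] == g] for g in range(k)]
        groups = [g for g in groups if g]
        loss = expected_loss(groups)
        if best is None or loss < best[0]:
            best = (loss, groups)
    return best


if __name__ == "__main__":
    print("one password for everything:", expected_loss([list(range(len(ACCOUNTS)))]))
    print("unique password per account:", expected_loss([[i] for i in range(len(ACCOUNTS))]))
    for k in (2, 3):
        print(f"best with {k} passwords:", best_grouping(k))
```

With three memorable passwords the search keeps the bank and email accounts on their own and pools the three throwaway sites, and the expected loss is within a few units of the all-unique strategy; a single password for everything is roughly twenty times worse.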
The research goes further by pointing to dangers in the oft-recommended use of password managers (I use one myself). If the password manager stores the passwords in the cloud and the cloud server is breached then all passwords are potentially lost. If they are stored locally, and malware gets in, then all passwords are potentially lost.
Of course, you could argue that if you get breached by malware locally, then you are pretty much stuffed anyway – but the problem here is that both home users and companies frequently aren’t aware they have been breached, sometimes for months or even years. During that time, covert theft of passwords could lead to covert use on accounts the user believes to be secure.
Surprisingly, perhaps, the researchers conclude:
Our findings are consistent with certain user behaviors that contradict accepted advice, offering to justify the behavior and giving evidence for the model’s utility.
The user may, in fact, not be as naive as is frequently suggested. So might this be the time to consider another user-tendency: writing passwords down so that they do not need to be remembered? Is this as bad as is often portrayed?
Probably not. It has one immediate and overriding advantage – individual paper passwords cannot be lost en masse via an online attack. Of course, they can still be stolen by malware with a keylogger on the PC while they are used, or stolen by a service provider breach; but only one at a time. And if particularly sensitive accounts, such as bank accounts, are further protected by two-factor authentication, then the individual password becomes of even less value to the attacker.
The key to this approach is still storage of the passwords. They must be kept in a secure place and never left in view of others. A lockable drawer would be an example: the paper record would be retrieved, used, and returned to the drawer. It then becomes a physical security rather than a cyber security issue. Most homes and most companies already have better physical than cyber security – so this may be no bad thing.
One remaining problem for companies would be productivity. Staff are often required to have multiple passwords for different parts of the company network. Having to retrieve each password from a drawer and enter it manually, multiplied by hundreds or even thousands of users possibly a dozen or more times every day soon becomes enormously expensive. The standard solution for companies is to use some form of single sign-on for productivity gains.
However, the research suggests that it is perfectly reasonable to store passwords in a manner suited to the risk. So the majority of low-risk passwords could still utilise SSO, while the smaller number of high-risk passwords could be stored offline in locked drawers. What the research paper suggests is that user coping mechanisms need to be taken into account during password storage – and the reality is, users’ standard coping methods may not be so silly after all.