Economic Considerations of Website Password Policies
Two interesting research papers on website password policies.
“Where Do Security Policies Come From?”:
Abstract: We examine the password policies of 75 different websites. Our goal is to understand the enormous diversity of requirements: some will accept simple six-character passwords, while others impose rules of great complexity on their users. We compare different features of the sites to find which characteristics are correlated with stronger policies. Our results are surprising: greater security demands do not appear to be a factor. The size of the site, the number of users, the value of the assets protected and the frequency of attacks show no correlation with strength. In fact we find the reverse: some of the largest, most attacked sites with greatest assets allow relatively weak passwords. Instead, we find that those sites that accept advertising, purchase sponsored links and where the user has a choice show strong inverse correlation with strength.
We conclude that the sites with the most restrictive password policies do not have greater security concerns, they are simply better insulated from the consequences of poor usability. Online retailers and sites that sell advertising must compete vigorously for users and traffic. In contrast to government and university sites, poor usability is a luxury they cannot afford. This in turn suggests that much of the extra strength demanded by the more restrictive policies is superfluous: it causes considerable inconvenience for negligible security improvement.
The Password Thicket: Technical and Market Failures in Human Authentication on the Web:
Abstract: We report the results of the first large-scale empirical analysis of password implementations deployed on the Internet. Our study included 150 websites which offer free user accounts for a variety of purposes, including the most popular destinations on the web and a random sample of e-commerce, news, and communication websites. Although all sites evaluated relied on user-chosen textual passwords for authentication, we found many subtle but important technical variations in implementation with important security implications. Many poor practices were commonplace, such as a lack of encryption to protect transmitted passwords, storage of cleartext passwords in server databases, and little protection of passwords from brute force attacks. While a spectrum of implementation quality exists with a general correlation between implementation choices within more-secure and less-secure websites, we find a surprising number of inconsistent choices within individual sites, suggesting that the lack of standards is harming security. We observe numerous ways in which the technical failures of lower-security sites can compromise higher-security sites due to the well-established tendency of users to re-use passwords. Our data confirms that the worst security practices are indeed found at sites with few security incentives, such as newspaper websites, while sites storing more sensitive information such as payment details or user communication implement more password security. From an economic viewpoint, password insecurity is a negative externality that the market has been unable to correct, undermining the viability of password-based authentication. We also speculate that some sites deploying passwords do so primarily for psychological reasons, both as a justification for collecting marketing data and as a way to build trusted relationships with customers. This theory suggests that efforts to replace passwords with more secure protocols or federated identity systems may fail because they don’t recreate the entrenched ritual of password authentication.
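Two of the failures the second abstract lists, cleartext password storage and little protection against brute force, are easy to show side by side in code. The example below is added here and is not from either paper or the surveyed sites; it contrasts a cleartext store with one that keeps only a salted PBKDF2-HMAC-SHA256 hash, compares in constant time, and throttles an account after repeated failures. The work factor, salt length and lockout thresholds are assumed values for the demo, and the clock is injectable so the throttling can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import time

# Assumed parameters for this demo (not taken from the papers).
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16
MAX_FAILURES = 5
LOCKOUT_SECONDS = 300


class CleartextStore:
    """The weak pattern the survey reports: passwords kept as-is and
    compared with ==. A database leak exposes every password directly,
    including ones users re-use on higher-security sites."""

    def __init__(self):
        self.users = {}

    def register(self, username, password):
        self.users[username] = password

    def verify(self, username, password):
        return self.users.get(username) == password


class HashedStore:
    """Salted PBKDF2 storage plus per-account failure throttling."""

    def __init__(self, clock=time.monotonic):
        self.users = {}     # username -> {"salt": bytes, "hash": bytes, "iters": int}
        self.failures = {}  # username -> (failure count, lockout expiry time)
        self.clock = clock  # injectable clock so lockout can be tested offline

    @staticmethod
    def _derive(password, salt, iterations):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

    def register(self, username, password):
        salt = secrets.token_bytes(SALT_BYTES)  # per-user salt defeats precomputed tables
        self.users[username] = {
            "salt": salt,
            "hash": self._derive(password, salt, PBKDF2_ITERATIONS),
            "iters": PBKDF2_ITERATIONS,  # stored so the cost can be raised later
        }

    def is_locked(self, username):
        count, until = self.failures.get(username, (0, 0.0))
        return count >= MAX_FAILURES and self.clock() < until

    def verify(self, username, password):
        if self.is_locked(username):
            return False  # rejected regardless of password while locked out
        record = self.users.get(username)
        if record is None:
            # Run the KDF anyway so unknown and known usernames take similar time.
            self._derive(password, b"\x00" * SALT_BYTES, PBKDF2_ITERATIONS)
            ok = False
        else:
            candidate = self._derive(password, record["salt"], record["iters"])
            ok = hmac.compare_digest(candidate, record["hash"])  # constant-time compare
        if ok:
            self.failures.pop(username, None)  # a good login clears the counter
        else:
            count, _ = self.failures.get(username, (0, 0.0))
            count += 1
            until = self.clock() + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
            self.failures[username] = (count, until)
        return ok


if __name__ == "__main__":
    store = HashedStore()
    store.register("alice", "correct horse battery staple")
    print("stored record:", store.users["alice"])       # salt and hash only, no password
    print("right password:", store.verify("alice", "correct horse battery staple"))
    for _ in range(MAX_FAILURES):
        store.verify("alice", "guess")
    print("locked after repeated failures:", store.is_locked("alice"))
```

Both stores expose the same two-call interface, so swapping one for the other at a registration and login endpoint is the whole migration; the hashed store's stored record contains nothing that lets a database leak be replayed against another site.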
EDITED TO ADD (8/7): Four blog posts by the authors of the second paper.
HJohn • July 20, 2010 2:26 PM
@”We also speculate that some sites deploying passwords do so primarily for psychological reasons, both as a justification for collecting marketing data and as a way to build trusted relationships with customers. This theory suggests that efforts to replace passwords with more secure protocols or federated identity systems may fail because they don’t recreate the entrenched ritual of password authentication.”
I wrote about passwords and eCommerce in my master’s thesis. I think this excerpt is half right. Part of it is psychology, but I don’t know if it is primary. A large part of it is economics and marketing (as they acknowledge). When it is employees you are authenticating, you can make them do as you want.
However, when it is customers, you have to balance between security and usability, as they can take their business elsewhere. If books.by.adam.com requires a secure authentication mechanism they don’t have or don’t understand, they may very well log onto books.by.eve.com, set up a password and get their darn book.
Sometimes, one has to sacrifice some security for usability.
At other times, they have to sacrifice some risky customers in order to implement more secure practices.
Both extremes present risk of incidents (at the side of too easy) and dissatisfaction (at the side of failure). Being the most secure site in the world is useless if no one uses you, and being the easiest to use doesn’t help if no one trusts you. It’s all about balance.