The Secret Question Is: Why Do IT Systems Use Insecure Passwords?

By Bruce Schneier
The Guardian
February 19, 2009

Since January, the Conficker.B worm has been spreading like wildfire across the internet, infecting the French navy, hospitals in Sheffield, the court system in Houston, Texas, and millions of computers worldwide. One of the ways it spreads is by cracking administrator passwords on networks. Which leads to the important question: why are IT administrators still using easy-to-guess passwords?

Computer authentication systems have two basic requirements. They need to keep the bad guys from accessing your account, and they need to allow you to access your account. Both are important, and every system is a balancing act between the two. Too little security, and the bad guys will get in too easily. But if the authentication system is too complicated, restrictive, or hard to use, you won't be able, or won't bother, to use it.

Passwords are the most common authentication system. They're easy to implement and use, which is why they're so popular. But, as computers have become faster, password-guessing has become easier. Most people don't choose complicated enough passwords to remain secure against modern password-guessing attacks. Conficker.B is even less clever - it just tries a list of about 200 common passwords.

To combat password-guessing, many systems force users to choose harder-to-guess passwords - requiring minimum lengths, non-alpha-numeric characters, etc - and change their passwords more frequently. The first makes guessing harder, and the second makes a guessed password less valuable. This, of course, makes the system more annoying, so users respond by writing their passwords down and taping them to their monitors, or simply forgetting them more often. Smarter users use a secure password database such as Password Safe.
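As an added illustration of the password rules described above (example code, not part of the original essay): a policy check that first rejects anything on a common-password list, the kind of short list a worm like Conficker.B tries, and then applies the minimum-length and non-alphanumeric rules. The blocklist here is a small constructed sample, not the worm's actual list.

```python
"""Password-policy check: blocklist of common passwords first, then
length and character-class rules. Added example; the blocklist is a
constructed sample and the 12-character minimum is an assumed policy."""
import re
from dataclasses import dataclass, field

# Constructed sample of the kind of entries a worm's guessing list holds.
COMMON_PASSWORDS = {
    "password", "admin", "administrator", "123456", "12345678",
    "qwerty", "letmein", "welcome", "admin123", "password1",
}


@dataclass
class PolicyResult:
    accepted: bool
    reasons: list = field(default_factory=list)


def _normalise(pw: str) -> str:
    # Lower-case and strip a trailing run of digits so that variants such
    # as "Password1" or "ADMIN2009" still match the dictionary entry.
    return re.sub(r"\d+$", "", pw.lower())


def check_password(pw: str, min_length: int = 12) -> PolicyResult:
    """Return whether pw passes the policy and, if not, every reason why."""
    reasons = []
    if pw.lower() in COMMON_PASSWORDS or _normalise(pw) in COMMON_PASSWORDS:
        reasons.append("in common-password list")
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if not re.search(r"[^A-Za-z0-9]", pw):
        reasons.append("no non-alphanumeric character")
    return PolicyResult(accepted=not reasons, reasons=reasons)


if __name__ == "__main__":
    for candidate in ("admin123", "Password1", "correct-horse-battery-9"):
        result = check_password(candidate)
        print(candidate, "->", "accepted" if result.accepted else result.reasons)
```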

Users forgetting their passwords can be expensive - customer service reps have to field phone calls and reset passwords - so some systems include a backup authentication system: a secret question. If you forget your password, you can authenticate yourself with some personal information that only you know, such as your mother's maiden name, your favourite schoolteacher, the street you grew up on, the name of your first pet and so on. This may make the system more usable, but it also makes it much less secure: answers can be easily guessed, and are often known by people close to you.

A common enhancement is a one-time password generator, such as a SecurID token. This is a small device with a screen that displays a password that changes every time the button is pressed. This is called two-factor authentication, and is much more secure, because this token - "something you have" - is combined with a password - "something you know". But it's less usable, because the tokens have to be purchased and distributed to all users, and far too often it's "something you lost or forgot". And it costs money. Tokens are more frequently used in corporate environments, but banks and some online gaming worlds have taken to using them, although sometimes only as an option, because people don't like them.

In most cases, how an authentication system works when a legitimate user tries to log on is much more important than how it works when an impostor tries to log on. No security system is perfect, and there is some level of fraud associated with any of these authentication methods. But the instances of fraud are rare compared to the number of times someone tries to log on legitimately. If a given authentication system lets the bad guys in one in 100 times, a bank could decide to live with the problem, or try to solve it in some other way. But if the same authentication system prevented legitimate customers from logging on even one in 1,000 times, the number of complaints would be enormous and the system wouldn't survive one week.

Balancing security and usability is hard, and many organisations get it wrong. But it's also evolving; organisations need to tighten their security and continue to push more involved authentication methods; and more savvy internet users will then be willing to accept them. And IT administrators need to be leading that evolutionary change.
