In November 2019, it was revealed that Italian bank Fineco Bank had suggested that to test the strength of your password, try entering it into a search engine and “if it returns less than 10 results, it means it’s a good password.”
According to Vice, Fineco Bank customer support confirmed that the bank suggests customers Google their password in order to make the password “as secure as possible.” A comment request by the publication later found that the policy had been scrapped, with a spokesperson saying “we understand the criticism and we decided not to suggest…our clients do so anymore.” This was not before widespread criticism of the practice on social media though, with one person suggesting it could be an early April Fool’s joke.
Are You Confused?
This led Infosecurity to question what the best practice for building a decent standard of password is. Research on password security is plentiful: a survey of 1000 adults in the UK by PCIPal found that 26% use the same password for multiple websites. Research by HYPR of 200 people found that 72% of users reused the same passwords in their work and personal life, and 49% admitted that when forced to update their passwords in the workplace, they reused the same one with a minor change.
Also consider that on average, 12.6 minutes each week, or 10.9 hours per year, is spent entering and/or resetting passwords. Research by the Ponemon Institute and Yubico found that for a company with a headcount of 15,000, the annual cost of lost productivity and labor averages $5.2m.
It is well known that people and employees will look for the easiest way around a problem. With evidence showing that they will find a way around password security, are we confusing the public by insisting they need to be more secure online while providing very unclear advice on how to do so?
Inconsistencies and Incompetence
In October 2019, Infosecurity was invited to participate in the Secure South West conference, held at Plymouth University, where Steven Furnell, associate dean for International and Postgraduate Faculty of Science and Engineering, presented new research around the problems of creating a secure password.
His research involved running the most commonly used passwords against password meters, to see which would determine the password to be good, acceptable or bad. Furnell says that the research found the meters to often be “totally misleading,” as the method for determining how good a password is was based on counting lower- and upper-case characters, digits and symbols. “However, that doesn’t reflect how you choose a password,” Furnell warns.
The experiment involved 16 password meters, which included 10 dedicated meter sites, five that were in popular online services and one from a standard operating system. The passwords tested included 10 that were explicitly weak and ranked in ‘common password’ lists, two that were theoretically OK, but practically not – as they fit the standards of a mixture of upper and lower case characters and special characters – and four passwords that ought to be regarded as sound choices.
The research showed that the 10 weak passwords were mostly rated as ‘poor’ or ‘weak’; however, because of its combination of letters, special characters and numbers, the infamous ‘Password1!’ was actually classified as ‘reasonable’ and ‘good’ by two of the meters.
There were inconsistencies and conflicting results across the meters. A password classically perceived as stronger, in this case the combination of three random words, ‘donkeykansasburger’, was rated as weak by three of the meters, but also as ‘strong’, ‘excellent’ and ‘good’ by three others.
Furnell explains that ‘donkeykansasburger’ was chosen because each of the three words in isolation would appear in a list of typical worst passwords, but put together as one string they appear to form a stronger password. However, in another test, a different combination of three random words, ‘wretchgravelgeese’, was consistently rated as strong.
Furnell says that of the 10 explicitly weak passwords, only five were consistently scored as weak by all 16 meters.
In addition to finding that a bad password could be deemed good, Furnell also discovered that only four of the 16 meters he tested provided upfront guidance when making a selection, and only five provided feedback on how to improve it.
With regard to the meters offering guidance and feedback, Furnell says that if you are providing a password meter, you need to provide guidance of what ‘good’ looks like. “The guidance may be as simple as a list of common passwords, or [a suggestion] to pick three random words.”
If a password is determined to be ‘poor’, Furnell questions what the person is supposed to do about it. “The websites should consider that they are dealing with people, and surely the role of the password meter is to help them do it well. If you provide them with guidance and still let them use [the meter] blindly, it is not going to lead them out of the problem.”
With ‘Password1!’ rated as moderate by three meters and ‘good’ by three further meters, what does this tell us about the effectiveness or accuracy of password meters? Furnell says that the whole point of the technology is to encourage users to do things “right or better, but if they are all behaving in a significantly inconsistent manner, then it ultimately comes down to which meter you choose as to whether you may or may not end up with a good password as a result.”
The issue is that they all seem to play by different rules, he says, and while some of them are created by commercial companies who can sell a product related to authentication, the best test of a meter’s worth is to have a baseline password test. “Try something like ‘Password1!’ and if the meter gives you anything but weak, walk away,” he says. “All of the other weak passwords didn’t get anywhere near the level of acceptance that one did. If it gets rejected, the meter is probably baseline sensible.”
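To make Furnell’s point concrete, the following is an added example (not code from his research or from any of the meters tested): a class-counting meter of the kind he criticises beside one that applies his baseline of rejecting anything on a common-password list, run against ‘Password1!’ and ‘donkeykansasburger’. The common-password list here is a constructed stand-in; a real meter would load a published leaked-password list.

```python
import string

# Constructed stand-in for a list of commonly used passwords (lower-cased).
# Note that the three words of 'donkeykansasburger' appear individually,
# as Furnell describes, but the joined string does not.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "password1!",
                    "donkey", "kansas", "burger", "winter2019!"}

RATINGS = ["weak", "weak", "weak", "reasonable", "good", "strong"]


def naive_meter(password: str) -> str:
    """Character-class scoring of the kind the article criticises: one point
    per class present (lower, upper, digit, symbol) plus one for length.
    A short password that mixes every class can outscore a long passphrase."""
    classes = [any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(c in string.punctuation for c in password)]
    score = sum(classes) + (1 if len(password) >= 12 else 0)
    return RATINGS[score]


def baseline_meter(password: str) -> str:
    """Meter that applies the article's baseline: reject anything on a
    common-password list before looking at composition, then favour
    length (e.g. three random words) over symbol mixing."""
    if password.lower() in COMMON_PASSWORDS:
        return "weak"
    if len(password) < 12:
        return "weak"
    return "reasonable" if len(password) < 16 else "strong"


def baseline_test(meter) -> bool:
    """Furnell's sanity check: a meter that rates 'Password1!' as anything
    but weak should not be trusted."""
    return meter("Password1!") == "weak"


if __name__ == "__main__":
    for pw in ("Password1!", "donkeykansasburger"):
        print(pw, "naive:", naive_meter(pw), "baseline:", baseline_meter(pw))
    print("naive meter passes baseline test:", baseline_test(naive_meter))
    print("baseline meter passes baseline test:", baseline_test(baseline_meter))
```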
To Insist or Not to Insist?
All of this raises the question of how the industry can enable the public to create and use stronger passwords. Furnell says that we can “chastise and complain about user actions as much as we like, but if we are not doing the baseline stuff to actually help them, what do we expect?”
Is it actually possible to insist on ‘strong’ passwords being used? Ed Tucker, co-founder of Human Firewall and Email Auth, says that doing such a reset with a demand for ‘strong’ passwords whilst rejecting anything deemed to be weak is very hard, and it is easy to annoy people. “It can encourage bad habits like ‘Winter2019!’” he says. “It only really works with helpful guidance that explains why it is a good thing for their home life as well as work life, and advice on how to make it simple.”
Tucker also says that engagement is key. “If you speak in a language that the user understands, rather than some prejudiced security verbiage, you bring together an understanding of why password strength is important in users’ personal lives,” and this can help them develop a culture that they can employ outside of work to better protect themselves.
He recommends a strategy of “making complex simple” by engaging with the user, and by helping them understand common pitfalls like capitalizing the first letter “and how to overcome this without bamboozling them.”
On an Infosecurity webinar held in December, a poll question asked: ‘Is it possible to insist on a policy of ‘strong’ passwords?’ The results showed that of those who voted, 92% said that it was possible. Sarb Sembhi, CISO of Virtually Informed and co-founder of Security2Live, who participated in the webinar, says that it is only possible to insist on this policy if you provide the tools, “because most people have around 50 passwords and if you expect people to have a strong password, you need to provide a tool to enable them.”
He says: “The bottom line is that in some respects everyone who works for an organization, small or big, they are there to do the job that they are trying to do and want to do it in as quick a way as possible and focus their attention on getting the work done, not trying to remember passwords. No matter what tool it is for authentication, you have to make it easier [to use] and only then can you insist.”
Is the Industry Responding?
All of this advice on how to build a secure password does lead us to consider what is being done to actually inform the user when they are using a ‘bad’ password. A number of browser extensions have been introduced over recent months to inform the user when the password they are using has been caught up in a breach.
A recent introduction in version M79 of Google’s Chrome browser will inform you if your password has been involved in a breach, with a suggestion that the user changes their login information. This is done by hashing the password, turning it into an undecipherable string of numbers and letters, and looking for that hash in Google’s archive of previously stolen logins; a match means the same password exists in the archive, and plain-text passwords are never compared.
Another option is the browser plug-in Shield from OneLogin. The company says that this works by “taking a hash and comparing it with known hashes and looking for comparisons.” Currently available as both a free and a paid-for product, Kayla Gesek, product manager for Shield at OneLogin, says that the plug-in flashes up an alert when a password is used from a list of commonly breached and used passwords, and settings allow the user to see where a password is being reused.
She says that preventing reuse is the main purpose of Shield, but it will also alert a user when a weak password is being used. “It really doesn’t do you any good if you have a long and difficult-to-crack password but are reusing it everywhere. The one time it gets cracked the hacker has access to every account that you are using it on,” she says. “The reuse factor is a bigger issue than the complexity problem.”
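The hash-then-compare breach check and the reuse report described above, as an added example that is not Chrome’s or Shield’s own code (the real services add further privacy protections around the comparison; only the basic step the article describes is shown). The breach archive and the site-to-password vault are constructed inputs.

```python
import hashlib


def sha256_hex(password: str) -> str:
    """Hash the password so it can be compared without handling plain text."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed stand-in for a breach archive: it holds only hashes of
# passwords known to have leaked, never the passwords themselves.
BREACHED_HASHES = {sha256_hex(p) for p in ("Password1!", "Winter2019!", "letmein")}


def is_breached(password: str) -> bool:
    """Hash-then-compare check: a hit means the same password is in the archive."""
    return sha256_hex(password) in BREACHED_HASHES


def audit_vault(vault: dict) -> dict:
    """Map each site to its findings: 'breached' and/or 'reused on <sites>'.
    vault is site -> password (assumed to come from a password manager or
    browser store). Reuse is detected by grouping sites on the password hash."""
    sites_by_hash = {}
    for site, pw in vault.items():
        sites_by_hash.setdefault(sha256_hex(pw), []).append(site)
    findings = {}
    for site, pw in vault.items():
        notes = []
        if is_breached(pw):
            notes.append("breached")
        others = [s for s in sites_by_hash[sha256_hex(pw)] if s != site]
        if others:
            notes.append("reused on " + ", ".join(sorted(others)))
        findings[site] = notes
    return findings


if __name__ == "__main__":
    # Constructed vault: one password reused on two sites and also breached.
    sample = {"bank": "Password1!", "email": "Password1!",
              "work": "correct horse battery staple"}
    for site, notes in audit_vault(sample).items():
        print(site, "->", notes or ["ok"])
```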
The focus has shifted more to reuse and preventing the issues associated with account takeover that lead to phishing and business email compromise. Over the past 10 years we have had many conversations about password security and replacing them with an alternative, but as we enter a new decade, it seems that passwords are the only viable option for widespread authentication.
The reality of creating a strong and secure password remains uncomplicated, but actually getting the message out is as much of a challenge as creating a secure, strong and unique password for every login. If, as Steven Furnell’s research shows, even the tools designed to help people cannot be totally relied upon, will we still be having the same conversations in 10 years’ time?