Passwords' Value Lies In Psychology, Not Security - InformationWeek

Poor password security and rampant password reuse mean that less-secure Web sites are a gateway to high-value targets for attackers.

Passwords may be the security equivalent of the "close door" button in an elevator -- something you expect to be present, but which only serves as a psychological placebo.

In fact, according to a paper delivered this week at the ninth annual Workshop on the Economics of Information Security at Harvard University, many Web sites use passwords "primarily for psychological reasons, both as a justification for collecting marketing data, and as a way to build trusted relationships with customers," rather than for security.

The unfortunate side effect of that approach is that less secure sites actually compromise the security of better secured sites.

The study, conducted by researchers Joseph Bonneau and Sören Preibusch, based at Cambridge University in England, analyzed the security practices of 150 Web sites, including e-commerce, news, and social networking sites, all of which offered free accounts secured via user-chosen passwords.

Many sites' password practices are inherently insecure: they don't demand long or complex enough passwords, and they don't reject trivially guessable choices such as simple numeric sequences or a pet's name. Yet passwords are here to stay, because people expect them. "Efforts to replace passwords with more-secure protocols or federated identity systems may fail because they don't recreate the entrenched ritual of password authentication," said the researchers.

Unfortunately, people often reuse the same password for multiple sites. As a result, attackers can -- and do -- hit a less secure site to harvest passwords that work on higher-value sites.

In December 2009, for example, an attacker stole a database from RockYou, an online gaming and social-application site, containing the passwords of 32 million users, along with the passwords those users had given RockYou for partner sites. Helpfully, for researchers, the attacker also published a subset of the stolen database, which showed that RockYou had stored the passwords in clear text, and claimed that 10% of them could also be used to access the users' PayPal accounts.
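The reuse attack described above, together with the two storage choices behind it, as an added Python example that is not from the Bonneau and Preibusch paper or from this article. The site names, user names, passwords and the COMMON_PASSWORDS list are constructed for illustration, and the PBKDF2 iteration count is an assumed value:

```python
import hashlib
import hmac
import os

# Constructed blocklist of the kind of choices the study found sites accepting.
# A production deployment would use a large breached-password list instead.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "iloveyou", "letmein"}

# PBKDF2 work factor; assumed value for this example, tune upward for production.
ITERATIONS = 100_000


def is_sequence(s):
    """True if s is a run of consecutive or repeated characters ('123456', 'abcdef', 'zzzzzz')."""
    if len(s) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps <= {1} or steps <= {-1} or steps <= {0}


def password_acceptable(pw, blocklist=(), min_len=8):
    """Registration-time policy: length, common-password list, trivial sequences,
    and site-specific words (user name, e-mail local part, anything else the site holds)."""
    low = pw.lower()
    if len(pw) < min_len or low in COMMON_PASSWORDS or is_sequence(low):
        return False
    return not any(w and w.lower() in low for w in blocklist)


def store_plaintext(db, user, pw):
    """The RockYou model: the record is directly reusable by whoever dumps the table."""
    db[user] = pw


def store_hashed(db, user, pw):
    """Hardened model: random per-user salt plus PBKDF2-HMAC-SHA256; a dump yields
    no plaintext and each guess costs the attacker ITERATIONS hash computations."""
    salt = os.urandom(16)
    db[user] = (salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS))


def verify_hashed(db, user, pw):
    """Constant-time comparison against the stored digest; unknown users simply fail."""
    rec = db.get(user)
    if rec is None:
        return False
    salt, digest = rec
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def register(db, user, pw):
    """What the high-value site does: enforce the policy, then store only a hash."""
    if not password_acceptable(pw, blocklist=[user]):
        raise ValueError("password rejected by policy")
    store_hashed(db, user, pw)


def stuff_credentials(leaked_plaintext, target_db):
    """Credential stuffing: replay every (user, password) pair from a plaintext dump
    against another site; returns the users whose reused password let the attacker in."""
    return [u for u, pw in leaked_plaintext.items() if verify_hashed(target_db, u, pw)]


def offline_guess(record, guesses):
    """Attacker holding one leaked (salt, digest) record tries a guess list. Hashing
    slows this down but does not save a weak password; the policy check has to."""
    salt, digest = record
    for g in guesses:
        if hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", g.encode(), salt, ITERATIONS), digest):
            return g
    return None


def demo():
    """Constructed scenario: alice reuses one password on both sites, bob does not."""
    gaming_site = {}                      # low-value site: plaintext storage, no policy
    store_plaintext(gaming_site, "alice", "Tr0ub4dor&3")
    store_plaintext(gaming_site, "bob", "123456")

    bank = {}                             # high-value site: policy plus hashing
    register(bank, "alice", "Tr0ub4dor&3")        # reused; accepted because it passes the policy
    register(bank, "bob", "ferret-lamp-quietly")  # bob's "123456" would be rejected here

    # The gaming site is breached; its table becomes the attacker's wordlist for the bank.
    return stuff_credentials(gaming_site, bank)


if __name__ == "__main__":
    print("bank accounts opened with the gaming-site dump:", demo())
```

The point the example makes is the one the article does: the bank's own hashing and policy are irrelevant to alice, because the weaker site handed the attacker her plaintext. The offline_guess function shows the flip side, that hashing alone does not rescue a password such as "123456" from a short guess list, which is why the registration-time check matters as much as the storage format.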

What can be done? Bonneau and Preibusch suggest taking an economic approach to the problem, perhaps in the form of regulations, such as "a password tax or increased liability which provide strong disincentives for sites to use password-protected accounts when they have no business reason for doing so."

They also suggest branding password security, and issuing publicly-reviewed code to help eliminate the password "best practice" confusion now facing developers.

"Most [password] knowledge remains spread across years of often-conflicting academic research papers, where it is not easily accessible for developers," they said.
