10:16 AM

Passwords' Value Lies In Psychology, Not Security

Poor password security and rampant password reuse mean that less-secure Web sites are a gateway to high-value targets for attackers.

Passwords may be the security equivalent of the "close door" button in an elevator -- something you expect to be present, but which only serves as a psychological placebo.

In fact, according to a paper delivered this week at the ninth annual Workshop on the Economics of Information Security at Harvard University, many Web sites use passwords "primarily for psychological reasons, both as a justification for collecting marketing data, and as a way to build trusted relationships with customers," rather than for security.

The unfortunate side effect of that approach is that less-secure sites actually compromise the security of better-secured sites.

The study, conducted by researchers Joseph Bonneau and Sören Preibusch, based at Cambridge University in England, analyzed the security practices of 150 Web sites, including e-commerce, news, and social networking sites, all of which offered free accounts secured via user-chosen passwords.

Many sites' password practices are inherently insecure -- they don't demand long or complex enough passwords, and don't filter out simple numerical sequences or the names of family pets. Yet passwords are here to stay, because people expect them. "Efforts to replace passwords with more-secure protocols or federated identity systems may fail because they don't recreate the entrenched ritual of password authentication," said the researchers.

Unfortunately, people often reuse the same password for multiple sites. As a result, attackers can -- and do -- hit a less secure site to harvest passwords that work on higher-value sites.

In January, for example, a hacker stole a database from RockYou, an online gaming website, containing the passwords for 32 million users, as well as their passwords for partner sites. Helpfully, for researchers, the attacker also published a subset of the stolen database, revealing that RockYou had stored the passwords in clear text, and claimed that 10% of them could be used to access people's PayPal accounts.

What can be done? Bonneau and Preibusch suggest taking an economic approach to the problem, perhaps in the form of regulations, such as "a password tax or increased liability which provide strong disincentives for sites to use password-protected accounts when they have no business reason for doing so."

They also suggest branding password security, and issuing publicly reviewed code to help eliminate the password "best practice" confusion now facing developers.

"Most [password] knowledge remains spread across years of often-conflicting academic research papers, where it is not easily accessible for developers," they said.
