Poor password security and rampant reuse mean less-secure Web sites are a gateway to high-value targets for attackers.
Passwords may be the security equivalent of the "close door" button in an elevator -- something you expect to be present, but which only serves as a psychological placebo.
In fact, according to a paper delivered this week at the ninth annual Workshop on the Economics of Information Security at Harvard University, many Web sites use passwords "primarily for psychological reasons, both as a justification for collecting marketing data, and as a way to build trusted relationships with customers," rather than for security.
The unfortunate side effect of that approach is that less secure sites actually compromise the security of better secured sites.
The study, conducted by researchers Joseph Bonneau and Sören Preibusch, based at Cambridge University in England, analyzed the security practices of 150 Web sites, including e-commerce, news, and social networking sites, all of which offered free accounts secured via user-chosen passwords.
Many sites' password practices are inherently insecure -- they don't demand long or complex enough passwords, and don't filter out simple numerical sequences or family pets. Yet passwords are here to stay, because people expect them. "Efforts to replace passwords with more-secure protocols or federated identity systems may fail because they don't recreate the entrenched ritual of password authentication," said the researchers.
Unfortunately, people often reuse the same password for multiple sites. As a result, attackers can -- and do -- hit a less secure site to harvest passwords that work on higher-value sites.
In January, for example, a hacker stole a database from RockYou, an online gaming website, containing the passwords for 32 million users, as well as their passwords for partner sites. Helpfully, for researchers, the attacker also published a subset of the stolen database, revealing that RockYou had stored the passwords in clear text, and claimed that 10% of them could be used to access people's PayPal accounts.
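As an added illustration of the two failures the article describes (clear-text storage and no filtering of trivial numeric sequences), here is a small Python example; it is not code from the paper or from any site named above, and the PBKDF2 iteration count is an assumption.

```python
import hashlib
import hmac
import os

# Constructed example: store a salted, slow hash instead of the clear-text
# password, so a stolen user database does not hand out reusable credentials.
ITERATIONS = 200_000  # cost factor; assumed value, tune for your hardware


def store_password(password: str) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (hex)."""
    # Per-user random salt: two users with the same password get different
    # records, so a leaked table does not reveal who shares a password.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def is_simple_numeric_sequence(password: str) -> bool:
    """Flag the trivial sequences the paper says sites fail to filter
    (e.g. 123456, 654321, 000000)."""
    if not password.isdigit() or len(password) < 4:
        return False
    steps = {int(b) - int(a) for a, b in zip(password, password[1:])}
    return steps <= {1} or steps <= {-1} or steps <= {0}
```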
What can be done? Bonneau and Preibusch suggest taking an economic approach to the problem, perhaps in the form of regulations, such as "a password tax or increased liability which provide strong disincentives for sites to use password-protected accounts when they have no business reason for doing so."
They also suggest branding password security, and issuing publicly-reviewed code to help eliminate the password "best practice" confusion now facing developers.
"Most [password] knowledge remains spread across years of often-conflicting academic research papers, where it is not easily accessible for developers," they said.