(I wanted to spend more time on this post, but my brain hurts now. Keep in mind that I don’t have it out for simple or complex passwords; the crux of my post is that neither is de facto better than the other. It all just depends. But if some “normal” person asks me for my advice, I won’t say simple passwords are the solution.)
Read and wanted to comment on an article I saw over on Securiteam, but my comment got way longer than I felt like posting, so I figured I’d vomit it out here in full instead. The article, titled, “Simple passwords are the solution,” made the claim: “The solution is not to make passwords more complex. It’s making them less complex (so that users can actually remember them) and making sure brute force is impossible.”
You see what Aviram did there? Took a bad statement and clarified it with the better answer in that last phrase. Cute. 🙂 This is a common approach when dealing with users, particular managers who make decisions. The demand, “I want simpler passwords,” is rightfully countered with, “Sure, but in order to do that we need to make sure brute forcing is difficult and cracking is adequately thwarted. Here’s what that will cost…”
Let’s back up to that first part about simple passwords being the solution and how that relates to the originally-referenced article over on PCPro.co.uk. That original article is pretty useless, but let me forget that for a moment.
I think there is a problem with saying simple passwords are the solution and complex passwords are bad.
You should be saying: 2F auth is better than complex passwords which itself is better than simple passwords.
If I walk around my business saying simple passwords are better because then you won’t have to write them down, I’m spreading around a horrible habit for those systems/apps/sites that may only accept a simple password. This provides a bad mixed message to my users, which has no upside to it. I’m also oversimplifying the problem. If there’s anything at all that turns users off to security, it’s the mixed, complex messages we can concoct when we’re not careful. If I have to go into a deeply technical discussion about simple vs complex passwords and why one is better than the other in some cases but not others, I’ve already lost them.
Oh, and what is more of a risk? Someone with physical access to a written-down password, or a digital attack that leverages any weakness in that simple password? I’m not sure I’d even begin to say I have an answer for that…
The risks:
- brute force the login (effective against simple pw)
- hash/encryption cracking
- long-term reuse once found
- acquiring the password in other ways
- hash resuse (which I won’t touch on here)
2F auth really helps all of these cases, which isn’t really an argument since I think everyone here can agree to that.
(For this paragraph I may have been distracted with the link to the Password: Impossible article by Aviram.) But password expiry/rotation limits some risk as well. If a password is disclosed, at least the user can change their password or it naturally gets changed during the age expiration. Many attacks are point in time hacks where a hash gets out or a password guessed. Clearly, this isn’t universal as an attacker may have another channel to get back in or perform his attack periodically, but certainly it avoids the point in time exposures. Still, if a password is disclosed for whatever reason, you want some automatic method to prevent that knowledge from being useful forever.
The article talks entirely about cracking passwords. 2F auth helps avoid that risk, but otherwise fixing things to make cracking much more difficult is a server-side thing and won’t affect users (salts, shadow, time-based tokens…) beyond having more complex passwords. The same goes for simply protecting the hashes (but even I assume that will be exposed at some point).
The article doesn’t make a new argument at all. Cracking like this has been around for 20+ years, it’s just faster. That’s certainly not news that it is faster today, and doesn’t change any answers or risks. It’ll be faster tomorrow and it’ll be faster in 10 more years. And we’re still talking about cracking taking longer with complex passwords than it does with simple ones. We haven’t changed that. Sure, we might be talking a few minutes, but that’s still a few minutes. Being that I’m not a crypto-geek, I’ll have to stay shallow in this topic.
It really all gets back to looking at some core security fundamentals. Is there a perfect answer/silver bullet? No. So does that mean we should be accepting any incremental security measure we can that decreases our risk and makes sense economically? Yes. Simple passwords, complex passwords, and passwords of *any* type are not perfect, but at least they help. (And let’s remember that passwords are also still a form of security through obscurity….).
We should keep in mind that “writing down” passwords is the same concept whether you write them down on a post-it note under the keyboard, in a journal in a lock drawer or in a digital safe application. Yes, some are easier to break into than others, but we’re still talking about recording-them-somewhere-because-they’re-too-long-to-remember. And if you do that digitally, you actually *might* increase user risk because they have far less chance to memorize the password and may never actually know it. Which sucks when your digital safe is not accessible at some point for whatever reason.
We should also step back and see that there are certainly different assets that passwords are protecting. Should I use 2F auth when commenting on some forum or blog that has their own login I need to use, whose server-side setup I know nothing about? Certainly not, unless I truly value it. Does this mean I should use simple passwords so I don’t write them down? Perhaps, especially if I see very little value to an attacker or even myself in that asset. Certainly the answer is not that I have a 2F auth fob for every login I use, and certainly the answer is not some universal solution so I have just one fob but a federated identity for everything (arguable, and I’ll let that one just hang there as a wholly different topic).
Just to get back to the main point, saying simple passwords are better is a bad statement, even if I agree with it given qualified scenarios and restrictions.