
Debates and discussions about passwords are nothing new in information security. From the infamous ‘chocolate for passwords’ experiment to the iconic ‘correct horse battery staple’ XKCD comic, we spend a fair amount of time on this topic as an industry.

It has been accepted best practice for a long time now that increased password complexity results in better security. An entire market of password managers has developed out of this well-accepted principle, along with an awful lot of security awareness training material.

Researchers at Microsoft and the University of Ottawa have now published a paper (PDF) on the topic that concludes somewhat the opposite. To be more specific, they use a mathematical model to demonstrate that a more segmented approach to password management is the most secure, where users optimally form “groups whose accounts in sum have similar PL values.” In other words, it’s OK to use (and re-use) simple passwords for low-value accounts, as long as you construct more unique and complex passwords for high-value accounts.

The conclusion of this research is fundamentally flawed in two specific ways.

First, the usefulness of password managers is dismissed because of potential vulnerabilities and because they are a single point of failure. While this may be accurate, it is not necessarily material to the analysis. The ‘single point of failure’ aspect can be addressed through a myriad of technological solutions, many of which are already in use across other products.

Information technology is adept at solving backup and recovery problems. Further, the idea that a solution shouldn’t be used because it may contain vulnerabilities fails the test of reasonableness. Take Microsoft itself as an example: it ships many products that succeed in adoption while also managing their security vulnerabilities.

The second flaw is more subtle and more important. The conclusion ultimately fails because it relies on an assumption that the user is capable of determining which accounts are of value. The reality is that while the average user can clearly distinguish between, say, financial data and pizza topping preferences, users may not know or realize what sensitive data most accounts actually provide access to.

For example, a user might reasonably conclude that their email account doesn’t contain sensitive data, but access to an email account could allow an attacker to execute a password reset on a financial account. The clearly demonstrated tendency to share publicly on Facebook provides further evidence that the average user does not actively choose to protect their own data.

Additionally, users aren’t in a position to adequately judge what collection of data might constitute a sensitive result set. Even if I could make good decisions about individual accounts, I simply don’t have access to the aggregate set in a way that allows me to effectively segment my passwords.

Finally, don’t forget the implications of the growing single sign-on capabilities introduced by Google, Facebook and Twitter. As the number of applications using these sign-on capabilities grows, the value attached to that one credential may change over time. A user who has segmented their accounts simply won’t be able to keep up, and the issue of complexity becomes a blocker for the published strategy as well.
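The aggregation problem described above can be made concrete with a small model. This is an added illustration, not code from the paper or from this post’s author: it assumes a constructed portfolio of accounts with the values the user perceives, plus “reset” edges recording which account can be used to take over another (an email reset, an SSO login), and compares the exposure of a reuse group chosen by perceived value with one chosen by the value actually reachable from each account.

```python
from collections import defaultdict

# Constructed sample portfolio (an assumption for this example): nominal value is what
# the user perceives each account to be worth; an edge (src, dst) means that control of
# src lets an attacker take over dst, e.g. via an e-mail password reset or SSO login.
ACCOUNTS = {"email": 1, "bank": 100, "broker": 80, "pizza": 1, "forum": 1, "social": 5}
RESET_EDGES = [("email", "bank"), ("email", "broker"), ("email", "social"), ("social", "forum")]

def reachable(start, edges):
    """Every account an attacker reaches after taking over `start` (including itself)."""
    adj = defaultdict(list)
    for src, dst in edges:
        adj[src].append(dst)
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(adj[node])
    return seen

def effective_value(account, values, edges):
    """Nominal value plus the value of everything the account can be used to take over."""
    return sum(values[a] for a in reachable(account, edges))

def reuse_exposure(group, values, edges):
    """Loss if the one password shared by `group` is breached: every member and all it reaches."""
    exposed = set()
    for account in group:
        exposed |= reachable(account, edges)
    return sum(values[a] for a in exposed)

def low_value_group(values, edges, threshold, use_effective):
    """Accounts a user would lump onto one reused password, ranked by nominal or effective value."""
    score = (lambda a: effective_value(a, values, edges)) if use_effective else values.get
    return {a for a in values if score(a) < threshold}

def compare(values, edges, threshold=10):
    """Exposure of the 'cheap' reuse group under the naive and the informed ranking."""
    naive = low_value_group(values, edges, threshold, use_effective=False)
    informed = low_value_group(values, edges, threshold, use_effective=True)
    return (reuse_exposure(naive, values, edges), reuse_exposure(informed, values, edges))

if __name__ == "__main__":
    print("naive vs informed exposure:", compare(ACCOUNTS, RESET_EDGES))
    # An SSO relationship added later silently moves "social" into the high-value class.
    print("social after SSO edge:", effective_value("social", ACCOUNTS, RESET_EDGES + [("social", "broker")]))
```

The naive grouping puts the “worthless” email account on the shared password and thereby exposes the whole portfolio, while the informed grouping exposes only a few genuinely low-value accounts; adding one SSO edge later changes the answer without the user touching any password.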

In a very pragmatic sense, improving password managers, and increasing the adoption of two-factor authentication, is the most useful path towards greater authentication security in general. And if you need a clearer picture of how far behind we are with password hygiene, just go ask people at RSA what their password is.

