Complex passwords — not so important after all

A New York Times article explains something that has long puzzled me: why are institutions where security really matters so lax about passwords, while the corner store requires long, ever-changing, combinations of  upper and lower case, alphanumeric and non-alphanumeric characters? Why are my credit union and my bank satisfied with a four-digit numeric PIN, which they never make me change?

The answer, according to a number of security experts interviewed by the Times, is that passwords don’t need to be strong or constantly changed. Worse, “[O]nerous requirements for passwords have given us a false sense of protection against potential attacks. In fact, they say, we aren’t paying enough attention to more potent threats.”

After investigating password requirements in a variety of settings, [Microsoft security specialist Cormac] Herley is critical not of users but of system administrators who aren’t paying enough attention to the inconvenience of making people comply with arcane rules. “It is not users who need to be better educated on the risks of various attacks, but the security community,” he said at a meeting of security professionals, the New Security Paradigms Workshop, at Queen’s College in Oxford, England. “Security advice simply offers a bad cost-benefit tradeoff to users.”….

One might guess that heavily trafficked Web sites — especially those that provide access to users’ financial information — would have requirements for strong passwords. But it turns out that password policies of many such sites are among the most relaxed. These sites don’t publicly discuss security breaches, but Mr. Herley said it “isn’t plausible” that these sites would use such policies if their users weren’t adequately protected from attacks by those who do not know the password.

Mr. Herley, working with Dinei Florêncio, also at Microsoft Research, looked at the password policies of 75 Web sites. At the Symposium on Usable Privacy and Security, held in July in Redmond, Wash., they reported that the sites that allowed relatively weak passwords were busy commercial destinations, including PayPal, and Fidelity Investments. The sites that insisted on very complex passwords were mostly government and university sites. What accounts for the difference? They suggest that “when the voices that advocate for usability are absent or weak, security measures become needlessly restrictive.”

Donald A. Norman, a co-founder of the Nielsen Norman Group, a design consulting firm in Fremont, Calif., makes a similar case. In “When Security Gets in the Way,” an essay published last year, he noted the password rules of Northwestern University, where he then taught. It was a daunting list of 15 requirements. He said unreasonable rules can end up rendering a system less secure: users end up writing down passwords and storing them in places that can be readily discovered.

“These requirements keep out the good guys without deterring the bad guys,” he said.

I’ve suspected this for a long time, although I may have carried it too far. I recently found my (former!) favorite password in the number-two slot on a list of most frequently chosen passwords.