Saturday, March 23, 2013

Making the Password Usable, But Yet Secure

[Image: XKCD 936 - Password Strength]
One of the interesting aspects of information security is that it sits on a spectrum with two extremes. At one end is strong security: the whole goal of securing data is making it as secure as possible, through cryptography, passwords, two-factor authentication, configuration, and so on. At the other end is strong usability: we need to do our jobs, after all, and the more usable a system is, the faster we can do them.

These two ends of the spectrum are inversely related. It is very easy to have too much security, making usability mind-numbing: carrying around hard tokens with PIN codes, 16-character passwords with 30-day expirations, 10-minute timeouts, and network policies where everything needs approval. But if you relax all of the policies to make them more usable, you are suddenly vulnerable to all of the threats information security exists to address: rainbow tables, brute-force attacks, denial-of-service (DoS) attacks, social engineering, and so on.

So where do we draw the line? I have been thinking about passwords and think I have come up with a password policy.

5 Characters, 5 Tries

The idea is simple: every single account you own should have a 5-character password, with the following general rules:
  1. The password can only contain lowercase letters and the digits 2-9. This is for easier perception, legibility, and typing (1 and 0 look like l and O in many typefaces). That is a grand total of 34 different characters for each of the 5 positions in the password.
  2. You get 5 attempts to type in your password; a success resets the counter to 0.
  3. Each attempt also gets its IP address logged on the server. This is simply for easier identification of the bad guys, as well as a way to let the user know what activity is associated with their account.
  4. Once you have used up your 5 attempts, your password is reset to a randomly generated temporary password that is immediately emailed to the address associated with your account.
  5. Each temporary password overwrites the previous one and is subject to these exact same rules again, until a successful login.

When implemented, this policy is easy on the user, resists attack, and provides a way to identify attackers for blacklisting. So how secure is the password, anyway? The combinatorics are simple:

5 characters with a set of 34 unique possibilities per character:
34^5 = 45,435,424 possible passwords

So, for a password drawn uniformly from that space, each attempt has the following probability of being a correct guess:
1 / 45,435,424 = 0.000002200926 %

We could optionally add some rules against stupid passwords like 'jesus' and 'passw', just to counter the "most commonly used passwords" statistics.

There is one catch, however: your email account needs to be Fort Knox. Every email account needs two-factor authentication by default, and CAPTCHA challenges after too many attempts. There are no more excuses for hacked email accounts; email is the most important asset on the internet, because it is your unique identifier. I personally like having a "safe list" in Gmail that knows not to challenge me with two-factor authentication, just from recognising the device I'm authenticating from.

The concept is simple, and with a proper storage policy on the server (512-bit or longer salted hashes and strong crypto), it should be impossible to hack in a password leak.
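As an added example (not code from the original post), here is a Python model of rules 1 through 5 from the list above together with the storage policy just described. The Account class, the in-memory outbox that stands in for the mail server, the 16-byte random salt, and PBKDF2-HMAC-SHA512 with 100,000 iterations are assumptions of this example chosen to match the "512bit+ hashing with salts" description; the email and IP addresses are constructed sample values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Rule 1: lowercase letters plus the digits 2-9 (0 and 1 are dropped because they
# resemble O and l).  26 + 8 = 34 symbols, 5 positions.
ALPHABET = "abcdefghijklmnopqrstuvwxyz" + "23456789"
PASSWORD_LEN = 5
MAX_ATTEMPTS = 5                             # Rule 2
KEYSPACE = len(ALPHABET) ** PASSWORD_LEN     # 34**5 == 45_435_424

# Storage parameters (assumptions for this example): a 16-byte random salt per
# password and PBKDF2-HMAC-SHA512, which yields a 512-bit digest.
SALT_BYTES = 16
PBKDF2_ROUNDS = 100_000


def is_valid_password(password: str) -> bool:
    """Rule 1: exactly 5 characters, every one from the 34-symbol alphabet."""
    return len(password) == PASSWORD_LEN and all(c in ALPHABET for c in password)


def random_password() -> str:
    """Rule 4: temporary passwords are drawn uniformly from the whole keyspace."""
    return "".join(secrets.choice(ALPHABET) for _ in range(PASSWORD_LEN))


def guess_probability_percent() -> float:
    """Chance, in percent, that one attempt against a uniformly random password is right."""
    return 100.0 / KEYSPACE


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash used for storage; the plaintext is never kept."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    email: str
    salt: bytes = b""
    digest: bytes = b""
    failures: int = 0
    attempt_log: list = field(default_factory=list)  # Rule 3: (ip, succeeded) per attempt
    outbox: list = field(default_factory=list)       # stands in for the mail server (assumption)

    def set_password(self, password: str) -> None:
        if not is_valid_password(password):
            raise ValueError("password must be 5 characters from [a-z2-9]")
        self.salt = secrets.token_bytes(SALT_BYTES)  # fresh salt on every change
        self.digest = hash_password(password, self.salt)
        self.failures = 0

    def login(self, password: str, ip: str) -> bool:
        """One authentication attempt from `ip`; applies rules 2 through 5."""
        ok = self.digest != b"" and hmac.compare_digest(
            self.digest, hash_password(password, self.salt))
        self.attempt_log.append((ip, ok))            # Rule 3: every attempt is logged
        if ok:
            self.failures = 0                        # Rule 2: success resets the counter
            return True
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            # Rules 4 and 5: replace the password with a fresh random temporary one,
            # "email" it, and start the 5-try cycle over against the new password.
            temp = random_password()
            self.set_password(temp)
            self.outbox.append((self.email, temp))
        return False


if __name__ == "__main__":
    acct = Account(email="user@example.invalid")    # constructed sample account
    acct.set_password("h7kq2")
    for _ in range(MAX_ATTEMPTS):
        acct.login("zzzzz", "203.0.113.9")           # constructed sample address
    print("temporary password mailed:", acct.outbox[-1][1])
    print("attempts logged:", acct.attempt_log)
```

Two things worth noticing when running it. Rule 4 fires no matter who made the five attempts, which is why the per-attempt IP log in rule 3 matters for telling the account owner apart from whoever else tried. And the 5-try limit only governs online guessing; against a leaked table, the salt and the iteration count are all that stands between an attacker and the 45,435,424-entry keyspace, so the hash cost carries far more of the load than the password length does.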

Let me know what you guys think; the internet needs a consistent policy.
