As a man, I am ashamed to admit this, but admit this I must: Once -- almost three years ago -- I was wrong about something.
In 2011, I wrote this criticism of IT paternalism. I argued that users were better placed than IT professionals to write their own security questions and similar password fallbacks.
Certainly, many IT password policies are far from perfect -- and technology still deserves the lion's share of the blame for bad security. I did not account for one important fact, however:
Internet users can be really stupid.
To anyone who has ever read YouTube comments, this is not a mind-blowing revelation. Still, I should cite a contextual example.
This year, Adobe suffered one of the largest hacks ever discovered. In addition to loads of proprietary source code, experts estimate that more than 150 million user accounts were compromised -- including passwords that were encrypted rather than hashed, with no salt and, pitifully, a single key for all of them.
Worse, users' password hints were exposed as well -- in plaintext. Unsurprisingly, security analysts have cracked at least hundreds of Adobe users' passwords, guided by such intrepid user-written hints as "the password is password" and "animal that says neigh."
Because Adobe encrypted every password with the same key, and in a mode (ECB) that encrypts each eight-byte block independently, identical passwords produced identical ciphertext. That is what makes popular passwords easy to guess from the hints: for each popular or semi-popular password, a variety of plaintext hints is available to enterprising hackers, all attached to the same ciphertext. For instance, while any one of the individual clues "book," "movie," "Edward," or "Bella" might give a password cracker pause, when they are taken all together, the password becomes relatively obvious.
Password cracker Ben Falconer illustrates this with his website, Adobe Crossword, a set of crossword puzzles inspired by this xkcd commentary on the Adobe password leak. In Falconer's crossword puzzles, the clues are a collection of actual Adobe user hints, and the answers are each collection's corresponding password. Falconer determined about 650 of the top 1,000 passwords, spending less than 10 seconds on each, he said.
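The clustering that turns a hint dump into a crossword, as an added example that is not code from the article, from Falconer or from Adobe. The block cipher (3DES in the real dump) is replaced by a keyed blake2b call so the script runs on the standard library; the padding scheme, the key, the account names and the hints are all constructed. The attacker's side of the script never touches the key: it only groups identical ciphertexts, solves the clue set with the most hints, and then reuses the recovered eight-byte blocks against every other account.

```python
"""Constructed model of the Adobe password store: one key for every user,
ECB mode, passwords encrypted rather than hashed, hints in the clear.
The block cipher is stood in for by a keyed blake2b call; the attacker's
functions need no key and no decryption routine, only a codebook of blocks."""
from __future__ import annotations
import hashlib
from collections import defaultdict

BLOCK = 8                                   # 3DES block size in bytes
SITE_KEY = b"one key for every account"      # constructed; the real key is unknown

# Constructed accounts (name, password, hint). Not real Adobe data.
USERS = [
    ("alice", "password",  "the password is password"),
    ("bob",   "password",  "the usual"),
    ("carol", "password",  "rhymes with crossword"),
    ("dave",  "password1", "usual plus a digit"),
    ("erin",  "twilight",  "book"),
    ("frank", "twilight",  "movie"),
    ("gina",  "twilight",  "Edward"),
    ("hank",  "twilight",  "Bella"),
    ("ivan",  "horse",     "animal that says neigh"),
]

def pkcs5_pad(data: bytes) -> bytes:
    """Pad to whole blocks (PKCS#5-style padding is an assumption here)."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def encrypt_block(block: bytes) -> bytes:
    """Stand-in for 3DES under SITE_KEY: deterministic, so ECB leaks equality."""
    return hashlib.blake2b(block, key=SITE_KEY, digest_size=BLOCK).digest()

def ecb_encrypt(password: str) -> tuple[bytes, ...]:
    """ECB: every block encrypted on its own, no IV, no salt."""
    data = pkcs5_pad(password.encode())
    return tuple(encrypt_block(data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))

def leaked_dump(users):
    """What the attacker holds: no passwords, but ciphertext plus plaintext hint."""
    return [(name, ecb_encrypt(pw), hint) for name, pw, hint in users]

def hint_groups(dump):
    """Identical passwords give identical ciphertext, so hints pool per group:
    each group is one crossword clue set, and popular passwords get more clues."""
    groups = defaultdict(list)
    for _, ct, hint in dump:
        groups[ct].append(hint)
    return groups

def group_with_hint(groups, text):
    """Find the ciphertext whose clue set contains a given hint."""
    return next(ct for ct, hints in groups.items() if text in hints)

def codebook_from_guess(ct, guess: str) -> dict[bytes, bytes]:
    """Solving one clue set yields a ciphertext->plaintext entry per block.
    The attacker cannot verify the guess (no key); the crossword solvers relied
    on several hints agreeing. A wrong guess with the right block count
    silently poisons the codebook, which is the attacker's risk, not ours."""
    data = pkcs5_pad(guess.encode())
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    if len(blocks) != len(ct):
        return {}
    return dict(zip(ct, blocks))

def partial_decrypt(ct, codebook) -> str:
    """Decrypt with codebook entries only; '?' marks bytes still unknown.
    Padding is stripped only when the final block is known, and knowing the
    final block also tells the attacker the password's exact length."""
    out = b"".join(codebook.get(block, b"?" * BLOCK) for block in ct)
    if ct[-1] in codebook:
        out = out[:-out[-1]]
    return out.decode()

if __name__ == "__main__":
    dump = leaked_dump(USERS)
    groups = hint_groups(dump)
    for ct, hints in sorted(groups.items(), key=lambda kv: -len(kv[1])):
        print(len(hints), "accounts share a ciphertext; clues:", hints)
    # Solve the easiest clue set, then reuse its blocks against everyone.
    book = codebook_from_guess(group_with_hint(groups, "the password is password"), "password")
    for name, ct, hint in dump:
        print(f"{name:6} {partial_decrypt(ct, book)!r:22} hint: {hint}")
```

Solving the "password" group recovers two blocks: the word itself and the full block of padding that every eight-character password ends with. The first block immediately exposes the start of dave's "password1"; the second reveals that every account in the "twilight" group has exactly eight characters before a single clue from that group is even read.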
Cracking one group's password does more than expose that group. The cipher Adobe used works on eight-byte blocks, so every block an analyst recovers becomes a codebook entry that decrypts the same block wherever it appears in any other user's password; no recovery of the key is needed. As hackers solve more bits of the puzzle, it becomes easier for them to resolve the entire puzzle. Thus all of Adobe's users' accounts become compromised by a significant collection of people using stupid passwords and prompting themselves with stupidly obvious hints. Factor in password reuse, and user foolishness becomes problematic for other service providers too. (Indeed, Facebook has already taken proactive steps to identify its users who used the same password on Facebook and Adobe, forcing those users to change their passwords.)
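The cross-site check described in the parenthetical, written out as an added example rather than Facebook's actual code: plaintexts cracked from another site's dump are tested against this site's own salted, memory-hard password hashes, so the foreign plaintexts are never stored and only matching accounts are flagged for a forced reset. The accounts, salts and scrypt cost parameters are constructed; the site's real parameters are not on the page.

```python
"""Added example: find which local accounts reuse a password that was
cracked from another site's breach. Only hashes are compared; the
leaked plaintexts are discarded after the check. Constructed data."""
from __future__ import annotations
import hashlib
import hmac
import os

SCRYPT = dict(n=2 ** 14, r=8, p=1, dklen=32)     # cost parameters: assumption

def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Per-user random salt plus a memory-hard KDF: what the Adobe store lacked.
    Two users with the same password get different digests, so a dump of this
    table cannot be grouped the way the Adobe dump was."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)

def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so the check itself does not leak."""
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return hmac.compare_digest(candidate, digest)

def accounts_to_reset(cracked_elsewhere: dict[str, str],
                      own_accounts: dict[str, tuple[bytes, bytes]]) -> list[str]:
    """cracked_elsewhere: {email: plaintext recovered from the other breach}
    own_accounts: {email: (salt, digest)} for this site.
    Returns the emails whose password here equals the one leaked there."""
    hits = []
    for email, leaked_pw in cracked_elsewhere.items():
        record = own_accounts.get(email)
        if record is not None and check_password(leaked_pw, *record):
            hits.append(email)
    return sorted(hits)

# Constructed local accounts and a constructed set of cracked foreign credentials.
OWN_ACCOUNTS = {
    "alice@example.com": hash_password("password"),    # reused: must be reset
    "erin@example.com":  hash_password("tw1l1ght!"),   # different here: fine
    "ivan@example.com":  hash_password("horse"),       # reused: must be reset
}
CRACKED_ELSEWHERE = {
    "alice@example.com":  "password",
    "erin@example.com":   "twilight",
    "ivan@example.com":   "horse",
    "nobody@example.com": "123456",                    # no account here
}

if __name__ == "__main__":
    for email in accounts_to_reset(CRACKED_ELSEWHERE, OWN_ACCOUNTS):
        print("force password reset:", email)
```

The check only works because the other site's passwords were recoverable as plaintext; had Adobe stored salted hashes, neither the attackers nor Facebook could have matched them.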
Not all systems have password hints, but many do have similar prompts, such as security questions. In 2011, I advocated the following solution to the problem of weak security questions drafted and imposed by IT departments:
Until cost-effective biometrics can be widely implemented, the simple, obvious solution is to let users write their own security questions... Only users know what their true secrets are.
Apparently, I was partly mistaken on this point (and not merely because of the gross flaws of biometric security), because a large share of users do not understand the definition of "secret."
Research by software architect Troy Hunt supports this theory. More than 6.7% of Adobe users who had password hints "used the same 100 top hints," Hunt reported. (The most popular password hint? Apparently 559,358 people used "dog.") Hunt used Adobe password hints to categorize passwords by type. From there, he demonstrated an example on his blog of how such information could be used to correctly make an educated guess of thousands of passwords.
Furthermore, prompts such as these can "inadvertently leak [other] sensitive information," particularly in cases where a user is foolhardy enough to use a Social Security number, date of birth, bank PIN, or other private data, Hunt found.
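The structural abuses Hunt describes (a hint that is one of the most common hints, that contains or is contained in the password, that says "same as usual," or that carries an SSN, date of birth or PIN) can at least be refused at hint-creation time. The validator below is an added example, not Adobe's or Hunt's code; its patterns and its list of common hints are constructed for illustration and are not Hunt's top-100 list.

```python
"""Added example: server-side checks that refuse the kinds of password hints
the Adobe dump showed to be dangerous. Blocklist and regexes are constructed."""
from __future__ import annotations
import re

# Hints that occur so often that one clue serves thousands of accounts.
# Constructed sample, not the real top-100 list.
COMMON_HINTS = {"dog", "cat", "password", "same as always", "usual", "name", "work"}

# Digit shapes that never belong in a plaintext hint.
SSN = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")
DATE = re.compile(r"\b\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}\b")
PIN = re.compile(r"\b\d{4,6}\b")
REUSE = re.compile(r"\b(same|usual|as always)\b")

def hint_problems(hint: str, password: str) -> list[str]:
    """Return every reason a hint should be refused; an empty list means accept."""
    h = hint.strip().lower()
    p = password.lower()
    if not h:
        return ["empty hint"]
    problems = []
    if h in COMMON_HINTS:
        problems.append("hint is among the most common hints")
    if p in h:
        problems.append("hint contains the password")
    words = re.findall(r"[a-z0-9]+", h)
    if any(len(w) >= 4 and w in p for w in words):
        problems.append("hint word appears inside the password")
    if SSN.search(h):
        problems.append("looks like an SSN")
    elif DATE.search(h):
        problems.append("looks like a date of birth")
    elif PIN.search(h):
        problems.append("contains a 4-6 digit number (PIN or year)")
    if REUSE.search(h):
        problems.append("refers to a password reused elsewhere")
    return problems

if __name__ == "__main__":
    # Constructed hint/password pairs, including the crossword-style ones.
    samples = [
        ("the password is password", "password"),
        ("the usual", "password"),
        ("dog", "rex2010"),
        ("ssn 123-45-6789", "x"),
        ("born 3/14/1970", "pi314"),
        ("animal that says neigh", "horse"),
        ("Edward", "twilight"),
    ]
    for hint, pw in samples:
        print(f"{hint!r:28} -> {hint_problems(hint, pw) or 'accepted'}")
```

The last two samples pass: "animal that says neigh" and "Edward" contain no password text and no digits, yet pooled with three other users' hints they give the password away. A validator removes the mechanical self-exposure; it cannot stop the crossword, which is why the hint itself is the flaw.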
It is thus abundantly clear that any password workaround -- whether a hint or security question -- threatens user security. There may be cogent arguments that these prompts are only as flawed as their users -- but that's precisely the problem.
— Joe Stanganelli is a writer, attorney, and communications consultant. He is also principal and founding attorney of Beacon Hill Law in Boston. Follow him on Twitter at @JoeStanganelli.