Overheard at RSA: the challenges around passwordsFred O'Connor | March 11, 2019
Amid sessions on IoT security, how to protect organizations from ransomware attacks and attack trends, an arguably less sexy but equally important security topic permeated the 2019 RSA Conference: the challenges around passwords.
Here’s a roundup of just a few of the undoubtedly many times that passwords were discussed at RSA.
What’s stronger: kale or love?
In the context of what makes a more secure password, kale wins out over love, according to a study Lorrie Faith Cranor, a professor of engineering and public policy at Carnegie Mellon University, conducted that looked at people’s perceptions of passwords. Participants were given 16 pairs of passwords and asked if one was stronger than the other or if they were equally strong. Some passwords used similar wording or contained the same numbers, like iloveyou88 or ilovekale88, for example. When asked to judge the strength of iloveyou88 versus ilovekale88, people said that both passwords were equally secure.
But ilovekale88 is 4 trillion times stronger than iloveyou88 Cranor said during the session Security, Privacy and Human Behavior. “I love you is one of the most common strings used in passwords and nobody loves kale.”
Cranor’s research found that participants overvalued the security benefits of adding numbers to their passwords instead of including more characters and didn’t see the security shortcoming around incorporating popular phrases in passwords.
Just how rampant is password reuse?
We’ve all read that people use the same password to access multiple accounts but just how rampant is password reuse? Very, based on another survey Cranor conducted that looked password reuse.
She collected passwords data on 200 users and found that the average participant had 26 different accounts but only 10 different passwords. Just over half (51 percent) of users either exactly or partially reused a password and only 21 percent used a unique passwords.
“So they’d have passwords like monkey1, monkey2 and monkey3 and use monkey1 to access multiple accounts. We saw that there wasn’t much in the way of unique passwords,” she said.
But perhaps people create stronger and unique passwords for more valuable accounts, Cranor hypothesized. Surely, a person uses a different password to access a work application and their bank’s website? Alas, her research showed otherwise. “In almost every category, we saw rampant password reuse.” Those categories finance, file sharing, social media, work, email and health.
To use 2FA or not to use 2FA, that is the question
People know that reusing passwords to access multiple accounts and services is a major security violation. They also know that two-factor authentication can reduce the risk of a threat actor accessing their accounts. Elissa Redmiles, a computer science PhD candidate at the University of Maryland conducted an experiment to look at why people sometimes fail to act rationally and use two-factor authentication when it’s offered.
People were told to create an online banking account that would hold their compensation for participating in the study. They were also told that 20 percent of accounts would get hacked during the study. Participant stood to lose real money: any funds pilfered from their accounts during an attack wouldn’t be returned.
“I wasn’t paying them to get hacked,” Redmiles said.
Users were also given the option to enact two-factor authentication, which would protect them 90 percent of the time but increased the time and complexity required to access their accounts. With two-factor authentication reducing the risk of getting attacked and having their money stolen, participants should have been eager to use the technology. But after the first round of the experiment, 52 percent of the 125 participants enabled two-factor authentication. The second phase of the experiment began after a two-day break and out of the 105 participants who participated, 61 percent used two-factor authentication.
While more people used two-factor authentication in round two, the numbers weren’t overwhelming. Redmiles said that while shunning two-factor authentication appeared irrational, people were actually acting rationally.
“People said that they had weighed the benefits of two-factor authentication — decreased chance of getting attacked and losing money — and decided that it didn’t outweigh the drawback — increasing login complexity,” she said.
For security professionals who want to offer two-factor authentication, Redmiles had this advice: after making the initial offer, wait awhile and offer it again.
“Maybe a month after two-factor is offered, ask again. At first, people may not have seen the value of the service, particularly if they thought it was low-value account, but after having a few weeks to think it over, they may be more open to enabling two-factor,” she said.
The trouble with tokens is
During a break in an RSA Sandbox session, an unnamed cybersecurity professional talking to a colleague shared why tokens frustrate him.
“I do tokens because the IT guys are too busy to do them. It’s not my job but someone has to them. I code them, I take them to FedEx and ship them, I manage them and it’s a pain and it
keeps me from doing my job.”