By Antone Gonsalves, CSO | July 17th, 2014
New research shows that “123456” is a good password after all.
In fact, such credentials, useless from a security standpoint, have an important role in an overall password management strategy, researchers at Microsoft and Carleton University in Ottawa, Canada, have found.
Rather than hurt security, proper use of easy-to-remember, weak credentials encourages people to use much stronger passwords on the few critical sites and online services they visit regularly.
“Many sites ask for passwords, but they require no security at all,” Paul C. Van Oorschot, a Carleton professor and a co-author of the research, said. “They basically want to get the email address to contact you, but there’s nothing to protect.”
Strong passwords would be more likely to be adopted if people learned to use them only on critical accounts, such as employer websites, online banking and e-commerce sites that store the user’s credit card number. To be effective, this group should be small.
Websites that hold no sensitive information and would not present a threat if hacked should get the throwaway credentials. However, people need to carefully select the sites that get those passwords.
“Far from optimal outcomes will result if accounts are grouped arbitrarily,” the research says.
Following the standard advice of choosing, and never reusing, passwords of eight characters or more that include uppercase and lowercase letters, numbers and special characters is “an impossible task as portfolio size grows,” the research said.
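The grouping strategy described above has one hard rule: a shared password is only acceptable inside the throwaway group, because a breach of any site exposes every account that uses the same password, and the critical group must stay small. The following audit script is an added example, not code from the article or from the researchers' paper. The sites, passwords and the `max_critical` threshold are constructed assumptions (the article says the critical group should be small but gives no number); passwords are compared through a salted SHA-256 tag so the audit data never has to hold plaintext.

```python
"""Audit a password portfolio against the account-grouping strategy.

Added example. Accounts are tagged "critical" (money, card numbers, employer
systems) or "low" (nothing worth protecting). The checks flag any password
sharing that touches a critical account, any critical account that uses one of
the two most common passwords named in the article, and a critical group that
has grown too large to be memorised.
"""
import hashlib
from collections import defaultdict


def fingerprint(password: str, salt: str = "portfolio-audit") -> str:
    """Short salted SHA-256 tag used only to compare passwords for equality.

    This is an audit comparison tag, not a storage hash; the salt is a
    constructed constant for this example.
    """
    return hashlib.sha256(f"{salt}:{password}".encode()).hexdigest()[:16]


# Tags of the two most common passwords the article names.
COMMON_FPS = {fingerprint(p) for p in ("123456", "password")}

# Constructed sample portfolio (hypothetical sites). Passwords are deliberately
# weak or reused so that each check fires at least once.
PORTFOLIO = [
    {"site": "bank.example",       "tier": "critical", "fp": fingerprint("Xk9#vL2!qR7m")},
    {"site": "shop.example",       "tier": "critical", "fp": fingerprint("Xk9#vL2!qR7m")},  # reused with bank
    {"site": "employer.example",   "tier": "critical", "fp": fingerprint("T4$wN8pZ@c1e")},
    {"site": "newsletter.example", "tier": "low",      "fp": fingerprint("T4$wN8pZ@c1e")},  # employer password leaked into low tier
    {"site": "brokerage.example",  "tier": "critical", "fp": fingerprint("password")},       # common password on a critical account
    {"site": "forum.example",      "tier": "low",      "fp": fingerprint("123456")},
    {"site": "recipes.example",    "tier": "low",      "fp": fingerprint("123456")},         # intended throwaway sharing
]


def audit(portfolio, max_critical=5):
    """Return a sorted list of (finding, detail) tuples; empty means compliant."""
    findings = []

    # The critical group is the only place strong, unique passwords are spent,
    # so it must stay small enough to memorise. The threshold is an assumption.
    critical = [a for a in portfolio if a["tier"] == "critical"]
    if len(critical) > max_critical:
        findings.append(("critical_group_too_large", len(critical)))

    # A critical account should never carry a throwaway-grade password.
    for acct in critical:
        if acct["fp"] in COMMON_FPS:
            findings.append(("critical_uses_common_password", acct["site"]))

    # Group accounts by password. Any group that contains a critical account
    # means a breach of one member (even a worthless site) exposes that account.
    by_fp = defaultdict(list)
    for acct in portfolio:
        by_fp[acct["fp"]].append(acct)
    for accts in by_fp.values():
        if len(accts) < 2:
            continue
        if any(a["tier"] == "critical" for a in accts):
            findings.append(("critical_password_reused", sorted(a["site"] for a in accts)))
        # Sharing confined to the low tier is the deliberate throwaway group.

    return sorted(findings, key=lambda f: (f[0], str(f[1])))


if __name__ == "__main__":
    for kind, detail in audit(PORTFOLIO):
        print(f"{kind}: {detail}")
```

Run it on an export from whatever holds the portfolio and an empty result means the only password sharing left is inside the low-value group. Lowering `max_critical` is the way to model the article's point that the critical group must stay small: the same portfolio starts failing the size check as soon as the threshold drops below four.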
Studies have shown that despite warnings, people continue to use the same weak password across websites. In 2013, the most commonly used password on the Internet was “123456,” followed by “password.”
Therefore, rather than continue pushing a failed password strategy, the industry should adopt something that actually works, the researchers argue.
“Our model yields detailed results; it indicates that any strategy that rules out weak passwords or re-use will be sub-optimal,” the paper says.
The researchers also argued that a password grouping strategy is more secure than a password manager, which stores passwords and their corresponding site URLs in the cloud and lets people access the information using a single master password.
“If the master password is guessed or used on any malware-infected client, or the cloud store is compromised, then all credentials are lost,” the paper said.
Indeed, researchers at the University of California, Berkeley, studied five password managers and found vulnerabilities that could be exploited to gain access to master passwords. The vendors studied included LastPass, RoboForm, My1login, PasswordBox and NeedMyPassword.
Although the latest research focuses on individuals, it has implications for business.
Companies are making a website or corporate network less secure if they require employees to use complex passwords that are difficult to remember and have to be changed every three months, Avivah Litan, analyst for Gartner, said.
In those cases, users will counter the security measure by writing down the password or storing it in a digital address book that could get hacked.
“You need to strike a balance between customer convenience and security and that balance is struck by having other measures besides passwords,” Litan said.
Businesses should also have technology in place that monitors login behavior and user activity to watch for anomalies that would indicate malware or hackers.