Password Strength is not Password Security
Kevin Marino
November 11, 2013

MSCC697, Regis University

Professor Garcia

Password Strength is not Password Security When password security becomes the topic of conversation it generally focuses on how strong a password is and whether or not the user reuses a password across multiple sites. While these aspects can affect password security, there are certain measures that the server side of the authentication process can implement to increase security without the user changing their habits. This approach would solve many of the security problems that authentication servers are facing. The goal of this study is to determine a set of best practices that can be implemented to increase security without the intervention of the user. While passwords may not be around forever, due to the introduction of new authentication hardware, they will be around until one of these hardware become mainstream and readily available to the general public. These practices will offer greater security until that time comes. User authentication in today's world generally requires a user name and a password. Though the strength of the user's password is generally seen as the base line for security, the authenticating server can implement certain security measures that can compensate for weak passwords. One main factor for considering different security measures is the advancement of brute force attack techniques on passwords. These techniques make even very strong, by accepted standards, random character passwords susceptible to being cracked through brute force cracking techniques (Gosney, 2013). With the number of services requiring log in credentials, often comprising of a password, the risk of account compromise grows, leading to the need of more secure authentication techniques. There are a number of alternative authentication techniques, such as biometrics, certificates, and tokens, however, these are not the within the scope of this problem. Xiong, Jianwei, Muhammad, and Junguo (2013) offer a scheme to for smart card based authentication that is secure and very user friendly, however this study doesn't account for the lack of smart card readers on client systems. These solutions require that user hardware be modified and the current authenticating scheme within the server be changed to accommodate these new technologies. The problem at hand is how to make minimal adjustments on the server side of the authentication process to allow clients the use of easy to remember, non-random, passwords considered weak by today's standards while also increasing the the security of the authentication process. The purpose of this research is to provide best practices regarding password security, that if adopted by authenticating entities, will allow their clients to use easy to remember passwords while decreasing the risk of compromise of the client's account. There are a number of best practices with regard to password security on the client side, which studies have shown that most users rarely implement. One of these best practices is the use of unique passwords between multiple sites (Duggan, Johnson, & Grawemeyer, 2012; Campbell, Ma, & Kleeman, 2011; Brown, Bracken, Zoccoli, & Douglas, 2004), which may be the most ignored practice by users. Brown et al. (2004) estimates that two thirds of passwords are used across multiple accounts. These studies all show the bad practices used by clients, however, they do not account for practices used by attackers. Even the most complex password with regard to password strength is of no match to attack techniques that involve key-loggers and password sniffers (Stross, 2010) and only slow down brute force techniques on hardware that can execute 350 billion password guesses per second (Gosney, 2013). The Gosney (2013) attack is an offline attack, meaning that the password list has been retrieved from the authenticating server. If the authenticating entity puts measures in place to properly safeguard this list, this threat can be avoided. Gosney's (2013) attack also depends heavily on the hashing algorithm used to store the passwords. The same system that can perform 350 guesses per second can reduced to less than 18 thousand per second by changing the hashing algorithm. A 6 character password, with 94 possible characters, can be guessed in half an hour with one hashing algorithm, while changing the algorithm reduces this to about 443 days. This shows one simple change that the authenticating service can make to greatly increase the security of even simple passwords. Thangavel and Krishnan (2010) address the issue of hashing. There research shows the importance of choosing the proper hashing algorithm to use when storing passwords. This directly confirms the statements made earlier. However, Tangavel and Krishnan (2010) also suggest a scheme to help the users with their bad habits. The scheme that is suggested involves the authenticating server using a random password generator to issue their users a password, along with periodically issuing a new password. This issue with this scheme is the memorability of the issued passwords. Users may be more likely to write these passwords down, or even worse, storing these passwords in a file on their computer with all of their issued passwords, completely negating the benefits gained from this scheme. Stross (2010) discusses the differences in password requirements between different domains of sites. He mentions that a trend is the more sensitive the information is, the more lax the restrictive password composition policies are. This means that financial institutes will allow a weaker password than a social networking site. The suggestion behind the phenomenon is the fact that servers that house more sensitive data implement more password security measures, not relying on the strength of the password for security. Tam, Glassman, and Vandenwauver (2010) explore the reasons why users ignore good password behaviors. Their study shows that users are aware of what is good and bad with regard to password security and they choose bad practices. The user perceives that the risk to their account being compromised is very low. Since the user is choosing bad password practices, it can be assumed that even educating them on the risks associated with their password choices will not make a difference. For this reason, it should be on the authenticating entity to secure their users information to provide a better experience for their users. It has been shown that websites vary greatly amongst each other with regard to password policies (Furnell, 2007). These websites vary their password restrictions, some allowing shorter passwords while others requiring longer passwords with a mix of alpha numeric characters. These websites also differ in password recovery schemes. The majority of the websites in the study would send a link to the user's email to allow the user to reset their password (Furnell, 2007). This scheme is especially dangerous, as a compromised email account could lead to numerous other accounts being compromised, even if the user uses good password practices. Brown et al. (2004) found that users use personal information when generating passwords, such as birth dates, family member's and significant other's information, and pet information. This scheme makes passwords very easy for the user to remember, however, it also makes them easier to guess. This increases the risk to user's accounts through social engineering and can lead to cross-site impersonation attacks, as the user's passwords are all related to personal information. They also found that users will forget their passwords for infrequently accessed accounts. This increases the need for secure password retrieval policies, which contradicts reality according to Furnell (2007).

Restrictive composition policies are a common practice among authentication entities to help enforce good password practices in their users. However, Campbell et al. (2011) state that these policies have no effect on user behaviors. These policies only slow down brute force attacks, however, with the increase in password cracking power shown by Gosney (2013), these policies do not slow the attack process down enough. Campbell et al. (2011) also mention that these policies don't actually increase the security of the system and system administrators should not rely on these policies alone for security. The Campbell et al. (2011) suggests a study of this nature to be conducted to assist system administrators in making the best choices with regard to password security. Acar, Belenkiy, and Kupcu (2013) suggest an authentication scheme that would allow for clients to maintain a single password for all of their accounts that, if discovered, would prevent attackers access to other accounts through cross-site impersonation attacks. The problem with this solution is it requires the client to implement the use of cloud services or a secondary device. This single scheme has the ability to fulfill the problem associated with this research. The major downfall to this scheme is the necessity for secondary equipment, requiring habit changes by the user. The scope of this research is to determine best authentication practices that only affect the server side without requiring a change by the user an making password creation and remembrance easier on the user. While there are many problems with user password habits, there are somethings that the authenticating entity can implement to compensate for some of these short comings. It has been shown that choosing the correct hashing algorithm can greatly increase the security of simple passwords. This is just one thing can be implemented to compensate for user habits. There has been a lot of research and reports on what users can do to increase the security of their accounts, however, Campbell et al. (2011) and Tam et al. (2010) have effectively shown that users choose to have bad habits. If the user isn't going to put forth the effort of increasing their security, then it is the responsibility of the service provider to protect their customers. This area of password security has had little attention. There are numerous studies that focus on the users and their behaviors and securing the password during transmission, but little work has been published on the aspect of the best practices for authenticating servers. It has been noted that more sensitive information requires weaker passwords than the protection of less sensitive information, but little has been done to explain this phenomenon. This work will fill the gaps in the knowledge base of authenticating server security. Even though it is quite possible that passwords will be replaced in the future by some other authentication technique, smart cards or biometrics are some of these techniques, this work will provide increased security until that time comes.

References
Acar, T., Belenkiy, M., & Kupcu, A. (2013). Single password authentication. Computer Networks, 57(13), 2597-2614. doi: 10.1016/j.comnet.2013.05.007

Brown, A., Bracken, E., Zoccoli, S., & Douglas, D. (2004). Generating and remembering passwords. Applied Cognitive Psychology, 18, 641-651. doi: 10.1002/acp.1014

Campbell, J., Ma, W., & Kleeman, D. (2011). Impact of restrictive composition policy on user password choices. Behaviour & Information Technology, 30(3), 379-388. doi:10.1080/0144929X.2010.492876

Duggan, G., Johnson, H., & Grawemeyer, B. (2012). Rational Security: Modelling Everyday Password Use. International Journal of Human Computer Studies, 70, 415-431. doi: 10.1016/j.ijhcs.2012.02.008
Furnell, S. (2007). An assessment of website password practices. Computers & Security, 26, 445-451.
Gosney, J. (2013, December). Password cracking HPC. In Passwords^12 Security Conference.
Stross, R. (2010, September, 5). A strong password isn't the strongest security. The New York Times, p. BU3.
Tam, L., Glassman, M., & Vandenwauver, M. (2010). The psychology of password management: A tradeoff between security and convenience. Behavior & Information Technology 29(3), 233-244. doi: 10.1080/01449290903121386
Thangavel, T. S. & Krishnan, A. (2010). Efficient secured hash based password authentication in multiple websites. International Journal on Computer Science & Engineering, 2(5), pp 1846-1851.
Xiong, L., Jianwei, N., Muhammad K. K., & Junguo, L. (2013). An enhanced smart card based remote user password authentication scheme. Journal of Network & Computer Applications, 36(5), 1365-1371. doi: 10.1016/j.jnca.2013.02.034