I spent a frustrating 5 minutes this weekend enduring a forced password change on a retirement account containing $400. I was sure that the randomly generated and completely unmemorizable string my password utility came up with exceeded 7 characters, contained upper and lower case letters, at least 1 number, and a special character. It finally sunk in that the detailed password complexity policy only considered 3 characters as special ones, an inexplicable avoidance of entropy that was incompatible with my automated choice of the underline character. What a useless exercise.
Speaking of password compromise, it had recently been reported that some individuals believed their email addresses had been compromised through Dropbox. After an investigation, Dropbox has determined what happened, explaining in a July 31 blog post:
Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts.
A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.
It seems that both a Dropbox employee and several Dropbox users had the same password within Dropbox as they had on at least one system outside of Dropbox. The passwords were stolen outside of Dropbox (my money is on password slurping malware), so no amount of password complexity on the part of Dropbox could have prevented these incidents. The only difference between a 1024 bit random string and a 3-character first name would be that one comes with a false sense of security.
As I pointed out last December, the exploit community has long recognized that a high percentage of people use the same password on multiple systems. Once somebody finally comes up with an acceptably complex password that they can remember, who can blame them blame them for wanting to use that password on multiple systems?
Maybe I’m being overoptimistic, given their brain dead complexity requirement, but I find it very hard to believe that the login mechanisms for my pension site, or Dropbox, would allow brute force attacks. So what’s the point of password complexity requirements, or any of the other useless and impractical policies typically associated with this fatally flawed mechanism? Its a cynical exercise in denial.
The sad truth is that passwords are a problem that nobody really wants to solve. Users want to do whatever is easiest, and don’t want to be burdened by the inconvenience of strong authentication. System owners don’t want to spend any money on stronger authentication, and lack the will to enforce an unpopular mechanism on users.
If slurping is more common than cracking, then complexity is counterproductive. We are trapped in a cynical convention in which system owners can claim that they are doing everything possible to protect their users, when in reality, they are doing everything they can to leave their users out to dry. Recognizing that a vulnerability exists, and choosing to consciously live with it and manage it is an acceptable risk management decision. Pretending that an obsolete practice has solved the problem is a cynical exercise, an institutional abrogation of responsibility that consists of dumping the hot potato of risk into the laps into a user base that has no choice but to play along if they want to participate in the economy.