about passwords and web security in general

The topic of passwords never gets old. A password is the unique string a user has to enter into a website so that the site's system knows who the user is. But you already know that, of course.

In the beginning passwords could be anything from a single letter to 20 characters. Then password policies got a little stricter: most websites required at least 4 characters, and later the minimum was raised to 6. In the last few years some websites have raised the minimum to 8 characters, and others have added further requirements such as having both upper- and lower-case letters and numbers in the password.

That is all good and going in the right direction; however, users are not happy about it at all. Many users are so frustrated when they try to register on a website and are asked to change their password and add numbers to it that they simply don't bother. That way the website owner loses visitors and customers, and as a result loses money and reputation.

Back in the day passwords could be just anything, because there were not so many of them, and even if an account was hacked it wasn't that critical: there weren't many e-commerce websites or other services involving money. The only thing people used that could be hacked was email, and usually there was just spam in it, which wasn't valuable.

Nowadays passwords can't be just words. The web is worldwide, and that includes all the dodgy places (such as Nigeria), which means that bad people from across the world (some of you may call them "hackers", but "crackers" would be more suitable in my opinion) could attempt to log in as you and access your money or other valuable information. The attempt is more likely to succeed if your password is just a word. If your password matches the new policies (a mix of lower case, upper case, numbers, etc.), it is less likely that the Nigerians would get access to your money.

Modern crackers do not sit down and manually try each word that comes to mind. It is easier for them to write a program that automatically tries thousands of different words until it finds the right one. With thousands of crackers each trying thousands of words, you will most likely get hacked if you use something like "health" as your password.

To give you an idea of the strength of passwords nowadays, here is an analysis of the recently hacked Sony accounts:

An analysis by security researcher Troy Hunt revealed that two-thirds of users with accounts at both Sony and Gawker used the same password on both sites... Half the password sample from the Sony hack used only one character type and only one in a hundred passwords used a non-alphanumeric character, much the same as revealed by the earlier Gawker hack. Only 4 per cent of these passwords had three or more character types.

Read the complete analysis here.
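To make the two ideas above concrete (the stricter "8 characters with upper, lower and a number" policy, and the "character types" statistic the Sony analysis counts), here is an added Python example written for this post; it is not code from the post or from Troy Hunt's analysis. It classifies a password by the character classes it uses, checks it against that policy, computes the size of the search an exhaustive guesser would face, and reproduces the three quoted statistics over a constructed sample. The guess rate used for the time estimate is an assumed placeholder, not a figure from the post.

```python
import math
import string

# Character classes used by the policies described in the post and by the
# Sony/Gawker analysis: lower case, upper case, digits, non-alphanumeric.
# Characters outside all four (spaces, non-ASCII) count toward length only.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32 printable ASCII symbols
}

# Assumed guess rate for the time estimate; a placeholder, not a figure from
# the post (cracking speed varies enormously with the hash algorithm used).
ASSUMED_GUESSES_PER_SECOND = 1_000_000_000


def character_classes(password):
    """Names of the character classes present in the password, sorted."""
    return sorted(name for name, chars in CLASSES.items()
                  if any(c in chars for c in password))


def meets_policy(password, min_length=8):
    """The stricter policy from the post: at least min_length characters
    containing lower case, upper case and a number."""
    present = set(character_classes(password))
    return len(password) >= min_length and {"lower", "upper", "digit"} <= present


def keyspace(password):
    """Number of strings of the same length drawn from the classes the password
    actually uses. That is the work an exhaustive guesser faces if it knows the
    length and the classes; a dictionary word falls far below this bound."""
    alphabet = sum(len(CLASSES[name]) for name in character_classes(password))
    return alphabet ** len(password)


def seconds_to_exhaust(password, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case time to try the whole keyspace at the given guess rate."""
    return keyspace(password) / guesses_per_second


def classify_sample(passwords):
    """The three statistics quoted from the Sony analysis, over a sample:
    share using one character type, share containing a non-alphanumeric
    character, share with three or more character types."""
    n = len(passwords)
    classes = [character_classes(p) for p in passwords]
    return {
        "one_type": sum(1 for c in classes if len(c) == 1) / n,
        "non_alnum": sum(1 for c in classes if "symbol" in c) / n,
        "three_plus": sum(1 for c in classes if len(c) >= 3) / n,
    }


# Constructed sample for illustration, not data from the Sony breach.
SAMPLE = ["health", "1234", "Health7", "Tr0ub4dor&3",
          "password1", "SUMMER", "l3tm3in", "Qwerty!9"]

if __name__ == "__main__":
    for pw in SAMPLE:
        print(f"{pw!r:16} classes={character_classes(pw)} "
              f"policy={meets_policy(pw)} keyspace=2^{math.log2(keyspace(pw)):.1f} "
              f"exhaust={seconds_to_exhaust(pw):.3g}s")
    print(classify_sample(SAMPLE))
```

Note that keyspace is only an upper bound on the guesser's work: "health" is a dictionary word, so a word-list attack finds it in a few thousand guesses, far fewer than the 26^6 strings of its class and length. That gap is exactly why the post's policy pushes users toward mixed character classes.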

So the crackers are currently way ahead of users. If a user with a weak password becomes the target of an experienced cracker, it is just a matter of time before the cracker gets illegal access.

If something like that happens, legally it is entirely the user's fault for using that weak password, and the website can't be held liable for any damages. Users don't know that; they think that if something happens it is the website's fault, not theirs. They want their data, money, etc. to be secure, but at the same time they want to use "1234" as their password. That is the problem.

Possible solutions to this problem are universal cross-website online identities such as OpenID. However, they are still not bulletproof.

Another problem is that even complex passwords will not be that secure in the near future, as crackers keep improving and using ever faster software (some of it running on graphics cards) with more and more words in their databases.

In my opinion the whole username/password login model must change in the future, because it will soon be useless. I don't know what we should use instead. We can't rely on low-level limits (such as tying a user to an IP address), because we live in the mobile era, where phones change their IP address with every cell they register on.

I can't think of a better identification mechanism. Can you?