Should systems force the user to create a strong password?

46

I’ve been wondering why some systems require such strong passwords.

Example:

  • Minimum of 8 characters
  • Uppercase and lowercase letters
  • Numbers
  • Special characters

In many places they say that strong passwords ensure greater system security and help prevent algorithmic attacks such as brute-force attacks (an algorithm capable of discovering short passwords) and, in turn, dictionary attacks.

Banks, for example, use 4-digit passwords, and these passwords are numeric only.

I think strong and complex passwords make it very difficult for the user to log in, because of the difficulty of remembering which password you created.

Why use such complex passwords? Wouldn’t that make it difficult for the user to remember the password when returning to the system? Is a password without the criteria mentioned above considered weak?

  • 20

    It comes down to this image

  • 8

    I will make a comment just as a matter of opinion: this is not a matter of User Experience, this is a security issue. The common user does not understand security issues; he does not know that "brute force" software can break weak passwords quickly. The reason this exists is that UX cannot keep up with a basic need of the modern world.

  • 3

    Because with a credit card you can make a purchase using only a 3-digit numeric password?

  • As a complement to @Everson’s comment, I leave as a suggestion a good technique for generating passwords, Diceware https://antivigilancia.org/wordpress/wp-content/uploads/2015/06/diceware_ptbr.pdf, created by Arnold Reinhold, and an instructive explanation https://theintercept.com/2016/12/29/passwords-faceis-para-Voce-memorizar-e-que-nem-a-nsa-can’t-unravel/

  • 1

    My banks require multiple checks. The account or card, which is something more complicated to get from someone. The password. A fixed or variable token for operations that go beyond queries. A data check. Not counting the usage pattern check. It is complicated to use bank authentication.

  • 2

    I also agree that it’s a UX question. Educating people is great, but it creates little monsters: an absurdly common trap is that, lately, everything that requires authentication is "found the last cookie in the package". Long, strong passwords are great, but does your rock forum really need to demand passwords composed of symbols and numbers? Does your non-interactive recruitment site really need a second authentication factor? The fact is that there is a lot of exaggeration in this. Security is also functionality: it should be used where it matters, not by default.

  • 1

    With a strong password you are not protecting the user but protecting the system or the organization. Very strong passwords, however (16 chars, alpha, special etc.), end up being weak (my opinion) because the user writes it down somewhere, under the keyboard for example....

  • 2

    The security you want to implement depends solely on the risk you are willing to take.

  • Just to reinforce I ended up reading this today that in a way has a little to do with the theme: Know the device capable of unlocking any iPhone 7


3 answers

53


Banks afford to allow you to use weak passwords for two reasons:

  • They can lock your password with impunity without losing you as a user.

Not that it’s bad. After all, it’s your money they’re protecting.

If Google or Facebook blocked your password every time they thought something went wrong with your account, you’d probably be sick and tired of having to change it all the time. You would eventually give up using their services and your social networks (and remember, for them you are a source of income, not a customer, so they want you using these things).

But if you can’t use your debit card, you’re so fucked that you will make the effort to go to the nearest branch to resolve this as soon as possible. This is strongly related to the next reason:

  • They have a way to validate very accurately that you are who you say you are.

If you need to create a new password for Xvideos because you forgot yours, you can’t go to the nearest Xvideos branch because it doesn’t exist. They have to use your email, which is a mechanism that may be compromised, to restore your access.

At a bank, on the other hand, you have to present yourself with your documents. This is not impossible to cheat, but it is much more difficult, so the degree of confidence is greater.


That’s why banks give you the luxury of using weak passwords. They will lock your password if anything goes wrong. They will block you even in cases of a false positive (it has already happened to me). As you can see, the choice between allowing weak passwords and requiring strong passwords by institutions and large companies that have a lot to lose/protect is a matter of balance between practicality and risk.


As to what makes a password strong or not: there is no unbreakable password, but what separates a good password from the password that your lay relatives usually use is the time that a hacker would take to break it.

Consider the following passwords:

  • 0004071974
  • sSashaGrey
  • Tododia7a1
  • $7@CK 0V3R

They all have the same length. However, to make a brute force attack on each one, we would need the following number of combinations:

  • For the first password, which only uses numbers, 10^10 attempts. A high number, but nothing that a computer cluster with multiple GPUs each couldn’t chew through in a short time nowadays. 10,000,000,000 combinations.
  • For the second password, we have only letters. The number of combinations is now 52^10 (for our alphabet, considering that letters can vary between upper and lower case), a considerably larger sample space. This gives 144,555,105,949,057,024 combinations.
  • For the third password, we have letters and numbers. There are 62^10 combinations, or 839,299,365,868,340,224 attempts at worst. Compare with the combination just above.
  • For the final password, assuming we limit ourselves to the ASCII table, we have ninety-four usable characters, so we have 94^10 possible combinations, or 53,861,511,409,489,970,176.

Let me list just the amounts of possible combinations, one on top of the other, so you can feel the pressure:

  • 10,000,000,000
  • 144,555,105,949,057,024
  • 839,299,365,868,340,224
  • 53,861,511,409,489,970,176

And that’s if we’re nice to the hacker and limit all passwords to exactly ten characters. The right thing is to allow variable length, because then the number of possible combinations is the sum of the combinations of each possible length.

Here a "but" applies: the strength of passwords is not limited by the forms you allow, but by the forms you require. If you allow your users to use all of the above forms but make no demands, in practice most people will use the first or second form. Because, in general, the criminals of today are more interested in breaking a lot of passwords at once instead of hacking the accounts of some anonymous person out there, criminals would be content to try to guess by brute force only a fraction of the passwords in their database. It would be enough for them to use brute force to break only the passwords of the first and second types.

P.S.:

Why use such complex passwords? Wouldn’t that make it difficult for the user to remember this password when returning to the system?

Most people nowadays always browse from the same device, and it keeps the password for the person, removing the restriction of difficulty remembering the password for most cases.

  • 3

    And also, because you need (at least with my debit card) to go to an ATM in order to use it, there is a 2-step validation: first it checks the chip of the card and then asks for the password or fingerprint. Obviously the place is monitored, so there is no way for a hacker to be there trying brute force on protected equipment, so they use dynamite :P

  • "and it keeps the password for the person, removing the restriction of difficulty remembering the password for most cases" - that is the danger. What if the person needs to access another device, or needs to change or format it? Of course, in the case of Chrome (which nags you until you log in) this is not a problem, until you forget your own password...

  • @Everson but imagine the weakest password of all in the world of cards, the credit card CVV. Only three numbers...

  • 1

    @diegofm it’s that story of practicality vs. risk. For most people losing browser passwords is not so severe, nor does it occur frequently.

  • 7

    +1 sSashaGrey

  • 1

    In your second example, if you differentiate between upper and lower case letters, the space to be searched is 52^10; in the third, upper and lower case letters plus digits make 62^10; and in the last, there are only 94 "visible" characters in ASCII (codes 33 to 126). Adding space (ASCII 32), the search space in this case is 95^10.

  • @Wtrmute thanks! I had fixed the first two bugs, but the third went unnoticed. I will adjust :)

  • @Renan I’ll add an extra reward here, I think more than deserved

  • 1

    @Marconi thanks :)

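The keyspace arithmetic from the answer above, as an added worked example (not code from the original post): it classifies a password into the answer's alphabet tiers (using 95 printable characters for the last tier, per the correction in the comments), computes the fixed-length space and the variable-length sum the answer mentions, and converts the result to a worst-case cracking time. The guess rate of 10^10 per second is an assumption, not a figure from the page.

```python
import string

# Constructed sample input: the four ten-character passwords from the answer above.
SAMPLE_PASSWORDS = ["0004071974", "sSashaGrey", "Tododia7a1", "$7@CK 0V3R"]

# All 95 printable ASCII characters: 94 visible ones (33..126) plus space (32).
PRINTABLE_ASCII = set(string.printable) - set("\t\n\r\x0b\x0c")


def alphabet_size(password: str) -> int:
    """Alphabet an attacker must search, using the answer's own tiers:
    digits only -> 10, letters only -> 52 (case-sensitive), letters and
    digits -> 62, anything else -> all 95 printable ASCII characters."""
    if not password or any(c not in PRINTABLE_ASCII for c in password):
        raise ValueError("expected a non-empty printable-ASCII password")
    has_digit = any(c in string.digits for c in password)
    has_letter = any(c in string.ascii_letters for c in password)
    has_other = any(c not in string.digits + string.ascii_letters for c in password)
    if has_other:
        return 95
    if has_letter and has_digit:
        return 62
    if has_letter:
        return 52
    return 10


def keyspace_fixed(alphabet: int, length: int) -> int:
    """Candidates when the attacker knows the exact length: alphabet ** length."""
    return alphabet ** length


def keyspace_upto(alphabet: int, max_len: int, min_len: int = 1) -> int:
    """Candidates when only a length range is known: the sum over every
    allowed length, which is why a variable-length policy enlarges the space."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def worst_case_seconds(candidates: int, guesses_per_second: float) -> float:
    """Time to exhaust the whole space at an assumed guess rate (an assumption,
    not a measurement); the expected time is about half of this."""
    return candidates / guesses_per_second


def summarize(password: str, guesses_per_second: float = 1e10) -> dict:
    """Keyspace figures for one password, for fixed and for variable length."""
    a, n = alphabet_size(password), len(password)
    fixed = keyspace_fixed(a, n)
    return {
        "alphabet": a,
        "fixed_length": fixed,
        "upto_length": keyspace_upto(a, n),
        "worst_case_years": worst_case_seconds(fixed, guesses_per_second) / (365 * 86400),
    }


if __name__ == "__main__":
    for pw in SAMPLE_PASSWORDS:
        s = summarize(pw)
        print(f"{pw!r}: alphabet {s['alphabet']}, exactly 10 chars: {s['fixed_length']:,}, "
              f"1..10 chars: {s['upto_length']:,}, worst case at 1e10/s: {s['worst_case_years']:.3g} years")
```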

8

As others have already answered very well from a technical point of view, I will answer from the UX point of view.

Why do some systems require such strong passwords?

Because there is a legitimate concern with the safety of users, and also with the company’s business. No matter what service you are offering (withdrawal of your own money or access to memes on Facebook, for example), if a user’s account is stolen, that user will not be the only one having problems. The overall perception of the quality of the service will be affected in a short time, as the user will certainly share this occurrence with their peers. Moreover, while from the individual’s point of view the worst that can occur is the theft of their data/goods, from the company’s point of view the worst is identity theft: by impersonating someone they are not, the criminal will find it easier to steal from more users using social engineering (impersonating a Facebook friend, for example) and will help the problem grow exponentially.

The solution used, then, is to make unauthorized access as difficult as possible, even to the detriment of other qualities (more on that below). As colleagues have already answered well, complex and longer passwords are statistically harder to guess and demonstrably more difficult to break.

Wouldn’t this make it difficult for the user to remember this password when returning to the system?

Certainly. In the accepted answer it was commented that banks can allow themselves to provide short passwords because there are other (even physical) restrictions. Although that’s true, this is not the motivation. This is another legitimate concern with users and business. A shorter password is potentially easier to remember, but the most important thing is that it’s faster to type it in the bank queue! Complex passwords require not only more complex (and expensive) equipment, but also more complex procedures. For example, the ATM numeric keypad occupies less physical space than an alphanumeric keypad; moreover, the user does not need to hold SHIFT to enter a different character. That is, the bank’s concern is to make you wait less time in the queue because this is good for you and (mainly) for the bank, since it shortens the queues and allows use by more customers.

In fact the ideal for a bank would be not to need any password, because any typo also generates delays (<irony>ah, yes, of course, let’s not forget the user, who would no longer need to remember anything</irony>). No wonder that even Banco do Brasil now has ATMs with fingerprint or palm readers...

Should systems force the user to create a strong password?

No, they shouldn’t. In fact, my answer to that question is the suggestion to exchange a single word: Systems should help the user to create a strong password.

First of all, it is in the user’s interest that their profile, data and assets are kept safe, so people naturally feel motivated to act to increase security. For example, do you want more intrinsic motivation than being forced to change a password every 6 months, using a minimum length of 8 characters, at least 1 digit and 1 symbol, not being able to repeat the last 3 passwords used, and still continuing to use the service? (Unfortunately it is a real case...) In other words, people tend to use the passwords that a company requires even if it makes their life hell. This makes me believe that if this process is made easier, they will continue to have this interest (contrary to what may be believed out there).

Secondly, it is already widely known that overly complex passwords are bad not only for the user experience, but also for system security. If the user is forced to use a password that is difficult to remember (especially when the creation process is obscure to them), there are great chances of them writing it down, reusing the same password in several different systems, and especially forgetting it and needing to change it. Studies have shown, for example, that forgetting passwords does not result from age, as common sense may lead one to believe, but from the number of passwords used by the individual and the different contexts in which they are used (study reference: Passwords Usage and Human Memory Limitations: A Survey Across Age and Educational Background). In other words, the more passwords a person needs to remember, and the more out of context they use each of those passwords, the more people will forget the passwords and need to constantly change them.

So the ideal would be for designers to build systems so that users are allowed to build passwords freely, but are instructed to do so using real sentences that are personally meaningful in the context of using the system. For example, users could be shown that a strong password for a literature website is not an excerpt from a Shakespeare book (which everyone may know), but a phrase of their own that expresses how they feel about the service.

For example, consider the phrase "The book I like best by George Orwell is 1984!". It is relatively easy for the user to remember because (1) it was they who chose it freely; (2) it is meaningful to the individual; and (3) it has a lot to do with the context of system use. One could argue that this reduces security because that information can be known by other people. But although this may be true, the phrase is sufficiently complex, in the sense of the number of permutations, to make guessing it exactly enormously difficult. And in practice, this is what happens anyway: if the bookstore used the same tactics as the bank, this user’s password would probably be just "1984". :)

  • 1

    I wish I could give multiple upvotes, especially for "In fact my answer to this question is the suggestion to exchange a single word: Systems should help the user to create a strong password." But with respect to the bank password: I have distinct passwords for the ATM and Internet Banking at two banks. The ATM ones are really simple and short, but the Internet Banking ones are not. One of them even has special characters, which is not possible at the ATM.

  • I will remember my passwords according to the last paragraph, great idea :). @Luiz do you think I should change the title of my question? I’ve already left my +1, excellent response.

  • 1

    It is because on your Internet there is no queue @Renan. :)

  • 1

    Thanks @Marconi. But I don’t think it’s necessary to change anything in your question.

8

In my opinion, no, and I will explain why:

Overall, there are 2 main targets, the "User" and the "System".

However, most attacks targeted at a "User" have as their real objective obtaining information that will be used to attack a "System".

In open systems the attacker doesn’t even need to attack a "User" first in order to attack the "System"; he himself can create a "User" and from it explore possible flaws. Unlike closed systems, where you will target a "User" or the "Network" to try to exploit the "System".

In both cases, the "User" is not prepared to defend themselves from an attack if they are the target. Most attacks made on ordinary "Users" are carried out through "Social Engineering", so no matter how long or complex the password is, if the attacker, through "Social Engineering", manages to gift the "User" with a trojan, the password has been broken at the "User" level.

In relation to the comparison you made with the bank, the system involves a number of other policies besides the password itself. For example, as was said, credit cards use 4 digits, but in fact the credit transaction, depending on the medium, does not even need the 4 digits, only the card data; however, the "System" is able to assess whether this purchase is within the "User"’s usual patterns and take the necessary measures if the operation is suspicious.

In short, in the case of the "User" (UX), I do not believe that forcing a complex password is essential to security; in relation to the "System", this topic occupies extensive literature.

  • "In open systems the attacker doesn’t even need to attack a "User" first in order to attack the "System"; he himself can create a "User" and from it explore possible flaws." But it’s much better when you take the Admin password :D

  • If the Admin password compromises the entire system, something needs to be reviewed, and from what one sees day to day, we realize how many are vulnerable. From what I’m seeing in (GRC), it’s what you said: the lower the risk, the higher the cost (monetary and bureaucratic)...

  • @Magichat When you say attacks on a User, are you talking about XSS attacks? By "the "System" is able to assess whether this purchase is within the "User"’s usual patterns and take the necessary measures", do you mean the Anti Fraud companies?

  • 2

    @Marconi user as the human user of a system: the system defends itself from XSS, the user defends himself from social engineering. At another point, understand system as a set of rules and policies that will be analyzed by an algorithm for each operation, including the Anti Fraud system. Note that my answer regarding security is very generic; the intention was to make the characters explicit and assign the responsibility for security to whom it is due, in this case the system. In this global aspect, understand system as the set of all the elements of the image diagram and not only the software.

  • A user attack can be done with social engineering too; it is even easier.

  • For social networks the use of complex passwords can really "discourage" the user from using their services. Banks, it is what it is... They have cards, chips, lockout after N attempts, among other authentication features. But there are also other open systems that should consider the use of complex rules for passwords, in my view. A good example would be the SERASA website, where there is bank information, notary records, etc. Laboratories that offer the retrieval of medical examination results via the web as well. Whether or not to use complex rules will depend on how critical the information is.
