Comments on: Numeric Password Follies

By: Dr. Jose A. Wong - Perez

Dr. Jose A. Wong - Perez — Wed, 26 Sep 2012 13:01:47 +0000

…Thanks for the good article and Per Thorsheim links to enhance this particular keynote…Thanks for sharing

0 likes

By: Per Thorsheim

Per Thorsheim — Wed, 26 Sep 2012 04:59:30 +0000

Sure, having a 4-digit PIN on your phone and a real password at the website would be much better. Together with Jeremi Gosney we created some infographics on the Linkedin leak, clearly showing that many people use association elements to the service in question when creating their passwords, or PINs in general. In the Linkedin case, the use of “blue” in passwords were much higher than any other color word. The primary logo color of Linkedin is …. blue.

Blacklisting top100 PINs, like the list created by Bonneau/Cambridge, would be somewhat reasonable today – from a isolated security perspective. That is; until users start complaining (by phone/mail), and/or start initiating password resets that may genereate extra cost for them and the service provider. Even without any financial cost, I’ll bet users won’t be happy, no matter how you explain security to them.

I fully believe that implementing better rate-limiting on the server side will give better security than applying restrictions onto end users.

Instead of putting restrictions on end users, why not give them the ability to use <= length 64 passwords and explain to them why using long & unique passwords is a good idea, perhaps in combination with a password manager?

There is lots more to be told, which is why I am organizing this passwords conference for the third consecute year.

0 likes

By: Andy Balinsky

Andy Balinsky — Tue, 25 Sep 2012 21:32:54 +0000

Excellent comments, Per. I agree that usability is a key concern. In the case that prompted this article, it does not seem necessary for the PIN to be identical on the phone and the website to achieve usability. Could it not be similarly usable if you had a numerical PIN on the phone, and a more complex, but still memorable password for the website?

Your list of resources is excellent. I enjoyed the paper by Joseph Bonneau on user-selected PINs. It confirms my assertions that users are terrible at choosing strong numerical PINs, but also indicates that blacklisting common PINs can be effective in cases where 1) attackers get only a small number of guesses (e.g. 3 or 6 tries at an ATM for a bank card) and 2)attackers do not know the birthdate of the victim.

They recommend that users do not base PINs on birthdays, and that banks may need to prevent users choosing PINs to completely avoid birthday-based guessing attacks.

I wish you luck with your Passwords 12 conference in December. Hopefully it will serve to raise awareness of the importance of password policies.

0 likes

By: Per Thorsheim

Per Thorsheim — Tue, 25 Sep 2012 19:30:19 +0000

Andy;
Good article, although I do not agree on everything. Usability, or should I say security usability, should be a key concern for almost all service providers who considers using PINs as part of the authentication process.

There is more research on PINs available:
Joseph Bonneau (& others) from Cambridge have done some nice work in this area: http://www.cl.cam.ac.uk/~jcb82/

Presentation on PIN codes at Passwords^10 by Howard Smith (Oracle UK): http://ftp.ii.uib.no/pub/passwords10/Howard_Smith_at_Passwords10.mp4 (720p MP4 file, 509MB)

Last but not least:
Passwords^12. A 3-day conference *only* about passwords & PIN codes. December 3-5, Oslo, Norway. Some of the very best password crackers & more coming together to discuss and present more than you ever knew about passwords. More info here:
http://securitynirvana.blogspot.no/p/passwords12-practical-info.html

Best regards,
Per Thorsheim

0 likes