As technology gets better, it often also becomes more complicated for the average user. The balance between security and convenience is a constant battle. Passwords are a good example, as a password is access control at it’s most basic. Passwords restrict access to many things, providing protection to information.
IT specialists agree that more complex passwords provide greater security. A good password now must be eight characters or more, with a combination of uppercase and lowercase letters, combined with numbers and special characters. Security specialists know that as passwords become more complex, people tend to not be able to remember them, so they write them down and hide them. It’s no secret that passwords are hidden under calendars, under telephones and in the Rolodex under “c” for computer or “p” for password.
The Emerging Password Threat
Now a new threat has emerged. The original concern of the written down password being found has been replaced by the concern of the password being retrieved.
As passwords continue to get more complicated, procedures to retrieve forgotten passwords have been developed for the user. The procedure generally involves the use of “secret questions” that must be answered to either provide the password or to reset the password.
A recent paper presented by Ariel Rabkin of UC Berkeley addressed the new threat.
A study of online criminal markets has found that stolen bank login credentials are highly valued by criminals. To meet this threat, banks have developed increasingly sophisticated authentication methods, including a requirement for a user to pick a “strong” password, not easily guessed by an attacker. To meet the balance between security and convenience, banks often couple their password authentication with some sort of “lost password” mechanism, which users can fall back on if they have forgotten their passwords.
A solution used by many banking sites has been to rely on security questions. These come in two varieties. One sort of question asks about sensitive (though not necessarily private) information such as Social Security and bank account numbers, and ATM PIN codes. Another set of security questions, personal security questions, ask about personal history and family background, such as one’s mother’s maiden name. Personal security questions, in turn, can be divided into those selected by the user from a menu of choices, and those specified entirety by the institution, such as zip codes, mother’s maiden name or date of birth. Use of these types of questions benefits the user, as they are typically unambiguous and involve easy-to-remember answers.
When Rabkin sampled actual questions used by institutions, names of friends and family were a common topic. After gathering over 200 questions from different sites, there were 34 questions about first names, 13 about middle names and 10 about last names and nicknames. Four sites out of eleven sampled asked about grandmother’s first names, six asked the name of your favorite pet, while mother’s maiden name came up three times compared to four each for high school mascot and favorite sports team.
Social Networks’ Dirty Little Secret
Facebook is technology on a crash course with password authentication. How is Facebook a threat? A little bit of knowledge goes a long way. An overwhelming majority of today’s college students and recent college graduates maintain an account at a social networking site, such as Facebook, MySpace or LiveJournal. These sites allow users to expose structured information about themselves, such as their educational background, age, birthday, friends via their personal profiles. Also note that social networking sites are not typically viewed as needing strong protection, and may represent a privacy risk to users.
Public posting of private information can help an attacker gain the knowledge necessary to answer the security questions and allow forgotten password access to an account. Rabkin noted, “Roughly 12 percent of our sample was automatically attackable, meaning that the answers to those questions could be found on a social networking site.”
A great deal of other personal information used for authentication, such as date of birth or ZIP code can also be found in public records, again easily accessible on the Internet. An attacker who knows the victim’s identity can get answers to job related questions by viewing commonly available employer Web pages posting bios, staff resumes and the like.
An online account that I have asked me to verify “security questions” – my questions were: “Who was your first employer (first job)?” and “What is the last school you attended?” The answer to both of these questions could be easily found on many Facebook pages.
As we make things more secure, password retrieval protocols increase the options that the bad guys have to get at the things we value. Know what of your personal information is accessible through the Internet. We teach children to be careful not to expose too much information about themselves on the Internet; perhaps we should be teaching adults the same thing.