It is widely accepted that users cannot be relied on for security, because security is rarely their main concern. Websites have been pushing users toward stronger passwords for years, yet weak choices like “password” or “12345” remain common. The question for website administrators remains: how can we ensure the security of the user?
A study from Microsoft Research, “An Administrator’s Guide to Internet Password Research” (available here), shows that the demands website administrators place on users are often ignored. Pushing users toward more complex passwords is largely a failing effort, and the authors suggest that administrators should do more on their own end to protect the user.
The authors suggest that a password that’s targeted in an online attack needs to be able to withstand no more than about 1,000,000 guesses.
An online attack, in which the attacker submits guesses to the live login interface, is the most common method of attack. Users’ passwords are subject to dictionary attacks, but countermeasures such as a cap on failed login attempts per account limit what an attacker can achieve, and a prompt administrator response to abnormally high volumes of failed logins limits it further. Hence the conclusion that a password only needs to survive about a million guesses, provided the administrators actually have those measures in place; without throttling or lockout, an online attacker can run far more guesses than that.
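The throttling and detection that the million-guess figure relies on, as an added example (not code from the Microsoft paper or from any product): a sliding-window lockout per account, a per-source cut-off across accounts, and a check for one source failing against many accounts, run over a constructed set of login events. The window length, the limits and the IP addresses are assumptions chosen for the demo.

```python
"""Throttling online password guessing and spotting a guessing campaign.

Added example, not code from the Microsoft paper or from any product.
Thresholds, the window length and the login events are all constructed."""
from collections import defaultdict, deque

WINDOW_SECONDS = 15 * 60   # sliding window for counting failures (assumed policy)
ACCOUNT_FAIL_LIMIT = 5     # lock an account after this many failures in the window
SOURCE_FAIL_LIMIT = 20     # refuse a source IP after this many failures, any account
SPRAY_MIN_ACCOUNTS = 3     # one source failing against this many accounts = spraying


class GuessThrottle:
    def __init__(self):
        self._by_account = defaultdict(deque)  # user -> deque of failure timestamps
        self._by_source = defaultdict(deque)   # ip -> deque of (timestamp, user)

    @staticmethod
    def _expire(q, now, key=lambda e: e):
        """Drop entries older than the window from the left of a deque."""
        while q and now - key(q[0]) > WINDOW_SECONDS:
            q.popleft()

    def decide(self, now, user, ip):
        """Say whether the password may even be checked for this attempt."""
        self._expire(self._by_account[user], now)
        self._expire(self._by_source[ip], now, key=lambda e: e[0])
        if len(self._by_source[ip]) >= SOURCE_FAIL_LIMIT:
            return "blocked_source"
        if len(self._by_account[user]) >= ACCOUNT_FAIL_LIMIT:
            return "locked_account"
        return "allow"

    def record(self, now, user, ip, success):
        """Record the outcome of an attempt whose password was actually checked."""
        if success:
            self._by_account[user].clear()   # a real login ends the account lockout clock
            return
        self._by_account[user].append(now)
        self._by_source[ip].append((now, user))

    def spraying_sources(self, now):
        """Sources that failed against many different accounts inside the window."""
        found = set()
        for ip, q in self._by_source.items():
            self._expire(q, now, key=lambda e: e[0])
            if len({user for _, user in q}) >= SPRAY_MIN_ACCOUNTS:
                found.add(ip)
        return found


def run(events, throttle=None):
    """Feed (timestamp, user, ip, password_ok) events through the throttle.

    Returns the decision made for each event; password_ok is only consulted
    when the decision is 'allow', because a refused attempt never reaches the
    password check."""
    throttle = throttle or GuessThrottle()
    decisions = []
    for ts, user, ip, password_ok in events:
        decision = throttle.decide(ts, user, ip)
        if decision == "allow":
            throttle.record(ts, user, ip, password_ok)
        decisions.append(decision)
    return decisions, throttle


# Constructed events: one source walks five accounts with eight guesses each
# (a small online dictionary attack), then a legitimate user mistypes once.
ATTACKER_IP = "203.0.113.7"
EVENTS = [
    (1000 + 8 * i + j, user, ATTACKER_IP, False)
    for i, user in enumerate(["alice", "bob", "dave", "erin", "frank"])
    for j in range(8)
]
EVENTS += [(1100, "carol", "198.51.100.4", False),
           (1105, "carol", "198.51.100.4", True)]

if __name__ == "__main__":
    decisions, throttle = run(EVENTS)
    for (ts, user, ip, _), d in zip(EVENTS, decisions):
        print(f"t={ts} {user:6s} {ip:15s} {d}")
    print("spraying sources:", throttle.spraying_sources(1105))
```

The per-account limit alone stops five guesses from reaching any one password, which is what makes the million-guess budget realistic; the per-source limit and the spraying check are what catch the attacker who simply moves on to the next account, and those are the signals the administrator has to be watching for.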
So how strong does a password need to be to stand a chance against a determined offline attack? According to the paper’s authors, it needs to withstand about 100 trillion guesses.
Offline attacks are harder to defend against once an attacker has obtained a copy of the password database, because nothing throttles the guessing except the cost of computing each hash. Defending here is entirely the administrators’ responsibility: passwords must be stored with a salted, deliberately slow hash so that each guess is expensive and cannot be reused across users, and once a breach is detected, a reset of all users’ passwords should be forced to protect the accounts that have not already been compromised. Again, the responsibility for protecting the user rests with the administrators.
Systems administrators, they say, should stop worrying about getting users to create strong passwords and should focus instead on properly securing password databases and detecting leaks when they happen.
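What “properly securing password databases” means in practice, as an added example that is not code from the paper: an unsalted fast hash, of the kind found in many breached databases, beside a salted PBKDF2 record from the Python standard library, with the same small wordlist run against both so the difference in attacker work is visible. The iteration counts, the three-user table and the wordlist are constructed for the demo; the 600,000-iteration production figure is an assumed setting to be tuned to the server’s own hardware.

```python
"""Password storage that makes each offline guess expensive.

Added example, not code from the Microsoft paper. The weak variant mirrors the
unsalted fast hashes found in many breached databases; the hardened variant uses
PBKDF2-HMAC-SHA256 from the standard library. Iteration counts, the sample user
table and the wordlist are constructed for the demo."""
import hashlib
import hmac
import math
import os

PROD_ITERATIONS = 600_000   # assumed production setting; tune so one hash costs ~100 ms
DEMO_ITERATIONS = 20_000    # deliberately low so the demo below runs quickly


def weak_record(password):
    """Unsalted SHA-1: one guess costs one fast hash and tests every user at once."""
    return hashlib.sha1(password.encode()).hexdigest()


def hardened_record(password, iterations=PROD_ITERATIONS, salt=None):
    """Salted, iterated PBKDF2: one guess costs `iterations` hashes for one user."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_hardened(record, password):
    """Recompute the stored KDF with the record's own salt and iteration count."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown record format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations), dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def crack_weak(table, wordlist):
    """Offline attack on the unsalted table. Returns (found, hash_operations)."""
    lookup = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}  # built once
    found = {user: lookup[h] for user, h in table.items() if h in lookup}
    return found, len(wordlist)


def crack_hardened(table, wordlist):
    """Same wordlist against the salted table. Returns (found, kdf_operations)."""
    found, work = {}, 0
    for user, record in table.items():
        for word in wordlist:            # every user costs a fresh KDF per guess
            work += 1
            if verify_hardened(record, word):
                found[user] = word
                break
    return found, work


def guess_bits(guesses):
    """Bits of guessing resistance that a budget of `guesses` corresponds to."""
    return math.log2(guesses)


# Constructed sample data: three users, two with guessable passwords.
USERS = {"alice": "password", "bob": "correct horse battery staple", "carol": "12345"}
WORDLIST = ["123456", "password", "qwerty", "12345"]
WEAK_TABLE = {u: weak_record(p) for u, p in USERS.items()}
HARD_TABLE = {u: hardened_record(p, iterations=DEMO_ITERATIONS) for u, p in USERS.items()}

if __name__ == "__main__":
    print("unsalted SHA-1:", crack_weak(WEAK_TABLE, WORDLIST))
    print("salted PBKDF2: ", crack_hardened(HARD_TABLE, WORDLIST))
    print(f"10^6 guesses is about {guess_bits(1e6):.1f} bits of resistance; "
          f"10^14 guesses is about {guess_bits(1e14):.1f} bits")
```

Against the unsalted table the four-word list costs four fast hashes for the whole database; against the salted table the same list costs a separate KDF run per user per guess, each one as slow as the administrator chooses to make it. That per-guess cost is the only lever the administrator has once the database is gone, and it is what turns the paper’s hundred-trillion-guess budget into a concrete amount of attacker time.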
The quality of website administration is plainly inconsistent: with new breaches announced almost weekly, there is ample evidence for this. Some websites remain well defended while others fall victim to the same attacks. Many administrators appear to have given up on their end of the defence and placed all of the responsibility on the user, who is rarely a security professional or even someone with a strong computing background. In a world of constant online attacks, website administrators should be stepping up their efforts to secure the systems they are responsible for, alongside their campaign for users to choose stronger passwords.